The HOST command is a simple Command-line interface utility for performing DNS enumeration.

In security research and ethical hacking, DNS enumeration is the first phase in the information gathering of a target. It’s the process of querying all potential DNS records from a domain name server like name server details, IP addresses, Mail exchanger details, TTLs, and more.

Attackers may utilize this DNS-enumerated information to examine internal network records.

There are numerous DNS recon and online enumeration tools available on the internet. However, the DNS enumeration can be accomplished easily with a single command-line utility. That is “HOST”.

In this article, we’ll look at some useful host Command Examples for Querying DNS Details. 

Let’s get started!

Installation

The “HOST” command sometimes may not be available by default on a newly installed machine. As a result, You’ll have to install it manually on the system. The process of installation is rather simple.

All the DNS-related commands like nslookup, dig and host are contained in the “bind-utils” library. For that, just type the following command in the terminal.

sudo apt-get install dnsutils -y

This HOST command works on both MAC and Linux.

Usage

General syntax: The general “host” command prints the command’s overall syntax and its arguments that can be used with it, as well as a brief description of each argument.

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host          
Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
            [-R number] [-m flag] [-p port] hostname [server]
       -a is equivalent to -v -t ANY
       -A is like -a but omits RRSIG, NSEC, NSEC3
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -l lists all hosts in a domain, using AXFR
       -m set memory debugging flag (trace|record|usage)
       -N changes the number of dots allowed before root lookup is done
       -p specifies the port on the server to query
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -s a SERVFAIL response should stop query
       -t specifies the query type
       -T enables TCP/IP mode
       -U enables UDP mode
       -v enables verbose output
       -V print version number and exit
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply
       -4 use IPv4 query transport only
       -6 use IPv6 query transport only

To find the domain IP address

To find the IP address of a particular domain, simply pass the target domain name as an argument after the host command.

host Target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host geekflare.com
geekflare.com has address 104.27.118.115
geekflare.com has address 104.27.119.115
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com has IPv6 address 2606:4700:20::681b:7773
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.

For a comprehensive lookup using the verbose mode, use -a or -v flag option.

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -a geekflare.com 
Trying "geekflare.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24690
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;geekflare.com.                 IN      ANY

;; ANSWER SECTION:
geekflare.com.          3789    IN      HINFO   "RFC8482" ""
geekflare.com.          3789    IN      RRSIG   HINFO 13 2 3789 20220307065004 20220305045004 34505 geekflare.com. HW0Lfr5HazPMaACSBHmFqs94usKUljX+kONW/8Q2jwQ1QoAO9DEMjwDX rIQKODGtGnEizj2SzBF98mC2uQr7hQ==

Received 161 bytes from 192.168.1.1#53 in 64 ms

This (-a) option is used to Find All Domain Records and Zones Information. You can also notice the local DNS server address utilized for the lookup.

To perform Reverse Lookup

This command performs a reverse lookup on the IP address and displays the hostname or domain name.

As an example, the syntax would be as follows:

host target-ip-address

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host dnsleaktest.com                                                                                  
dnsleaktest.com has address 23.239.16.110
                                                                                                              
┌──(geekflare㉿kali)-[~]
└─$ host 23.239.16.110  
110.16.239.23.in-addr.arpa domain name pointer li685-110.members.linode.com.

If you copy-paste the pointer address ( li685-110.members.linode.com.) in the web browser, you will be redirected to the website.

To find Domain Name servers

Use the -t option to get the domain name servers. It’s used to specify the query type.

Here I am passing -t argument to find name servers of a specific domain name.

NS record specifies the authoritative nameservers.

host -t ns target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -t ns geekflare.com
geekflare.com name server olga.ns.cloudflare.com.
geekflare.com name server todd.ns.cloudflare.com.

To query certain domain nameserver

To query details about a specific authoritative domain name server, use the below command.

host target-domain [name-server]

Sample Output:

┌──(root💀kali)-[/home/geekflare]
└─# host geekflare.com  olga.ns.cloudflare.com.                                                           1 ⨯
Using domain server:
Name: olga.ns.cloudflare.com.
Address: 173.245.58.137#53
Aliases: 

geekflare.com has address 104.27.118.115
geekflare.com has address 104.27.119.115
geekflare.com has IPv6 address 2606:4700:20::681b:7773
geekflare.com has IPv6 address 2606:4700:20::681b:7673
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.

To find domain MX records

To get a list of a domain’s MX ( Mail Exchanger ) records.

host -t MX target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -t mx  geekflare.com
geekflare.com mail is handled by 1 aspmx.l.google.com.
geekflare.com mail is handled by 5 alt1.aspmx.l.google.com.
geekflare.com mail is handled by 5 alt2.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt3.aspmx.l.google.com.
geekflare.com mail is handled by 10 alt4.aspmx.l.google.com.

This MX record is responsible for directing an email to a mail server.

To find domain TXT records

To get a list of a domain’s TXT ( human-readable information about a domain server ) record.

host -t txt target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -t txt geekflare.com
geekflare.com descriptive text "google-site-verification=MRSwa454qay1S6pwwixzoiZl08kfJfkhiQIslhok3-A"
geekflare.com descriptive text "google-site-verification=7QXbgb492Y5NVyWzSAgAScfUV3XIAGTKKZfdpCvcaGM"
geekflare.com descriptive text "yandex-verification: 42f25bad396e79f5"
geekflare.com descriptive text "v=spf1 include:_spf.google.com include:mailgun.org include:zcsend.net ~all"
geekflare.com descriptive text "ahrefs-site-verification_8eefbd2fe43a8728b6fd14a393e2aff77b671e41615d2c1c6fc365ec33a4d6d0"
geekflare.com descriptive text "ca3-7fbfaa573ba248ddb17a618e5b46ca01"

To find domain SOA record

To get a list of a domain’s SOA ( start of authority ) record

host -t soa target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -t soa geekflare.com
geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600

Use the command below to compare the SOA records from all authoritative nameservers for a particular zone ( the specific portion of the DNS namespace ).

host -C target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -C geekflare.com                                                                                 2 ⨯
Nameserver 173.245.58.137:
        geekflare.com has SOA record olga.ns.cloudflare.com. dns.cloudflare.com. 2271966690 10000 2400 604800 3600

To find domain CNAME records

CNAME stands for canonical name record. This DNS record is responsible for redirecting one domain to another, which means it maps the original domain name to an alias.

To find out the domain CNAME DNS records, use the below command.

host -t cname target-domain

Sample Output:

┌──(geekflare㉿kali)-[~]
└─$ host -t cname  geekflare.com
geekflare.com has no CNAME record

If the target domain name has any CNAME records, they will be displayed after running the command.

To find domain TTL information

TTL Stands for Time to live. It is a part of the Domain Name Server. It is automatically set by an authoritative nameserver for each DNS record.

In simple words, TTL refers to how long a DNS server caches a record before refreshing the data. Use the below command to see the TTL information of a domain name.

host -v -t a target-domain

Sample Output:

┌──(root💀kali)-[/home/geekflare]
└─# host -v -t a geekflare.com                                                                            1 ⨯
Trying "geekflare.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2479
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;geekflare.com.                 IN      A

;; ANSWER SECTION:
geekflare.com.          30      IN      A       104.27.119.115
geekflare.com.          30      IN      A       104.27.118.115

Received 63 bytes from 192.168.1.1#53 in 60 ms

Conclusion

I hope you found this article helpful in learning some useful host Command Examples for Querying DNS Details.

You may also be interested in learning about free online tools to check DNS records of a domain name.