$ nslookup
> server IP
> IP
# should give you domain information
dig @IP -x IP
Zone Transfer Check
Check for additional sub-domains
$ host -l <domain> <IP>
[OR]
$ dig axfr @<IP> <domain>
# find domains
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://<DOMAIN>" -H "HOST: FUZZ.<DOMAIN>"
# when run, you'll see a lot of pages coming back with one specific number of characters; to eliminate them, add the flag --hh <character-value>
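From the defending side, the zone transfer check above shows up in the name server's log. The following is an added example, not part of the original notes: it flags AXFR requests from clients that are not known secondaries. The log lines are constructed and modelled on BIND-style transfer messages, and the allowlist and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: addresses of the legitimate secondary name servers.
ALLOWED_SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]

# Assumption: BIND-style messages; adapt the pattern to your server's log format.
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"(?:zone transfer '(?P<dz>[^/']+)/AXFR/IN' (?P<denied>denied)"
    r"|transfer of '(?P<sz>[^/']+)/IN': AXFR started)"
)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
01-Jan-2024 10:00:01 client @0x7f1 192.0.2.53#40111 (example.test): transfer of 'example.test/IN': AXFR started
01-Jan-2024 10:02:17 client @0x7f2 203.0.113.9#51522 (example.test): zone transfer 'example.test/AXFR/IN' denied
01-Jan-2024 10:02:19 client @0x7f3 203.0.113.9#51530 (example.test): transfer of 'internal.example.test/IN': AXFR started
01-Jan-2024 10:03:00 client @0x7f4 198.51.100.7#33000 (www.example.test): query: www.example.test IN A +
"""

def find_unauthorized_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Return (ip, zone, outcome) for every AXFR attempt from a non-secondary."""
    findings = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if not m:
            continue  # ordinary query or unrelated message
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in allowed):
            continue  # expected transfer to a known secondary
        zone = m.group("dz") or m.group("sz")
        outcome = "denied" if m.group("denied") else "SUCCEEDED"
        findings.append((str(ip), zone, outcome))
    return findings

def summarize(findings):
    """Count attempts per source address."""
    return Counter(ip for ip, _, _ in findings)

if __name__ == "__main__":
    for ip, zone, outcome in find_unauthorized_transfers(SAMPLE_LOG):
        print(f"{outcome:9} AXFR of {zone} requested by {ip}")
```

A SUCCEEDED entry means the full zone was handed to an unlisted client, so transfers on that server should be restricted to the secondaries.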