DNS Reverse Lookup

dig -p 53 -x $IP @$IP

Asynchronous Full Transfer (Zone Transfer)

dig @$IP -t AXFR domain.local

dnsrecon -d heist.offsec -t axfr -n <IP>

dnsrecon -d <DOMAIN> -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t brt -n $IP