DNSSEC NSEC. The accidental treasure map to your subdomains
ID: 69aac944-8293-5e82-bc87-0b4cbb72fb9e
STIX ID: report--69aac944-8293-5e82-bc87-0b4cbb72fb9e
Feed Name: Pen Test Partners Blog
This report explains how DNSSEC’s NSEC and NSEC3 mechanisms can enable DNS zone walking, allowing attackers to enumerate domains and subdomains even when AXFR is blocked. It details practical methods for NSEC-based enumeration, NSEC3 hash collection and cracking (including parameters like salt and iterations), and differences from zone transfers. The report recommends mitigations such as properly configured NSEC3 with strong parameters and DNSSEC “White Lies” to reduce enumeration risk while balancing privacy, operational overhead, and security.
