DNS enumeration extracts DNS information — querying all record types, attempting zone transfers (AXFR), brute-forcing subdomains, analyzing certificate transparency logs.
Zone transfer: 'dig axfr @[nameserver] [domain]' — reveals ALL DNS records if misconfigured. Should be restricted to authorized secondary nameservers. Tools: dnsenum, dnsrecon, amass. Certificate transparency (crt.sh) reveals subdomains without any DNS queries.