Enumerate root servers of a domain: https://github.com/mschwager/fierce

Scrape subdomains from open source sources (passive): https://github.com/projectdiscovery/subfinder

Brute force subdomains (using DNS and not vhosts requests): https://github.com/TheRook/subbrute

To test if domain takeover is possible: https://github.com/EdOverflow/can-i-take-over-xyz

Ettercap can perform MITM on DNS (plugin DNSSpoof)

Writeup

Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.

Brute force using target IP as resolve:

./subbrute.py -p inlanefreight.htb -r res
hr.inlanefreight.htb,REFUSED,

Then:

dig axfr hr.inlanefreight.htb
hr.inlanefreight.htb.   604800  IN      TXT     "HTB{LUIHNFAS2871SJK1259991}"