LinuxCommandLibrary

dnsrecon

Enumerate DNS information for a domain

TLDR

Scan a domain and save the results to an SQLite database
$ dnsrecon [[-d|--domain]] [example.com] --db [path/to/database.sqlite]

Scan a domain, specifying the nameserver and performing a zone transfer
$ dnsrecon [[-d|--domain]] [example.com] [[-n|--name_server]] [nameserver.example.com] [[-t|--type]] axfr

Scan a domain, using a brute-force attack and a dictionary of subdomains and hostnames
$ dnsrecon [[-d|--domain]] [example.com] [[-D|--dictionary]] [path/to/dictionary.txt] [[-t|--type]] brt

Scan a domain, performing a reverse lookup of IP ranges from the SPF record and saving the results to a JSON file
$ dnsrecon [[-d|--domain]] [example.com] -s [[-j|--json]]

Scan a domain, performing a Google enumeration and saving the results to a CSV file
$ dnsrecon [[-d|--domain]] [example.com] -g [[-c|--csv]]

Scan a domain, performing DNS cache snooping
$ dnsrecon [[-d|--domain]] [example.com] [[-t|--type]] snoop [[-n|--name_server]] [nameserver.example.com] [[-D|--dictionary]] [path/to/dictionary.txt]

Scan a domain, performing zone walking
$ dnsrecon [[-d|--domain]] [example.com] [[-t|--type]] zonewalk

SYNOPSIS

dnsrecon [options] -d DOMAIN

PARAMETERS

-d
    Target domain to enumerate. Required parameter.

-n
    Use this nameserver for lookups. Useful for testing specific DNS servers.

-r
    Perform reverse lookups on discovered IP ranges.

-D
    Use this wordlist for brute force subdomain enumeration.

-t
    Specify the enumeration type: std, axfr, brt, srv, rvn, zon. (Standard, Zone Transfer, Brute Force, SRV records, Reverse Lookup, All Zone records).

-a
    Perform an AXFR (zone transfer) query.

-v
    Enable verbose output for debugging.

--threads
    Specify the number of threads to use for brute forcing.

--lifetime
    Specify the DNS query timeout in seconds.

-w
    Enable whois lookups for discovered domains and networks.

-z
    Perform a DNS zone walk.

-x
    Perform reverse DNS lookups for a given IP address or CIDR block.

-g
    Perform Google enumeration (requires API key).

--xml
    Save the output to an XML file.

--json
    Save the output to a JSON file.

--csv
    Save the output to a CSV file.

DESCRIPTION

dnsrecon is a Python script for DNS enumeration. It gathers DNS records and information about a domain through zone transfer attempts, lookups, and brute-forcing techniques, aiming to discover the DNS servers, records (A, AAAA, MX, NS, SOA, SRV, SPF, TXT) and hostnames associated with a target domain.

By leveraging different enumeration techniques, including reverse lookups, zone transfers, and brute forcing, dnsrecon can uncover a comprehensive picture of a domain's DNS infrastructure. This information can be used to identify potential security vulnerabilities, map out network infrastructure, and gain a better understanding of the target organization. The tool's detailed reporting capabilities enable security professionals and network administrators to efficiently analyze and utilize the collected data. dnsrecon is particularly valuable during penetration testing, vulnerability assessments, and security audits. It is available in Kali Linux.

CAVEATS

Zone transfers are often disabled on production DNS servers for security reasons. Brute forcing a large domain can take a long time. Google enumeration requires an API key and may be rate limited.

ENUMERATION TYPES

The '-t' option controls the type of enumeration performed. 'std' performs standard DNS queries. 'axfr' attempts a zone transfer. 'brt' performs brute force subdomain enumeration. 'srv' queries SRV records. 'rvn' performs reverse lookups based on detected IP ranges. 'zon' fetches all zone records.

OUTPUT FORMATS

dnsrecon supports various output formats including XML, JSON, and CSV. These formats allow for easy integration with other tools and reporting systems.
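As an added example of such integration (not from this page or from the dnsrecon project), the following Python script reads a `--json` report of a zone you administer and flags two findings worth remediating: a nameserver that allowed a zone transfer, and public records pointing at RFC 1918 addresses. The record field names (`type`, `name`, `target`, `exchange`, `address`) and the `info` record carrying `zone_transfer` are assumed from dnsrecon's JSON writer; the sample report is constructed.

```python
"""Review a dnsrecon --json report of your own zone for two defender findings:
a nameserver that allowed AXFR, and public records pointing at RFC 1918 addresses."""
import ipaddress
import json
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape assumed for `dnsrecon -d example.com -a -j out.json`
# (first element is the ScanInfo header; an 'info' record carries the zone-transfer result).
SAMPLE_JSON = json.dumps([
    {"type": "ScanInfo", "arguments": "-d example.com -a -j out.json", "date": "2024-01-01 00:00:00"},
    {"type": "info", "zone_transfer": "success", "ns_server": "ns1.example.com"},
    {"type": "NS", "target": "ns1.example.com", "address": "203.0.113.10"},
    {"type": "MX", "exchange": "mail.example.com", "address": "203.0.113.25"},
    {"type": "A", "name": "www.example.com", "address": "203.0.113.80"},
    {"type": "A", "name": "intranet.example.com", "address": "10.20.30.40"},
])

def hostname_of(rec):
    """Return the hostname field a dnsrecon record uses for its type, if any."""
    for key in ("name", "target", "exchange", "mname"):
        if key in rec:
            return rec[key]
    return None

def is_rfc1918(addr):
    """True for IPv4 addresses in a private range; False for IPv6 or unparsable values."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # dnsrecon may emit placeholders such as "no_ip"
        return False
    return any(ip in net for net in RFC1918)

def summarize(report_json):
    """Count record types, collect hostnames, flag AXFR success and internal addresses."""
    records = json.loads(report_json)
    counts = Counter(r["type"] for r in records if r["type"] not in ("ScanInfo", "info"))
    hosts = sorted({h for h in map(hostname_of, records) if h})
    axfr_ok = any(r["type"] == "info" and r.get("zone_transfer") == "success" for r in records)
    internal = sorted({hostname_of(r) for r in records
                       if hostname_of(r) and is_rfc1918(r.get("address", ""))})
    return {"counts": dict(counts), "hosts": hosts,
            "axfr_succeeded": axfr_ok, "internal_hosts": internal}

if __name__ == "__main__":
    s = summarize(SAMPLE_JSON)
    print(s["counts"], "AXFR allowed:", s["axfr_succeeded"])
    for h in s["internal_hosts"]:
        print("RFC 1918 address published in public DNS:", h)
```

Point `summarize` at the contents of a real report file and compare its field names against your installed dnsrecon version before relying on the output.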

HISTORY

dnsrecon was developed as a tool for security professionals and penetration testers to automate DNS enumeration and reconnaissance tasks. It has evolved over time to incorporate new techniques and features, making it a comprehensive solution for gathering DNS information. Initially created to replace other, less effective tools, it has become a standard component in many security distributions, particularly Kali Linux. Its development continues, driven by the need to keep pace with evolving DNS security practices.

SEE ALSO

host(1), dig(1), nslookup(1)
