LinuxCommandLibrary

dnsrecon

Enumerate DNS information for a domain

TLDR

Scan a domain and save the results to an SQLite database
$ dnsrecon [[-d|--domain]] [example.com] --db [path/to/database.sqlite]

Scan a domain, specifying the nameserver and performing a zone transfer
$ dnsrecon [[-d|--domain]] [example.com] [[-n|--name_server]] [nameserver.example.com] [[-t|--type]] axfr

Scan a domain, using a brute-force attack and a dictionary of subdomains and hostnames
$ dnsrecon [[-d|--domain]] [example.com] [[-D|--dictionary]] [path/to/dictionary.txt] [[-t|--type]] brt

Scan a domain, performing a reverse lookup of IP ranges from the SPF record and saving the results to a JSON file
$ dnsrecon [[-d|--domain]] [example.com] -s [[-j|--json]]

Scan a domain, performing a Google enumeration and saving the results to a CSV file
$ dnsrecon [[-d|--domain]] [example.com] -g [[-c|--csv]]

Scan a domain, performing DNS cache snooping
$ dnsrecon [[-d|--domain]] [example.com] [[-t|--type]] snoop [[-n|--name_server]] [nameserver.example.com] [[-D|--dictionary]] [path/to/dictionary.txt]

Scan a domain, performing zone walking
$ dnsrecon [[-d|--domain]] [example.com] [[-t|--type]] zonewalk

SYNOPSIS

dnsrecon -d DOMAIN [-t TYPE] [-n NAMESERVER] [-a] [-b] [--threads NUM] [--json FILE]

PARAMETERS

-d DOMAIN
    Specifies the target domain for reconnaissance.

-t TYPE
    Defines the type of enumeration. Common types include 'std' (standard), 'axfr' (zone transfer), 'brt' (brute force), 'srv' (SRV records), 'spf' (SPF records), 'dmarc' (DMARC records), etc.

-a
    Performs an AXFR (zone transfer) attempt against all nameservers for the target domain.

-b
    Enables brute-force subdomain enumeration using a built-in wordlist or a custom one specified with -l.

-n NAMESERVER
    Designates a specific nameserver to use for DNS queries instead of relying on the domain's NS records or system defaults.

-r RANGE
    Conducts a reverse DNS lookup on a specified IP range (e.g., 192.168.1.0/24).

-l FILENAME
    Provides a custom wordlist file for brute-force subdomain or host enumeration.

--threads NUM
    Sets the number of threads for concurrent requests, speeding up enumeration, especially for brute-forcing.

--json FILENAME
    Outputs the reconnaissance results to a JSON formatted file.

--csv FILENAME
    Outputs the reconnaissance results to a CSV formatted file.

--xml FILENAME
    Outputs the reconnaissance results to an XML formatted file.

--iw
    Includes WHOIS information for the domain if available.

-v
    Enables verbose output, showing more details about the process and findings.

DESCRIPTION

Dnsrecon is a versatile and comprehensive command-line utility designed for DNS enumeration and reconnaissance. It's widely used by cybersecurity professionals and penetration testers to gather extensive information about target domains and their DNS infrastructure.

The tool can perform a variety of lookups, including standard record queries (A, AAAA, NS, SOA, MX, SRV, SPF, DMARC), zone transfer attempts (AXFR), and brute-force subdomain discovery using wordlists. It also supports reverse DNS lookups on specified IP ranges, wildcard DNS detection, and can identify common record types to map out a domain's network presence.

Dnsrecon helps map a domain's attack surface by revealing publicly exposed hosts, services, and misconfigurations, making it an essential tool in the initial information-gathering phase of a security assessment.

CAVEATS

While powerful, dnsrecon can be noisy on a target network, potentially triggering intrusion detection systems (IDS) due to the volume of DNS queries, especially during brute-force operations.

Many organizations disable zone transfers (AXFR) to prevent information disclosure, so this feature may not always yield results.

The accuracy of results depends on the nameservers queried and on the completeness of the wordlists used for brute-forcing.

It requires a working Python environment to run.

COMMON USAGE SCENARIOS

Dnsrecon is frequently used during the reconnaissance phase of a penetration test to map out a target's infrastructure. It helps identify potential misconfigurations, discover hidden subdomains, find mail servers, and determine the overall network footprint. This information is crucial for subsequent attack phases.

INTEGRATION

As dnsrecon supports various output formats (JSON, XML, CSV), its results can be easily parsed and integrated into other security tools, scripts, or reporting frameworks for further analysis or visualization. This makes it a flexible component in automated security workflows.
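As an added example (not code from the page or from the dnsrecon project), the script below triages the JSON export produced by the --json option shown in the TLDR section: it summarises records by type and flags the findings a defender would act on first (nameservers answering recursively, public names resolving into RFC 1918 space, and monitor-only SPF/DMARC policies). The sample input is constructed, and the record layout it assumes (a list of objects keyed by "type", NS entries carrying "recursive", TXT entries carrying "strings") is an assumption about dnsrecon's format rather than something the page documents.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample of a dnsrecon -j export for a fictional zone; the key
# layout (objects keyed by "type") is an assumption about the tool's format.
SAMPLE_JSON = """[
 {"type": "ScanInfo", "arguments": "dnsrecon -d example.com -j out.json"},
 {"type": "NS", "target": "ns1.example.com", "address": "192.0.2.1", "recursive": "False"},
 {"type": "NS", "target": "ns2.example.com", "address": "192.0.2.2", "recursive": "True"},
 {"type": "MX", "exchange": "mail.example.com", "address": "192.0.2.10"},
 {"type": "A", "name": "www.example.com", "address": "192.0.2.20"},
 {"type": "A", "name": "dev.example.com", "address": "10.0.0.5"},
 {"type": "TXT", "name": "example.com", "strings": "v=spf1 ip4:192.0.2.0/24 ~all"},
 {"type": "TXT", "name": "_dmarc.example.com", "strings": "v=DMARC1; p=none"}
]"""
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def load_records(text):
    """Parse the export and drop the scan metadata entry."""
    return [r for r in json.loads(text) if r.get("type") != "ScanInfo"]

def count_by_type(records):
    """Record counts per type, a quick footprint summary."""
    return Counter(r["type"] for r in records)

def open_recursive_ns(records):
    """Authoritative servers that also answered recursively (open resolvers)."""
    return sorted(r["target"] for r in records
                  if r["type"] == "NS" and r.get("recursive") == "True")

def private_hosts(records):
    """Public names resolving into RFC 1918 space: an internal-address leak."""
    return sorted(r["name"] for r in records if r["type"] == "A"
                  and any(ipaddress.ip_address(r["address"]) in n for n in RFC1918))

def mail_policy_findings(records):
    """Weak SPF (no hard fail) and DMARC (monitor-only) policies in TXT records."""
    findings = []
    for r in records:
        if r["type"] != "TXT":
            continue
        txt = r.get("strings", "")
        if txt.startswith("v=spf1") and "-all" not in txt:
            findings.append(f"{r['name']}: SPF does not end in -all")
        if txt.startswith("v=DMARC1") and "p=none" in txt:
            findings.append(f"{r['name']}: DMARC policy is p=none")
    return findings
```

To use it on a real scan, read the file written by --json in place of SAMPLE_JSON and pass the result of load_records() to the helpers.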

HISTORY

Dnsrecon originated as a tool within the penetration testing and ethical hacking community, primarily developed by Bitquark. It gained popularity due to its comprehensive enumeration capabilities, quickly becoming a staple in distributions like Kali Linux. Its development has been driven by the need for automated and efficient DNS information gathering, constantly evolving to include new record types and enumeration techniques, such as DMARC and SPF checks, and improved brute-forcing methods. It remains an active and maintained project within the security toolset.

SEE ALSO

dig(1), host(1), nslookup(1), nmap(1), fierce(1), sublist3r
