dnsrecon

Scan and save to SQLite database

$ dnsrecon -d [example.com] --db [path/to/database.sqlite]

$ dnsrecon -d [example.com] -n [nameserver.example.com] -t axfr

$ dnsrecon -d [example.com] -D [path/to/dictionary.txt] -t brt

$ dnsrecon -d [example.com] -s -j

$ dnsrecon -d [example.com] -g -c

$ dnsrecon -d [example.com] -t snoop -n [nameserver.example.com] -D [path/to/dictionary.txt]

$ dnsrecon -d [example.com] -t zonewalk

dnsrecon [options]

dnsrecon is a comprehensive DNS reconnaissance tool that performs multiple enumeration techniques to map DNS infrastructure. It combines zone transfers (AXFR), brute-force subdomain discovery, cache snooping, DNSSEC zone walking, and reverse lookups into a single tool.
The tool supports various scan types: standard enumeration, zone transfers to extract complete zone data, brute-force with custom dictionaries to discover subdomains, cache snooping to check for cached records on nameservers, and DNSSEC zone walking which exploits NSEC records to enumerate zones. Results can be exported to multiple formats including JSON, CSV, and SQLite databases for analysis. It can also perform Google enumeration to find subdomains through search engine results and SPF record analysis to discover related IP ranges. Widely used in penetration testing and security assessments to thoroughly map an organization's DNS footprint.

-d, --domain domain

Target domain

Specific nameserver

Scan type (std, axfr, brt, snoop, zonewalk)

Dictionary for brute force

Output to JSON

Output to CSV

SQLite database output

Use only against authorized targets. Zone transfers often blocked. Brute-force can be slow depending on dictionary size.

dnsmap(1), dig(1), nslookup(1)