DNSRecon Package Description

DNSRecon provides the ability to:

  • Check all NS Records for Zone Transfers
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  • Perform common SRV Record Enumeration
  • Top Level Domain (TLD) Expansion
  • Check for Wildcard Resolution
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist
  • Perform a PTR Record lookup for a given IP Range or CIDR
  • Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file
  • Enumerate Common mDNS records in the Local Network
  • Enumerate Hosts and Subdomains using Google

Source: DNSRecon README
DNSRecon Homepage | Kali DNSRecon Repo

  • Author: Carlos Perez
  • License: GPLv2

Tools included in the dnsrecon package

dnsrecon – A powerful DNS enumeration script

root@kali:~# dnsrecon -h
usage: dnsrecon.py [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
                   [-f] [-t TYPE] [-a] [-s] [-g] [-b] [-k] [-w] [-z]
                   [--threads THREADS] [--lifetime LIFETIME] [--tcp] [--db DB]
                   [-x XML] [-c CSV] [-j JSON] [--iw] [-v]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Target domain.
  -n NS_SERVER, --name_server NS_SERVER
                        Domain server to use. If none is given, the SOA of the
                        target will be used.
  -r RANGE, --range RANGE
                        IP range for reverse lookup brute force in formats
                        (first-last) or in (range/bitmask).
  -D DICTIONARY, --dictionary DICTIONARY
                        Dictionary file of subdomain and hostnames to use for
                        brute force. Filter out of brute force domain lookup,
                        records that resolve to the wildcard defined IP
                        address when saving records.
  -f                    Filter out of brute force domain lookup, records that
                        resolve to the wildcard defined IP address when saving
                        records.
  -t TYPE, --type TYPE  Type of enumeration to perform.
  -a                    Perform AXFR with standard enumeration.
  -s                    Perform a reverse lookup of IPv4 ranges in the SPF
                        record with standard enumeration.
  -g                    Perform Google enumeration with standard enumeration.
  -b                    Perform Bing enumeration with standard enumeration.
  -k                    Perform crt.sh enumeration with standard enumeration.
  -w                    Perform deep whois record analysis and reverse lookup
                        of IP ranges found through Whois when doing a standard
  -z                    Performs a DNSSEC zone walk with standard enumeration.
  --threads THREADS     Number of threads to use in reverse lookups, forward
                        lookups, brute force and SRV record enumeration.
  --lifetime LIFETIME   Time to wait for a server to response to a query.
  --tcp                 Use TCP protocol to make queries.
  --db DB               SQLite 3 file to save found records.
  -x XML, --xml XML     XML file to save found records.
  -c CSV, --csv CSV     Comma separated value file.
  -j JSON, --json JSON  JSON file.
  --iw                  Continue brute forcing a domain even if a wildcard
                        records are discovered.
  -v                    Enable verbose
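
Why the wildcard check and the -f filter in the help text above matter when a dictionary is used against a zone: on a wildcarded zone every guessed name resolves, so unfiltered results are mostly false positives. The following is an added example, not code from DNSRecon or from this page; the stand-in resolver, the sample zone data and the function names are constructed for illustration.

```python
import secrets

# Constructed sample zone (not real data): explicit hosts plus a "*" wildcard.
ZONE = {
    "www.example.com": {"198.51.100.5"},
    "mail.example.com": {"198.51.100.25"},
    "legacy.example.com": {"203.0.113.10"},  # real host sharing the wildcard IP
}
WILDCARD_IPS = {"203.0.113.10"}


def resolve(name):
    """Stand-in resolver: explicit records win, any other name hits the wildcard."""
    return ZONE.get(name, WILDCARD_IPS if name.endswith(".example.com") else set())


def detect_wildcard(resolver, domain, probes=3):
    """Query random labels that cannot exist; any address returned is wildcard."""
    found = set()
    for _ in range(probes):
        found |= resolver(f"{secrets.token_hex(8)}.{domain}")
    return found


def brute_force(resolver, domain, words, wildcard_ips, filter_wildcard=True):
    """Return (name, ip) pairs; optionally drop answers equal to a wildcard IP."""
    hits = []
    for word in words:
        name = f"{word}.{domain}"
        for ip in sorted(resolver(name)):
            if filter_wildcard and ip in wildcard_ips:
                continue
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    words = ["www", "mail", "legacy", "dev", "vpn"]
    wc = detect_wildcard(resolve, "example.com")
    print("wildcard IPs:", wc)
    print("unfiltered:", brute_force(resolve, "example.com", words, wc, False))
    print("filtered:  ", brute_force(resolve, "example.com", words, wc, True))
```

Filtering by address also drops `legacy.example.com`, a genuine record that happens to point at the wildcard IP, so filtered results for a zone you own should be reconciled against the authoritative zone data.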

dnsrecon Usage Example

Scan a domain (-d example.com), use a dictionary to brute force hostnames (-D /usr/share/wordlists/dnsmap.txt), do a standard scan (-t std), and save the output to a file (--xml dnsrecon.xml):

root@kali:~# dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
[*] Performing General Enumeration of Domain:example.com
[*] DNSSEC is configured for example.com
[*] DNSKEYs: