Posted on

Complete guide to DNSrecon

Hello, aspiring ethical hackers. This is a complete guide to dnsrecon tool. In our previous blogpost on DNS enumeration, you read what DNS is, what are the various types of DNS records, what is the information about the network can DNS enumeration reveal to a pen tester or a Black Hat Hacker. DNSrecon is one such tool used for enumerating DNS.

DNSrecon is written by Carlos Perez. He wrote it initially in Ruby to learn about that programming language and about DNS way back in 2007. As time passed by, he wanted to learn python and he posted dnsrecon tool to python.

The features of DNSrecon tool are,

  1. Checks all NS Records for Zone Transfers.
  2. Enumerates general DNS Records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  3. Performs common SRV Record enumeration.
  4. Top Level Domain (TLD) expansion.
  5. Checks for Wildcard resolution.
  6. Brute forces subdomains and host A and AAAA records given in a domain and a wordlist.
  7. Performs PTR record lookup for a given IP Range or CIDR.
  8. Checks a DNS server’s cached records for A, AAAA and CNAME.
  9. Records provided a list of host records in a text file to check.

Let’s see how to enumerate DNS with DNSrecon. DNSrecon is installed by default in Kali Linux. To use DNSrecon, all we have to do is use the command below.

dnsenum -d <domain>

DNSrecon 12

–name_server (-n)

By default, DNSrecon will use SOA of the target server to enumerate DNS. You can use a different server, you can use it using this option.

DNSrecon 3

-a

This option is used to do a zone transfer along with standard enumeration performed above.

DNSrecon 4

As expected it failed.

DNSrecon 5

-y, -b, -k

Similarly, you can perform yandex (-y), bing(-b), crt.sh (-k) enumeration along with standard enumeration.

DNSrecon 7
DNSrecon 8
DNSrecon 9
DNSrecon 10

-w

This option is used to perform deep whois record analysis and reverse lookup of IP ranges found when doing standard enumeration.

DNSrecon 11

-z

This option is used to perform a DNSSEC zone walk along with standard enumeration.

DNSrecon 12 1
DNSrecon 13

–dictionary (-d)

This option is used to use a dictionary file containing subdomains and hostnames to use for brute force.

DNSrecon 14

–range (-r)

Specify a IP range to perform reverse lookup.

DNSrecon 15

–type (-t)

This option is used to perform a specific type of enumeration only. The various possible types of enumeration that can be performed using dnsrecon are,

  • Std: all SOA, NS, A, AAAA, MX and SRV.
  • rvl: reverse lookup
  • brt: brute force using a given dictionary
  • srv: SRV records.
  • axfr: zone transfer from NS server.
  • bing: Bing search for hosts and subdomains.
  • Yand: Yandex search for hosts and subdomains.
  • Crt: crt.sh enumeration for subdomains and hosts.
  • Snoop: cache snooping argument at NS server.
  • tld: test against all TLD’s registered with IANA.
  • Zonewalk: perform DNS sec Zone using NSEC records.
DNSrecon 16
DNSrecon 17
DNSrecon 18
DNSrecon 19
DNSrecon 20

Saving results

You can save the results of the found records to a database (-db), XML (-X), CSV (-c) and Json(-j) files.

DNSrecon 21
DNSrecon 22 1
DNSrecon 23

–lifetime

This option is used to set the time the tool has to wait until the target server responds. The default time is 3 seconds.

DNSrecon 24

–threads

This option is useful to specify the number of threads to be used while performing reverse lookup, forward lookup, brute force and SRV record enumeration.

DNSrecon 25

That’s all about DNSrecon.

Follow Us