
Dnsenum

Dnsenum is a multithreaded Perl script to enumerate DNS information of a domain and discover non-contiguous IP blocks. It gathers comprehensive details including host addresses, name servers, MX records, and subdomains.

Description

Dnsenum is designed to gather as much information as possible about a domain through various DNS enumeration techniques. It is particularly useful for pentesters, ethical hackers, and forensics experts conducting security tests and reconnaissance.

The tool performs operations such as retrieving A records, name servers, MX records, AXFR queries, Google scraping for subdomains, brute force subdomain enumeration, whois queries on network ranges, and reverse lookups. It supports multithreading for efficiency and can output results in XML format for further analysis.

Use cases include domain reconnaissance in penetration testing, identifying potential attack surfaces, and mapping network infrastructure during security assessments.

How It Works

Dnsenum is a multithreaded Perl script that issues DNS queries for A, NS and MX records and attempts AXFR zone transfers against the domain's name servers. It scrapes Google with queries like 'allinurl: -www site:domain' to find subdomains, brute-forces subdomains from a wordlist (optionally recursing into those that have NS records), calculates class C network ranges, runs whois queries, and conducts reverse lookups on the discovered IP blocks. All operations are threaded for speed, with configurable timeouts, delays, and output options including XML.
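From the defender's side, the query pattern described above is recognizable in DNS server logs. The following is an added example, not part of dnsenum or the original page: it flags AXFR attempts, bursts of distinct NXDOMAIN names under a zone, and PTR sweeps across a /24. The log format, the thresholds and the function name are assumptions made for illustration.

```python
from collections import defaultdict

def detect_enumeration(log_text, zone, nx_min=5, ptr_min=8):
    """Return {client: sorted findings} for enumeration-like query patterns."""
    axfr = set()
    nx_names = defaultdict(set)   # client -> distinct NXDOMAIN names under zone
    ptr_hosts = defaultdict(set)  # (client, /24) -> distinct last octets queried
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, client, qname, qtype, rcode = parts
        qname = qname.lower().rstrip(".")
        if qtype == "AXFR":
            axfr.add(client)  # zone transfer requested, whatever the outcome
        elif rcode == "NXDOMAIN" and qname.endswith("." + zone):
            nx_names[client].add(qname)  # guessed name that does not exist
        elif qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            octets = qname[: -len(".in-addr.arpa")].split(".")
            if len(octets) == 4:
                net = ".".join(reversed(octets[1:])) + ".0/24"
                ptr_hosts[(client, net)].add(octets[0])
    findings = defaultdict(set)
    for client in axfr:
        findings[client].add("axfr-attempt")
    for client, names in nx_names.items():
        if len(names) >= nx_min:
            findings[client].add("subdomain-bruteforce")
    for (client, net), hosts in ptr_hosts.items():
        if len(hosts) >= ptr_min:
            findings[client].add("reverse-sweep " + net)
    return {client: sorted(f) for client, f in findings.items()}

# Constructed sample log; the format "time client qname qtype rcode" is hypothetical.
SAMPLE_LOG = "\n".join(
    ["10:00:01 203.0.113.7 example.com NS NOERROR",
     "10:00:02 203.0.113.7 example.com AXFR REFUSED"]
    + [f"10:00:03 203.0.113.7 {w}.example.com A NXDOMAIN"
       for w in ("admin", "dev", "ftp", "mail", "test", "vpn")]
    + [f"10:00:04 203.0.113.7 {i}.2.0.192.in-addr.arpa PTR NOERROR"
       for i in range(1, 11)]
    + ["10:00:05 198.51.100.9 www.example.com A NOERROR",
       "10:00:06 198.51.100.9 typo.example.com A NXDOMAIN"]
)

if __name__ == "__main__":
    for client, found in detect_enumeration(SAMPLE_LOG, "example.com").items():
        print(client, found)
```

The second client in the sample makes a single mistyped lookup and stays below the NXDOMAIN threshold, which is the distinction the thresholds exist to draw.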

Installation

sudo apt install dnsenum

Flags

--dnsserver <server>: Use this DNS server for A, NS and MX queries.
--enum: Shortcut option equivalent to --threads 5 -s 15 -w.
--noreverse: Skip the reverse lookup operations.
--nocolor: Disable ANSIColor output.
--private: Show and save private IPs at the end of the file domain_ips.txt.
--subfile <file>: Write all valid subdomains to this file.
-t, --timeout <value>: The TCP and UDP timeout values in seconds (default: 10s).
--threads <value>: The number of threads that will perform different queries.
-p, --pages <value>: The number of Google search pages to process when scraping names. The default is 5 pages; the -s switch must be specified.
-s, --scrap <value>: The maximum number of subdomains that will be scraped from Google (default 15).
-f, --file <file>: Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
-u, --update <a|g|r|z>: Update the file specified with the -f switch with valid subdomains. a (all): update using all results. g: update using only Google scraping results. r: update using only reverse lookup results. z: update using only zone transfer results.
-r, --recursion: Recursion on subdomains; brute force all discovered subdomains that have an NS record.
-d, --delay <value>: The maximum number of seconds to wait between whois queries; the value is chosen randomly (default: 3s).
-w, --whois: Perform the whois queries on class C network ranges. **Warning**: this can generate very large netranges and it will take a lot of time to perform reverse lookups.
-e, --exclude <regexp>: Exclude PTR records that match the regexp expression from reverse lookup results; useful on invalid hostnames.
-o, --output <file>: Output in XML format. Can be imported in MagicTree (www.gremwell.com).

Examples

Don’t do a reverse lookup (--noreverse) and save the output to a file (-o mydomain.xml) for the domain example.com.
dnsenum --noreverse -o mydomain.xml example.com
Print this help message.
dnsenum -h
Use shortcut option equivalent to --threads 5 -s 15 -w for domain example.com.
dnsenum --enum example.com
Use specified DNS server for A, NS and MX queries on example.com.
dnsenum --dnsserver 8.8.8.8 example.com
Run with 10 threads performing different queries on example.com.
dnsenum --threads 10 example.com
Brute force subdomains from specified file on example.com.
dnsenum -f /path/to/wordlist.txt example.com
Scrape 10 Google pages for up to 20 subdomains on example.com.
dnsenum -p 10 -s 20 example.com
Updated 2026-04-16 | kali.org