dnsrecon
DNSRecon is a powerful Python script for DNS enumeration and scanning. It performs tasks like checking NS records for zone transfers, enumerating general DNS records, brute forcing subdomains, and more.
Description
DNSRecon provides comprehensive DNS reconnaissance capabilities for security testing and information gathering. It enables checking all NS records for zone transfers, enumerating general DNS records such as MX, SOA, NS, A, AAAA, SPF, and TXT for a given domain, performing common SRV record enumeration, TLD expansion, wildcard resolution checks, and brute forcing subdomains and hosts using a wordlist. Additionally, it supports PTR record lookups for IP ranges or CIDRs, checking cached DNS records, and enumerating hosts via Google.
Use cases include penetration testing during the reconnaissance phase, such as in PEN-200 training for DNS enumeration. It helps identify potential misconfigurations like open zone transfers or wildcard resolutions that could expose internal hostnames and subdomains.
The tool outputs results in various formats including XML, CSV, and JSON, making it suitable for automated workflows and reporting.
How It Works
DNSRecon queries DNS servers over UDP, or over TCP when the --tcp option is given. It iterates over the domain's NS servers (auto-detected from the SOA record or specified with -n), attempts AXFR zone transfers against each, resolves the common record types, brute forces A/AAAA records from a dictionary wordlist, runs reverse lookups over IP ranges, and can check for cached records or enumerate hosts through Google searches. Thread count, query lifetime limits, and the NXDOMAIN/recursion checks tune performance and evasion.
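The wildcard resolution check and the wildcard-aware brute force described above, as an added Python example (not dnsrecon's own code): it assumes a resolve(name) callable that returns the set of A-record IPs for a hostname, and substitutes a constructed in-memory zone for real DNS so it runs offline. Random labels that should not exist are resolved first; if they all answer, that answer set is the wildcard, and wordlist hits that resolve only to wildcard addresses are discarded as noise.

```python
import secrets

def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels that should not exist under `domain`. If every probe
    answers, the IPs common to all answers are the wildcard set; empty = none."""
    answers = [resolve(f"{secrets.token_hex(6)}.{domain}") for _ in range(probes)]
    if not all(answers):
        return set()
    return set.intersection(*answers)

def brute_force(domain, wordlist, resolve, wildcard_ips):
    """Return {hostname: ips} for names resolving to at least one address outside
    the wildcard set. Names answering only with wildcard addresses are dropped as
    noise; that also hides a real record sharing the wildcard IP (the trade-off)."""
    found = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        ips = resolve(host)
        if ips - wildcard_ips:
            found[host] = ips
    return found

def audit(domain, wordlist, resolve):
    """Wildcard check first, then a wildcard-aware brute force."""
    wildcard = detect_wildcard(domain, resolve)
    return {"wildcard": wildcard, "hosts": brute_force(domain, wordlist, resolve, wildcard)}

def make_resolver(domain, zone, wildcard_ips=frozenset()):
    """Constructed stand-in for DNS so the example runs offline; a live tool would
    wrap dns.resolver.resolve(name, "A") from dnspython instead."""
    def resolve(name):
        if name in zone:
            return set(zone[name])
        if wildcard_ips and name.endswith("." + domain):
            return set(wildcard_ips)
        return set()
    return resolve

# Constructed sample zone (not real hosts): dev shares the wildcard address.
SAMPLE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "dev.example.com": {"203.0.113.5"},
}
WORDS = ["www", "mail", "dev", "ftp", "vpn"]

if __name__ == "__main__":
    wild = make_resolver("example.com", SAMPLE_ZONE, {"203.0.113.5"})
    print(audit("example.com", WORDS, wild))
```

Running it against the sample zone shows dev.example.com disappearing behind the wildcard filter, which is why a wildcard finding on your own domain should be verified by hand rather than trusted as "no extra hosts".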
Installation
sudo apt install dnsrecon
Flags
Examples
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
dnsrecon -h
dnsrecon -d example.com
dnsrecon -d example.com -t std
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt
dnsrecon -r 192.168.1.1-192.168.1.254
dnsrecon -iL domains.txt