Category: Information Gathering. Tags: dns, enumeration, reconnaissance, brute-force, zone-transfer

dnsrecon

DNSRecon is a powerful Python script for DNS enumeration and scanning. It performs tasks like checking NS records for zone transfers, enumerating general DNS records, brute forcing subdomains, and more.

Description

DNSRecon provides comprehensive DNS reconnaissance capabilities for security testing and information gathering. It enables checking all NS records for zone transfers, enumerating general DNS records such as MX, SOA, NS, A, AAAA, SPF, and TXT for a given domain, performing common SRV record enumeration, TLD expansion, wildcard resolution checks, and brute forcing subdomains and hosts using a wordlist. Additionally, it supports PTR record lookups for IP ranges or CIDRs, checking cached DNS records, and enumerating hosts via Google.

Use cases include penetration testing during the reconnaissance phase, such as in PEN-200 training for DNS enumeration. It helps identify potential misconfigurations like open zone transfers or wildcard resolutions that could expose internal hostnames and subdomains.

The tool outputs results in various formats including XML, CSV, and JSON, making it suitable for automated workflows and reporting.

How It Works

DNSRecon operates by querying DNS servers over UDP by default, or over TCP when the --tcp option is given. It issues queries to the domain's NS servers (auto-detected from the SOA record or specified with -n), attempts an AXFR zone transfer against each of them, resolves the common record types, brute forces A/AAAA records from a dictionary wordlist, performs reverse lookups over IP ranges, and checks cached records or Google search results. Thread count, query lifetime limits, and NXDOMAIN/recursion checks are available to tune performance and evasion.
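Because the tool can write JSON for automated workflows, a small post-processing script is a natural way to turn a run into a findings list. The following is an added example, not part of the kali.org page or of DNSRecon itself: it parses a constructed JSON document laid out the way DNSRecon's JSON output is understood here (a leading ScanInfo entry, then one object per record with a type field such as SOA, NS, MX, A or TXT, and an info object with zone_transfer set to success when an AXFR went through). That layout, the field names, and the sample values are assumptions; compare them against the output of your installed version before relying on the script. It counts records by type, collects hostnames, and flags three of the misconfigurations the description mentions: an NS server that allowed a zone transfer, an authoritative NS that answers recursive queries, and public A records that point at RFC 1918 addresses.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the assumed shape of dnsrecon's JSON output (not real scan data).
SAMPLE_JSON = json.dumps([
    {"type": "ScanInfo", "arguments": "dnsrecon -d example.com -t std --json out.json",
     "date": "2026-04-16 10:00:00"},
    {"domain": "example.com", "type": "SOA", "mname": "ns1.example.com", "address": "192.0.2.10"},
    {"domain": "example.com", "type": "NS", "target": "ns1.example.com",
     "address": "192.0.2.10", "recursive": "False"},
    {"domain": "example.com", "type": "NS", "target": "ns2.example.com",
     "address": "192.0.2.11", "recursive": "True"},
    {"domain": "example.com", "type": "MX", "exchange": "mail.example.com", "address": "192.0.2.25"},
    {"domain": "example.com", "type": "A", "name": "www.example.com", "address": "192.0.2.80"},
    {"domain": "example.com", "type": "TXT", "name": "example.com", "strings": "v=spf1 -all"},
    {"type": "info", "zone_transfer": "success", "ns_server": "192.0.2.11"},
    {"domain": "example.com", "type": "A", "name": "intranet.example.com", "address": "10.0.0.5"},
])

# RFC 1918 ranges are checked explicitly; ipaddress.is_private would also match the
# TEST-NET documentation ranges used in the sample, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr is a valid IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def load_records(text):
    """Parse dnsrecon JSON text and drop the ScanInfo header entry (assumed layout)."""
    return [rec for rec in json.loads(text) if rec.get("type") != "ScanInfo"]


def summarize(records):
    """Count records per type, collect hostnames, and list misconfiguration findings."""
    counts = Counter()
    hosts = set()
    findings = []
    for rec in records:
        rtype = rec.get("type", "?")
        if rtype == "info":
            # Assumed marker dnsrecon writes when an AXFR against an NS server succeeded.
            if rec.get("zone_transfer") == "success":
                findings.append(f"AXFR allowed by {rec.get('ns_server')}: "
                                "restrict zone transfers to known secondaries")
            continue
        counts[rtype] += 1
        # dnsrecon records the recursion check result on each NS record as a string.
        if rtype == "NS" and str(rec.get("recursive")).lower() == "true":
            findings.append(f"NS {rec.get('target')} ({rec.get('address')}) answers "
                            "recursive queries: disable recursion on authoritative servers")
        name = (rec.get("name") or rec.get("target")
                or rec.get("exchange") or rec.get("mname"))
        if name:
            hosts.add(name)
        if rtype in ("A", "AAAA") and is_rfc1918(rec.get("address", "")):
            findings.append(f"{name} resolves to internal address {rec['address']}: "
                            "internal hostnames should not be published in public DNS")
    return {"counts": dict(counts), "hosts": sorted(hosts), "findings": findings}


if __name__ == "__main__":
    # Replace SAMPLE_JSON with open("dnsrecon.json").read() to process a real run.
    report = summarize(load_records(SAMPLE_JSON))
    print("Records by type:", report["counts"])
    print("Hosts seen:", ", ".join(report["hosts"]))
    for finding in report["findings"]:
        print("FINDING:", finding)
```

The findings are phrased as remediation items so the script's output can go straight into a report; the zone transfer and recursion checks correspond to the NS-level tests the tool performs, and the RFC 1918 check catches the internal-hostname exposure the description warns about.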

Installation

```bash
sudo apt install dnsrecon
```

Flags

-d, --domain: Target domain.
-iL, --input-list: File containing a list of domains to perform DNS enumeration on, one per line.
-n, --name_server: Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list.
-r, --range: IP range for reverse lookup brute force, in the format first-last or range/bitmask.
-D, --dictionary: Dictionary file for brute forcing.
-t: Type of scan (e.g., std).
--xml: Save output to an XML file.
--tcp: Use TCP for DNS queries.

Examples

Scan a domain, use a dictionary to brute force hostnames, do a standard scan, and save the output to a file.

```bash
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
```

Show the help message and usage options.

```bash
dnsrecon -h
```

Perform general enumeration of a target domain.

```bash
dnsrecon -d example.com
```

Run a standard scan on a domain.

```bash
dnsrecon -d example.com -t std
```

Brute force subdomains using a dictionary wordlist.

```bash
dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt
```

Perform PTR record lookup for an IP range.

```bash
dnsrecon -r 192.168.1.1-192.168.1.254
```

Enumerate DNS for a list of domains from a file.

```bash
dnsrecon -iL domains.txt
```
Updated 2026-04-16. Source: kali.org