
DNSRecon

DNSRecon Description

DNSRecon is a simple Python script for gathering DNS-oriented information about a given target domain.

This script provides the ability to perform:

  • Check all NS Records for Zone Transfers.
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  • Perform common SRV Record Enumeration.
  • Top Level Domain (TLD) Expansion.
  • Check for Wildcard Resolution.
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
  • Perform a PTR Record lookup for a given IP Range or CIDR.
  • Check a DNS server's cached records (cache snooping) for A, AAAA and CNAME records, given a text file listing the hostnames to test.
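The wildcard check and the `-f` filter interact with the dictionary brute force, and it helps to see the logic rather than just the flag names. The following is an added example, not code from the dnsrecon project: it resolves a few random labels under the target to detect a wildcard, then runs a brute force that either stops (the default without `--iw`), continues and drops hits that only the wildcard answered (`--iw -f`), or keeps everything (`--iw` without `-f`). The resolver is injected so the example runs offline against a constructed zone; the zone contents, the `example.test` domain and the addresses are assumptions, and the optional `live_resolver` uses dnspython for real lookups.

```python
"""Wildcard detection and brute-force filtering, modelled on the behaviour
dnsrecon's -D / -f / --iw options describe.  Added example, not dnsrecon's code.
The resolver is a plain callable so everything below runs offline."""
import random
import string
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# A resolver maps a fully qualified name to its set of A-record addresses;
# an empty set stands for NXDOMAIN / no answer.
Resolver = Callable[[str], Set[str]]

# Constructed zone (assumption, not a real domain). Note that shop. points at
# the same address the wildcard will use: that is the case -f cannot tell apart.
CONSTRUCTED_ZONE: Dict[str, Set[str]] = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.20"},
    "dev.example.test": {"192.0.2.30"},
    "shop.example.test": {"192.0.2.99"},
}
WILDCARD_IPS = {"192.0.2.99"}


def make_resolver(zone: Dict[str, Set[str]], domain: str,
                  wildcard_ips: Optional[Set[str]] = None) -> Resolver:
    """Build an offline resolver; with wildcard_ips set, any unknown name
    under the domain answers with those addresses, like a `*.domain` A record."""
    def resolve(name: str) -> Set[str]:
        if name in zone:
            return set(zone[name])
        if wildcard_ips and name.endswith("." + domain):
            return set(wildcard_ips)
        return set()
    return resolve


def random_label(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels under the domain.  A zone without a wildcard
    returns nothing for them; a wildcard zone answers every probe.  Returns the
    union of addresses seen (empty set means no wildcard)."""
    seen: Set[str] = set()
    for _ in range(probes):
        seen |= resolve(f"{random_label()}.{domain}")
    return seen


def brute_force(domain: str, wordlist: Iterable[str], resolve: Resolver,
                continue_on_wildcard: bool = False,
                filter_wildcard: bool = True) -> Tuple[List[Tuple[str, List[str]]], Set[str]]:
    """Dictionary brute force.  continue_on_wildcard mirrors --iw, filter_wildcard
    mirrors -f.  Returns (found hosts, wildcard addresses)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    if wildcard_ips and not continue_on_wildcard:
        # Every candidate would "resolve"; stop instead of producing noise.
        return [], wildcard_ips
    found: List[Tuple[str, List[str]]] = []
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        if filter_wildcard and wildcard_ips and ips <= wildcard_ips:
            # Only the wildcard answered.  This also drops a genuine host that
            # shares the wildcard address (shop. in the constructed zone): the
            # known false-negative cost of -f.
            continue
        found.append((name, sorted(ips)))
    return found, wildcard_ips


def live_resolver(name: str) -> Set[str]:
    """Optional real lookups via dnspython (pip install dnspython); not used offline."""
    import dns.exception
    import dns.resolver
    try:
        return {r.address for r in dns.resolver.resolve(name, "A")}
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return set()


if __name__ == "__main__":
    words = ["www", "mail", "dev", "shop", "nonexistent"]
    resolve = make_resolver(CONSTRUCTED_ZONE, "example.test", WILDCARD_IPS)
    print("wildcard:", detect_wildcard("example.test", resolve))
    for iw, f in ((False, True), (True, True), (True, False)):
        hosts, _ = brute_force("example.test", words, resolve, iw, f)
        print(f"--iw={iw} -f={f}:", [h for h, _ in hosts])
```

Run it as-is for the offline demonstration; to try the logic against a real zone you control, pass `live_resolver` in place of the constructed one. The last run in the demo (`--iw` without `-f`) shows why the filter exists: even the nonexistent label comes back as a "finding".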

Homepage: https://github.com/darkoperator/dnsrecon

Author: Carlos Perez

License: GPLv2

DNSRecon Help

Usage:

dnsrecon.py [-h] -d DOMAIN [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
                   [-f] [-a] [-s] [-b] [-y] [-k] [-w] [-z] [--threads THREADS]
                   [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV]
                   [-j JSON] [--iw] [--disable_check_recursion]
                   [--disable_check_bindversion] [-v] [-t TYPE]

Options:

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Target domain.
  -n NS_SERVER, --name_server NS_SERVER
                        Domain server to use. If none is given, the SOA of the
                        target will be used. Multiple servers can be specified
                        using a comma separated list.
  -r RANGE, --range RANGE
                        IP range for reverse lookup brute force in formats
                        (first-last) or in (range/bitmask).
  -D DICTIONARY, --dictionary DICTIONARY
                        Dictionary file of subdomain and hostnames to use for
                        brute force.
  -f                    Filter out of brute force domain lookup, records that
                        resolve to the wildcard defined IP address when saving
                        records.
  -a                    Perform AXFR with standard enumeration.
  -s                    Perform a reverse lookup of IPv4 ranges in the SPF
                        record with standard enumeration.
  -b                    Perform Bing enumeration with standard enumeration.
  -y                    Perform Yandex enumeration with standard enumeration.
  -k                    Perform crt.sh enumeration with standard enumeration.
  -w                    Perform deep whois record analysis and reverse lookup
                        of IP ranges found through Whois when doing a standard
                        enumeration.
  -z                    Performs a DNSSEC zone walk with standard enumeration.
  --threads THREADS     Number of threads to use in reverse lookups, forward
                        lookups, brute force and SRV record enumeration.
  --lifetime LIFETIME   Time to wait for a server to respond to a query.
  --tcp                 Use TCP protocol to make queries.
  --db DB               SQLite 3 file to save found records.
  -x XML, --xml XML     XML file to save found records.
  -c CSV, --csv CSV     Save output to a comma separated value file.
  -j JSON, --json JSON  save output to a JSON file.
  --iw                  Continue brute forcing a domain even if wildcard
                        records are discovered.
  --disable_check_recursion
                        Disables check for recursion on name servers
  --disable_check_bindversion
                        Disables check for BIND version on name servers
  -v                    Enable verbose
  -t TYPE, --type TYPE  Type of enumeration to perform. std: SOA, NS, A, AAAA,
                        MX and SRV. rvl: Reverse lookup of a given CIDR or IP
                        range. brt: Brute force domains and hosts using a
                        given dictionary. srv: SRV records. axfr: Test all NS
                        servers for a zone transfer. bing: Perform Bing search
                        for subdomains and hosts. yand: Perform Yandex search
                        for subdomains and hosts. crt: Perform crt.sh search
                        for subdomains and hosts. snoop: Perform cache
                        snooping against all NS servers for a given domain,
                        testing all with file containing the domains, file
                        given with -D option. tld: Remove the TLD of given
                        domain and test against all TLDs registered in IANA.
                        zonewalk: Perform a DNSSEC zone walk using NSEC
                        records.

DNSRecon Usage Example

Scan a domain (-d miloserdov.org), run the standard enumeration together with a dictionary brute force of hostnames (-t std,brt, with the wordlist given by -D /usr/share/dict/theHarvester/dns-names.txt), drop brute-force hits that only resolve to a wildcard address (-f), and save the output to an XML file (--xml ~/dnsrecon.xml). Note that the dictionary is only used when brt is among the enumeration types; with -t std alone it is ignored:

dnsrecon -d miloserdov.org -D /usr/share/dict/theHarvester/dns-names.txt -t std,brt -f --xml ~/dnsrecon.xml

Attempt a zone transfer (AXFR) against every NS record of the domain (-t axfr -d miloserdov.org). A successful transfer hands over the whole zone, so this is worth trying before any brute force:

dnsrecon -t axfr -d miloserdov.org

How to install DNSRecon

Installation on Kali Linux

The program is pre-installed on Kali Linux. If it is missing, install the packaged version:

sudo apt install dnsrecon

Installation on Debian, Linux Mint, Ubuntu

sudo apt install python3-pip python3-venv git
git clone https://github.com/darkoperator/dnsrecon
cd dnsrecon
python3 -m venv venv && . venv/bin/activate
pip3 install -r requirements.txt
python3 ./dnsrecon.py -h

Installing the requirements into a virtual environment keeps them out of the system Python (newer Debian and Ubuntu releases refuse a system-wide pip install by default).

Installation on BlackArch

The program is pre-installed on BlackArch.

sudo pacman -S dnsrecon
