LinuxCommandLibrary

dnsrecon

Enumerate DNS information for a domain

TLDR

Scan a domain and save the results to an SQLite database

$ dnsrecon [[-d|--domain]] [example.com] --db [path/to/database.sqlite]

Scan a domain, specifying the nameserver and performing a zone transfer
$ dnsrecon [[-d|--domain]] [example.com] [[-n|--name_server]] [nameserver.example.com] [[-t|--type]] axfr

Scan a domain, using a brute-force attack and a dictionary of subdomains and hostnames
$ dnsrecon [[-d|--domain]] [example.com] [[-D|--dictionary]] [path/to/dictionary.txt] [[-t|--type]] brt

Scan a domain, performing a reverse lookup of IP ranges from the SPF record and saving the results to a JSON file
$ dnsrecon [[-d|--domain]] [example.com] -s [[-j|--json]]

Scan a domain, performing a Google enumeration and saving the results to a CSV file
$ dnsrecon [[-d|--domain]] [example.com] -g [[-c|--csv]]

Scan a domain, performing DNS cache snooping
$ dnsrecon [[-d|--domain]] [example.com] [[-t|--type]] snoop [[-n|--name_server]] [nameserver.example.com] [[-D|--dictionary]] [path/to/dictionary.txt]

Scan a domain, performing zone walking
$ dnsrecon [[-d|--domain]] [example.com] [[-t|--type]] zonewalk

SYNOPSIS

dnsrecon [options] -d DOMAIN

PARAMETERS

-d DOMAIN, --domain=DOMAIN
    Target domain for enumeration.

-D FILE, --dictionary=FILE
    Wordlist file of subdomains and hostnames for brute-force enumeration.

-t TYPE, --type=TYPE
    Enumeration type: std, axfr, brt, crt, perm, rpz, srv, svcb, tld, wlist, zonewalk.

-n NS, --name_server=NS
    Custom DNS server for queries.

-N, --norecurse
    Disable recursive queries.

-a, --all
    Run all enumeration types.

-A, --analyze
    Analyze records for anomalies.

-r START-STOP, --range=START-STOP
    Port range for service scans.

-p PORTS, --ports=PORTS
    Specific ports to scan.

-T TIMEOUT, --timeout=TIMEOUT
    Query timeout in seconds.

-R RETRIES, --retries=RETRIES
    Number of query retries.

--threads=NUM
    Parallel threads for speed.

--csv
    CSV output format.

--xml
    XML output format.

--json
    JSON output format.

--db
    Store results in database.

-v, --verbose
    Enable verbose output.

-h, --help
    Show help.

DESCRIPTION

dnsrecon is an open-source Python tool for comprehensive DNS reconnaissance and enumeration, widely used in penetration testing and security assessments. It performs various DNS queries to map a domain's infrastructure, identifying hosts, subdomains, mail servers, and services.

Core capabilities include standard record lookups (A, CNAME, MX, TXT, SRV), brute-force subdomain discovery with wordlists, zone transfer attempts (AXFR), Certificate Transparency log scraping, SRV record enumeration, TLD queries, SPF checks, and permutation-based scans. The enumeration type is selected with -t, which supports combinations; -a runs all tests.

dnsrecon can be configured with custom nameservers, timeouts, retries, threading, and port scanning on discovered hosts. Output is available as plain text, CSV, XML, or JSON, and integrated database storage aids large-scale recon. It suits the reconnaissance phase of ethical hacking: it reveals attack surfaces, but requires authorization to avoid legal issues.

Pre-installed in Kali Linux, it's efficient for both quick scans and deep dives, with verbose logging for analysis.

CAVEATS

Requires network access and permission; may be blocked by firewalls/IDS; high-volume scans can trigger rate limits or abuse detection.
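
The abuse detection mentioned above, seen from the defender's side. This is an added example, not part of dnsrecon or the original page: it flags zone-transfer requests from hosts that are not listed secondaries, and clients that query many distinct names under one zone, as dictionary enumeration does. The BIND-style log format, the sample lines, the IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# BIND-style query log line (assumed format; adapt to the resolver in use).
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>\S+)"
)

def detect(lines, zone, axfr_allowed=(), name_threshold=20):
    """Return (axfr_alerts, enum_alerts) for one zone.

    axfr_alerts: sorted client IPs that requested AXFR/IXFR but are not
                 listed as allowed secondaries.
    enum_alerts: {client_ip: distinct_name_count} for clients that asked for
                 at least name_threshold distinct names under the zone.
    """
    zone = zone.lower().rstrip(".")
    axfr, names = set(), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        ip, qtype = m["ip"], m["qtype"].upper()
        qname = m["qname"].lower().rstrip(".")
        if qname != zone and not qname.endswith("." + zone):
            continue  # query for some other zone
        if qtype in ("AXFR", "IXFR") and ip not in axfr_allowed:
            axfr.add(ip)
        names[ip].add(qname)
    enum = {ip: len(n) for ip, n in names.items() if len(n) >= name_threshold}
    return sorted(axfr), enum

def sample_log():
    """Constructed log: one allowed secondary, one normal client, one scanner."""
    fmt = ("01-Jan-2024 10:00:{:02d}.000 client {}#4{:04d} ({}): "
           "query: {} IN {} + (198.51.100.53)")
    rows = [("198.51.100.54", "example.com", "AXFR"),   # legitimate secondary
            ("192.0.2.10", "example.com", "AXFR"),      # unexpected transfer
            ("203.0.113.7", "www.example.com", "A"),
            ("203.0.113.7", "mail.example.com", "MX")]
    rows += [("192.0.2.10", f"host{i}.example.com", "A") for i in range(30)]
    return [fmt.format(i % 60, ip, i, q, q, t)
            for i, (ip, q, t) in enumerate(rows)]

if __name__ == "__main__":
    print(detect(sample_log(), "example.com", axfr_allowed={"198.51.100.54"}))
```

The threshold counts distinct names per client over whatever lines are passed in, so feed it one time window at a time.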

COMMON EXAMPLES

Standard lookup: dnsrecon -d example.com -t std
Brute-force: dnsrecon -d example.com -D dict.txt -t brt
All types: dnsrecon -d example.com -a

OUTPUT FORMATS

Supports text (default), --csv, --xml, --json for parsing; use --db for persistent storage in SQLite.

HISTORY

Developed by Carlos Perez (darkoperator) around 2006-2008; evolved into a mature Python tool by 2011; GitHub-hosted with ongoing updates; staple in Kali Linux since early versions for DNS recon.

SEE ALSO

dig(1), host(1), nslookup(1), dnsenum, fierce
