DNSRecon

DNSRecon is a versatile open-source tool designed for DNS enumeration and information gathering.

Purpose: DNSRecon assists in discovering and extracting valuable information related to DNS records, subdomains, and zone transfers.

Key Features:

  • Subdomain Enumeration

  • Zone Transfer Analysis

  • Brute-Force Dictionary Attacks

  • DNSSEC (DNS Security Extensions) Support

  • WHOIS Information Retrieval

Examples:

  1. General Enumeration:

    kali@kali:~$ dnsrecon -d jawad.ca -t std     
    [*] std: Performing General Enumeration against: jawad.ca...
    [-] DNSSEC is not configured for jawad.ca
    [*]      SOA dns1.registrar-servers.com 156.154.132.200
    [*]      SOA dns1.registrar-servers.com 2610:a1:1024::200
    [*]      NS dns1.registrar-servers.com 156.154.132.200
    [*]      Bind Version for 156.154.132.200 Nameserver"
    [*]      NS dns1.registrar-servers.com 2610:a1:1024::200
    [*]      NS dns2.registrar-servers.com 156.154.133.200
    [*]      Bind Version for 156.154.133.200 Nameserver"
    [*]      NS dns2.registrar-servers.com 2610:a1:1025::200
    [*]      MX mx1.privateemail.com 198.54.122.240
    [*]      MX mx2.privateemail.com 198.54.122.250
    [*]      A jawad.ca 185.199.110.153
    [*]      A jawad.ca 185.199.111.153
    [*]      A jawad.ca 185.199.109.153
    [*]      A jawad.ca 185.199.108.153
    [*]      TXT jawad.ca v=spf1 include:spf.privateemail.com ~all
    [*] Enumerating SRV Records
    [+]      SRV _autodiscover._tcp.jawad.ca privateemail.com 198.54.122.136 443
    [+] 1 Records Found
    

  2. Zone Transfer Analysis:

    kali@kali:~$ dnsrecon -d jawad.ca -t zonewalk
    [*] Performing NSEC Zone Walk for jawad.ca
    [*] Getting SOA record for jawad.ca
    [*] Name Server 156.154.132.200 will be used
    [*]      A jawad.ca 185.199.110.153
    [*]      A jawad.ca 185.199.108.153
    [*]      A jawad.ca 185.199.111.153
    [*]      A jawad.ca 185.199.109.153
    [+] 4 records found
    

    Conducts a comprehensive zone transfer analysis to identify authoritative name servers.

  3. Brute-Force Dictionary Attack:

    dnsrecon -d example.com -D /path/to/wordlist.txt

    Executes a dictionary attack on the domain "example.com" using a specified wordlist, uncovering potential subdomains.

  4. DNSSEC Support:

    dnsrecon -d example.com -a

    Retrieves DNSSEC information for the domain "example.com," highlighting the presence of DNS security extensions.

  5. WHOIS Information Retrieval:

    dnsrecon -d example.com -w

    Fetches WHOIS information for the domain "example.com," providing insights into domain registration details.

Resources:

Last updated