Scroll to navigation

DNSRECON(1) General Commands Manual DNSRECON(1)

NAME

dnsrecon - DNS Enumeration and Scanning Tool

SYNOPSIS

dnsrecon [-h][-dDOMAIN][-nNS_SERVER][-rRANGE][-DDICTIONARY]
[-f] [-t TYPE] [-a] [-s] [-g] [-b] [-k] [-w] [-z]
[--threads THREADS] [--lifetime LIFETIME] [--tcp] [--db DB]
[-x XML] [-c CSV] [-j JSON] [--iw]
[--disable_check_recursion] [--disable_check_bindversion]
[-v]

DESCRIPTION

dsnrecon is a simple python script that enables to gather DNS-oriented information on a given target.

OPTIONS


-h, --help show help message and exit
-d DOMAIN, --domain DOMAIN
Target domain.
-n NS_SERVER, --name_server NS_SERVER
Domain server to use. If none is given, the SOA of the
target will be used. Multiple servers can be specified
using a comma separated list.
-r RANGE, --range RANGE
IP range for reverse lookup brute force in formats
(first-last) or in (range/bitmask).
-D DICTIONARY, --dictionary DICTIONARY
Dictionary file of subdomain and hostnames to use for
brute force. Filter out of brute force domain lookup,
records that resolve to the wildcard defined IP
address when saving records.
-f Filter out of brute force domain lookup, records that
resolve to the wildcard defined IP address when saving
records.
-a Perform AXFR with standard enumeration.
-s Perform a reverse lookup of IPv4 ranges in the SPF
record with standard enumeration.
-g Perform Google enumeration with standard enumeration.
-b Perform Bing enumeration with standard enumeration.
-k Perform crt.sh enumeration with standard enumeration.
-w Perform deep whois record analysis and reverse lookup
of IP ranges found through Whois when doing a standard
enumeration.
-z Performs a DNSSEC zone walk with standard enumeration.
--threads THREADS Number of threads to use in reverse lookups, forward
lookups, brute force and SRV record enumeration.
--lifetime LIFETIME Time to wait for a server to respond to a query. default is 3.
--tcp Use TCP protocol to make queries.
--db DB SQLite 3 file to save found records.
-x XML, --xml XML XML file to save found records.
-c CSV, --csv CSV Comma separated value file.
-j JSON, --json JSON JSON file.
--iw Continue brute forcing a domain even if wildcard
records are discovered.
--disable_check_recursion
Disables check for recursion on name servers
--disable_check_bindversion
Disables check for BIND version on name servers
-v Enable verbose
-t TYPE, --type TYPE Type of enumeration to perform.
Possible types:
std: SOA, NS, A, AAAA, MX and SRV.
rvl: Reverse lookup of a given CIDR or IP range.
brt: Brute force domains and hosts using a given dictionary.
srv: SRV records.
axfr: Test all NS servers for a zone transfer.
bing: Perform Bing search for subdomains and hosts.
yand: Perform Yandex search for subdomains and hosts.
crt: Perform crt.sh search for subdomains and hosts.
snoop: Perform cache snooping against all NS servers for a given domain, testing
all with file containing the domains, file given with -D option.
tld: Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk: Perform a DNSSEC zone walk using NSEC records.

EXAMPLES

dnsrecon -t axfr -d zonetransfer.me