DNSRECON(1) | General Commands Manual | DNSRECON(1) |
NAME
dnsrecon - DNS Enumeration and Scanning Tool
SYNOPSIS
dnsrecon [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY] [-f] [-a] [-s] [-b] [-k] [-w] [-z] [-y] [--threads THREADS] [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV] [-j JSON] [--iw] [--disable_check_recursion] [--disable_check_bindversion] [-v] [-V] [-t TYPE]
DESCRIPTION
dnsrecon is a simple Python script that gathers DNS-oriented information on a given target.
OPTIONS
- -h, --help
- Show help message and exit.
- -d DOMAIN, --domain DOMAIN
- Target domain.
- -n NS_SERVER, --name_server NS_SERVER
- Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list.
- -r RANGE, --range RANGE
- IP range for reverse lookup brute force, in the format (first-last) or (range/bitmask).
- -D DICTIONARY, --dictionary DICTIONARY
- Dictionary file of subdomains and hostnames to use for brute force.
- -f
- When saving records, filter out of the brute force domain lookup any records that resolve to the wildcard-defined IP address.
- -a
- Perform AXFR with standard enumeration.
- -b
- Perform Bing enumeration with standard enumeration.
- -s
- Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration.
- -y
- Perform Yandex enumeration with standard enumeration.
- -k
- Perform crt.sh enumeration with standard enumeration.
- -w
- Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration.
- -z
- Perform a DNSSEC zone walk with standard enumeration.
- --threads THREADS
- Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration.
- --lifetime LIFETIME
- Time to wait for a server to respond to a query. Default is 3.
- --tcp
- Use TCP protocol to make queries.
- --db DB
- SQLite 3 file to save found records.
- -x XML, --xml XML
- XML file to save found records.
- -c CSV, --csv CSV
- Comma separated value file.
- -j JSON, --json JSON
- JSON file.
- --iw
- Continue brute forcing a domain even if wildcard records are discovered.
- --disable_check_recursion
- Disable the check for recursion on name servers.
- --disable_check_bindversion
- Disable the check for BIND version on name servers.
- -v
- Enable verbose output.
- -V
- Show version
- -t TYPE, --type TYPE
- Type of enumeration to perform. There are several possible types:
- • std: SOA, NS, A, AAAA, MX and SRV.
- • rvl: Reverse lookup of a given CIDR or IP range.
- • brt: Brute force domains and hosts using a given dictionary.
- • srv: SRV records.
- • axfr: Test all NS servers for a zone transfer.
- • bing: Perform Bing search for subdomains and hosts.
- • yand: Perform Yandex search for subdomains and hosts.
- • crt: Perform crt.sh search for subdomains and hosts.
- • snoop: Perform cache snooping against all NS servers for a given domain, testing each server with the domains listed in the file given with the -D option.
- • tld: Remove the TLD of the given domain and test against all TLDs registered with IANA.
- • zonewalk: Perform a DNSSEC zone walk using NSEC records.
EXAMPLES
- Attempt a zone transfer (AXFR) on the zonetransfer.me domain:
- dnsrecon -t axfr -d zonetransfer.me
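
Why the wildcard filtering behind -f and --iw matters when auditing your own zone, shown as an added example that is not dnsrecon's own code. The zone data, the `resolve` stand-in and the random-label probe are assumptions constructed for illustration; it also shows that filtering by address drops a real host that shares the wildcard IP.

```python
import secrets

# Constructed zone for illustration: explicit records plus a wildcard answer.
ZONE = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.25"},
    "old.example.test": {"203.0.113.7"},  # real record sharing the wildcard IP
}
WILDCARD = {"203.0.113.7"}  # returned for any name without its own record


def resolve(name):
    """Hypothetical stand-in for a DNS A lookup against the zone above."""
    return ZONE.get(name, WILDCARD)


def wildcard_addresses(domain, resolver, probes=3):
    """Resolve random labels that should not exist.

    Any address that comes back is a wildcard-defined address.
    """
    found = set()
    for _ in range(probes):
        found |= resolver(f"{secrets.token_hex(8)}.{domain}")
    return found


def brute_force(domain, words, resolver, filter_wildcard=True):
    """Return {name: addresses} for dictionary words that resolve.

    With filter_wildcard=True, names whose answers consist only of
    wildcard addresses are dropped, since they prove nothing about
    whether the host exists.
    """
    wild = wildcard_addresses(domain, resolver) if filter_wildcard else set()
    hits = {}
    for word in words:
        name = f"{word}.{domain}"
        addrs = resolver(name)
        if addrs and not addrs <= wild:
            hits[name] = addrs
    return hits


if __name__ == "__main__":
    words = ["www", "mail", "old", "vpn", "dev"]
    print(brute_force("example.test", words, resolve, filter_wildcard=False))
    print(brute_force("example.test", words, resolve))
```

Without filtering, every dictionary word appears to exist; with filtering, only `www` and `mail` remain, and `old` has to be confirmed some other way, for example from the zone file.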