What is dnsrecon?

Dnsrecon is a tool written in Python for the exhaustive enumeration of DNS records. It belongs early in reconnaissance, right after identifying the target domain and before subdomain fuzzing.

Key Enumeration Objectives

  • Discover subdomains and hidden records (A, AAAA, CNAME).
  • Identify misconfigured Zone Transfers (AXFR) (a high-severity finding).
  • Map the network infrastructure (MX, NS, SOA, TXT).
  • Detect insecure or poorly implemented configurations (DNSSEC, TXT/SPF/DMARC).

Installation

Option A — System Repository (Debian/Ubuntu):

sudo apt update
sudo apt install dnsrecon -y

Option B — Cloning the Repository (recommended for the latest version):

git clone https://github.com/darkoperator/dnsrecon.git
cd dnsrecon

# Install dependencies (if requirements.txt exists)
python3 -m pip install --user -r requirements.txt || true

# Install the tool
python3 setup.py install

Verify Installation

dnsrecon -h

Main Options

|Option|Description                                           |Example                      |
|------|------------------------------------------------------|-----------------------------|
| -d   |Target domain                                         |-d target.com                |
| -t   |Enumeration type (std, brt, srv, axfr, zonewalk, etc.)|-t std                       |
| -D   |Wordlist for subdomain brute force                    |-D wordlist.txt              |
| -n   |Specific DNS server (resolver) to query               |-n 8.8.8.8                   |
| -r   |IP range for PTR lookup (reverse)                     |-r 192.168.1.0-192.168.1.255 |
| -s   |SRV server scanning                                   |-t srv                       |
| -a   |Force zone transfer attempt (AXFR)                    |-d target.com -a             |
| -z   |Zone walking with NSEC                                |-t zonewalk                  |
| -j   |Save results in JSON                                  |-j results.json              |
| -c   |Save results in CSV                                   |-c results.csv               |

Strategic Scans

  • 1. Standard Enumeration (-t std): Collects NS, MX, A, AAAA, SOA, TXT records.
dnsrecon -d target.com -t std -j dns_std.json

Key Output: Look for TXT records to discover external services (SPF, DKIM, DMARC, verification tokens) and MX records to map mail servers.

  • 2. Zone Transfer (-t axfr or -a) (High Severity!)
dnsrecon -d target.com -a

Key Output: If successful, the full zone is returned, including all internal subdomains. If it fails, the output is short and simply reports that the transfer was not possible.

  • 3. Subdomain Brute Force (-t brt)
dnsrecon -d target.com -D /path/to/seclists/subdomains.txt -t brt -j dns_brute.json

Improvement: Use -n 1.1.1.1,8.8.8.8 to spread queries across several resolvers, which improves the success rate and reduces the chance of being rate limited.

  • 4. Reverse lookup (-r)
dnsrecon -r 192.0.2.0-192.0.2.255 -n 8.8.8.8

Usage: Useful if you know specific IP ranges of the organization. It can reveal internal host names through PTR records.

Usage Strategy in Bug Bounty

A professional workflow not only executes commands but analyzes and prepares the data for the next step.

1. Initial Phase: Collection and Mapping

  • Standard and Basic: Run the standard scan saving the result.
dnsrecon -d target.com -t std -j target_std.json -c target_std.csv
  • Quick Analysis: Inspect the output.
# Filter only MX and TXT records from the JSON file
# (dnsrecon writes one JSON array, so grepping line by line does not work; use jq)
jq '.[] | select(.type == "MX" or .type == "TXT")' target_std.json

→ Action: MX and TXT records often reveal third-party technology (AWS, Azure, G Suite, etc.) or security policies (SPF, DMARC).

2. Critical Transfer and Security Phase

  • AXFR Test: This is a must. If it works, it is a critical finding.
dnsrecon -d target.com -a
  • Zone Walking (DNSSEC): If the domain uses DNSSEC, try zone walking to enumerate subdomains.
dnsrecon -d target.com -t zonewalk -j target_zonewalk.json

3. Expansion Phase: Brute Force and Pivoting

  • Advanced Brute Force: Use a quality wordlist (e.g., SecLists) with multiple trusted resolvers.
dnsrecon -d target.com -D /path/to/wordlist.txt -t brt -n 1.1.1.1,8.8.8.8,9.9.9.9 -j target_brute.json
  • Consolidation: Concatenate the JSON/CSV outputs from std, axfr, zonewalk, and brt to create a master list of subdomains.

4. Integration (Pipeline)

Use the master list of subdomains for the next steps of reconnaissance: active resolution (with tools like dnsx or massdns) or port probing (with naabu or masscan).

# Example integration: extracting the names of A records and feeding them to dnsx
# (select the records with jq rather than grep, since the file is a single JSON array)
jq -r '.[] | select(.type == "A") | .name' target_brute.json | sort -u | dnsx -resp -cname -o final_subdomains.txt
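The "Quick Analysis", "Consolidation" and "Integration" steps above all boil down to parsing dnsrecon's JSON output. The following script is an added example (not part of the original post and not dnsrecon's own code) that does that in Python: it loads the JSON files, builds the master list of in-scope host names, lists the third-party hosts that MX/CNAME/NS records point at, and grades the SPF and DMARC TXT records. The sample records are constructed, and the field names ("name", "target", "exchange", "strings") are assumed from dnsrecon's JSON format; adjust them if your version writes different keys.

```python
import json
import re

# Constructed sample output in the shape dnsrecon writes with -j: a JSON array
# whose first element is scan metadata and whose remaining elements are records.
# Field names are assumed from dnsrecon's JSON output (adjust if yours differ).
STD_JSON = json.dumps([
    {"arguments": "-d target.com -t std", "date": "2024-01-01"},
    {"type": "NS", "target": "ns1.target.com", "address": "192.0.2.1"},
    {"type": "MX", "exchange": "aspmx.l.google.com", "address": "192.0.2.2"},
    {"type": "TXT", "name": "target.com",
     "strings": "v=spf1 include:_spf.google.com +all"},
    {"type": "TXT", "name": "_dmarc.target.com",
     "strings": "v=DMARC1; p=none; rua=mailto:dmarc@target.com"},
    {"type": "TXT", "name": "target.com", "strings": "google-site-verification=abc123"},
    {"type": "A", "name": "www.target.com", "address": "192.0.2.10"},
])
BRT_JSON = json.dumps([
    {"arguments": "-d target.com -t brt", "date": "2024-01-01"},
    {"type": "A", "name": "dev.target.com", "address": "192.0.2.20"},
    {"type": "CNAME", "name": "shop.target.com", "target": "shops.saas-provider.example"},
    {"type": "A", "name": "www.target.com", "address": "192.0.2.10"},
])


def load_records(raw):
    """Parse a dnsrecon JSON document and drop the metadata object (it has no 'type')."""
    return [r for r in json.loads(raw) if isinstance(r, dict) and "type" in r]


def records_of_type(records, *types):
    return [r for r in records if r.get("type") in types]


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def consolidate_hosts(domain, *record_sets):
    """Master list of in-scope host names across std/axfr/zonewalk/brt outputs.
    Service labels such as _dmarc are skipped: they are not hosts to probe."""
    hosts = set()
    for records in record_sets:
        for r in records:
            for key in ("name", "target", "exchange"):
                value = (r.get(key) or "").rstrip(".").lower()
                if not value or not _in_domain(value, domain):
                    continue
                if value.split(".")[0].startswith("_"):
                    continue
                hosts.add(value)
    return sorted(hosts)


def external_targets(records, domain):
    """Hosts outside the domain that MX/CNAME/NS records point at: third-party
    mail, SaaS and hosting providers, and candidates for a stale-record review."""
    out = set()
    for r in records_of_type(records, "MX", "CNAME", "NS"):
        value = (r.get("exchange") or r.get("target") or "").rstrip(".").lower()
        if value and not _in_domain(value, domain):
            out.add(value)
    return sorted(out)


def audit_mail_policies(records):
    """Grade the SPF and DMARC TXT records: 'ok', 'missing', or the weak setting found."""
    txts = records_of_type(records, "TXT")
    spf = [r.get("strings", "") for r in txts if r.get("strings", "").startswith("v=spf1")]
    dmarc = [r.get("strings", "") for r in txts
             if r.get("name", "").startswith("_dmarc.")
             and r.get("strings", "").startswith("v=DMARC1")]
    findings = {}
    if not spf:
        findings["spf"] = "missing"
    elif any(re.search(r"\s\+all\b", s) for s in spf):
        findings["spf"] = "+all (any sender passes)"
    else:
        findings["spf"] = "ok"
    if not dmarc:
        findings["dmarc"] = "missing"
    else:
        m = re.search(r"\bp=(\w+)", dmarc[0])
        policy = m.group(1).lower() if m else "missing"
        findings["dmarc"] = "ok" if policy in ("quarantine", "reject") else f"p={policy} (monitor only)"
    return findings


if __name__ == "__main__":
    std = load_records(STD_JSON)
    brt = load_records(BRT_JSON)
    print("hosts:", consolidate_hosts("target.com", std, brt))
    print("third parties:", external_targets(std + brt, "target.com"))
    print("mail policy:", audit_mail_policies(std))
```

In practice you would replace the constructed strings with the contents of the `-j` files (`open("target_std.json").read()`), pass every scan's records to `consolidate_hosts`, and write the resulting list to the file that dnsx or massdns reads. The mail-policy check is the defensive half of the "Key Output" advice: an SPF record ending in `+all` or a DMARC policy of `p=none` is a finding to report, not just a technology fingerprint.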

Integration with Other Tools

  • Amass: Complementary passive/active enumeration.
amass enum -d target.com -o amass.txt
  • Subfinder: Additional source of subdomains.
subfinder -d target.com -o subfinder.txt
  • Dnsx: Mass resolution and verification.
dnsx -l subdomains.txt -resp -silent -o alive.txt

Best Practices and Mitigation

Best Practices

  • Quality Wordlists: Use high-performance wordlists for brute force testing (e.g., from SecLists).
  • Cross-Validation: Always validate the tool's results with other enumeration tools (Amass, Subfinder, dnsx) to ensure coverage.
  • Resolver Rotation: Employ the -n option with several different resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9) to avoid being blocked by rate limiting.

Mitigation Recommendations

  • AXFR: Disable Zone Transfer (AXFR) for public DNS servers and strictly limit its use only to internal or authorized resolvers.
  • DNSSEC: Configure DNSSEC correctly: a plain NSEC chain lets anyone walk the zone, so use NSEC3 (or NSEC/NSEC3 "white lies") to prevent enumeration through zone walking.
  • TXT Records: Minimize exposed TXT records, removing internal tokens, non-public emails, or sensitive details.
  • Infrastructure: Ensure that every subdomain exposed through DNS records is inventoried, still points to an asset you control, and is covered by access controls.
