DOKK / manpages / debian 10 / dnsrecon / dnsrecon.1.en
DNSRECON(1) dnsrecon - DNS Enumeration Tool DNSRECON(1)

dnsrecon - DNS Enumueration and Scanning Tool

dnsrecon <options>


-h, --help
Show help message and exit


-d, --domain <domain>
Domain to Target for enumeration.


-r, --range <range>
IP Range for reverse look-up brute force in formats (first-last)
or in (range/bitmask).


-n, --name_server <name>
Domain server to use, if none is given the SOA of the
target will be used


-D, --dictionary <file>
Dictionary file of sub-domain and hostnames to use for
brute force.


-f Filter out of Brute Force Domain lookup records that resolve
to the wildcard defined IP Address when saving records.


-t, --type <types>


std To Enumerate general record types, enumerates.
SOA, NS, A, AAAA, MX and SRV if AXRF on the
NS Servers fail.
rvl To Reverse Look Up a given CIDR IP range.


brt To Brute force Domains and Hosts using a given
dictionary.


srv To Enumerate common SRV Records for a given
domain.


axfr Test all NS Servers in a domain for misconfigured
zone transfers.


goo Perform Google search for sub-domains and hosts.


bing Perform Bing search for sub-domains and hosts.


crt Perform crt.sh search for subdomains and hosts.


snoop To Perform a Cache Snooping against all NS
servers for a given domain, testing all with
file containing the domains, file given with -D
option.


tld Will remove the TLD of given domain and test against
all TLD's registered in IANA


-a Perform AXFR with the standard enumeration.


-s Perform Reverse Look-up of ipv4 ranges in the
SPF Record of the targeted domain with the
standard enumeration.


-g Perform Google enumeration with the standard
enumeration.


-b Perform Bing enumeration with the standard enumeration.


-k Perform crt.sh enumeration with standard enumeration.


-w Do deep whois record analysis and
reverse look-up of IP ranges found thru whois
when doing standard query.


-z Performs a DNSSEC Zone Walk with the standard
enumeration.


--threads <number>
Number of threads to use in Range Reverse Look-up,
Forward Look-up Brute force
and SRV Record Enumeration

--lifetime <number>
Time to wait for a server to response to a query.


--db <file> SQLite 3 file to save found records.


--xml <file> XML File to save found records.


--iw Continue brute forcing a domain even if a wildcard
records are discovered.


-c, --csv <file> Comma separated value file.


-j, --json <file> JSON file.


-v Show attempts in the bruteforce modes.

I wrote this tool back in late 2006 and it has been my favorite tool for enumeration thru DNS, in great part because I wrote it and it gives the output in a way that I can manipulate it in my own style. One of the features that I used the most and gave me excellent results is the SRV record enumeration.

Standard Record Enumeration for a given domain (A, NS, SOA and MX). Top Leven Domain Expansion for a given domain. Zone Transfer against all NS records of a given domain. Reverse Lookup against a given IP Range given a start and end IP.

_gc._tcp.
_kerberos._tcp.
_kerberos._udp.
_ldap._tcp.
_test._tcp.
_sips._tcp.
_sip._udp.
_sip._tcp.
_aix._tcp.
_aix._tcp.
_finger._tcp.
_ftp._tcp.
_http._tcp.
_nntp._tcp.
_telnet._tcp.
_whois._tcp.
_h323cs._tcp.
_h323cs._udp.
_h323be._tcp.
_h323be._udp.
_h323ls._tcp.
_h323ls._udp.

Carlos Perez, Carlos_Perez@darkoperator.com

Copyright (C) 2012 Carlos Perez

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Applies version 2 of the License.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

March 23, 2013 0.8.1