dnsrecon - DNS Enumeration and Scanning Tool
dnsrecon [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
         [-f] [-t TYPE] [-a] [-b] [-k] [-w] [-z] [-y] [--threads THREADS]
         [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV] [-j JSON]
         [--iw] [--disable_check_recursion] [--disable_check_bindversion]
         [-v] [-V]
dnsrecon is a simple Python script that gathers DNS-oriented information
on a given target.
- -h, --help
- show help message and exit
- -d DOMAIN, --domain DOMAIN
- Target domain.
- -n NS_SERVER, --name_server NS_SERVER
- Domain server to use. If none is given, the SOA of the target will be
used. Multiple servers can be specified using a comma-separated list.
- -r RANGE, --range RANGE
- IP range for reverse lookup brute force, given as (first-last) or as
(range/bitmask).
- -D DICTIONARY, --dictionary DICTIONARY
- Dictionary file of subdomains and hostnames to use for brute force. Filter
out of the brute force domain lookup any records that resolve to the
wildcard-defined IP address when saving records.
- -f
- Filter out of the brute force domain lookup any records that resolve to
the wildcard-defined IP address when saving records.
- -a
- Perform AXFR with standard enumeration.
- -s
- Perform a reverse lookup of IPv4 ranges in the SPF record with standard
enumeration.
- -y
- Perform Yandex enumeration with standard enumeration.
- -b
- Perform Bing enumeration with standard enumeration.
- -k
- Perform crt.sh enumeration with standard enumeration.
- -w
- Perform deep whois record analysis and reverse lookup of IP ranges found
through Whois when doing a standard enumeration.
- -z
- Performs a DNSSEC zone walk with standard enumeration.
- --threads THREADS
- Number of threads to use in reverse lookups, forward lookups, brute force
and SRV record enumeration.
- --lifetime LIFETIME
- Time to wait for a server to respond to a query. Default is 3.
- --tcp
- Use TCP protocol to make queries.
- --db DB
- SQLite 3 file to save found records.
- -x XML, --xml XML
- XML file to save found records.
- -c CSV, --csv CSV
- Comma separated value file.
- -j JSON, --json JSON
- JSON file.
- --iw
- Continue brute forcing a domain even if wildcard records are
discovered.
- --disable_check_recursion
- Disables check for recursion on name servers
- --disable_check_bindversion
- Disables check for BIND version on name servers
- -v
- Enable verbose
- -V
- Show version
- -t TYPE, --type TYPE
- Type of enumeration to perform. There are several possible types:
  • std: SOA, NS, A, AAAA, MX and SRV.
  • rvl: Reverse lookup of a given CIDR or IP range.
  • brt: Brute force domains and hosts using a given dictionary.
  • srv: SRV records.
  • axfr: Test all NS servers for a zone transfer.
  • bing: Perform Bing search for subdomains and hosts.
  • yand: Perform Yandex search for subdomains and hosts.
  • crt: Perform crt.sh search for subdomains and hosts.
  • snoop: Perform cache snooping against all NS servers for a given
    domain, testing each with the file of domains given with the -D option.
  • tld: Remove the TLD of the given domain and test against all TLDs
    registered in IANA.
  • zonewalk: Perform a DNSSEC zone walk using NSEC records.
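
The two RANGE formats accepted by -r (first-last and range/bitmask) and the PTR names an rvl reverse lookup would query can be checked before a run with the added example below. It is not dnsrecon's own code: it uses Python's standard ipaddress module, and the names parse_range, ptr_names and MAX_ADDRESSES are hypothetical.

```python
import ipaddress

# Assumed safety cap (not a dnsrecon limit): keeps a mistyped bitmask from
# expanding into millions of reverse lookups outside the agreed scope.
MAX_ADDRESSES = 65536


def parse_range(spec):
    """Return (first, last) for 'first-last' or 'range/bitmask' input."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts a host address inside the network,
        # e.g. 192.0.2.5/28 is read as 192.0.2.0/28.
        net = ipaddress.ip_network(spec, strict=False)
        first, last = net[0], net[-1]
    elif "-" in spec:
        start, _, end = spec.partition("-")
        first = ipaddress.ip_address(start.strip())
        last = ipaddress.ip_address(end.strip())
        if first.version != last.version:
            raise ValueError("range mixes IPv4 and IPv6")
        if int(first) > int(last):
            raise ValueError("range start is after range end")
    else:
        raise ValueError("expected first-last or range/bitmask")
    if int(last) - int(first) + 1 > MAX_ADDRESSES:
        raise ValueError("range larger than MAX_ADDRESSES")
    return first, last


def ptr_names(spec):
    """List the PTR query name for every address in the range."""
    first, last = parse_range(spec)
    addr_type = type(first)  # IPv4Address or IPv6Address
    return [addr_type(n).reverse_pointer
            for n in range(int(first), int(last) + 1)]


if __name__ == "__main__":
    # Constructed sample inputs from the documentation range 192.0.2.0/24.
    for sample in ("192.0.2.0/30", "192.0.2.254-192.0.3.1"):
        print(sample, "->", ptr_names(sample))
```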