04. DNS Recon

Overview

dnsrecon is a DNS enumeration tool that gathers the DNS records of a target domain.

Basic Command

dnsrecon -d <domainname>

Key Features of dnsrecon

  1. Standard Record Enumeration: Retrieves common DNS records like A, AAAA, CNAME, MX, NS, etc.
  2. Zone Transfer Testing: Checks whether zone transfers (AXFR) are possible; a permitted transfer reveals sensitive information.
  3. Reverse Lookup: Performs PTR record lookups to find associated domain names for IP ranges.
  4. Brute Forcing: Attempts to find subdomains using wordlists.
  5. Wildcard Resolution Detection: Identifies wildcard DNS configurations.

Explanation of Results

  • A Records: Map domain names to IPv4 addresses.
  • AAAA Records: Map domain names to IPv6 addresses.
  • CNAME Records: Canonical names (aliases) for a domain.
  • MX Records: Mail exchange servers.
  • NS Records: Nameservers managing the domain.
  • PTR Records: Map IP addresses back to domain names (reverse DNS lookups).

Example

dnsrecon -d example.com

Output:

[+] A Records:
    www.example.com -> 192.0.2.1
[+] AAAA Records:
    ipv6.example.com -> 2001:db8::1
[+] MX Records:
    mail.example.com -> 192.0.2.2
[+] NS Records:
    ns1.example.com -> 192.0.2.3
    ns2.example.com -> 192.0.2.4

DNSDumpster

DNSDumpster is an online tool for passive DNS reconnaissance that provides a graphical overview of DNS records.

Website:

Visit DNSDumpster.

Features

  1. DNS Record Enumeration: Similar to dnsrecon, retrieves A, AAAA, MX, NS, TXT records.
  2. Subdomain Discovery: Lists associated subdomains.
  3. Reverse DNS Lookups: Identifies domains associated with IP ranges.
  4. Visual Map: Provides a graphical representation of DNS relationships.
  5. PTR Records: Offers reverse DNS resolution for IPs.

Explanation of Results

  • A Records: Map subdomains to IPs.
  • TXT Records: Carry additional information such as SPF or DKIM.
  • Graphical Map: Visualizes DNS infrastructure, such as servers and IP ranges.

Example Workflow

  1. Enter example.com into the DNSDumpster search bar.
  2. Analyze the graphical map and DNS records.

Results Example:

  • Subdomains:

    - api.example.com -> 192.0.2.10
    - mail.example.com -> 192.0.2.11
    
  • MX Records:

    mail.example.com -> 192.0.2.11
    
  • TXT Records:

    v=spf1 include:_spf.example.com ~all
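
The TXT record above is an SPF policy, and the same recon output is what a defender reviews for their own domains. The code below is an added example, not part of the original notes or of either tool: it parses such TXT records and flags weak or broken SPF policies. `audit_spf` and its report keys are hypothetical names, and it inspects only the top-level record (terms inside `include` targets also count toward the lookup limit).

```python
import re

# Terms that each cost one DNS query when a receiver evaluates the record;
# RFC 7208 section 4.6.4 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9._-]*)([:=/].*)?", re.I)

def audit_spf(txt_records):
    """Summarise the SPF policy published in a domain's TXT records."""
    report = {"all": None, "lookups": 0, "findings": []}
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        report["findings"].append(
            "no SPF record published" if not spf
            else "multiple v=spf1 records: receivers return permerror")
        return report
    has_redirect = False
    for term in spf[0].split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            report["findings"].append(f"unparseable term: {term}")
            continue
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            report["all"] = QUALIFIERS[qualifier]
            break  # terms after "all" are never evaluated
    notes = {
        "pass": "+all authorises every sender",
        "neutral": "?all asserts no policy",
        "softfail": "~all only marks unauthorised mail; -all lets receivers reject it",
        None: "no 'all' term: unmatched senders get a neutral result",
    }
    if report["all"] is None and has_redirect:
        report["lookups"] += 1  # policy continues in the redirect target
    elif report["all"] in notes:
        report["findings"].append(notes[report["all"]])
    if report["lookups"] > 10:
        report["findings"].append("more than 10 DNS-querying terms: permerror")
    return report

# Record copied from the DNSDumpster results example on this page.
PAGE_RECORD = "v=spf1 include:_spf.example.com ~all"

if __name__ == "__main__":
    print(audit_spf([PAGE_RECORD]))
```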
    

Notes Summary

| Tool | Key Features | Example Use Case |
|---|---|---|
| DNSRecon | Active DNS enumeration, zone transfer | Find subdomains, test zone transfer vulnerability, retrieve DNS records. |
| DNSDumpster | Passive DNS enumeration, visual mapping | Graphical representation of DNS infrastructure, passive information gathering about DNS records. |

Important Considerations

  • Always have proper authorization before performing active DNS reconnaissance (e.g., with dnsrecon).
  • DNSDumpster is passive: it does not interact directly with the target's DNS servers, so it is safe for preliminary investigation.