DNSRecon is used in the information-gathering stage of a penetration test engagement. When a penetration tester performs DNS reconnaissance, he is trying to obtain as much information as he can about the DNS servers and their records. The information gathered can disclose the company's network infrastructure without alerting the IDS/IPS. This is because most organizations do not monitor their DNS server traffic, and those that do monitor only zone transfer attempts.

A variety of tools on the web can gather DNS information effectively, but this article focuses on DNSRecon, a tool developed by Carlos Perez and designed to perform DNS reconnaissance. It is included in BackTrack and is written in Python.

Below is the list of things that we can do using the DNSRecon tool:

  • Top level domain expansion (Zone Walking and Zone Transfer)

  • Reverse Lookup against IP range

  • Perform general DNS query for NS, SOA and MX records (Standard Record Enumeration)

  • Cache snooping against Name Servers

  • Google Scanning for Sub Domains and Host


1. Top level domain Expansion:

First, we should understand what top-level domains are. A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet. For example, in www.mywebsite.com, .com is the top-level domain. Expansion usually occurs for websites that use country codes as their top-level domains, e.g. .in, .uk, .au. As the name suggests, top-level domain expansion means expanding your domain from one region to another, which is also known as zone transfer; when zones are not correctly configured, we can extract almost all internal records of a domain, which is also known as zone walking. So we can use DNSRecon for multiple purposes, i.e. zone walking and zone transfer. Let's understand both of them in detail, i.e. how we use DNSRecon to exploit both of these features:

a. Zone Transfer:

The security problem with DNS zone transfer is that it can be used to decipher the topology of a company's network. Specifically, when a user performs a zone transfer, the client sends a DNS query to list all DNS information such as name servers, host names, MX and CNAME records, the zone serial number, Time to Live values, etc. Because of the amount of information that can be obtained, DNS servers that allow zone transfers are not easy to find nowadays. However, DNSRecon provides the ability to perform zone transfers, and we can use the following commands to perform one:

dnsrecon  -d <mywebsite.com> -a

or you can use the command below:

dnsrecon  -d <mywebsite.com> -t axfr

2. Reverse Lookup against IP range:

DNSRecon can perform a reverse lookup for PTR (pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration, use the command:

dnsrecon  -r <startIP>-<endIP>

For example:

dnsrecon  -r

Reverse lookup can also be performed against all ranges in SPF records with the command:

dnsrecon  -d <domain> -s
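
To see what an SPF record offers to this kind of sweep, the added example below (not part of DNSRecon or of the original article) parses an SPF string, lists each published range with its size, and flags RFC 1918 space that should not appear in a public record. The function names, the RFC 1918 check and the second record are assumptions made for illustration; the first record is the TXT value from the sample output further down.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def spf_ranges(txt):
    """Parse one SPF TXT string; return (networks, include_domains)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, includes = [], []
    for term in terms[1:]:
        # Drop the optional qualifier (+ - ~ ?) before splitting mechanism:value.
        key, _, value = term.lstrip("+-~?").partition(":")
        key = key.lower()
        if key in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if net.version == int(key[2]):  # ignore ip4:<IPv6 address> and vice versa
                nets.append(net)
        elif key == "include" and value:
            includes.append(value.lower())  # the ranges live in another domain's record
    return nets, includes

def audit(txt):
    """Return ([(cidr, address_count, is_rfc1918), ...], include_domains)."""
    nets, includes = spf_ranges(txt)
    rows = []
    for net in nets:
        internal = net.version == 4 and any(net.overlaps(r) for r in RFC1918)
        rows.append((str(net), net.num_addresses, internal))
    return rows, includes

# TXT value from the article's sample output, and a constructed record.
PAGE_RECORD = "v=spf1 include:_spf.google.com ~all"
CONSTRUCTED = "v=spf1 ip4:192.0.2.0/24 ip4:10.20.0.5 ip6:2001:db8::/32 include:_spf.example.net -all"

if __name__ == "__main__":
    for record in (PAGE_RECORD, CONSTRUCTED):
        rows, includes = audit(record)
        print(record)
        for cidr, size, internal in rows:
            note = "  <-- internal range published" if internal else ""
            print(f"  {cidr:<18} {size} addresses{note}")
        print(f"  includes: {includes}")
```
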

3. Domain Brute Force Enumeration:

To perform domain brute forcing, we supply a name list, and DNSRecon tries to resolve the A, AAAA and CNAME records against the domain by trying each entry one by one.
To perform a domain brute-force attack, type the command below:

dnsrecon  -d <domain> -D <namelist> -t brt

For example:

dnsrecon  -d hackingloops.com -D namelist.txt -t brt
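
The introduction notes that most organizations watch only for zone transfer attempts. The added example below (not from the original article or from DNSRecon) shows detection logic that also catches the reverse-lookup sweep and the dictionary brute force described above. The log format, the function names and every threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

FORWARD = {"A", "AAAA", "CNAME"}  # record types the brute-force mode resolves

def build_sample():
    """Constructed log lines: '<epoch> <client> <qname> <qtype> <rcode>'."""
    lines = ["1700000000 198.51.100.7 example.com AXFR REFUSED"]
    for i in range(30):  # dictionary guesses, mostly non-existent names
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"
        lines.append(f"{1700000010 + i} 198.51.100.7 host{i}.example.com A {rcode}")
    for i in range(1, 26):  # PTR lookups walking 192.0.2.1-25
        lines.append(f"{1700000100 + i} 203.0.113.9 {i}.2.0.192.in-addr.arpa PTR NXDOMAIN")
    for i, name in enumerate(["www", "mail", "www"]):  # ordinary client
        lines.append(f"{1700000200 + i} 192.0.2.44 {name}.example.com A NOERROR")
    return lines

def detect(lines, window=60, min_names=20, nx_ratio=0.7, min_ptr=20):
    """Return [(client, finding), ...]; the thresholds are assumptions to tune."""
    alerts, per_client = [], defaultdict(list)
    for line in lines:
        ts, client, qname, qtype, rcode = line.split()
        if qtype in ("AXFR", "IXFR"):  # any transfer request, refused or not
            alerts.append((client, "zone-transfer"))
        per_client[client].append((int(ts), qname.lower(), qtype, rcode))
    for client, events in per_client.items():
        events.sort()
        found, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            fwd = [e for e in win if e[2] in FORWARD]
            nx = sum(e[3] == "NXDOMAIN" for e in fwd)
            # Many distinct names, most of which do not exist: dictionary guessing.
            if len({e[1] for e in fwd}) >= min_names and nx / len(fwd) >= nx_ratio:
                found.add("forward-bruteforce")
            # Many distinct PTR names from one client: reverse sweep of a range.
            if len({e[1] for e in win if e[2] == "PTR"}) >= min_ptr:
                found.add("reverse-sweep")
        alerts += [(client, kind) for kind in sorted(found)]
    return alerts

if __name__ == "__main__":
    for client, kind in detect(build_sample()):
        print(f"{client}\t{kind}")
```
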

4. Cache Snooping against name servers:

DNS cache snooping happens when the DNS server has a specific DNS record cached. This DNS record will often reveal plenty of information about the name servers and other DNS information. However, DNS cache snooping does not happen very often because servers normally do not cache DNS records.
The command used to perform cache snooping is as follows:

dnsrecon  -t snoop -n server -D <dictionary file>

For example:

dnsrecon  -t snoop -n <server IP address> -D dictionary.txt

5. Standard Records Enumeration:

Standard enumeration is generally used to gather information about name servers, SOA and MX records. To perform standard enumeration, use the command below:

dnsrecon  -d <domain>

For example:

dnsrecon  -d hackingloops.com

DNSRecon provides a lot of other options. It is an extremely useful tool for gathering plenty of information about DNS records.

Syntax:

dnsrecon.py <options>

Options:

   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.

                               rvl      To Reverse Look Up a given CIDR IP range.

                               brt      To Brute force Domains and Hosts using a given

                               srv      To Enumerate common SRV Records for a given 


                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.

                               goo      Perform Google search for sub-domains and hosts.

                               snoop    To Perform a Cache Snooping against all NS 
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D

                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA

                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   -c, --csv          <file>   Comma separated value file.
   -v                          Show attempts in the bruteforce modes.


cyborg@cyborg:~$ sudo dnsrecon -d google.com -a
[*] Performing General Enumeration of Domain: google.com
[*] Checking for Zone Transfer for google.com name servers
[*] Resolving SOA Record
[*] 	 SOA ns4.google.com
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS ns1.google.com
[*] 	NS ns4.google.com
[*] 	NS ns3.google.com
[*] 	NS ns2.google.com
[*] Removing any duplicate NS server IP Addresses...
[*] Trying NS server
[*] Has port 53 TCP Open
[-] Zone Transfer Failed!
[*] Trying NS server
[*] Has port 53 TCP Open
[-] Zone Transfer Failed!
[*] Trying NS server
[*] Has port 53 TCP Open
[-] Zone Transfer Failed!
[*] Trying NS server
[*] Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] DNSSEC is not configured for google.com
[*] 	 SOA ns4.google.com
[*] 	 NS ns1.google.com
[*] 	 NS ns4.google.com
[*] 	 NS ns2.google.com
[*] 	 NS ns3.google.com
[*] 	 MX alt1.aspmx.l.google.com
[*] 	 MX alt3.aspmx.l.google.com
[*] 	 MX alt2.aspmx.l.google.com
[*] 	 A google.com
[*] 	 AAAA google.com 2404:6800:4007:805::200e
[*] 	 TXT google.com v=spf1 include:_spf.google.com ~all
[*] Enumerating SRV Records
[*] 	 SRV _ldap._tcp.google.com ldap.google.com 389 0
[*] 	 SRV _xmpp-client._tcp.google.com xmpp.l.google.com 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com xmpp.l.google.com 2404:6800:4003:c01::7d 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt4.xmpp.l.google.com 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt4.xmpp.l.google.com 2607:f8b0:4001:c07::7d 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt1.xmpp.l.google.com 2404:6800:4008:c01::7d 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt3.xmpp.l.google.com 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt3.xmpp.l.google.com 2607:f8b0:4003:c02::7d 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt2.xmpp.l.google.com 5222 0
[*] 	 SRV _xmpp-client._tcp.google.com alt2.xmpp.l.google.com 2607:f8b0:400e:c03::7d 5222 0
[*] 	 SRV _xmpp-server._tcp.google.com alt3.xmpp-server.l.google.com no_ip 5269 0
[*] 	 SRV _xmpp-server._tcp.google.com alt1.xmpp-server.l.google.com 5269 0
[*] 	 SRV _xmpp-server._tcp.google.com alt2.xmpp-server.l.google.com 5269 0
[*] 	 SRV _xmpp-server._tcp.google.com alt4.xmpp-server.l.google.com no_ip 5269 0
[*] 	 SRV _xmpp-server._tcp.google.com xmpp-server.l.google.com 5269 0
[*] 	 SRV _jabber-client._tcp.google.com alt4.xmpp.l.google.com 5222 0
[*] 	 SRV _jabber-client._tcp.google.com alt4.xmpp.l.google.com 2607:f8b0:4001:c07::7d 5222 0
[*] 	 SRV _jabber-client._tcp.google.com xmpp.l.google.com no_ip 5222 0
[*] 	 SRV _jabber-client._tcp.google.com alt2.xmpp.l.google.com 5222 0
[*] 	 SRV _jabber-client._tcp.google.com alt3.xmpp.l.google.com 5222 0
[*] 	 SRV _jabber-client._tcp.google.com alt3.xmpp.l.google.com 2607:f8b0:4003:c08::7d 5222 0
[*] 	 SRV _jabber-client._tcp.google.com alt1.xmpp.l.google.com 5222 0
[*] 	 SRV _jabber-client._tcp.google.com alt1.xmpp.l.google.com 2404:6800:4008:c01::7d 5222 0
[*] 23 Records Found



©2018 Ztrela Knowledge Solutions Pvt. Ltd
