At Hack3rCon today I had a chance to sit in on Carlos “@carlos_perez” Perez’s DNSRecon talk. This awesome tool brings together all the tips and tricks that Carlos has learned and used over the years into one easy-to-use package. Yeah, there are already scripts like Fierce that go out and dump almost everything imaginable; however, Carlos, like many of us, wanted something a little more strategic. He wrote the original DNSRecon script in Ruby several years back but recently ported it to Python due to the limited DNS-related libraries in Ruby at the time. And the good news is that most of us already have this tool available if you have an up-to-date version of Backtrack. You’ll find it in the /pentest/enumeration/dns/dnsrecon directory.

The core option that must be included is -d followed by the domain, as shown in the example below. By default this standard query returns the SOA, NS, A, AAAA, MX, and SRV records for the domain. Optionally, you can use --domain in place of -d. For most users this standard query is where we’ll probably start.

./ -d <domain>

Carlos has also added a number of options to augment this standard query to quickly return additional information embedded deeper within DNS. Here’s a quick printout of the relevant options from DNSRecon’s help output.

  • -a: Perform AXFR with the standard enumeration.
  • -s: Perform Reverse Look-up of ipv4 ranges in the SPF Record of the targeted domain with the standard enumeration.
  • -g: Perform Google enumeration with the standard enumeration.
  • -w: Do deep whois record analysis and reverse look-up of IP ranges found thru whois when doing standard query.
  • -z: Performs a DNSSEC Zone Walk with the standard enumeration.
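To make the -s option concrete, here is an added example (my own code, not part of the original post or of DNSRecon itself) of the first half of that technique: pulling the ip4: mechanisms out of a domain's SPF TXT record and turning each address in those ranges into the PTR name a reverse look-up would query. The SPF string is constructed for illustration and the hostnames are not real; include: mechanisms would need a further TXT lookup and are deliberately not followed here.

```python
import ipaddress

# Constructed SPF record for illustration only (not any real domain's TXT data).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/29 ip4:198.51.100.10 include:_spf.example.net a mx -all"


def spf_ip4_ranges(txt):
    """Return the ip4: mechanisms of an SPF record as IPv4Network objects.

    Non-SPF strings and malformed ip4: terms are ignored rather than raising,
    since a recon run should keep going past one bad record.
    """
    if not txt.startswith("v=spf1"):
        return []
    nets = []
    for term in txt.split():
        # Strip the optional qualifier (+, -, ~, ?) that may prefix a mechanism.
        term = term.lstrip("+-~?")
        if term.lower().startswith("ip4:"):
            try:
                # strict=False lets a bare host (no /prefix) become a /32.
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            except ValueError:
                continue  # malformed mechanism, skip it
    return nets


def reverse_lookup_targets(txt):
    """Expand each ip4: range into (address, PTR name) pairs for reverse look-ups.

    /31 and /32 networks have no 'host' addresses in the classic sense, so every
    address in them is included; larger networks skip network/broadcast addresses.
    """
    targets = []
    for net in spf_ip4_ranges(txt):
        hosts = list(net) if net.prefixlen >= 31 else list(net.hosts())
        for ip in hosts:
            targets.append((str(ip), ip.reverse_pointer))
    return targets


if __name__ == "__main__":
    for ip, ptr in reverse_lookup_targets(SAMPLE_SPF):
        print(ip, "->", ptr)
```

The second half, actually resolving each PTR name and recording which ones answer, is what DNSRecon does over the network; the list above is exactly the input that step needs.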

There is another whole set of parameters you can use with the -t or --type option to skip the standard query and perform more targeted reconnaissance. At this time these parameters include:

  • rvl: To Reverse Look Up a given CIDR IP range.
  • brt: To Brute force Domains and Hosts using a given dictionary.
  • srv: To Enumerate common SRV Records for a given domain.
  • axfr: Test all NS Servers in a domain for misconfigured zone transfers.
  • goo: Perform Google search for sub-domains and hosts.
  • snoop: To Perform a Cache Snooping against all NS servers for a given domain, testing all with file containing the domains, file given with -D option.
  • tld: Will remove the TLD of given domain and test against all TLD’s registered in IANA
  • zonewalk: Will perform a DNSSEC Zone Walk using NSEC Records.
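The zonewalk type relies on a property of NSEC records: each one names the next owner in the zone's canonical order, and the last one points back to the apex, so following the chain enumerates every name in the zone. As an added example (my own code, not DNSRecon's, and not from the original post), the walk below runs against a constructed NSEC chain for a hypothetical signed zone; the lookup function is a plain dictionary stand-in for the DNS query DNSRecon would issue for each name. It also handles the two ways a live walk goes wrong: a missing NSEC record and a chain that loops without returning to the apex.

```python
# Constructed NSEC chain for a hypothetical zone (names and ordering are invented).
# Maps each owner name to the "next owner" field of its NSEC record.
SAMPLE_NSEC = {
    "example.com.":        "ftp.example.com.",
    "ftp.example.com.":    "mail.example.com.",
    "mail.example.com.":   "vpn-gw.example.com.",
    "vpn-gw.example.com.": "www.example.com.",
    "www.example.com.":    "example.com.",   # last record wraps back to the apex
}


def nsec_zone_walk(apex, nsec_lookup, max_steps=10000):
    """Enumerate a zone by following NSEC next-owner pointers from the apex.

    nsec_lookup(name) must return the next owner name from that name's NSEC
    record, or None when no NSEC record can be obtained. Returns the names in
    zone order. Raises ValueError on a broken or looping chain, and max_steps
    bounds the walk so a hostile server cannot keep us going forever.
    """
    names = []
    current = apex
    for _ in range(max_steps):
        names.append(current)
        nxt = nsec_lookup(current)
        if nxt is None:
            raise ValueError(f"chain broken at {current}: no NSEC record")
        if nxt == apex:
            return names          # walked the whole zone
        if nxt in names:
            raise ValueError(f"NSEC chain loops back to {nxt} without reaching the apex")
        current = nxt
    raise ValueError(f"walk exceeded {max_steps} steps")


if __name__ == "__main__":
    # Against a real server the lookup would be a DNS query; here it is the dict.
    for name in nsec_zone_walk("example.com.", SAMPLE_NSEC.get):
        print(name)
```

Zones signed with NSEC3 hash the owner names instead, which is why the option is specifically an NSEC walk; the same loop works, but each step yields a hash that has to be cracked offline before it tells you anything.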

DNSRecon also includes several output options to simplify later analysis. Currently, the supported formats include sqlite (--db <file>), xml (--xml <file>), and csv (--csv <file>). Finally, under the main DNSRecon directory are two useful scripts for parsing through the results (./tools/) and importing the results into Metasploit (./msf_plugin/dnsr_import.rb).
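Here is an added example (my own code, not the original post's and not one of DNSRecon's bundled tools) of the kind of post-processing those output files are for: loading the CSV into records and answering the two questions a tester usually asks first, which names share an IP and which SRV records expose a service port. The column layout (Type,Name,Address,Target,Port,String) is my assumption about the CSV header, and the rows are constructed sample data, not real output from any domain.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout assumed for dnsrecon --csv output.
# None of these hosts or addresses are real.
SAMPLE_CSV = """Type,Name,Address,Target,Port,String
SOA,example.com,192.0.2.10,ns1.example.com,,
NS,example.com,192.0.2.10,ns1.example.com,,
NS,example.com,192.0.2.11,ns2.example.com,,
A,www.example.com,192.0.2.20,,,
A,blog.example.com,192.0.2.20,,,
MX,example.com,192.0.2.30,mail.example.com,,
SRV,_ldap._tcp.example.com,192.0.2.40,dc1.example.com,389,
TXT,example.com,,,,"v=spf1 ip4:192.0.2.0/28 -all"
"""


def parse_dnsrecon_csv(text):
    """Parse CSV text into a list of dicts keyed by the header columns."""
    return list(csv.DictReader(io.StringIO(text)))


def hosts_by_ip(rows):
    """Map each address to the sorted names that point at it.

    Several names on one IP usually means virtual hosting or a shared front end,
    which matters for scoping later web testing. Records without an address
    (e.g. TXT) are skipped; for NS/MX/SRV the Target is the host that actually
    owns the address, so it is preferred over the queried Name.
    """
    by_ip = defaultdict(set)
    for r in rows:
        if not r["Address"]:
            continue
        by_ip[r["Address"]].add(r["Target"] or r["Name"])
    return {ip: sorted(names) for ip, names in by_ip.items()}


def count_by_type(rows):
    """Record-type histogram, a quick sanity check that the run covered what you expected."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["Type"]] += 1
    return dict(counts)


def service_ports(rows):
    """(service, target host, port) for every SRV record, i.e. services worth a port scan."""
    return [
        (r["Name"], r["Target"], int(r["Port"]))
        for r in rows
        if r["Type"] == "SRV" and r["Port"]
    ]


if __name__ == "__main__":
    rows = parse_dnsrecon_csv(SAMPLE_CSV)
    print(count_by_type(rows))
    for ip, names in sorted(hosts_by_ip(rows).items()):
        print(ip, ", ".join(names))
    for svc, host, port in service_ports(rows):
        print(svc, "->", f"{host}:{port}")
```

To run it on a real file, replace SAMPLE_CSV with the contents of the file written by --csv and check that the header matches before trusting the column names.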

But overall that pretty much covers a basic description of DNSRecon’s capabilities. For more information be sure to check out Carlos’s blog as well as its GitHub repo.


What have your experiences been with DNSRecon? Let us know in the comments below. Today’s post pic is from See ya!

15 comments for “HOWTO – DNSRecon”

  1. October 20, 2012 at 8:38 pm

    BLOGGED: DNSRecon from Hack3rCon 3

  2. October 20, 2012 at 9:59 pm

    DNSRecon from Hack3rCon 3

  3. October 21, 2012 at 8:29 am

    DNSRecon from Hack3rCon 3

  4. December 29, 2012 at 9:36 am

    Best Of: How-To – DNSRecon

  5. April 9, 2013 at 11:29 pm

    Best Of: How-To – DNSRecon

  6. May 5, 2013 at 6:04 pm

    @NimbleSec also mentioned as well over on the Twitters. Thanks!

  7. March 10, 2014 at 11:52 am

    Best Of: How-To – DNSRecon

  8. July 4, 2014 at 7:21 pm

    Best Of: HOWTO – DNSRecon

  9. Juan
    October 13, 2014 at 4:03 am

    Having trouble importing dnsrecon results into msf database via db_import. Any help with this?

  10. November 8, 2014 at 7:56 am

    Thanks for the question. Unfortunately, I can’t help you there. Haven’t had a chance to play with Metasploit in a year or so.

  11. January 27, 2015 at 9:55 pm

    Best Of: HOWTO – DNSRecon

  12. Xaneth
    September 23, 2015 at 10:31 pm

    I didn’t like the XML import, because it would only import the IP address and not the hostname. I edited the dnsr_import.rb file and fixed it so that it properly imports both IP address and name. Does a great job of reverse DNS lookup against an entire local subnet without the need for zone transfer rights.

  13. Xaneth
    September 23, 2015 at 10:40 pm
  14. Xaneth
    September 23, 2015 at 10:40 pm

    This file goes (by default of course) into /usr/share/metasploit-framework/plugins and you have to load it in msfconsole with “load dnsr_import”

  15. Xaneth
    September 23, 2015 at 10:45 pm

    Sorry, bad link with a typo, use this one:
