DNSRecon – DNS Enumeration Script

DNSRecon is a Python-based DNS enumeration script designed to help you audit your DNS security and configuration as part of the information gathering stage of a pen-test. DNS reconnaissance is an important step when mapping out domain resources, sub-domains, e-mail servers and so on, and it can often lead to you finding an old DNS entry pointing to an unmaintained, insecure server.

It’s also considered passive information gathering, as it’s a way to gather a map of company/target resources without alerting IDS/IPS systems by doing active probes/scans.


DNSRecon provides the ability to perform:

  • Check all NS Records for Zone Transfers
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  • Perform common SRV Record Enumeration
  • Top Level Domain (TLD) Expansion
  • Check for Wildcard Resolution
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist
  • Perform a PTR Record lookup for a given IP Range or CIDR
  • Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check
  • Enumerate Common mDNS records in the Local Network
  • Enumerate Hosts and Subdomains using Google


root@root:~# dnsrecon -h
Usage: dnsrecon.py
  -h, --help          Show this help message and exit
  -d, --domain        Domain to Target for enumeration.
  -r, --range         IP Range for reverse look up brute force in formats (first-last)
                      or in (range/bitmask).
  -n, --name_server   Domain server to use, if none is given the SOA of the
                      target will be used
  -D, --dictionary    Dictionary file of sub domain and hostnames to use for
                      brute force.
  -f                  Filter out of Brute Force Domain lookup records that resolve to
                      the wildcard defined IP Address when saving records.
  -t, --type          Specify the type of enumeration to perform:
                      std       To Enumerate general record types, enumerates.
                                SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                NS Servers fail.
                      rvl       To Reverse Look Up a given CIDR IP range.
                      brt       To Brute force Domains and Hosts using a given
                                dictionary.
                      srv       To Enumerate common SRV Records for a given
                                domain.
                      axfr      Test all NS Servers in a domain for misconfigured
                                zone transfers.
                      goo       Perform Google search for sub domains and hosts.
                      snoop     To Perform a Cache Snooping against all NS
                                servers for a given domain, testing all with
                                file containing the domains, file given with -D
                                option.
                      tld       Will remove the TLD of given domain and test against
                                all TLDs registered in IANA
                      zonewalk  Will perform a DNSSEC Zone Walk using NSEC Records.
  -a                  Perform AXFR with the standard enumeration.
  -s                  Perform Reverse Look up of ipv4 ranges in the SPF Record of the
                      targeted domain with the standard enumeration.
  -g                  Perform Google enumeration with the standard enumeration.
  -w                  Do deep whois record analysis and reverse look up of IP
                      ranges found thru whois when doing standard query.
  -z                  Performs a DNSSEC Zone Walk with the standard enumeration.
  --threads           Number of threads to use in Range Reverse Look up, Forward
                      Look up Brute force and SRV Record Enumeration
  --lifetime          Time to wait for a server to response to a query.
  --db                SQLite 3 file to save found records.
  --xml               XML File to save found records.
  --iw                Continua bruteforcing a domain even if a wildcard record resolution is discovered.
  -c, --csv           Comma separated value file.
  -v                  Show attempts in the bruteforce modes.
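
The "Check for Wildcard Resolution" feature and the -f option both deal with the same problem: in a zone with a wildcard record every name resolves, so a wordlist audit reports hosts that do not exist. The following is an added example, not DNSRecon's own code, showing the idea against a constructed in-memory zone; the zone data, the stand-in `resolve` function and all other names are assumptions made for illustration.

```python
import secrets

# Constructed zone for the example: two real hosts plus a wildcard record.
ZONE = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.25"},
    "*.example.test": {"192.0.2.99"},
}


def resolve(name, zone=ZONE):
    """Stand-in resolver (hypothetical): exact match first, then the wildcard."""
    if name in zone:
        return set(zone[name])
    parent = name.split(".", 1)[1] if "." in name else ""
    return set(zone.get("*." + parent, set()))


def wildcard_addresses(domain, resolver=resolve, probes=3):
    """Resolve random labels that cannot exist; any answer means a wildcard."""
    found = set()
    for _ in range(probes):
        found |= resolver(f"{secrets.token_hex(8)}.{domain}")
    return found


def check_wordlist(domain, words, resolver=resolve, filter_wildcard=True):
    """Return {host: addresses}; with filtering on, wildcard-only answers are dropped."""
    wild = wildcard_addresses(domain, resolver)
    results = {}
    for word in words:
        host = f"{word}.{domain}"
        addrs = resolver(host)
        if not addrs:
            continue
        if filter_wildcard and wild and addrs <= wild:
            continue  # answer is indistinguishable from the wildcard record
        results[host] = addrs
    return results


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "dev"]
    print("filtered:  ", check_wordlist("example.test", words))
    print("unfiltered:", check_wordlist("example.test", words, filter_wildcard=False))
```

Without filtering, "vpn" and "dev" appear as live hosts even though only the wildcard answers for them, which is the noise the filter removes from saved results.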