How to use the command 'dnsrecon' (with examples)
- Linux
- December 17, 2024
‘dnsrecon’ is a versatile command-line tool designed for DNS enumeration. DNS enumeration involves collecting and querying DNS data about a domain to gather insights about its infrastructure. This information can be crucial for security assessments, penetration testing, and network troubleshooting. ‘dnsrecon’ provides various options and arguments to tailor these inquiries to suit different purposes, facilitating tasks such as zone transfers, reverse lookups, and DNS cache snooping.
Scan a domain and save the results to an SQLite database
Code:
dnsrecon --domain example.com --db path/to/database.sqlite
Motivation: Storing DNS enumeration results in an SQLite database is particularly beneficial for historical data analysis, audit trails, and correlation with other datasets. By centralizing the data, users can efficiently query past results, analyze trends, and potentially identify changes or anomalies over time.
Explanation:
--domain example.com: Specifies the target domain to scan.--db path/to/database.sqlite: Instructs ‘dnsrecon’ to save the results of the scan into an SQLite database at the specified path. This allows the user to maintain a persistent, structured storage of the collected information.
Example Output: The command generates an SQLite database file containing tables and entries related to the DNS records found for the domain ’example.com’. Each entry comprises data such as record type, host, and data.
Scan a domain, specifying the nameserver and performing a zone transfer
Code:
dnsrecon --domain example.com --name_server nameserver.example.com --type axfr
Motivation: A zone transfer lists all DNS records in a domain, often including subdomains not publicly visible. While it’s typically restricted to authorized requests, testing for zone transfer vulnerabilities is crucial as the exposure can be detrimental, revealing a comprehensive view of the domain’s network structure.
Explanation:
--domain example.com: Identifies the specific domain for which to attempt the zone transfer.--name_server nameserver.example.com: Specifies the particular DNS server to query for performing the zone transfer.--type axfr: Directs ‘dnsrecon’ to perform an AXFR (Authoritative Zone Transfer), querying the DNS server for a complete zone file if accessible.
Example Output: If successful, ‘dnsrecon’ returns all the DNS records from ’example.com’ as served by ’nameserver.example.com’, including all subdomains, A, AAAA, CNAME, MX, and TXT records, among others.
Scan a domain, using a brute-force attack and a dictionary of subdomains and hostnames
Code:
dnsrecon --domain example.com --dictionary path/to/dictionary.txt --type brt
Motivation: A brute-force attack using a dictionary file can help discover hidden subdomains or internal hostnames that may not be evident through standard DNS queries or search engines. This approach can uncover applications or systems potentially vulnerable or misconfigured.
Explanation:
--domain example.com: Denotes the domain where subdomains will be probed.--dictionary path/to/dictionary.txt: Provides the path to a file containing a list of potential subdomains to test against the target domain.--type brt: Specifies the type of enumeration as a brute-force attack, systematically testing each entry in the dictionary file against the domain.
Example Output: The output includes successfully resolved subdomains and their corresponding IP addresses, revealing additional network assets associated with ’example.com’.
Scan a domain, performing a reverse lookup of IP ranges from the SPF record and saving the results to a JSON file
Code:
dnsrecon --domain example.com -s --json
Motivation: Reverse lookups on IP ranges from SPF records can map out the underlying network infrastructure, providing insights into the domains and hosts related to specific IPs. Saving the findings as a JSON file enhances data portability and eases integration with other tools or systems that process JSON data.
Explanation:
--domain example.com: Sets the domain to analyze, focusing specifically on extracting IP ranges from SPF records.-s: Triggers ‘dnsrecon’ to resolve IP ranges specified in the domain’s SPF DNS records through reverse lookups.--json: Directs the storage of the scan results in a JSON format, suitable for structured data representation.
Example Output: A JSON file containing resolved hostnames for IP ranges found in the SPF records, along with associated metadata, such as record type and host.
Scan a domain, performing a Google enumeration and saving the results to a CSV file
Code:
dnsrecon --domain example.com -g --csv
Motivation: When direct DNS enumeration faces restrictions, leveraging web search engines like Google can identify public subdomains and associated resources based on indexed DNS data. Storing results in a CSV file allows investigators to manipulate the data in spreadsheet applications for further analysis or reporting.
Explanation:
--domain example.com: The specified domain for Google-based DNS enumeration.-g: Engages ‘dnsrecon’ in utilizing Google search results to identify subdomains related to the domain.--csv: Exports the results of the Google enumeration to a CSV file for easy reading, sorting, and analysis.
Example Output: A CSV file documenting the public subdomains and DNS records observed in Google’s indexed search results concerning ’example.com’.
Scan a domain, performing DNS cache snooping
Code:
dnsrecon --domain example.com --type snoop --name_server nameserver.example.com --dictionary path/to/dictionary.txt
Motivation: DNS cache snooping can reveal interests or recent queries directed at a DNS server from various clients. This information is valuable in understanding what domains or resources are frequently accessed from specific networks, which could highlight potential security concerns.
Explanation:
--domain example.com: Sets the domain to be used when attempting cache snooping against the DNS server.--type snoop: Engages ‘dnsrecon’ in performing cache snooping to check if certain domain queries are cached and, thus, likely queried.--name_server nameserver.example.com: Specifies the target DNS server to perform cache snooping.--dictionary path/to/dictionary.txt: Provides a list of domains to test against the DNS server’s cache, searching for already cached queries.
Example Output: A log that highlights which domain queries from the dictionary are cached by ’nameserver.example.com’, suggesting recent interest or access by its clients.
Scan a domain, performing zone walking
Code:
dnsrecon --domain example.com --type zonewalk
Motivation: Zone walking allows the extraction of DNSSEC-protected DNS records by leveraging the NSEC (next secure record) information, which can reveal more details about a domain than standard queries. Zone walking is valuable in assessing the completeness and exposure of DNS records under DNSSEC protection.
Explanation:
--domain example.com: Sets the target domain for which the zone walking operation will attempt to traverse DNS records.--type zonewalk: Commands ‘dnsrecon’ to perform NSEC-based traversal to attempt listing all DNS records in DNSSEC-protected zones.
Example Output: The output consists of DNSSEC record chains that are accessible through zone walking techniques, listing domain names and resource records within the ’example.com’ zone.
Conclusion:
Across a variety of scenarios, ‘dnsrecon’ offers users the ability to delve into the intricacies of a domain’s DNS setup. Whether for security purposes, troubleshooting, or increasing one’s knowledge of DNS configuration, ‘dnsrecon’ presents a robust suite of tools tailored to different aspects of DNS enumeration. By utilizing specific arguments and options, users can customize their queries to fit precise needs, ultimately gaining a deeper understanding of network infrastructures.
