Exploring 'dnsx': A Comprehensive DNS Toolkit (with examples)
‘dnsx’ is a powerful and versatile DNS toolkit aimed at efficiently performing a variety of DNS queries. It stands out due to its speed and multi-purpose nature, making it suitable for both simple and complex DNS tasks. As a command-line tool developed by ProjectDiscovery, ‘dnsx’ suits penetration testers, system administrators, and network engineers needing rapid and extensive DNS information. This toolkit can handle queries for numerous DNS records types, facilitating better network management and security assessments. Below are different use cases illustrating the capabilities of ‘dnsx’ in various scenarios.
Use case 1: Query the A record of a (sub)domain and show response received
Code:
echo example.com | dnsx -a -re
Motivation: Querying for A records is fundamental when trying to resolve a domain name to its corresponding IP address. This use case is essential for network diagnostics and ensuring that a domain is correctly pointing to the appropriate server.
Explanation:
echo example.com
: This command sends the domain “example.com” as input todnsx
.dnsx
: The core command executing the DNS query.-a
: This flag specifies that an A record query should be conducted, focusing on the IPv4 address mapping.-re
: This argument ensures the response of the query is displayed, giving immediate feedback on the resolution status.
Example Output:
example.com [93.184.216.34]
The output displays the domain and its resolved IPv4 address, demonstrating successful DNS resolution.
Use case 2: Query all the DNS records (A, AAAA, CNAME, NS, TXT, SRV, PTR, MX, SOA, AXFR, CAA)
Code:
dnsx -recon -re <<< example.com
Motivation: This comprehensive query fetches all types of DNS records for a domain, which is valuable for thoroughly understanding a domain’s DNS configuration. Such exhaustive queries are useful in security audits and network assessments.
Explanation:
dnsx
: The command-line tool being used.-recon
: This parameter triggers the tool to perform a reconnaissance by querying all identifiable DNS records related to the domain.-re
: This ensures all responses are printed out, allowing for a complete overview of the domain’s DNS structure.<<< example.com
: This syntax passes “example.com” to the command in a manner suitable for certain shells, enabling smooth input processing.
Example Output:
A [93.184.216.34]
CNAME [cname.example.com]
MX [10 mx.example.com]
NS [ns1.example.com, ns2.example.com]
...
The result provides a list of various DNS records, shedding light on the different components and services associated with the domain.
Use case 3: Query a specific type of DNS record
Code:
echo example.com | dnsx -re -a
Motivation: Users often need to resolve a specific DNS record type to diagnose issues or confirm configurations. By specifying the record type, users can target their queries for precise information.
Explanation:
echo example.com
: This prefaces the pipeline with the target domain.dnsx
: Executes the query command.-re
: Shows the response received.-a
: Specifies the focus on A records, but this could be replaced with options likeaaaa
,cname
, etc., to target different records.
Example Output:
example.com [93.184.216.34]
The output specifically fetches the A record for the domain, confirming its IP address.
Use case 4: Output response only
Code:
echo example.com | dnsx -ro
Motivation: Sometimes, the context of the query isn’t as crucial as just the result. This command is beneficial when generating reports or logs that only require the outcome without additional details.
Explanation:
echo example.com
: Initiates input processing with the target domain.dnsx
: Runs the query.-ro
: Reduces the output to only the response, omitting the queried domain information for brevity.
Example Output:
93.184.216.34
Here, only the resolution result is displayed, which can be more suitable for automation and scripted environments.
Use case 5: Display raw response of a query, specifying resolvers to use and retry attempts for failures
Code:
echo example.com | dnsx -debug -resolver 1.1.1.1,8.8.8.8 -retry 3
Motivation: In complex network environments, queries may need troubleshooting involving different DNS resolvers or multiple attempts due to intermittent failures. This setup helps detail exactly how the query is processed and identifies issues more effectively.
Explanation:
echo example.com
: Supplies the domain for querying.dnsx
: Undertakes DNS querying.-debug
: Enables a detailed and raw view of the DNS response for in-depth analysis.-resolver 1.1.1.1,8.8.8.8
: Specifies alternative DNS servers to use for resolution, catering to issues with default resolvers.-retry 3
: Attempts the query multiple times if there are initial failures, enhancing robustness.
Example Output:
RAW DNS RESPONSE:
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60108
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 299 IN A 93.184.216.34
...
The raw response showcases various DNS packet details, assisting in troubleshooting complex DNS issues.
Use case 6: Brute force DNS records using a placeholder
Code:
dnsx -domain FUZZ.example.com -wordlist path/to/wordlist.txt -re
Motivation: This approach is ideal for penetration testing where potential subdomains need discovery. It systematically queries DNS records based on a provided wordlist, identifying misconfigured or forgotten entries.
Explanation:
dnsx
: Executes brute force operations.-domain FUZZ.example.com
: UsesFUZZ
as a placeholder, which will be replaced by each word from the provided list.-wordlist path/to/wordlist.txt
: Specifies the path of the wordlist, which contains potential subdomain names.-re
: Outputs all responses, aiding in recognition of discovered records.
Example Output:
admin.example.com [93.184.216.35]
blog.example.com [93.184.216.36]
...
The process uncovers existing subdomains, not evident through standard queries, thus enhancing security posture through discovery.
Use case 7: Brute force DNS records from a list of domains and wordlists, appending output to a file with no color codes
Code:
dnsx -domain path/to/domain.txt -wordlist path/to/wordlist.txt -re -output path/to/output.txt -no-color
Motivation: In scenarios requiring large-scale analysis across multiple domains, systematic brute forcing paired with output control is crucial for effective auditing and later reference. This command supports tasks requiring automation and documentation without formatting distractions.
Explanation:
dnsx
: Conducts multiple record queries.-domain path/to/domain.txt
: Accepts a file with multiple domain entries for batch processing.-wordlist path/to/wordlist.txt
: Uses a wordlist to systematically test potential DNS entries.-re
: Ensures responses are listed for each successful query.-output path/to/output.txt
: Saves results to a specified file, crucial for later review or reporting.-no-color
: Disables color codes, making outputs more suitable for plain text files and further script processing.
Example Output (in output.txt
):
admin.example.com [93.184.216.35]
blog.example.com [93.184.216.36]
...
This setup provides comprehensive results, facilitating batch processing and reporting without interface concerns.
Use case 8: Extract CNAME records for the given list of subdomains, with rate limiting DNS queries per second
Code:
subfinder -silent -d example.com | dnsx -cname -re -rl 10
Motivation: Extracting CNAME records at controlled query rates is essential when working with large datasets or in environments sensitive to network load. This practice helps balance efficiency with performance constraints.
Explanation:
subfinder -silent -d example.com
: Generates a list of subdomains from the primary domain “example.com” to serve as input for further querying.|
: Pipes the output ofsubfinder
as input intodnsx
.dnsx
: Executes the CNAME extraction process.-cname
: Focuses specifically on retrieving CNAME records.-re
: Displays resolved queries.-rl 10
: Limits DNS query execution to 10 queries per second, maintaining network performance standards.
Example Output:
www.example.com CNAME www.redirect.example.com
api.example.com CNAME api.internal.example.com
...
Such targeted queries at controlled rates offer critical insights into domain structure while conserving network resources.
Conclusion:
‘dnsx’ emerges as a significant tool in the toolkit of network professionals, security analysts, and IT administrators by providing extensive DNS query capabilities. From simple A record resolutions to complex brute-force subdomain discovery, its functionalities cover a wide range of tasks with precise control over outputs and execution parameters. This article has highlighted diverse scenarios where ‘dnsx’ can be effectively employed, demonstrating its versatility and necessity in robust DNS management and auditing.