DNSRecon

Advanced DNS enumeration tool for querying various DNS record types and performing zone transfers

Recon & OSINT10 commands

#dns#recon#enumeration#subdomain#python

Installation

1Install via pip or package manager

2Verify Python 3 is available

3Test the installation

# Using pip
pip install dnsrecon

# Kali Linux
apt install dnsrecon

# macOS
brew install dnsrecon

# Verify
dnsrecon --help

Basic Usage

DNSRecon queries DNS records to map a target's infrastructure, including common record types, zone transfers, reverse lookups, and brute force subdomain discovery

# Standard enumeration (A, AAAA, MX, NS, SOA, TXT)
dnsrecon -d example.com

# SRV record enumeration
dnsrecon -d example.com -t srv

# Zone transfer attempt
dnsrecon -d example.com -t axfr

# Reverse lookup on a CIDR range
dnsrecon -r 192.168.1.0/24

# Brute force subdomains with a wordlist
dnsrecon -d example.com -D subdomains.txt -t brt

Command Reference

10 commands

1Target domain name

-d <domain>

2Scan type (std, srv, rev, brt, axfr, all)

-t <type>

3Wordlist file for brute force

-D <file>

4Perform zone transfer against all discovered NS records

-a

5Perform SRV record enum (equivalent to -t srv)

-s

6Reverse lookup on CIDR range

-r <range>

7Brute force subdomains (equivalent to -t brt)

-b

8Perform DNSSEC zone walk

-z

9Custom DNS server to query

-n <server>

10Verbose output

-v

When to Use

Mapping all DNS records for a target domain

Checking for zone transfer vulnerabilities

Discovering additional subdomains via brute force

Performing reverse DNS lookups on IP ranges

Enumerating SRV records for service discovery

Notes & Tips

Zone transfers (-t axfr) rarely succeed on modern DNS servers

Brute force effectiveness depends heavily on wordlist quality

Can be rate-limited; consider adding delays or rotating DNS servers

Combine with other tools like subfinder for comprehensive results

Common Errors & Solutions

Timeout or no response from DNS server

Use -n to specify a different DNS server (e.g. 8.8.8.8)

No zone transfer available

Zone transfers are typically disabled; fall back to brute force or dictionary scanning (-t brt)

Dictionary file not found

Verify the wordlist path with -D; ensure the file exists and is readable

# Standard enumeration (A, AAAA, MX, NS, SOA, TXT) dnsrecon -d example.com # SRV record enumeration dnsrecon -d example.com -t srv # Zone transfer attempt dnsrecon -d example.com -t axfr # Reverse lookup on a CIDR range dnsrecon -r 192.168.1.0/24 # Brute force subdomains with a wordlist dnsrecon -d example.com -D subdomains.txt -t brt