dnsrecon Cheatsheet
Type: Versatile DNS reconnaissance — multiple techniques, customisable output formats
Installation
sudo apt install dnsrecon
# or install from source (run the tool from the cloned directory)
git clone https://github.com/darkoperator/dnsrecon.git
cd dnsrecon
pip3 install -r requirements.txt
Basic Usage
dnsrecon -d <domain>
dnsrecon -d example.com
Scan Types (-t)
| Type | Description |
|---|---|
| std | Standard — A, AAAA, NS, SOA, MX, TXT records |
| axfr | Zone transfer attempt on all nameservers |
| brt | Brute force subdomains from wordlist |
| rvl | Reverse lookup on IP range |
| goo | Google scraping for subdomains |
| snoop | Cache snooping on nameservers |
| tld | Check all TLD variations of domain |
| zonewalk | DNSSEC zone walking (NSEC enumeration) |
| srv | SRV record enumeration |
| bing | Bing scraping for subdomains |
| crt | Certificate transparency logs |
Common Flags
| Flag | Description |
|---|---|
| -d <domain> | Target domain |
| -t <type> | Scan type (see table above) |
| -D <wordlist> | Wordlist for brute force (brt) |
| -n <nameserver> | Use specific nameserver |
| -r <cidr> | IP range for reverse lookups |
| -c <file> | Save output to CSV |
| -j <file> | Save output to JSON |
| -x <file> | Save output to XML |
| --db <file> | Save output to SQLite DB |
| -f | Filter wildcard results |
| -a | Perform AXFR on all nameservers |
| --iw | Continue brute force even if wildcard detected |
| -v | Verbose output |
| --lifetime <s> | Query lifetime in seconds |
| --tcp | Use TCP for queries |
| -t std,brt | Combine multiple scan types |
Common Commands
# Standard enumeration (all record types)
dnsrecon -d example.com -t std
# Zone transfer attempt
dnsrecon -d example.com -t axfr
# Brute force subdomains
dnsrecon -d example.com -t brt -D wordlist.txt
# Reverse lookup on a range
dnsrecon -r 192.168.1.0/24 -t rvl
# Cache snooping
dnsrecon -t snoop -n <nameserver> -D wordlist.txt
# DNSSEC zone walking
dnsrecon -d example.com -t zonewalk
# Certificate transparency
dnsrecon -d example.com -t crt
# Multiple scan types at once
dnsrecon -d example.com -t std,axfr,brt -D wordlist.txt
# Use specific nameserver
dnsrecon -d example.com -n 8.8.8.8 -t std
# Output to JSON
dnsrecon -d example.com -t std -j output.json
# Output to CSV
dnsrecon -d example.com -t brt -D wordlist.txt -c output.csv
# Filter wildcards during brute force
dnsrecon -d example.com -t brt -D wordlist.txt -f
# Force brute force through wildcard
dnsrecon -d example.com -t brt -D wordlist.txt --iw
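The JSON written by -j is the easiest output to post-process. The script below is an added example (not part of dnsrecon) that triages such a file offline: it counts record types, reports any nameserver that answered a zone transfer, lists hostnames that resolve to RFC 1918 addresses (internal names leaking through public DNS), and applies the same idea as -f by discarding brute-force hits whose address is a wildcard answer. The sample input is constructed here, and the field names it relies on (type, name, address, target, and a "zone_transfer": "success" marker for a completed AXFR) are assumptions about dnsrecon's schema; check them against a real run of your own version.

```python
"""Offline triage of dnsrecon -j output (added example, not dnsrecon code)."""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample shaped like dnsrecon -j output; the key names are an
# assumption about dnsrecon's JSON schema, not copied from a real scan.
SAMPLE_JSON = json.dumps([
    {"type": "ScanInfo", "arguments": "dnsrecon -d example.com -t std,axfr,brt",
     "date": "2024-01-01 00:00:00"},
    {"type": "SOA", "name": "example.com", "mname": "ns1.example.com", "address": "192.0.2.1"},
    {"type": "NS", "name": "example.com", "target": "ns1.example.com", "address": "192.0.2.1"},
    {"type": "NS", "name": "example.com", "target": "ns2.example.com", "address": "192.0.2.2"},
    {"type": "MX", "name": "example.com", "exchange": "mail.example.com", "address": "192.0.2.10"},
    {"type": "A", "name": "www.example.com", "address": "192.0.2.20"},
    {"type": "A", "name": "dev.example.com", "address": "192.0.2.21"},
    {"type": "A", "name": "internal-git.example.com", "address": "10.0.5.7"},
    {"type": "A", "name": "vpn.example.com", "address": "198.51.100.9"},
    {"type": "A", "name": "qwzkj.example.com", "address": "203.0.113.50"},
    {"type": "A", "name": "shop.example.com", "address": "203.0.113.50"},
    {"type": "A", "name": "blog.example.com", "address": "203.0.113.50"},
    {"type": "info", "zone_transfer": "success", "ns_server": "ns2.example.com"},
])

# Private ranges spelled out explicitly: ipaddress.is_private also treats the
# documentation nets (192.0.2.0/24 etc.) as private, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_records(text):
    """Parse the JSON list and drop the leading scan-metadata object."""
    return [r for r in json.loads(text)
            if "type" in r and r["type"] != "ScanInfo" and "arguments" not in r]


def record_type_counts(records):
    """How many records of each DNS type the scan produced."""
    return Counter(r["type"] for r in records)


def zone_transfer_servers(records):
    """Nameservers that completed an AXFR (assumed 'zone_transfer': 'success' marker)."""
    return sorted(r.get("ns_server", "?") for r in records if r.get("zone_transfer") == "success")


def hosts_with_rfc1918_addresses(records):
    """(name, address) pairs pointing at private space: internal names visible externally."""
    leaks = []
    for r in records:
        addr = r.get("address")
        if not addr:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip malformed or IPv6 data that does not parse
        if any(ip in net for net in RFC1918):
            leaks.append((r.get("name") or r.get("target"), addr))
    return sorted(leaks)


def suspect_wildcard_ips(records, min_names=3):
    """Addresses shared by many distinct brute-forced names: a wildcard signature."""
    names_by_ip = defaultdict(set)
    for r in records:
        if r.get("type") in ("A", "AAAA") and r.get("address") and r.get("name"):
            names_by_ip[r["address"]].add(r["name"])
    return {ip for ip, names in names_by_ip.items() if len(names) >= min_names}


def drop_wildcard_matches(records, wildcard_ips):
    """Same idea as dnsrecon -f: discard A/AAAA hits whose address is a wildcard answer."""
    return [r for r in records
            if not (r.get("type") in ("A", "AAAA") and r.get("address") in wildcard_ips)]


def triage(text):
    """Summarise one dnsrecon JSON file into the findings a defender wants to see."""
    records = load_records(text)
    wild = suspect_wildcard_ips(records)
    kept = drop_wildcard_matches(records, wild)
    return {
        "types": dict(record_type_counts(records)),
        "axfr_open_on": zone_transfer_servers(records),
        "rfc1918_leaks": hosts_with_rfc1918_addresses(records),
        "wildcard_ips": sorted(wild),
        "hosts_after_wildcard_filter": sorted(r["name"] for r in kept if r.get("type") == "A"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_JSON), indent=2))
```

For a real file, replace SAMPLE_JSON with the contents of the -j output; the wildcard heuristic is a fallback for runs made without -f, and the threshold of three shared names is a starting point, not a tuned value.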
Recommended Wordlists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
Example Full Run
dnsrecon -d example.com \
-t std,axfr,brt \
-D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
-n 8.8.8.8 \
-f \
-j dnsrecon_results.json