Inputs

hosts

file

required

List of hostnames/IP addresses/IP ranges

Outputs

dns-recordsresolving-hostnamesip-address-detailsip-addressessubdomainssubdomain-detailspotential-hostnamespotential-hostname-detailssubdomain-wildcardssubdomain-wildcard-detailspotential-hostname-wildcardspotential-hostname-wildcard-details

Enumerate DNS Records

Description

Enumerate DNS records for a list of hostnames, IP addresses, or IP ranges. Then, analyze the results to gather additional relevant data such as resolving hostnames, IP addresses, and associated hostnames.

Features

Enumerates A, AAAA, CNAME, MX, NS, TXT, CAA, and PTR records.
Identifies records with NOERROR, REFUSED, or SERVFAIL return codes.
Capable of processing tens of thousands of hostnames simultaneously.
Discovers additional hostnames associated with the target organization.
Includes a precompiled list of trusted DNS resolvers.

Inputs

Required

hosts: a list of hostnames, IP addresses, or IP ranges

dashboard.example.com

5.6.7.8/24

shop.example.com

Outputs

dns-records: JSONLines DNS records.

{"host": "dashboard.example.com", "response_code": "NOERROR", "record_type": "a", "value": "1.2.3.4", "ttl": 900}

{"host": "dashboard.example.com", "response_code": "NOERROR", "record_type": "a", "value": "5.6.7.8", "ttl": 900}

{"host": "5.6.7.8", "response_code": "NOERROR", "record_type": "ptr", "value": "dev.example.com", "ttl": 900}

{"host": "dashboard.example.com", "response_code": "NOERROR", "record_type": "ns", "value": "ns1.example.com", "ttl": 900}

{"host": "shop.example.com", "response_code": "NOERROR", "record_type": "cname", "value": "example.myshopify.com", "ttl": 900}

resolving-hostnames: List of hostnames that have at least one valid DNS record

dashboard.example.com

shop.example.com

ip-address-details: JSONLines records of IP address discovery details

{"ip_address": "1.2.3.4", "data_source": "dns record", "type": "IPv4", "context": "a", "linked_asset": "dashboard.example.com"}

{"ip_address": "5.6.7.8", "data_source": "dns record", "type": "IPv4", "context": "a", "linked_asset": "dashboard.example.com"}

ip-addresses: List of IP addresses

2.3.4

6.7.8

subdomains: List of discovered subdomains

dev.example.com

ns1.example.com

subdomain-details: JSONLines records of subdomain discovery details.

{"hostname": "dev.example.com", "domain_name": "example.com", "data_source": "dns record", "context": "ptr", "linked_asset": "5.6.7.8"}

{"hostname": "ns1.example.com", "domain_name": "example.com", "data_source": "dns record", "context": "ns", "linked_asset": "dashboard.example.com"}

potential-hostnames: List of related hostnames outside the strict scope.

example.myshopify.com

potential-hostname-details: JSONLines records of potential hostname discovery details.

{"hostname": "example.myshopify.com", "domain_name": "myshopify.com", "data_sources": "dns record", "context": "cname", "linked_asset": "shop.example.com"}

subdomain-wildcards: List of discovered subdomain wildcards.

*.internal.example.com

subdomain-wildcard-details: JSONLines records of subdomain wildcard discovery details.

{"hostname": "*.internal.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "cloud tls certificate"}

potential-hostname-wildcards: List of related hostnames with wildcards outside the strict scope.

*.proxy.example-corp.com

potential-hostname-wildcard-details: JSONLines records of potential hostname wildcard discovery details.

{"hostname": "*.proxy.example-corp.com", "domain_name": "example-corp.com", "data_source": "osint source", "context": "certificate transparency"}

Note: The *-details outputs may contain duplicates if a hostname was discovered in multiple records.

Changelog

v1.0.0
- Initial release
v1.0.1
- Remove duplicate DNS records from the output

Library

Inputs

Outputs

​Enumerate DNS Records

​Description

​Features

​Inputs

​Required

​Outputs

​Changelog

Enumerate DNS Records

Description

Features

Inputs

Required

Outputs

Changelog