loading
loading
Recon
Multi-technique DNS enumeration for security assessments.
overview
dnsrecon bundles a full set of DNS enumeration techniques behind one command. A default run pulls the general records (A, AAAA, MX, SOA, NS, SPF, TXT), checks every name server for a zone transfer, enumerates common SRV records, and tests for wildcard resolution so later brute forcing stays honest.
Point it at a wordlist to brute-force subdomain and host records, hand it an IP range for reverse PTR lookups, or switch modes to walk a DNSSEC zone, expand top-level domains, or fold in crt.sh, Bing, and Yandex results. The enumeration-type input (-t) picks the technique, and --threads controls concurrency for the lookup-heavy modes.
Reach for dnsrecon when you want the active side of DNS recon in a single node: confirm what passive discovery suggested, catch a leaking AXFR, and map an organization's records before probing the live names with httpx.
use cases
Run an AXFR check across every name server to catch a misconfigured server that hands over the full zone in one request.
Point dnsrecon at a wordlist to discover A and AAAA records, with wildcard filtering so spurious matches do not bloat the results.
Run PTR lookups across a CIDR or range to tie addresses back to hostnames during infrastructure mapping.
Pull general, SRV, and SPF records and optionally walk DNSSEC zones to build a complete picture of a domain's DNS footprint.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Target domain to enumerate. |
| enumeration-type | STRING | -t | Technique to run (std, rvl, srv, axfr, bing, yand, snoop, tld, zonewalk). |
| dictionary-file | FILE | -D | Wordlist of subdomains and hostnames for brute force. |
| name-server | STRING | -n | DNS server(s) to query, comma-separated; defaults to the target SOA. |
| ip-range | STRING | -r | IP range or CIDR for reverse-lookup brute force. |
| axfr | BOOLEAN | -a | Perform AXFR zone-transfer checks with standard enumeration. |
| crt-enumeration | BOOLEAN | -k | Add crt.sh certificate enumeration to a standard run. |
| threads | STRING | --threads | Threads for reverse, forward, brute-force, and SRV enumeration. |
Showing key inputs. dnsrecon exposes 20 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | -d | Target domain. |
| enumeration-type | STRING | -t | Type of enumeration to perform: std, rvl, srv, axfr, bing, yand, snoop, tld, or zonewalk. |
| name-server | STRING | -n | Domain server(s) to use; defaults to the target SOA. Comma-separate multiple servers. |
| dictionary-file | FILE | -D | Dictionary file of subdomains and hostnames to use for brute force. |
| ip-range | STRING | -r | IP range for reverse-lookup brute force, as first-last or range/bitmask. |
| axfr | BOOLEAN | -a | Perform an AXFR zone-transfer check with standard enumeration. |
| crt-enumeration | BOOLEAN | -k | Add crt.sh certificate enumeration to a standard run. |
| bing-enumeration | BOOLEAN | -b | Add Bing enumeration to a standard run. |
| yandex-enumeration | BOOLEAN | -y | Add Yandex enumeration to a standard run. |
| dnssec-zone-walk | BOOLEAN | -z | Perform a DNSSEC zone walk with standard enumeration. |
| reverse-ipv4-lookup | BOOLEAN | -s | Reverse-lookup the IPv4 ranges in the SPF record during standard enumeration. |
| whois-analysis | BOOLEAN | -w | Perform deep whois analysis and reverse lookup of IP ranges found via whois during standard enumeration. |
| filter | BOOLEAN | -f | When saving records, filter out brute-force hits that resolve to the wildcard IP. |
| continue-bruteforcing | BOOLEAN | --iw | Continue brute forcing a domain even if a wildcard record is discovered. |
| threads | STRING | --threads | Number of threads for reverse, forward, brute-force, and SRV enumeration. |
| timeout | STRING | --lifetime | Time to wait for a server to respond to a query (default 3). |
| use-tcp | BOOLEAN | --tcp | Use TCP to make queries instead of UDP. |
| enable-verbose | BOOLEAN | -v | Enable verbose output. |
| disable-check-recursion | BOOLEAN | --disable-check-recursion | Disable the recursion check on name servers. |
| disable-check-bindversion | BOOLEAN | --disable-check-bindversion | Disable the BIND version check on name servers. |
example
# general records, AXFR zone-transfer test, and crt.sh in one standard passdnsrecon -d example.com -t std -a -k -n 198.51.100.53 --threads 20[*] std: Performing General Enumeration against: example.com...[-] DNSSEC is not configured for example.com[*] SOA ns1.example.com 198.51.100.53[*] NS ns1.example.com 198.51.100.53[*] NS ns2.example.com 198.51.100.54[*] MX mail.example.com 203.0.113.20[*] A example.com 203.0.113.10[*] TXT example.com v=spf1 include:_spf.example.com ~all[*] Enumerating SRV Records[+] SRV _sip._tcp.example.com sip.example.com 203.0.113.30 5060 100[+] 1 Record Foundguidance
Use dnsrecon for active, multi-technique DNS enumeration: zone-transfer tests, record pulls, brute force, reverse lookups, and DNSSEC walks. For high-throughput resolution of a known list, use dnsx; for passive discovery first, use subfinder. dnsrecon shines when you want many DNS techniques in one node.
Fast resolver and prober for a known list. dnsrecon covers more enumeration techniques in one tool.
Similar all-in-one DNS enumerator. dnsrecon adds DNSSEC zone walking and source plugins.
Lightweight subdomain and zone-transfer scanner. dnsrecon offers broader record and reverse-lookup coverage.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A domain and a wordlist feed dnsrecon, which enumerates records, tests zone transfers, and brute-forces hosts, writing the DNS records as output.
Facts on this page come from the live Trickest tool library.