SecurityTrails Blog

DNS-Recon: a powerful DNS reconnaissance tool

When it comes to the efficacy and proper functioning of any modern distributed network such as the Internet, few technologies are as pivotal as DNS.
The Domain Name System (DNS) is a decentralized, hierarchically structured collection of publicly and non-publicly known hosts that is ultimately responsible for translating friendly domain names into their machine address counterparts, directing trillions of web requests to their destination.
This degree of interdependence makes DNS a prime target for a host of information gathering practices that seek to extract every significant piece of information about an organization's network. For example, every penetration tester worth their salt can attest to the importance of DNS enumeration, a technique for finding all the DNS records associated with a given domain name.
DNS also carries its own assortment of inherent weaknesses, such as servers that hand over internal zone data to basically anyone who asks for a zone transfer, or the potential for cache poisoning, where users can be redirected to any site chosen by an attacker.
This article explores **DNSRecon**, one of the most recognized of the handful of DNS information gathering tools shipped with the Kali Linux distribution. Let's dive right in!
What is DNSRecon?
DNSRecon, as it is known today, is the Python equivalent of a Ruby script originally written by Carlos Perez toward the end of 2006. In his own words, the tool largely emerged from his personal need to collect DNS-related data in an intuitive manner, while the Python version allowed him to practice his newly acquired skills with that language.
What is dns-Recon?
dns-Recon, as it is known today, is the Python equivalent of a Ruby script originally written by Carlos Perez toward the end of 2006. In his own words, this tool largely emerged from his personal need to reflect dns-related data collection in an intuitive manner while the Python version allowed him to practice his newly acquired skills with the programming language.
DNSRecon can perform a variety of functions, ranging from security assessments to basic network troubleshooting, by allowing users to:
- Check DNS server cache records for A, AAAA and CNAME records, given a list of host records in a text file.
- Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).
- Check all NS records for zone transfers.
- Check for wildcard resolution.
- Perform common SRV record enumeration and top-level domain (TLD) expansion.
- Brute force subdomain and host A and AAAA records, given a domain and a wordlist.
- Perform a PTR record lookup for a given IP range or CIDR.
- Perform subdomain and host enumeration via Google dorks.
- Present findings in text file format for easy manipulation.
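The wildcard check and the wordlist brute force above go together: if a zone answers every unknown name, a naive brute force reports every word in the list as a live host. The following added Python example (not DNSRecon's own code) shows how the check is done and how wildcard-only answers are filtered out; the resolver is injectable, `fake_resolve` and the `example.test` zone are a constructed offline sample, and `live_resolve` is an assumed adapter around dnspython 2.x for real lookups.

```python
import secrets
from typing import Callable, Dict, List, Set

# A resolver maps a hostname to the set of addresses it answers with
# (empty set for NXDOMAIN / no answer), so lookups can be swapped for tests.
Resolver = Callable[[str], Set[str]]

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that should not exist; whatever they return
    is the wildcard answer and must be discounted during brute forcing."""
    wildcard: Set[str] = set()
    for _ in range(probes):
        wildcard |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return wildcard

def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Try each candidate label, keeping only names whose answers are not
    explained entirely by the wildcard record."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        addrs = resolve(host)
        if not addrs or (wildcard and addrs <= wildcard):
            continue  # NXDOMAIN, or a wildcard-only answer: not a real host
        found[host] = sorted(addrs)
    return found

def live_resolve(host: str) -> Set[str]:
    """Assumed adapter for real lookups via dnspython 2.x (the library DNSRecon uses)."""
    import dns.exception, dns.resolver  # lazy import: the offline sample needs no network
    try:
        return {r.to_text() for r in dns.resolver.resolve(host, "A")}
    except dns.exception.DNSException:  # NXDOMAIN, NoAnswer, timeout, ...
        return set()

# Constructed sample zone (not real hosts): example.test has a wildcard that
# answers 192.0.2.99 for any unknown name, and one real host shares that address.
SAMPLE_ZONE = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.20", "2001:db8::20"},
    "dev.example.test": {"192.0.2.99"},
}

def fake_resolve(host: str) -> Set[str]:
    if host in SAMPLE_ZONE:
        return set(SAMPLE_ZONE[host])
    return {"192.0.2.99"} if host.endswith(".example.test") else set()
```

Note the limitation this shares with any wildcard filter: `dev.example.test` is a real record, but because its only address is the wildcard address it is indistinguishable from a wildcard answer and is dropped.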
Installing DNSRecon
**Ubuntu Linux (GitHub-based) installation**
Whether you are installing DNSRecon using a specific Linux distribution's package manager or simply from its source repository, **Python 3.6+** will be required.
After that, the installation steps are as follows:
1. Install the **git** package if not available (e.g., sudo apt install git) and **python3-pip** to handle package management requirements for Python.
2. Clone the source archive to your preferred location on disk:
3. Once inside the dnsrecon directory, install the library requirements like so:
4. Run command:
The following screencast recaps the above process:
Alternatively, the command sudo apt install dnsrecon should accomplish the same outcome.
**CentOS Linux (GitHub-based) installation**
Installing DNSRecon on CentOS follows the same pattern as the Ubuntu case. Again, Python 3.6 or newer is required, along with access to the language's package management tool (pip).
DNSRecon usage and examples
If you'd rather not spend the time setting all of this up and simply need a turnkey alternative, Kali Linux comes with DNSRecon already installed. As shown below, the Kali package of DNSRecon is one of three DNS analysis tools, alongside dnsenum and fierce, all falling w...

By SecurityTrails