DNSenum – DNS Information Gathering

Overview

DNSenum is an open-source DNS information gathering tool that collects the DNS records of a domain and discovers its non-contiguous IP blocks. Its main purpose is to gather as much information as possible about a domain. DNSenum is written in Perl and supports multithreading to speed up scans.

Its features are:

  • Get the host's addresses (A record).
  • Get the name servers (threaded).
  • Get the MX records (threaded).
  • Perform AXFR queries on name servers and get BIND versions (threaded).
  • Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
  • Brute force subdomains from a file. Can also perform recursion on subdomains that have NS records (all threaded).
  • Calculate class C network ranges for the domain and perform whois queries on them (threaded).
  • Perform reverse lookups on the net ranges (class C and/or whois net ranges) (threaded).
  • Write the IP blocks to the domain_ips.txt file.

How to use DNSenum

The command format for DNSenum is

dnsenum [options] <domain>

In the example below, the command used is

dnsenum --threads 6 tastyfix.com

The domain I targeted is https://tastyfix.com/, and I allocated 6 threads to the scan. From the scan output, you can see that it managed to gather the name servers, mail servers, subdomains and class C net ranges.

The scan took 100s. The --threads argument is important to set, as the default appears to be 1 or a very low number, which can push a scan to 40 minutes or more. In my experience, most of that time goes to the subdomain brute-forcing part of the scan.

DNSenum Help Menu

┌──(kali㉿kali)-[~]
└─$ dnsenum -h 
dnsenum VERSION:1.2.6
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or
the dns.txt file in the same directory as dnsenum.pl
GENERAL OPTIONS:
  --dnsserver   <server>
                        Use this DNS server for A, NS and MX queries.
  --enum                Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help            Print this help message.
  --noreverse           Skip the reverse lookup operations.
  --nocolor             Disable ANSIColor output.
  --private             Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>      Write all valid subdomains to this file.
  -t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
  --threads <value>     The number of threads that will perform different queries.
  -v, --verbose         Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>   The number of google search pages to process when scraping names,
                        the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value>   The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file>     Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
  -u, --update  <a|g|r|z>
                        Update the file specified with the -f switch with valid subdomains.
        a (all)         Update using all results.
        g               Update using only google scraping results.
        r               Update using only reverse lookup results.
        z               Update using only zonetransfer results.
  -r, --recursion       Recursion on subdomains, brute force all discovered subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>   The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois           Perform the whois queries on c class network ranges.
                         **Warning**: this can generate very large netranges and it will take lot of time to perform reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>
                        Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output <file>    Output in XML format. Can be imported in MagicTree (www.gremwell.com)

Conclusion

DNSenum is a DNS information gathering tool. It is a single tool that can help you identify the DNS servers and records of a domain. This gives you a better grasp of your target, as you will be able to piece together its infrastructure.

DNSenum Resources

Source Repository for DNSenum (GitHub): https://github.com/SparrowOchon/dnsenum2

Kali Linux Page for DNSenum: https://www.kali.org/tools/dnsenum/

Alternatives

If DNSenum takes too long to run, or you would like to separate the subdomain brute-forcing process from its other functions, I suggest reading about these 2 tools. Used together, they produce the same results, and possibly faster:

DNSrecon – DNS reconnaissance for Penetration Testing 

Sublist3r – Subdomain Finder for Pentesting

An Online alternative is also:

DNSdumpster
