DNSenum is an open-source DNS enumeration tool that gathers the DNS information of a domain and discovers non-contiguous IP blocks. Its main purpose is to collect as much information as possible about a domain. DNSenum is written in Perl and supports multithreading to speed up scans.
Its features are:
- Get the host's addresses (A record).
- Get the name servers (threaded).
- Get the MX record (threaded).
- Perform AXFR queries on name servers and get BIND versions (threaded).
- Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
- Brute force subdomains from a file; it can also perform recursion on subdomains that have NS records (all threaded).
- Calculate class C domain network ranges and perform whois queries on them (threaded).
- Perform reverse lookups on net ranges (class C and/or whois net ranges) (threaded).
- Write the discovered IP blocks to the domain_ips.txt file.
How to use DNSenum
The command format for DNSenum is
dnsenum [options] <domain>
In the example below, the command used is
dnsenum --threads 6 tastyfix.com
The domain I targeted is https://tastyfix.com/ and I allocated 6 threads to the scan. From the scan output you can see that it gathered the name servers, mail servers, subdomains and class C net ranges.
The scan took 100s. The --threads argument is important to set, because the default seems to be 1 or a very low number, which would push the scan to 40mins+. In my experience, most of the duration is spent in the subdomain brute-forcing part of the scan.
DNSenum Help Menu
┌──(kali㉿kali)-[~]
└─$ dnsenum -h
dnsenum VERSION:1.2.6
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or the dns.txt file in the same directory as dnsenum.pl
GENERAL OPTIONS:
  --dnsserver <server>
                        Use this DNS server for A, NS and MX queries.
  --enum                Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help            Print this help message.
  --noreverse           Skip the reverse lookup operations.
  --nocolor             Disable ANSIColor output.
  --private             Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>      Write all valid subdomains to this file.
  -t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
  --threads <value>     The number of threads that will perform different queries.
  -v, --verbose         Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>   The number of google search pages to process when scraping names, the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value>   The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file>     Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
  -u, --update <a|g|r|z>
                        Update the file specified with the -f switch with valid subdomains.
                          a (all)  Update using all results.
                          g        Update using only google scraping results.
                          r        Update using only reverse lookup results.
                          z        Update using only zonetransfer results.
  -r, --recursion       Recursion on subdomains, brute force all discovered subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>   The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois           Perform the whois queries on c class network ranges.
                        **Warning**: this can generate very large netranges and it will take lot of time to perform reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>
                        Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output <file>    Output in XML format. Can be imported in MagicTree (www.gremwell.com)
DNSenum is a DNS information gathering tool: a single tool that helps you identify the DNS servers and records of a domain, which gives you a better grasp of your target because you can piece together its infrastructure.
Source Repository for DNSenum (GitHub): https://github.com/SparrowOchon/dnsenum2
Kali Linux Page for DNSenum: https://www.kali.org/tools/dnsenum/
If DNSenum takes very long to run, or you would like to separate the subdomain brute-forcing process from the other functions, I suggest reading about these 2 tools. Used together, they produce the same results, possibly even faster:
An online alternative is also: