The first stage of penetration testing is reconnaissance (information gathering). One method of reconnaissance is by gathering the target’s DNS information, such as DNS records and DNS servers.
This information can be used to piece together an organization's network infrastructure. Additionally, gathering it does not trigger an alert from the organization's firewall or IDS/IPS.
A tool that helps us accomplish this is DNSrecon. As the name implies, DNSrecon is a DNS reconnaissance tool that can extract DNS-related information from a website/domain.
Here is a list of its features (according to the source repository):
- Check all NS Records for Zone Transfers.
- Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
- Perform common SRV Record Enumeration.
- Top Level Domain (TLD) Expansion.
- Check for Wildcard Resolution.
- Brute Force subdomain and host A and AAAA records, given a domain and a wordlist.
- Perform a PTR Record lookup for a given IP Range or CIDR.
- Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check.
Help menu overview
Relevant Arguments Covered
- -h (show help menu)
- -d <domain> (the domain that is being targeted)
- -t <scan type> (type of scan [refer to help menu])
- -r <IP address range> (perform a reverse lookup on the given range of IP addresses)
- -x <filename> (save the output to an XML file)
- -c <filename> (save the output to a CSV file)
- -j <filename> (save the output to a JSON file)
How to use DNSrecon
To use DNSrecon, the command format is:
dnsrecon -d <domain> [other options]
A basic command for example:
dnsrecon -d tastyfix.com -j /home/kali/Desktop/dns_tastyfix
This will produce information such as SOA, NS, MX, A, TXT and more. In the example, we test this on a domain called “tastyfix.com”. Additionally, we save the output to a JSON file by using the -j argument. This is useful when writing the pentest report or if you want to rearrange the data.
This is the JSON file produced:
With DNSrecon, we can also perform a reverse lookup given a range of IP addresses with:
dnsrecon -r <range of IP addresses>
This can be useful to efficiently determine the range of IP addresses related to the target.
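An added example, not code from the original post or from the DNSrecon project, showing how the JSON saved with -j can be rearranged for a report and how the addresses in it can be turned into an IP range for a follow-up -r reverse lookup. The record layout and key names are assumed to follow DNSrecon's JSON output, and the tastyfix.com records themselves are constructed for the example.

```python
import json
import ipaddress
from collections import defaultdict
# Constructed sample in the layout dnsrecon writes with -j (a list of records, each with a "type" key); domain and IPs are made up.
SAMPLE_JSON = """
[
  {"arguments": "dnsrecon -d tastyfix.com -j dns_tastyfix"},
  {"type": "NS", "target": "ns1.tastyfix.com", "address": "203.0.113.10"},
  {"type": "NS", "target": "ns2.tastyfix.com", "address": "203.0.113.11"},
  {"type": "MX", "exchange": "mail.tastyfix.com", "address": "203.0.113.25"},
  {"type": "A", "name": "tastyfix.com", "address": "203.0.113.40"},
  {"type": "A", "name": "www.tastyfix.com", "address": "203.0.113.40"},
  {"type": "TXT", "name": "tastyfix.com", "strings": "v=spf1 ip4:203.0.113.25 -all"}
]
"""

HOST_KEYS = ("name", "target", "exchange", "mname")  # hostname field varies by record type (assumed)

def load_records(text):
    """Parse dnsrecon JSON and drop the leading 'arguments' entry."""
    return [r for r in json.loads(text) if "type" in r]

def group_by_type(records):
    """Map record type -> list of (hostname, value) pairs, handy for the report."""
    grouped = defaultdict(list)
    for r in records:
        host = next((r[k] for k in HOST_KEYS if k in r), "")
        grouped[r["type"]].append((host, r.get("address", r.get("strings", ""))))
    return dict(grouped)

def unique_addresses(records):
    """Distinct IP addresses seen in any record (TXT entries carry none)."""
    addrs = set()
    for r in records:
        try:
            addrs.add(ipaddress.ip_address(r.get("address", "")))
        except ValueError:
            pass
    return sorted(addrs, key=lambda a: (a.version, int(a)))

def covering_network(records):
    """Smallest IPv4 CIDR covering every address, a starting point for 'dnsrecon -r'."""
    v4 = [a for a in unique_addresses(records) if a.version == 4]
    if not v4:
        return None
    net = ipaddress.ip_network(f"{v4[0]}/32")
    while not all(a in net for a in v4):
        net = net.supernet()
    return str(net)
```

The covering range is only a starting point: a /26 derived from four hosts may include addresses that belong to a hosting provider rather than the target, so confirm ownership (for example with WHOIS) before widening the lookup.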
In conclusion, DNSrecon is a very useful tool for gathering DNS information about a target domain. We have only covered the very basics of how to use it. There are many other features you can explore, such as DNS walking and searching for subdomains. DNS reconnaissance is only one aspect of the information-gathering stage of pen-testing, so be sure to use a variety of tools to collect other information and build a full picture of your target.
To find out more about DNSrecon, I recommend exploring the links below: