DNSRecon
(Who@What):~$ DNSRecon is an enumeration and scanning tool designed to gather DNS-related information about a given target.
(When@Where):~$ DNSRecon is a reconnaissance tool, best used in the initial information gathering phase of a penetration test. It is commonly found in penetration testing distros such as Kali Linux and Parrot, and you can also download it from https://github.com/darkoperator/dnsrecon.
(Why@How):~$ You would use DNSRecon to gather name server information about your target: IP addresses, name servers, mail exchange servers, and host names. The records are collected by standard DNS queries against the target's servers, by enumerating search results from Google and Bing, or by brute forcing subdomains from dictionary files.
In this demonstration, I will be using the version of DNSRecon that is provided in the Kali Linux distro.
Step 1: Open DNSRecon. You have two main options for accomplishing this.
Option 1: Use the GUI. Click on the Kali icon in the upper right corner, navigate to Information Gathering > DNS Analysis, and click on DNSRecon. A terminal window should appear listing the help information for DNSRecon.
Option 2: Open a terminal and type “dnsrecon”. Run with no arguments (or with -h) it prints the same help text.
Step 2: As the help text shows, to start a scan you type “dnsrecon” followed by “-d” and the target’s domain name. (For a single IP address or a block of addresses use -r instead; see Range Scan below.)
Step 3: Press Enter to run the scan. Depending on your target and the success of the scan, the records found are printed beneath the command.
Additional Features and Functions:
Saving: Oftentimes after performing a scan you will want to save your results. DNSRecon can write them in four formats: SQLite database (--db FILE), JSON (-j FILE), CSV (-c FILE), and XML (-x FILE). Append the output option and the destination path to the scan command. The following command will save my scan results into a JSON file in my Desktop folder.
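Once a scan is saved with -j, the JSON file is easy to post-process. The script below is an added example, not part of DNSRecon or of this post’s original content: it reads a report in the shape DNSRecon writes, groups hosts by record type, lists the unique addresses, and flags hostnames whose public DNS answers point into RFC 1918 or other internal ranges, a classic finding from brute-force results. The sample report is constructed for the example, and the per-record key names (type, name, target, exchange, mname, address, strings) are assumed from DNSRecon’s output; confirm them against your own file before relying on the script.

```python
"""Summarize a DNSRecon JSON report (saved with: dnsrecon -d example.com -j report.json).

Added example, not DNSRecon's own code. Assumption: every record carries a
"type" key plus the host/address keys DNSRecon uses for that record type.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape of a dnsrecon -j report; not real scan data.
SAMPLE_REPORT = json.dumps([
    {"arguments": "dnsrecon -d example.com -a -t std,brt -j report.json"},
    {"type": "SOA", "mname": "ns1.example.com", "address": "192.0.2.10"},
    {"type": "NS", "target": "ns1.example.com", "address": "192.0.2.10"},
    {"type": "NS", "target": "ns2.example.com", "address": "198.51.100.7"},
    {"type": "MX", "exchange": "mail.example.com", "address": "192.0.2.25"},
    {"type": "A", "name": "www.example.com", "address": "192.0.2.80"},
    {"type": "A", "name": "dev.example.com", "address": "10.1.2.3"},
    {"type": "AAAA", "name": "www.example.com", "address": "2001:db8::80"},
    {"type": "TXT", "name": "example.com",
     "strings": "v=spf1 include:_spf.example.net -all"},
])

# DNSRecon names the host field differently per record type (assumed keys).
HOST_KEYS = ("name", "target", "exchange", "mname")

# Ranges that should not appear in answers from a public zone. Listed
# explicitly rather than via ip.is_private, which also matches the
# documentation ranges (192.0.2.0/24, 2001:db8::/32) used in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


def load_records(text):
    """Parse the report and drop the leading 'arguments' entry."""
    return [r for r in json.loads(text) if "type" in r]


def scan_arguments(text):
    """Return the command line DNSRecon recorded in the report, if present."""
    for entry in json.loads(text):
        if "arguments" in entry:
            return entry["arguments"]
    return None


def record_host(rec):
    """Pick the hostname field for a record, whatever DNSRecon called it."""
    for key in HOST_KEYS:
        if key in rec:
            return rec[key]
    return None


def hosts_by_type(records):
    """Map record type -> sorted unique hostnames."""
    out = defaultdict(set)
    for rec in records:
        host = record_host(rec)
        if host:
            out[rec["type"]].add(host)
    return {rtype: sorted(hosts) for rtype, hosts in out.items()}


def unique_addresses(records):
    """All distinct IPv4/IPv6 addresses seen in the report."""
    return sorted({rec["address"] for rec in records if "address" in rec})


def internal_address_hosts(records):
    """(host, address) pairs whose answer falls inside an internal range."""
    hits = set()
    for rec in records:
        addr = rec.get("address")
        if not addr:
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in INTERNAL_NETS):
            hits.add((record_host(rec), addr))
    return sorted(hits)


def main():
    records = load_records(SAMPLE_REPORT)
    print("scan:", scan_arguments(SAMPLE_REPORT))
    for rtype, hosts in sorted(hosts_by_type(records).items()):
        print(f"{rtype:5} {', '.join(hosts)}")
    print("addresses:", ", ".join(unique_addresses(records)))
    for host, addr in internal_address_hosts(records):
        print(f"internal address leaked: {host} -> {addr}")


if __name__ == "__main__":
    main()
```

To run it against a real scan, replace SAMPLE_REPORT with the contents of the file you saved via -j. A host such as dev.example.com resolving to 10.1.2.3 in the public zone tells you internal naming and addressing have leaked, which is exactly the sort of result you want pulled out of a long report before the next phase.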
Range Scan: If your target is a range of IP addresses, pass the range with -r instead of a domain and DNSRecon performs reverse lookups across it. The example below scans the range 10.0.0.1 - 10.0.0.255.
You can also give the range in network/mask (CIDR) notation.
Zone Transfer: The -a option attempts a zone transfer (AXFR) against each of the target’s name servers alongside the standard enumeration. A name server that answers the AXFR hands over the entire zone, so a successful transfer is both a shortcut for you and a misconfiguration worth reporting on its own.
Dictionary file: DNSRecon includes a few wordlists that can be used during brute force scans; on Kali these text files are located under /usr/share/dnsrecon/. You can also supply your own wordlist as the dictionary with -D (brute forcing is selected with -t brt) to enumerate subdomains and hostnames.