• 检查所有的NS记录区域传送
  • 列举一般DNS记录给定域(MX,SOA,NS,A,AAAA,SPF和TXT)
  • 执行常见的SRV记录枚举。顶级域名(TLD)扩展
  • 检查通配符解析
  • 蛮力子域名和主机A和AAAA记录中的一个域和单词表
  • 对于给定的IP范围或CIDR执行PTR记录查询
  • 检查缓存记录A,AAAA和CNAME记录在一个文本文件中提供的主机记录列表的DNS服务器来检查
  • 枚举在使用谷歌的本地网络枚举主机和子共同的mDNS记录

DNSRecon首页 | 卡利DNSRecon回购

  • 作者:卡洛斯·佩雷斯
  • 许可:GPL第二版


dnsrecon - 一个强大的DNS枚举脚本
[email protected]:~# dnsrecon -h
Version: 0.8.7
Usage: dnsrecon.py

-h, --help Show this help message and exit
-d, --domain Domain to Target for enumeration.
-r, --range IP Range for reverse look-up brute force in formats (first-last)
or in (range/bitmask).
-n, --name_server Domain server to use, if none is given the SOA of the
target will be used
-D, --dictionary Dictionary file of sub-domain and hostnames to use for
brute force.
-f Filter out of Brute Force Domain lookup records that resolve to
the wildcard defined IP Address when saving records.
-t, --type Specify the type of enumeration to perform:
std To Enumerate general record types, enumerates.
SOA, NS, A, AAAA, MX and SRV if AXRF on the
NS Servers fail.

rvl To Reverse Look Up a given CIDR IP range.

brt To Brute force Domains and Hosts using a given

srv To Enumerate common SRV Records for a given


axfr Test all NS Servers in a domain for misconfigured
zone transfers.

goo Perform Google search for sub-domains and hosts.

snoop To Perform a Cache Snooping against all NS
servers for a given domain, testing all with
file containing the domains, file given with -D

tld Will remove the TLD of given domain and test against
all TLD's registered in IANA

zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

-a Perform AXFR with the standard enumeration.
-s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
targeted domain with the standard enumeration.
-g Perform Google enumeration with the standard enumeration.
-w Do deep whois record analysis and reverse look-up of IP
ranges found thru whois when doing standard query.
-z Performs a DNSSEC Zone Walk with the standard enumeration.
--threads Number of threads to use in Range Reverse Look-up, Forward
Look-up Brute force and SRV Record Enumeration
--lifetime Time to wait for a server to response to a query.
--db SQLite 3 file to save found records.
--xml XML File to save found records.
--iw Continua bruteforcing a domain even if a wildcard record resolution is discovered.
-c, --csv Comma separated value file.
-v Show attempts in the bruteforce modes.


扫描域(-d example.com),使用字典来暴力破解的主机名(-D /usr/share/wordlists/dnsmap.txt),做一个标准的扫描(-t STD),输出保存到一个文件(-xml dnsrecon.xml):

[email protected]:~# dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for example.com
[*] DNSKEYs: