
dnsrecon Cheatsheet



DNSRecon is a DNS enumeration tool written in Python. It performs DNS record enumeration, zone transfers, subdomain brute forcing, and more.


Basic Usage

  • dnsrecon -d <domain> - Standard enumeration
  • dnsrecon -d <domain> -t std - Standard record enumeration

Enumeration Types (-t)

  • std - Standard record enumeration (SOA, NS, A, AAAA, MX, TXT)
  • rvl - Reverse lookup of IP range
  • brt - Brute force subdomains and hosts
  • srv - SRV record enumeration
  • axfr - Zone transfer
  • goo - Google search for subdomains
  • bing - Bing search for subdomains
  • snoop - DNS cache snooping
  • tld - TLD expansion
  • zonewalk - DNSSEC zone walk

Target Options

  • -d <domain> - Target domain
  • -r <range> - IP range for reverse lookup (CIDR or range)
  • -n <ns> - Name server to use
  • -D <file> - Wordlist for brute force

Output Options

  • -c <file> - CSV output file
  • -j <file> - JSON output file
  • -x <file> - XML output file
  • --db <file> - SQLite database output

Performance Options

  • --threads <num> - Number of threads
  • --lifetime <sec> - Query lifetime (timeout)
  • --tcp - Use TCP for queries

Other Options

  • -a - Perform AXFR with standard enumeration
  • -s - Perform reverse lookup on IP ranges in SPF records
  • -g - Perform Google enumeration
  • -b - Perform Bing enumeration
  • -k - Perform cache snooping
  • -w - Perform deep whois lookup
  • -z - Perform DNSSEC zone walk
  • -v - Verbose output

Common Examples

Standard Enumeration

dnsrecon -d example.com

Get all standard DNS records.

Zone Transfer

dnsrecon -d example.com -t axfr

Attempt zone transfer.

Subdomain Brute Force

dnsrecon -d example.com -t brt -D /usr/share/wordlists/subdomains.txt

Brute force subdomains with wordlist.

Reverse Lookup

dnsrecon -r 192.168.1.0/24

Reverse DNS lookup on IP range.

SRV Record Enumeration

dnsrecon -d example.com -t srv

Enumerate SRV records.

Full Enumeration

dnsrecon -d example.com -a -s -g -w

Standard enum with AXFR, SPF, Google, and Whois.

DNSSEC Zone Walk

dnsrecon -d example.com -z

Enumerate via DNSSEC zone walking.

Save to JSON

dnsrecon -d example.com -j output.json

Save results to JSON file.
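
An added example (not part of dnsrecon or of the original cheatsheet) of reviewing a saved JSON scan of your own zone for two exposures: name servers that allowed AXFR, and public records that resolve to internal addresses. The sample records are constructed, and the key names (type, name, target, address, zone_transfer, ns_server) are assumptions about what -j writes, so check them against your own output file.

```python
import ipaddress
import json
from collections import Counter

# Address ranges that should not appear in a public zone (RFC 1918, loopback,
# link-local, IPv6 unique-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7")]

# Constructed sample; the keys are assumed to match what `dnsrecon -j` writes.
SAMPLE = """[
  {"type": "ScanInfo", "arguments": "-d example.com -a -j output.json", "date": "2024-01-01 00:00:00"},
  {"zone_transfer": "success", "ns_server": "192.0.2.53"},
  {"type": "NS", "target": "ns1.example.com", "address": "192.0.2.53"},
  {"type": "A", "name": "www.example.com", "address": "203.0.113.10"},
  {"type": "A", "name": "intranet.example.com", "address": "10.0.5.12"},
  {"type": "SRV", "name": "_ldap._tcp.example.com", "target": "dc01.example.com", "address": "192.168.10.5", "port": "389"},
  {"type": "TXT", "name": "example.com", "strings": "v=spf1 ip4:198.51.100.0/24 -all"}
]"""
RECORDS = json.loads(SAMPLE)  # for a real scan: json.load(open("output.json"))


def is_internal(addr):
    """True if addr parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def audit(records):
    """Return (record counts by type, list of findings) for a dnsrecon record list."""
    counts, findings = Counter(), []
    for rec in records:
        if rec.get("zone_transfer") == "success":
            findings.append(("axfr-allowed", rec.get("ns_server"), None))
            continue
        rtype = rec.get("type")
        if not rtype or rtype == "ScanInfo":  # scan metadata, not a DNS record
            continue
        counts[rtype] += 1
        addr = rec.get("address")
        if addr and is_internal(addr):
            findings.append(("internal-address", rec.get("name") or rec.get("target"), addr))
    return dict(counts), findings


if __name__ == "__main__":
    for finding in audit(RECORDS)[1]:
        print(finding)
```

Each finding points at a fix on the DNS side: restrict AXFR to the secondary name servers, and move internal-only names to a split-horizon or internal zone.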

Custom Name Server

dnsrecon -d example.com -n 8.8.8.8

Use specific DNS resolver.


Tips

  • Always try zone transfer (-t axfr) first
  • Use -a with standard enum to include AXFR attempt
  • Combine with other tools like amass for better coverage
  • Save results to JSON for easy parsing
  • DNSSEC zone walk can reveal records even when AXFR is blocked
  • Use --threads to speed up brute forcing
  • Check SRV records for internal services
  • Always get authorization before scanning
