SecurityTrails Blog · Dec 03 2020 · by Gianni Perez

DNSRecon: a powerful DNS reconnaissance tool

When it comes to the efficacy and proper functioning of any modern distributed network such as the Internet, few technologies rise to the level of importance that DNS does.

The Domain Name System (DNS) accounts for the de-centralization of both publicly and non-publicly known hosts, structured in a hierarchical fashion, that are ultimately responsible for translating friendly domain names into their machine address counterparts, properly directing trillions of web requests to their ultimate destination.

This degree of interdependence makes DNS a prime target for a host of information gathering practices that seek to extract every significant piece of information there is about an organization’s network. For example, every penetration tester out there worth their salt can attest to the importance of conducting tasks such as DNS enumeration—a technique capable of finding all related DNS records for a given domain name.

DNS is also beset with its own assortment of inherent weaknesses, such as the ability to share this internal domain information with basically anyone who asks, or the potential for cache poisoning where users can be redirected to any site chosen by an attacker.

This article will explore DNSRecon, one of the most recognized tools from a handful of DNS information gathering software currently available as part of the Kali Linux distribution. Let’s dive right in!

What is DNSRecon?

DNSRecon, as it is known today, is the Python equivalent of a Ruby script originally written by Carlos Perez toward the end of 2006. In his own words, this tool largely emerged from his personal need to reflect DNS-related data collection in an intuitive manner while the Python version allowed him to practice his newly acquired skills with the programming language.

DNSRecon can perform a variety of functions ranging from security assessments to basic network troubleshooting by allowing users to:

  • Check DNS server cache records for A, AAAA and CNAME records given a list of host records in a text file
  • Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  • Check all NS records for zone transfers
  • Check for wildcard resolution
  • Perform common SRV record enumeration and top-level domain (TLD) expansion
  • Brute-force subdomain and host A and AAAA records given a domain and a wordlist
  • Perform a PTR record lookup for a given IP range or CIDR
  • Perform subdomain and host enumeration via Google Dorks
  • Present findings in text file format for easy manipulation

Installing DNSRecon

Ubuntu Linux (Github-based) installation

Whether you are installing DNSRecon using a specific Linux distribution’s package manager or simply from its source repository, Python 3.6+ will be required.

After that, the installation steps are as follows:

  1. Install the git package if not available (e.g., sudo apt install git) and python3-pip to handle package management requirements for Python.

  2. Clone the source archive to your preferred location on disk:
    git clone https://github.com/darkoperator/dnsrecon.git

  3. Once inside the dnsrecon directory, install the library requirements like so:
    python3 -m pip install -r requirements.txt --no-warn-script-location

  4. Run python3 dnsrecon.py -h

The following screencast recaps the above process:

[Embedded YouTube screencast]

Alternatively, the command sudo apt install dnsrecon should accomplish the same outcome.

CentOS Linux (Github-based) installation

Installing DNSRecon on CentOS follows the same pattern as in the Ubuntu case. Again, a Python version higher than 3.6 is required as well as access to the language package management tool (PIP).

If you feel you don’t want to spend the time setting all of this up and simply need a turnkey alternative, Kali Linux comes with DNSRecon already installed. In Kali, DNSRecon is one of three DNS analysis tools (alongside dnsenum and fierce), all falling within the realm of information gathering techniques provided by the popular distro.

DNSRecon usage and examples

When launching DNSRecon without any specific parameters, we are presented with the usage (-h) menu and a reminder that the -d (domain) option is the only mandatory argument. The output looks like this:

user@kali:~$ dnsrecon -h

usage: dnsrecon.py [-h] -d DOMAIN [-n NS_SERVER] [-r RANGE] [-D DICTIONARY] [-f] [-a] [-s] [-b] [-y] [-k] [-w] [-z] [--threads THREADS] [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV] [-j JSON] [--iw] [--disable_check_recursion] [--disable_check_bindversion] [-v] [-t TYPE]

Let’s explore a few of these options in combination with the intended action or technique they are associated with:

Base domain enumeration: As previously stated, domain enumeration aims at accomplishing as much reconnaissance as possible to find interesting targets or hosts. This includes noting any distinctive aspects such as subdomains and other zone information, as well as every other piece of valid DNS data, quickly and efficiently.

The simplest way to accomplish this using DNSRecon in Kali is to type:

    dnsrecon -d www.acme.com

To save the results in SQLite format, the --db switch does just that:

    dnsrecon -d www.acme.com --db /path/to/sqlite.file

The output of a typical base enumeration looks like so:

    user@kali:~$ dnsrecon -d www.reddit.com
    [*] Performing General Enumeration of Domain: www.reddit.com
    [-] DNSSEC is not configured for www.reddit.com
    [*] SOA ns1.fastly.net 23.235.32.32
    [-] Could not Resolve NS Records for www.reddit.com
    [-] Could not Resolve MX Records for www.reddit.com
    [*] CNAME www.reddit.com reddit.map.fastly.net
    [*] A reddit.map.fastly.net 151.101.1.140
    [*] A reddit.map.fastly.net 151.101.193.140
    [*] A reddit.map.fastly.net 151.101.65.140
    [*] A reddit.map.fastly.net 151.101.129.140
    [*] Enumerating SRV Records
    [+] 0 Records Found

Cache snooping: DNS cache snooping refers to the (mainly) non-recursive querying of an organization’s caching DNS server(s) to find out (1) whether an answer is served directly from cache, and (2) which queries from local domain users, or even system owners, have recently been resolved and cached—this is useful to an attacker because it reveals the hostnames that DNS server has been asked about, and with them the browsing habits of its users, at any given time.

Open DNS caching is advantageous within domain boundaries (i.e., topologically close clients), but never a good idea otherwise.

In the DNSRecon Kali package, cache snooping can be performed as follows:

    dnsrecon -t snoop -n ns_server -d www.acme.com -D /path/to/dict.txt

As per the documentation, the -D option specifies a dictionary file of subdomains and hostnames to use for brute forcing, while -t selects the type of enumeration to perform.
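The mechanics behind the snoop type are worth seeing at the wire level: the query goes out with the RD (recursion desired) bit cleared, so a resolver that honours it can only answer from what it already holds. The following Python is an added example (not code from the original post or from the dnsrecon project): it builds such a query with the standard library and classifies the resolver's reply; the resolver replies, the transaction ids and the 203.0.113.10 address are all constructed in memory so the script runs offline.

```python
"""Cache-snooping mechanics: a non-recursive (RD=0) DNS query and a classifier
for the resolver's reply. Added example; replies are constructed in-memory."""
import struct

# DNS header flag masks and constants (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid, recursion_desired=False, qtype=QTYPE_A):
    """Build a DNS query. RD is cleared by default, which is what snooping relies on:
    a resolver that honours RD=0 answers only from cache and never goes upstream."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an}


def classify_snoop_reply(query, reply):
    """Interpret the reply to an RD=0 query the way a snooping tool, or an auditor
    checking a resolver's exposure, would."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid"
    if r["rcode"] == RCODE_REFUSED:
        return "refused"          # resolver restricts cache access: the hardened state
    if r["rcode"] != RCODE_NOERROR:
        return "error"
    if r["ancount"] == 0:
        return "not-cached"       # nobody behind this resolver asked for the name recently
    if r["aa"]:
        return "authoritative"    # served from the server's own zone data, not a cache hit
    return "cached"               # non-authoritative answer without recursion: cache hit


# --- constructed replies standing in for a live resolver (not real traffic) ---
def _reply_header(query, extra_flags, ancount, rcode=RCODE_NOERROR):
    txid, flags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | (flags & FLAG_RD) | extra_flags | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def simulate_cache_hit(query, ipv4, ttl):
    """Resolver answering from cache: RA set, AA clear, one A record whose owner
    name is a compression pointer to the question at offset 12."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return _reply_header(query, FLAG_RA, 1) + answer


def simulate_cache_miss(query):
    return _reply_header(query, FLAG_RA, 0)


def simulate_refused(query):
    return _reply_header(query, 0, 0, rcode=RCODE_REFUSED)


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    for label, reply in [("hit", simulate_cache_hit(q, "203.0.113.10", 300)),
                         ("miss", simulate_cache_miss(q)),
                         ("hardened", simulate_refused(q))]:
        print(label, "->", classify_snoop_reply(q, reply))
```

From the defender's side, the "refused" branch is the state to aim for: a resolver should answer non-recursive queries only for clients inside its own network (in BIND this is the allow-query-cache / allow-recursion pair), so that an outside probe learns nothing from either a hit or a miss.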

Zone walking: This can be understood as the process of enumerating the entire content of DNSSEC-signed DNS zones—Domain Name System Security Extensions adds a layer of trust on top of DNS by providing authentication. This chain of trust approach, via cryptographic signatures, also provides an additional layer of integrity that prevents attacks such as DNS spoofing from taking place.

DNSRecon can help perform zone walking using NSEC (next secure record) records, which is a capability within DNSSEC to prove the non-existence of a specified record type by listing those that do exist. The command is used as follows:

    dnsrecon -d www.acme.com -t zonewalk
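To make concrete why an NSEC chain can be walked, here is an added Python example (not code from the original post or from dnsrecon) that does both halves over a constructed in-memory zone: it builds the NSEC ring the way a signer does, using the canonical ordering from RFC 4034 section 6.1, and then enumerates every name by following the "next" pointers from the apex back around to the apex, which is what the zonewalk type automates over the network. The zone contents, the example.com names and the lookup_nsec callback are assumptions for illustration.

```python
"""NSEC chain construction (what a zone signer does) and NSEC chain walking
(what a zone walker does), over a constructed in-memory zone. Added example."""


def canonical_key(name):
    """RFC 4034 section 6.1 canonical ordering: compare labels from the right
    (most significant), case-insensitively, with a name sorting before any name
    it is a prefix of; tuple comparison of the reversed labels gives exactly that."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def build_nsec_chain(zone):
    """zone: {owner_name: set_of_types}. Returns {owner: (next_owner, types)}
    with the last name pointing back to the first (the apex), closing the ring."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        types = sorted(zone[owner] | {"NSEC", "RRSIG"})  # signing adds these at every name
        chain[owner] = (nxt, types)
    return chain


def walk_nsec_chain(lookup_nsec, apex, max_steps=10000):
    """Enumerate every name in a signed zone by following NSEC 'next' pointers
    from the apex until the chain returns there. lookup_nsec(name) returns
    (next_name, types), i.e. what a '<name> NSEC' query would yield."""
    found, current, seen = [], apex, set()
    for _ in range(max_steps):
        if current in seen:
            raise ValueError("NSEC chain is not a single ring: loop at %s" % current)
        seen.add(current)
        nxt, types = lookup_nsec(current)
        found.append((current, types))
        if nxt == apex:
            return found
        current = nxt
    raise ValueError("chain longer than max_steps")


def covering_nsec(chain, qname):
    """The NSEC record an authoritative server returns to prove qname does not
    exist: the one whose owner sorts before qname and whose next sorts after it
    (the last record wraps around to the apex and covers everything past it)."""
    k = canonical_key(qname)
    for owner, (nxt, types) in chain.items():
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if lo < k < hi or (hi <= lo and (k > lo or k < hi)):
            return owner, nxt, types
    raise KeyError(qname)


# Constructed zone (not real data); names are stored fully qualified.
SAMPLE_ZONE = {
    "example.com.": {"SOA", "NS", "DNSKEY"},
    "www.example.com.": {"CNAME"},
    "mail.example.com.": {"A", "MX"},
    "dev.example.com.": {"A"},
    "Admin-Portal.example.com.": {"A"},  # mixed case: canonical order lowercases
}

if __name__ == "__main__":
    chain = build_nsec_chain(SAMPLE_ZONE)
    for name, types in walk_nsec_chain(chain.__getitem__, "example.com."):
        print(name, " ".join(types))
    print("covering NSEC for zzz.example.com.:", covering_nsec(chain, "zzz.example.com."))
```

The walk recovers every owner name and its type list, including the mixed-case one, which is the whole point: plain NSEC proves non-existence by disclosing the neighbours. NSEC3 (RFC 5155) replaces the owner names in the chain with salted hashes, and online signing with minimally covering NSEC records (RFC 4470) avoids exposing real neighbours at all, which is why a zonewalk against a zone signed that way returns nothing useful.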

Brute-forcing: This feature attempts a brute-force discovery of subdomains and hosts using a supplied dictionary file.

The std type (-t std) is also a popular choice when enumerating general record types such as SOA, NS, A, AAAA, MX and SRV records, where available—service resource records (SRV) add the ability to look for the specific port and/or protocol on which a given service resides. To conduct brute-forcing using DNSRecon, we type:

    dnsrecon -d www.acme.com -D /path/to/dict.txt -t brt
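Any dictionary brute-force has to start with the wildcard check listed among DNSRecon's capabilities above: if the zone has a catch-all *.domain record, every wordlist entry "resolves" and the run is worthless. The Python below is an added example (not dnsrecon's own code) showing that check and the filtering it enables; the resolver is a constructed in-memory stub, and the example.com hostnames and the 203.0.113.x / 198.51.100.7 addresses are made up for illustration.

```python
"""Dictionary brute-forcing with wildcard detection, the check that keeps a
catch-all '*.domain' record from turning every wordlist entry into a false
positive. Added example; the resolver is a constructed stub, not dnsrecon."""
import random
import string


def random_label(length=12, rng=random):
    """A label nobody would have created on purpose; if it resolves, the zone has a wildcard."""
    return "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(length))


def detect_wildcard(domain, resolve, probes=3):
    """Resolve several random subdomains and return the set of addresses they
    map to; an empty set means no wildcard is in play."""
    addrs = set()
    for _ in range(probes):
        addrs.update(resolve("%s.%s" % (random_label(), domain)))
    return addrs


def brute_force(domain, wordlist, resolve):
    """Return {hostname: [addresses]} for wordlist entries that resolve to
    something other than the wildcard answer."""
    wildcard = detect_wildcard(domain, resolve)
    hits = {}
    for word in wordlist:
        host = "%s.%s" % (word.strip().lower(), domain)
        answers = sorted(resolve(host))
        if not answers:
            continue
        if wildcard and set(answers) <= wildcard:
            continue   # indistinguishable from the catch-all; drop it
        hits[host] = answers
    return hits


# Constructed stub resolver: an in-memory zone with a catch-all record.
STUB_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "dev.example.com": ["198.51.100.7"],   # real host that shares the wildcard address
}
STUB_WILDCARD = {"example.com": ["198.51.100.7"]}


def stub_resolve(name):
    """Mimics how an authoritative server answers when a wildcard exists:
    explicit names win, anything else directly under the zone gets the wildcard data."""
    if name in STUB_ZONE:
        return list(STUB_ZONE[name])
    parent = name.split(".", 1)[1] if "." in name else ""
    return list(STUB_WILDCARD.get(parent, []))


if __name__ == "__main__":
    words = ["www", "mail", "dev", "vpn", "intranet"]
    print("wildcard:", detect_wildcard("example.com", stub_resolve))
    print("hits:", brute_force("example.com", words, stub_resolve))
```

Note the deliberate edge case: dev.example.com is a real host that happens to share the wildcard address, so address-only filtering drops it. That is an inherent limitation of this check, and a reason to compare record types and CNAME targets as well as addresses before discarding a candidate.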

Zone transfer: In recent times, successful enumeration via zone transfer has unquestionably become less frequent thanks to adequate security restrictions; however, a successful listing can still reveal internal resources that may be publicly reachable and thus easily targeted.

For example, an attacker may leverage such data to generate enough conditions for a denial-of-service (DoS) campaign. In DNSRecon, we proceed as follows:

    dnsrecon -d www.acme.com -t axfr

Or simply:

    dnsrecon.py -d www.acme.com -a

Reverse lookup: DNSRecon can easily perform reverse DNS lookups, that is, PTR (pointer) record searches that map IP addresses back to DNS hostnames. The following command shows how to perform a reverse lookup over a range of IPs:

    dnsrecon -r 208.67.222.200-208.67.222.255 -d microsoft.com

The output looks like:

    user@kali:~$ dnsrecon -r 208.67.222.200-208.67.222.255 -d microsoft.com
    [*] Reverse Look-up of a Range
    [*] Performing Reverse Lookup from 208.67.222.200 to 208.67.222.255
    [+] PTR resolver3.opendns.com 208.67.222.220
    [+] PTR resolver1.opendns.com 208.67.222.222
    [+] 2 Records Found

DNSRecon’s additional features and capabilities extend far beyond those we’ve covered so far, and are worth investigating if a more in-depth analysis is required.

Alternatives to DNSRecon

How does DNSRecon stack up against some of the most popular DNS enumeration tools, including SecurityTrails’ own DNS toolbox? Let’s dive in:

  1. Nmap: This so-called Swiss Army knife of reconnaissance tools has been extensively discussed and promoted not only in the bailiwick of cyber security but also as a handy utility capable of handling a multitude of system administration and even auditing functions. Nmap’s command line version is complemented by an equally advanced graphical (GUI) tool with enough flexibility and portability to make it anyone’s favorite.
  2. Amass: another great addition to the OSINT arsenal, Amass is written by our friend Jeff Foley, and since day one has been one of our favorite tools for DNS recon and subdomain discovery. It’s one of the most powerful terminal-based commands there is for gathering and accumulating large amounts of subdomain data.
  3. Fierce: This utility is particularly suited to working with non-contiguous IP spaces and hostnames across large environments. Its semi-lightweight nature makes it a good alternative and precursor to other tools, such as Nmap, using a set of built-in features such as wordlists and threading capabilities for improved performance.
  4. dnsX: A lesser-known successor to an earlier and similar tool written in Go, dnsX is a multi-purpose DNS probing toolkit that is particularly suited to handle multi-level DNS based wildcards and custom (user-supplied) resolvers. However, one of the utility’s best features is its support for stdin and stdout redirection, allowing dnsX to be leveraged by other tools.
  5. SecurityTrails: Our own advanced DNS enumeration tool comes in the form of a free, fully-online app capable of performing passive enumeration akin to many enterprise-grade alternatives. In addition to standard approaches such as mapping or subdomain listing, the app offers both current and historical DNS records for easy modelling in a quick and intuitive manner.

Final words

With more and more organizations consisting of intricate, cloud-based and on-premises deployments requiring stricter security measures, DNS remains a considerable attack surface that isn’t going away anytime soon. It is also a well-known fact that DNS security, along with all its correspondent underpinnings and traffic patterns, is still a largely under-monitored effort across these organizations.

From protocol design flaws that can lead an on-path attacker to carry out tactics such as query redirection to poor architectural planning that fails to integrate timely practices like DNSSEC, DNS reconnaissance tools will continue to yield a plethora of valuable data to security practitioners and malicious actors alike.

Penetration testing is a profession that requires a good amount of preparation and attention to detail—it isn’t the pedestrian approach of simply choosing a target and throwing at it every resource you can find to accomplish the objective. Beginning with effective DNS enumeration, the penetration testing life cycle also entails doing so in a manner that generates the most actionable data possible.

DNSRecon has stood the test of time by providing just the right balance between performance and usability, making it a clear winner when it comes to either active or passive DNS reconnaissance efforts. From a blue team’s perspective, using tools like DNSRecon can present unique opportunities for both monitoring and detection, highlighting areas of interest where additional attention may be required.

Finally, the open-source nature of tools like DNSRecon can never give carte blanche for illegitimate purposes. As with any other security tool at our disposal, please understand the regulatory and legal considerations surrounding our profession before you consider any unlawful practices.