Dnsrecon is used in checking of NS records and all the common DNS record types like MX,SOA,NS,A,TXT. This tool was originally written by Carlos Perez in 2006 and written in ruby.
- To start dnsrecon go to linux terminal and type dnsrecon. After launching dnsrecon it will throw simple list of available options as shown below.
- Now, type dnsrecon -d hackthissite.org
- As you see after typing above command, it returns the default DNS records types. Such as (NS) Name Servers for the target, (MX) Mail Servers and others, which are detailed as below:
- SOA (Start of Authority): Primary name server for the domain, so primary name server is 220.127.116.11 as shown in screen shot above
- NS (Name Server): Name server is the DNS for our target website. The Name Server of our target website is running on buddyns.com
- MX (Mail Server record): Mail Server of our target website is running on googlemail.com
- A (Address Mapping records): This record tell that our target website is running on 18.104.22.168 to 22.214.171.124 IP address range.
- AAAA (IP Version 6 Address records): This record tell the IPV6 IP addresses of our target website.
- SFF (Sender Policy Framework): This record identifies which mail servers are authorized to send email of the target domain.
- TXT: This record is used for verification purposes and email validations.
Zone transfer is the process of copying a zone file from one name server to another name server. This can be from primary name server to secondary name server. This process is used to take backup of Name Servers. Typically these records are not accessible from internet. If DNS server is misconfigured then this can be used by attacker to get the DNS records of target website using zone transfer functionality.
- Type dnsrecon -d zonetransfer.me -a
======= SNIP ==========
======= SNIP ==========
- As you can see in above images lot of information has returned from a zone transfer. This is the information that should not be available to anyone on the internet. As it exposes whole network infrastructure of the target. This command even provides information that can be used in social engineering attacks and other penetration activities.
- In the above screen shot DNS records like – NS, MX, TXT, AAAA, SOA records have been found with the IP address associated with it. Further these IP addresses can be used by attacker to carry out further attacks.
- If you want to save the above records and all the other information in a database file for the future use, we can use dnsrecon with –db option to save the terminal output to a database file, for the future use:
dnsrecon -d zonetransfer.me -a –db /home/iicybersecurity/dnsreconoutput-db
- After running the command the output of DNS recon is saved in .db file (SQLite file), which will be created in above mentioned path. Now you can open file in SQLite browser as shown below:
- In SQLite browser click on Browse Data TAB to view saved output of dnsrecon, as shown below:
According to ethical hacking researcher in international institute of cyber security DNS attacks are very commonly used to gather information about the target so understanding of DNS recon is good for network administrators.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.