dnsrecon Cheat Sheet
Python DNS enumeration tool for records, zone transfers, brute force, and cache snooping.
Overview
dnsrecon performs standard DNS enumeration: SOA/NS/MX/TXT, AXFR checks, subdomain brute force, reverse lookups, and SRV record discovery. Output formats suit scripting and reporting.
Authorized testing only. Brute forcing subdomains sends high query volume—coordinate with client DNS teams on internal zones.
Install
sudo apt install -y dnsrecondnsrecon -hEssential commands
Standard scan
dnsrecon -d target.example.com -t stdZone transfer
dnsrecon -d target.example.com -t axfrSubdomain brute force
dnsrecon -d target.example.com -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txtCommon workflows
Full combo —
dnsrecon -d target.example.com -t std,brt,srv,axfr -D subdomains.txt --xml report.xmlReverse lookup range —
dnsrecon -r 10.10.10.0/24 -n 10.10.10.1Custom nameserver (internal AD DNS) —
dnsrecon -d corp.local -n 10.10.10.10 -t std,srv,axfrSave CSV —
dnsrecon -d target.example.com -t brt -D wordlist.txt --csv dnsrecon.csvFlags reference
-d | Domain |
|---|---|
-n | Name server IP |
-r | IP range for reverse |
-t | Type: std, axfr, brt, srv, bing, zonewalk, etc. |
-D | Wordlist for brute |
-T | Threads |
--xml / --csv / --json | Output formats |
-f | Filter IPs (resolve only) |
-a | Check all NS for zone transfer |
Tips
- -t srv helps find LDAP, Kerberos, SIP: _ldap._tcp, _kerberos._tcp.
- Use internal resolver -n when testing from corporate network vantage.
- Combine with dig for manual record validation.
- zonewalk tests DNSSEC NSEC walking when applicable.