There is currently no way to throttle the speed of queries generated by dnsrecon in cases where more stealth is preferred.

Hi,

Is it possible to pass a list of domain names to DNSRecon? I couldn't see anything in the docs regarding this.

Regards,

Carl

I don't think the following code behaves as expected.

I think that lines 313 to 316 should be indented (the value of t never changes) and perhaps have the order of cc and t in the string construction reversed. As it is, it will currently loop over domain name + country code + the last value in stld which is currently .travel.

Example output:

[*] Trying sammich.fr.travel
[*] Trying sammich.ga.travel
[*] Trying sammich.gb.travel
[*] Trying sammich.gd.travel
[*] Trying sammich.ge.travel
[*] Trying sammich.gf.travel
[*] Trying sammich.gg.travel
[*] Trying sammich.gh.travel
[*] Trying sammich.gi.travel
[*] Trying sammich.gl.travel
[*] Trying sammich.gm.travel
[*] Trying sammich.gn.travel
[*] Trying sammich.gp.travel

It will never loop over any other stld values due to the current indention.

I'd be happy to submit a PR if you wish. Just let me know the desired loop pattern.

$ dig AXFR blabla.fr @dns.blabla.fr | grep webuse
lamort.blabla.fr.   21600   IN  CNAME   webuser.blabla.fr.
webuser.blabla.fr.  21600   IN  A   1.2.3.4

Doing same operation with dnsrecon and JSON output:

[
    {
    "arguments": "dnsrecon/dnsrecon.py -t axfr -d blabla.fr -n dns.blabla.fr --json samples/dnsrecon-axfr-blabla.fr.json",
    "date": "2015-03-03 11:52:43.031781",
    "type": "ScanInfo"
    },

...
  {
    "address": "1.2.3.4",
    "name": "webuser.blabla.fr",
    "type": "A",
    "zone_server": "X.X.X.X"
  },
...
  {
    "address": "1.2.3.4",
    "name": "lamort.blabla.fr",
    "target": "webuse",
    "type": "CNAME",
    "zone_server": "X.X.X.X"
  },
...
]  

'webuser' becomes 'webuse' with 'dnsrecon'.

Records are translated to key value pairs before passing them to the prettify function, when writing data to XML.
The prettify function tries to encode these pairs into unicode. This could fail if the string contains bytes > 128 dec.

The problem starts around line 657, but will only be noticed at around line 643 (ElementTree.tostring)

My lousy fix is the following, but I'm sure real programmers would come up with something more decent:

@@ -657,7 +657,14 @@ def dns_record_from_dict(record_dict_list, scan_info, domain):
         if type(r) is not str:
             try:
                 for k, v in r.items():
-                    elem.attrib[k] = v
+                    try:
+                        k = unicode(str(k))
+                        v = unicode(str(v))
+                        elem.attrib[k] = v
+                    except:
+                        print ("Could not convert key or value to unicode: '%s = %s'" % (repr(k), repr(v)))
+                        print ("In element: %s" % repr(elem.attrib))
+                        continue
                 xml_doc.append(elem)
             except AttributeError:
                 continue

Good morning,
I think it would be useful to have a flag to specify the port of the dns server.

Thanks,
Alessio

Looks like I messed up zonetransfer.me trying to get DNSSEC working but in the process broke dnsrecon...

./dnsrecon.py -t zonewalk -d zonetransfer.me -n 81.4.108.41
[*] Performing NSEC Zone Walk for zonetransfer.me
[*] Getting SOA record for zonetransfer.me
Traceback (most recent call last):
  File "./dnsrecon.py", line 1681, in <module>
    main()
  File "./dnsrecon.py", line 1595, in main
    ds_zone_walk(res, domain)
  File "./dnsrecon.py", line 1225, in ds_zone_walk
    soa_rcd = res.get_soa()[0][2]
  File "./recon/dnsrecon/lib/dnshelper.py", line 200, in get_soa
    ipv4_answers = self._res.query(name, 'A')
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 824, in query
    raise NoNameservers
dns.resolver.NoNameservers

Most resolvers don't pass along IP address information, so you should be able to scale up brute force attacks by spreading queries across multiple resolvers.

You could include a list of popular servers by default (Verizon, Google, OpenDNS, etc). Public-DNS.tk maintains a list of open DNS resolvers that includes IP addresses and uptime statistics. You could download it on demand and filter them based on uptime, there are ~50K IP addresses with a 100% uptime rating. I would recommend you shuffle and throttle to 5 queries per second.

Was wondering if you might want to use one of the subdomain lists I created from the Alexa Top 1 Million sites AXFR results - http://www.ethicalhack3r.co.uk/zone-transfers-on-the-alexa-top-1-million-part-2/

Would like to see dnsrecon in pypi, would make a lot of difference using to tool / embedding it in other projects and so on.

My ideal scenario would be:

pip install dnsrecon

and have everyting set up.

See:
https://packaging.python.org/tutorials/packaging-projects/

I just made a typo when entering the types

-t brt,axfr

but I'd also specified -c to save to file. The brute force ran but then nothing was saved as it tried to do the axft and failed. It should save at the end of each phase rather than at the end and it should also check the types before doing anything else to detect typos.

Hello!

I'm trying to check my own domain lineratedev.net and do not have any success:

./dnsrecon.py -d lineratedev.net
[*] Performing General Enumeration of Domain: lineratedev.net
[*] DNSSEC is configured for lineratedev.net
Traceback (most recent call last):
  File "./dnsrecon.py", line 1682, in <module>
    main()
  File "./dnsrecon.py", line 1640, in main
    spf_enum, do_whois, zonewalk)
  File "./dnsrecon.py", line 957, in general_enum
    dns_sec_check(domain, res)
  File "./dnsrecon.py", line 862, in dns_sec_check
    nsectype = get_nsec_type(domain, res)
  File "./dnsrecon.py", line 847, in get_nsec_type
    answer = get_a_answer(target, res._res.nameservers[0], res._res.timeout)
  File "./dnsrecon.py", line 1204, in get_a_answer
    answer = dns.query.udp(query, ns, timeout)
  File "/usr/local/lib/python2.7/dist-packages/dns/query.py", line 254, in udp
    one_rr_per_rrset=one_rr_per_rrset)
  File "/usr/local/lib/python2.7/dist-packages/dns/message.py", line 808, in from_wire
    reader.read()
  File "/usr/local/lib/python2.7/dist-packages/dns/message.py", line 751, in read
    raise TrailingJunk
dns.message.TrailingJunk: The DNS packet passed to from_wire() has extra junk at the end of it.

Do you have some ideas how I could resolve this issue?

Thank you!

Hello. Do you have a finished image or icon for this program?

I just did a typo and did

-t std,axft

The standard scan ran then it gave this error:

[-] This type of scan is not in the list axft

It would be better if you checked all the types requested at the start and failed early.

Hi,
I would like to update the package in Kali / Debian (https://bugs.kali.org/view.php?id=5365)
But you released a new version 0.8.2 a few days ago and the previous version was 0.8.14:
0.8.2 is lower than 0.8.14.
Could you release a new version higher than 0.8.14, for example 0.8.20?

Thanks!

I keep getting an error when I put in the following line, with a real domain, and for the life of me, can't figure out what is going wrong. It seems to output everything to the screen, but after the reverse lookup is done I get the error after. Any help would be greatly appreciated

dnsrecon.py -d -n 8.8.8.8 -t std -a -s -g -w --xml output.xml

Traceback (most recent call last):
File "dnsrecon.py", line 1627, in
main()
File "dnsrecon.py", line 1572, in main
xml_enum_doc = dns_record_from_dict(returned_records, scan_info, domain)
File "dnsrecon.py", line 660, in dns_record_from_dict
for k, v in r.items():
AttributeError: 'list' object has no attribute 'items'

When I provide the nameserver as a domain name rather than as an IP address, DnsHelper throws a fit. Here is an example stack trace with a few things redacted:

» python ./dnsrecon.py -d xxx.com -n yyy.zzz.xxx.com. -t std
[*] Performing General Enumeration of Domain:
Traceback (most recent call last):
File "./dnsrecon.py", line 1493, in
main()
File "./dnsrecon.py", line 1362, in main
spf_enum, do_whois, zonewalk)
File "./dnsrecon.py", line 845, in general_enum
dns_sec_check(domain,res)
File "./dnsrecon.py", line 787, in dns_sec_check
answer = res._res.query(domain, 'DNSKEY')
File "/Library/Python/2.7/site-packages/dns/resolver.py", line 785, in query
source_port=source_port)
File "/Library/Python/2.7/site-packages/dns/query.py", line 219, in udp
if _addresses_equal(af, from_address, destination) or
File "/Library/Python/2.7/site-packages/dns/query.py", line 150, in _addresses_equal
n2 = dns.inet.inet_pton(af, a2[0])
File "/Library/Python/2.7/site-packages/dns/inet.py", line 50, in inet_pton
return dns.ipv4.inet_aton(text)
File "/Library/Python/2.7/site-packages/dns/ipv4.py", line 43, in inet_aton
raise dns.exception.SyntaxError
dns.exception.SyntaxError

Came across a bug I though I should report.

Version: 0.8.6

$ ./dnsrecon.py -d REDACTED -t std,rvl,brt,srv,axfr,goo,snoop,tld,zonewalk
[*] Performing General Enumeration of Domain:
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to REDACTED
[!] All queries will resolve to this address!!
[-] DNSSEC is not configured for REDACTED
[-] Could not Resolve SOA Record for REDACTED
[-] Could not Resolve NS Records for REDACTED
[-] Could not Resolve MX Records for REDACTED
[*]      A REDACTED REDACTED
[*] Enumerating SRV Records
[-] No SRV Records Found for REDACTED
[*] 0 Records Found
Traceback (most recent call last):
  File "./dnsrecon.py", line 1611, in <module>
    main()
  File "./dnsrecon.py", line 1483, in main
    if len(ip_list) > 0:
UnboundLocalError: local variable 'ip_list' referenced before assignment

Please add a flag to exit the scrip if a wildcard is detected.

Currently, the program notifies the user and asks if they want to quit.

I'd love to be able to install dnsrecon via pypi instead of cloning the repo and installing dependencies manually.
The project would need a setup.py file, uploading to pypi is straight-forward.

The 0.8.12 version seems has been released officially.
However, there is neither tag no archive to download.

Please create it

Running with these parameters:

-t std,axfr,brt -D ~/dns2.txt -d abc.org.uk --csv abc-dns-enum.csv

I get as far as

[*] Expanding IP ranges found in DNS and TXT records for Reverse Look-up

and the it locks up. I've checked with tcpdump and no more traffic is sent out and I've left it for 5 minutes and nothing happened. It is a very small and basic domain, two TXT records, one pointing at outlook.com and one just text.

Hi,
i'm trying to use this tool on my arch OS.
i've this error :

Traceback (most recent call last):
  File "./dnsrecon.py", line 1664, in <module>
    main()
  File "./dnsrecon.py", line 1622, in main
    spf_enum, do_whois, zonewalk)
  File "./dnsrecon.py", line 1067, in general_enum
    goo_rcd = goo_result_process(res, scrape_google(domain))
  File "./dnsrecon.py", line 531, in scrape_google
    sock = urllib.urlopen(url)
AttributeError: module 'urllib' has no attribute 'urlopen'

what i've to install?
thanks

The problem relates to specific syntax of DIG command that have to be used, standard commands or windows nslookup will also fail.

Could you add the following check to your tool please;
'dig axfr domain.com @ns1.domain.com'

Many thanks,

Alexander

Was the mDNS support dropped? In previous descriptions of the tool, it was advertised it could enumerate mDNS records (e.g. https://tools.kali.org/information-gathering/dnsrecon)

The file lib/mdnsenum.py isn't loaded by anywhere

With 7b7c7b3, dnsrecon does not produce complete JSON file output except:

[
    {
        "arguments": "dnsrecon/dnsrecon.py -r X.X.X.X/16 -t rvl --json output.json -n 8.8.8.8",
        "date": "2015-02-26 15:07:32.811102",
        "type": "ScanInfo"
    }
]

The following error message in ds_zone_walk indicates that a request to a server timed out and that the user can configure this time:

This value is actually not user configurable. It is hard set to 3 seconds when the res object is recreated.

This is a straightforward fix and I can PR it if you'd let me know your preference for handling it:

1. This value uses the same value as --lifetime
2. This value uses a new value specified on the command line, for example --lifetime-walk
3. This value is not user configurable and the error message is updated.

Hello @darkoperator ! I hope your are doing well sir.

It should be good if it is possible to have the shodan-python(1) intragrated with an "online" or "offline" (such as passive or active validation).

Expanding the SPF and/or whois networks through Shodan's query "net:xyz.xyz.xyz.xyz/24(or whatever net it found)", looking for new names. Giving the option to validate if the name found still responds or not depending on what user have set on options.

Something like:
--shodan "api-key" or "file-with-api-key" --shodan-passive --shodan-active

I love this tool and use it for so long, thank you for all your effort to maintain it. Cheers!

1 - https://github.com/achillean/shodan-python

We currently incorporate your tool into ArchAssault (https://archassault.org/) and we aim to have licenses associated with all our included packages.

Could you add a license to the repo and include it in the tagged release? It would be appreciated.

In bruteforce mode founded records are not wrote to the output file because brt_enum_records are not added to returned_records.

Issue: https://github.com/darkoperator/dnsrecon/blob/master/dnsrecon.py#L1535

Sample command:
python dnsrecon.py --domain <domain> --type brt --threads 1 --iw --json out.json

I attached a proposed patch:
dnsrecon.txt

GIT SHA:
c96739859cc25177df0a9a3a3b7bdcfe62d87394 - c967398

Hi.

Thanks for a great project. The Zone transfer (AXFR) doesn't seem to work on Version: 0.8.13.

Version 0.8.13
$ dnsrecon.py -a -d DOMAIN
Get the error:
[*] Resolving SOA Record
[-] Could not obtain the domains SOA Record.

Doing the same thing on the same domain with Version 0.8.11
$ dnsrecon.py -a -d DOMAIN
Version: 0.8.11
[*] Resolving SOA Record
[+] SOA ...

Best regards Ysagi

version: 0.8.11 (Python 2.7.14)
cmdline: dnsrecon -t std,srv,goo,zonewalk,brt -D /usr/share/dnsrecon/namelist.txt -g -z --threads 1 --lifetime 10 -d redacted.com > dnsrecon-redacted.com.txt

Traceback (most recent call last):
File "./dnsrecon.py", line 1670, in
main()
File "./dnsrecon.py", line 1507, in main
std_enum_records = general_enum(res, domain, xfr, goo, bing, spf_enum, do_whois, zonewalk)
File "./dnsrecon.py", line 1046, in general_enum
goo_rcd = goo_result_process(res, scrape_google(domain))
NameError: global name 'goo_result_process' is not defined

I hadn't used the tool before and was trying a few options. I incorrectly used an IP address with the domain flag option. It errored far into the code away from the input parsing, due to line 1415 of dnsrecon.py not validating the input format.

 elif opt in ('-d', '--domain'):
            domain = arg

I think it would be good to refactor this section to use argparse.

Traceback (most recent call last):
File "/usr/bin/dnsrecon", line 71, in
from lib.gooenum import *
ImportError: No module named gooenum

Hi,

Do you also have a version I could include in a project to use DNSRecon as a library/module? I would like to write a python script that uses DNSRecon but where I can add some additional info from Whois and Google.

Thanks!

You'll get this error if you logged in under user account without permissions to write into dictionary file. So if you are regular user and use nameslist.txt from regular package installation e.g. on kali linux
dnsrecon -d example.com -t brt -D /usr/share/dnsrecon/namelist.txt --iw -f > /tmp/dnsrecon1 you'll get permission error because in the code file is open for read and write f = open(dict, 'r+').

dnsrecon save the results in a csv file.
CSV Contents:

Type,Name,Address,Target,Port,String
A,www.example.com,123.123.123.23
A,ftp.example.com,123.123.123.21
A,app.example.com,123.123.123.20

msf > import_dnsrecon_csv -f result.csv

"Address" Columns are imported successfully , but "Name" columns are missing.

For example:
address mac name os_name os_flavor os_sp purpose info comments

123.123.123.20
123.123.123.21
123.123.123.23

Writing TXT records to a sqlite database will cause the following failure:

Traceback (most recent call last):
File "dnsrecon.py", line 1666, in
main()
File "dnsrecon.py", line 1638, in main
write_db(results_db, returned_records)
File "dnsrecon.py", line 796, in write_db
'values( "%(type)s", "%(name)s" ,"%(strings)s" )' % n
KeyError: 'name'

The TXT record don't have a 'name' key, I'm not sure if that should be correct.
A fix could be (line 795-796):
query = 'insert into data( type, text) ' +
'values( "%(type)s", "%(strings)s" )' % n

From the command:

./dnsrecon.py -t std,brt,axfr -d xxx.com -D dns2.txt -c ~/clients/xxx_dns

[-]
[*] Saving records to CSV file: /home/robin/clients/xxx_dns
Traceback (most recent call last):
File "./dnsrecon.py", line 1630, in
main()
File "./dnsrecon.py", line 1587, in main
write_to_file(make_csv(returned_records), csv_file)
File "./dnsrecon.py", line 732, in make_csv
csv_data += n['type'] + "," + n['name'] + ",,,,'" + n['strings'] + "'\n"
KeyError: 'name'

I've tried the -f switch to filter out brute forced records that resolve to the wildcard IP address, but it doesn't seem to work for either saving as csv or xml.

The current head fails to run due to an inconsistent use of tabs and spaces within the brute_tlds function on line 306 in dnsrecon.py

This can easily be fixed by opening the file in vim and running :retab. I suggest running CI tests in the future, it's free for opensource projects and stops stuff from breaking so easily :)

Colleague got this doing a basic scan with output to CSV, didn't send me full command line. I ran similar scan with brute force and zone transfer and it worked OK. I think he re-ran the command without .csv on filename and it worked but this could have been coincidence or he could have changed something else.

Traceback (most recent call last):
  File "./dnsrecon.py", line 1676, in <module>
      main()
        File "./dnsrecon.py", line 1653, in main
            write_to_file(make_csv(returned_records), csv_file)
              File "./dnsrecon.py", line 753, in make_csv
                  csv_data += n['type'] + "," + n['name'] + ",," + n['target'] + ",\n"
                  KeyError: 'target'

Line 782 of dnsrecon.py will process NSEC3 records, which results in a stacktrace as shown below:

Traceback (most recent call last):
File "dnsrecon.py", line 1666, in
main()
File "dnsrecon.py", line 1638, in main
write_db(results_db, returned_records)
File "dnsrecon.py", line 784, in write_db
'values( "%(type)s", "%(target)s", "%(address)s" )' % n
KeyError: 'target'

Suggestion for a fix (line 782):
elif re.match(r'NS$', n['type']):

On 3.4.5-pentoo (Gentoo with Pentoo overlay), using python 3.2, I'm getting the following error using current dnsrecon (0.8.0) from git.

Error:

python dnsrecon.py

Traceback (most recent call last):
File "dnsrecon.py", line 55, in
import dns.message
ImportError: No module named dns.message

eselect python list

Available Python interpreters:
[1] python2.7
[2] python3.2 *

dnsrecon does not throw errors with python 2.7.

Hi,

Just been using dnsrecon and some of the domains are throwing this error!

Exception in thread Thread-4 (most likely raised during interpreter shutdown):
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 808, in __bootstrap_inner
File "dnsrecon.py", line 102, in run
File "/usr/lib/python2.7/Queue.py", line 168, in get
File "/usr/lib/python2.7/threading.py", line 333, in wait
<type 'exceptions.TypeError'>: 'NoneType' object is not callable

Is there anything I can do to handle this?

Carl

Hi,

For some domains an exception is raised when dnsrecon try to get SOA record:

[*] Performing General Enumeration of Domain: *******
[*] Checking for Zone Transfer for ******* name servers
[*] Resolving SOA Record
[-] Could not obtain the domains SOA Record.
[-] DNSSEC is not configured for *******
Traceback (most recent call last):
  File "/opt/dnsrecon/dnsrecon.py", line 1707, in <module>
    main()
  File "/opt/dnsrecon/dnsrecon.py", line 1665, in main
    std_enum_records = general_enum(res, domain, xfr, goo, bing, spf_enum, do_whois, do_crt, zonewalk)
  File "/opt/dnsrecon/dnsrecon.py", line 951, in general_enum
    found_soa_records = res.get_soa()
  File "/opt/dnsrecon/lib/dnshelper.py", line 217, in get_soa
    name = rdata[0].mname.to_text()
AttributeError: 'CNAME' object has no attribute 'mname'

After some investigations, it seems that rdata[0] is a dns.rdtypes.ANY.CNAME.CNAME type and don't have mname attribute.

I added a simple workaround, to resolve the problem:

--- a/lib/dnshelper.py
+++ b/lib/dnshelper.py
@@ -214,6 +214,8 @@ class DnsHelper:
                answers = response.authority
            for rdata in answers:
                # A zone only has one SOA record so we select the first.
+                if not isinstance(rdata[0], dns.rdtypes.ANY.SOA.SOA):
+                    return []
                name = rdata[0].mname.to_text()
                ipv4_answers = self._res.query(name, 'A', tcp=tcp)
                for ardata in ipv4_answers:

Can you confirm the solution validity ?

Hi,

I think it would be useful to have a flag that would run all the different 'types' of checks. Would save having to input them all.

Thanks,
Ryan

While writing PTR records to the sqlite database, the following failure will occur.

At line 776, variable 'n' is used to iterate through the array 'data'. In the following lines, 'n' is assumed to be of the type 'list'.
When using reverse lookups to resolve PTR records, this breaks as shown below:

File "dnsrecon.py", line 1666, in
main()
File "dnsrecon.py", line 1638, in main
write_db(results_db, returned_records)
File "dnsrecon.py", line 778, in write_db
if re.match(r'PTR|^[A]$|AAAA', n['type']):
TypeError: list indices must be integers, not str

This error occurs, because the PTR records aren't stored as separate items in the list 'data'. Instead all the PTR records together are an array (or a list by itself ... not sure... ).

I don't have a suggested fix, but it should be somewhere in the output of the reverse lookups.

I have performed dnsrecon on evernote.com but resulted in finding 0 SRV documents. So i tried to reverse lookup.Then it gave 504 records.
but none of those links are working.
what to could be the possible reason for those links not working.