Dns Recon Cheatsheet

DNS BruteForcing

DNS Wordlists

Description URL
Top 1000 https://github.com/bitquark/dnspop/tree/master/results
Top 10000 https://github.com/bitquark/dnspop/tree/master/results
Top 100000 https://github.com/bitquark/dnspop/tree/master/results
Top 1000000 https://github.com/bitquark/dnspop/tree/master/results
Various Others https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS


$ dnsrecon -d <domain> -D <dir/wordlist> -t brt

Output Formats

  • –xml
  • –json
  • –csv
  • –db # SQLite file


$ nmap --script dns-brute --script-args dns-brute.domain=<domain>,dns-brute.threads=5


$ fierce -dns <domain> -wordlist <dir/wordlist>

DNS Lookups


Type Description
ANY Any type
A A type record
AXFR Zone Transfer
CNAME Canonical Name
IXFR Incremental Zone Transfer
MX Mail Exchange
NS Name Server
SOA State of Authority
TXT Text

Standard Lookup


$ dig <domain>


$ dnsrecon -t std -d <domain>

Only return IP address

$ dig <domain> +short

Use specific NS

$ dig @<name server> <domain>

Reverse DNS lookup

$ dig -x <ip> +short

Reverse IP lookup for range

$ dnsrecon -t rvs -i,

Query specific type

$ dig -t <type> <domain> <other options>

DNS Zone Transfer


$ dig -t axfr <domain>


$ dnsrecon -d <domain> -t axfr

NSLookup (Windows)

$ nslookup
> set type=any
> ls -d <domain>

Free site tools

Domain Description API
https://www.virustotal.com Database of malware samples. Can search my file, sum, or other characteristics (ip/domain) Yes
https://www.dnsdumpster.com DNS recon using open source data. Gives graphs / maps of IP address locations as well No
https://crt.sh/?q=%25bitrot.sh Certificate search. Can tie in domains based on common certs No
https://censys.io scans.io driven data. Can look up domains, certificates, etc Yes
http://searchdns.netcraft.com Web based domain search tool No
https://www.shodan.io Shodan open net scanner. Yes
https://reverse.report Another scans.io based site with global reverse DNS records. No
comments powered by Disqus