Skip to content

darkoperator/dnsrecon

BranchesTags

Repository files navigation

DNSRecon

DNSRecon is a Python port of a Ruby script that I wrote to learn the language and about DNS in early 2007. This time I wanted to learn about Python and extend the functionality of the original tool and in the process re-learn how DNS works and how could it be used in the process of a security assessment and network troubleshooting.

This script provides the ability to perform:

  • Check all NS Records for Zone Transfers.
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  • Perform common SRV Record Enumeration.
  • Top Level Domain (TLD) Expansion.
  • Check for Wildcard Resolution.
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
  • Perform a PTR Record lookup for a given IP Range or CIDR.
  • Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check..

Installation

Requirements

DNSRecon requires Python 3.12 or higher.

Using uv (Recommended)

  1. Install uv if you haven't already:

    curl -LsSf https://astral.sh/uv/install.sh | sh

  2. Clone the repository:

    git clone https://github.com/darkoperator/dnsrecon.git
cd dnsrecon

  3. Install dependencies and create virtual environment:

    uv sync

  4. Run DNSRecon:

    uv run dnsrecon

Development

To install development dependencies:

uv sync --extra dev

To run tests:

uv run pytest

To run linting and formatting:

uv run ruff check
uv run ruff format

Shodan Netblock Expansion

DNSRecon can use Shodan to expand netblocks discovered during standard enumeration from SPF (-s) and/or WHOIS (-w) data.

CLI examples

Passive Shodan enrichment (uses SPF + WHOIS netblocks):

uv run dnsrecon -d example.com -t std -s -w --shodan --shodan-key "$SHODAN_API_KEY"

Active validation of Shodan results (re-resolves hosts and confirms they still match the queried netblock):

uv run dnsrecon -d example.com -t std -s -w --shodan --shodan-active --shodan-key "$SHODAN_API_KEY"

You can also set the API key via environment variable instead of --shodan-key:

export SHODAN_API_KEY="your-shodan-api-key"
uv run dnsrecon -d example.com -t std -s -w --shodan

REST API examples

Start the REST API:

uv run restdnsrecon

Call /general_enum with Shodan expansion enabled:

curl -s \
  -H "X-Shodan-Api-Key: $SHODAN_API_KEY" \
  "http://127.0.0.1:5000/general_enum?domain=example.com&do_spf=true&do_whois=true&do_shodan=true"

Enable active validation in the API:

curl -s \
  -H "X-Shodan-Api-Key: $SHODAN_API_KEY" \
  "http://127.0.0.1:5000/general_enum?domain=example.com&do_spf=true&do_whois=true&do_shodan=true&shodan_active=true"

Packaging Versions

Packaging status

About

DNS Enumeration Script

Resources

Readme

License

GPL-2.0 license
Activity

Stars

3k stars

Watchers

91 watching

Forks

566 forks
Report repository

Releases 26

1.5.3 Latest
Dec 30, 2025
+ 25 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Packages

No packages published

Contributors 69

+ 55 contributors

Languages