DNSRecon: Querying Domain Name Information

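The Domain Name System (DNS) is an Internet service. As a distributed database that maps domain names and IP addresses to each other, it makes the Internet easier to use. DNS uses UDP port 53. Currently, each level (label) of a domain name is limited to 63 characters, and the total length of a domain name cannot exceed 253 characters. DNSRecon is written in Python and can perform a range of domain-related information queries.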

Finding subdomains

  • baidu.com
┌──(***㉿kali)-[~]
└─$ dnsrecon -d baidu.com
[*] std: Performing General Enumeration against: baidu.com...
[-] DNSSEC is not configured for baidu.com
[*] 	 SOA dns.baidu.com 110.242.68.134
[*] 	 NS dns.baidu.com 110.242.68.134
[*] 	 NS ns3.baidu.com 112.80.248.64
[*] 	 NS ns3.baidu.com 36.152.45.193
[*] 	 NS ns4.baidu.com 14.215.178.80
[*] 	 NS ns4.baidu.com 111.45.3.226
[*] 	 NS ns2.baidu.com 220.181.33.31
[*] 	 NS ns7.baidu.com 180.76.76.92
[*] 	 NS ns7.baidu.com 240e:bf:b801:1002:0:ff:b024:26de
[*] 	 NS ns7.baidu.com 240e:940:603:4:0:ff:b01b:589a
[*] 	 MX mx.maillb.baidu.com 111.202.115.85
[*] 	 MX usmx01.baidu.com 12.0.243.41
[*] 	 MX mx1.baidu.com 111.202.115.85
[*] 	 MX mx1.baidu.com 220.181.3.85
[*] 	 MX mx.n.shifen.com 111.202.115.85
[*] 	 MX mx.n.shifen.com 111.206.215.185
[*] 	 MX mx50.baidu.com 12.0.243.41
[*] 	 MX jpmx.baidu.com 119.63.196.201
[*] 	 A baidu.com 39.156.66.10
[*] 	 A baidu.com 110.242.68.66
[*] 	 TXT baidu.com v=spf1 include:spf1.baidu.com include:spf2.baidu.com include:spf3.baidu.com include:spf4.baidu.com a mx ptr -all
[*] 	 TXT baidu.com _globalsign-domain-verification=qjb28W2jJSrWj04NHpB0CvgK9tle5JkOq-EcyWBgnE
[*] 	 TXT baidu.com google-site-verification=GHb98-6msqyx_qqjGl5eRatD3QTHyVB6-xQ3gJB5UwM
[*] Enumerating SRV Records
[+] 	 SRV _sip._tls.baidu.com sip.baidu.com 111.202.115.68 443
[+] 	 SRV _sipfederationtls._tcp.baidu.com sip.n.shifen.com 111.202.115.68 5061
[+] 	 SRV _sip._tcp.baidu.com vcs.wshifen.com 61.135.165.170 5060
[+] 	 SRV _xmpp-server._tcp.baidu.com xmpp.wshifen.com 61.135.165.169 5269
[+] 	 SRV _h323ls._udp.baidu.com vcs.wshifen.com 61.135.165.170 1719
[+] 	 SRV _sips._tcp.baidu.com vcs.wshifen.com 61.135.165.170 5061
[+] 	 SRV _h323cs._tcp.baidu.com vcs.wshifen.com 61.135.165.170 1720
[+] 	 SRV _xmpp-client._tcp.baidu.com xmpp.wshifen.com 61.135.165.169 5222
[+] 	 SRV _autodiscover._tcp.baidu.com email.baidu.com 111.202.115.87 443
[+] 9 Records Found

Finding domain names within an IP range. rvl: Reverse lookup of a given CIDR or IP range.

┌──(***㉿kali)-[~]
└─$ dnsrecon -r 211.103.171.80-211.103.172.90 -t rvl
[*] Performing Reverse Lookup from 211.103.171.80 to 211.103.172.90
[+] 	 PTR mail.cncard.com 211.103.171.83
[+] 	 PTR mail.fumu.com 211.103.171.92
[+] 2 Records Found

Searching for subdomains via Bing

┌──(***㉿kali)-[~]
└─$ dnsrecon -d baidu.com -t bing                          
[*] bing: baidu.com...
[*] 	 CNAME www.baidu.com www.a.shifen.com
[*] 	 A www.a.shifen.com 110.242.68.3
[*] 	 A www.a.shifen.com 110.242.68.4
[*] 	 CNAME ww.baidu.com ps_other.a.shifen.com
[*] 	 A ps_other.a.shifen.com 110.242.68.66
[*] 	 A home.baidu.com 183.232.232.54
[*] 	 A home.baidu.com 111.206.209.69
[*] 	 A home.baidu.com 180.101.49.156
[*] 	 CNAME hcl.baidu.com hao123.n.shifen.com
[*] 	 A hao123.n.shifen.com 110.242.68.247
[*] 	 CNAME hcl.baidu.com hao123.n.shifen.com
[*] 	 CNAME baike.baidu.com bk.baidu.com
[*] 	 CNAME bk.baidu.com bk.n.shifen.com
[*] 	 A bk.n.shifen.com 111.206.208.228
[*] 	 A bk.n.shifen.com 111.206.208.229
[*] 	 CNAME baike.baidu.com bk.baidu.com
[*] 	 CNAME bk.baidu.com bk.n.shifen.com
[*] 	 CNAME xueshu.baidu.com www.a.shifen.com
[*] 	 A www.a.shifen.com 110.242.68.4
[*] 	 A www.a.shifen.com 110.242.68.3
[*] 	 CNAME ziyuan.baidu.com ziyuan.n.shifen.com
[*] 	 A ziyuan.n.shifen.com 153.3.236.79
[*] 	 A ziyuan.n.shifen.com 112.80.255.152
[*] 	 CNAME star.baidu.com astar.baidu.com
[*] 	 CNAME astar.baidu.com astar.n.shifen.com
[*] 	 A astar.n.shifen.com 110.242.69.223
[*] 	 A bsb.baidu.com 180.101.49.171
[*] 	 A bsb.baidu.com 124.237.176.84
[*] 	 CNAME baijiahao.baidu.com baijiahao.n.shifen.com
[*] 	 A baijiahao.n.shifen.com 111.206.209.3
[*] 	 CNAME cloud.baidu.com bce.baidu.n.shifen.com
[*] 	 A bce.baidu.n.shifen.com 112.80.255.170
[*] 	 A bce.baidu.n.shifen.com 163.177.151.200
[*] 	 CNAME pan.baidu.com yiyun.n.shifen.com
[*] 	 A yiyun.n.shifen.com 110.242.69.43
[*] 	 CNAME pan.baidu.com yiyun.n.shifen.com
[*] 	 CNAME top.baidu.com top.n.shifen.com
[*] 	 A top.n.shifen.com 111.206.209.60
[*] 	 CNAME mobile.baidu.com appc.n.shifen.com
[*] 	 A appc.n.shifen.com 112.80.255.227
[*] 	 A appc.n.shifen.com 110.242.69.12
[*] 	 CNAME mobile.baidu.com appc.n.shifen.com
[*] 	 CNAME union.baidu.com union.e.shifen.com
[*] 	 A union.e.shifen.com 111.206.208.169
[*] 	 CNAME wenku.baidu.com wenku.n.shifen.com
[*] 	 A wenku.n.shifen.com 111.206.210.110
[*] 	 A wenku.n.shifen.com 111.206.210.11
[*] 	 CNAME image.baidu.com image.n.shifen.com
[*] 	 A image.n.shifen.com 110.242.69.132
[*] 	 CNAME fanyi.baidu.com ipv46.fanyi-bfe.n.shifen.com
[*] 	 A ipv46.fanyi-bfe.n.shifen.com 110.242.68.186
[*] 	 CNAME passport.baidu.com passport.n.shifen.com
[*] 	 A passport.n.shifen.com 111.206.208.243
[*] 	 A passport.n.shifen.com 111.206.208.245
[*] 	 CNAME passport.baidu.com passport.n.shifen.com
[*] 	 CNAME mr.baidu.com mbdown.n.shifen.com
[*] 	 A mbdown.n.shifen.com 111.206.209.136
[*] 	 A mbdown.n.shifen.com 110.242.68.155
[*] 	 CNAME zhongbao.baidu.com crowdtestatmp.n.shifen.com
[*] 	 A crowdtestatmp.n.shifen.com 110.242.69.167
[*] 	 CNAME yun.baidu.com yiyun.n.shifen.com
[*] 	 A yiyun.n.shifen.com 110.242.69.43
[*] 	 CNAME yun.baidu.com yiyun.n.shifen.com
[*] 	 CNAME ai.baidu.com ai.n.shifen.com
[*] 	 A ai.n.shifen.com 110.242.69.34
[*] 	 CNAME www2.baidu.com www2.e.shifen.com
[*] 	 A www2.e.shifen.com 153.3.236.108
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 A map.n.shifen.com 111.206.208.32
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 CNAME zhidao.baidu.com iknow.baidu.com
[*] 	 CNAME iknow.baidu.com iknow.n.shifen.com
[*] 	 A iknow.n.shifen.com 111.206.209.78
[*] 	 A iknow.n.shifen.com 111.206.209.79
[*] 	 CNAME maps.baidu.com map.baidu.com
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 A map.n.shifen.com 111.206.208.32
[*] 	 CNAME maps.baidu.com map.baidu.com
[*] 	 CNAME map.baidu.com map.n.shifen.com
[*] 	 CNAME b2b.baidu.com b2b.e.shifen.com
[*] 	 A b2b.e.shifen.com 111.206.209.93
[*] 	 CNAME b2b.baidu.com b2b.e.shifen.com
[*] 	 CNAME yuedu.baidu.com reading.n.shifen.com
[*] 	 A reading.n.shifen.com 110.242.69.248
[*] 	 CNAME lbsyun.baidu.com lbsyun.map.n.shifen.com
[*] 	 A lbsyun.map.n.shifen.com 111.206.208.72
[*] 	 CNAME lbsyun.baidu.com lbsyun.map.n.shifen.com
[*] 	 CNAME jingyan.baidu.com jingyan.n.shifen.com
[*] 	 A jingyan.n.shifen.com 110.242.69.184
[*] 	 A jingyan.n.shifen.com 111.206.209.109
[*] 	 A jingyan.n.shifen.com 111.206.209.111
[*] 	 CNAME jingyan.baidu.com jingyan.n.shifen.com
[*] 	 CNAME test.baidu.com crowdtestatmp.n.shifen.com
[*] 	 A crowdtestatmp.n.shifen.com 110.242.69.167
[*] 	 CNAME haokan.baidu.com nvideo.n.shifen.com
[*] 	 A nvideo.n.shifen.com 111.206.209.29
[*] 	 CNAME shouji.baidu.com appc.n.shifen.com
[*] 	 A appc.n.shifen.com 110.242.69.12
[*] 	 A appc.n.shifen.com 112.80.255.227
[*] 	 CNAME shouji.baidu.com appc.n.shifen.com
[*] 	 CNAME wan.baidu.com gamenew.n.shifen.com
[*] 	 A gamenew.n.shifen.com 110.242.69.7
[*] 	 A gamenew.n.shifen.com 110.242.69.67
[*] 	 A index.baidu.com 111.206.208.193
[*] 	 A index.baidu.com 220.181.107.164
[*] 	 CNAME cas.baidu.com cas.e.shifen.com
[*] 	 A cas.e.shifen.com 153.3.236.108
[*] 	 CNAME shurufa.baidu.com shurufa.n.shifen.com
[*] 	 A shurufa.n.shifen.com 111.206.209.92
[*] 	 A shurufa.n.shifen.com 112.80.248.251
[*] 	 A shurufa.n.shifen.com 157.255.77.167
[*] 	 CNAME haoma.baidu.com mobsec.n.shifen.com
[*] 	 A mobsec.n.shifen.com 112.80.248.171
[*] 	 CNAME haoma.baidu.com mobsec.n.shifen.com
[*] 	 CNAME naotu.baidu.com sugar.n.shifen.com
[*] 	 A sugar.n.shifen.com 112.80.248.37
[*] 	 CNAME jiameng.baidu.com jiameng.e.shifen.com
[*] 	 A jiameng.e.shifen.com 110.242.68.246
[*] 	 CNAME jiameng.baidu.com jiameng.e.shifen.com
[*] 	 CNAME aiqicha.baidu.com cs.e.shifen.com
[*] 	 A cs.e.shifen.com 110.242.68.102
[*] 	 CNAME hanyu.baidu.com hanyu.a.shifen.com
[*] 	 A hanyu.a.shifen.com 110.242.68.153
[*] 	 CNAME hanyu.baidu.com hanyu.a.shifen.com
[*] 	 CNAME kaifa.baidu.com kaifa.n.shifen.com
[*] 	 A kaifa.n.shifen.com 111.206.208.45
[*] 	 A kaifa.n.shifen.com 157.255.71.62
[*] 	 CNAME p.qiao.baidu.com p.qiao.e.shifen.com
[*] 	 A p.qiao.e.shifen.com 111.206.210.57
[*] 	 A p.qiao.e.shifen.com 111.206.210.56
[+] 130 Records Found
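
The Bing run above repeats many CNAME lines, so its record count overstates the number of distinct hosts. The following is an added example, not part of the original post or of DNSRecon itself: it parses the text output format shown above, removes duplicates, and follows each CNAME chain to the addresses it ends at. The function names `parse` and `resolve_hosts` are hypothetical, and the sample lines are copied from the output on this page.

```python
import re
from collections import defaultdict

# Sample lines copied from the bing run shown on this page (tab after the marker).
SAMPLE = """\
[*] bing: baidu.com...
[*] \t CNAME baike.baidu.com bk.baidu.com
[*] \t CNAME bk.baidu.com bk.n.shifen.com
[*] \t A bk.n.shifen.com 111.206.208.228
[*] \t A bk.n.shifen.com 111.206.208.229
[*] \t CNAME baike.baidu.com bk.baidu.com
[*] \t CNAME bk.baidu.com bk.n.shifen.com
[*] \t A home.baidu.com 183.232.232.54
[+] 130 Records Found
"""

# Matches record lines only; banner and summary lines are skipped.
LINE = re.compile(r"^\[[*+]\]\s+(A|AAAA|CNAME)\s+(\S+)\s+(\S+)\s*$")

def parse(text):
    """Return the set of unique (type, name, target) tuples in dnsrecon text output."""
    records = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            records.add((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return records

def resolve_hosts(records, suffix):
    """Map every name under `suffix` to the addresses its CNAME chain ends at."""
    cname = {n: t for typ, n, t in records if typ == "CNAME"}
    addrs = defaultdict(set)
    for typ, n, t in records:
        if typ in ("A", "AAAA"):
            addrs[n].add(t)
    names = {n for _, n, _ in records if n == suffix or n.endswith("." + suffix)}
    result = {}
    for name in names:
        cur, seen = name, set()
        while cur in cname and cur not in seen:  # stop on CNAME loops
            seen.add(cur)
            cur = cname[cur]
        result[name] = sorted(addrs.get(cur, ()))
    return result

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for host, ips in sorted(resolve_hosts(recs, "baidu.com").items()):
        print(host, "->", ", ".join(ips) or "(no address seen)")
```

Run against the saved output of a scan of your own zone, this gives a deduplicated host-to-address inventory that can be compared with what you expect to be publicly resolvable.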

Reference and more

usage: dnsrecon.py [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
                   [-f] [-a] [-s] [-b] [-y] [-k] [-w] [-z] [--threads THREADS]
                   [--lifetime LIFETIME] [--tcp] [--db DB] [-x XML] [-c CSV]
                   [-j JSON] [--iw] [--disable_check_recursion]
                   [--disable_check_bindversion] [-V] [-v] [-t TYPE]

options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Target domain.
  -n NS_SERVER, --name_server NS_SERVER
                        Domain server to use. If none is given, the SOA of the target will be used. Multiple servers can be specified using a comma separated list.
  -r RANGE, --range RANGE
                        IP range for reverse lookup brute force in formats   (first-last) or in (range/bitmask).
  -D DICTIONARY, --dictionary DICTIONARY
                        Dictionary file of subdomain and hostnames to use for brute force. Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.
  -f                    Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.
  -a                    Perform AXFR with standard enumeration.
  -s                    Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration.
  -b                    Perform Bing enumeration with standard enumeration.
  -y                    Perform Yandex enumeration with standard enumeration.
  -k                    Perform crt.sh enumeration with standard enumeration.
  -w                    Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration.
  -z                    Performs a DNSSEC zone walk with standard enumeration.
  --threads THREADS     Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration.
  --lifetime LIFETIME   Time to wait for a server to respond to a query. default is 3
  --tcp                 Use TCP protocol to make queries.
  --db DB               SQLite 3 file to save found records.
  -x XML, --xml XML     XML file to save found records.
  -c CSV, --csv CSV     Save output to a comma separated value file.
  -j JSON, --json JSON  save output to a JSON file.
  --iw                  Continue brute forcing a domain even if a wildcard record is discovered.
  --disable_check_recursion
                        Disables check for recursion on name servers
  --disable_check_bindversion
                        Disables check for BIND version on name servers
  -V, --version         Show DNSrecon version
  -v, --verbose         Enable verbose
  -t TYPE, --type TYPE  Type of enumeration to perform.
                        Possible types:
                            std:      SOA, NS, A, AAAA, MX and SRV.
                            rvl:      Reverse lookup of a given CIDR or IP range.
                            brt:      Brute force domains and hosts using a given dictionary.
                            srv:      SRV records.
                            axfr:     Test all NS servers for a zone transfer.
                            bing:     Perform Bing search for subdomains and hosts.
                            yand:     Perform Yandex search for subdomains and hosts.
                            crt:      Perform crt.sh search for subdomains and hosts.
                            snoop:    Perform cache snooping against all NS servers for a given domain, testing
                                      all with file containing the domains, file given with -D option.
                        
                            tld:      Remove the TLD of given domain and test against all TLDs registered in IANA.
                            zonewalk: Perform a DNSSEC zone walk using NSEC records.