
DNSenum

Enumerate DNS records including zone transfers, subdomains, and MX entries.

Category: Reconnaissance
Platform: Linux / Kali
Type: CLI / Open Source
Skill Level: Beginner → Intermediate

What is DNSenum?

DNSenum is a DNS enumeration tool used in the Reconnaissance phase of penetration testing. It automates the collection of DNS information about a target domain — including A, MX, NS, and TXT records — and can attempt zone transfers, brute-force subdomains using a wordlist, and perform reverse lookups on discovered IP ranges. It is a fast way to map out a domain's attack surface before deeper testing begins.

⚠ Legal Notice

Only use on domains you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws.

Installation

# Update packages
sudo apt update

# Install (pre-installed on Kali, otherwise:)
sudo apt install dnsenum -y

# Verify installation
dnsenum --help

Basic Usage

# Basic enumeration of a domain
dnsenum example.com

# Enumerate with subdomain brute-force using a wordlist
dnsenum --dnsserver 8.8.8.8 -f /usr/share/wordlists/dirb/common.txt example.com

# Attempt DNS zone transfers (dnsenum tries AXFR against each name server by default) and skip reverse lookups
dnsenum --noreverse example.com

# Save output to an XML file
dnsenum -o output.xml example.com

# Use a specific DNS server and increase threads
dnsenum --dnsserver 1.1.1.1 --threads 10 example.com

# Disable reverse lookups (faster for large scans) and colored output
dnsenum --noreverse --nocolor example.com
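
What the runs above look like from the authoritative server's side, as an added example that is not part of the original page or of dnsenum: a shell function that flags zone transfer requests and clients asking for many distinct names. The log lines are constructed and modelled on BIND 9's query log format (an assumption), and the function names and the threshold are hypothetical.

```shell
#!/bin/sh
# Added example: spot dnsenum-style enumeration in authoritative DNS query logs.

# Constructed sample lines, modelled on BIND 9's query log format (assumption).
sample_log() {
cat <<'EOF'
client @0x1 198.51.100.7#40001 (example.com): query: example.com IN NS + (192.0.2.53)
client @0x1 198.51.100.7#40002 (example.com): query: example.com IN MX + (192.0.2.53)
client @0x1 198.51.100.7#40003 (example.com): query: example.com IN AXFR -T (192.0.2.53)
client @0x1 198.51.100.7#40004 (admin.example.com): query: admin.example.com IN A + (192.0.2.53)
client @0x1 198.51.100.7#40005 (backup.example.com): query: backup.example.com IN A + (192.0.2.53)
client @0x1 198.51.100.7#40006 (cgi-bin.example.com): query: cgi-bin.example.com IN A + (192.0.2.53)
client @0x1 198.51.100.7#40007 (dev.example.com): query: dev.example.com IN A + (192.0.2.53)
client @0x2 203.0.113.20#51000 (www.example.com): query: www.example.com IN A + (192.0.2.53)
client @0x2 203.0.113.20#51001 (www.example.com): query: www.example.com IN A + (192.0.2.53)
client @0x2 203.0.113.20#51002 (mail.example.com): query: mail.example.com IN A + (192.0.2.53)
EOF
}

# detect_enum THRESHOLD: reads a query log on stdin and prints one finding per line:
#   AXFR  <client> <zone>    a zone transfer was requested
#   BRUTE <client> <count>   client asked for >= THRESHOLD distinct names
detect_enum() {
  awk -v limit="$1" '
    {
      client = ""; qname = ""; qtype = ""
      for (i = 1; i <= NF; i++) {
        # The client address is the first "addr#port" token on the line.
        if (client == "" && $i ~ /^[0-9A-Fa-f.:]+#[0-9]+$/) {
          client = $i; sub(/#[0-9]+$/, "", client)
        }
        # After "query:" come name, class and type.
        if ($i == "query:" && i + 3 <= NF) { qname = tolower($(i + 1)); qtype = $(i + 3) }
      }
      if (client == "" || qname == "") next        # not a query line
      if (qtype == "AXFR" || qtype == "IXFR") print "AXFR", client, qname
      if (!((client, qname) in seen)) { seen[client, qname] = 1; names[client]++ }
    }
    END { for (c in names) if (names[c] >= limit + 0) print "BRUTE", c, names[c] }
  ' | sort
}

# Threshold of 5 suits the ten-line sample only; tune it against normal traffic.
sample_log | detect_enum 5
```

Transfer requests from addresses that are not your secondary name servers deserve a look even when the server refuses them, since they usually mark the start of an enumeration run.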

What DNSenum Collects

Common Use Cases

Further Reading

Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using in a live engagement.