dnsenum is the classic DNS enumeration tool - a multithreaded Perl script that has been in every pentester's kit for over a decade. Point it at a domain and it gathers the host address, the nameservers, the mail servers, attempts a zone transfer on each nameserver, brute forces subdomains, and can even work out and reverse-sweep the surrounding network ranges, all in one report. This article is part of the PingLabz DNS enumeration guide, and every capture below is real output from a Kali box against a BIND9 server in our lab.
What dnsenum does
The point of dnsenum is to gather as much information about a domain as possible in a single run. It performs, in order: get the host's A record, get the nameservers, get the MX records, run AXFR against each nameserver and grab BIND versions, scrape Google for extra subdomains, brute force subdomains from a file (with optional recursion on any subdomain that has its own NS records), calculate class-C network ranges, run whois on them, and reverse-lookup the results. It is deliberately thorough.
dnsenum ships with Kali. Elsewhere: sudo apt install dnsenum.
Running dnsenum against the lab
A focused run points dnsenum at a specific server with --dnsserver, supplies a brute-force wordlist with -f, and skips the noisy reverse-lookup phase with --noreverse:
root@kali:~# dnsenum --dnsserver 192.168.99.100 --nocolor --noreverse -f /home/j/dns-recon/subs.txt pinglabz.lab
dnsenum VERSION:1.3.1
----- pinglabz.lab -----
Host's addresses:
__________________
pinglabz.lab. 604800 IN A 10.0.53.10
Name Servers:
______________
ns1.pinglabz.lab. 604800 IN A 192.168.99.100
ns2.pinglabz.lab. 604800 IN A 10.0.53.11
Mail (MX) Servers:
___________________
mail.pinglabz.lab. 604800 IN A 10.0.53.20
mail2.pinglabz.lab. 604800 IN A 10.0.53.21
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for pinglabz.lab on ns2.pinglabz.lab ...
Trying Zone Transfer for pinglabz.lab on ns1.pinglabz.lab ...
pinglabz.lab. 604800 IN SOA ( ...
pinglabz.lab. 604800 IN NS ns1.pinglabz.lab.
pinglabz.lab. 604800 IN MX 10
_kerberos._tcp.pinglabz.lab. 604800 IN SRV 0
_ldap._tcp.pinglabz.lab. 604800 IN SRV 0
admin.pinglabz.lab. 604800 IN A 10.0.53.99
dc01.pinglabz.lab. 604800 IN A 10.0.53.5
jenkins.pinglabz.lab. 604800 IN A 10.0.53.91
vpn.pinglabz.lab. 604800 IN A 10.0.53.30dnsenum lays the report out in labelled sections, which is why people still love it: host address, nameservers, and mail servers up top, then it tries a zone transfer on each nameserver. ns2 (the dead address) returns nothing; ns1 hands over the full zone, including the SRV records that reveal LDAP and Kerberos - a strong hint that Active Directory sits behind this domain.
The options that matter
dnsenum vs dnsrecon
The two tools cover almost the same ground, and both belong in your kit. dnsenum's report layout (labelled sections, BIND version grab, automatic network-range discovery and reverse sweeps) reads beautifully and is great for a first look. dnsrecon is more granular, actively maintained in Python, and exports structured XML/CSV/JSON that fits into automation. Many testers run dnsenum for the readable summary and dnsrecon when they need machine-readable output or a specific enumeration type.
The defender's view
dnsenum tries a zone transfer on every nameserver it finds, so the same fix applies: restrict allow-transfer to your secondaries. The tool also grabs BIND version strings, so consider setting version "none"; in your BIND options to stop advertising your software version. The network-range discovery and reverse sweeps only work when your PTR records are populated for public ranges - another reason internal addressing does not belong in public zones. The full checklist is in the DNS enumeration pillar.
Related tools
For structured output and SRV-focused enumeration, pair dnsenum with dnsrecon. When you need heavier brute forcing, use dnsmap or massdns. To audit a transferred zone for errors, run dnswalk. When recon turns up live hosts, move to scanning them with the Nmap cluster.
Key takeaways
dnsenum is the readable all-in-one DNS enumerator: host addresses, nameservers, mail servers, per-nameserver zone transfers, subdomain brute forcing, and network-range discovery in one labelled report. Point it at the target's nameserver with --dnsserver, add a wordlist with -f, and use --noreverse to stay quiet. It overlaps with dnsrecon by design - run both, and defend against both by restricting zone transfers and hiding your BIND version.
Only run dnsenum against domains you own or are explicitly authorised to test. The output here is from a private lab.