DNS

dnsenum: Enumerate a Domain's DNS End to End

dnsenum DNS enumeration on Kali Linux with real lab output
In: DNS, DNS Enumeration, Kali Linux, Security, Penetration Testing

dnsenum is the classic DNS enumeration tool - a multithreaded Perl script that has been in every pentester's kit for over a decade. Point it at a domain and it gathers the host address, the nameservers, the mail servers, attempts a zone transfer on each nameserver, brute forces subdomains, and can even work out and reverse-sweep the surrounding network ranges, all in one report. This article is part of the PingLabz DNS enumeration guide, and every capture below is real output from a Kali box against a BIND9 server in our lab.

What dnsenum does

The point of dnsenum is to gather as much information about a domain as possible in a single run. It performs, in order: get the host's A record, get the nameservers, get the MX records, run AXFR against each nameserver and grab BIND versions, scrape Google for extra subdomains, brute force subdomains from a file (with optional recursion on any subdomain that has its own NS records), calculate class-C network ranges, run whois on them, and reverse-lookup the results. It is deliberately thorough.

dnsenum ships with Kali. Elsewhere: sudo apt install dnsenum.

Running dnsenum against the lab

A focused run points dnsenum at a specific server with --dnsserver, supplies a brute-force wordlist with -f, and skips the noisy reverse-lookup phase with --noreverse:

root@kali:~# dnsenum --dnsserver 192.168.99.100 --nocolor --noreverse -f /home/j/dns-recon/subs.txt pinglabz.lab
dnsenum VERSION:1.3.1

-----   pinglabz.lab   -----

Host's addresses:
__________________
pinglabz.lab.                    604800   IN    A     10.0.53.10

Name Servers:
______________
ns1.pinglabz.lab.                604800   IN    A     192.168.99.100
ns2.pinglabz.lab.                604800   IN    A     10.0.53.11

Mail (MX) Servers:
___________________
mail.pinglabz.lab.               604800   IN    A     10.0.53.20
mail2.pinglabz.lab.              604800   IN    A     10.0.53.21

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for pinglabz.lab on ns2.pinglabz.lab ...

Trying Zone Transfer for pinglabz.lab on ns1.pinglabz.lab ...
pinglabz.lab.        604800  IN  SOA  ( ...
pinglabz.lab.        604800  IN  NS   ns1.pinglabz.lab.
pinglabz.lab.        604800  IN  MX   10
_kerberos._tcp.pinglabz.lab.  604800  IN  SRV  0
_ldap._tcp.pinglabz.lab.      604800  IN  SRV  0
admin.pinglabz.lab.  604800  IN  A    10.0.53.99
dc01.pinglabz.lab.   604800  IN  A    10.0.53.5
jenkins.pinglabz.lab. 604800 IN  A    10.0.53.91
vpn.pinglabz.lab.    604800  IN  A    10.0.53.30

dnsenum lays the report out in labelled sections, which is why people still love it: host address, nameservers, and mail servers up top, then it tries a zone transfer on each nameserver. ns2 (the dead address) returns nothing; ns1 hands over the full zone, including the SRV records that reveal LDAP and Kerberos - a strong hint that Active Directory sits behind this domain.

The options that matter

--dnsserver <ip>
Use this specific server for A, NS and MX queries. Point it straight at the target's nameserver.
-f <file>
Wordlist for subdomain brute forcing. Takes priority over the default dns.txt.
-r / --recursion
Recursively brute force any discovered subdomain that has its own NS record.
--enum
Shortcut for --threads 5 -s 15 -w (threads, Google scrape, whois). Convenient but noisy.
--noreverse
Skip reverse lookups. Faster and quieter when you only care about forward records.
-o <file>
Write XML output, importable into tools like MagicTree.

dnsenum vs dnsrecon

The two tools cover almost the same ground, and both belong in your kit. dnsenum's report layout (labelled sections, BIND version grab, automatic network-range discovery and reverse sweeps) reads beautifully and is great for a first look. dnsrecon is more granular, actively maintained in Python, and exports structured XML/CSV/JSON that fits into automation. Many testers run dnsenum for the readable summary and dnsrecon when they need machine-readable output or a specific enumeration type.

The defender's view

dnsenum tries a zone transfer on every nameserver it finds, so the same fix applies: restrict allow-transfer to your secondaries. The tool also grabs BIND version strings, so consider setting version "none"; in your BIND options to stop advertising your software version. The network-range discovery and reverse sweeps only work when your PTR records are populated for public ranges - another reason internal addressing does not belong in public zones. The full checklist is in the DNS enumeration pillar.

For structured output and SRV-focused enumeration, pair dnsenum with dnsrecon. When you need heavier brute forcing, use dnsmap or massdns. To audit a transferred zone for errors, run dnswalk. When recon turns up live hosts, move to scanning them with the Nmap cluster.

Key takeaways

dnsenum is the readable all-in-one DNS enumerator: host addresses, nameservers, mail servers, per-nameserver zone transfers, subdomain brute forcing, and network-range discovery in one labelled report. Point it at the target's nameserver with --dnsserver, add a wordlist with -f, and use --noreverse to stay quiet. It overlaps with dnsrecon by design - run both, and defend against both by restricting zone transfers and hiding your BIND version.

Only run dnsenum against domains you own or are explicitly authorised to test. The output here is from a private lab.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.