Most DNS enumeration tools ask a server for records. dnstracer asks a different question: where does this answer actually come from? It determines where a given nameserver gets its information for a hostname and follows the chain of DNS servers back to the authoritative source. That makes it the odd one out in the enumeration toolkit - less about dumping records, more about understanding delegation and trust. This article is part of the PingLabz DNS enumeration guide, and the capture below is real output from Kali in our lab.
What dnstracer does
DNS is a hierarchy. When you resolve a name on the public internet, the query walks down a delegation chain: the root servers point at the TLD servers, which point at the domain's authoritative servers, which give the final answer. dnstracer makes that chain visible. Starting from a server you choose (or the root servers), it follows the referrals down until it reaches the server that answers authoritatively, showing each hop and whether the answer was authoritative or cached.
For a recon analyst, that is useful for mapping who controls a domain's DNS, spotting third-party DNS providers, and understanding delegation before deciding which servers to probe. dnstracer is in the Kali repos: sudo apt install dnstracer.
Tracing in the lab
In an isolated lab there is no root hierarchy - the BIND9 server is directly authoritative for the zone - so dnstracer resolves to a single authoritative hop. Pointing it at the lab server with -s, enabling the overview (-o) and asking for an A record shows exactly that:
root@kali:~# dnstracer -s 192.168.99.100 -r 2 -o -q A www.pinglabz.lab
Tracing to www.pinglabz.lab[a] via 192.168.99.100, maximum of 2 retries
192.168.99.100 (192.168.99.100) Got authoritative answer
192.168.99.100 (192.168.99.100) www.pinglabz.lab -> 10.0.53.10The key phrase is Got authoritative answer. dnstracer confirms that 192.168.99.100 is not just relaying a cached record - it is the authority for this name, and it maps www.pinglabz.lab to 10.0.53.10. Against a real public domain the same command produces a multi-line tree: the root servers, the TLD servers, and finally the domain's authoritative nameservers, with each hop labelled by whether it gave an authoritative answer or a referral. That tree is dnstracer's real value - it shows the delegation path, not just the final IP.
The options that matter
Where dnstracer fits
dnstracer is a specialist, not an all-rounder. It will not brute force subdomains or dump a zone. Its job is delegation and provenance: confirming which server is authoritative, spotting inconsistencies where different servers give different answers, and mapping who actually runs a domain's DNS. In practice you use it alongside the enumeration tools - dnsrecon and dnsenum tell you what the records are, and dnstracer tells you where they come from. It is also handy for debugging your own delegation when a name resolves differently than you expect.
The defender's view
dnstracer does not extract anything sensitive - it walks public delegation that has to be visible for DNS to work. But it is a useful diagnostic on your own side: use it to confirm your nameservers all give authoritative answers and agree with each other, and to verify a delegation change has propagated as intended. Inconsistent authoritative answers between your nameservers are a real misconfiguration that dnstracer surfaces quickly. General DNS hardening lives in the DNS enumeration pillar.
Related tools
Pair dnstracer with the record-dumping tools dnsrecon and dnsenum. For subdomain discovery use dnsmap or massdns, and to audit a zone's contents use dnswalk. When recon is complete, scan the hosts you found with the Nmap cluster.
Key takeaways
dnstracer answers the provenance question in DNS enumeration: it follows the delegation chain from a chosen server (or the root) down to the authoritative source, showing each hop and whether it answered authoritatively. It is a specialist for mapping who controls a domain's DNS and for spotting inconsistent or misdelegated answers, not a record dumper or brute forcer. Use it beside dnsrecon and dnsenum, and use it on your own domains to confirm your nameservers are authoritative and in agreement.
Only run dnstracer against domains you own or are explicitly authorised to test. The output here is from a private lab.