dnswalk is the DNS enumeration tool that defenders should love as much as attackers do. It is a DNS debugger: it transfers a zone and then checks the database for internal consistency and correctness - missing PTR records, mismatched addresses, bad delegations, and more. Where the other tools in this cluster extract information, dnswalk audits it. This article is part of the PingLabz DNS enumeration guide, and the capture below is real output from Kali in our lab.
What dnswalk does
dnswalk performs a zone transfer of a domain and then runs a battery of consistency checks against the records it receives. It flags forward records with no matching reverse (PTR) record, reverse records that do not match their forward counterpart, CNAMEs pointing at nonexistent names, missing or inconsistent delegations, and other structural problems. It is a Perl script built on the Net::DNS library, and it has one quirk worth remembering: the domain argument must end with a trailing dot.
Because it depends on being able to transfer the zone, dnswalk is at its most useful where you legitimately can - auditing your own domains. It ships with Kali; elsewhere, sudo apt install dnswalk.
Auditing the lab zone
Run with recursion (-r) and debug (-d) against the fully-qualified domain (note the trailing dot):
root@kali:~# dnswalk -r -d pinglabz.lab.
Checking pinglabz.lab.
SOA=ns1.pinglabz.lab contact=hostmaster.pinglabz.lab.
WARN: gw.pinglabz.lab A 192.168.99.1: no PTR record
WARN: ns1.pinglabz.lab A 192.168.99.100: no PTR record
Getting zone transfer of pinglabz.lab. from ns1.pinglabz.lab...done.
0 failures, 2 warnings, 0 errors.dnswalk transferred the zone from ns1, then reported its findings. The two warnings are real problems it caught: gw and ns1 both have A records in the 192.168.99.0/24 range, but the lab only defined a reverse zone for 10.0.53.0/24, so those two hosts have no matching PTR record. That is exactly the kind of consistency gap dnswalk exists to find. The summary line - 0 failures, 2 warnings, 0 errors - is the report card for the zone.
For an attacker, dnswalk doubles as another way to dump a zone when transfers are allowed. For an administrator, it is a quick way to sanity-check a zone file after edits: forward-and-reverse mismatches, dangling CNAMEs, and delegation slips are precisely the errors that cause hard-to-diagnose resolution problems in production.
The checks and flags that matter
Where dnswalk fits
dnswalk sits at the overlap of offense and defense. As a recon tool it is a zone-transfer client with extra analysis, so if AXFR is open it dumps and critiques the zone in one go. But its real home is on the administrator's side: run it after every zone change to catch missing PTRs, mismatches, and dangling records before they cause outages. It depends entirely on being able to transfer the zone, which - if you have locked allow-transfer down properly - means you run it from a host that is allowed, not from the open internet.
The defender's view
This is the tool to add to your own DNS hygiene routine. Schedule dnswalk against your zones (from an authorised secondary) and treat its failures and errors as a punch list. But remember what makes it work: a zone transfer. If dnswalk can pull your zone from an unauthorised host, that is the finding - restrict allow-transfer to your secondaries. The complete hardening checklist is in the DNS enumeration pillar.
Related tools
dnswalk is the auditor's counterpart to the extractors dnsrecon and dnsenum. For subdomain discovery when transfers are blocked, use dnsmap or massdns, and to understand delegation use dnstracer. Once your recon or audit is done, scan live hosts with the Nmap cluster.
Key takeaways
dnswalk transfers a zone and audits it for consistency - missing PTRs, forward/reverse mismatches, dangling CNAMEs, and delegation errors. In the lab it correctly flagged two hosts with no reverse record and summarised the zone as 0 failures, 2 warnings, 0 errors. Remember the trailing dot on the domain. It is as valuable to defenders auditing their own zones as it is to attackers dumping an open one - and either way, the fact that it needs a zone transfer to work is the reminder to lock those transfers down.
Only run dnswalk against domains you own or are explicitly authorised to test. The output here is from a private lab.