DNS

dnswalk: Audit a DNS Zone for Consistency

dnswalk DNS enumeration on Kali Linux with real lab output
In: DNS, DNS Enumeration, Kali Linux, Security, Penetration Testing

dnswalk is the DNS enumeration tool that defenders should love as much as attackers do. It is a DNS debugger: it transfers a zone and then checks the database for internal consistency and correctness - missing PTR records, mismatched addresses, bad delegations, and more. Where the other tools in this cluster extract information, dnswalk audits it. This article is part of the PingLabz DNS enumeration guide, and the capture below is real output from Kali in our lab.

What dnswalk does

dnswalk performs a zone transfer of a domain and then runs a battery of consistency checks against the records it receives. It flags forward records with no matching reverse (PTR) record, reverse records that do not match their forward counterpart, CNAMEs pointing at nonexistent names, missing or inconsistent delegations, and other structural problems. It is a Perl script built on the Net::DNS library, and it has one quirk worth remembering: the domain argument must end with a trailing dot.

Because it depends on being able to transfer the zone, dnswalk is at its most useful where you legitimately can - auditing your own domains. It ships with Kali; elsewhere, sudo apt install dnswalk.

Auditing the lab zone

Run with recursion (-r) and debug (-d) against the fully-qualified domain (note the trailing dot):

root@kali:~# dnswalk -r -d pinglabz.lab.
Checking pinglabz.lab.
SOA=ns1.pinglabz.lab   contact=hostmaster.pinglabz.lab.
WARN: gw.pinglabz.lab A 192.168.99.1: no PTR record
WARN: ns1.pinglabz.lab A 192.168.99.100: no PTR record
Getting zone transfer of pinglabz.lab. from ns1.pinglabz.lab...done.
0 failures, 2 warnings, 0 errors.

dnswalk transferred the zone from ns1, then reported its findings. The two warnings are real problems it caught: gw and ns1 both have A records in the 192.168.99.0/24 range, but the lab only defined a reverse zone for 10.0.53.0/24, so those two hosts have no matching PTR record. That is exactly the kind of consistency gap dnswalk exists to find. The summary line - 0 failures, 2 warnings, 0 errors - is the report card for the zone.

For an attacker, dnswalk doubles as another way to dump a zone when transfers are allowed. For an administrator, it is a quick way to sanity-check a zone file after edits: forward-and-reverse mismatches, dangling CNAMEs, and delegation slips are precisely the errors that cause hard-to-diagnose resolution problems in production.

The checks and flags that matter

trailing dot
The domain argument must end with a "." (pinglabz.lab.) or dnswalk refuses to run.
-r
Recurse into subdomains, walking delegations below the target zone.
-d
Debug output - show progress and the checks as they run.
-F
Perform "facist" (strict) checking for spurious and questionable records.
-a
Turn on warning for duplicate A records.
WARN / FAIL / ERROR
Severity levels in the output - warnings are style issues, failures and errors are real breakage.

Where dnswalk fits

dnswalk sits at the overlap of offense and defense. As a recon tool it is a zone-transfer client with extra analysis, so if AXFR is open it dumps and critiques the zone in one go. But its real home is on the administrator's side: run it after every zone change to catch missing PTRs, mismatches, and dangling records before they cause outages. It depends entirely on being able to transfer the zone, which - if you have locked allow-transfer down properly - means you run it from a host that is allowed, not from the open internet.

The defender's view

This is the tool to add to your own DNS hygiene routine. Schedule dnswalk against your zones (from an authorised secondary) and treat its failures and errors as a punch list. But remember what makes it work: a zone transfer. If dnswalk can pull your zone from an unauthorised host, that is the finding - restrict allow-transfer to your secondaries. The complete hardening checklist is in the DNS enumeration pillar.

dnswalk is the auditor's counterpart to the extractors dnsrecon and dnsenum. For subdomain discovery when transfers are blocked, use dnsmap or massdns, and to understand delegation use dnstracer. Once your recon or audit is done, scan live hosts with the Nmap cluster.

Key takeaways

dnswalk transfers a zone and audits it for consistency - missing PTRs, forward/reverse mismatches, dangling CNAMEs, and delegation errors. In the lab it correctly flagged two hosts with no reverse record and summarised the zone as 0 failures, 2 warnings, 0 errors. Remember the trailing dot on the domain. It is as valuable to defenders auditing their own zones as it is to attackers dumping an open one - and either way, the fact that it needs a zone transfer to work is the reminder to lock those transfers down.

Only run dnswalk against domains you own or are explicitly authorised to test. The output here is from a private lab.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.