Tutorial: DNS Enumeration using Python

Explanation of DNS Enumeration

DNS Enumeration is a method of collecting data about a domain's configurations. DNS, or the Domain Name System, translates human readable domain names (for example, www.amazon.com) to machine readable IP addresses (something such as 192.0.2.44). The process of DNS Enumeration returns various important information about the target like DNS record types, host names, IP addresses and much more depending upon the configuration of that target system.The main objective of DNS enumeration is to collect as much information as possible about a particular victim to identify potential vulnerabilities.

In this article, I will show you how you can perform DNS enumeration using the Python language. We will be utilizing the dnspython library that will help us carry out DNS requests which will return us with DNS records for the website we choose.

to install dnspython all you need to do is run this command:
$ pip install dnspython

When you have finished installing the library, create a new file called dns_enumeration.py(or whatever you want to call it).

The Coding Part

To begin with, we need to specify the domain we want to analyze (we will use twitter.com) and what kind of DNS record types we want the program to return. For this tutorial, we'll just have the program return the six most common DNS record types:

import dns.resolver# Set the target domain and record typetarget_domain = "twitter.com" #using twitter as an examplerecord_types = ["A", "AAAA", "CNAME", "MX", "NS", "SOA", "TXT"]

(Don't forget to import the library)

You might be asking, what is a DNS record type? You can think of a set of DNS records like a business listing on Yelp. That listing will give you a bunch of useful information about a business such as their location, hours, services offered, etc. All domains are required to have at least a few essential DNS records for a user to be able to access their website using a domain name, and there are several optional records that serve additional purposes. In this case, the record types will give us information about the domain like the IP address, IPV6 address, which server contains the DNS records, etc.

Now, we can move on to creating a DNS resolver as well as creating the code that will perform the DNS lookup:

# Create a DNS resolverresolver = dns.resolver.Resolver()for record_type in record_types:    # Performs DNS lookup for the defined domain and record type    try:        answers = resolver.resolve(target_domain, record_type)    except dns.resolver.NoAnswer:        continue

A DNS resolver, also known as a resolver, is a server on the Internet that converts domain names into IP addresses.When you use the Internet, every time you connect to a website using its domain name, your computer needs to know that website's IP address. So your computer contacts a DNS resolver, and gets the current IP address of the domain you want to access.

Last part is we need to print out the results from the queries (this is pretty simple):

    # Prints the results    print(f"{record_type} records for {target_domain}:")    for rdata in answers:        print(f" {rdata}")

(f-strings are string literals that have an f at the beginning and curly braces containing expressions that will be replaced with their values)

When you run the program you should get an output that looks like this (depends on what domain you choose):

And that's the end of the tutorial! If you want to dive further, here are some links that I provided for you to read more:

• https://www.cloudflare.com/learning/dns/dns-records/
• https://www.computerhope.com/jargon/d/dns-resolver.htm
• https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns

If you liked this article, consider liking it and following me! If you want to see more tutorials like this in the future, comment down below!

Full source code: https://github.com/sleepyrob0t/DNS-Enumeration-Python

-Jsquared