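# The three installs below are alternatives; pick one.

# Option 1 - Debian/Ubuntu/Kali package. Preferred where available: it comes
# from the distribution's package archive together with its Perl dependencies.
sudo apt-get update
sudo apt-get install dnsenum

# Option 2 - run from a source checkout. The clone tracks the default branch,
# so review what you pulled (or check out a release tag) before running it.
git clone https://github.com/fwaeytens/dnsenum.git
cd dnsenum
chmod +x dnsenum.pl
./dnsenum.pl --help

# Option 3 - Homebrew, if a formula is available for your setup
brew install dnsenum

# Perl modules needed by the source checkout (Option 2).
# Net::NetAddr::IP was replaced: dnsenum.pl loads Net::IP and Net::Netmask
# (plus String::Random); confirm against the `use` lines of your checkout.
# cpan runs each module's build and test scripts, and under sudo they run as
# root; prefer the distribution's packaged modules when they exist.
sudo cpan Net::IP Net::DNS Net::Netmask Net::Whois::IP XML::Writer String::Random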
# Default run against a domain you are authorized to test
dnsenum example.com
# Verbose: also print progress and error messages
dnsenum -v example.com
# Save a report file.
# NOTE(review): dnsenum's usage text describes -o as XML output, so a .txt name
# does not make the report plain text; confirm with `dnsenum --help`.
dnsenum example.com -o output.txt
# NOTE(review): -x is not an option I can find in dnsenum's usage text; -o on
# its own is the documented XML writer. Confirm before relying on -x.
dnsenum example.com -o output.xml -x
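# Query A records (IPv4 addresses)
dnsenum example.com
# NOTE(review): --nsr, --mx and --soa below are not options I can find in
# dnsenum's usage text, which lists no per-record-type switches. Confirm with
# `dnsenum --help` before relying on them.
# Query NS records (nameservers)
dnsenum --nsr example.com
# Query MX records (mail servers)
dnsenum --mx example.com
# Query SOA records
dnsenum --soa example.com
# Query using specific nameserver. The switch is --dnsserver (documented as the
# server used for A, NS and MX queries); -s is --scrap, a Google-scrape count,
# so "-s 8.8.8.8" does not select a resolver.
dnsenum --dnsserver 8.8.8.8 example.com
# --dnsserver takes a single server: run again to compare a second resolver
dnsenum --dnsserver 1.1.1.1 example.com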
# DNSenum automatically attempts zone transfers
dnsenum example.com
# NOTE(review): no nameserver is named on this line, so it does not target a
# specific server; --nsr is also not an option I can find in dnsenum's usage
# text. Confirm with `dnsenum --help`.
dnsenum example.com --nsr
# Verbose zone transfer attempts
dnsenum -v example.com
# If zone transfer succeeds, all zone records are dumped.
# For the zone owner that is a misconfiguration finding: transfers should be
# limited to the zone's secondary servers (e.g. BIND allow-transfer, TSIG).
# NOTE(review): -o is documented as an XML report; the file is not a zone file.
dnsenum example.com -o zonefile.txt
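# Brute force with the default wordlist (dnsenum falls back to its bundled
# dns.txt whenever -f is absent). --enum is documented as a shortcut for
# `--threads 5 -s 15 -w`, so it also turns on Google scraping and whois.
dnsenum --enum example.com
# Shorter syntax: a plain run brute-forces with the default wordlist too.
# (-f needs a file argument; "dnsenum -f example.com" would read the domain
# as the wordlist path and leave no target.)
dnsenum example.com
# Use custom subdomain wordlist
dnsenum --enum -f /path/to/wordlist.txt example.com
# Example wordlist locations
dnsenum -f /usr/share/wordlists/dnsmap.txt example.com
dnsenum -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt example.com
# Enable threading for faster enumeration
dnsenum --threads 16 example.com
# Combine with custom wordlist
dnsenum --threads 32 -f /path/to/wordlist.txt example.com
# Brute force and save the report (-o writes the results; it does not filter them)
dnsenum --enum example.com -o results.txt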
# Scrape Google for subdomains
# NOTE(review): -g is not an option I can find in dnsenum's usage text; scraping
# there is governed by -s/--scrap <max names> and -p/--pages <pages>. Confirm
# with `dnsenum --help`.
# Scraping sends the target's name to a third-party search engine rather than
# to the target's DNS servers.
dnsenum -g example.com
# Use all enumeration methods (the --enum shortcut plus brute force from wordlist.txt)
dnsenum --enum -g -f wordlist.txt example.com
# With threading
dnsenum --enum -g --threads 16 example.com
# Scrape and save the report. Nothing on this line raises the number of
# results compared with the first example; the only difference is -o.
dnsenum -g example.com -o results.txt
# Retrieve WHOIS data (--whois is documented as whois queries on the
# class C network ranges found during the run)
dnsenum --whois example.com
# Same lookup with verbose progress and error output
dnsenum -v --whois example.com
# Keep only output lines containing "address" (case-insensitive).
# This filters the default run's output; it performs no WHOIS lookup. Use
# --whois for that.
dnsenum example.com | grep -i address
# No --threads given: the tool's default thread count applies
dnsenum example.com
# Each step up raises the query rate against the zone's name servers, which
# makes the run more visible in DNS logs and easier to rate-limit.
# 8 threads
dnsenum --threads 8 example.com
# 16 threads (recommended)
dnsenum --threads 16 example.com
# 32 threads (aggressive)
dnsenum --threads 32 -f wordlist.txt example.com
# Brute force with thread control
dnsenum --enum --threads 20 -f wordlist.txt example.com
# Save as text file
# NOTE(review): dnsenum's usage text describes -o as XML output regardless of
# the file extension; confirm with `dnsenum --help`.
dnsenum example.com -o output.txt
# Save as XML (detailed structure)
# NOTE(review): -x is not an option I can find in dnsenum's usage text.
dnsenum example.com -o output.xml -x
# Generate both text and XML
# These are two full runs, so every query is sent to the target twice.
dnsenum example.com -o results.txt
dnsenum example.com -o results.xml -x
# Verbose output to console
dnsenum -v example.com
# Standard output (less verbose)
dnsenum example.com
# Discard stderr only. This is not a quiet mode: results still print on
# stdout, while error messages (failed lookups, missing modules) are hidden.
dnsenum example.com 2>/dev/null
# Use non-standard DNS port
# NOTE(review): in dnsenum's usage text -s is --scrap, a numeric Google-scrape
# limit, and the resolver switch is --dnsserver; I know of no documented option
# for a non-standard port. Confirm with `dnsenum --help`.
dnsenum example.com -s 8.8.8.8:5353
# Add delay to avoid rate limiting (in milliseconds)
# NOTE(review): dnsenum documents -d/--delay as the maximum wait, in seconds,
# between whois queries. If so, this value is not milliseconds and does not
# pace DNS lookups; lowering --threads is what reduces the DNS query rate.
dnsenum --delay 100 example.com
# Attempt AXFR from all nameservers
# NOTE(review): zone transfers are already attempted by a default run; --nsr
# is not an option I can find in dnsenum's usage text.
dnsenum --nsr example.com
# Full enumeration with all methods: --enum shortcut, wordlist brute force,
# 16 threads, whois on discovered ranges, report saved to results.txt.
# NOTE(review): -g is not an option I can find in dnsenum's usage text; confirm
# with `dnsenum --help`.
dnsenum \
--enum \
-f /usr/share/wordlists/subdomains.txt \
--threads 16 \
-g \
--whois \
-o results.txt \
example.com
# Baseline: default run, report saved to scan_basic.txt
dnsenum example.com -o scan_basic.txt
# Wordlist brute force with the SecLists top-5000 list and 16 threads
dnsenum \
--enum \
-f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
--threads 16 \
example.com
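# Everything-on run with a timestamped report name (seconds since the epoch),
# so repeated runs do not overwrite each other. The command substitution is
# quoted so the file name is always passed as a single word.
# NOTE(review): -g, --nsr and -x are not options I can find in dnsenum's usage
# text; confirm with `dnsenum --help` before relying on this command line.
dnsenum \
  --enum \
  -f /usr/share/wordlists/dnsmap.txt \
  --threads 32 \
  -g \
  --whois \
  --nsr \
  -v \
  -o "full_enum_$(date +%s).txt" \
  -x \
  example.com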
# Run and keep a console transcript: tee -a appends to enum_log.txt, so the
# log accumulates across runs. The log holds the engagement's findings; store
# it with the rest of the engagement data.
# NOTE(review): -g is not an option I can find in dnsenum's usage text.
dnsenum \
--enum \
--threads 20 \
-f wordlist.txt \
-g \
example.com | tee -a enum_log.txt
| Record Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 address | example.com → 2606:2800:220:1:248:1893:25c8:1946 |
| CNAME | Canonical name (alias) | www.example.com → example.com |
| MX | Mail server priority | mail.example.com (priority 10) |
| NS | Nameserver | ns1.example.com |
| SOA | Start of Authority | Primary nameserver info |
| TXT | Text records (SPF, DKIM) | v=spf1 include:_spf.google.com |
| SRV | Service records | _sip._tcp.example.com |
# The three entries below are file paths to pass to -f, not commands to run.
# SecLists (comprehensive)
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# DNSMap wordlist
/usr/share/wordlists/dnsmap.txt
# Common subdomains
/usr/share/wordlists/amass/subdomains.txt
# Clone SecLists (tracks the default branch of a large repository; it is used
# here only as wordlist data)
git clone https://github.com/danielmiessler/SecLists.git
# Use specific wordlist
dnsenum -f SecLists/Discovery/DNS/subdomains-top1million-5000.txt example.com
| Feature | DNSenum | dnsrecon | dig | nslookup |
|---|---|---|---|---|
| Zone Transfer | Yes | Yes | Yes | No |
| Subdomain Brute Force | Yes | Yes | No | No |
| Google Scraping | Yes | No | No | No |
| Multi-threading | Yes | No | No | No |
| WHOIS Lookup | Yes | No | No | No |
| XML Output | Yes | Yes | No | No |
| Learning Curve | Easy | Medium | Medium | Easy |
| Speed | Fast | Medium | Very Fast | Very Fast |
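# Make script executable
chmod +x dnsenum.pl
./dnsenum.pl example.com
# Install required Perl modules.
# Net::NetAddr::IP was replaced: dnsenum.pl loads Net::IP and Net::Netmask
# (plus String::Random); confirm against the `use` lines of your checkout.
# cpan runs each module's build and test scripts, and under sudo they run as
# root; prefer the distribution's packaged modules when they exist.
sudo cpan Net::IP
sudo cpan Net::DNS
sudo cpan Net::Netmask
sudo cpan Net::Whois::IP
sudo cpan XML::Writer
sudo cpan String::Random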
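# Verify DNS connectivity
nslookup example.com 8.8.8.8
# Try alternative nameserver. The switch is --dnsserver; -s is --scrap, a
# Google-scrape count, so "-s 1.1.1.1" does not select a resolver.
dnsenum --dnsserver 1.1.1.1 example.com
# Add delay between requests
# NOTE(review): dnsenum documents --delay as the maximum wait, in seconds,
# between whois queries. If so, it does not pace DNS lookups, and 500 means
# waits of up to 500 s once whois is enabled. Confirm with `dnsenum --help`.
dnsenum --delay 500 example.com
# Reduce threading (this is what lowers the DNS query rate)
dnsenum --threads 4 example.com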
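# Verify domain validity: rerun against a domain you control or are authorized
# to test, to separate a tool problem from a problem with the target's DNS.
# (A third party's production domain is not a test fixture.)
dnsenum example.com
# Check with verbose output
dnsenum -v example.com
# Try specific nameserver. The switch is --dnsserver; -s is --scrap, a
# Google-scrape count, so "-s 8.8.8.8" does not select a resolver.
dnsenum --dnsserver 8.8.8.8 example.com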
- Obtain written permission before enumerating any domain you don’t own
- DNS enumeration may trigger intrusion detection systems
- Use during authorized penetration tests only
- Throttle your queries and respect rate limits so the scan does not cause a denial of service
- Check local laws regarding network reconnaissance activities
- Start with zone transfer attempts — fastest method if successful
- Use Google scraping for quick results — complements brute forcing
- Customize wordlists — add company-specific naming conventions
- Save output — enables comparative analysis over time
- Combine tools — use with dnsrecon or Amass for comprehensive mapping
- Monitor resources — high threading can consume bandwidth
- Verify findings — cross-check results with alternative tools