DNS Recon Tool written in Ruby
I wrote this tool back in late 2006 and it has been my favorite tool for enumeration thru DNS, in great part because I wrote it and it gives the output in a way that I can manipulate it in my own style. One of the features that I used the most and gave me excellent results is the SRV record enumeration. The script will perform the following:
- Standard Record Enumeration for a given domain (A, NS, SOA and MX).
- Top Level Domain Expansion for a given domain.
- Zone Transfer against all NS records of a given domain.
- Reverse Lookup against a given IP Range given a start and end IP.
- SRV Record enumeration, enumerating:
  - _gc._tcp.
  - _kerberos._tcp.
  - _kerberos._udp.
  - _ldap._tcp.
  - _test._tcp.
  - _sips._tcp.
  - _sip._udp.
  - _sip._tcp.
  - _aix._tcp.
  - _finger._tcp.
  - _ftp._tcp.
  - _http._tcp.
  - _nntp._tcp.
  - _telnet._tcp.
  - _whois._tcp.
  - _h323cs._tcp.
  - _h323cs._udp.
  - _h323be._tcp.
  - _h323be._udp.
  - _h323ls._tcp.
  - _h323ls._udp.
- Brute force hostnames and subdomains of a given target domain using a wordlist.
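As an added illustration of the SRV enumeration step (this is example code, not the dnsrecon.rb source), the snippet below walks the same SRV prefix list with Ruby's standard Resolv::DNS and prints rows in the tool's name,ip,port style. The StubResolver class and the example.com answers are constructed so it can run offline; pass a real domain without --offline to query live DNS.

```ruby
require 'resolv'

# SRV prefixes the tool checks (the list from the post above).
SRV_PREFIXES = %w[
  _gc._tcp _kerberos._tcp _kerberos._udp _ldap._tcp _test._tcp _sips._tcp
  _sip._udp _sip._tcp _aix._tcp _finger._tcp _ftp._tcp _http._tcp _nntp._tcp
  _telnet._tcp _whois._tcp _h323cs._tcp _h323cs._udp _h323be._tcp _h323be._udp
  _h323ls._tcp _h323ls._udp
].freeze

# Query each SRV name under +domain+ and return [name, ip, port] rows.
# +resolver+ needs getresources and getaddresses; Resolv::DNS provides both.
def enumerate_srv(domain, resolver = Resolv::DNS.new)
  rows = []
  SRV_PREFIXES.each do |prefix|
    name = "#{prefix}.#{domain}"
    srvs = resolver.getresources(name, Resolv::DNS::Resource::IN::SRV)
    # Lowest priority first, then highest weight, as a client would pick them.
    srvs.sort_by { |r| [r.priority, -r.weight] }.each do |srv|
      target = srv.target.to_s.chomp('.')
      ips = resolver.getaddresses(target).map(&:to_s)
      ips = ['<unresolved>'] if ips.empty? # SRV pointing at a dangling target
      ips.each { |ip| rows << [name, ip, srv.port] }
    end
  end
  rows
end

def srv_csv(domain, resolver = Resolv::DNS.new)
  enumerate_srv(domain, resolver).map { |r| r.join(',') }.join("\n")
end

# Constructed offline resolver (not real DNS data): answers only the two
# _sip names for example.com, one target resolvable and one dangling.
class StubResolver
  SRV = Resolv::DNS::Resource::IN::SRV
  def getresources(name, _type)
    return [] unless %w[_sip._udp.example.com _sip._tcp.example.com].include?(name)
    [SRV.new(20, 0, 5061, 'sip2.example.com'), SRV.new(10, 0, 5060, 'sip.example.com')]
  end
  def getaddresses(host)
    { 'sip.example.com' => ['192.0.2.10'] }.fetch(host, [])
  end
end

if $PROGRAM_NAME == __FILE__
  resolver = ARGV[1] == '--offline' ? StubResolver.new : Resolv::DNS.new
  puts srv_csv(ARGV[0] || 'example.com', resolver)
end
```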
To install the necessary Ruby dependencies using RubyGems, run the following commands as root:
    gem install pNet-DNS
    gem install ip
The script can be downloaded from dnsrecon.rb
I do hope that others find it as useful as I have. This tool will be included in BT4 along with other tools that I have discussed on this blog.
Help screen of the script:
    root@bt:~# ./dnsrecon.rb
    Dnsrecon 1.6
    By Carlos Perez
    Email: carlos_perez[at]darkoperator.com

    This is a simple tool written for target enumeration during authorized penetration test
    engagements. This tool provides different methods for enumerating targets thru DNS service.

    -t, --type
        Select the type of enumeration to be done.
        std  Query for SOA, NS and MX Record of a target domain.
        tld  Top Level Domain enumeration of a target domain.
        axf  Perform a Zone transfer against all NS server Records
             of a target domain.
        rvs  Reverse Record Lookup enumeration against a targeted
             IP range.
        srv  Service Record Enumeration of VOIP, Active Directory and
             Network Services service records.
        brt  Bruteforce subdomain and host records using a wordlist.
    -d, --target
        Domain to be targeted for enumeration.
    -i, --ip
        Starting IP and end IP for a range to be used for reverse lookup
        enumeration of a targeted domain. Exmpl. 192.168.1.1,192.168.1.253
    -w, --wordlist
        Wordlist to be use for brutforce enumeration of host names and subdomains.
    -s, --dns
        Alternate DNS server to use.
    -h, --help
        This help message.
Here is an example of the tool enumerating SRV records and standard records:
    root@bt:~# ./dnsrecon.rb -t srv -d avaya.com
    _sip._udp.avaya.com,198.152.17.90,5060
    _sip._tcp.avaya.com,198.152.17.90,5060

    root@bt:~# ./dnsrecon.rb -t std -d google.com
    google.com,209.85.171.100,A
    google.com,74.125.67.100,A
    google.com,74.125.45.100,A
    ns1.google.com,216.239.32.10,SOA
    ns4.google.com,216.239.38.10,NS
    ns1.google.com,216.239.32.10,NS
    ns2.google.com,216.239.34.10,NS
    ns3.google.com,216.239.36.10,NS
    smtp4.google.com,72.14.221.25,MX,10
    smtp1.google.com,209.85.237.25,MX,10
    smtp2.google.com,64.233.165.25,MX,10
    smtp3.google.com,209.85.137.25,MX,10