Skip to content
/ RecceDNS Public

A DNS reconnaissance/enumeration tool developed in Rust πŸ¦€

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AlexOgden/RecceDNS

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

487 Commits
.github
.github
Β 
Β 
docs
docs
Β 
Β 
src
src
Β 
Β 
.gitignore
.gitignore
Β 
Β 
Cargo.lock
Cargo.lock
Β 
Β 
Cargo.toml
Cargo.toml
Β 
Β 
Dockerfile.basic
Dockerfile.basic
Β 
Β 
Dockerfile.lists
Dockerfile.lists
Β 
Β 
LICENSE
LICENSE
Β 
Β 

Repository files navigation

RecceDNS

RecceDNS is a DNS enumeration/OSINT tool written in Rust that provides functionality to gather information about domain names. It performs various DNS queries to discover subdomains, IP addresses, and other DNS records associated with a target domain. The tool is designed to be fast, efficient, and easy to use. This tool places emphasis on high-performance subdomain bruteforcing with advanced functionality for rapid enumeration and rate limiting mitigation.

I originally started working on this project to learn Rust, improve on network programming, and gain a deeper understanding of DNS. This software includes its own stub resolver built from scratch, it is not a fully-featured DNS implementation and only supports the functionality required of it. I am still learning/improving my Rust skills, if you're experienced in Rust and think something could be improved, be more idomatic, or any other suggestions, feel free to let me know or submit a pull request!

Features

  • Enumerate the following DNS records:
    • A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, PTR
  • Check if domain is using DNSSEC.
  • Check for wildcard domains.
  • Check resolver(s) for NXDOMAIN hijacking.
  • Support for multiple resolvers.
    • Select sequentially or randomly.
  • Support for both UDP and TCP.
  • Bruteforce subdomains with a wordlist.
    • Show the resource record data for each subdomain or simply just show the domain.
    • Retry failed queries. If a query fails for networking/protocol issues, retry at the end of enumeration or disable.
    • Use an optional delay between queries (Fixed, Random Range, and Adaptive).
  • SRV enumeration, use a wordlist with the query argument set to SRV to find common SRV records.
  • Reverse IP PTR for a single IP address, CIDR notation, or range.
  • Search for subdomains based Certificate Transparency using crt.sh.
  • Expland TLD enumeration for a given domain on the full IANA TLD list.
  • Coloured output with progress reporting on bruteforce subdomain enumeration.
  • Output results to a JSON file.
  • High Performance Features:
    • Multi-Threaded bruteforce enumeration.
    • Use multiple DNS resolvers.
    • Dynamically disable resolver for random time if rate limited.
    • Adaptive delay (increases and decreases dynamically within bounds to reduce rate-limiting).
    • Asyncronous UDP socket pooling - thousands of queries without locking up file resources.

Getting Started

πŸ”¨ Cloning and Building from Source

To clone the repository and build the software, follow these steps:

  1. Clone the repository:

    git clone --depth 1 [email protected]:AlexOgden/RecceDNS.git
cd reccedns

  2. Build the project: Ensure you have Rust installed. If not, you can install it from rust-lang.org.

    cargo build --release

  3. Run the tests (optional):

    cargo test

After building, you can find the executable in the target/release directory.

πŸ“¦ Pre-Built Binaries

Pre-built binaries are available in the releases section for the following platforms:

  • Windows (x86_64)
  • macOS (x86_64, arm64)
  • Linux (x86_64, arm64, armv7)

You can download these binaries directly from the releases page without building from source.

🐳 Docker Images

Official Docker images are available:

  • Basic: Minimal image with only RecceDNS installed.
  • Lists: Includes RecceDNS and pre-installed DNS subdomain lists from SecLists in /opt/wordlists.

Usage Examples:

Basic image:

docker pull ghcr.io/alexogden/reccedns:latest
docker run --rm -it ghcr.io/alexogden/reccedns:latest -m c -d 1.1.1.1 -t github.com

Lists image:

docker pull ghcr.io/alexogden/reccedns:lists
docker run --rm -it ghcr.io/alexogden/reccedns:lists -m s -t github.com -w /opt/wordlists/list.txt -D A:10-50 -d 1.1.1.1

See the releases page for the latest versions.

Arguments

Note:
All command-line arguments can also be set using environment variables.
CLI arguments always take precedence over environment variables.

Argument Environment Variable Description
-m, --mode <MODE> RECCEDNS_MODE Operation mode. Possible values:
β€’ b: Basic Enumeration
β€’ s: Subdomain Enumeration
β€’ r: Reverse PTR IP
β€’ c: Certificate Search
β€’ t: TLD Expansion
-t, --target <TARGET> RECCEDNS_TARGET Target base domain or IP (single, CIDR, or range).
Examples: google.com, 192.168.2.3, 192.168.2.0/24, 192.168.2.1-192.168.2.230
-d, --dns-resolvers <DNS_RESOLVERS> RECCEDNS_DNS_RESOLVERS DNS resolver(s) (IPv4, comma-separated).
Default: 1.1.1.1.
Multiple resolvers can be selected randomly or sequentially (see -r).
-p, --protocol <TRANSPORT_PROTOCOL> RECCEDNS_PROTOCOL (Optional) Transport protocol for DNS queries.
Values: UDP (default), TCP
-w, --wordlist <WORDLIST> RECCEDNS_WORDLIST Path to subdomain wordlist. Required for enumeration mode.
-v, --verbose RECCEDNS_VERBOSE Print extra information. Default: false
-q, --query-types <QUERY_TYPE> RECCEDNS_QUERY_TYPES Resource-record(s) to query.
Values: A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, ANY (default).
Comma-separated list. Not all types available in every mode.
--no-welcome RECCEDNS_NO_WELCOME Don't show the welcome ASCII art.
--no-dns-check RECCEDNS_NO_DNS_CHECK Don't check if DNS servers are working before starting.
--no-recursion RECCEDNS_NO_RECURSION Set recursion-desired to false in DNS queries.
--no-retry RECCEDNS_NO_RETRY Don't retry failed queries.
--no-print-records RECCEDNS_NO_PRINT_RECORDS Don't print DNS records in subdomain enumeration (show only subdomains).
--no-query-stats RECCEDNS_NO_QUERY_STATS Don't calculate/print average query time.
--no-print-errors RECCEDNS_NO_PRINT_ERRORS Don't print failed queries during subdomain enumeration (errors still show on retry). Use -Q to silence all output.
--show-resolver RECCEDNS_SHOW_RESOLVER Print which resolver was used for each query.
-D, --delay <MS|RANGE|ADAPTIVE> RECCEDNS_DELAY Delay between queries (subdomain enumeration).
β€’ Fixed: 1000 (ms)
β€’ Range: 100-200 (random ms)
β€’ Adaptive: A or A:10-750 (dynamic, A alone uses 10-500 as the default range)
-r, --use-random RECCEDNS_USE_RANDOM When multiple resolvers are provided, randomly select one for each query.
--json <path> RECCEDNS_JSON_OUTPUT Output results to a JSON file. .json will be appended if not provided.
-Q, --quiet RECCEDNS_QUIET Don't print any results to the terminal. Useful for large targets when outputting to JSON.
-T, --threads <N> RECCEDNS_THREADS Number of threads for subdomain enumeration.
Defaults to (logical cores - 1), max 6 if more than 6 cores.

Example Usage

Basic Enumeration

reccedns -m b -d 1.1.1.1 -t github.com

Bruteforce Subdomains

Any Records

reccedns -m s -d 1.1.1.1 -w .\subdomains-top1million-5000.txt -t github.com

A (IPv4) Only

reccedns -m s -d 1.1.1.1 -q a -w .\subdomains-top1million-5000.txt -t github.com

SRV Enumeration

reccedns -m s -d 1.1.1.1 -q srv -w .\srv_names.txt -t github.com

Multiple Resolvers - Sequential Selection

reccedns -m s -d 1.1.1.1,9.9.9.9,8.8.8.8 -q a,aaaa -w .\subdomains-top1million-5000.txt -t github.com

Multiple Resolvers - Random Selection

reccedns -m s -d 1.1.1.1,9.9.9.9,8.8.8.8 --use-random --show-resolver -q a -w .\subdomains-top1million-5000.txt -t github.com

With Consistent Delay

reccedns -m s -d 1.1.1.1 -w .\subdomains-top1million-5000.txt -t github.com --delay 50

With Random-Range Delay

reccedns -m s -d 1.1.1.1 -w .\subdomains-top1million-5000.txt -t github.com --delay 50-900

With Adaptive Delay

reccedns -m s -d 1.1.1.1 -w .\subdomains-top1million-5000.txt -t github.com --delay A:5-750

With Specified Thread Count

reccedns -m s -d 1.1.1.1 -w .\subdomains-top1million-5000.txt -t github.com -T 6

Output to JSON

reccedns -m s -d 1.1.1.1 -w .\combined_names.txt -t github.com -T 6 -q A,AAAA,MX --json query_output

Don't Print Errors During Enumeration (still prints on retry)

reccedns -m s -d 8.8.8.8 -w .\combined_names -t github.com -T 4 --no-print-errors

Reverse PTR IP Search

Single IP Address

reccedns -m r -d 1.1.1.1 -t 192.168.0.1

CIDR Notation

reccedns -m r -d 1.1.1.1 -t 192.168.0.0/24

IP Range

reccedns -m r -d 1.1.1.1 -t 192.168.0.0-192.168.1.254

Certificate Search

reccedns -m c -t github.com

TLD Expansion

Check 'github' with the full list of IANA TLDs

reccedns -m t -d 8.8.8.8 -t github.com

Don't Print the Actual DNS Records

reccedns -m t -d 8.8.8.8 -t github.com --no-print-records

Only Check Using A Records

reccedns -m t -d 8.8.8.8 -t github.com -q a

Check with A and AAAA

reccedns -m t -d 8.8.8.8 -t github.com -q a,aaaa

Provide a Wordlist with TLDs

reccedns -m t -d 8.8.8.8 -t github.com -w tlds.txt

About

A DNS reconnaissance/enumeration tool developed in Rust πŸ¦€

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 7

v0.13.0 Latest
Apr 25, 2025
+ 6 releases

Packages

 
 
 

Contributors 2

  •  
  •  

Languages