DNS host enumeration tool.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



                       Version 0.1.1 / 24.05.2012

--=[ Disclaimer ]=-----------------------------------------------------//

This document describes DNSNINJA, a tool to perform dictionary based
queries against DNS servers. The author of this document provides the
software AS IS and and cannot be made responsible for any damage that
may occur while using this tool.

This software may contain errors or may not work properly in certain
circumstances. Therefore, use this tool at your own risk. 

You can use this tool free of charge and you are allowed to freely
modify and distribute it. Please check section "License" for more

--[ Contents ]----------------------------------------------------------

1 - Introduction

2 - The Tool
  2.1 - Overview
  2.2 - Features
  2.3 - Usage
	2.3.1 - Command-line Arguments
    2.3.2 - Doing Forward DNS Lookups
    2.3.3 - Doing Reverse DNS Lookups
    2.3.4 - Saving Results to a File
  2.4 - Building from Source
  2.5 - License
  2.6 - Source Code Repository
  2.7 - Similar Tools
  2.8 - Reporting Bugs and Features

3 - Bibliography

4 - Contact

--[ 1 - Introduction ]--------------------------------------------------

DNS servers are an important source of information during information
gathering in a penetration testing project. Attackers / penetration
testers use data in DNS servers to obtain knowledge about live systems.
DNS servers become even more important in the IPv6 world, where simple
subnet scanning won't be possible anymore due to the huge address space
This tool shall support penetration testers during their information 
gathering activities and reduce the need for manual, repetitive tasks.

--[ 2 - The Tool ]------------------------------------------------------

----[ 2.1 - Overview ]--------------------------------------------------

DNSNINJA is a tool to query DNS servers by either using a prepared word
list to send forward DNS lookup queries or a list of ip addresses to
send reverse DNS lookup queries. It allows the user to quickly enumerate
hosts in a DNS domain or an ip range. The tool is mainly aimed at 
pentesters and shall provide support in their daily job during 
information gathering. 

A tool like this can generate heavy load on the target. It is therefore
adviced to take caution. System administrators at the target's site
could interpret such scans as a certain type of attack and take counter-
measures. Therefore, use with caution.

You have been warned.

----[ 2.2 - Features ]--------------------------------------------------

the current version of DNSNINJA offers the following features:

  + Supports multi-threading
  + Do forward DNS lookups based on wordlist
  + Do reverse DNS lookups based on a list of ip addresses
  + Query up to five DNS servers in parallel to distribute the load
  + Save the results to a text file
  + Supports different log levels

----[ 2.3 - Usage ]-----------------------------------------------------

This chapter explains basic usage of DNSNINJA.

----[ 2.3.1 - Command-line Arguments ]----------------------------------

The following command-line arguments are supported:

--reverse, -r                   

    Do a reverse DNS lookup. If not specified, a forward DNS lookup will
    be performed.

--servers=<ip1,ip2,...>, -s <ip1,ip2,...>
	List of DNS servers, which shall be used as targets for DNS queries.

--domain=<domain name>, -d <domain name>

    Specify the domain to be queried. Only used when doing forward 
    DNS lookups (e.g. -d foo.org).

--inputfile=<filename>, -i <filename>      

    The file containing either a list of ip addresses or host names, 
    depending on the lookup mode (reverse, forward).
--outputfile=<filename>, -o <filename>     

    Allows you to write the query results into a simple, comma-separated
    text file. This allows you to further process the results in other 
--loglevel=<level>, -l <level>         

    Specifies the desired log level. The following levels are supported:
        1 = ERROR (Log errors only)
        2 = INFO (Log additional information)
        3 = DEBUG (Log debug level information)

--version, -v

    Displays version information.

--help, -h 

    Display help page.

----[ 2.3.2 - Doing Forward DNS Lookups ]-------------------------------

Usage of this tool is quite simple. Do do a simple forward DNS lookup
search based on a wordlist, run the following command:

$ ./dnsninja -s 111.222.333.444 -d mydomain.com -i myhosts.txt

This connects to the DNS server 111.222.333.444 and sends queries for the
mydomain.com domain. It uses the file myhosts.txt which contains entries like

$ cat myhosts.txt

The myhosts.txt file and the specified domain are used to form DNS queries
such as:


If a host has been found, the ip address of this host is returned.

----[ 2.3.3 - Doing Reverse DNS Lookups ]-------------------------------

Doing reverse DNS lookups works similar. To do reverse DNS lookups based
on a list of ip addresses, run the following command:

$ ./dnsninja -r -s 111.222.333.444 -i myips.txt

Again, the DNS server 111.222.333.444 is contacted to DNS PTR queries will
be sent to this machine. As a result, you will receive the name of the 
domains associated with that ip. 

----[ 2.3.4 - Saving Output to a File ]---------------------------------

DNSNINJA displays the results on screen. But sometimes it is desirable
to save the results to a text file. You can do this by specifying the
-o option on the command line like this:

$ ./dnsninja -s 111.222.333.444 -d mydomain.com 
    -i myhosts.txt -o results.txt

----[ 2.4 - Building from Source ]--------------------------------------

Befor you can build the tool from source, your system must meet some
preconditions. Currently they are:

  + gcc must be installed.
  + make must be installed.

The source distribution can be built from source by conducting the
following steps on your box:

  1. Copy the file dnsninja-<version>.tar.gz to your linux box. Make
     sure, it is located in a dedicated directory, since extraction
	 will put the files directly in there.

  2. Extract the tarball using:

     $ tar xvf dnsninja-<version>.tar.gz

  3. Compile the source code using:

     $ make

	 Optionally, you can compile it in debug mode in order to add debug
	 information to the resulting binary. You'll need that only if you
	 like to debug using gdb. To create a debug binary invoke:

     $ make DEBUG=1

The resulting binary is now ready to use.

As for now, I've tested the binary on the following platforms and it
just runs fine:

+ Arch Linux
+ Debian 6 Squeeze
+ Cygwin 

----[ 2.5 - License ]---------------------------------------------------

Copyright 2012 André Gasser

DNSNINJA is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

DNSNINJA is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with DNSNINJA.  If not, see <http://www.gnu.org/licenses/>.

----[ 2.6 - Source Code Repository ]------------------------------------

The latest version of the tool is always available here:

+ https://github.com/shoka/dnsninja

----[ 2.7 - Similar Tools ]---------------------------------------------

This tool was partly inspired by other tools like this. These are:

+ dnsmap by pagvac

+ dns-discovery by m0nad

----[ 2.8 - Reporting Bugs and Features ]-------------------------------

This software is probably far away from a bug-free state. Because of
this, I am very glad to receive feedback from you regarding DNSNINJA.
You can either contact me by mail or, even better, open a new issue on

----[ 3 - Bibliography ]------------------------------------------------

[1] Reverse DNS lookups

[2] RFC 1034 - Domain Names - Concepts and Facilities

[3] RFC 1035 - Domain Implementation and Specification

----[ 4 - Contact ]-----------------------------------------------------

Mail:      andre.gasser@gmx.ch
Jabber:    sh0ka@jabber.ccc.de
Blog:      http://blog.andregasser.net