How to Perform DNS Enumeration in Python

Learn how you can extract DNS information of a domain name such as nameservers, IP addresses, email services and more using dnspython library in Python.
  · 4 min read · Updated jan 2023 · Ethical Hacking

Struggling with multiple programming languages? No worries. Our Code Converter has got you covered. Give it a go!

DNS Enumeration is the process of collecting information about a specific domain's DNS configuration. It is one of the most common reconnaissance techniques that can be useful for many purposes, such as identifying nameservers, learning about the email services being used in a particular domain, and many more.

You can also extract domain name information using the WHOIS database, but that's not the purpose of this tutorial, as we'll interact with DNS.

We will be using the dnspython library in Python to help us perform DNS queries and parse the responses conveniently. Let's install it:

$ pip install dnspython

Once the library is installed, open up a new Python file dns_enumeration.py, and add the following:

import dns.resolver

# Set the target domain and record type
target_domain = "thepythoncode.com"
record_types = ["A", "AAAA", "CNAME", "MX", "NS", "SOA", "TXT"]
# Create a DNS resolver
resolver = dns.resolver.Resolver()
for record_type in record_types:
    # Perform DNS lookup for the specified domain and record type
    try:
        answers = resolver.resolve(target_domain, record_type)
    except dns.resolver.NoAnswer:
        continue
    # Print the answers
    print(f"{record_type} records for {target_domain}:")
    for rdata in answers:
        print(f" {rdata}")

We specify the most common DNS records: A, AAAA, CNAME, MX, NS, SOA, and TXT. You can look at this Wikipedia page to see all the available DNS records and their functions.

We create the Resolver object and use the resolve() method that accepts the target domain and the record type to extract the DNS information.

Here’s my output:

$ python dns_enumeration.py
 
DNS records for thepythoncode.com (A):
99.81.207.218
52.19.6.38    
34.247.123.251
DNS records for thepythoncode.com (MX):
0 thepythoncode-com.mail.protection.outlook.com.
DNS records for thepythoncode.com (NS):
sparrow.ezoicns.com.
siamese.ezoicns.com.
giraffe.ezoicns.com.
manatee.ezoicns.com.
DNS records for thepythoncode.com (SOA):
giraffe.ezoicns.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
DNS records for thepythoncode.com (TXT):
"v=spf1 include:spf.protection.outlook.com -all"
"NETORGFT5410317.onmicrosoft.com"
"google-site-verification=yJTOgIk39vl3779N3QhPF-mAR36QE00J6LdXHeID4fM"

Awesome! A lot of helpful info here:

  • We can see that thepythoncode.com is mapping to three different IP addresses (the A record); we can then use services such as IPInfo to know more about these IP addresses.
  • The MX (Mail Exchange) record is used to identify the servers responsible for handling incoming emails for a domain. In our case, we clearly see that this domain is using the Outlook service.
  • For the NS record, thepythoncode.com has four different nameservers from ezoicns.com. NS records identify the DNS servers responsible for handling DNS queries for the domain. In other words, when a client wants to look up the IP address (such as a regular web browser) for thepythoncode.com, it will query one of these DNS servers for information.
  • SOA records contain administrative information about the zone and other information about DNS’s configuration, such as the time-to-live (TTL) for DNS records.
  • Finally, the TXT records store arbitrary text data associated with a domain. In our case, the TXT records contain various verification codes and other information used by different services to verify that they have permission to access the domain name. For example, the record "google-site-verification=yJTOgIk39vl3779N3QhPF-mAR36QE00J6LdXHeID4fM" is used by Google to verify that a website owner has permission to access Google services for their domain.
  • The SPF (Sender Policy Framework) record in the TXT records is used to help protect against email spam and spoofing, as they contain instructions for receiving mail servers about which servers are allowed to send an email for a particular domain.

Alright! That's it for the tutorial; I hope it's helpful for you to extract DNS information about a domain name.

Are you interested in learning more about ethical hacking and building tools to protect against cyber threats? Our Ethical Hacking with Python Ebook is the perfect resource for you! This comprehensive guide covers building tools in various topics, including information gathering, malware, and network packet manipulation. You'll learn how to build tools like a reverse shell, password cracking tools, and many more (More than 35 pentesting tools).

With step-by-step instructions and clear explanations, this EBook is perfect for both beginners and experienced professionals looking to expand their knowledge in the field of ethical hacking with Python. Don't miss out on this opportunity to become an expert in cyber security – get your copy today!

Learn also: How to Get Domain Name Information in Python.

Happy hacking ♥

Found the article interesting? You'll love our Python Code Generator! Give AI a chance to do the heavy lifting for you. Check it out!

View Full Code Explain My Code
Sharing is caring!



Read Also



Comment panel

    Got a coding query or need some guidance before you comment? Check out this Python Code Assistant for expert advice and handy tips. It's like having a coding tutor right in your fingertips!