How to walk DNSSEC Zones: dnsrecon

After implementing DNS and DNSSEC (see the last posts) it is good to run some reconnaissance attacks against your own DNS servers, especially to see the difference between NSEC and NSEC3, i.e., whether zone walking (enumeration) is feasible or not.

The tool dnsrecon can be used for many different kinds of DNS reconnaissance. In this post I will focus on the -z option, which is used for DNSSEC zone walking, i.e., walking the whole DNS zone leaf by leaf.

This blogpost is part of a series about DNSSEC. Refer to this list for all articles.


There are official installation instructions (great!) that work without any errors. On my Ubuntu 16.04.1 LTS it worked exactly like this:

Note the help page, which gives a few hints on how dnsrecon can be used for dictionary or brute-force attacks, or even how to use Google to search for subdomains and hosts.

DNSSEC Zone Walking

To walk a zone use the -z  option. In the following example I am walking through my own domain  which uses only NSEC (instead of NSEC3) and is therefore prone to zone walks. The enumeration starts at line 21:

"Autumn leaves" by Nicu Buculei is licensed under CC BY-SA 2.0

That is: All (!) FQDNs are exposed within a few seconds. No brute-force or dictionary attacks are needed. The NSEC records reveal the whole zone!

Note, however, that not all records are listed, e.g., my TLSA (DANE) or SSHFP records, and some types are not listed correctly, e.g., CNAMEs. This is only because dnsrecon does not query every record type at each name it discovers; it is not because they cannot be retrieved. The type bitmap in each NSEC record already tells you which record types exist at that name, so a second pass querying exactly those types would complete the picture.

Following is a Wireshark (tcpdump) capture that shows an example while dnsrecon was running:

dnsrecon Wireshark Screenshot

Trying to walk NSEC3

As per design (RFC 5155), this should not be possible: NSEC3 records carry hashed owner names instead of plain-text ones, so the chain can still be followed, but all you collect are hashes. Zone walking in the NSEC sense is therefore no longer feasible. The caveat a practitioner should keep in mind: the salt and iteration count are public (NSEC3PARAM), so the collected hashes can be attacked offline with a dictionary of likely labels. NSEC3 raises the cost of enumeration; it does not eliminate it. In the following example I am trying to walk through my domain  which uses NSEC3. Starting with line 23, nothing happens:

That's it. If you want to hide your DNS zone contents, use NSEC3. But as already noted many times, security by obscurity is not a good design at all. ;) And if you want to read your DNS replies easily, NSEC3 is the less convenient choice.
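To make the difference between the two chains concrete, here is an added example (my own code, not part of dnsrecon or dnssecwalk) that simulates both the NSEC walk from the section above and the NSEC3 case from this one. The zone under example.com, its NSEC and NSEC3 chains, the salt and the wordlist are all constructed, and the "resolver" is a dict lookup standing in for real NSEC/NSEC3 queries, so it runs offline. The NSEC3 hash function is the one from RFC 5155 section 5; the only external value is the RFC 5155 Appendix A hash of the apex "example." used as a self-check.

```python
"""NSEC zone walk vs. NSEC3 hash walk, simulated offline.

Added example (not dnsrecon or dnssecwalk code). The zone below is
constructed under the reserved documentation domain example.com, and the
"resolver" is a plain dict lookup standing in for NSEC/NSEC3 queries.
"""
import base64
import hashlib

# Constructed NSEC zone in canonical order: owner -> (next owner, type bitmap).
# The NSEC chain is a closed ring; the last name points back to the apex.
NSEC_ZONE = {
    "example.com.": ("mail.example.com.", ["SOA", "NS", "MX", "DNSKEY", "RRSIG", "NSEC"]),
    "mail.example.com.": ("www.example.com.", ["A", "SSHFP", "RRSIG", "NSEC"]),
    "www.example.com.": ("_443._tcp.www.example.com.", ["A", "AAAA", "RRSIG", "NSEC"]),
    "_443._tcp.www.example.com.": ("example.com.", ["TLSA", "RRSIG", "NSEC"]),
}


def walk_nsec(zone, apex):
    """Follow the NSEC 'next owner' pointers from the apex until the ring closes.

    Each hop is one query (QTYPE=NSEC at the current owner); the answer names
    the next owner in the zone and lists the record types at the current one.
    """
    names = []
    current = apex
    while True:
        next_owner, types = zone[current]      # simulated NSEC query
        names.append((current, types))
        if next_owner == apex:                 # ring closed: zone fully enumerated
            return names
        if len(names) > len(zone):             # defensive: malformed chain
            raise RuntimeError("NSEC chain does not return to the apex")
        current = next_owner


# base32 -> base32hex alphabet, as NSEC3 owner names are written
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire format: lowercase labels, length-prefixed, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).

    H is SHA-1 (the only defined algorithm). Known vector from RFC 5155 Appendix A:
    nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12)
        == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"
    """
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def build_nsec3_chain(names, salt, iterations):
    """Constructed NSEC3 chain: sorted owner hashes, each pointing to the next (ring)."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def walk_nsec3(chain, start_hash):
    """Walk the NSEC3 ring exactly like NSEC, but all you collect are hashes."""
    collected = []
    current = start_hash
    while True:
        collected.append(current)
        current = chain[current]               # simulated NSEC3 query
        if current == start_hash:
            return collected


def crack_nsec3(hashes, labels, origin, salt, iterations):
    """Offline dictionary attack: salt and iterations are public (NSEC3PARAM),
    so hash candidate names and match them against the collected hashes."""
    candidates = [origin] + [f"{label}.{origin}" for label in labels]
    table = {nsec3_hash(c, salt, iterations): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    for owner, types in walk_nsec(NSEC_ZONE, "example.com."):
        print(f"{owner:30} {' '.join(types)}")

    salt, iterations = bytes.fromhex("aabbccdd"), 12   # constructed NSEC3PARAM values
    chain = build_nsec3_chain(list(NSEC_ZONE), salt, iterations)
    hashes = walk_nsec3(chain, nsec3_hash("example.com.", salt, iterations))
    found = crack_nsec3(hashes, ["www", "mail", "ftp"], "example.com.", salt, iterations)
    for h in hashes:
        print(h, found.get(h, "<not in wordlist>"))
```

Run as-is, the NSEC walk prints all four names with their type bitmaps after four queries, which is the "all FQDNs exposed within seconds" result above. The NSEC3 walk also takes four queries but yields only 32-character hashes; the dictionary pass recovers the apex, www and mail, while the unusual `_443._tcp.www` label stays hidden unless it is in the wordlist. That is the practical difference: NSEC3 turns enumeration into an offline guessing game whose cost is set by the iteration count and by how predictable your labels are.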

Another Tool: dnssecwalk

Just after finishing this post I found another tool that is a perfect fit for walking DNSSEC zones. It comes from the great THC-IPv6 toolkit by van Hauser. (Google for installation guides; there are many out there.) The dnssecwalk tool is really easy to use, and it reveals all (!) records, incl. the TLSA ones:


Featured image: “Füße” by Robert Agthe is licensed under CC BY 2.0.
