Beyond A Records: How Full DNS Reconnaissance Uncovers Hidden Attack Surface + Video

Listen to this Post

Featured Image

Introduction:

In the world of cybersecurity, most reconnaissance efforts stop at A records—the basic mapping of domain names to IP addresses. Yet this is precisely where the most dangerous attack surfaces remain hidden. DNS records contain a wealth of information about an organization’s infrastructure, from third-party service dependencies to misconfigured email security and even direct takeover opportunities. By querying all available DNS record types using tools like ProjectDiscovery’s dnsx, penetration testers and security professionals can dramatically expand their visibility and uncover critical vulnerabilities that would otherwise go unnoticed.

Learning Objectives:

  • Master the use of `dnsx` for comprehensive DNS reconnaissance across all record types
  • Understand how CNAME, MX, NS, and TXT records reveal different layers of organizational infrastructure
  • Identify subdomain takeover opportunities, DNS takeover risks, and misconfigurations in SPF/DKIM setups
  • Learn to integrate `dnsx` into automated reconnaissance workflows with other ProjectDiscovery tools

1. Installing and Setting Up dnsx

`dnsx` is a fast, multi-purpose DNS toolkit built on the retryabledns library, designed for running multiple DNS queries efficiently with support for custom resolvers and wildcard filtering. It is the successor to `dnsprobe` and includes enhanced features for better user experience.

Installation Methods:

Via Go (Recommended):

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

Via APT (Kali Linux):

sudo apt install dnsx

Via Binary:

Download pre-built binaries from the releases page and extract:

tar -xvf dnsx-linux-amd64.tar
sudo mv dnsx-linux-amd64 /usr/local/bin/dnsx

Via Homebrew (macOS/Linux):

brew install dnsx

Post-Installation Verification:

dnsx -h

If the command is not found, ensure your Go bin path is in your system PATH:

export PATH=$PATH:$HOME/go/bin
source $HOME/.bashrc

2. Querying All DNS Records with -recon Flag

The `-recon` flag is the cornerstone of comprehensive DNS reconnaissance. It queries all identifiable DNS records for a given domain, including A, AAAA, CNAME, NS, TXT, SRV, PTR, MX, SOA, AXFR, and CAA.

Basic Reconnaissance Command:

echo example.com | dnsx -recon -re

Understanding the Output:

  • A/AAAA Records: IPv4/IPv6 addresses where the domain resolves
  • CNAME Records: Aliases that reveal third-party services and subdomain takeover opportunities
  • MX Records: Mail exchange servers exposing email infrastructure
  • NS Records: Nameservers that control the zone, revealing DNS takeover opportunities
  • TXT Records: Often leak SPF/DKIM configurations, internal tooling references, and SaaS verification tokens
  • SOA Records: Start of Authority information about the zone
  • AXFR: Zone transfer attempts (should be restricted)

Advanced Recon with Output Control:

 JSON output for programmatic processing
echo ethiack.com | dnsx -recon -json -o dns_recon.json

Silent mode for clean output
echo ethiack.com | dnsx -recon -silent

3. Targeted Record Queries for Specific Intelligence

While `-recon` provides a complete picture, targeted queries allow focused analysis of specific attack vectors.

Querying CNAME Records (Subdomain Takeover Detection):

echo example.com | dnsx -cname -resp

CNAME records pointing to external services (e.g., custom-domain.s3.amazonaws.com, azurewebsites.net, github.io) may be vulnerable to subdomain takeover if the target service is no longer provisioned.

Querying MX Records (Email Infrastructure Mapping):

echo example.com | dnsx -mx -resp

MX records reveal mail servers and their priorities, helping attackers understand email security posture and potential entry points.

Querying NS Records (DNS Takeover Assessment):

echo example.com | dnsx -1s -resp

NS records show which nameservers control the zone. Delegated subdomains with their own NS records may be vulnerable to DNS takeover if the delegated zone expires.

Querying TXT Records (Configuration Leak Detection):

echo example.com | dnsx -txt -resp

TXT records commonly contain:

  • SPF policies (email spoofing prevention)
  • DKIM public keys
  • Domain verification tokens for Google, Microsoft, AWS, and other SaaS platforms
  • Internal service identifiers

4. Bulk Reconnaissance and Automation

`dnsx` excels at processing large lists of domains or subdomains through stdin/stdout piping, making it ideal for automated reconnaissance pipelines.

Processing a List of Domains:

cat domains.txt | dnsx -recon -silent -o all_records.txt

Extracting Only Live Hosts with IP Addresses:

cat subdomains.txt | dnsx -a -resp -silent

Extracting Only IP Addresses (No Domain Context):

cat subdomains.txt | dnsx -a -resp-only -silent

Reverse DNS Lookup on IP Ranges (CIDR):

cat ips.txt | dnsx -ptr -resp-only -silent

Integration with Subfinder:

subfinder -silent -d target.com | dnsx -recon -silent -json -o target_recon.json

This workflow discovers subdomains using Subfinder, then performs full DNS reconnaissance on each discovered host.

  1. Advanced Techniques: Custom Resolvers, Rate Limiting, and Wildcard Filtering

Using Custom DNS Resolvers:

echo example.com | dnsx -r 1.1.1.1,8.8.8.8 -recon

Custom resolvers help bypass DNS filtering, test from different geographic locations, or use DNS-over-HTTPS (DoH):

echo example.com | dnsx -r https://cloudflare-dns.com/dns-query -recon

Rate Limiting and Thread Control:

cat large_list.txt | dnsx -recon -t 50 -rl 20 -silent
  • -t, -threads: Number of concurrent threads (default 100)
  • -rl, -rate-limit: DNS requests per second (disabled by default)

Wildcard Subdomain Filtering:

echo example.com | dnsx -wd example.com -wt 5 -recon

Wildcard filtering removes false positives by identifying and filtering out wildcard DNS responses, ensuring only genuine subdomains are reported.

Filtering by DNS Status Code:

echo domains.txt | dnsx -rcode noerror -recon

6. Security Implications of DNS Reconnaissance Findings

Subdomain Takeover (CNAME):

When a CNAME points to an external service (e.g., AWS S3, Azure, GitHub Pages) that is no longer active, an attacker can claim that service and host malicious content under the target’s domain.

DNS Takeover (NS):

If a delegated subdomain’s nameservers are no longer authoritative (expired domain or deprovisioned service), an attacker can register the nameservers and control all DNS records for that subdomain.

Email Spoofing (TXT – SPF/DKIM):

Misconfigured SPF records (+all, `~all` with overly permissive includes) or missing DKIM signatures enable email spoofing and phishing attacks.

SaaS Token Leakage (TXT):

Verification tokens for Google Workspace, Microsoft 365, AWS SES, and other platforms in TXT records can expose which SaaS services the organization uses, guiding further targeted attacks.

Zone Transfer (AXFR):

If AXFR is enabled on a nameserver, attackers can enumerate the entire zone, discovering all subdomains and internal hostnames.

What Undercode Say:

  • Key Takeaway 1: Stopping at A records is no longer sufficient for modern security assessments—full DNS reconnaissance is essential to uncover the true attack surface.

  • Key Takeaway 2: `dnsx` provides a unified, high-performance interface for querying all DNS record types, making comprehensive reconnaissance accessible to both beginners and advanced practitioners.

Analysis:

The LinkedIn post by André Baptista (Co-founder & CTO of Ethiack) highlights a critical gap in many penetration testing methodologies: the over-reliance on basic A-record resolution. By demonstrating how CNAME, MX, NS, and TXT records reveal third-party dependencies, email infrastructure, zone control, and SaaS configurations, Baptista underscores that DNS is not merely a naming system but a rich source of intelligence for attackers. The `dnsx -recon 16` example is particularly telling—it shows how a single command can replace hours of manual DNS interrogation. This approach aligns with the shift toward continuous, automated security testing, where tools like Ethiack’s autonomous ethical hacking platform integrate such reconnaissance into broader vulnerability management workflows. The emphasis on subdomain takeover and DNS takeover opportunities reflects the growing awareness that infrastructure-as-code and cloud-1ative architectures introduce new classes of DNS-related vulnerabilities that traditional scanners miss.

Prediction:

  • +1 Organizations will increasingly adopt automated DNS reconnaissance as a standard component of their CI/CD pipelines, catching misconfigurations before they reach production.

  • +1 The integration of dnsx-like capabilities into broader ASM (Attack Surface Management) platforms will become mainstream, reducing the manual effort required for comprehensive external assessments.

  • -1 As more organizations rely on third-party SaaS and cloud services, the prevalence of subdomain takeovers will continue to rise, with attackers increasingly automating the detection and exploitation of dangling DNS records.

  • +1 DNS record analysis will evolve from a niche reconnaissance technique to a foundational security control, with regulatory frameworks beginning to mandate comprehensive DNS hygiene checks.

  • -1 The ease of use and power of tools like `dnsx` lower the barrier to entry for malicious actors, meaning defenders must adopt these same tools proactively to stay ahead of threats.

  • +1 The ProjectDiscovery ecosystem (Subfinder, dnsx, Nuclei, etc.) will continue to dominate the reconnaissance space, fostering a community-driven approach to vulnerability discovery that benefits the entire security industry.

  • -1 Organizations that fail to implement regular, automated DNS reconnaissance will remain vulnerable to takeover attacks that are increasingly trivial to discover and exploit.

▶️ Related Video (86% Match):

https://www.youtube.com/watch?v=-PTT6z4N4Ks

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: 0xacb Most – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky