![Kali Linux:An Ethical Hacker's Cookbook(Second Edition)](https://wfqqreader-1252317822.image.myqcloud.com/cover/772/36698772/b_36698772.jpg)
How to do it...
- To view the help, we type the following:
`dnsrecon -h`
The following screenshot shows the output of the preceding command:
![](https://epubservercos.yuewen.com/E581D7/19470380608818806/epubprivate/OEBPS/Images/28b32f7d-f647-4137-a0d1-86988a995e30.png?sign=1738844083-27HXmzXvQ3og6IQcFIL9njw1dssc3Mhq-0-a634d7bb29bbf1d828b3d4d4577a745b)
- To do a simple recon of name servers, A records, SOA records, MX records, and so on, we can run the following command:
`dnsrecon -d packtpub.com -n 8.8.8.8`
The following screenshot shows the output of the preceding command:
![](https://epubservercos.yuewen.com/E581D7/19470380608818806/epubprivate/OEBPS/Images/27cf3c99-5195-448e-87c5-8e180cd6c36c.png?sign=1738844083-FJ3jpZiNYVIV1dczbvx56aoAFsewgwrl-0-be4ea69b80b3eb32672cc160e19f4e85)
- Now let's take an example of a domain that has NSEC records. To do a zone walk, we can simply run the following command:
`dnsrecon -z -d icann.org -n 8.8.8.8`
The following screenshot shows the output of the preceding command:
![](https://epubservercos.yuewen.com/E581D7/19470380608818806/epubprivate/OEBPS/Images/ed33bfbd-63af-4180-ae6a-a571da2f6bbb.png?sign=1738844083-uNSHzh62Ba0JkNzuylkfJf1b82vjFlpv-0-680cc41f58908de9c00a29abb9509c0e)
- We can also do this manually with the dig command: `dig +short NSEC domainname.com`
- The previous dig command returns one subdomain. We can then rerun the same command with the subdomain from the previous step to find the next subdomain: `dig +short NSEC a.domain.com`
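The manual dig procedure above works because each NSEC record names the next owner name in the zone, so the chain can be followed until it wraps back to the apex. The following is an added example, not code from the book or from dnsrecon, that follows such a chain over constructed `dig +short NSEC` answers so a zone owner can see which names a signed zone reveals; `example.test`, the sample answers and the function names are assumptions made for illustration.

```python
# Constructed sample data: what `dig +short NSEC <name>` would print for each
# owner name in a hypothetical NSEC-signed zone (example.test is a placeholder).
SAMPLE_ANSWERS = {
    "example.test.": "_dmarc.example.test. A NS SOA MX TXT RRSIG NSEC DNSKEY",
    "_dmarc.example.test.": "dev.example.test. TXT RRSIG NSEC",
    "dev.example.test.": "vpn.example.test. CNAME RRSIG NSEC",
    "vpn.example.test.": "www.example.test. A AAAA RRSIG NSEC",
    "www.example.test.": "example.test. A RRSIG NSEC",  # wraps to the apex
}


def parse_nsec(rdata):
    """Split one `dig +short NSEC` line into (next owner name, record types)."""
    fields = rdata.split()
    if not fields:
        raise ValueError("empty NSEC rdata")
    return fields[0].lower(), fields[1:]


def walk_nsec(apex, lookup, limit=10000):
    """Follow the NSEC chain from the apex; return [(name, types), ...].

    `lookup` is any callable mapping an owner name to its NSEC rdata line
    (or None). The walk stops when the chain wraps back to a name already
    seen, when a name has no NSEC record, or after `limit` names.
    """
    apex = apex.lower().rstrip(".") + "."
    seen, chain, name = set(), [], apex
    while name not in seen and len(chain) < limit:
        rdata = lookup(name)
        if not rdata:
            break  # no NSEC here: the chain cannot be followed further
        seen.add(name)
        next_name, types = parse_nsec(rdata)
        chain.append((name, types))
        name = next_name
    return chain


def exposed_names(apex, lookup):
    """Names other than the apex that the NSEC chain reveals."""
    return [name for name, _ in walk_nsec(apex, lookup)][1:]


if __name__ == "__main__":
    for name, types in walk_nsec("example.test", SAMPLE_ANSWERS.get):
        print(f"{name:24} {' '.join(types)}")
```

A zone signed with NSEC3 instead of NSEC returns no NSEC rdata for the apex, so the walk yields an empty list for it.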