🕵️‍♂️ WHOIS & DNS Recon for Bug Bounty Hunters

Effective bug bounty reconnaissance starts with understanding your target’s online presence. WHOIS and DNS recon provide valuable insights into domain ownership, infrastructure, and attack vectors. This guide focuses on practical techniques for bug bounty hunters.


1. Why WHOIS & DNS Recon Matters

Key Record Types & Their Bug Bounty Importance

Record Type | Importance for Bug Bounty Hunters
WHOIS Registrant Email & Contact | Used for social engineering and username/email hunting.
WHOIS Registrar & Dates | Domain age hints at security posture and legacy issues.
Nameservers (NS) | DNS provider info; misconfigurations may allow takeover.
A / AAAA | IP addresses for scanning and identifying targets.
MX (Mail Servers) | Mail servers reveal phishing or interception vectors.
CNAME (Aliases) | Linked services that might be vulnerable or misconfigured.
TXT (SPF, DKIM, DMARC) | Email security; misconfigs lead to spoofing or leaks.
SOA | DNS zone authority info for advanced recon.

2. WHOIS Recon Techniques

Using whois CLI

whois example.com

Shows registrar, registrant contact, dates, and nameservers. Most registrars now redact or proxy registrant contact details, so the contact fields often show a privacy service rather than a real person; the registrar, creation/expiry dates, and nameservers are still reliable.

Online WHOIS Services


3. DNS Recon Essentials

Using dig

dig example.com any +noall +answer
dig mx example.com
dig ns example.com
dig txt example.com

Note: many authoritative servers and resolvers answer ANY queries minimally or not at all (RFC 8482), so do not rely on ANY; query each record type explicitly as in the last three commands.
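As an added example (not part of the original guide), the following Python audits the SPF and DMARC TXT records that `dig txt example.com` and `dig txt _dmarc.example.com` return, flagging the weak settings the record table in section 1 refers to. The sample records are constructed, and `audit_domain` expects a {name: [TXT strings]} map that you fill from the dig output.

```python
import re
# Constructed sample TXT answers for a hypothetical domain, in the form dig
# prints them for `dig txt example.com` and `dig txt _dmarc.example.com`.
SAMPLE_TXT = {
    "example.com": ['"v=spf1 include:_spf.google.com ~all"', '"site-verification=abc123"'],
    "_dmarc.example.com": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
}
# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", re.I)
ALL_FINDINGS = {"+all": "+all authorises every sender on the internet",
                "?all": "?all is neutral: no enforcement at all",
                "~all": "~all softfail: enforcement depends on DMARC"}

def audit_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host can send mail as this domain"]
    findings = []
    if len(spf) > 1:  # RFC 7208 requires exactly one; receivers return permerror
        findings.append("multiple SPF records: permerror")
    terms = spf[0].split()
    all_term = next((t.lower() for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term == "all" or all_term in ALL_FINDINGS:
        findings.append(ALL_FINDINGS["+all" if all_term == "all" else all_term])
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: permerror")
    return findings

def audit_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid DMARC policy {policy!r}")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    return findings

def audit_domain(txt_by_name, domain):
    # txt_by_name maps a DNS name to the quoted TXT strings dig prints for it
    clean = lambda name: [r.replace('"', "").strip() for r in txt_by_name.get(name, [])]
    return {"spf": audit_spf(clean(domain)), "dmarc": audit_dmarc(clean("_dmarc." + domain))}
```

Run `audit_domain(SAMPLE_TXT, "example.com")` to see the softfail-plus-p=none combination that leaves a domain spoofable despite having both records.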

Using nslookup

nslookup -type=any example.com
nslookup -type=mx example.com

4. Automating WHOIS & DNS Recon

For large scopes, automate with tools like amass, subfinder, and assetfinder.

Amass Example

amass enum -d example.com -o amass_results.txt

Full Automation Script (Python)

The script below runs the WHOIS, amass, theHarvester, dig, nslookup, dnsrecon and dnsenum steps in one go and saves each tool's output under recon-output/<domain>_<timestamp>/. Commands are run as argument lists rather than through a shell, so the domain taken from the command line cannot inject shell syntax.

#!/usr/bin/env python3
import os
import subprocess
import sys
from datetime import datetime
from pathlib import Path
from termcolor import cprint

OUTPUT_DIR = Path("recon-output")
OUTPUT_DIR.mkdir(exist_ok=True)


def banner():
    cprint("\n[+] WHOIS & DNS Recon Automation (BlackArch Edition)", "cyan", attrs=["bold"])
    cprint(" by H4K2LIV3\n", "magenta")


def run_command(command, title, output_file, env=None):
    # command is an argument list executed without a shell, so the domain
    # argument is passed to the tool verbatim and never parsed as shell syntax
    cprint(f"\n[>] {title}", "yellow", attrs=["bold"])
    try:
        # 60 s is short for amass on a large scope; raise it if runs time out
        result = subprocess.run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                text=True, timeout=60, env=env)
        print(result.stdout)
        output_file.parent.mkdir(parents=True, exist_ok=True)
        with open(output_file, "w") as f:
            f.write(result.stdout)
            if result.stderr:
                f.write("\n[ERRORS]\n" + result.stderr)
    except subprocess.TimeoutExpired:
        cprint("[-] Command timed out", "red")
    except FileNotFoundError:
        cprint(f"[-] {command[0]} is not installed", "red")
    except Exception as e:
        cprint(f"[-] Error: {e}", "red")


def main(domain):
    banner()
    timestamp = datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
    domain_dir = OUTPUT_DIR / f"{domain}_{timestamp}"
    domain_dir.mkdir(parents=True, exist_ok=True)
    # dnsenum is a Perl script; PERL5OPT silences its warnings and is passed
    # through the environment instead of as a shell prefix
    dnsenum_env = {**os.environ, "PERL5OPT": "-Mwarnings=NONE"}
    tools = [
        (["whois", domain], "WHOIS Info", "whois.txt", None),
        (["amass", "enum", "-d", domain, "-o", "-"], "Amass Subdomain Enumeration", "amass.txt", None),
        (["theharvester", "-d", domain, "-b", "all"], "theHarvester Emails & Users", "harvester.txt", None),
        (["dig", domain, "any", "+noall", "+answer"], "DIG Records (ANY)", "dig_any.txt", None),
        (["dig", "mx", domain], "DIG MX Records", "dig_mx.txt", None),
        (["dig", "txt", domain], "DIG TXT Records", "dig_txt.txt", None),
        (["nslookup", "-type=any", domain], "Nslookup ANY", "nslookup_any.txt", None),
        (["dnsrecon", "-d", domain], "DNSRecon Scan", "dnsrecon.txt", None),
        (["dnsenum", domain], "DNSEnum Scan", "dnsenum.txt", dnsenum_env),
    ]
    for cmd, desc, fname, env in tools:
        run_command(cmd, desc, domain_dir / fname, env)
    cprint(f"\n[✓] All recon data saved in: {domain_dir}\n", "green", attrs=["bold"])


if __name__ == "__main__":
    if len(sys.argv) != 2:
        cprint("Usage: python3 blackarch_recon.py <domain.com>\n", "red", attrs=["bold"])
        sys.exit(1)
    main(sys.argv[1])

Master these recon skills to enhance your bug bounty hunting success! 🔍🕵️‍♂️
