
Backtrack 4: Information Gathering: DNS: Dnswalk – A DNS database debugger

This is one of the first articles in our Backtrack tutorial series. Alex and I will be going through the entire Backtrack 4 distro and writing a post on each tool. No single blog or web site has a tutorial on every tool in Backtrack, so we are going to attempt to do that.

Today I will be writing about Dnswalk. Dnswalk is a DNS debugger. It performs zone transfers of the specified domains and checks the database in numerous ways for internal consistency, as well as for correctness according to accepted practices with the Domain Name System. A zone transfer is when a DNS server performs a complete dump of the database for a domain and sends the information from the primary DNS server to the secondary DNS servers. The domain name specified on the command line MUST end with a ‘.’. You can specify a forward domain, such as "dnswalk example.com.", or a reverse domain, such as "dnswalk 3.2.1.in-addr.arpa."

Let's take a look at the help section:


    root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk --help
    ./dnswalk version [unknown] calling Getopt::Std::getopts (version 1.05 [paranoid]),
    running under Perl version 5.10.0.

    Usage: dnswalk [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]

    The following single-character options are accepted:
            With arguments: -D
            Boolean (without arguments): -r -f -i -a -d -m -F -l

    Options may be merged together.  -- stops processing of options.
    Space is not required between options and their arguments.
      [Now continuing due to backward compatibility and excessive paranoia.
       See ``perldoc Getopt::Std'' about $Getopt::Std::STANDARD_HELP_VERSION.]
    Usage: dnswalk domain
    domain MUST end with a '.'

One thing that is annoying about the help section for this tool is that none of the command line switches and arguments are explained. Luckily Dnswalk has a man page online. It describes the options as follows:

    -r  Recursively descend sub-domains of the specified domain. Use with care.
    -a  Turn on warning of duplicate A records. (see below)
    -d  Print debugging and ‘status’ information to stderr. (Use only if redirecting stdout) See DIAGNOSTICS section.
    -m  Perform checks only if the zone has been modified since the previous run.
    -F  Perform “fascist” checking. When checking an A record, compare the PTR name for each IP address with the forward name and report mismatches. (see below) I recommend you try this option at least once to see what sorts of errors pop up – you might be surprised!
    -i  Suppress check for invalid characters in a domain name. (see below)
    -l  Perform “lame delegation” checking. For every NS record, check to see that the listed host is indeed returning authoritative answers for this domain.

OK, so let's try an example:
NOTE: The domain must end in a “.” in order for Dnswalk to be able to use it.


    root@bt:/pentest/enumeration/dns/dnswalk# ./dnswalk -r -d example.com.
    Checking example.com.
    Getting zone transfer of example.com. from ns1.g9dns.net...done.
    SOA=ns1.g9dns.net contact=registry.g9dns.net
    WARN: www.ftp.example.com A no PTR record
    WARN: www.example.com A no PTR record
    WARN: dev.example.com A no PTR record
    WARN: example.com A no PTR record
    WARN: www.mail.example.com A no PTR record
    0 failures, 5 warnings, 0 errors.

In this example we didn’t really get any useful output because zone transfers are becoming increasingly difficult to perform; however, sometimes it can still return some useful information.
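The A/PTR consistency checks behind the "no PTR record" warnings and the “fascist” option can be reproduced offline against zone data you already hold. This is an added example, not dnswalk's own code: the record sets are constructed sample data, and the function names, the `strict` parameter and the warning wording are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone data (not from a real transfer): forward A records
# and the PTR records held in the matching in-addr.arpa zone.
A_RECORDS = [
    ("www.example.com.", "192.0.2.10"),
    ("dev.example.com.", "192.0.2.11"),
    ("mail.example.com.", "192.0.2.12"),
]
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa.": "www.example.com.",
    "12.2.0.192.in-addr.arpa.": "mx1.example.com.",
}


def reverse_name(ip):
    """Return the fully qualified in-addr.arpa (or ip6.arpa) name for ip."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_a_ptr(a_records, ptr_records, strict=False):
    """Flag A records with no PTR; with strict=True (hypothetical name) also
    flag PTR targets that differ from the forward name, as -F is described."""
    warnings = []
    for name, ip in a_records:
        target = ptr_records.get(reverse_name(ip))
        host = name.rstrip(".")
        if target is None:
            warnings.append(f"WARN: {host} A {ip}: no PTR record")
        elif strict and target.lower() != name.lower():
            # DNS names compare case-insensitively, hence lower().
            warnings.append(
                f"WARN: {host} A {ip}: points to {target.rstrip('.')}")
    return warnings


if __name__ == "__main__":
    for line in check_a_ptr(A_RECORDS, PTR_RECORDS, strict=True):
        print(line)
```
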
