How to Query and Retrieve All DNS Records from a Remote Server Programmatically

DNS record retrieval is a common task for network administrators and security researchers. When we talk about "getting all DNS records" from a remote server, we're typically referring to enumerating the DNS zone through authorized methods.

There are several technical methods to accomplish this:

  • Zone transfers (AXFR)
  • DNS queries for specific record types
  • Using DNS enumeration tools
  • API-based approaches for cloud DNS services

The most straightforward method uses the dig command-line tool:

dig example.com ANY

This queries for all record types, but note that many DNS servers restrict ANY queries due to abuse potential.

For servers that allow it, you can request a zone transfer:

dig @ns1.example.com example.com AXFR

However, most modern DNS servers restrict AXFR requests to authorized clients only.

Here's a Python script using the dnspython library to enumerate common record types:

import dns.exception
import dns.resolver

def get_dns_records(domain):
    # One query per type: ANY is often answered minimally and AXFR is usually refused.
    record_types = ['A', 'AAAA', 'MX', 'NS', 'SOA', 'TXT', 'CNAME']
    results = {}

    for record in record_types:
        try:
            # resolve() is the dnspython 2.x API (1.x called it query()).
            answers = dns.resolver.resolve(domain, record)
            results[record] = [str(r) for r in answers]
        except dns.resolver.NoAnswer:
            continue              # name exists but has no records of this type
        except dns.resolver.NXDOMAIN:
            return None           # name does not exist at all; no point trying other types
        except (dns.resolver.NoNameservers, dns.exception.Timeout) as exc:
            results[record] = 'error: %s' % exc   # SERVFAIL/REFUSED from every server, or no reply in time

    return results

print(get_dns_records('example.com'))

When querying DNS records programmatically:

  • Respect rate limits to avoid being blocked
  • Handle errors and timeouts gracefully
  • Cache results when performing repeated queries
  • Be aware of legal restrictions on DNS enumeration

For more thorough reconnaissance, consider these specialized tools:

  • dnsrecon - Comprehensive DNS enumeration tool
  • fierce - DNS reconnaissance tool
  • nmap - Includes DNS enumeration scripts

Retrieving all DNS records from a remote nameserver requires understanding both DNS protocol mechanics and proper query techniques. Unlike simple lookups, comprehensive record enumeration demands special approaches.

There are two primary approaches to gather DNS records:

# Authoritative query (direct to nameserver)
dig example.com ANY @ns1.example.com

# Recursive query (through resolver)
nslookup -query=ANY example.com

The dnspython library provides robust DNS query capabilities:

import dns.exception
import dns.resolver

def get_all_records(domain):
    record_types = ['A', 'AAAA', 'MX', 'TXT', 'CNAME', 'NS', 'SOA']
    results = {}

    for record in record_types:
        try:
            # resolve() is the dnspython 2.x API (1.x called it query()).
            answers = dns.resolver.resolve(domain, record)
            results[record] = [str(r) for r in answers]
        except dns.resolver.NoAnswer:
            continue              # name exists, but no records of this type
        except dns.resolver.NXDOMAIN:
            return None           # name does not exist; stop querying
        except (dns.resolver.NoNameservers, dns.exception.Timeout) as exc:
            results[record] = 'error: %s' % exc   # SERVFAIL/REFUSED everywhere, or no reply in time

    return results

print(get_all_records('example.com'))

For administrators with proper access, AXFR (zone transfer) provides complete record access:

dig axfr example.com @ns1.example.com

Note: Most servers restrict AXFR requests to authorized IPs only.

  • Always obtain proper authorization before querying
  • Rate limit your queries to avoid being blocked
  • Handle DNS query failures gracefully in code

Other useful utilities include:

  • host -a example.com (Unix/Linux)
  • PowerShell's Resolve-DnsName
  • Node.js dns module
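Both answers above query one record type at a time with dnspython and warn that ANY and AXFR are commonly refused. The following is an added example, written for this page and not taken from either answer, that does the same enumeration with only the Python standard library so the wire-format mechanics (query construction, name compression, rcode and TC handling, reply-ID checking) are visible. It assumes a resolver reachable on port 53 when `enumerate_records()` is called with a real server address; the two sample replies (`sample_any_response`, `sample_refused_response`) are constructed in code, not captured traffic, and the addresses in them are documentation ranges.

```python
import random
import socket
import struct
TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}   # RFC 1035 / RFC 3596 codes
TYPE_NAMES = {v: k for k, v in TYPES.items()}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):                            # dotted name -> length-prefixed labels, no compression
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, qid):                # one-question query; flags 0x0100 = Recursion Desired
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)

def read_name(buf, off):                          # RFC 1035 4.1.4 compression; returns (name, offset after it)
    labels, end = [], None
    for _ in range(128):                          # bound the walk so a pointer loop in a hostile reply cannot hang us
        if buf[off] == 0:
            return ".".join(labels) + ".", off + 1 if end is None else end
        if buf[off] & 0xC0 == 0xC0:               # pointer: remember where we were, then follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
            off += 1 + buf[off]
    raise ValueError("name too long or compression pointer loop")

def decode_rdata(buf, rtype, start, rdlen):       # render the common types; anything else as hex
    data = buf[start:start + rdlen]
    if rtype in (TYPES["A"], TYPES["AAAA"]):
        return socket.inet_ntop(socket.AF_INET if rdlen == 4 else socket.AF_INET6, data)
    if rtype in (TYPES["NS"], TYPES["CNAME"]):    # embedded names may point back into the packet
        return read_name(buf, start)[0]
    if rtype == TYPES["MX"]:
        return "%d %s" % (struct.unpack("!H", data[:2])[0], read_name(buf, start + 2)[0])
    if rtype == TYPES["TXT"]:                     # a run of <len><chars> strings
        parts, i = [], 0
        while i < rdlen:
            parts.append(data[i + 1:i + 1 + data[i]].decode("utf-8", "replace"))
            i += 1 + data[i]
        return " ".join('"%s"' % p for p in parts)
    return data.hex()

def parse_response(buf):                          # header, skip the question, decode every answer RR
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off, answers = 12, []
    for _ in range(qd):
        off = read_name(buf, off)[1] + 4          # QNAME, then QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, decode_rdata(buf, rtype, off, rdlen)))
        off += rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "answers": answers}

def query(server, name, qtype, timeout=2.0, tcp=False):   # one query over UDP, or TCP with its length prefix
    qid = random.randrange(65536)                 # random ID: a spoofed reply would have to guess it too
    wire = build_query(name, qtype, qid)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(wire)) + wire)
            f = s.makefile("rb")
            data = f.read(struct.unpack("!H", f.read(2))[0])
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(wire, (server, 53))
            data = s.recvfrom(4096)[0]
    resp = parse_response(data)
    if resp["id"] != qid:
        raise ValueError("reply ID does not match the query ID (spoofed or stale reply?)")
    return resp

def enumerate_records(name, server, types=tuple(TYPES)):   # one query per type; ANY and AXFR are often refused
    found, problems = {}, {}
    for qtype in types:
        try:
            resp = query(server, name, qtype)
            if resp["truncated"]:                 # TC bit: the UDP reply was cut short, repeat over TCP
                resp = query(server, name, qtype, tcp=True)
        except (OSError, ValueError, struct.error, IndexError) as exc:   # timeout, ID mismatch, malformed reply
            problems[qtype] = repr(exc)
            continue
        if resp["rcode"] == "NXDOMAIN":           # the name does not exist; asking for other types is pointless
            return None, {"*": "NXDOMAIN"}
        if resp["rcode"] != "NOERROR":            # e.g. REFUSED from a server that will not recurse for us
            problems[qtype] = resp["rcode"]
        for _, rtype, ttl, rdata in resp["answers"]:   # empty on errors, so safe to walk unconditionally
            found.setdefault(rtype, []).append((ttl, rdata))
    return found, problems

def sample_any_response():                        # constructed reply to 'example.com ANY', not captured traffic
    head = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)      # QR, RD, RA, rcode NOERROR, 3 answers
    question = encode_name("example.com") + struct.pack("!HH", 255, 1)
    ptr = b"\xc0\x0c"                                              # pointer to the QNAME at offset 12
    a = ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    mx_rdata = struct.pack("!H", 10) + b"\x04mail" + ptr           # decodes to "10 mail.example.com."
    mx = ptr + struct.pack("!HHIH", 15, 1, 3600, len(mx_rdata)) + mx_rdata
    txt = ptr + struct.pack("!HHIH", 16, 1, 300, 12) + b"\x0bv=spf1 -all"
    return head + question + a + mx + txt

def sample_refused_response():                    # constructed reply to an AXFR request: REFUSED, no answers
    return struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + encode_name("example.com") + struct.pack("!HH", 252, 1)
```

Against a live resolver, `enumerate_records("example.com", "<resolver-ip>")` returns the records grouped by type plus a dictionary of per-type problems (REFUSED, timeouts, mismatched reply IDs), which is the shape the dnspython scripts above approximate with `NoAnswer`/`NXDOMAIN` handling; the two `sample_*` functions exercise the parser offline and show what a REFUSED answer to an AXFR request looks like on the wire. The name reader is bounded because a malicious server can send compression pointers that loop, and the reply ID is compared with the query ID because a reply that does not carry it is not ours.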