Zone Walking is a technique that is used by attackers to enumerate the full content of DNSSEC-signed DNS zones. We will cover more about it in later chapters; in this recipe, we will use DNSRecon.

DNSRecon is already included in Kali Linux, and we can use it for Zone Walking. Zone Walking is a technique used to find subdomains using domains whose NSEC records are set. However, before we jump into Zone Walking, let's take a quick look at the other features of this tool.

1. To view the help, we type the following:

dnsrecon -h

The following screenshot shows the output of the preceding command:

2. To do a simple recon of name servers, A records, SOA records, MX records, and so on, we can run the following command:

dnsrecon -d packtpub.com -n 8.8.8.8

The following screenshot shows the output of the preceding command:

3. Now let's take an example of a domain that has NSEC records. To do a zone walk, we can simply run the following command:

dnsrecon -z -d icann.org -n 8.8.8.8

The following screenshot shows the output of the preceding command:

4. We can do this manually by using the dig command along with dig +short NSEC domainname.com.
5. The previous dig command will throw us one subdomain, and then we can rerun the same command with the subdomain we got in previous step to find the next subdomain: dig +short NSEC a.domain.com.

When signing a zone, DNSSEC automatically chains all labels in alphabetical order using NSEC Resource Records. This is used to prove the absence of names.

For example, if someone requests the non-existent name name3, the name server responds with the NSEC entry name2 NSEC name5, indicating that no other entry exists between name2 and name5. We take advantage of that by starting with the first entry and then getting all domains by calling successive queries and getting other subdomains.