# DNS Reconnaissance Tool

A comprehensive DNS reconnaissance tool designed for investigators to gather intelligence on hostnames and IP addresses through multiple data sources.

## Features

- **DNS Resolution**: Query multiple DNS servers (1.1.1.1, 8.8.8.8, 9.9.9.9)
- **TLD Expansion**: Automatically try all IANA TLDs for hostname-only inputs
- **Certificate Transparency**: Query crt.sh for SSL certificate information
- **Recursive Discovery**: Automatically discover and analyze subdomains
- **External Intelligence**: Optional Shodan and VirusTotal integration
- **Multiple Interfaces**: Both CLI and web interface available
- **Comprehensive Reports**: JSON and text output formats

## Installation

```bash
# Clone or create the project structure
mkdir dns-recon-tool && cd dns-recon-tool

# Install dependencies
pip install -r requirements.txt
```

## Usage

### Command Line Interface

```bash
# Basic domain scan
python -m src.main example.com

# Try all TLDs for hostname
python -m src.main example

# With API keys and custom depth
python -m src.main example.com --shodan-key YOUR_KEY --virustotal-key YOUR_KEY --max-depth 3

# Save reports
python -m src.main example.com --output results

# JSON only output
python -m src.main example.com --json-only
```

### Web Interface

```bash
# Start web server
python -m src.main --web

# Custom port
python -m src.main --web --port 8080
```

Then open http://localhost:5000 in your browser.

## Configuration

The tool uses the following default settings:
- DNS Servers: 1.1.1.1, 8.8.8.8, 9.9.9.9
- Max Recursion Depth: 2
- Rate Limits: DNS (10/s), crt.sh (2/s), Shodan (0.5/s), VirusTotal (0.25/s)

## API Keys

For enhanced reconnaissance, obtain API keys from:
- [Shodan](https://shodan.io) - Port scanning and service detection
- [VirusTotal](https://virustotal.com) - Security analysis and reputation

## Output

The tool generates two types of reports:

### JSON Report
Complete machine-readable data including:
- All discovered hostnames and IPs
- DNS records by type
- Certificate information
- External service results
- Metadata and timing

### Text Report
Human-readable summary with:
- Executive summary
- Hostnames by discovery depth
- IP address analysis
- DNS record details
- Certificate analysis
- Security findings

## Architecture

```
src/
├── main.py              # CLI entry point
├── web_app.py           # Flask web interface  
├── config.py            # Configuration management
├── data_structures.py   # Data models
├── dns_resolver.py      # DNS functionality
├── certificate_checker.py # crt.sh integration
├── shodan_client.py     # Shodan API
├── virustotal_client.py # VirusTotal API
├── tld_fetcher.py       # IANA TLD handling
├── reconnaissance.py    # Main logic
└── report_generator.py  # Report generation
```