TELCOSEC
// FEATURED SOFTWARE :: PRJ 081
SECURITYRUSTACTIVE

RDNSx: Reverse DNS Reconnaissance Tool for Telecom Networks

Rust-Powered DNS Security & Telecom Recon Toolkit

Industrial-strength asynchronous DNS toolkit engineered in Rust. Specifically optimized for mapping massive telecommunications infrastructure, GGSN/PGW interface discovery, and carrier-grade subdomain enumeration. Capable of high-throughput DNSSEC chain analysis and deep SPF/DMARC/DKIM configuration auditing.

ACCESS REPOSITORY [↗]

// GET ACCESS

Register to deploy RDNSx via the TelcoSec platform.

PLATFORM ACCESS [→]
PRJ_ID: ACAD_24STATUS: ACTIVE
SYSTEM TELEMETRY
LanguageRUST
RuntimeTOKIO async
Throughput1M+ queries/s
Access LevelL-2
CategorySECURITY
Status● ACTIVE
MODULE STATUS
RDNS RECON ACTIVE
TELCO IP MAPPING ACTIVE
ZONE TRANS DETECT DEGRADED
PTR RECORDS FUZZER ACTIVE
// LIVE EXECUTION PREVIEW
$ rdnsx --target 192.168.88.0/24 --threads 512 --ptr --dnssec --output json-l
[▶] INIT: Loading Tokio runtime — 512 concurrent resolvers
[▶] SCAN: Processing 65,536 PTR records in 4 worker threads
[✓] GGSN: ggsn-01.epc.carrier.net [192.168.88.12]
[✓] PGW: pgw-sadb02.sp.carrier.net [192.168.88.89]
[✓] STP: stp-prod-eu01.interconnect.net [192.168.88.104]
[!] AXFR: Zone transfer exposed — ns1.carrier.net
[!] WILDCARD: PTR pool detected 10.x.x.x → *.node.sp.carrier.net
[✗] DNSSEC: Chain validation failure on sub.carrier.net
[▶] Complete: 847 unique hosts resolved in 4.2s — output → rdnsx_out.jsonl
// RESEARCH CAPABILITIES
  • RDNS RECON

    Advanced reverse DNS reconnaissance for mapping carrier infrastructure using custom resolver logic that bypasses OS-level caches.

  • TELCO IP MAPPING

    Mapping IP ranges to specific carrier nodes and regions, including GGSN/PGW interfaces and hidden internal Signaling Transfer Points.

  • ZONE TRANS DETECTOR

    Detecting misconfigured zone transfers in carrier DNS that expose full internal namespace mappings to unauthorized parties.

  • PTR RECORDS FUZZER

    Intelligent fuzzing of PTR records with wildcard suppression heuristics to surface unique high-value infrastructure hosts.

// TECHNICAL SPECIFICATIONS
:: ASYNC RUNTIME
Tokio-based multi-threaded event loop for high-concurrency packet processing.
:: RESOLVER STRATEGY
Custom recursive and iterative resolver logic bypassing OS-level caches.
:: TELCO OPTIMIZATION
Heuristic analysis of wildcards and load-balancing patterns common in GGSN/PGW architectures.
:: OUTPUT FORMATS
JSON-L, CSV, and Grepable output for seamless pipeline integration.
// 01 WHY RUST
01

MEMORY SAFETY

Zero-cost abstractions and the borrow checker ensure memory safety without a garbage collector, preventing buffer overflows in low-level DNS parsing.

02

ASYNC THROUGHPUT

Leveraging the Tokio runtime for non-blocking I/O, RDNSx handles millions of concurrent DNS queries with minimal CPU overhead.

03

PREDICTABLE PERF

Minimal runtime footprint and deterministic performance make it ideal for deployment in constrained environments or long-running monitoring pipelines.

// 02 STRATEGIC USE CASES

CORE INFRA MAPPING

Reverse DNS is often the only way to discover internal GGSN and PGW interfaces not exposed via standard forward DNS.

  • > Discovering hidden APN endpoints
  • > Mapping S5/S8 interconnect interfaces
  • > Identifying localized RAN controllers

COMPLIANCE AUDITING

Telecom operators must ensure internal infrastructure hostnames do not leak sensitive information through PTR records.

  • > DNSSEC validation across carrier zones
  • > SPF/DMARC leakage detection
  • > Unauthorized zone transfer (AXFR) auditing
// 03 DETAILED ARCHITECTURE

RDNSx is designed to handle the complex routing and DNS environments characteristic of Tier-1 telecommunications networks. In typical enterprise IT setups, reverse DNS records are either fully populated or entirely absent. In contrast, mobile carrier networks often deploy hybrid, localized, or split-horizon DNS setups. To successfully map these networks, RDNSx implements a custom resolver client built on top of trust-dns-proto. This allows the toolkit to bypass the operating system's local DNS cache, query authoritative servers directly, and dynamically adjust query timeouts to prevent false-negative timeouts on congested GGSN or PGW backhauls.

The tool features custom heuristics to detect wildcard PTR records and load-balanced DNS pools. In many mobile networks, carriers configure large blocks of IP addresses to resolve to generic, auto-generated names (e.g., node-10-1-2-3.sp.carrier.net). RDNSx automatically identifies these patterns, groups them to reduce clutter, and filters them out of final reports, allowing analysts to focus on unique, high-value infrastructure targets such as internal Signaling Transfer Points (STPs), SMSCs, or core router interfaces.