What is domRecon?
domRecon is a domain reconnaissance tool: it finds subdomains of a domain name using several different methods. I got the idea of doing an online domain scanner from using a Perl script called Fierce.
How does it work?
First it tries to get lucky by performing a DNS zone transfer (AXFR), but on most domains this will fail. It then uses a list of 369 common subdomain names and tries an A record lookup for each one. If a lookup succeeds, it scans the /24 range of the IP address that subdomain maps to, looking for more hosts.
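As an added example (not domRecon's own code), the Python below implements the three stages just described so a zone owner can audit what the method would reveal about their own domain. The DNS lookups are injected callables fed with constructed answers so it runs offline, and the rule that stage 3 keeps only PTR names under the same domain is an assumption about how the range scan works.

```python
import ipaddress

# Lookups are injected callables so the logic runs offline; in real use they
# would wrap a DNS library (an assumption, not domRecon's own code):
#   axfr(zone) -> list of names, or None if the transfer is refused
#   resolve_a(name) -> IPv4 string or None; resolve_ptr(ip) -> name or None

def slash24(ip):
    """Every host address in the /24 that contains ip."""
    return [str(h) for h in ipaddress.ip_network(f"{ip}/24", strict=False).hosts()]


def recon(domain, wordlist, axfr, resolve_a, resolve_ptr):
    """Return {hostname: ip} using the three stages described on this page."""
    # Stage 1: zone transfer. If it succeeds the server hands over the whole
    # zone, which is the misconfiguration a zone owner most wants to catch.
    names = axfr(domain)
    if names is not None:
        return {n: ip for n in names if (ip := resolve_a(n))}
    # Stage 2: A record lookup for each common subdomain name.
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        if ip := resolve_a(name):
            found[name] = ip
    # Stage 3: reverse-lookup the /24 of each hit, keeping PTR names that
    # fall under the same domain (assumed to be how the range scan works).
    seen_nets, suffix = set(), "." + domain
    for ip in list(found.values()):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net in seen_nets:
            continue
        seen_nets.add(net)
        for addr in slash24(ip):
            host = resolve_ptr(addr)
            if host and host.endswith(suffix):
                found.setdefault(host, addr)
    return found


# Constructed sample answers standing in for real DNS; AXFR is refused.
SAMPLE_A = {"www.example.com": "192.0.2.10", "mail.example.com": "198.51.100.5"}
SAMPLE_PTR = {"192.0.2.10": "www.example.com", "192.0.2.20": "dev.example.com",
              "192.0.2.30": "host.other.net", "198.51.100.5": "mail.example.com"}
WORDLIST = ["www", "mail", "ftp", "vpn"]


def demo(domain="example.com"):
    """Run the audit against the constructed data."""
    return recon(domain, WORDLIST, lambda zone: None, SAMPLE_A.get, SAMPLE_PTR.get)
```

Running demo() finds www and mail from the wordlist and then dev from the reverse sweep of 192.0.2.0/24, while host.other.net is dropped because it is outside the domain.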
How long does a scan take?
It depends; normally a complete scan takes about 20 seconds when checking 369 subdomains and scanning about 5 networks. However, large networks will take a lot longer. It all depends on the domain's DNS server and network lag. Status messages are displayed to keep you updated on what is going on, in case you think the scan has hung.