Skip to content

ForkItAllSec/dnsx

BranchesTags
Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

308 Commits
.github
.github
Β 
Β 
cmd
cmd
Β 
Β 
integration_tests
integration_tests
Β 
Β 
internal
internal
Β 
Β 
libs/dnsx
libs/dnsx
Β 
Β 
static
static
Β 
Β 
.gitignore
.gitignore
Β 
Β 
.goreleaser.yml
.goreleaser.yml
Β 
Β 
Dockerfile
Dockerfile
Β 
Β 
LICENSE.md
LICENSE.md
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 
SECURITY.md
SECURITY.md
Β 
Β 
go.mod
go.mod
Β 
Β 
go.sum
go.sum
Β 
Β 
sonar-project.properties
sonar-project.properties
Β 
Β 

Repository files navigation

dnsx

Fast and multi-purpose DNS toolkit allow to run multiple DNS queries.

Features β€’ Installation β€’ Usage β€’ Running dnsx β€’ Wildcard β€’ Notes β€’ Join Discord

dnsx is a fast and multi-purpose DNS toolkit allow to run multiple probes using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers, additionally supports DNS wildcard filtering like shuffledns.

Features

dnsx

  • Simple and Handy utility to query DNS records.
  • A, AAAA, CNAME, PTR, NS, MX, TXT, SOA query support
  • DNS Resolution / Brute-force support
  • Custom resolver input support
  • Multiple resolver format (TCP/UDP/DOH/DOT) support
  • stdin and stdout support
  • Automatic wildcard handling support

Installation Instructions

dnsx requires go1.17 to install successfully. Run the following command to get the repo -

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

Usage

dnsx -h

This will display help for the tool. Here are all the switches it supports.

INPUT:  -l, -list string list of sub(domains)/hosts to resolve (file or stdin)  -d, -domain string list of domain to bruteforce (file or comma separated or stdin)  -w, -wordlist string list of words to bruteforce (file or comma separated or stdin) QUERY:  -a query A record (default)  -aaaa query AAAA record  -cname query CNAME record  -ns query NS record  -txt query TXT record  -ptr query PTR record  -mx query MX record  -soa query SOA record FILTERS:  -resp display dns response  -resp-only display dns response only  -rcode, -rc string filter result by dns status code (eg. -rcode noerror,servfail,refused) RATE-LIMIT:  -t, -c int number of concurrent threads to use (default 100)  -rl, -rate-limit int number of dns request/second to make (disabled as default) (default -1) OUTPUT:  -o, -output string file to write output  -json write output in JSONL(ines) format DEBUG:  -silent display only results in the output  -v, -verbose display verbose output  -raw, -debug display raw dns response  -stats display stats of the running scan  -version display version of dnsx OPTIMIZATION:  -retry int number of dns retries to make (default 2)  -hf, -hostsfile use system host file  -trace perform dns tracing  -trace-max-recursion int Max recursion for dns trace (default 32767)  -flush-interval int flush interval of output file (default 10)  -resume resume existing scan CONFIGURATIONS:  -r, -resolver string list of resolvers to use (file or comma separated)  -wt, -wildcard-threshold int wildcard filter threshold (default 5)  -wd, -wildcard-domain string domain name for wildcard filtering (other flags will be ignored)

Running dnsx

DNS Resolving

dnsx can be used to filter active hostnames from the list of passive subdomains obtained from various sources, for example:-

subfinder -silent -d hackerone.com | dnsx -silent a.ns.hackerone.com www.hackerone.com api.hackerone.com docs.hackerone.com mta-sts.managed.hackerone.com mta-sts.hackerone.com resources.hackerone.com b.ns.hackerone.com mta-sts.forwarding.hackerone.com events.hackerone.com support.hackerone.com

dnsx can be used to print A records for the given list of subdomains, for example:-

subfinder -silent -d hackerone.com | dnsx -silent -a -cname -resp www.hackerone.com [104.16.100.52] www.hackerone.com [104.16.99.52] hackerone.com [104.16.99.52] hackerone.com [104.16.100.52] api.hackerone.com [104.16.99.52] api.hackerone.com [104.16.100.52] mta-sts.forwarding.hackerone.com [185.199.108.153] mta-sts.forwarding.hackerone.com [185.199.109.153] mta-sts.forwarding.hackerone.com [185.199.110.153] mta-sts.forwarding.hackerone.com [185.199.111.153] mta-sts.forwarding.hackerone.com [hacker0x01.github.io] a.ns.hackerone.com [162.159.0.31] resources.hackerone.com [52.60.160.16] resources.hackerone.com [3.98.63.202] resources.hackerone.com [52.60.165.183] resources.hackerone.com [read.uberflip.com] resources.hackerone.com [nlb-ext-traefik-ca-central-1-d39d611502919b07.elb.ca-central-1.amazonaws.com] mta-sts.hackerone.com [185.199.110.153] mta-sts.hackerone.com [185.199.111.153] mta-sts.hackerone.com [185.199.109.153] mta-sts.hackerone.com [185.199.108.153] mta-sts.hackerone.com [hacker0x01.github.io] gslink.hackerone.com [13.35.210.17] gslink.hackerone.com [13.35.210.38] gslink.hackerone.com [13.35.210.83] gslink.hackerone.com [13.35.210.19] gslink.hackerone.com [d3rxkn2g2bbsjp.cloudfront.net] b.ns.hackerone.com [162.159.1.31] docs.hackerone.com [185.199.109.153] docs.hackerone.com [185.199.110.153] docs.hackerone.com [185.199.111.153] docs.hackerone.com [185.199.108.153] docs.hackerone.com [hacker0x01.github.io] support.hackerone.com [104.16.51.111] support.hackerone.com [104.16.53.111] support.hackerone.com [hackerone.zendesk.com] mta-sts.managed.hackerone.com [185.199.108.153] mta-sts.managed.hackerone.com [185.199.109.153] mta-sts.managed.hackerone.com [185.199.110.153] mta-sts.managed.hackerone.com [185.199.111.153] mta-sts.managed.hackerone.com [hacker0x01.github.io]

dnsx can be used to extract A records for the given list of subdomains, for example:-

subfinder -silent -d hackerone.com | dnsx -silent -a -resp-only 104.16.99.52 104.16.100.52 162.159.1.31 104.16.99.52 104.16.100.52 185.199.110.153 185.199.111.153 185.199.108.153 185.199.109.153 104.16.99.52 104.16.100.52 104.16.51.111 104.16.53.111 185.199.108.153 185.199.111.153 185.199.110.153 185.199.111.153

dnsx can be used to extract CNAME records for the given list of subdomains, for example:-

subfinder -silent -d hackerone.com | dnsx -silent -cname -resp support.hackerone.com [hackerone.zendesk.com] resources.hackerone.com [read.uberflip.com] mta-sts.hackerone.com [hacker0x01.github.io] mta-sts.forwarding.hackerone.com [hacker0x01.github.io] events.hackerone.com [whitelabel.bigmarker.com]

dnsx can be used to probe by given dns status code on given list of sub(domains), for example:-

subfinder -silent -d hackerone.com | dnsx -silent -rcode noerror,servfail,refused ns.hackerone.com [NOERROR] a.ns.hackerone.com [NOERROR] b.ns.hackerone.com [NOERROR] support.hackerone.com [NOERROR] resources.hackerone.com [NOERROR] mta-sts.hackerone.com [NOERROR] www.hackerone.com [NOERROR] mta-sts.forwarding.hackerone.com [NOERROR] docs.hackerone.com [NOERROR]

dnsx can be used to extract subdomains from given network range using PTR query, for example:-

echo 173.0.84.0/24 | dnsx -silent -resp-only -ptr cors.api.paypal.com trinityadminauth.paypal.com cld-edge-origin-api.paypal.com appmanagement.paypal.com svcs.paypal.com trinitypie-serv.paypal.com ppn.paypal.com pointofsale-new.paypal.com pointofsale.paypal.com slc-a-origin-pointofsale.paypal.com fpdbs.paypal.com

DNS Bruteforce

dnsx can be used to bruteforce subdomains for given domain or list of domains using d and w flag.

dnsx -silent -d facebook.com -w dns_worldlist.txt blog.facebook.com booking.facebook.com api.facebook.com analytics.facebook.com beta.facebook.com apollo.facebook.com ads.facebook.com box.facebook.com alpha.facebook.com apps.facebook.com connect.facebook.com c.facebook.com careers.facebook.com code.facebook.com

dnsx can be used to bruteforce targeted subdomain using single or multiple keyword input, as d or w flag supports file or comma separated keyword inputs.

dnsx -silent -d domains.txt -w jira,grafana,jenkins grafana.1688.com grafana.8x8.vc grafana.airmap.com grafana.aerius.nl jenkins.1688.com jenkins.airbnb.app jenkins.airmap.com jenkins.ahn.nl jenkins.achmea.nl jira.amocrm.com jira.amexgbt.com jira.amitree.com jira.arrival.com jira.atlassian.net jira.atlassian.com

dnsx support stdin input for all the input flags (list,domain,wordlist), as default l flag is supported for stdin, other input flag can be used by specifying the flag input with dash (-).

cat domains.txt | dnsx -silent -w jira,grafana,jenkins -d - grafana.1688.com grafana.8x8.vc grafana.airmap.com grafana.aerius.nl jenkins.1688.com jenkins.airbnb.app jenkins.airmap.com jenkins.ahn.nl jenkins.achmea.nl jira.amocrm.com jira.amexgbt.com jira.amitree.com jira.arrival.com jira.atlassian.net jira.atlassian.com

Wildcard filtering

A special feature of dnsx is its ability to handle multi-level DNS based wildcards and do it so with very less number of DNS requests. Sometimes all the subdomains will resolve which will lead to lots of garbage in the results. The way dnsx handles this is it will keep track of how many subdomains point to an IP and if the count of the Subdomains increase beyond a certain small threshold, it will check for wildcard on all the levels of the hosts for that IP iteratively.

dnsx -l subdomain_list.txt -wd airbnb.com -o output.txt

πŸ“‹ Notes

  • As default, dnsx checks for A record.
  • As default dnsx uses Google, Cloudflare, Quad9 resolver.
  • Custom resolver list can be used using r flag.
  • Domain name (wd) input is mandatory for wildcard elimination.
  • DNS record flag can not be used when using wildcard filtering.
  • DNS resolution (l) and DNS Bruteforcing (w) can't be used together.

dnsx is made with πŸ–€ by the projectdiscovery team.

About

dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

projectdiscovery.io

Resources

Readme

License

MIT license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

11 tags

Packages

 
 
 

Contributors

Languages

  • Go 96.4%
  • Shell 2.4%
  • Other 1.2%