dnsmap

dnsmap is a DNS subdomain enumeration tool designed for pentesters during the information gathering phase of security assessments. It brute-forces common subdomains using a built-in wordlist of around 1000 English and Spanish words or an external wordlist. The tool helps discover hidden infrastructure like remote access servers, unpatched systems, internal IP addresses, and embedded devices via Dynamic DNS services.

Subdomain bruteforcing is particularly useful when traditional techniques like zone transfers fail, which are rarely allowed publicly. dnsmap reveals non-obvious netblocks, RFC 1918 internal addresses, and new domain names through standard DNS resolving. It does not require root privileges and should not be run with them for security reasons.

The package includes dnsmap for single domain scanning and dnsmap-bulk for mass scanning multiple domains from a file. Originally released in 2006, it's maintained for ethical hacking, forensics, and security testing.

dnsmap performs DNS lookups by appending words from its built-in wordlist (defined in src/dnsmap.h) or a user-specified external wordlist to the target domain (e.g., smtp.example.com). It introduces random delays between queries (default max 10ms) to avoid bandwidth issues. Results are filtered optionally by ignoring specified IPs and saved in timestamped plain text or CSV files. dnsmap-bulk automates this process across multiple domains using dnsmap with default settings as backend.