dnsmap
DNS domain name brute forcing tool that scans for common subdomains using built-in or external wordlists. Results can be saved in CSV and human-readable formats for further processing.
Description
dnsmap is a DNS subdomain enumeration tool designed for pentesters during the information gathering phase of security assessments. It brute-forces common subdomains using a built-in wordlist of around 1000 English and Spanish words or an external wordlist. The tool helps discover hidden infrastructure like remote access servers, unpatched systems, internal IP addresses, and embedded devices via Dynamic DNS services.
Subdomain brute-forcing is particularly useful when traditional techniques such as zone transfers, which are rarely allowed publicly, fail. dnsmap reveals non-obvious netblocks, RFC 1918 internal addresses, and new domain names through standard DNS resolving. It does not require root privileges and should not be run with them for security reasons.
The package includes dnsmap for single domain scanning and dnsmap-bulk for mass scanning multiple domains from a file. Originally released in 2006, it's maintained for ethical hacking, forensics, and security testing.
How It Works
dnsmap performs DNS lookups by prepending words from its built-in wordlist (defined in src/dnsmap.h) or a user-specified external wordlist to the target domain (e.g., smtp.example.com). It introduces random delays between queries (default max 10ms) to avoid bandwidth issues. Results can optionally be filtered by ignoring specified IPs, and are saved in timestamped plain text or CSV files. dnsmap-bulk automates this process across multiple domains, using dnsmap with default settings as its backend.
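On the defending side, the query pattern described above (many distinct labels under one zone in quick succession, most of them answered NXDOMAIN) shows up in resolver or authoritative-server logs. The following Python detector is an added example, not part of dnsmap; the log format, addresses, wordlist and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log: "<epoch_seconds> <client_ip> <qname> <rcode>".
# The log format, addresses and thresholds are assumptions for illustration.
WORDS = ["admin", "smtp", "vpn", "mail", "ftp", "dev", "test", "intranet",
         "owa", "ns1", "webmail", "citrix"]
EXISTING = {"smtp", "mail", "ns1"}  # names that resolve in this constructed zone
SAMPLE_LOG = [
    f"{1700000000 + i * 0.01:.2f} 203.0.113.7 {w}.example.com "
    f"{'NOERROR' if w in EXISTING else 'NXDOMAIN'}"
    for i, w in enumerate(WORDS)
] + [
    "1700000005.00 198.51.100.20 www.example.com NOERROR",
    "1700000030.00 198.51.100.20 mail.example.com NOERROR",
    "1700000090.00 198.51.100.20 wwww.example.com NXDOMAIN",
]

def parse(line):
    ts, client, qname, rcode = line.split()
    labels = qname.rstrip(".").lower().split(".")
    # Simplification: treat the last two labels as the zone (no public suffix list).
    return float(ts), client, ".".join(labels[-2:]), ".".join(labels[:-2]), rcode

def detect_bruteforce(lines, window_s=60.0, min_names=10, min_nx_ratio=0.5):
    """Flag (client, zone) pairs that query many distinct subdomains of one zone
    within window_s seconds, with a high share of NXDOMAIN answers."""
    events = defaultdict(list)
    for line in lines:
        ts, client, zone, sub, rcode = parse(line)
        if sub:  # ignore queries for the zone apex itself
            events[(client, zone)].append((ts, sub, rcode))
    findings = []
    for (client, zone), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:
                start += 1  # slide the window forward
            window = evs[start:end + 1]
            names = {sub for _, sub, _ in window}
            nx = sum(1 for _, _, rc in window if rc == "NXDOMAIN")
            if len(names) >= min_names and nx / len(window) >= min_nx_ratio:
                findings.append({"client": client, "zone": zone,
                                 "distinct_names": len(names),
                                 "nxdomain_ratio": round(nx / len(window), 2)})
                break  # one finding per (client, zone)
    return findings

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

In production the thresholds need tuning against normal traffic, and the zone should be derived with a public suffix list rather than the last two labels.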
Installation
sudo apt install dnsmap
Flags
Examples
dnsmap example.com -w /usr/share/wordlists/dnsmap.txt
dnsmap example.com
dnsmap example.com -w wordlist.txt
dnsmap example.com -r /tmp
dnsmap example.com -r /tmp/ -d 300
dnsmap example.com -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt
dnsmap-bulk.sh domains.txt
dnsmap-bulk domains.txt /tmp/results/