dnstwist
dnstwist generates a list of similar-looking domain names for a given domain and performs DNS queries for them. It checks MX records for active mail servers and estimates webpage similarity based on fuzzy hashes to detect typosquatters, phishing attacks, fraud and corporate espionage.
Description
dnstwist is a domain name permutation engine designed for detecting homograph phishing attacks, typosquatting, fraud and brand impersonation. It creates variations of a given domain name that look similar and queries DNS records including A, AAAA, NS and MX to identify potentially malicious domains.
For MX records, it specifically checks if there is an active mail server that could intercept misdirected emails, aiding in the detection of email phishing setups. The tool also evaluates webpage similarity using fuzzy hashes, providing insight into content mimicry used in phishing campaigns.
This functionality is particularly useful in cybersecurity investigations for proactive threat hunting against typosquatters and impersonators targeting brands.
How It Works
dnstwist generates permutations of the input domain name using fuzzing algorithms to create visually similar domains. It then performs DNS queries for A, AAAA, NS, and MX records on these permutations. For MX records, it verifies whether an active mail server is present that could intercept emails. Webpage similarity is estimated using fuzzy hashes, with a selectable LSH algorithm. Additional features include HTTP/SMTP banner grabbing, GeoIP lookups, and customizable output formats.
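To make the permutation step concrete, here is an added example (not dnstwist's code and not part of the original page) that implements five permutation types and uses them defensively to flag lookalike sender domains in a log sample. The homoglyph table, the function names and the sample domains are assumptions constructed for illustration; no DNS queries are made.

```python
# Added example: lookalike-domain matching for a protected domain.
# Not dnstwist's implementation; HOMOGLYPHS is a small constructed subset.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

def permutations(domain):
    """Return {candidate_domain: fuzzer_name} for a domain such as 'example.com'.
    Assumes a single label before the first dot (hypothetical simplification)."""
    name, _, tld = domain.lower().partition(".")
    out = {}

    def add(candidate, fuzzer):
        # Skip the original name and labels that would start or end with '-'.
        if candidate and candidate != name and candidate.strip("-") == candidate:
            out.setdefault(f"{candidate}.{tld}", fuzzer)

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")          # drop one character
        add(name[:i] + ch * 2 + name[i + 1:], "repetition")  # double one character
        if ch in HOMOGLYPHS:                               # look-alike substitution
            add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:], "homoglyph")
    for i in range(len(name) - 1):                         # swap adjacent characters
        add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")
    for i in range(1, len(name)):                          # insert a hyphen
        add(name[:i] + "-" + name[i:], "hyphenation")
    return out

def flag_lookalikes(protected, observed):
    """Return [(observed_domain, fuzzer)] for observed domains matching a permutation."""
    table = permutations(protected)
    hits = []
    for raw in observed:
        d = raw.strip().lower().rstrip(".")  # normalise case and trailing root dot
        if d in table:
            hits.append((d, table[d]))
    return hits

# Constructed sample: sender domains as they might appear in a mail gateway log.
OBSERVED = ["example.com", "exmaple.com", "examp1e.com",
            "Exampple.com.", "unrelated.org", "exmple.com"]

if __name__ == "__main__":
    for domain, fuzzer in flag_lookalikes("example.com", OBSERVED):
        print(f"{domain}\t{fuzzer}")
```

The legitimate domain and unrelated domains are not flagged; each hit carries the permutation type that produced it, which helps when triaging alerts.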
Installation
sudo apt install dnstwist
Flags
Examples
dnstwist -h
dnstwist example.com
dnstwist -a example.com
dnstwist -b example.com
dnstwist -d /path/to/dictionary.txt example.com
dnstwist -f json example.com
dnstwist --geoip example.com