Information Gathering | dns, query, resolver, wildcard, bruteforce, probe

dnsx

dnsx is a fast and multi-purpose DNS toolkit that performs multiple DNS queries using the retryabledns library with user-supplied resolvers. It supports DNS wildcard filtering and various record types like A, AAAA, CNAME, PTR, NS, MX, TXT, and SOA.

Description

dnsx is designed as a simple utility for querying DNS records and running multiple probes efficiently. It enables users to resolve lists of subdomains or hosts, bruteforce domains with wordlists, and filter results based on DNS status codes or response types. This tool is particularly useful in reconnaissance phases for discovering valid DNS records, tracing DNS paths, and identifying CDN or ASN information associated with hosts.

Use cases include DNS enumeration during security assessments, validating subdomain existence, and handling wildcard subdomains automatically to avoid false positives. It integrates well with other tools via stdin/stdout support, making it suitable for piping into or from other Kali Linux utilities in automated workflows.

The toolkit supports advanced features like rate limiting, retries, and proxy usage, ensuring reliable performance even with large input lists. Automatic update checks and health diagnostics further enhance its usability in production environments.

How It Works

dnsx operates using the retryabledns library to send concurrent DNS queries to specified resolvers, supporting multiple record types (A, AAAA, CNAME, NS, MX, TXT, SOA, SRV, PTR). It performs probes with configurable threads and retries, applies wildcard filtering by tracking response thresholds for specified domains, and handles DNS tracing with recursion limits. Filters process responses by status codes, types, or content, while optimizations like streaming mode and timeouts manage large-scale scans. Output can be formatted as JSONL with optional raw response omission, and CDN/ASN probing fetches additional host metadata.
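The wildcard filtering described above, as an added Python example that is not dnsx's own code. The function name, the injected `resolve` callable, the random-label confirmation step and the `>=` threshold comparison are assumptions made for illustration; all hosts and IPs are constructed sample data.

```python
import secrets
from collections import defaultdict

def wildcard_hosts(records, domain, resolve, threshold=5):
    """records: host -> set of A-record IPs; resolve: callable(name) -> set of IPs."""
    # 1. Group hosts by the IP they resolved to.
    hosts_by_ip = defaultdict(set)
    for host, ips in records.items():
        if host.endswith("." + domain):
            for ip in ips:
                hosts_by_ip[ip].add(host)
    # 2. Only hosts sharing an IP with at least `threshold` names are suspects.
    suspects = set()
    for hosts in hosts_by_ip.values():
        if len(hosts) >= threshold:
            suspects |= hosts
    # 3. Confirm: a random label at each parent level cannot exist, so if it
    #    answers with one of the host's IPs, that level is a wildcard.
    wildcard, probed = set(), {}
    for host in sorted(suspects):
        labels = host[: -len(domain) - 1].split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i + 1:] + [domain])
            if parent not in probed:
                probed[parent] = resolve(f"{secrets.token_hex(8)}.{parent}")
            if records[host] & probed[parent]:
                wildcard.add(host)
                break
    return wildcard

# Constructed sample data (documentation-range IPs, not real results).
WILDCARD_IP, SHARED_LB_IP = "203.0.113.10", "198.51.100.20"
SAMPLE = {f"{w}.dev.example.com": {WILDCARD_IP} for w in "abcdef"}
SAMPLE.update({f"app{n}.example.com": {SHARED_LB_IP} for n in range(1, 6)})
SAMPLE["api.dev.example.com"] = {"198.51.100.7"}
SAMPLE["www.example.com"] = {"198.51.100.5"}

def fake_resolve(name):
    # Stand-in resolver: only *.dev.example.com is a wildcard in this zone.
    return {WILDCARD_IP} if name.endswith(".dev.example.com") else set()

def demo():
    return wildcard_hosts(SAMPLE, "example.com", fake_resolve)

if __name__ == "__main__":
    for host in sorted(demo()):
        print("wildcard:", host)
```

The five `app*` hosts share one address and reach the threshold, but the random-label probe under `example.com` returns nothing, so they are kept as real records rather than filtered as wildcard noise.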

Installation

```bash
sudo apt install dnsx
```

Flags

-l, -list string                    list of sub(domains)/hosts to resolve (file or stdin)
-d, -domain string                  list of domain to bruteforce (file or comma separated or stdin)
-w, -wordlist string                list of words to bruteforce (file or comma separated or stdin)
-a                                  query A record (default)
-aaaa                               query AAAA record
-cname                              query CNAME record
-ns                                 query NS record
-txt                                query TXT record
-srv                                query SRV record
-ptr                                query PTR record
-mx                                 query MX record
-re, -resp                          display dns response
-ro, -resp-only                     display dns response only
-rc, -rcode string                  filter result by dns status code (eg. -rcode noerror,servfail,refused)
-rtf, -response-type-filter string  return entries with no records for the specified query types (e.g., a, cname)
-cdn                                display cdn name
-asn                                display host asn information
-t, -threads int                    number of concurrent threads to use (default 100)
-rl, -rate-limit int                number of dns request/second to make (disabled as default) (default -1)
-up, -update                        update dnsx to latest version
-duc, -disable-update-check         disable automatic dnsx update check
-o, -output string                  file to write output
-j, -json                           write output in JSONL(ines) format
-omit-raw, -or                      omit raw dns response from jsonl output
-hc, -health-check                  run diagnostic check up
-silent                             display only results in the output
-v, -verbose                        display verbose output
-raw, -debug                        display raw dns response
-stats                              display stats of the running scan
-version                            display version of dnsx
-nc, -no-color                      disable color in output
-retry int                          number of dns attempts to make (must be at least 1) (default 2)
-hf, -hostsfile                     use system host file
-trace                              perform dns tracing
-trace-max-recursion int            Max recursion for dns trace (default 255)
-resume                             resume existing scan
-stream                             stream mode (wordlist, wildcard, stats and stop/resume will be disabled)
-timeout value                      maximum time to wait for a DNS query to complete (default 3s)
-auth                               configure ProjectDiscovery Cloud Platform (PDCP) api key (default true)
-r, -resolver string                list of resolvers to use (file or comma separated)
-wt, -wildcard-threshold int        wildcard filter threshold (default 5)
-wd, -wildcard-domain string        domain name for wildcard filtering (other flags will be ignored - only json output is supported)
-proxy string                       proxy to use (eg socks5://127.0.0.1:8080)

Examples

```bash
# Display help and usage information for dnsx
dnsx -h

# Query A records for a list of hosts from file
dnsx -l hosts.txt -a

# Bruteforce subdomains using domain list and wordlist
dnsx -d domains.txt -w wordlist.txt

# Query AAAA and CNAME records for a domain
dnsx -d example.com -aaaa -cname

# Query NS, MX, and TXT records for subdomain list
dnsx -l subdomains.txt -ns -mx -txt

# Probe CDN and ASN info for hosts and save output to file
dnsx -l hosts.txt -cdn -asn -o results.txt

# Perform DNS tracing on input list and output in JSONL format
dnsx -l input.txt -trace -j
```
Updated 2026-Mar-02 | kali.org