LinuxCommandLibrary

dnsmap

Discover subdomain names by brute-force

TLDR

Scan for subdomains using the internal wordlist

$ dnsmap [example.com]

Specify a list of subdomains to check for
$ dnsmap [example.com] -w [path/to/wordlist.txt]

Store results to a CSV file
$ dnsmap [example.com] -c [path/to/file.csv]

Ignore 2 IPs that are false positives (up to 5 possible)
$ dnsmap [example.com] -i [123.45.67.89,98.76.54.32]

SYNOPSIS

dnsmap [options] <target_domain>

PARAMETERS

-w <wordlist>
    Specify custom wordlist file (default: /usr/share/dnsmap/dnsmap.txt)

-r <reportfile>
    Output report prefix (default: dnsmap_<target>)

-f <filterfile>
    Filter file for ignoring common false positives (default: /usr/share/dnsmap/dnsmap.filter)

-R <num>
    Maximum recursion depth (default: 2)

-t <num>
    Number of worker threads (default: 10)

-l <num>
    Maximum results per subdomain (default: 10000)

-o <num>
    Maximum open sockets (default: 200)

-p <port>
    DNS server port (default: 53)

-q
    Quiet mode, suppress screen output

-h
    Display help and exit

DESCRIPTION

dnsmap is a passive reconnaissance tool for mapping a target domain's DNS infrastructure. It generates common subdomain names from a customizable wordlist and queries each one via DNS lookups, without relying on zone transfers or active scanning techniques that might alert defenders. The tool performs recursive enumeration up to a specified depth, capturing IP addresses, CNAMEs, and other records.

Designed for network security testing and OSINT, dnsmap outputs results in multiple formats: human-readable .map files, Graphviz .dot for visualization, and .gnode for further processing. It's multithreaded for efficiency, supports filtering to reduce noise, and limits results per subdomain to prevent overload.

It is suited to identifying hidden subdomains, virtual hosts, and network topology during penetration testing or red teaming. Although described as 'passive', it generates significant query traffic, so use it responsibly to avoid detection.

CAVEATS

Generates high DNS query volume; may trigger rate limiting, IDS alerts, or blacklisting by providers. Not suitable for large-scale stealth ops.
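
The query burst described above is what a defender sees in resolver logs: one client asking for many distinct names under one zone, most of them answered NXDOMAIN. The following detection sketch is an added example, not part of dnsmap or the original page; the log format, the thresholds (60 s window, 20 names, 80% NXDOMAIN) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed log format (constructed, not dnsmap output): "<epoch> <client_ip> <qname> <rcode>"
WORDS = ("www mail ftp vpn dev test admin portal stage db ns1 ns2 smtp pop imap "
         "webmail intranet git ci backup old new beta api cdn").split()

def sample_log():
    """Constructed data: 10.0.0.5 walks a wordlist, 10.0.0.9 is ordinary traffic."""
    rows = [(1000 + i * 0.2, "10.0.0.5", f"{w}.example.com",
             "NOERROR" if w in ("www", "mail") else "NXDOMAIN")
            for i, w in enumerate(WORDS)]
    rows += [(1000 + i * 7, "10.0.0.9", "www.example.com", "NOERROR") for i in range(5)]
    rows.append((1012, "10.0.0.9", "wwww.example.com", "NXDOMAIN"))
    return [f"{t:.1f} {c} {q} {r}" for t, c, q, r in sorted(rows)]

def parent_zone(qname, labels=2):
    """Naive parent zone: last two labels (assumption; ignores the public suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def detect_bruteforce(lines, window=60, min_names=20, min_nx_ratio=0.8):
    """Flag (client, zone) pairs that query many distinct names, mostly NXDOMAIN,
    inside a sliding time window. Lines must be in time order."""
    recent = defaultdict(deque)          # (client, zone) -> events still in the window
    alerts = {}
    for line in lines:
        ts, client, qname, rcode = line.split()
        ts = float(ts)
        key = (client, parent_zone(qname))
        events = recent[key]
        events.append((ts, qname.lower(), rcode))
        while ts - events[0][0] > window:    # expire events older than the window
            events.popleft()
        names = {name for _, name, _ in events}
        nx_ratio = sum(r == "NXDOMAIN" for _, _, r in events) / len(events)
        if key not in alerts and len(names) >= min_names and nx_ratio >= min_nx_ratio:
            alerts[key] = {"first_seen": events[0][0],
                           "distinct_names": len(names),
                           "nx_ratio": round(nx_ratio, 2)}
    return alerts

if __name__ == "__main__":
    for (client, zone), info in detect_bruteforce(sample_log()).items():
        print(f"possible subdomain brute-force: {client} -> {zone} {info}")
```

Tune the thresholds against a baseline of normal resolver traffic before alerting on them.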

OUTPUT FORMATS

Generates <prefix>.map (text), <prefix>.dot (Graphviz), and <prefix>.gnode (structured data). View graphs with:
$ dot -Tpng file.dot -o graph.png

EXAMPLE USAGE

dnsmap -w /usr/share/wordlists/dnsmap.txt -r output example.com
Produces output files prefixed with 'output'.

HISTORY

Developed by Maksym 'gnod' Petkus starting in 2006 as part of the Owl PHP Proxy project. Evolved into a standalone tool, maintained on SourceForge with releases up to 0.30 (2011). Widely used in Kali Linux for pentesting.

SEE ALSO

dig(1), host(1), dnsenum(1), nmap(1)
