LinuxCommandLibrary

dnsmap

Discover subdomain names by brute-force

TLDR

Scan for subdomains using the internal wordlist

$ dnsmap [example.com]

Specify a list of subdomains to check for
$ dnsmap [example.com] -w [path/to/wordlist.txt]

Store results to a CSV file
$ dnsmap [example.com] -c [path/to/file.csv]

Ignore 2 IP addresses that are false positives (up to 5 can be given, comma-separated)
$ dnsmap [example.com] -i [123.45.67.89,98.76.54.32]

SYNOPSIS


dnsmap
<target_domain> [options]

PARAMETERS

<target_domain>
    The target domain for which to scan for subdomains (e.g., example.com).

-w <wordlist_file>
    Specifies a custom wordlist file to use for subdomain brute-forcing instead of the default built-in list.

-r <results_file>
    Saves the discovered subdomains and their corresponding IP addresses to the specified plain-text output file.

-c <csv_file>
    Saves the same results in CSV format to the specified file (as in the TLDR example above).

-i <ip_address>
    Ignores DNS resolutions that point to the specified IP address. This is particularly useful for filtering out wildcard DNS entries.

-d <delay_seconds>
    Sets a delay in seconds between each DNS query. This helps to avoid overwhelming DNS servers and reduces the chance of triggering rate limits or detection.

-v
    Enables verbose output, displaying more detailed information about the scanning process.

-h or --help
    Displays the command's help message, showing available options and usage examples.

DESCRIPTION


dnsmap is a command-line utility designed for passive and active subdomain reconnaissance. It operates primarily by brute-forcing DNS records using a pre-defined or user-supplied wordlist. For each word in the list, dnsmap attempts to resolve <word>.<target_domain> (for example, www.example.com) to an IP address. A successful resolution indicates a potentially live subdomain. This tool is widely used by penetration testers and security researchers to discover hidden or less-obvious subdomains that might host vulnerable services or provide additional attack vectors.

A key feature of dnsmap is its handling of wildcard DNS responses, where a DNS server returns the same IP address for any non-existent subdomain, so every word in the list appears to "hit". The -i option lets users specify one or more IP addresses (up to five, comma-separated) to ignore, filtering out these wildcard hits and providing cleaner results. While straightforward, dnsmap remains a valuable initial step in the information gathering phase of a security assessment, helping to map the attack surface by identifying the accessible subdomains associated with a target.
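As an added illustration of the brute-force loop and the -i wildcard filter described above (example code written for this page, not dnsmap's own source), the following Python models the behaviour against a constructed mock zone. The names ZONE, WILDCARD_POOL, mock_resolve, detect_wildcard and brute_force are assumptions of this example, and no network traffic is generated.

```python
import random
import string

# Constructed mock zone standing in for a live DNS server (not real data).
ZONE = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "vpn.example.com": "192.0.2.30",
}
# The zone also carries a "*.example.com" record whose answer alternates
# between two addresses, so every unknown name resolves to one of them.
WILDCARD_POOL = ["192.0.2.99", "192.0.2.100"]


def mock_resolve(name):
    """Stand-in for a DNS A lookup. Real names answer from ZONE; anything
    else is caught by the wildcard, so a non-existent name never yields None."""
    if name in ZONE:
        return ZONE[name]
    label = name.split(".")[0]
    return WILDCARD_POOL[len(label) % len(WILDCARD_POOL)]


def detect_wildcard(domain, resolver, probes=6, seed=7):
    """Resolve random labels that cannot be real hostnames; any answer is a
    wildcard IP. Varying the label length catches wildcards that rotate
    through several addresses (dnsmap's -i accepts at most five of them)."""
    rng = random.Random(seed)
    seen = set()
    for length in range(8, 8 + probes):
        label = "".join(rng.choices(string.ascii_lowercase, k=length))
        ip = resolver(f"{label}.{domain}")
        if ip is not None:
            seen.add(ip)
    return seen


def brute_force(domain, words, resolver, ignore_ips=frozenset()):
    """dnsmap's core loop: resolve <word>.<domain> and keep hits whose IP is
    not in the ignore set (the -i filter). Without the filter, every word in
    the list 'hits' under a wildcard zone."""
    found = {}
    for word in words:
        name = f"{word}.{domain}"
        ip = resolver(name)
        if ip is not None and ip not in ignore_ips:
            found[name] = ip
    return found


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "dev", "staging", "ftp"]
    noisy = brute_force("example.com", words, mock_resolve)
    wildcard = detect_wildcard("example.com", mock_resolve)
    clean = brute_force("example.com", words, mock_resolve, ignore_ips=wildcard)
    print(f"unfiltered: {len(noisy)} hits; wildcard IPs: {sorted(wildcard)}; real: {sorted(clean)}")
```

Running it shows six "hits" before filtering and only the three genuine hosts once the wildcard addresses are ignored, which is exactly the noise the -i option exists to remove.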

CAVEATS


1. Wordlist Dependency: dnsmap's effectiveness heavily relies on the quality and comprehensiveness of the supplied wordlist. It will only discover subdomains present in the list, potentially missing others.
2. Performance: Scanning large wordlists with a significant delay (using -d) can make the process very slow.
3. Wildcard DNS: While the -i option helps, perfectly identifying and filtering all wildcard entries can sometimes be challenging, leading to noisy results.
4. Rate Limiting/Blocking: High volumes of DNS queries can trigger rate limits on DNS servers or be detected and blocked by intrusion prevention systems (IPS).
5. Ethical Considerations: Always ensure you have explicit permission before performing scans on any domain. Unauthorized scanning can be illegal and unethical.

DEFAULT WORDLIST


By default, if no custom wordlist is specified with -w, dnsmap utilizes a small, built-in wordlist containing common subdomain names. For more comprehensive results, providing a larger, custom wordlist is highly recommended.

ETHICAL USE


It is crucial to use dnsmap responsibly and ethically. Only perform scans on domains for which you have explicit authorization. Unauthorized scanning can lead to legal repercussions.

HISTORY


dnsmap emerged as a straightforward tool in the early 2010s, primarily used by penetration testers for initial reconnaissance. Its simplicity and effectiveness in basic subdomain brute-forcing contributed to its adoption in security workflows. While newer, more sophisticated tools have since appeared, often incorporating multiple enumeration techniques and passive intelligence gathering, dnsmap remains a classic example of a direct, active brute-force approach to subdomain discovery. It is typically distributed as a standalone script (often Python or Perl) or as part of larger security toolkits like Kali Linux, showcasing its enduring utility for a specific, focused task.

SEE ALSO

dig(1), host(1), nslookup(1), fierce(1), amass(1), sublist3r
