dnsx
Resolve DNS queries for multiple hostnames
TLDR
Query the A record of a (sub)domain and show the response received
Query all the DNS records (A, AAAA, CNAME, NS, TXT, SRV, PTR, MX, SOA, AXFR, CAA)
Query a specific type of DNS record
Output response only (do not show the queried domain or subdomain)
Display raw response of a query, specifying resolvers to use and retry attempts for failures
Brute force DNS records using a placeholder
Brute force DNS records from a list of domains and wordlists, appending output to a file with no color codes
Extract CNAME records for the given list of subdomains, rate limiting the number of DNS queries per second
SYNOPSIS
dnsx [OPTIONS] -l <hosts_file> | <piped_input>
Example: subfinder -d example.com | dnsx -a -resp -silent
PARAMETERS
-a
Perform A record lookup (IPv4 address).
-aaaa
Perform AAAA record lookup (IPv6 address).
-axfr
Perform AXFR record lookup (zone transfer).
-cname
Perform CNAME record lookup (canonical name).
-mx
Perform MX record lookup (mail exchange).
-ns
Perform NS record lookup (name server).
-ptr
Perform PTR record lookup (reverse DNS pointer).
-soa
Perform SOA record lookup (start of authority).
-spf
Perform SPF record lookup (sender policy framework).
-txt
Perform TXT record lookup (arbitrary text data).
-dmarc
Perform DMARC record lookup (Domain-based Message Authentication, Reporting & Conformance).
-l <file>
File containing a list of hosts/domains to lookup.
-o <file>
Output file to write results.
-r <file>
File containing a list of resolvers to use for DNS queries.
-s <resolver>
Specify a single custom resolver to use (e.g., 8.8.8.8).
-t <int>
Number of concurrent goroutines (threads) for lookups (default: 25).
-retry <int>
Number of retries for DNS lookups (default: 1).
-wt <int>
Wait time in seconds between lookups for rate limiting (default: 1).
-timeout <int>
Timeout in seconds for DNS lookups (default: 5).
-resp
Show the full DNS response details.
-resp-only
Show only the DNS response without the domain name.
-json
Output results in JSON format.
-silent
Show silent output (only results, no banners or verbose info).
-v
Show verbose output.
-debug
Show debug output for detailed troubleshooting.
-version
Show the version of dnsx.
-h
Show the help message and exit.
-cf <file>
Specify a YAML configuration file for dnsx settings.
-skip-wildcard
Skip wildcard DNS resolutions.
-cdn
Enable CDN (Content Delivery Network) filtering based on known CDN IP ranges.
-dns-filter
Enable DNS filtering to remove duplicate or unwanted records.
-ro
Resolve Only mode (don't perform specific record type lookups; just resolve domain to IP).
-rt <type>
Specify recursion type (e.g., 'no-recursion').
-rc <code>
Filter by DNS response code (e.g., 'NOERROR', 'NXDOMAIN').
-system-resolvers
Use system DNS resolvers (from /etc/resolv.conf).
-nxdomain
Include NXDOMAIN responses in output.
-no-fallback
Do not fall back to system resolvers if custom ones fail.
-cdn-file <file>
File containing a custom list of CDN identifiers for filtering.
-rl <int>
Rate limit requests per second.
DESCRIPTION
dnsx is a powerful and highly efficient command-line utility developed by ProjectDiscovery for comprehensive DNS enumeration and resolution. Designed for bulk processing, it can perform various types of DNS lookups, including A, AAAA, CNAME, MX, NS, PTR, SOA, SPF, TXT, and DMARC records, on a list of domain names. Its primary use cases revolve around reconnaissance, bug bounty hunting, and penetration testing workflows, allowing security professionals to quickly gather extensive DNS information for a given set of targets.
One of its key strengths lies in its ability to process thousands of domains concurrently, leveraging Go's concurrency model. Users can specify custom DNS resolvers, utilize a list of resolvers, or fall back to system resolvers. It supports various output formats, including plain text and JSON, making it easy to integrate with other tools in a pipeline. dnsx is an essential component in many automated subdomain enumeration and vulnerability scanning setups, often used in conjunction with tools like subfinder (for subdomain discovery) and httpx (for HTTP probing) to build a complete picture of an organization's attack surface.
CAVEATS
dnsx is a specialized tool not typically part of standard Linux distributions. It needs to be installed, usually via Go's package manager (e.g., go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest).
Its performance is highly dependent on the quality and responsiveness of the DNS resolvers used. Overly aggressive concurrency (-t flag) or low timeouts (-timeout flag) with unreliable resolvers can lead to missed results or false negatives.
PIPELINE INTEGRATION
dnsx is often used in conjunction with other ProjectDiscovery tools, especially in a piped fashion. For instance, subdomains found by subfinder can be directly piped into dnsx to resolve their A records:
subfinder -d example.com | dnsx -a -silent
This allows for highly efficient and automated workflow creation for asset discovery and vulnerability assessment.
CUSTOM RESOLVERS
To improve lookup speed and accuracy, users can provide a list of custom DNS resolvers using the -r flag or a single resolver with the -s flag. Using public, fast, and reliable resolvers (e.g., Google, Cloudflare, OpenDNS) or even private resolvers can significantly enhance the effectiveness of dnsx.
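The caveat above about missed results with unreliable resolvers can be checked by reconciling a run's output against its input list, so that hosts with no answer are re-checked rather than dropped from an asset inventory. The script below is an added example, not part of the original page or the dnsx project; it assumes a results file with one resolved host per line, as printed by `dnsx -a -silent`, and the function name `unresolved` and all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the dnsx project): list input hosts that a dnsx run
# returned no result for, so they can be re-checked instead of treated as dead.
# Assumption: the results file has one resolved host per line; only the first
# whitespace-separated field is compared, so any text after the host is ignored.

# unresolved HOSTS_FILE RESULTS_FILE
# Prints each host from HOSTS_FILE that is absent from RESULTS_FILE (deduplicated).
unresolved() {
  awk '
    # Normalise a name: drop a trailing CR, lowercase, strip the trailing root dot.
    function norm(s) {
      sub(/\r$/, "", s)
      s = tolower(s)
      sub(/\.$/, "", s)
      return s
    }
    NF == 0 || $1 ~ /^#/ { next }                      # skip blanks and comments
    FILENAME == ARGV[1] { seen[norm($1)] = 1; next }   # first file: results
    {                                                  # second file: input hosts
      h = norm($1)
      if (h != "" && !(h in seen) && !(h in printed)) {
        printed[h] = 1
        print h
      }
    }
  ' "$2" "$1"
}

# Demonstration on constructed sample data (example.com names only).
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'www.example.com' 'API.example.com.' 'vpn.example.com' \
    'mail.example.com' 'vpn.example.com' > "$dir/hosts.txt"
  printf '%s\n' 'www.example.com' 'api.example.com' > "$dir/run1.txt"
  unresolved "$dir/hosts.txt" "$dir/run1.txt"
  rm -rf "$dir"
}

demo
```

The hosts it prints can be saved to a file and passed back to dnsx with -l, using a vetted resolver list (-r), a higher -retry value and a lower -t value, before concluding that they do not resolve.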
HISTORY
dnsx is an integral part of the ProjectDiscovery open-source tool suite, widely adopted by cybersecurity professionals for automated reconnaissance. Developed in Go, it was designed to provide a fast, efficient, and flexible solution for DNS enumeration, addressing the need for bulk DNS lookups in security testing workflows. Its development aligns with ProjectDiscovery's philosophy of creating highly performant and modular tools that can be chained together via standard I/O (stdin/stdout) to build complex scanning pipelines. It has seen continuous development, with features being added to improve filtering, error handling, and performance, solidifying its position as a go-to tool for DNS-related tasks.