dnsx is a fast and multi-purpose DNS toolkit allow to run multiple probes using retryabledns library.
Combine with subfinder.
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
dnsx [flags]
Flags:
INPUT:
-l, -list string list of sub(domains)/hosts to resolve (file or stdin)
-d, -domain string list of domain to bruteforce (file or comma separated or stdin)
-w, -wordlist string list of words to bruteforce (file or comma separated or stdin)
QUERY:
-a query A record (default)
-aaaa query AAAA record
-cname query CNAME record
-ns query NS record
-txt query TXT record
-ptr query PTR record
-mx query MX record
-soa query SOA record
-axfr query AXFR
-caa query CAA record
FILTER:
-re, -resp display dns response
-ro, -resp-only display dns response only
-rc, -rcode string filter result by dns status code (eg. -rcode noerror,servfail,refused)
PROBE:
-cdn display cdn name
RATE-LIMIT:
-t, -threads int number of concurrent threads to use (default 100)
-rl, -rate-limit int number of dns request/second to make (disabled as default) (default -1)
OUTPUT:
-o, -output string file to write output
-json write output in JSONL(ines) format
DEBUG:
-hc, -health-check run diagnostic check up
-silent display only results in the output
-v, -verbose display verbose output
-raw, -debug display raw dns response
-stats display stats of the running scan
-version display version of dnsx
OPTIMIZATION:
-retry int number of dns attempts to make (must be at least 1) (default 2)
-hf, -hostsfile use system host file
-trace perform dns tracing
-trace-max-recursion int Max recursion for dns trace (default 32767)
-resume resume existing scan
-stream stream mode (wordlist, wildcard, stats and stop/resume will be disabled)
CONFIGURATIONS:
-r, -resolver string list of resolvers to use (file or comma separated)
-wt, -wildcard-threshold int wildcard filter threshold (default 5)
-wd, -wildcard-domain string domain name for wildcard filtering (other flags will be ignored)
For more examples see Github.com
$ subfinder -silent -d hackerone.com | dnsx -silent -a -resp
hackerone.com [104.16.99.52]
hackerone.com [104.16.100.52]
docs.hackerone.com [185.199.109.153]
docs.hackerone.com [185.199.108.153]
docs.hackerone.com [185.199.110.153]
docs.hackerone.com [185.199.111.153]
a.ns.hackerone.com [162.159.0.31]
mta-sts.forwarding.hackerone.com [185.199.108.153]
mta-sts.forwarding.hackerone.com [185.199.109.153]
mta-sts.forwarding.hackerone.com [185.199.110.153]
mta-sts.forwarding.hackerone.com [185.199.111.153]
api.hackerone.com [104.16.99.52]
api.hackerone.com [104.16.100.52]
www.hackerone.com [104.16.99.52]
www.hackerone.com [104.16.100.52]
mta-sts.hackerone.com [185.199.108.153]
mta-sts.hackerone.com [185.199.109.153]
mta-sts.hackerone.com [185.199.110.153]
mta-sts.hackerone.com [185.199.111.153]
b.ns.hackerone.com [162.159.1.31]
mta-sts.managed.hackerone.com [185.199.108.153]
gslink.hackerone.com [18.65.39.14]
mta-sts.managed.hackerone.com [185.199.109.153]
mta-sts.managed.hackerone.com [185.199.110.153]
mta-sts.managed.hackerone.com [185.199.111.153]
gslink.hackerone.com [18.65.39.101]
gslink.hackerone.com [18.65.39.9]
gslink.hackerone.com [18.65.39.56]
support.hackerone.com [104.16.53.111]
support.hackerone.com [104.16.51.111]
resources.hackerone.com [3.98.63.202]
resources.hackerone.com [52.60.160.16]
resources.hackerone.com [52.60.165.183]
$ subfinder -silent -d hackerone.com | dnsx -silent -a -resp-only
104.16.99.52
104.16.100.52
162.159.1.31
104.16.99.52
104.16.100.52
185.199.110.153
185.199.111.153
185.199.108.153
185.199.109.153
104.16.99.52
104.16.100.52
104.16.51.111
104.16.53.111
185.199.108.153
185.199.111.153
185.199.110.153
185.199.111.153
subfinder -silent -d hackerone.com | dnsx -silent -cname -resp
support.hackerone.com [hackerone.zendesk.com]
resources.hackerone.com [read.uberflip.com]
mta-sts.hackerone.com [hacker0x01.github.io]
mta-sts.forwarding.hackerone.com [hacker0x01.github.io]
events.hackerone.com [whitelabel.bigmarker.com]