dnstwist
Installation
Abschnitt betitelt „Installation“From PyPI
Abschnitt betitelt „From PyPI“pip install dnstwistFrom Source
Abschnitt betitelt „From Source“git clone https://github.com/elceef/dnstwist.git
cd dnstwist
pip install -e .docker run -it elceef/dnstwist dnstwist example.comRequirements
Abschnitt betitelt „Requirements“- Python 3.7+
dnspython— DNS resolutionrequests— HTTP requestsurllib3— URL parsingGeoIP2database (optional, for geolocation)
Basic Usage
Abschnitt betitelt „Basic Usage“Simple Permutation Check
Abschnitt betitelt „Simple Permutation Check“dnstwist example.comCheck and Resolve DNS
Abschnitt betitelt „Check and Resolve DNS“dnstwist -r example.comExtended Output with Registered Domains
Abschnitt betitelt „Extended Output with Registered Domains“dnstwist -r --registered example.comVerbose Mode
Abschnitt betitelt „Verbose Mode“dnstwist -v example.comPermutation Types
Abschnitt betitelt „Permutation Types“Bitsquatting
Abschnitt betitelt „Bitsquatting“Domain names differing by single bit flip in DNS wire format.
dnstwist --bitsquatting example.comHomoglyph Attack
Abschnitt betitelt „Homoglyph Attack“Visually similar characters (e.g., rn → m, 0 → O).
dnstwist --homoglyph example.comInsertion
Abschnitt betitelt „Insertion“Add characters within domain name.
dnstwist --insertion example.comOmission
Abschnitt betitelt „Omission“Remove single characters from domain.
dnstwist --omission example.comRepetition
Abschnitt betitelt „Repetition“Double consecutive characters.
dnstwist --repetition example.comReplacement
Abschnitt betitelt „Replacement“Replace characters with similar ones.
dnstwist --replacement example.comTransposition
Abschnitt betitelt „Transposition“Swap adjacent characters.
dnstwist --transposition example.comVowel Swap
Abschnitt betitelt „Vowel Swap“Replace vowels with other vowels.
dnstwist --vowelswap example.comAddition
Abschnitt betitelt „Addition“Add common TLD variations and prefixes/suffixes.
dnstwist --addition example.comHyphenation
Abschnitt betitelt „Hyphenation“Add hyphens at various positions.
dnstwist --hyphenation example.comAll Permutation Types
Abschnitt betitelt „All Permutation Types“dnstwist -a example.comDNS Resolution
Abschnitt betitelt „DNS Resolution“Resolve A Records
Abschnitt betitelt „Resolve A Records“dnstwist -r example.comResolve AAAA Records (IPv6)
Abschnitt betitelt „Resolve AAAA Records (IPv6)“dnstwist -r --aaaa example.comResolve with Specific Nameserver
Abschnitt betitelt „Resolve with Specific Nameserver“dnstwist -r -ns 8.8.8.8 example.comCheck Registration Status
Abschnitt betitelt „Check Registration Status“dnstwist --registered example.comVerify DNSSEC
Abschnitt betitelt „Verify DNSSEC“dnstwist -r --dnssec example.comMX Record Checking
Abschnitt betitelt „MX Record Checking“Detect MX Records
Abschnitt betitelt „Detect MX Records“dnstwist -r example.com | grep MXFull MX Verification
Abschnitt betitelt „Full MX Verification“dnstwist -r --mx example.comMail Server Analysis
Abschnitt betitelt „Mail Server Analysis“dnstwist -r -mx example.com | head -20GeoIP Lookup
Abschnitt betitelt „GeoIP Lookup“Enable GeoIP Resolution
Abschnitt betitelt „Enable GeoIP Resolution“dnstwist -r --geoip example.comDownload GeoIP2 Database
Abschnitt betitelt „Download GeoIP2 Database“# Requires MaxMind account
curl https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=YOUR_KEY&suffix=tar.gz -o geolite2.tar.gz
tar xzf geolite2.tar.gzUse Custom GeoIP Database
Abschnitt betitelt „Use Custom GeoIP Database“dnstwist -r --geoip --db /path/to/GeoLite2-City.mmdb example.comWeb Page Similarity Detection
Abschnitt betitelt „Web Page Similarity Detection“Fuzzy Hash Comparison
Abschnitt betitelt „Fuzzy Hash Comparison“dnstwist -r --ssdeep example.comDetect Phishing Pages
Abschnitt betitelt „Detect Phishing Pages“dnstwist -r --ssdeep --verify example.comHTTP Banner Grabbing
Abschnitt betitelt „HTTP Banner Grabbing“dnstwist -r --http example.comHTTPS Certificate Analysis
Abschnitt betitelt „HTTPS Certificate Analysis“dnstwist -r --cert example.comOutput Formats
Abschnitt betitelt „Output Formats“CSV Output
Abschnitt betitelt „CSV Output“dnstwist -r --csv example.com > results.csvJSON Output
Abschnitt betitelt „JSON Output“dnstwist -r --json example.com > results.jsonList Format (Default)
Abschnitt betitelt „List Format (Default)“dnstwist -r example.com > results.txtDomain Names Only
Abschnitt betitelt „Domain Names Only“dnstwist example.com | cut -d' ' -f1Registered Domains Only
Abschnitt betitelt „Registered Domains Only“dnstwist -r example.com | grep -E "^[a-z].*\[" | cut -d' ' -f1Dictionary-Based Generation
Abschnitt betitelt „Dictionary-Based Generation“Add Dictionary Words
Abschnitt betitelt „Add Dictionary Words“dnstwist -w /path/to/wordlist.txt example.comGenerate with Common Dictionary
Abschnitt betitelt „Generate with Common Dictionary“dnstwist -w /usr/share/dict/words example.comDictionary-Only Mode
Abschnitt betitelt „Dictionary-Only Mode“dnstwist -w wordlist.txt --dictionary-only example.comWordlist Format
Abschnitt betitelt „Wordlist Format“# One word per line
malware
phishing
security
adminCombine with Permutations
Abschnitt betitelt „Combine with Permutations“dnstwist -w wordlist.txt -a example.comWHOIS Lookups
Abschnitt betitelt „WHOIS Lookups“Basic WHOIS Query
Abschnitt betitelt „Basic WHOIS Query“dnstwist -r example.com | grep WHOISRegistrar Information
Abschnitt betitelt „Registrar Information“whois examplee.comBulk WHOIS Batch
Abschnitt betitelt „Bulk WHOIS Batch“dnstwist -r --whois example.comMonitoring and Automation
Abschnitt betitelt „Monitoring and Automation“Run Periodic Checks (Bash Loop)
Abschnitt betitelt „Run Periodic Checks (Bash Loop)“while true; do
dnstwist -r --json example.com > check_$(date +%s).json
sleep 3600 # Check hourly
doneContinuous Monitoring with cron
Abschnitt betitelt „Continuous Monitoring with cron“# Add to crontab -e
0 * * * * /usr/local/bin/dnstwist -r --json example.com >> /var/log/dnstwist.logReal-Time Monitoring Script
Abschnitt betitelt „Real-Time Monitoring Script“#!/bin/bash
domain="example.com"
baseline=$(dnstwist -r --json "$domain")
while true; do
current=$(dnstwist -r --json "$domain")
if [ "$baseline" != "$current" ]; then
echo "Change detected at $(date)" | mail -s "dnstwist Alert" admin@example.com
baseline="$current"
fi
sleep 300
doneLog Results to Database
Abschnitt betitelt „Log Results to Database“dnstwist -r --json example.com | jq . | sqlite3 dnstwist.dbAPI and CI Integration
Abschnitt betitelt „API and CI Integration“JSON API Output for Integration
Abschnitt betitelt „JSON API Output for Integration“dnstwist -r --json example.com | jq '.[] | select(.dns_a != null)'Parse JSON Results
Abschnitt betitelt „Parse JSON Results“dnstwist -r --json example.com | jq '.[] | {domain, dns_a, dns_aaaa, whois_created}'Filter Registered Domains
Abschnitt betitelt „Filter Registered Domains“dnstwist -r --json example.com | jq '.[] | select(.dns_a != null) | .domain'GitHub Actions Integration
Abschnitt betitelt „GitHub Actions Integration“name: dnstwist Security Check
on: [schedule]
jobs:
dnstwist:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-python@v2
- run: pip install dnstwist
- run: dnstwist -r --json example.com > results.json
- uses: actions/upload-artifact@v2
with:
name: dnstwist-results
path: results.jsonGitLab CI Integration
Abschnitt betitelt „GitLab CI Integration“dnstwist_scan:
image: python:3.9
script:
- pip install dnstwist
- dnstwist -r --json example.com > results.json
artifacts:
paths:
- results.jsonJenkins Pipeline
Abschnitt betitelt „Jenkins Pipeline“pipeline {
stages {
stage('dnstwist Scan') {
steps {
sh 'pip install dnstwist'
sh 'dnstwist -r --json example.com > results.json'
archiveArtifacts artifacts: 'results.json'
}
}
}
}Advanced Options
Abschnitt betitelt „Advanced Options“Custom Threads for Parallel Resolution
Abschnitt betitelt „Custom Threads for Parallel Resolution“dnstwist -r --threads 10 example.comSet DNS Query Timeout
Abschnitt betitelt „Set DNS Query Timeout“dnstwist -r --timeout 2 example.comName Server Configuration
Abschnitt betitelt „Name Server Configuration“dnstwist -r -ns 1.1.1.1 example.comDisable DNSSEC Validation
Abschnitt betitelt „Disable DNSSEC Validation“dnstwist -r --no-dnssec example.comQuiet Mode (Minimal Output)
Abschnitt betitelt „Quiet Mode (Minimal Output)“dnstwist -q example.comTypical Workflows
Abschnitt betitelt „Typical Workflows“Complete Phishing Investigation
Abschnitt betitelt „Complete Phishing Investigation“dnstwist -r -a --ssdeep --geoip --json example.com > investigation.jsonMonitor High-Risk Domains
Abschnitt betitelt „Monitor High-Risk Domains“for domain in company.com company.org company.net; do
echo "=== $domain ==="
dnstwist -r --registered "$domain"
doneGenerate Squatting Report
Abschnitt betitelt „Generate Squatting Report“dnstwist -r --csv -a example.com > squatting_report.csv
# Then import into spreadsheet for analysisCheck Permutations Without Resolution
Abschnitt betitelt „Check Permutations Without Resolution“dnstwist example.com | wc -l # Total permutations
dnstwist example.com # List all potential domainsFind Only Suspicious Registrations
Abschnitt betitelt „Find Only Suspicious Registrations“dnstwist -r example.com | grep -E "\[A\]|\[MX\]" | grep -v "$(dig +short example.com)"Performance Tips
Abschnitt betitelt „Performance Tips“- Reduce Threads for API Rate Limits:
--threads 2on restricted networks - Skip DNS Verification: Remove
-rflag for faster enumeration - Filter by Permutation Type: Use specific flags instead of
-ato reduce output - Export to CSV Early: Process data in spreadsheet tools rather than terminal
- Batch Multiple Domains: Create script to iterate and append to single JSON
Common Issues
Abschnitt betitelt „Common Issues“DNS Timeout
Abschnitt betitelt „DNS Timeout“# Increase timeout value
dnstwist -r --timeout 5 example.comRate Limiting
Abschnitt betitelt „Rate Limiting“# Add delay between requests
dnstwist -r --threads 1 example.comGeoIP Database Not Found
Abschnitt betitelt „GeoIP Database Not Found“# Ensure database is in expected location
dnstwist -r --geoip --db ~/GeoLite2-City.mmdb example.comMemory Usage with Large Wordlists
Abschnitt betitelt „Memory Usage with Large Wordlists“# Process in chunks instead
split -l 1000 wordlist.txt chunk_
for chunk in chunk_*; do
dnstwist -w "$chunk" example.com
doneSecurity Best Practices
Abschnitt betitelt „Security Best Practices“- Responsible Disclosure: Only test domains you own or have authorization for
- Rate Limiting: Respect DNS provider rate limits and ISP policies
- Logging: Enable verbose mode during investigations for audit trails
- Automation Consent: Inform stakeholders of automated monitoring
- Data Privacy: Securely store results containing sensitive information
- Legal Compliance: Verify domain monitoring is within acceptable use policies