MassDNS

Installation

From Source (Recommended)

# Clone repository
git clone https://github.com/blechschmidt/massdns.git
cd massdns

# Install dependencies (Debian/Ubuntu)
sudo apt-get install build-essential libcurl4-openssl-dev libssl-dev libnss3-dev

# Compile
make

# Install globally
sudo make install

# Verify installation
massdns --version

Pre-built Binary

# Download latest release
wget https://github.com/blechschmidt/massdns/releases/download/v1.3.5/massdns-1.3.5.tar.gz

# Extract and install
tar xzf massdns-1.3.5.tar.gz
cd massdns-1.3.5
sudo cp bin/massdns /usr/local/bin/

Docker

# Run in Docker container
docker run -it blechschmidt/massdns massdns --help

# With volume mount
docker run -v /path/to/domains:/data blechschmidt/massdns massdns -r /data/resolvers.txt /data/domains.txt

Basic Syntax

# Basic DNS resolution
massdns -r resolvers.txt domains.txt

# Write output to file
massdns -r resolvers.txt domains.txt -o output.txt

# Specify record type
massdns -r resolvers.txt domains.txt -t A

# Check single domain
massdns -r resolvers.txt -d example.com

Resolver Lists

Understanding Resolvers

Resolvers are public DNS servers that MassDNS queries. Quality of resolver list directly impacts results.

# Download resolver list (recommended)
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt

# Or use from SecLists
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/public-dns-servers.txt

# Verify resolver list
wc -l resolvers.txt
head resolvers.txt

Creating Custom Resolver List

# Format: IP:PORT (one per line)
cat > custom-resolvers.txt << 'EOF'
8.8.8.8:53
1.1.1.1:53
8.8.4.4:53
1.0.0.1:53
9.9.9.9:53
149.112.112.112:53
EOF

Testing Resolvers

# Validate resolver quality
massdns -r resolvers.txt -s 100 -c 50 domains.txt

# Check resolver health
echo "google.com" | massdns -r resolvers.txt -

# Count active resolvers
massdns -r resolvers.txt --statistics domains.txt

Output Formats

Text Format (Default)

# Standard text output
massdns -r resolvers.txt domains.txt

# Output example:
# example.com. A 93.184.216.34
# test.example.com. A 192.0.2.1

JSON Format

# JSON output (recommended for parsing)
massdns -r resolvers.txt -o J domains.txt > output.json

# JSON format example:
# {
#   "name": "example.com",
#   "type": "A",
#   "class": "IN",
#   "status": "NOERROR",
#   "data": {
#     "answers": [{
#       "name": "example.com",
#       "type": "A",
#       "class": "IN",
#       "ttl": 3599,
#       "data": "93.184.216.34"
#     }]
#   }
# }

Binary Format

# Binary output (faster, smaller file)
massdns -r resolvers.txt -o b domains.txt -w output.bin

# Parse binary output
massdns --root

# Convert to text
cat output.bin | massdns -r resolvers.txt -w - | tee output.txt

CSV Format

# Custom output format
massdns -r resolvers.txt domains.txt -o c

# Pipe to CSV processing
massdns -r resolvers.txt domains.txt | awk '{print $1","$2","$3}' > output.csv

Record Types

Type	Command	Description
A	`-t A`	IPv4 address records
AAAA	`-t AAAA`	IPv6 address records
CNAME	`-t CNAME`	Canonical name records
MX	`-t MX`	Mail exchange records
NS	`-t NS`	Nameserver records
TXT	`-t TXT`	Text records (SPF, DKIM, DMARC)
SOA	`-t SOA`	Start of authority records
PTR	`-t PTR`	Pointer records (reverse DNS)
SRV	`-t SRV`	Service records
ALL	`-t ALL`	All record types

Record Type Examples

# Query A records only
massdns -r resolvers.txt -t A domains.txt

# Query multiple record types
massdns -r resolvers.txt -t A,AAAA,CNAME domains.txt

# Get all records
massdns -r resolvers.txt -t ALL domains.txt

# MX records for mail server enumeration
massdns -r resolvers.txt -t MX domains.txt

# TXT records for security info
massdns -r resolvers.txt -t TXT domains.txt

Performance Tuning

Option	Description	Example
`-s`	Socket count (threads)	`-s 500` (default: 500)
`-c`	Concurrent queries	`-c 10000` (default: 10000)
`-w`	Ignore replies from invalid resolvers	`-w 0`
`-a`	Attempt count before timeout	`-a 1`
`--root`	Use root nameservers	`--root`

Optimization Commands

# High-speed resolution
massdns -r resolvers.txt -s 5000 -c 50000 domains.txt

# Conservative settings (reliable results)
massdns -r resolvers.txt -s 100 -c 1000 -a 3 domains.txt

# For large datasets
massdns -r resolvers.txt -s 1000 -c 10000 domains.txt --root

# With timing information
massdns -r resolvers.txt domains.txt -t 2

Subdomain Enumeration Workflow

Step 1: Generate Subdomain List

Using subfinder:

# Install subfinder
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

# Generate subdomains
subfinder -d example.com -o subdomains.txt

Using Amass:

# Install Amass
go install -v github.com/OWASP/Amass/v3/...@master

# Enumerate subdomains
amass enum -d example.com -o subdomains.txt

Using All3:

# Install All3
python3 -m pip install all3

# Generate wordlist subdomains
all3 example.com

Step 2: Resolve with MassDNS

# Basic resolution
massdns -r resolvers.txt -t A subdomains.txt -o J > resolved.json

# Filter only successful resolutions
massdns -r resolvers.txt -t A subdomains.txt | grep -v SERVFAIL > resolved.txt

Step 3: Extract Valid Domains

# From JSON output
jq -r '.data.answers[0].data' resolved.json | grep -v null

# Filter NXDOMAIN responses
grep -v "NXDOMAIN" resolved.txt | awk '{print $1, $3}'

# Get unique IPs
massdns -r resolvers.txt subdomains.txt | awk '{print $3}' | sort -u

Complete Subdomain Enumeration Pipeline

#!/bin/bash
# subdomain-enum.sh - Complete subdomain enumeration

TARGET="example.com"

echo "[*] Step 1: Generate subdomains with subfinder"
subfinder -d "$TARGET" -o subdomains.txt -silent

echo "[*] Step 2: Resolve with MassDNS"
massdns -r resolvers.txt -t A -o J subdomains.txt > resolved.json

echo "[*] Step 3: Extract valid subdomains"
jq -r '.name' resolved.json | sort -u > valid_subdomains.txt

echo "[*] Step 4: Extract IPs"
jq -r '.data.answers[0].data' resolved.json | grep -v null | sort -u > ips.txt

echo "[+] Enumeration complete!"
echo "[+] Valid subdomains: $(wc -l < valid_subdomains.txt)"
echo "[+] Unique IPs: $(wc -l < ips.txt)"

Filtering Live Domains

Remove Non-Responsive Domains

# Filter out NXDOMAIN responses
massdns -r resolvers.txt domains.txt | grep -v NXDOMAIN > live_domains.txt

# Filter by response status
grep -E "NOERROR|NOANSWER" resolved.txt > status_filtered.txt

# Get only domains with A records
massdns -r resolvers.txt domains.txt | grep " A " > a_records.txt

Extract Live IPs

# Get all resolved IPs
massdns -r resolvers.txt domains.txt -o J | jq -r '.data.answers[0].data' | grep -v null | sort -u

# IP validation
massdns -r resolvers.txt domains.txt | awk '{print $3}' | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

# Count unique IPs
massdns -r resolvers.txt domains.txt -o J | jq -r '.data.answers[0].data' | sort -u | wc -l

Deduplication

# Remove duplicate entries
sort -u domains.txt > domains_dedup.txt

# Count before/after
echo "Before: $(wc -l < domains.txt)"
echo "After: $(wc -l < domains_dedup.txt)"

Rate Limiting

Controlling Query Rate

# Limit to 1000 queries per second
massdns -r resolvers.txt domains.txt -s 100 -c 1000

# Reduce thread count for stability
massdns -r resolvers.txt domains.txt -s 50

# Delay between batches
for batch in split_domains_*; do
  massdns -r resolvers.txt "$batch"
  sleep 5
done

Handling Rate Limiting

# If receiving SERVFAIL responses
massdns -r resolvers.txt domains.txt -a 2 -c 5000

# Retry failed domains
grep SERVFAIL resolved.txt | awk '{print $1}' > failed.txt
massdns -r resolvers.txt failed.txt -a 3 > retried.txt

Common Workflows

Bug Bounty Reconnaissance

#!/bin/bash
# bug-bounty-recon.sh

TARGET="example.com"
RESULTS="recon_results"

mkdir -p "$RESULTS"

# 1. Subdomain enumeration
echo "[*] Generating subdomains..."
subfinder -d "$TARGET" -o "$RESULTS/subdomains_raw.txt" -silent
sort -u "$RESULTS/subdomains_raw.txt" > "$RESULTS/subdomains.txt"

# 2. DNS resolution
echo "[*] Resolving subdomains..."
massdns -r resolvers.txt -t A -o J "$RESULTS/subdomains.txt" > "$RESULTS/dns_raw.json"

# 3. Extract live domains
echo "[*] Filtering live domains..."
jq -r 'select(.status=="NOERROR") | .name' "$RESULTS/dns_raw.json" | sort -u > "$RESULTS/live_domains.txt"

# 4. Extract IPs
jq -r '.data.answers[0].data' "$RESULTS/dns_raw.json" | grep -v null | sort -u > "$RESULTS/ips.txt"

# 5. Summary
echo "[+] Reconnaissance complete!"
echo "[+] Total subdomains: $(wc -l < "$RESULTS/subdomains.txt")"
echo "[+] Live subdomains: $(wc -l < "$RESULTS/live_domains.txt")"
echo "[+] Unique IPs: $(wc -l < "$RESULTS/ips.txt")"

Red Team Operations

#!/bin/bash
# red-team-enum.sh - Stealthy enumeration

TARGET="target.com"

# Multiple sources for comprehensive coverage
echo "[*] Merging subdomain sources..."
cat <(subfinder -d "$TARGET" -silent) \
    <(amass enum -d "$TARGET" -passive) \
    | sort -u > all_subs.txt

# Resolve with rate limiting
echo "[*] Resolving with rate control..."
massdns -r resolvers.txt -t A -s 200 -c 2000 all_subs.txt > resolved.txt

# Extract results
grep -v "NXDOMAIN" resolved.txt | awk '{print $1, $3}' > live.txt

Mass IP Geolocation

# Combine with other tools
massdns -r resolvers.txt domains.txt | awk '{print $3}' | \
  while read ip; do
    geoiplookup "$ip"
  done

Output Analysis

Parse JSON Results

# Extract all resolved domains
jq -r '.name' resolved.json | sort -u

# Get domains by status
jq -r 'select(.status=="NOERROR") | .name' resolved.json

# Extract specific A records
jq -r '.data.answers[] | select(.type=="A") | .data' resolved.json

# Count resolutions by status
jq -r '.status' resolved.json | sort | uniq -c

Statistics

# Success rate
echo "Success rate:"
echo "scale=2; $(grep NOERROR resolved.txt | wc -l) / $(wc -l < input.txt) * 100" | bc

# Average resolution time
grep -oP '\d+(?=ms)' resolved.txt | awk '{sum+=$1} END {print sum/NR" ms average"}'

# Top resolvers used
massdns --statistics domains.txt 2>&1 | grep "resolver"

Troubleshooting

Issue	Solution
No results	Check resolver list quality, ensure domains exist
Too slow	Increase `-s` (sockets) and `-c` (concurrency)
Too many failures	Reduce concurrency, increase attempt count `-a`
Memory issues	Split domain list, process in batches
Invalid resolvers	Update resolver list, test manually

Debug Commands

# Test single domain with verbose output
massdns -r resolvers.txt -d example.com

# Check resolver validity
for resolver in $(head -5 resolvers.txt); do
  echo "Testing $resolver"
  timeout 2 dig @${resolver%:*} example.com
done

# Monitor progress
massdns -r resolvers.txt domains.txt --statistics

# Verify output integrity
jq empty resolved.json && echo "Valid JSON" || echo "Invalid JSON"

Tool	Purpose
`subfinder`	Subdomain discovery tool
`amass`	Comprehensive network mapping
`dig/nslookup`	Manual DNS queries
`dnsenum`	DNS enumeration
`fierce`	DNS subdomain scanner
`dnsrecon`	DNS reconnaissance
`nuclei`	Vulnerability scanning

MassDNS

Installation

From Source (Recommended)

Pre-built Binary

Docker

Basic Syntax

Resolver Lists

Understanding Resolvers

Creating Custom Resolver List

Testing Resolvers

Output Formats

Text Format (Default)

JSON Format

Binary Format

CSV Format

Record Types

Record Type Examples

Performance Tuning

Optimization Commands

Subdomain Enumeration Workflow

Step 1: Generate Subdomain List

Step 2: Resolve with MassDNS

Step 3: Extract Valid Domains

Complete Subdomain Enumeration Pipeline

Filtering Live Domains

Remove Non-Responsive Domains

Extract Live IPs

Deduplication

Rate Limiting

Controlling Query Rate

Handling Rate Limiting

Common Workflows

Bug Bounty Reconnaissance

Red Team Operations

Mass IP Geolocation

Output Analysis

Parse JSON Results

Statistics

Troubleshooting

Debug Commands

Related Tools