dnstwist
Installation
Sezione intitolata “Installation”From PyPI
Sezione intitolata “From PyPI”pip install dnstwistFrom Source
Sezione intitolata “From Source”git clone https://github.com/elceef/dnstwist.git
cd dnstwist
pip install -e .docker run -it elceef/dnstwist dnstwist example.comRequirements
Sezione intitolata “Requirements”- Python 3.7+
dnspython— DNS resolutionrequests— HTTP requestsurllib3— URL parsingGeoIP2database (optional, for geolocation)
Basic Usage
Sezione intitolata “Basic Usage”Simple Permutation Check
Sezione intitolata “Simple Permutation Check”dnstwist example.comCheck and Resolve DNS
Sezione intitolata “Check and Resolve DNS”dnstwist -r example.comExtended Output with Registered Domains
Sezione intitolata “Extended Output with Registered Domains”dnstwist -r --registered example.comVerbose Mode
Sezione intitolata “Verbose Mode”dnstwist -v example.comPermutation Types
Sezione intitolata “Permutation Types”Bitsquatting
Sezione intitolata “Bitsquatting”Domain names differing by single bit flip in DNS wire format.
dnstwist --bitsquatting example.comHomoglyph Attack
Sezione intitolata “Homoglyph Attack”Visually similar characters (e.g., rn → m, 0 → O).
dnstwist --homoglyph example.comInsertion
Sezione intitolata “Insertion”Add characters within domain name.
dnstwist --insertion example.comOmission
Sezione intitolata “Omission”Remove single characters from domain.
dnstwist --omission example.comRepetition
Sezione intitolata “Repetition”Double consecutive characters.
dnstwist --repetition example.comReplacement
Sezione intitolata “Replacement”Replace characters with similar ones.
dnstwist --replacement example.comTransposition
Sezione intitolata “Transposition”Swap adjacent characters.
dnstwist --transposition example.comVowel Swap
Sezione intitolata “Vowel Swap”Replace vowels with other vowels.
dnstwist --vowelswap example.comAddition
Sezione intitolata “Addition”Add common TLD variations and prefixes/suffixes.
dnstwist --addition example.comHyphenation
Sezione intitolata “Hyphenation”Add hyphens at various positions.
dnstwist --hyphenation example.comAll Permutation Types
Sezione intitolata “All Permutation Types”dnstwist -a example.comDNS Resolution
Sezione intitolata “DNS Resolution”Resolve A Records
Sezione intitolata “Resolve A Records”dnstwist -r example.comResolve AAAA Records (IPv6)
Sezione intitolata “Resolve AAAA Records (IPv6)”dnstwist -r --aaaa example.comResolve with Specific Nameserver
Sezione intitolata “Resolve with Specific Nameserver”dnstwist -r -ns 8.8.8.8 example.comCheck Registration Status
Sezione intitolata “Check Registration Status”dnstwist --registered example.comVerify DNSSEC
Sezione intitolata “Verify DNSSEC”dnstwist -r --dnssec example.comMX Record Checking
Sezione intitolata “MX Record Checking”Detect MX Records
Sezione intitolata “Detect MX Records”dnstwist -r example.com | grep MXFull MX Verification
Sezione intitolata “Full MX Verification”dnstwist -r --mx example.comMail Server Analysis
Sezione intitolata “Mail Server Analysis”dnstwist -r -mx example.com | head -20GeoIP Lookup
Sezione intitolata “GeoIP Lookup”Enable GeoIP Resolution
Sezione intitolata “Enable GeoIP Resolution”dnstwist -r --geoip example.comDownload GeoIP2 Database
Sezione intitolata “Download GeoIP2 Database”# Requires MaxMind account
curl https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=YOUR_KEY&suffix=tar.gz -o geolite2.tar.gz
tar xzf geolite2.tar.gzUse Custom GeoIP Database
Sezione intitolata “Use Custom GeoIP Database”dnstwist -r --geoip --db /path/to/GeoLite2-City.mmdb example.comWeb Page Similarity Detection
Sezione intitolata “Web Page Similarity Detection”Fuzzy Hash Comparison
Sezione intitolata “Fuzzy Hash Comparison”dnstwist -r --ssdeep example.comDetect Phishing Pages
Sezione intitolata “Detect Phishing Pages”dnstwist -r --ssdeep --verify example.comHTTP Banner Grabbing
Sezione intitolata “HTTP Banner Grabbing”dnstwist -r --http example.comHTTPS Certificate Analysis
Sezione intitolata “HTTPS Certificate Analysis”dnstwist -r --cert example.comOutput Formats
Sezione intitolata “Output Formats”CSV Output
Sezione intitolata “CSV Output”dnstwist -r --csv example.com > results.csvJSON Output
Sezione intitolata “JSON Output”dnstwist -r --json example.com > results.jsonList Format (Default)
Sezione intitolata “List Format (Default)”dnstwist -r example.com > results.txtDomain Names Only
Sezione intitolata “Domain Names Only”dnstwist example.com | cut -d' ' -f1Registered Domains Only
Sezione intitolata “Registered Domains Only”dnstwist -r example.com | grep -E "^[a-z].*\[" | cut -d' ' -f1Dictionary-Based Generation
Sezione intitolata “Dictionary-Based Generation”Add Dictionary Words
Sezione intitolata “Add Dictionary Words”dnstwist -w /path/to/wordlist.txt example.comGenerate with Common Dictionary
Sezione intitolata “Generate with Common Dictionary”dnstwist -w /usr/share/dict/words example.comDictionary-Only Mode
Sezione intitolata “Dictionary-Only Mode”dnstwist -w wordlist.txt --dictionary-only example.comWordlist Format
Sezione intitolata “Wordlist Format”# One word per line
malware
phishing
security
adminCombine with Permutations
Sezione intitolata “Combine with Permutations”dnstwist -w wordlist.txt -a example.comWHOIS Lookups
Sezione intitolata “WHOIS Lookups”Basic WHOIS Query
Sezione intitolata “Basic WHOIS Query”dnstwist -r example.com | grep WHOISRegistrar Information
Sezione intitolata “Registrar Information”whois examplee.comBulk WHOIS Batch
Sezione intitolata “Bulk WHOIS Batch”dnstwist -r --whois example.comMonitoring and Automation
Sezione intitolata “Monitoring and Automation”Run Periodic Checks (Bash Loop)
Sezione intitolata “Run Periodic Checks (Bash Loop)”while true; do
dnstwist -r --json example.com > check_$(date +%s).json
sleep 3600 # Check hourly
doneContinuous Monitoring with cron
Sezione intitolata “Continuous Monitoring with cron”# Add to crontab -e
0 * * * * /usr/local/bin/dnstwist -r --json example.com >> /var/log/dnstwist.logReal-Time Monitoring Script
Sezione intitolata “Real-Time Monitoring Script”#!/bin/bash
domain="example.com"
baseline=$(dnstwist -r --json "$domain")
while true; do
current=$(dnstwist -r --json "$domain")
if [ "$baseline" != "$current" ]; then
echo "Change detected at $(date)" | mail -s "dnstwist Alert" admin@example.com
baseline="$current"
fi
sleep 300
doneLog Results to Database
Sezione intitolata “Log Results to Database”dnstwist -r --json example.com | jq . | sqlite3 dnstwist.dbAPI and CI Integration
Sezione intitolata “API and CI Integration”JSON API Output for Integration
Sezione intitolata “JSON API Output for Integration”dnstwist -r --json example.com | jq '.[] | select(.dns_a != null)'Parse JSON Results
Sezione intitolata “Parse JSON Results”dnstwist -r --json example.com | jq '.[] | {domain, dns_a, dns_aaaa, whois_created}'Filter Registered Domains
Sezione intitolata “Filter Registered Domains”dnstwist -r --json example.com | jq '.[] | select(.dns_a != null) | .domain'GitHub Actions Integration
Sezione intitolata “GitHub Actions Integration”name: dnstwist Security Check
on: [schedule]
jobs:
dnstwist:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-python@v2
- run: pip install dnstwist
- run: dnstwist -r --json example.com > results.json
- uses: actions/upload-artifact@v2
with:
name: dnstwist-results
path: results.jsonGitLab CI Integration
Sezione intitolata “GitLab CI Integration”dnstwist_scan:
image: python:3.9
script:
- pip install dnstwist
- dnstwist -r --json example.com > results.json
artifacts:
paths:
- results.jsonJenkins Pipeline
Sezione intitolata “Jenkins Pipeline”pipeline {
stages {
stage('dnstwist Scan') {
steps {
sh 'pip install dnstwist'
sh 'dnstwist -r --json example.com > results.json'
archiveArtifacts artifacts: 'results.json'
}
}
}
}Advanced Options
Sezione intitolata “Advanced Options”Custom Threads for Parallel Resolution
Sezione intitolata “Custom Threads for Parallel Resolution”dnstwist -r --threads 10 example.comSet DNS Query Timeout
Sezione intitolata “Set DNS Query Timeout”dnstwist -r --timeout 2 example.comName Server Configuration
Sezione intitolata “Name Server Configuration”dnstwist -r -ns 1.1.1.1 example.comDisable DNSSEC Validation
Sezione intitolata “Disable DNSSEC Validation”dnstwist -r --no-dnssec example.comQuiet Mode (Minimal Output)
Sezione intitolata “Quiet Mode (Minimal Output)”dnstwist -q example.comTypical Workflows
Sezione intitolata “Typical Workflows”Complete Phishing Investigation
Sezione intitolata “Complete Phishing Investigation”dnstwist -r -a --ssdeep --geoip --json example.com > investigation.jsonMonitor High-Risk Domains
Sezione intitolata “Monitor High-Risk Domains”for domain in company.com company.org company.net; do
echo "=== $domain ==="
dnstwist -r --registered "$domain"
doneGenerate Squatting Report
Sezione intitolata “Generate Squatting Report”dnstwist -r --csv -a example.com > squatting_report.csv
# Then import into spreadsheet for analysisCheck Permutations Without Resolution
Sezione intitolata “Check Permutations Without Resolution”dnstwist example.com | wc -l # Total permutations
dnstwist example.com # List all potential domainsFind Only Suspicious Registrations
Sezione intitolata “Find Only Suspicious Registrations”dnstwist -r example.com | grep -E "\[A\]|\[MX\]" | grep -v "$(dig +short example.com)"Performance Tips
Sezione intitolata “Performance Tips”- Reduce Threads for API Rate Limits:
--threads 2on restricted networks - Skip DNS Verification: Remove
-rflag for faster enumeration - Filter by Permutation Type: Use specific flags instead of
-ato reduce output - Export to CSV Early: Process data in spreadsheet tools rather than terminal
- Batch Multiple Domains: Create script to iterate and append to single JSON
Common Issues
Sezione intitolata “Common Issues”DNS Timeout
Sezione intitolata “DNS Timeout”# Increase timeout value
dnstwist -r --timeout 5 example.comRate Limiting
Sezione intitolata “Rate Limiting”# Add delay between requests
dnstwist -r --threads 1 example.comGeoIP Database Not Found
Sezione intitolata “GeoIP Database Not Found”# Ensure database is in expected location
dnstwist -r --geoip --db ~/GeoLite2-City.mmdb example.comMemory Usage with Large Wordlists
Sezione intitolata “Memory Usage with Large Wordlists”# Process in chunks instead
split -l 1000 wordlist.txt chunk_
for chunk in chunk_*; do
dnstwist -w "$chunk" example.com
doneSecurity Best Practices
Sezione intitolata “Security Best Practices”- Responsible Disclosure: Only test domains you own or have authorization for
- Rate Limiting: Respect DNS provider rate limits and ISP policies
- Logging: Enable verbose mode during investigations for audit trails
- Automation Consent: Inform stakeholders of automated monitoring
- Data Privacy: Securely store results containing sensitive information
- Legal Compliance: Verify domain monitoring is within acceptable use policies