dnstwist

Installation

From PyPI

pip install dnstwist

From Source

git clone https://github.com/elceef/dnstwist.git
cd dnstwist
pip install -e .

Docker

docker run -it elceef/dnstwist dnstwist example.com

Requirements

• Python 3.7+
• dnspython — DNS resolution
• requests — HTTP requests
• urllib3 — URL parsing
• GeoIP2 database (optional, for geolocation)

Basic Usage

Simple Permutation Check

dnstwist example.com

Check and Resolve DNS

dnstwist -r example.com

Extended Output with Registered Domains

dnstwist -r --registered example.com

Verbose Mode

dnstwist -v example.com

Permutation Types

Bitsquatting

Domain names differing by single bit flip in DNS wire format.

dnstwist --bitsquatting example.com

Homoglyph Attack

Visually similar characters (e.g., rn → m, 0 → O).

dnstwist --homoglyph example.com

Insertion

Add characters within domain name.

dnstwist --insertion example.com

Omission

Remove single characters from domain.

dnstwist --omission example.com

Repetition

Double consecutive characters.

dnstwist --repetition example.com

Replacement

Replace characters with similar ones.

dnstwist --replacement example.com

Transposition

Swap adjacent characters.

dnstwist --transposition example.com

Vowel Swap

Replace vowels with other vowels.

dnstwist --vowelswap example.com

Addition

Add common TLD variations and prefixes/suffixes.

dnstwist --addition example.com

Hyphenation

Add hyphens at various positions.

dnstwist --hyphenation example.com

All Permutation Types

dnstwist -a example.com

DNS Resolution

Resolve A Records

dnstwist -r example.com

Resolve AAAA Records (IPv6)

dnstwist -r --aaaa example.com

Resolve with Specific Nameserver

dnstwist -r -ns 8.8.8.8 example.com

Check Registration Status

dnstwist --registered example.com

Verify DNSSEC

dnstwist -r --dnssec example.com

MX Record Checking

Detect MX Records

dnstwist -r example.com | grep MX

Full MX Verification

dnstwist -r --mx example.com

Mail Server Analysis

dnstwist -r -mx example.com | head -20

GeoIP Lookup

Enable GeoIP Resolution

dnstwist -r --geoip example.com

Download GeoIP2 Database

# Requires MaxMind account
curl https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=YOUR_KEY&suffix=tar.gz -o geolite2.tar.gz
tar xzf geolite2.tar.gz

Use Custom GeoIP Database

dnstwist -r --geoip --db /path/to/GeoLite2-City.mmdb example.com

Web Page Similarity Detection

Fuzzy Hash Comparison

dnstwist -r --ssdeep example.com

Detect Phishing Pages

dnstwist -r --ssdeep --verify example.com

HTTP Banner Grabbing

dnstwist -r --http example.com

HTTPS Certificate Analysis

dnstwist -r --cert example.com

Output Formats

CSV Output

dnstwist -r --csv example.com > results.csv

JSON Output

dnstwist -r --json example.com > results.json

List Format (Default)

dnstwist -r example.com > results.txt

Domain Names Only

dnstwist example.com | cut -d' ' -f1

Registered Domains Only

dnstwist -r example.com | grep -E "^[a-z].*\[" | cut -d' ' -f1

Dictionary-Based Generation

Add Dictionary Words

dnstwist -w /path/to/wordlist.txt example.com

Generate with Common Dictionary

dnstwist -w /usr/share/dict/words example.com

Dictionary-Only Mode

dnstwist -w wordlist.txt --dictionary-only example.com

Wordlist Format

# One word per line
malware
phishing
security
admin

Combine with Permutations

dnstwist -w wordlist.txt -a example.com

WHOIS Lookups

Basic WHOIS Query

dnstwist -r example.com | grep WHOIS

Registrar Information

whois examplee.com

Bulk WHOIS Batch

dnstwist -r --whois example.com

Monitoring and Automation

Run Periodic Checks (Bash Loop)

while true; do
  dnstwist -r --json example.com > check_$(date +%s).json
  sleep 3600  # Check hourly
done

Continuous Monitoring with cron

# Add to crontab -e
0 * * * * /usr/local/bin/dnstwist -r --json example.com >> /var/log/dnstwist.log

Real-Time Monitoring Script

#!/bin/bash
domain="example.com"
baseline=$(dnstwist -r --json "$domain")

while true; do
  current=$(dnstwist -r --json "$domain")
  if [ "$baseline" != "$current" ]; then
    echo "Change detected at $(date)" | mail -s "dnstwist Alert" admin@example.com
    baseline="$current"
  fi
  sleep 300
done

Log Results to Database

dnstwist -r --json example.com | jq . | sqlite3 dnstwist.db

API and CI Integration

JSON API Output for Integration

dnstwist -r --json example.com | jq '.[] | select(.dns_a != null)'

Parse JSON Results

dnstwist -r --json example.com | jq '.[] | {domain, dns_a, dns_aaaa, whois_created}'

Filter Registered Domains

dnstwist -r --json example.com | jq '.[] | select(.dns_a != null) | .domain'

GitHub Actions Integration

name: dnstwist Security Check
on: [schedule]
jobs:
  dnstwist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@v2
      - run: pip install dnstwist
      - run: dnstwist -r --json example.com > results.json
      - uses: actions/upload-artifact@v2
        with:
          name: dnstwist-results
          path: results.json

GitLab CI Integration

dnstwist_scan:
  image: python:3.9
  script:
    - pip install dnstwist
    - dnstwist -r --json example.com > results.json
  artifacts:
    paths:
      - results.json

Jenkins Pipeline

pipeline {
  stages {
    stage('dnstwist Scan') {
      steps {
        sh 'pip install dnstwist'
        sh 'dnstwist -r --json example.com > results.json'
        archiveArtifacts artifacts: 'results.json'
      }
    }
  }
}

Advanced Options

Custom Threads for Parallel Resolution

dnstwist -r --threads 10 example.com

Set DNS Query Timeout

dnstwist -r --timeout 2 example.com

Name Server Configuration

dnstwist -r -ns 1.1.1.1 example.com

Disable DNSSEC Validation

dnstwist -r --no-dnssec example.com

Quiet Mode (Minimal Output)

dnstwist -q example.com

Typical Workflows

Complete Phishing Investigation

dnstwist -r -a --ssdeep --geoip --json example.com > investigation.json

Monitor High-Risk Domains

for domain in company.com company.org company.net; do
  echo "=== $domain ==="
  dnstwist -r --registered "$domain"
done

Generate Squatting Report

dnstwist -r --csv -a example.com > squatting_report.csv
# Then import into spreadsheet for analysis

Check Permutations Without Resolution

dnstwist example.com | wc -l  # Total permutations
dnstwist example.com          # List all potential domains

Find Only Suspicious Registrations

dnstwist -r example.com | grep -E "\[A\]|\[MX\]" | grep -v "$(dig +short example.com)"

Performance Tips

• Reduce Threads for API Rate Limits: --threads 2 on restricted networks
• Skip DNS Verification: Remove -r flag for faster enumeration
• Filter by Permutation Type: Use specific flags instead of -a to reduce output
• Export to CSV Early: Process data in spreadsheet tools rather than terminal
• Batch Multiple Domains: Create script to iterate and append to single JSON

Common Issues

DNS Timeout

# Increase timeout value
dnstwist -r --timeout 5 example.com

Rate Limiting

# Add delay between requests
dnstwist -r --threads 1 example.com

GeoIP Database Not Found

# Ensure database is in expected location
dnstwist -r --geoip --db ~/GeoLite2-City.mmdb example.com

Memory Usage with Large Wordlists

# Process in chunks instead
split -l 1000 wordlist.txt chunk_
for chunk in chunk_*; do
  dnstwist -w "$chunk" example.com
done

Security Best Practices

• Responsible Disclosure: Only test domains you own or have authorization for
• Rate Limiting: Respect DNS provider rate limits and ISP policies
• Logging: Enable verbose mode during investigations for audit trails
• Automation Consent: Inform stakeholders of automated monitoring
• Data Privacy: Securely store results containing sensitive information
• Legal Compliance: Verify domain monitoring is within acceptable use policies