DNSx DNS Toolkit Cheat Sheet
Overview
DNSx is a fast and multi-purpose DNS toolkit developed by Project Discovery that allows running multiple DNS probes using the retryabledns library. It's designed to perform various DNS queries with a focus on speed and reliability. DNSx can handle multiple DNS record types and supports custom resolvers, making it a versatile tool for DNS reconnaissance and enumeration.
What sets DNSx apart from other DNS tools is its ability to process large numbers of domains efficiently and its integration capabilities with other security tools. It can filter out wildcard DNS records, perform DNS walking, and extract valuable information from DNS responses. DNSx is commonly used in the reconnaissance phase of security assessments to gather information about target domains and their infrastructure.
DNSx supports various input formats and can be easily integrated with other tools in a pipeline, making it an essential component in many security testing workflows. Its ability to filter results based on various criteria helps security professionals focus on the most relevant targets.
Installation
Using Go
# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
# Verify installation
dnsx -version
Using Docker
# Pull the latest Docker image
docker pull projectdiscovery/dnsx:latest
# Run DNSx using Docker
docker run -it projectdiscovery/dnsx:latest -h
Using Homebrew (macOS)
# Install using Homebrew
brew install dnsx
# Verify installation
dnsx -version
Using PDTM (Project Discovery Tools Manager)
# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
# Install DNSx using PDTM
pdtm -i dnsx
# Verify installation
dnsx -version
On Kali Linux
# Install using apt
sudo apt install dnsx
# Verify installation
dnsx -version
Basic Usage
DNS Lookups
# Perform A record lookup for a single domain
dnsx -d example.com -a
# Perform A record lookup for multiple domains
dnsx -d example.com,hackerone.com -a
# Perform A record lookup from a list of domains
dnsx -l domains.txt -a
# Perform A record lookup from STDIN
cat domains.txt|dnsx -a
Record Types
# Query A records (IPv4 addresses)
dnsx -l domains.txt -a
# Query AAAA records (IPv6 addresses)
dnsx -l domains.txt -aaaa
# Query CNAME records (Canonical names)
dnsx -l domains.txt -cname
# Query NS records (Name servers)
dnsx -l domains.txt -ns
# Query TXT records (Text records)
dnsx -l domains.txt -txt
# Query MX records (Mail exchange servers)
dnsx -l domains.txt -mx
# Query SOA records (Start of authority)
dnsx -l domains.txt -soa
# Query PTR records (Pointer records)
dnsx -l domains.txt -ptr
# Query multiple record types
dnsx -l domains.txt -a -cname -ns
Output Options
# Save results to a file
dnsx -l domains.txt -a -o results.txt
# Output in JSON format
dnsx -l domains.txt -a -json -o results.json
# Output in CSV format
dnsx -l domains.txt -a -csv -o results.csv
# Silent mode (only results)
dnsx -l domains.txt -a -silent
Advanced Usage
Resolver Configuration
# Use specific DNS resolvers
dnsx -l domains.txt -a -resolver 1.1.1.1,8.8.8.8
# Use resolvers from a file
dnsx -l domains.txt -a -resolver-file resolvers.txt
# Use system resolvers
dnsx -l domains.txt -a -system-resolver
Response Filtering
# Filter by response containing specific string
dnsx -l domains.txt -a -resp-only -resp "1.2.3.4"
# Filter by response matching regex
dnsx -l domains.txt -a -resp-only -resp-regex "^1\.2\.[0-9]+\.[0-9]+$"
Wildcard Filtering
# Enable wildcard filtering
dnsx -l domains.txt -a -wildcard
# Set wildcard threshold
dnsx -l domains.txt -a -wildcard-threshold 5
DNS Walking
# Enable DNS walking
dnsx -l domains.txt -a -walk
# Set DNS walking threads
dnsx -l domains.txt -a -walk -walk-threads 20
Performance Optimization
Concurrency and Rate Limiting
# Set concurrency (default: 100)
dnsx -l domains.txt -a -c 200
# Set rate limit
dnsx -l domains.txt -a -rate-limit 100
# Set retries
dnsx -l domains.txt -a -retries 3
Timeout Options
# Set timeout for DNS queries (milliseconds)
dnsx -l domains.txt -a -timeout 5000
Optimization for Large Scans
# Use stream mode for large inputs
dnsx -l large-domains.txt -a -stream
# Increase concurrency for faster scanning
dnsx -l domains.txt -a -c 500
Integration with Other Tools
Pipeline with Subfinder
# Find subdomains and resolve them
subfinder -d example.com -silent|dnsx -a -silent
# Find subdomains and check for specific record types
subfinder -d example.com -silent|dnsx -a -cname -silent
Pipeline with HTTPX
# Resolve domains and probe for HTTP services
dnsx -l domains.txt -a -silent|httpx -silent
# Resolve domains, filter by IP, and probe for HTTP services
dnsx -l domains.txt -a -silent -resp "1.2.3.4"|httpx -silent
Pipeline with Naabu
# Resolve domains and scan for open ports
dnsx -l domains.txt -a -silent|naabu -silent
# Resolve domains, filter by IP, and scan for open ports
dnsx -l domains.txt -a -silent -resp "1.2.3.4"|naabu -silent
Output Customization
Custom Output Format
# Output only domain and IP
dnsx -l domains.txt -a -resp-only
# Output with additional information
dnsx -l domains.txt -a -json
# Count unique IPs
dnsx -l domains.txt -a -resp-only|sort -u|wc -l
# Sort output by IP
dnsx -l domains.txt -a -resp-only|sort -t ' ' -k2
Filtering Output
# Filter by IP
dnsx -l domains.txt -a -resp-only|grep "1.2.3.4"
# Filter by domain
dnsx -l domains.txt -a -resp-only|grep "example.com"
# Find unique IPs
dnsx -l domains.txt -a -resp-only|awk '\\\\{print $2\\\\}'|sort -u
Advanced Filtering
IP Filtering
# Filter by specific IP
dnsx -l domains.txt -a -resp-only -resp "1.2.3.4"
# Filter by IP range
dnsx -l domains.txt -a -resp-only -resp-regex "^1\.2\.3\.[0-9]+$"
Domain Filtering
# Filter by domain pattern
dnsx -l domains.txt -a -resp-only|grep "api"
# Filter by specific TLD
dnsx -l domains.txt -a -resp-only|grep "\.com$"
CNAME Filtering
# Find domains with specific CNAME
dnsx -l domains.txt -cname -resp-only -resp "cdn.example.com"
# Find domains with CNAME pointing to specific services
dnsx -l domains.txt -cname -resp-only -resp-regex "amazonaws\.com$"
Miscellaneous Features
Reverse DNS Lookup
# Perform reverse DNS lookup
dnsx -l ips.txt -ptr
# Perform reverse DNS lookup with response filtering
dnsx -l ips.txt -ptr -resp-only -resp "example.com"
DNS Trace
# Perform DNS trace
dnsx -d example.com -trace
# Perform DNS trace with specific resolver
dnsx -d example.com -trace -resolver 1.1.1.1
Health Check
# Check resolver health
dnsx -hc -resolver 1.1.1.1,8.8.8.8
# Check resolver health with timeout
dnsx -hc -resolver 1.1.1.1,8.8.8.8 -timeout 5000
Troubleshooting
Common Issues
- Resolver Issues ```bash # Try different resolvers dnsx -l domains.txt -a -resolver 1.1.1.1,8.8.8.8
# Check resolver health dnsx -hc -resolver 1.1.1.1,8.8.8.8 ```
- Timeout Issues ```bash # Increase timeout dnsx -l domains.txt -a -timeout 10000
# Increase retries dnsx -l domains.txt -a -retries 5 ```
- Rate Limiting ```bash # Reduce concurrency dnsx -l domains.txt -a -c 50
# Set rate limit dnsx -l domains.txt -a -rate-limit 50 ```
- Memory Issues
bash # Use stream mode for large inputs dnsx -l large-domains.txt -a -stream
Debugging
# Enable verbose mode
dnsx -l domains.txt -a -v
# Show debug information
dnsx -l domains.txt -a -debug
# Show statistics
dnsx -l domains.txt -a -stats
Configuration
Configuration File
DNSx uses a configuration file located at $HOME/.config/dnsx/config.yaml. You can customize various settings in this file:
# Example configuration file
concurrency: 100
rate-limit: 100
retries: 3
timeout: 5000
resolvers:
- 1.1.1.1
- 8.8.8.8
Environment Variables
# Set DNSx configuration via environment variables
export DNSX_CONCURRENCY=100
export DNSX_RATE_LIMIT=100
export DNSX_RETRIES=3
export DNSX_TIMEOUT=5000
export DNSX_RESOLVERS=1.1.1.1,8.8.8.8
Reference
Command Line Options
| Flag | Description |
|---|---|
-d, -domain |
Target domain to query |
-l, -list |
File containing list of domains to query |
-a |
Query A records |
-aaaa |
Query AAAA records |
-cname |
Query CNAME records |
-ns |
Query NS records |
-txt |
Query TXT records |
-mx |
Query MX records |
-soa |
Query SOA records |
-ptr |
Query PTR records |
-o, -output |
File to write output to |
-json |
Write output in JSON format |
-csv |
Write output in CSV format |
-silent |
Show only results in output |
-v, -verbose |
Show verbose output |
-resolver |
DNS resolvers to use |
-resolver-file |
File containing DNS resolvers |
-system-resolver |
Use system resolvers |
-resp-only |
Show only response in output |
-resp |
Filter response containing string |
-resp-regex |
Filter response matching regex |
-wildcard |
Enable wildcard filtering |
-wildcard-threshold |
Wildcard filtering threshold |
-walk |
Enable DNS walking |
-walk-threads |
Number of DNS walking threads |
-c, -concurrency |
Number of concurrent queries |
-rate-limit |
Maximum number of queries per second |
-retries |
Number of retries for failed queries |
-timeout |
Timeout for DNS queries in milliseconds |
-stream |
Stream mode for large inputs |
-hc |
Check resolver health |
-trace |
Perform DNS trace |
-version |
Show DNSx version |
Record Types
| Type | Description |
|---|---|
A |
IPv4 address records |
AAAA |
IPv6 address records |
CNAME |
Canonical name records |
NS |
Name server records |
TXT |
Text records |
MX |
Mail exchange records |
SOA |
Start of authority records |
PTR |
Pointer records |
Resources
This cheat sheet provides a comprehensive reference for using DNSx, from basic DNS queries to advanced filtering and integration with other tools. For the most up-to-date information, always refer to the official documentation.