
MassDNS

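# Clone the repository. Cloning the default branch builds whatever it holds
# today; for a reproducible build check out the release tag instead, e.g.
# `git clone --branch v1.3.5 https://github.com/blechschmidt/massdns.git`
# (v1.3.5 is the release referenced by the download link on this page).
git clone https://github.com/blechschmidt/massdns.git
# A failed cd must stop here, otherwise make runs in the wrong directory.
cd massdns || exit 1

# Install build dependencies (Debian/Ubuntu).
sudo apt-get install build-essential libcurl4-openssl-dev libssl-dev libnss3-dev

# Compile from source.
make

# Install the binary system-wide.
sudo make install

# Verify the installation. `--help` is the usage flag shown elsewhere on this
# page; if your build does not accept `--version`, use `massdns --help`.
massdns --version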
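# Download a release archive (version pinned in the URL).
wget https://github.com/blechschmidt/massdns/releases/download/v1.3.5/massdns-1.3.5.tar.gz

# Verify the archive before installing anything from it: compare its digest
# with the value published on the release page (placeholder below), or check
# the release signature if one is provided.
# sha256sum massdns-1.3.5.tar.gz   # expected: <sha256 from release page>

# Extract and install. The cd is checked so the copy cannot run from the
# wrong directory, and `install` sets the file mode explicitly instead of
# inheriting whatever the archive carried.
tar xzf massdns-1.3.5.tar.gz
cd massdns-1.3.5 || exit 1
# NOTE(review): if the archive is a source release, run `make` first so that
# bin/massdns exists — confirm against the archive contents.
sudo install -m 0755 bin/massdns /usr/local/bin/massdns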
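# Run in a Docker container (prints the built-in usage text). The image tag
# is implicit (`latest`); pin a specific tag for reproducible runs once you
# have chosen one. `--rm` removes the stopped container afterwards.
docker run --rm -it blechschmidt/massdns massdns --help

# With a volume mount. This invocation only reads resolvers.txt and
# domains.txt from /data and writes results to stdout, so the mount can be
# read-only; drop `:ro` only if you write output into /data with -w.
docker run --rm -v /path/to/domains:/data:ro blechschmidt/massdns massdns -r /data/resolvers.txt /data/domains.txt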
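# Basic DNS resolution.
massdns -r resolvers.txt domains.txt

# Write output to a file. `-w` is the output-file flag used elsewhere on this
# page (`-w output.bin`); `-o` selects the output *format* (`-o J`), so
# `-o output.txt` would be read as format flags rather than a filename.
massdns -r resolvers.txt domains.txt -w output.txt

# Specify the record type.
massdns -r resolvers.txt domains.txt -t A

# Check a single domain: feed the name on stdin and pass `-` as the domain
# list, the same form this page uses for resolver health checks.
printf '%s\n' example.com | massdns -r resolvers.txt -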

Resolvers are the public DNS servers that MassDNS sends its queries to. The quality of the resolver list directly affects the results.

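# Download a resolver list (recommended). `-O` fixes the local filename so
# the verification commands below work whichever source you pick.
wget -O resolvers.txt https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt

# Or use the list from SecLists (saved under the same name, otherwise the
# checks below would look at a file that does not exist).
wget -O resolvers.txt https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/public-dns-servers.txt

# Verify the resolver list: entry count and a sample of entries.
# These are third-party lists of open resolvers; treat any single answer as
# unverified and cross-check important results against a resolver you trust.
wc -l resolvers.txt
head resolvers.txt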
# Custom resolver list, one IP:PORT entry per line.
printf '%s\n' \
  8.8.8.8:53 \
  1.1.1.1:53 \
  8.8.4.4:53 \
  1.0.0.1:53 \
  9.9.9.9:53 \
  149.112.112.112:53 \
  > custom-resolvers.txt
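# Validate resolver quality with conservative settings. The -s/-c meanings
# used here are the ones in this page's option table; confirm them against
# `massdns --help` for your version, since short flags differ between builds.
massdns -r resolvers.txt -s 100 -c 50 domains.txt

# Check resolver health with a single well-known name read from stdin
# (printf rather than echo, whose flag/backslash handling is not portable).
printf '%s\n' google.com | massdns -r resolvers.txt -

# Count active resolvers. NOTE(review): `--statistics` is used as shown on
# this page; verify it exists in your build with `massdns --help`.
massdns -r resolvers.txt --statistics domains.txt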
# Standard text output, written to stdout.
massdns -r "resolvers.txt" "domains.txt"

# Example output — one line per record: name, type, data.
#   example.com. A 93.184.216.34
#   test.example.com. A 192.0.2.1
# JSON output (recommended for parsing). Responses are emitted as a stream of
# JSON objects, one per line, which is what the jq pipelines on this page
# consume.
massdns -r "resolvers.txt" -o J "domains.txt" > "output.json"

# One record, expanded for readability:
# {
#   "name": "example.com", "type": "A", "class": "IN", "status": "NOERROR",
#   "data": {
#     "answers": [
#       { "name": "example.com", "type": "A", "class": "IN",
#         "ttl": 3599, "data": "93.184.216.34" }
#     ]
#   }
# }
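# Binary output (faster, smaller file). The format is chosen with -o, the
# destination file with -w.
massdns -r resolvers.txt -o b domains.txt -w output.bin

# NOTE(review): `--root` is described inconsistently on this page (here as a
# binary parser, in the option table as "use root nameservers"); it is not a
# converter for output.bin. Check `massdns --help` before relying on it.
massdns --root

# Convert to text. massdns reads its stdin/positional input as a *domain
# list* (see the `... | massdns -r resolvers.txt -` examples on this page),
# so piping output.bin back in does not decode it; a decoder for the binary
# format is not shown here. The useless `cat` is replaced by a redirect.
massdns -r resolvers.txt -w - < output.bin | tee output.txt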
# Custom output format.
massdns -r "resolvers.txt" "domains.txt" -o c

# Pipe to CSV processing: join the first three columns with commas.
# Fields that themselves contain commas (e.g. TXT data) are not quoted here.
massdns -r "resolvers.txt" "domains.txt" | awk -v OFS=',' '{ print $1, $2, $3 }' > "output.csv"
| Type | Command | Description |
|------|---------|-------------|
| A | -t A | IPv4 address records |
| AAAA | -t AAAA | IPv6 address records |
| CNAME | -t CNAME | Canonical name records |
| MX | -t MX | Mail exchange records |
| NS | -t NS | Nameserver records |
| TXT | -t TXT | Text records (SPF, DKIM, DMARC) |
| SOA | -t SOA | Start of authority records |
| PTR | -t PTR | Pointer records (reverse DNS) |
| SRV | -t SRV | Service records |
| ALL | -t ALL | All record types |
# Query A records only.
massdns -r "resolvers.txt" -t A "domains.txt"

# Query multiple record types. NOTE(review): a comma-separated list is used
# here as written; if your build accepts only one -t value, run massdns once
# per type instead.
massdns -r "resolvers.txt" -t A,AAAA,CNAME "domains.txt"

# Get all records.
massdns -r "resolvers.txt" -t ALL "domains.txt"

# MX records for mail server enumeration.
massdns -r "resolvers.txt" -t MX "domains.txt"

# TXT records (SPF, DKIM and DMARC policies are published here).
massdns -r "resolvers.txt" -t TXT "domains.txt"
| Option | Description | Example |
|--------|-------------|---------|
| -s | Socket count (threads) | -s 500 (default: 500) |
| -c | Concurrent queries | -c 10000 (default: 10000) |
| -w | Ignore replies from invalid resolvers | -w 0 |
| -a | Attempt count before timeout | -a 1 |
| --root | Use root nameservers | --root |
# High-speed resolution: larger socket count and concurrency.
massdns -r "resolvers.txt" -s 5000 -c 50000 "domains.txt"

# Conservative settings (reliable results): fewer sockets, more attempts.
massdns -r "resolvers.txt" -s 100 -c 1000 -a 3 "domains.txt"

# For large datasets. NOTE(review): `--root` is listed on this page as "use
# root nameservers"; check `massdns --help` for what it does in your build.
massdns -r "resolvers.txt" -s 1000 -c 10000 "domains.txt" --root

# With timing information. NOTE(review): elsewhere on this page `-t` selects
# the record type, so `-t 2` is unlikely to be a timing option — verify.
massdns -r "resolvers.txt" "domains.txt" -t 2

Using subfinder:

# Install subfinder. `@latest` resolves to whatever is newest at install
# time; pin a version (`@vX.Y.Z`) for a reproducible toolchain.
go install -v 'github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest'

# Generate subdomains for the target, written to a file.
subfinder -d 'example.com' -o 'subdomains.txt'

Using Amass:

# Install Amass. `@master` tracks the default branch; pin a tag for a
# reproducible build. NOTE(review): the module path below may have moved —
# check the current one in the Amass README before installing.
go install -v 'github.com/OWASP/Amass/v3/...@master'

# Enumerate subdomains for the target, written to a file.
amass enum -d 'example.com' -o 'subdomains.txt'

Using All3:

# Install All3. NOTE(review): confirm the exact package name on PyPI before
# installing — a mistyped name can pull an unrelated lookalike package — and
# pin a version (`all3==<version>`) once confirmed.
python3 -m pip install 'all3'

# Generate wordlist-based subdomains for the target.
all3 'example.com'
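# Basic resolution, JSON output for parsing.
massdns -r resolvers.txt -t A subdomains.txt -o J > resolved.json

# Filter only successful resolutions. Excluding SERVFAIL alone still keeps
# NXDOMAIN lines, so both are dropped. NOTE(review): the text output example
# on this page has no status column; if your build prints none, use the
# JSON output and `select(.status=="NOERROR")` as in the scripts below.
massdns -r resolvers.txt -t A subdomains.txt | grep -Ev 'NXDOMAIN|SERVFAIL' > resolved.txt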
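# From JSON output: the data of every A-record answer. `[]?` tolerates
# responses without an answers array (NXDOMAIN, SERVFAIL), and `// empty`
# skips nulls without the text match `grep -v null`, which would also drop
# any answer whose data merely contains "null".
jq -r '.data.answers[]? | select(.type=="A") | .data // empty' resolved.json

# Filter NXDOMAIN responses from the text output, keeping name and data.
grep -Fv NXDOMAIN resolved.txt | awk '{print $1, $3}'

# Get unique IPs from A records (third column of the text output; the type
# check keeps CNAME targets out of the IP list).
massdns -r resolvers.txt subdomains.txt | awk '$2 == "A" {print $3}' | sort -u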
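#!/bin/bash
# subdomain-enum.sh - Complete subdomain enumeration
#
# Pipeline: subfinder -> massdns (JSON) -> jq. Requires resolvers.txt in the
# working directory and subfinder, massdns and jq on PATH.
set -euo pipefail

TARGET="example.com"
RESOLVERS="resolvers.txt"

# Fail early: massdns cannot do anything without its resolver list.
[[ -r "$RESOLVERS" ]] || { printf 'missing resolver list: %s\n' "$RESOLVERS" >&2; exit 1; }

echo "[*] Step 1: Generate subdomains with subfinder"
subfinder -d "$TARGET" -o subdomains.txt -silent

echo "[*] Step 2: Resolve with MassDNS"
massdns -r "$RESOLVERS" -t A -o J subdomains.txt > resolved.json

echo "[*] Step 3: Extract valid subdomains"
# Only NOERROR responses count as valid; massdns also emits NXDOMAIN entries,
# which `.name` alone would include.
jq -r 'select(.status=="NOERROR") | .name' resolved.json | sort -u > valid_subdomains.txt

echo "[*] Step 4: Extract IPs"
# Walk every answer and keep A records (the first answer may be a CNAME).
# `[]?` tolerates responses without an answers array; `// empty` drops nulls
# without a text match on "null".
jq -r '.data.answers[]? | select(.type=="A") | .data // empty' resolved.json | sort -u > ips.txt

echo "[+] Enumeration complete!"
echo "[+] Valid subdomains: $(wc -l < valid_subdomains.txt)"
echo "[+] Unique IPs: $(wc -l < ips.txt)"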
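# Filter out NXDOMAIN responses (fixed-string match).
massdns -r resolvers.txt domains.txt | grep -Fv NXDOMAIN > live_domains.txt

# Filter by response status. NOTE(review): NOANSWER is not a DNS response
# code, and the text output example on this page has no status column at
# all; verify what your build prints (the JSON `.status` field is reliable).
grep -E "NOERROR|NOANSWER" resolved.txt > status_filtered.txt

# Get only domains with A records: test the type column rather than the
# substring " A ", which could also match inside a name or data field.
massdns -r resolvers.txt domains.txt | awk '$2 == "A"' > a_records.txt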
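# Get all resolved IPs: every A-record answer, not only the first answer
# (which may be a CNAME). `[]?` tolerates responses without an answers array
# and `// empty` drops nulls without the text match on "null".
massdns -r resolvers.txt domains.txt -o J | jq -r '.data.answers[]? | select(.type=="A") | .data // empty' | sort -u

# IP validation: keep only dotted-quad values from the data column. The
# pattern does not check the 0-255 range of each octet.
massdns -r resolvers.txt domains.txt | awk '{print $3}' | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

# Count unique IPs.
massdns -r resolvers.txt domains.txt -o J | jq -r '.data.answers[]? | select(.type=="A") | .data // empty' | sort -u | wc -l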
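# Remove duplicate entries. LC_ALL=C makes the sort byte-wise and
# reproducible across locales. DNS names are case-insensitive, so lowercase
# the list first (e.g. `tr 'A-Z' 'a-z'`) if it mixes cases.
LC_ALL=C sort -u domains.txt > domains_dedup.txt

# Count before/after.
printf 'Before: %s\n' "$(wc -l < domains.txt)"
printf 'After: %s\n' "$(wc -l < domains_dedup.txt)"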
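# Reduce load on resolvers. NOTE(review): -s/-c bound sockets and
# concurrency as described in this page's option table; they are not a
# queries-per-second cap, so "1000 per second" is approximate at best.
massdns -r resolvers.txt domains.txt -s 100 -c 1000

# Reduce thread count for stability.
massdns -r resolvers.txt domains.txt -s 50

# Delay between batches. The existence check skips the literal pattern that
# an unmatched glob leaves behind; each batch's results go to stdout.
for batch in split_domains_*; do
  [[ -e "$batch" ]] || continue
  massdns -r resolvers.txt "$batch"
  sleep 5
done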
# If receiving SERVFAIL responses: more attempts, lower concurrency.
massdns -r "resolvers.txt" "domains.txt" -a 2 -c 5000

# Retry failed domains: collect the first column of every SERVFAIL line,
# then resolve that list again with extra attempts.
awk '/SERVFAIL/ { print $1 }' "resolved.txt" > "failed.txt"
massdns -r "resolvers.txt" "failed.txt" -a 3 > "retried.txt"
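#!/bin/bash
# bug-bounty-recon.sh
#
# Pipeline: subfinder -> massdns (JSON) -> jq. All results are written under
# $RESULTS. Requires resolvers.txt in the working directory and subfinder,
# massdns and jq on PATH.
set -euo pipefail

TARGET="example.com"
RESULTS="recon_results"
RESOLVERS="resolvers.txt"

# Fail early: massdns cannot do anything without its resolver list.
[[ -r "$RESOLVERS" ]] || { printf 'missing resolver list: %s\n' "$RESOLVERS" >&2; exit 1; }
mkdir -p "$RESULTS"

# 1. Subdomain enumeration
echo "[*] Generating subdomains..."
subfinder -d "$TARGET" -o "$RESULTS/subdomains_raw.txt" -silent
sort -u "$RESULTS/subdomains_raw.txt" > "$RESULTS/subdomains.txt"

# 2. DNS resolution (one JSON object per response)
echo "[*] Resolving subdomains..."
massdns -r "$RESOLVERS" -t A -o J "$RESULTS/subdomains.txt" > "$RESULTS/dns_raw.json"

# 3. Extract live domains (NOERROR responses only)
echo "[*] Filtering live domains..."
jq -r 'select(.status=="NOERROR") | .name' "$RESULTS/dns_raw.json" | sort -u > "$RESULTS/live_domains.txt"

# 4. Extract IPs: every A-record answer, not just the first answer (which
# may be a CNAME). `[]?` tolerates responses without an answers array;
# `// empty` drops nulls without the text match on "null".
jq -r '.data.answers[]? | select(.type=="A") | .data // empty' "$RESULTS/dns_raw.json" | sort -u > "$RESULTS/ips.txt"

# 5. Summary
echo "[+] Reconnaissance complete!"
echo "[+] Total subdomains: $(wc -l < "$RESULTS/subdomains.txt")"
echo "[+] Live subdomains: $(wc -l < "$RESULTS/live_domains.txt")"
echo "[+] Unique IPs: $(wc -l < "$RESULTS/ips.txt")"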
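#!/bin/bash
# red-team-enum.sh - Stealthy enumeration
#
# Merges two subdomain sources, resolves the union with bounded concurrency
# and writes name/data pairs for every non-NXDOMAIN response. Requires
# resolvers.txt in the working directory and subfinder, amass and massdns
# on PATH.
set -euo pipefail

TARGET="target.com"
RESOLVERS="resolvers.txt"

# Fail early: massdns cannot do anything without its resolver list.
[[ -r "$RESOLVERS" ]] || { printf 'missing resolver list: %s\n' "$RESOLVERS" >&2; exit 1; }

# Multiple sources for comprehensive coverage. sort reads both process
# substitutions directly, so the intermediate cat is not needed.
echo "[*] Merging subdomain sources..."
sort -u <(subfinder -d "$TARGET" -silent) \
        <(amass enum -d "$TARGET" -passive) > all_subs.txt

# Resolve with bounded concurrency. NOTE(review): -s/-c limit sockets and
# in-flight queries (per this page's option table), not queries per second.
echo "[*] Resolving with rate control..."
massdns -r "$RESOLVERS" -t A -s 200 -c 2000 all_subs.txt > resolved.txt

# Extract results: name and data for every line that is not NXDOMAIN.
awk '!/NXDOMAIN/ { print $1, $3 }' resolved.txt > live.txt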
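# Combine with other tools: look up the location of each resolved address.
# Only A-record data is an IP address (CNAME targets are skipped), sort -u
# avoids repeating a lookup for the same address, and `IFS= read -r` keeps
# each line intact instead of interpreting backslashes.
massdns -r resolvers.txt domains.txt | awk '$2 == "A" {print $3}' | sort -u | \
  while IFS= read -r ip; do
    geoiplookup "$ip"
  done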
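# Extract all resolved domains (every response, whatever its status).
jq -r '.name' resolved.json | sort -u

# Get domains by status.
jq -r 'select(.status=="NOERROR") | .name' resolved.json

# Extract A-record data. `[]?` is needed because responses without an
# answers array (NXDOMAIN, SERVFAIL) make plain `[]` abort with "Cannot
# iterate over null" and stop the whole run.
jq -r '.data.answers[]? | select(.type=="A") | .data' resolved.json

# Count resolutions by status.
jq -r '.status' resolved.json | sort | uniq -c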
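# Success rate (percentage of input names that resolved with NOERROR).
# Multiply before dividing: with `scale=2` bc rounds the division first, so
# `a / b * 100` loses two digits of precision. An empty input file would make
# bc divide by zero, hence the guard. `grep -c` replaces `grep | wc -l`.
total=$(wc -l < input.txt)
ok=$(grep -c NOERROR resolved.txt)
if (( total > 0 )); then
  printf 'Success rate: %s%%\n' "$(printf 'scale=2; %s * 100 / %s\n' "$ok" "$total" | bc)"
else
  printf 'Success rate: n/a (input.txt is empty)\n'
fi

# Average resolution time. NOTE(review): this assumes "<n>ms" tokens in the
# text output, which the output example on this page does not show — verify.
# The END guard avoids a division by zero when nothing matched.
grep -oP '\d+(?=ms)' resolved.txt | awk '{sum+=$1} END {if (NR) print sum/NR " ms average"}'

# Top resolvers used. NOTE(review): every other invocation on this page
# passes -r; add `-r resolvers.txt` here if your build requires a resolver
# list, and confirm `--statistics` exists with `massdns --help`.
massdns --statistics domains.txt 2>&1 | grep "resolver"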
| Issue | Solution |
|-------|----------|
| No results | Check resolver list quality, ensure domains exist |
| Too slow | Increase -s (sockets) and -c (concurrency) |
| Too many failures | Reduce concurrency, increase attempt count -a |
| Memory issues | Split domain list, process in batches |
| Invalid resolvers | Update resolver list, test manually |
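# Test a single domain, read from stdin (the form this page uses elsewhere).
# NOTE(review): no verbosity flag is shown on this page; check
# `massdns --help` if you need more detail than the default output.
printf '%s\n' example.com | massdns -r resolvers.txt -

# Check resolver validity: query each of the first five resolvers directly.
# Reading line by line (instead of `for ... in $(head ...)`) keeps entries
# intact, and the port from the IP:PORT entry is passed to dig instead of
# being silently dropped; entries without a port fall back to 53.
while IFS= read -r resolver; do
  [[ -n "$resolver" ]] || continue
  host=${resolver%:*}
  port=53
  [[ "$resolver" == *:* ]] && port=${resolver##*:}
  printf 'Testing %s\n' "$resolver"
  timeout 2 dig @"$host" -p "$port" example.com
done < <(head -n 5 resolvers.txt)

# Monitor progress.
massdns -r resolvers.txt domains.txt --statistics

# Verify output integrity: jq parses every object in the file. An if/else
# replaces `a && b || c`, which would also print "Invalid JSON" if the first
# echo itself failed.
if jq empty resolved.json; then
  echo "Valid JSON"
else
  echo "Invalid JSON"
fi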
| Tool | Purpose |
|------|---------|
| subfinder | Subdomain discovery tool |
| amass | Comprehensive network mapping |
| dig/nslookup | Manual DNS queries |
| dnsenum | DNS enumeration |
| fierce | DNS subdomain scanner |
| dnsrecon | DNS reconnaissance |
| nuclei | Vulnerability scanning |