dnsgen
Overview
dnsgen is a Python tool that generates new domain names from existing subdomains through permutation and combination techniques. It’s designed to complement DNS enumeration tools like massdns by creating candidate domain names that can then be resolved against DNS servers. This approach helps discover hidden subdomains and related domains that wouldn’t be found through traditional wordlist-based brute forcing alone.
The tool analyzes patterns in known subdomains and generates variations, making it effective for finding naming patterns and discovering previously unknown infrastructure.
Installation
Via pip
```bash
pip install dnsgen
```
From source
```bash
git clone https://github.com/AlexisAhmed/dnsgen.git
cd dnsgen
pip install -r requirements.txt
python dnsgen.py
```
Verify installation
```bash
dnsgen --version
dnsgen --help
```
Basic Usage
| Command | Description |
|---|---|
| `dnsgen input.txt` | Generate combinations from domains in input.txt |
| `dnsgen -` | Read domains from stdin |
| `dnsgen input.txt -o output.txt` | Save generated domains to output.txt |
| `dnsgen input.txt -l` | List only valid/existing domain combinations |
Common Patterns
Subdomain enumeration workflow
```bash
# 1. Get initial subdomains (using assetfinder, amass, etc.)
assetfinder example.com | sort -u > subdomains.txt
# 2. Generate combinations with dnsgen
dnsgen subdomains.txt > candidates.txt
# 3. Resolve candidates with massdns
massdns -r /path/to/resolvers.txt candidates.txt -t A -o S
```
Using with pipes
```bash
# Chain assetfinder to dnsgen
assetfinder example.com | dnsgen - > generated.txt
# Generate and immediately pipe to massdns
dnsgen subdomains.txt | massdns -r resolvers.txt - -t A
```
Generate from certificate transparency logs
```bash
# First get domains from CT logs
crt.sh -d example.com | dnsgen - > ct_generated.txt
# Or combine multiple sources (';' so one source failing does not skip the other)
(assetfinder example.com; crt.sh -d example.com) | dnsgen -
```
Advanced Options
| Flag | Usage | Description |
|---|---|---|
| `-w, --wordlist` | `-w words.txt` | Use custom wordlist for generation |
| `-l, --limit` | `-l 100` | Limit output to N results |
| `-f, --fast` | `dnsgen -f input.txt` | Fast mode, reduce permutations |
| `-d, --domain` | `-d example.com` | Specify target domain explicitly |
Permutation Techniques
Mutation generation
dnsgen uses several generation methods:
```text
# Given: api.prod.example.com, api.staging.example.com
# Inserts: adds prefix/suffix combinations
# - api.prod.staging.example.com
# - prod-staging.example.com
# Replacements: swaps environment names
# - api.dev.example.com
# - api.test.example.com
# Separators: tests delimiter variations
# - api_prod.example.com
# - api-prod.example.com
```
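
To make the three families above concrete, here is an added example (not dnsgen's own code or word list) that models inserts, replacements and separators over the two names from the text. The function names, the `extra_words` list and the `KNOWN` sample are assumptions made for illustration.

```python
# Added illustration: a simplified model of the three permutation families
# above. It is not dnsgen's actual algorithm or built-in word list.

def split_labels(fqdn, apex):
    """Return the labels left of the apex, e.g. ['api', 'prod']; [] if outside it."""
    fqdn, apex = fqdn.lower().rstrip("."), apex.lower().rstrip(".")
    if not fqdn.endswith("." + apex):
        return []
    return fqdn[: -len(apex) - 1].split(".")

def generate(known, apex, extra_words=("dev", "test")):
    """Return sorted candidate names that are not already in `known`."""
    names = [n for n in (split_labels(k, apex) for k in known) if n]
    # Vocabulary: labels observed in the input plus a small assumed word list.
    vocab = {label for n in names for label in n} | set(extra_words)
    out = set()
    for labels in names:
        for word in vocab - set(labels):
            # Inserts: put the word at every position in the label chain.
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [word] + labels[i:]))
            # Replacements: swap each label for the word.
            for i in range(len(labels)):
                out.add(".".join(labels[:i] + [word] + labels[i + 1:]))
        # Separators: merge adjacent labels with '-' and '_'.
        for i in range(len(labels) - 1):
            for sep in "-_":
                merged = labels[i] + sep + labels[i + 1]
                out.add(".".join(labels[:i] + [merged] + labels[i + 2:]))
    # Names that were already known are not new candidates.
    out -= {".".join(n) for n in names}
    return sorted(f"{c}.{apex}" for c in out)

# Constructed sample input: the two names used in the text above.
KNOWN = ["api.prod.example.com", "api.staging.example.com"]

if __name__ == "__main__":
    for name in generate(KNOWN, "example.com"):
        print(name)
```

Even two input names yield a few dozen candidates, which is why the later sections limit, filter and deduplicate the output before resolution.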
Filtering and Validation
Basic filtering
```bash
# Generate and filter for specific patterns
dnsgen input.txt | grep -E "^(api|admin|dev)" > filtered.txt
# Remove duplicates
dnsgen input.txt | sort -u > unique.txt
# Count generated domains
dnsgen input.txt | wc -l
```
Integration with resolution
```bash
# Generate, then validate with dig
dnsgen input.txt | while read -r domain; do
  # dig exits 0 even when there is no answer, so test for non-empty output
  [ -n "$(dig +short "$domain" @8.8.8.8)" ] && echo "$domain is valid"
done
# Or use nslookup
dnsgen input.txt | while read -r domain; do
  nslookup "$domain" 8.8.8.8 | grep -q "Name:" && echo "$domain"
done
```
Real-World Scenarios
Bug bounty reconnaissance
```bash
# Comprehensive subdomain enumeration
assetfinder example.com > subs.txt
amass enum -d example.com >> subs.txt
crt.sh -d example.com | awk -F',' '{print $NF}' >> subs.txt
sort -u subs.txt > unique_subs.txt
# Generate candidates
dnsgen unique_subs.txt > candidates.txt
# Resolve with public DNS
massdns -r /opt/massdns/lists/resolvers.txt candidates.txt -t A -o S > resolved.txt
```
Internal network enumeration
```bash
# Generate from known internal subdomains
dnsgen internal_subs.txt > internal_candidates.txt
# Resolve against internal DNS
massdns -r internal_resolvers.txt internal_candidates.txt -t A
```
Monitoring for new infrastructure
```bash
# Regularly generate candidates from known domains
dnsgen known_domains.txt > current_candidates.txt
# Compare to previous results (strip diff's "> " marker so only bare names are saved)
diff previous_candidates.txt current_candidates.txt | sed -n 's/^> //p' > new_candidates.txt
# Resolve new candidates
massdns -r resolvers.txt new_candidates.txt -t A
```
Output Examples
Sample output format
```text
api.prod.example.com
api.staging.example.com
api.dev.example.com
api-prod.example.com
api_prod.example.com
prod.api.example.com
staging.api.example.com
dev.api.example.com
prod-api.example.com
prod_api.example.com
```
With validation (using -l flag)
```bash
dnsgen input.txt -l
# Only outputs domains that can be validated
```
Performance Tips
Limit permutations for large input sets
```bash
# Fast mode for large wordlists
dnsgen -f large_input.txt > output.txt
# Or pipe through head to limit
dnsgen input.txt | head -10000 > output.txt
```
Parallel processing with xargs
```bash
# Process subdomains in parallel: 4 workers, each domain fed to dnsgen on stdin
xargs -P 4 -I {} sh -c 'printf "%s\n" "$1" | dnsgen -' _ {} < input.txt >> combined.txt
```
Troubleshooting
Tool not found
```bash
# Verify installation location
which dnsgen
# Or run as module
python -m dnsgen input.txt
```
Empty output
```bash
# Check input file format (one domain per line)
cat input.txt
# Verify file isn't empty
wc -l input.txt
# Test with simple input
echo "example.com" | dnsgen -
```
Memory issues with large inputs
```bash
# Split input file
split -l 5000 large.txt chunk_
# Process chunks separately
for chunk in chunk_*; do
  dnsgen "$chunk" >> output.txt
done
```
Integration with Other Tools
With subfinder
```bash
subfinder -d example.com -o subs.txt
dnsgen subs.txt > candidates.txt
massdns -r resolvers.txt candidates.txt -t A
```
With httprobe for live host detection
```bash
dnsgen subdomains.txt | while read -r domain; do
  echo "$domain" | httprobe
done
```
With nuclei for vulnerability scanning
```bash
# -o S makes massdns print "name. A address" lines, so field 3 is the address
dnsgen subdomains.txt | massdns -r resolvers.txt - -t A -o S | \
  cut -d' ' -f3 | nuclei -l - -t http-servers
```
Best Practices
- Use dnsgen as part of a multi-stage enumeration process
- Combine with other subdomain discovery tools for comprehensive results
- Regularly update input domain lists for better permutation patterns
- Use resolver lists with public, fast-responding nameservers
- Validate generated domains before bulk resolution to avoid false positives
- Document all discovered domains and their resolution status
- Respect rate limits when resolving large candidate lists
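
The "validate before bulk resolution" step can be done offline before any query is sent. The following added example (not part of dnsgen) drops candidates that are malformed, duplicated or outside the authorized apex domain; `classify`, `prefilter`, the `strict` switch and the `SAMPLE` list are assumptions made for illustration.

```python
import re

# Host label: letters, digits, hyphen (underscore tolerated unless strict),
# 1-63 characters, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")

def classify(candidate, apex, strict=False):
    """Return (normalized_name, reason); reason is None when the name is kept."""
    name = candidate.strip().lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    if not name:
        return name, "empty"
    # Suffix match on a label boundary, so notexample.com is not in scope.
    if name != apex and not name.endswith("." + apex):
        return name, "out-of-scope"
    if len(name) > 253:
        return name, "name-too-long"
    for label in name.split("."):
        if not LABEL.fullmatch(label):
            return name, "bad-label"
        if strict and "_" in label:
            return name, "underscore"   # legal in DNS, not a valid hostname
    return name, None

def prefilter(lines, apex, strict=False):
    """Split candidates into (kept, rejected_counts), deduplicating kept names."""
    kept, rejected, seen = [], {}, set()
    for line in lines:
        name, reason = classify(line, apex, strict)
        if reason is None and name in seen:
            reason = "duplicate"
        if reason:
            rejected[reason] = rejected.get(reason, 0) + 1
        else:
            seen.add(name)
            kept.append(name)
    return kept, rejected

# Constructed sample candidates, including malformed and out-of-scope names.
SAMPLE = [
    "api.dev.example.com", "API.DEV.example.com.", "api_prod.example.com",
    "-api.example.com", "a" * 64 + ".example.com",
    "api.example.com.evil.test", "notexample.com", "",
]

if __name__ == "__main__":
    print(prefilter(SAMPLE, "example.com"))
```

The rejection counts are worth logging alongside the kept list: a sudden rise in `out-of-scope` names usually means an upstream source has started returning unrelated domains.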
Resources
- GitHub: https://github.com/AlexisAhmed/dnsgen
- massdns: https://github.com/blechschmidt/massdns
- Subdomain enumeration guide: https://host.io/subdomain-enumeration