dnsgen
Overview
dnsgen is a Python tool that generates new domain names from existing subdomains through permutation and combination techniques. It’s designed to complement DNS enumeration tools like massdns by creating candidate domain names that can then be resolved against DNS servers. This approach helps discover hidden subdomains and related domains that wouldn’t be found through traditional wordlist-based brute forcing alone.
The tool analyzes patterns in known subdomains and generates variations, making it effective for finding naming patterns and discovering previously unknown infrastructure.
Installation
Via pip
pip install dnsgenFrom source
git clone https://github.com/AlexisAhmed/dnsgen.git
cd dnsgen
pip install -r requirements.txt
python dnsgen.pyVerify installation
dnsgen --version
dnsgen --helpBasic Usage
| Command | Description |
|---|---|
dnsgen input.txt | Generate combinations from domains in input.txt |
dnsgen - | Read domains from stdin |
dnsgen input.txt -o output.txt | Save generated domains to output.txt |
dnsgen input.txt -l | List only valid/existing domain combinations |
Common Patterns
Subdomain enumeration workflow
# 1. Get initial subdomains (using assetfinder, amass, etc.)
assetfinder example.com | sort -u > subdomains.txt
# 2. Generate combinations with dnsgen
dnsgen subdomains.txt > candidates.txt
# 3. Resolve candidates with massdns
massdns -r /path/to/resolvers.txt candidates.txt -t A -o SUsing with pipes
# Chain assetfinder to dnsgen
assetfinder example.com | dnsgen - > generated.txt
# Generate and immediately pipe to massdns
dnsgen subdomains.txt | massdns -r resolvers.txt - -t AGenerate from certificate transparency logs
# First get domains from CT logs
crt.sh -d example.com | dnsgen - > ct_generated.txt
# Or combine multiple sources
(assetfinder example.com && crt.sh -d example.com) | dnsgen -Advanced Options
| Flag | Usage | Description |
|---|---|---|
-w, --wordlist | -w words.txt | Use custom wordlist for generation |
-l, --limit | -l 100 | Limit output to N results |
-f, --fast | dnsgen -f input.txt | Fast mode, reduce permutations |
-d, --domain | -d example.com | Specify target domain explicitly |
Permutation Techniques
Mutation generation
dnsgen uses several generation methods:
# Given: api.prod.example.com, api.staging.example.com
# Inserts: adds prefix/suffix combinations
# - api.prod.staging.example.com
# - prod-staging.example.com
# Replacements: swaps environment names
# - api.dev.example.com
# - api.test.example.com
# Separators: tests delimiter variations
# - api_prod.example.com
# - api-prod.example.comFiltering and Validation
Basic filtering
# Generate and filter for specific patterns
dnsgen input.txt | grep -E "^(api|admin|dev)" > filtered.txt
# Remove duplicates
dnsgen input.txt | sort -u > unique.txt
# Count generated domains
dnsgen input.txt | wc -lIntegration with resolution
# Generate, then validate with dig
dnsgen input.txt | while read domain; do
dig +short "$domain" @8.8.8.8 && echo "$domain is valid"
done
# Or use nslookup
dnsgen input.txt | while read domain; do
nslookup "$domain" 8.8.8.8 | grep -q "Name:" && echo "$domain"
doneReal-World Scenarios
Bug bounty reconnaissance
# Comprehensive subdomain enumeration
assetfinder example.com > subs.txt
amass enum -d example.com >> subs.txt
crt.sh -d example.com | awk -F',' '{print $NF}' >> subs.txt
sort -u subs.txt > unique_subs.txt
# Generate candidates
dnsgen unique_subs.txt > candidates.txt
# Resolve with public DNS
massdns -r /opt/massdns/lists/resolvers.txt candidates.txt -t A -o S > resolved.txtInternal network enumeration
# Generate from known internal subdomains
dnsgen internal_subs.txt > internal_candidates.txt
# Resolve against internal DNS
massdns -r internal_resolvers.txt internal_candidates.txt -t AMonitoring for new infrastructure
# Regularly generate candidates from known domains
dnsgen known_domains.txt > current_candidates.txt
# Compare to previous results
diff previous_candidates.txt current_candidates.txt | grep "^>" > new_candidates.txt
# Resolve new candidates
massdns -r resolvers.txt new_candidates.txt -t AOutput Examples
Sample output format
api.prod.example.com
api.staging.example.com
api.dev.example.com
api-prod.example.com
api_prod.example.com
prod.api.example.com
staging.api.example.com
dev.api.example.com
prod-api.example.com
prod_api.example.comWith validation (using -l flag)
dnsgen input.txt -l
# Only outputs domains that can be validatedPerformance Tips
Limit permutations for large input sets
# Fast mode for large wordlists
dnsgen -f large_input.txt > output.txt
# Or pipe through head to limit
dnsgen input.txt | head -10000 > output.txtParallel processing with xargs
# Process subdomains in parallel
cat input.txt | xargs -I {} dnsgen {} >> combined.txtTroubleshooting
Tool not found
# Verify installation location
which dnsgen
# Or run as module
python -m dnsgen input.txtEmpty output
# Check input file format (one domain per line)
cat input.txt
# Verify file isn't empty
wc -l input.txt
# Test with simple input
echo "example.com" | dnsgen -Memory issues with large inputs
# Split input file
split -l 5000 large.txt chunk_
# Process chunks separately
for chunk in chunk_*; do
dnsgen "$chunk" >> output.txt
doneIntegration with Other Tools
With subfinder
subfinder -d example.com -o subs.txt
dnsgen subs.txt > candidates.txt
massdns -r resolvers.txt candidates.txt -t AWith httprobe for live host detection
dnsgen subdomains.txt | while read domain; do
echo "$domain" | httprobe
doneWith nuclei for vulnerability scanning
dnsgen subdomains.txt | massdns -r resolvers.txt - -t A | \
cut -d' ' -f3 | nuclei -l - -t http-serversBest Practices
- Use dnsgen as part of a multi-stage enumeration process
- Combine with other subdomain discovery tools for comprehensive results
- Regularly update input domain lists for better permutation patterns
- Use resolver lists with public, fast-responding nameservers
- Validate generated domains before bulk resolution to avoid false positives
- Document all discovered domains and their resolution status
- Respect rate limits when resolving large candidate lists
Resources
- GitHub: https://github.com/AlexisAhmed/dnsgen
- massdns: https://github.com/blechschmidt/massdns
- Subdomain enumeration guide: https://host.io/subdomain-enumeration