dnstwist
Installation
From PyPI
pip install dnstwist
From Source
git clone https://github.com/elceef/dnstwist.git
cd dnstwist
pip install -e .
docker run -it elceef/dnstwist dnstwist example.com
Requirements
- Python 3.7+
- dnspython: DNS resolution
- requests: HTTP requests
- urllib3: URL parsing
- GeoIP2 database (optional, for geolocation)
Basic Usage
Simple Permutation Check
dnstwist example.com
Check and Resolve DNS
dnstwist -r example.com
Extended Output with Registered Domains
dnstwist -r --registered example.com
Verbose Mode
dnstwist -v example.com
Permutation Types
Bitsquatting
Domain names that differ from the original by a single bit flip in DNS wire format.
dnstwist --bitsquatting example.com
Homoglyph Attack
Visually similar characters (e.g., rn → m, 0 → O).
dnstwist --homoglyph example.com
Insertion
Add characters within the domain name.
dnstwist --insertion example.com
Omission
Remove single characters from the domain name.
dnstwist --omission example.com
Repetition
Double consecutive characters.
dnstwist --repetition example.com
Replacement
Replace characters with similar ones.
dnstwist --replacement example.com
Transposition
Swap adjacent characters.
dnstwist --transposition example.com
Vowel Swap
Replace vowels with other vowels.
dnstwist --vowelswap example.com
Addition
Add common TLD variations and prefixes/suffixes.
dnstwist --addition example.com
Hyphenation
Add hyphens at various positions.
dnstwist --hyphenation example.com
All Permutation Types
dnstwist -a example.com
DNS Resolution
Resolve A Records
dnstwist -r example.com
Resolve AAAA Records (IPv6)
dnstwist -r --aaaa example.com
Resolve with Specific Nameserver
dnstwist -r -ns 8.8.8.8 example.com
Check Registration Status
dnstwist --registered example.com
Verify DNSSEC
dnstwist -r --dnssec example.com
MX Record Checking
Detect MX Records
dnstwist -r example.com | grep MX
Full MX Verification
dnstwist -r --mx example.com
Mail Server Analysis
dnstwist -r --mx example.com | head -20
GeoIP Lookup
Enable GeoIP Resolution
dnstwist -r --geoip example.com
Download GeoIP2 Database
# Requires MaxMind account; the URL is quoted so the shell does not treat & as a background operator
curl "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=YOUR_KEY&suffix=tar.gz" -o geolite2.tar.gz
tar xzf geolite2.tar.gz
Use Custom GeoIP Database
dnstwist -r --geoip --db /path/to/GeoLite2-City.mmdb example.com
Web Page Similarity Detection
Fuzzy Hash Comparison
dnstwist -r --ssdeep example.com
Detect Phishing Pages
dnstwist -r --ssdeep --verify example.com
HTTP Banner Grabbing
dnstwist -r --http example.com
HTTPS Certificate Analysis
dnstwist -r --cert example.com
Output Formats
CSV Output
dnstwist -r --csv example.com > results.csv
JSON Output
dnstwist -r --json example.com > results.json
List Format (Default)
dnstwist -r example.com > results.txt
Domain Names Only
dnstwist example.com | cut -d' ' -f1
Registered Domains Only
dnstwist -r example.com | grep -E "^[a-z].*\[" | cut -d' ' -f1
Dictionary-Based Generation
Add Dictionary Words
dnstwist -w /path/to/wordlist.txt example.com
Generate with Common Dictionary
dnstwist -w /usr/share/dict/words example.com
Dictionary-Only Mode
dnstwist -w wordlist.txt --dictionary-only example.com
Wordlist Format
# One word per line
malware
phishing
security
admin
Combine with Permutations
dnstwist -w wordlist.txt -a example.com
WHOIS Lookups
Basic WHOIS Query
dnstwist -r example.com | grep WHOIS
Registrar Information
whois examplee.com
Bulk WHOIS Batch
dnstwist -r --whois example.com
Monitoring and Automation
Run Periodic Checks (Bash Loop)
while true; do
    dnstwist -r --json example.com > "check_$(date +%s).json"
    sleep 3600 # Check hourly
done
Continuous Monitoring with cron
# Add to crontab -e
0 * * * * /usr/local/bin/dnstwist -r --json example.com >> /var/log/dnstwist.log
Real-Time Monitoring Script
#!/bin/bash
domain="example.com"
baseline=$(dnstwist -r --json "$domain")
while true; do
    current=$(dnstwist -r --json "$domain")
    if [ "$baseline" != "$current" ]; then
        echo "Change detected at $(date)" | mail -s "dnstwist Alert" admin@example.com
        baseline="$current"
    fi
    sleep 300
done
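The script above alerts on any byte difference between two runs, including records that merely changed order. The following added Python example (not part of the original page or of dnstwist; function names are hypothetical) compares two JSON snapshots per domain and reports which lookalikes started resolving, changed records or stopped resolving. The snapshots are constructed sample data, and the dns_mx key is an assumption.

```python
# Added example: compare two dnstwist --json snapshots per domain; not dnstwist's own code.
import json

# dns_a and dns_aaaa appear in the jq filters on this page; dns_mx is an assumed key.
RECORD_KEYS = ("dns_a", "dns_aaaa", "dns_mx")

def index(snapshot_json):
    """Map domain -> {record key: sorted tuple of values}, so list order is ignored."""
    out = {}
    for entry in json.loads(snapshot_json):
        records = {k: tuple(sorted(entry.get(k) or [])) for k in RECORD_KEYS}
        out[entry["domain"]] = {k: v for k, v in records.items() if v}
    return out

def diff(baseline_json, current_json):
    """Classify each domain as appeared, changed or gone between two snapshots."""
    old, new = index(baseline_json), index(current_json)
    report = {"appeared": [], "changed": [], "gone": []}
    for domain in sorted(set(old) | set(new)):
        before, after = old.get(domain, {}), new.get(domain, {})
        if after and not before:
            report["appeared"].append(domain)      # lookalike now resolves
        elif before and not after:
            report["gone"].append(domain)          # records withdrawn
        elif before != after:
            keys = [k for k in RECORD_KEYS if before.get(k) != after.get(k)]
            report["changed"].append((domain, keys))
    return report

# Constructed snapshots using documentation address ranges.
BASELINE = json.dumps([
    {"domain": "examplee.com", "dns_a": ["198.51.100.7", "198.51.100.8"]},
    {"domain": "exampel.com"},
    {"domain": "exmple.com", "dns_a": ["203.0.113.5"]},
    {"domain": "exarnple.com", "dns_a": ["192.0.2.10"]},
])
CURRENT = json.dumps([
    {"domain": "exarnple.com"},
    {"domain": "exmple.com", "dns_a": ["203.0.113.9"], "dns_mx": ["mail.exmple.com"]},
    {"domain": "exampel.com", "dns_a": ["192.0.2.44"]},
    {"domain": "examplee.com", "dns_a": ["198.51.100.8", "198.51.100.7"]},
])

if __name__ == "__main__":
    print(json.dumps(diff(BASELINE, CURRENT), indent=2))
```
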
Log Results to Database
dnstwist -r --json example.com | jq -r '["domain","dns_a"], (.[] | [.domain, ((.dns_a // []) | join(" "))]) | @csv' > results.csv
sqlite3 dnstwist.db ".mode csv" ".import results.csv results"
API and CI Integration
JSON API Output for Integration
dnstwist -r --json example.com | jq '.[] | select(.dns_a != null)'
Parse JSON Results
dnstwist -r --json example.com | jq '.[] | {domain, dns_a, dns_aaaa, whois_created}'
Filter Registered Domains
dnstwist -r --json example.com | jq '.[] | select(.dns_a != null) | .domain'
GitHub Actions Integration
name: dnstwist Security Check
on:
  schedule:
    - cron: '0 * * * *'  # hourly, same interval as the crontab entry above
jobs:
  dnstwist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-python@v5
      - run: pip install dnstwist
      - run: dnstwist -r --json example.com > results.json
      - uses: actions/upload-artifact@v4
        with:
          name: dnstwist-results
          path: results.json
GitLab CI Integration
dnstwist_scan:
  image: python:3.9
  script:
    - pip install dnstwist
    - dnstwist -r --json example.com > results.json
  artifacts:
    paths:
      - results.json
Jenkins Pipeline
pipeline {
    agent any
    stages {
        stage('dnstwist Scan') {
            steps {
                sh 'pip install dnstwist'
                sh 'dnstwist -r --json example.com > results.json'
                archiveArtifacts artifacts: 'results.json'
            }
        }
    }
}
Advanced Options
Custom Threads for Parallel Resolution
dnstwist -r --threads 10 example.com
Set DNS Query Timeout
dnstwist -r --timeout 2 example.com
Name Server Configuration
dnstwist -r -ns 1.1.1.1 example.com
Disable DNSSEC Validation
dnstwist -r --no-dnssec example.com
Quiet Mode (Minimal Output)
dnstwist -q example.com
Typical Workflows
Complete Phishing Investigation
dnstwist -r -a --ssdeep --geoip --json example.com > investigation.json
Monitor High-Risk Domains
for domain in company.com company.org company.net; do
    echo "=== $domain ==="
    dnstwist -r --registered "$domain"
done
Generate Squatting Report
dnstwist -r --csv -a example.com > squatting_report.csv
# Then import into spreadsheet for analysis
Check Permutations Without Resolution
dnstwist example.com | wc -l # Total permutations
dnstwist example.com # List all potential domains
Find Only Suspicious Registrations
dnstwist -r example.com | grep -E "\[A\]|\[MX\]" | grep -vF "$(dig +short example.com)"
Performance Tips
- Reduce Threads for API Rate Limits: Use --threads 2 on restricted networks
- Skip DNS Verification: Remove the -r flag for faster enumeration
- Filter by Permutation Type: Use specific flags instead of -a to reduce output
- Export to CSV Early: Process data in spreadsheet tools rather than in the terminal
- Batch Multiple Domains: Create a script to iterate and append to a single JSON file
Common Issues
DNS Timeout
# Increase timeout value
dnstwist -r --timeout 5 example.com
Rate Limiting
# Lower the query rate by using a single thread
dnstwist -r --threads 1 example.com
GeoIP Database Not Found
# Ensure database is in expected location
dnstwist -r --geoip --db ~/GeoLite2-City.mmdb example.com
Memory Usage with Large Wordlists
# Process in chunks instead
split -l 1000 wordlist.txt chunk_
for chunk in chunk_*; do
    dnstwist -w "$chunk" example.com
done
Security Best Practices
- Responsible Disclosure: Only test domains you own or have authorization for
- Rate Limiting: Respect DNS provider rate limits and ISP policies
- Logging: Enable verbose mode during investigations for audit trails
- Automation Consent: Inform stakeholders of automated monitoring
- Data Privacy: Securely store results containing sensitive information
- Legal Compliance: Verify domain monitoring is within acceptable use policies