dnsx is a fast and multi-purpose DNS toolkit allow to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers.
dnsx is successor of dnsprobe that includes new features, multiple bugs fixes, and tailored for better user experience, few notable flags are
resp-only that allows to control and print the exact information you are looking for.
We also ported DNS wildcard filtering feature to dnsx from shuffledns as a standalone support.
- Simple and Handy utility to query DNS records.
- Supports A, AAAA, CNAME, PTR, NS, MX, TXT, SOA
- Handles wildcard subdomains in automated way.
- Optimized for ease of use.
- Stdin and stdout support to work with other tools.
The installation is easy. You can download the pre-built binaries for your platform from the Releases page. Extract them using tar, move it to your
$PATH and you’re ready to go.
Download latest binary from https://github.com/projectdiscovery/dnsx/releases ▶ tar -xvf dnsx-linux-amd64.tar ▶ mv dnsx-linux-amd64 /usr/local/bin/dnsx ▶ dnsx -h
dnsx requires go1.15+ to install successfully. Run the following command to get the repo:
▶ GO111MODULE=on go get -v github.com/projectdiscovery/dnsx/cmd/dnsx
▶ git clone https://github.com/projectdiscovery/dnsx.git; cd dnsx/cmd/dnsx; go build; mv dnsx /usr/local/bin/; dnsx -version
Install via brew
If you’re macOS user and using Homebrew, you can install via
brew install dnsx
This will display help for the tool. Here are all the switches it supports.
|a||Query A record||dnsx -a|
|aaaa||Query AAAA record||dnsx -aaaa|
|cname||Query CNAME record||dnsx -cname|
|ns||Query NS record||dnsx -ns|
|ptr||Query PTR record||dnsx -ptr|
|txt||Query TXT record||dnsx -txt|
|mx||Query MX record||dnsx -mx|
|soa||Query SOA record||dnsx -soa|
|raw||Operates like dig||dnsx -raw|
|l||File input list of subdomains/host||dnsx -l list.txt|
|json||JSON output||dnsx -json|
|r||File or comma separated resolvers||dnsx -r 18.104.22.168|
|rl||Limit of DNS request/second||dnsx -rl 100|
|resp||Display response data||dnsx -cname -resp|
|resp-only||Display only response data||dnsx -cname resp-only|
|retry||Number of DNS retries||dnsx -retry 1|
|silent||Show only results in the output||dnsx -silent|
|o||File to write output to (optional)||dnsx -o output.txt|
|t||Concurrent threads to make||dnsx -t 250|
|verbose||Verbose output||dnsx -verbose|
|version||Show version of dnsx||dnsx -version|
|wd||Wildcard domain name for filtering||dnsx -wd example.com|
|wt||Wildcard Filter Threshold||dnsx -wt 5|
dnsx can be used to filter dead records from the list of passive subdomains obtained from various sources, for example
▶ subfinder -silent -d hackerone.com | dnsx _ __ __ __| | _ __ ___ \ \/ / / _' || '_ \ / __| \ / | (_| || | | |\__ \ / \ \__,_||_| |_||___//_/\_\ v1.0 projectdiscovery.io [WRN] Use with caution. You are responsible for your actions [WRN] Developers assume no liability and are not responsible for any misuse or damage. a.ns.hackerone.com www.hackerone.com api.hackerone.com docs.hackerone.com mta-sts.managed.hackerone.com mta-sts.hackerone.com resources.hackerone.com b.ns.hackerone.com mta-sts.forwarding.hackerone.com events.hackerone.com support.hackerone.com
dnsx can be used to extract A records for the given list of subdomains, for example:
▶ subfinder -silent -d hackerone.com | dnsx -silent -a -resp a.ns.hackerone.com [22.214.171.124] b.ns.hackerone.com [126.96.36.199] mta-sts.hackerone.com [188.8.131.52] events.hackerone.com [184.108.40.206] mta-sts.managed.hackerone.com [220.127.116.11] resources.hackerone.com [18.104.22.168] resources.hackerone.com [22.214.171.124] www.hackerone.com [126.96.36.199] support.hackerone.com [188.8.131.52]
dnsx can be used to extract CNAME records for the given list of subdomains, for example:
▶ subfinder -silent -d hackerone.com | dnsx -silent -cname -resp support.hackerone.com [hackerone.zendesk.com] resources.hackerone.com [read.uberflip.com] mta-sts.hackerone.com [hacker0x01.github.io] mta-sts.forwarding.hackerone.com [hacker0x01.github.io] events.hackerone.com [whitelabel.bigmarker.com]
dnsx can be used to extract subdomains from given network range using
PTR query, for example:
mapcidr -cidr 184.108.40.206/24 -silent | dnsx -silent -resp-only -ptr cors.api.paypal.com trinityadminauth.paypal.com cld-edge-origin-api.paypal.com appmanagement.paypal.com svcs.paypal.com trinitypie-serv.paypal.com ppn.paypal.com pointofsale-new.paypal.com pointofsale.paypal.com slc-a-origin-pointofsale.paypal.com fpdbs.paypal.com
A special feature of dnsx is its ability to handle multi-level DNS based wildcards and do it so with very less number of DNS requests. Sometimes all the subdomains will resolve which will lead to lots of garbage in the results. The way dnsx handles this is it will keep track of how many subdomains point to an IP and if the count of the Subdomains increase beyond a certain small threshold, it will check for wildcard on all the levels of the hosts for that IP iteratively.
dnsx -l airbnb-subs.txt -wd airbnb.com -o output.txt
- As default, dnsx checks for A record.
- As default dnsx uses Google, Cloudflare, Quad9 resolver.
- Domain name input is mandatory for wildcard elimination.
- DNS record flag can not be used when using wildcard filtering.
dnsx (this link opens in a new window) by projectdiscovery (this link opens in a new window)
dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.