What is your go-to DNS enumeration methodology? [Discussion]

Hey 0x00ers!

I have been doing a lot of research lately around getting the best coverage when it comes to DNS enumeration. If you’re on a red team and doing asset discovery, or if you’re a bug bounty hunter and you get given scope with *.example.com, DNS enumeration is usually massively important to get right but also not miss anything in the process.

Personally, my DNS enumeration looks a lot like the following:

I run subfinder:

subfinder -d uber.com >> 

Then I’ll use amass. Amass is great because it pulls from a LOT of different sources and performs a lot of enumeration techniques to get really great coverage; this includes certificate transparency, DNSdumpster, Rapid7 Sonar, Google and loads of other sources.

amass enum -d uber.com

Then, just to make sure I didn’t miss anything, I’ll do a full-on DNS bruteforce using MassDNS or ZDNS.

I’ve recently taken to using my new tool subgen, which just takes a wordlist as STDIN, concatenates your domain with the wordlist, and doesn’t allow the same subdomain string to be printed more than once (unique).

From this, you can pipe into whatever resolver tool you like best.

As far as wordlists go, I am a big fan of a sorted Jason Haddix’s all.txt, https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

cat ~/lists/sorted-all.txt | subgen -d uber.com | zdns A | jq -r "select(.data.answers[0].name) | .name" 

This is truly one of the fastest ways to all-out bruteforce right now. A full bruteforce using that 25MB list takes a total of 20 minutes with Cloudflare DNS on a Digital Ocean SFO2 droplet; if you use MassDNS you can get it down to 10 minutes, just make sure you use the right resolvers with MassDNS.

cat ~/lists/jhaddix-all.txt | subgen -d uber.com |  massdns -r dns.txt -t A -o S -w results.txt

And use this for DNS (my best list right now, credit to @R3D_Z3R0 on Twitter.)

So - this brings me onto you, what do you use for your DNS enumeration methodology? Share with everybody so that we have a big resource here!


I almost do the same steps:

  • subfinder -d domain.com | tee -a domains
  • assetfinder -subs-only domain.com | tee -a domains
  • crobat-client -s domain.com | tee -a domains

Then of course sort -u to remove duplicates. I have to add the bruteforce solution at the end to find things I missed, like you said. For that I use subEnum.

When it comes to bug hunting, recon and DNS enumeration are probably half of the job. The more assets you find, the bigger the attack surface, and thus the greater the chances of finding something!



Finding the path less travelled, and finding more assets, gives you a place to actually start looking. Half-assing recon will only cause you headaches down the road.

Hey - just reading this again, can you run these three commands at the same time? Will tee allow you to write from multiple processes at once?

Maybe you’ll find this tool useful.

Just tested it, turns out you can. Did subfinder -d domain.com | tee -a domains in one terminal and assetfinder -subs-only anotherdomain.com | tee -a domains in another terminal and all results were saved in domains.

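Added example (not part of any post in this thread): a sketch of why several "tool | tee -a domains" pipelines can share one output file, and how to check the merged result before relying on it. fake_source, collect, count_malformed and unique_count are hypothetical helpers, and the hostnames are constructed sample data.

```shell
#!/bin/sh
# tee -a opens its output in append mode (O_APPEND), so each write() lands at
# the current end of the file even when other processes append to it too.
# Lines stay intact as long as each line reaches the file in one write(), as
# with tools that flush per result; a line split across two writes can still
# be interleaved with another writer's output (append is also not reliable on
# NFS), so the merged file is validated below instead of trusted blindly.

# Stand-in for an enumeration tool: prints $2 constructed hostnames with
# prefix $1, one write per line.
fake_source() {
  i=1
  while [ "$i" -le "$2" ]; do
    printf '%s-%03d.example.com\n' "$1" "$i"
    i=$((i + 1))
  done
}

# Run three sources at the same time, all appending to the file in $1.
# The third repeats the first, the way separate tools report the same host.
collect() {
  : > "$1"
  fake_source alpha 50 | tee -a "$1" > /dev/null &
  fake_source beta 50 | tee -a "$1" > /dev/null &
  fake_source alpha 50 | tee -a "$1" > /dev/null &
  wait
}

# Count lines that are not exactly one label under example.com; a torn or
# merged line (two results glued together) fails this pattern.
count_malformed() {
  grep -Evc '^[a-z0-9-]+\.example\.com$' "$1" || true
}

# Number of distinct results after the sort -u step mentioned in the thread.
unique_count() {
  sort -u "$1" | wc -l | tr -d ' '
}

out=$(mktemp)
collect "$out"
echo "lines=$(wc -l < "$out" | tr -d ' ') malformed=$(count_malformed "$out") unique=$(unique_count "$out")"
rm -f "$out"
```

With plain tee (no -a) each process truncates the file and writes from its own offset, so concurrent runs overwrite each other's results.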


There’s no way that can be performant?

The tool isn’t that bad, give it a try at least!