Your company here ā€” click to reach over 10,000 unique daily visitors

dnsmap - Man Page

scan for subdomains using bruteforcing techniques

Examples (TL;DR)


dnsmap <target-domain> [options]


dnsmap scans a domain for common subdomains using a built-in or an external wordlist (if specified with -w option). The internal wordlist has around 1000 words in English and Spanish as ns1, firewall, servicios and smtp. So will be possible search for smtp.example.com inside example.com automatically. Results can be saved in CSV and human-readable format for further processing. dnsmap does NOT require root privileges to be run, and should NOT be run with such privileges for security reasons.

dnsmap was originally released back in 2006 and was inspired by the fictional story "The Thief No One Saw" by Paul Craig, which can be found in the book "Stealing the Network - How to 0wn the Box".

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc.

Subdomain bruteforcing is another technique that should be used in the enumeration stage, as it's especially useful when other domain enumeration techniques such as zone transfers don't work (is rare to see zone transfers being publicly allowed these days by the way).

Fun things that can happen:

  1. Finding interesting remote access servers (e.g.: https://extranet.example.com).
  2. Finding badly configured and/or unpatched servers (e.g.: test.example.com).
  3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks of your target organization (registry lookups - aka whois is your friend).
  4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date "A" records which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance).
  5. Discover embedded devices configured using Dynamic DNS services (e.g.: IP Cameras). This method is an alternative to finding devices via Google hacking techniques.


-w <wordlist-file>

Use an external wordlist instead of the built-in one. You can use programs as crunch or cupp to generate personalized wordlists.

-r <regular-results-file>

Save results to a plain text file. If a file name isn't supplied, dnsmap will create an unique filename which includes the current timestamp. e.g.: dnsmap_example_com_br_2019_11_15_214812.txt. So, you can provide a directory name only, as -r /tmp.

-c <csv-results-file>

Save results in CSV format in a file. If a file name isn't provided, dnsmap will create something as dnsmap_example_com_br_2019_11_15_220114.csv. This is a similar behaviour from -r option.

-d <delay-millisecs>

Limit of random delay in milliseconds between successive queries. Delay value is a maximum random value. e.g. if you enter 1000, each DNS request will be delayed a *maximum* of 1 second. By default, dnsmap uses a value of 10 milliseconds of maximum delay between DNS lookups. It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is interfering with your online experience. i.e.: killing your bandwidth. If used, delay must be between 1 and 300000 milliseconds (5 minutes).

-i <ips-to-ignore>

IP addresses to ignore in the results (useful if you get obtaining false positives). Use commas without spaces to separate the IP addresses. The maximum number of IPs to filter is 5. Example:,

Internal Wordlist

The built-in wordlist is defined in src/dnsmap.h file. If needed, see the file to know all words.


Subdomain bruteforcing using dnsmap's built-in wordlist:

    $ dnsmap example.com

Subdomain bruteforcing using a user-supplied wordlist:

    $ dnsmap example.com -w wordlist.txt

Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :

    $ dnsmap example.com -r /tmp

Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, and waiting a random maximum of 300 milliseconds between each request:

    $ dnsmap example.com -r /tmp/ -d 300

Subdomain bruteforcing with 0.8 seconds delay, saving results in regular and CSV format, filtering 2 user-provided IP and using a user-supplied wordlist:

    $ dnsmap example.com -d 800 -r /tmp/ -c /tmp/ -i, -w ./wordlist_TLAs.txt


Currently, dnsmap does not yet support parallel scanning and hence take quite a long time.

New bugs should be reported at https://github.com/resurrecting-open-source-projects/dnsmap/issues

See Also

crunch(1), cupp(1), dnsmap-bulk(1)


dnsmap was originally written by "pagvac" in 2006. Currently it is maintained by volunteers, inside dnsmap project, at https://github.com/resurrecting-open-source-projects/dnsmap/

This manpage was written by Joao Eriberto Mota Filho.

Referenced By


25 Feb 2021 dnsmap-0.36 scan for subdomains using bruteforcing techniques