dnsmap was originally released back in 2006 and was inspired by the
fictional story "The Thief No One Saw" by Paul Craig, which can be found
in the book "Stealing the Network - How to 0wn the Box".

dnsmap is mainly meant to be used by pentesters during the information
gathering/enumeration phase of infrastructure security assessments. During the
enumeration stage, the security consultant would typically discover the target
company's IP netblocks, domain names, phone numbers, etc.

Subdomain brute-forcing is another technique that should be used in the
enumeration stage, as it's especially useful when other domain enumeration
techniques such as zone transfers don't work (I rarely see zone transfers
being *publicly* allowed these days by the way).

If you are interested in researching stealth computer intrusion techniques,
I suggest reading this excellent (and fun) chapter which you can find for
*free* on the web:

I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has
been reviewed by the community:


Compiling should be straightforward:

$ make

or, compiling by hand:

$ gcc -Wall dnsmap.c -o dnsmap

To install (as root):

# make install

or:

# cp ./dnsmap /usr/local/bin/dnsmap

If you wish to bruteforce several target domains in bulk, you can use the
included script. Just copy the script to /usr/local/bin/ so you can
call it from any location. e.g.:

# cp ./ /usr/local/bin/

And set execute permissions. e.g.:

# chmod ugo+x /usr/local/bin/


Lack of multi-threading. This speed issue will hopefully be resolved in future versions.


1. Finding interesting remote access servers (e.g.:

2. Finding badly configured and/or unpatched servers (e.g.:

3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
   of your target organization (registry lookups - aka whois is your friend)

4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
   (RFC 1918). This is great as sometimes they are real up-to-date "A" records, which means
   that it *is* possible to enumerate internal servers of a target organization from the
   Internet by only using standard DNS resolving (as opposed to zone transfers, for instance).

5. Discover embedded devices configured using Dynamic DNS services (e.g.:
   This method is an alternative to finding devices via Google hacking techniques.


Bruteforcing can be done either with dnsmap's built-in wordlist or a user-supplied wordlist.
Results can be saved in CSV and human-readable format for further processing. dnsmap does
NOT require root privileges to be run, and should NOT be run with such privileges for
security reasons.

The usage syntax can be obtained by simply running dnsmap without any parameters:

$ ./dnsmap

dnsmap 0.30 - DNS Network Mapper by pagvac (

usage: dnsmap <target-domain> [options]
-w <wordlist-file>
-r <regular-results-file>
-c <csv-results-file>
-d <delay-millisecs>
-i <ips-to-ignore> (useful if you're obtaining false positives)

Note: the delay value is a maximum random value. e.g.: if you enter 1000, each DNS request
will be delayed a *maximum* of 1 second. By default, dnsmap uses a value of 10 milliseconds
of maximum delay between DNS lookups.

Subdomain bruteforcing using dnsmap's built-in word-list:

$ ./dnsmap

Subdomain bruteforcing using a user-supplied wordlist:

$ ./dnsmap -w wordlist.txt

Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :

$ ./dnsmap -r /tmp/

Since no filename was provided in the previous example, but rather only a path, dnsmap would
create a unique filename which includes the current timestamp. e.g.:

Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/,
and waiting a random maximum of 3 milliseconds between each request:

$ ./dnsmap -r /tmp/ -d 300

It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is
interfering with your online experience, i.e. killing your bandwidth.

Subdomain bruteforcing with a 0.8 second delay, saving results in regular and CSV format,
filtering 2 user-provided IPs and using a user-supplied wordlist:

$ ./dnsmap -d 800 -r /tmp/ -c /tmp/ -i, -w ./wordlist_TLAs.txt
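The -i option exists because wildcard DNS records make every bruteforced name "resolve", and use case 4 above is about names whose A records point into RFC 1918 space. The following is an added example, not dnsmap's own code: a Python post-processor for results in the layout assumed here for the -c CSV output (one "subdomain,ip" row per hit; the sample rows and the address values are constructed). It drops the addresses you would pass to -i, flags RFC 1918 hits, and includes a wildcard probe that takes a resolver callable (for real use, pass socket.gethostbyname) so it can be exercised offline.

```python
"""Post-process dnsmap-style results: drop wildcard false positives (the
reason for -i) and flag bruteforced names that resolve to RFC 1918 space.
Added example, not part of dnsmap; the CSV layout is an assumption."""
import csv
import io
import ipaddress
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample in the assumed "subdomain,ip" layout of dnsmap's -c output.
SAMPLE_CSV = """\
www.example.com,192.0.2.10
mail.example.com,192.0.2.25
intranet.example.com,10.1.2.3
vpn.example.com,192.0.2.40
asdfqwer.example.com,192.0.2.99
build.example.com,192.0.2.99
not-an-ip.example.com,bogus
"""

# RFC 1918 is checked explicitly: ipaddress.is_private also matches documentation
# and other special-purpose ranges, which is not what "internal servers" means here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Record = Tuple[str, str]


def parse_results(text: str) -> List[Tuple[str, ipaddress.IPv4Address]]:
    """Parse "name,ip" rows, skipping malformed lines instead of aborting."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        try:
            ip = ipaddress.ip_address(row[1].strip())
        except ValueError:
            continue                          # e.g. "bogus": not an address
        if ip.version == 4:
            rows.append((row[0].strip(), ip))
    return rows


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def wildcard_ips(resolve: Callable[[str], Optional[str]], domain: str,
                 probes: int = 3) -> Set[str]:
    """Resolve random labels that cannot be real hosts under `domain`. Any
    answer reveals a wildcard record; those addresses are what -i should ignore.
    `resolve` is injected (hypothetical parameter) so the function runs offline."""
    found: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)          # 16 random hex chars
        answer = resolve(f"{label}.{domain}")
        if answer:
            found.add(str(ipaddress.ip_address(answer)))
    return found


def triage(text: str, ignore_ips: Iterable[str]) -> Dict[str, List[Record]]:
    """Return the results minus ignored addresses, plus the RFC 1918 leaks."""
    ignore = {ipaddress.ip_address(i) for i in ignore_ips}
    kept: List[Record] = []
    internal: List[Record] = []
    for name, ip in parse_results(text):
        if ip in ignore:
            continue                          # wildcard / false-positive address
        kept.append((name, str(ip)))
        if is_rfc1918(ip):
            internal.append((name, str(ip)))
    return {"kept": kept, "internal": internal}


if __name__ == "__main__":
    # Stand-in resolver behaving like a zone with a wildcard record (constructed).
    fake_resolve = lambda name: "192.0.2.99"
    wild = wildcard_ips(fake_resolve, "example.com")
    report = triage(SAMPLE_CSV, wild)
    print("wildcard addresses to pass to -i:", sorted(wild))
    for name, ip in report["internal"]:
        print(f"internal address exposed in public DNS: {name} -> {ip}")
```

Run the wildcard probe first and feed its output to -i (or to triage); from a defender's side, the "internal" list is the set of records to remove or move to an internal view, since they are the ones that let outsiders map RFC 1918 hosts with nothing but ordinary resolution.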

For bruteforcing a list of target domains in bulk, use the bash script provided. e.g.:

$ ./ domains.txt /tmp/results/


OTHER SIMILAR TOOLS - choice is freedom!



Fierce Domain Scan





pagvac |
Feb 2010