Mastering DNS Enumeration: A Comprehensive Guide to dnsmap and dnsmap-bulk for Subdomain Discovery and Security Assessments

Gems Zayn
2 min read · Nov 21, 2023

1. What is dnsmap?

  • dnsmap: dnsmap is a tool for scanning a domain for common subdomains using brute-forcing techniques: it prepends each word of a wordlist to the target domain and records the names that resolve. It can use a built-in wordlist or an external wordlist to perform the scan. The tool was originally released in 2006 and is primarily intended for use by pentesters, ethical hackers, and forensics experts during the information gathering/enumeration phase of security assessments.

2. How to use dnsmap:

  • dnsmap Command: The basic command structure for dnsmap is dnsmap <target-domain> [options]. For example, to scan "example.com" using the built-in wordlist, you would use dnsmap example.com.
  • Options: Some important options include:
      • -w <wordlist-file>: Use an external wordlist instead of the built-in one.
      • -r <regular-results-file>: Save results to a plain text file.
      • -c <csv-results-file>: Save results in CSV format.
      • -d <delay-millisecs>: Set a maximum random delay between DNS requests.
      • -i <ips-to-ignore>: Specify IP addresses to ignore in the results.

3. Examples:

  • Here are some examples of how to use dnsmap:
      • Basic scan: dnsmap example.com
      • Scan with an external wordlist: dnsmap example.com -w wordlist.txt
      • Save results to a file in a specific directory: dnsmap example.com -r /tmp/
      • Set a maximum random delay of 300 ms between requests: dnsmap example.com -d 300

4. dnsmap-bulk:

  • dnsmap-bulk: This is a companion tool to dnsmap that allows you to perform bulk scans on multiple target domains. It reads a list of domains from a file and uses dnsmap for each domain.
  • Example: dnsmap-bulk domains.txt /tmp/results/
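To make the mechanics of sections 2 to 4 concrete, here is an added example in Python (not dnsmap's or dnsmap-bulk's own code) that reimplements what the options describe: a wordlist of candidate labels, a maximum random delay between queries (-d), a set of IPs to ignore (-i), plain-text (-r) and CSV (-c) output, and a dnsmap-bulk style loop over several domains. The resolver is injectable; the demo runs offline against a constructed lookup table (FAKE_RECORDS, WILDCARD_IP and fake_resolver are assumptions made up for this example), and resolve_with_socket queries real DNS instead. The fake zone has a wildcard record on example.com, which shows why the ignore list exists: a catch-all answer makes every wordlist entry look like a hit until that address is filtered out.

```python
"""dnsmap-style subdomain brute-forcer (added example, not dnsmap's source).

Mirrors the options described above: a wordlist of candidate labels,
a maximum random delay between queries (-d), a set of IPs to ignore (-i),
plain-text (-r) and CSV (-c) output, plus a dnsmap-bulk style loop over
several domains.  The resolver is injectable so the demo runs offline
against a constructed lookup table; use resolve_with_socket for real DNS.
"""
import csv
import io
import random
import socket
import time
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

# A resolver maps a hostname to the IPs it resolves to ([] when it does not exist).
Resolver = Callable[[str], List[str]]

# Short constructed wordlist standing in for dnsmap's ~1000-word built-in list.
DEFAULT_WORDLIST = ["www", "mail", "dev", "vpn", "intranet", "ns1", "ftp"]


def resolve_with_socket(hostname: str) -> List[str]:
    """Real resolver via the system stub resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except socket.gaierror:
        return []


def brute_force(domain: str,
                wordlist: Sequence[str] = DEFAULT_WORDLIST,
                resolve: Resolver = resolve_with_socket,
                ignore_ips: Iterable[str] = (),
                max_delay_ms: int = 0) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs for every wordlist label that resolves.

    ignore_ips (-i) drops addresses from the results, typically the catch-all
    address returned for every name under a wildcard record.
    max_delay_ms (-d) sleeps a random 0..max_delay_ms ms before each query.
    """
    ignored = set(ignore_ips)
    found: List[Tuple[str, str]] = []
    for label in wordlist:
        if max_delay_ms > 0:
            time.sleep(random.uniform(0, max_delay_ms) / 1000.0)
        host = f"{label}.{domain}"
        for ip in resolve(host):
            if ip not in ignored:
                found.append((host, ip))
    return found


def to_plain_text(results: Sequence[Tuple[str, str]]) -> str:
    """-r style output: one 'host  ip' line per result."""
    return "\n".join(f"{host}  {ip}" for host, ip in results)


def to_csv(results: Sequence[Tuple[str, str]]) -> str:
    """-c style output: one host,ip row per result."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerows(results)
    return buf.getvalue()


def bulk_scan(domains: Iterable[str], **kwargs) -> Dict[str, List[Tuple[str, str]]]:
    """dnsmap-bulk style loop: one brute_force run per domain, sequentially,
    since dnsmap itself has no parallel mode (see Limitations)."""
    return {domain: brute_force(domain, **kwargs) for domain in domains}


# --- Constructed offline stand-in for DNS (assumption: these records are made up) ---
WILDCARD_IP = "198.51.100.7"          # catch-all answer for *.example.com
FAKE_RECORDS = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["203.0.113.25"],
    "ns1.example.org": ["203.0.113.53"],
}


def fake_resolver(hostname: str) -> List[str]:
    """Behaves like a zone with explicit records plus a wildcard on example.com."""
    if hostname in FAKE_RECORDS:
        return list(FAKE_RECORDS[hostname])
    if hostname.endswith(".example.com"):
        return [WILDCARD_IP]
    return []


if __name__ == "__main__":
    # Without -i every wordlist entry "hits" because of the wildcard record...
    noisy = brute_force("example.com", resolve=fake_resolver)
    print(f"example.com without ignore list: {len(noisy)} results (wildcard noise)")
    # ...with the catch-all address ignored, only the real records remain.
    clean = bulk_scan(["example.com", "example.org"], resolve=fake_resolver,
                      ignore_ips={WILDCARD_IP})
    for domain, results in clean.items():
        print(f"== {domain}")
        print(to_plain_text(results))
    print(to_csv(clean["example.com"]), end="")
```

Running it against a real zone means swapping fake_resolver for resolve_with_socket and, when every candidate comes back with the same address, feeding that address to ignore_ips exactly as you would pass it to dnsmap's -i. The bulk loop is deliberately sequential to match the tool; the per-domain function is where a concurrency layer would go if the scan time noted under Limitations becomes a problem.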

5. Fun things that can happen during scans:

  • dnsmap can help discover interesting servers, misconfigured servers, new domain names, internal IP addresses, and even embedded devices configured using Dynamic DNS services.

6. Additional Information:

  • The built-in wordlist includes around 1000 words in English and Spanish.
  • dnsmap does not require root privileges to run and should not be run with such privileges for security reasons.
  • The tool is actively maintained, and any bugs can be reported on its GitHub page.

7. Authorship:

  • dnsmap was originally written by “pagvac” in 2006 and is currently maintained by volunteers within the dnsmap project.

8. Limitations:

  • Currently, dnsmap does not support parallel scanning, which means it may take a long time for large scans.

I hope this detailed explanation helps you understand dnsmap better. If you have any specific questions or if there’s anything else you’d like to know, feel free to ask!
