{"id":13438434,"url":"https://github.com/blechschmidt/massdns","last_synced_at":"2025-05-13T18:14:49.456Z","repository":{"id":41078189,"uuid":"61796725","full_name":"blechschmidt/massdns","owner":"blechschmidt","description":"A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)","archived":false,"fork":false,"pushed_at":"2025-01-21T18:00:06.000Z","size":884,"stargazers_count":3326,"open_issues_count":15,"forks_count":478,"subscribers_count":75,"default_branch":"master","last_synced_at":"2025-04-25T15:48:42.281Z","etag":null,"topics":["bulk-dns","dns","dns-bruteforcer","dns-client","dns-lookup","dns-resolution","dns-resolver","massdns","reconnaissance","subbrute","subdomain"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/blechschmidt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-06-23T10:30:39.000Z","updated_at":"2025-04-24T12:37:46.000Z","dependencies_parsed_at":"2024-03-09T01:32:15.065Z","dependency_job_id":"d2196557-ae27-4a03-b58d-7546cf7850d4","html_url":"https://github.com/blechschmidt/massdns","commit_stats":{"total_commits":276,"total_committers":27,"mean_commits":"10.222222222222221","dds":0.5869565217391304,"last_synced_commit":"bad45b873057637ae69b9d9f4c1c179126f97a48"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Fmassdns","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Fmassdns/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Fmassdns/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/blechschmidt%2Fmassdns/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/blechschmidt","download_url":"https://codeload.github.com/blechschmidt/massdns/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254000885,"owners_count":21997443,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bulk-dns","dns","dns-bruteforcer","dns-client","dns-lookup","dns-resolution","dns-resolver","massdns","reconnaissance","subbrute","subdomain"],"created_at":"2024-07-31T03:01:05.508Z","updated_at":"2025-05-13T18:14:49.413Z","avatar_url":"https://github.com/blechschmidt.png","language":"C","readme":"# MassDNS\n## A high-performance DNS stub resolver\n\nMassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain\nnames in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over\n350,000 names per second using publicly available resolvers.\n\n## Contributors\n* [Quirin Scheitle](https://github.com/quirins), [Technical University of Munich](https://www.net.in.tum.de/members/scheitle/)\n\n## Compilation\nClone the git repository and `cd` into the project root folder. Then run `make` to build from source.\nIf you are not on Linux, run `make nolinux`. On Windows, the [Cygwin](https://cygwin.com/) packages `gcc-core`, `git` and `make` are required.\n\n## Usage\n```\nUsage: ./bin/massdns [options] [domainlist]\n -b --bindto Bind to IP address and port. (Default: 0.0.0.0:0)\n --busy-poll Use busy-wait polling instead of epoll.\n -c --resolve-count Number of resolves for a name before giving up. (Default: 50)\n --drop-group Group to drop privileges to when running as root. (Default: nogroup)\n --drop-user User to drop privileges to when running as root. (Default: nobody)\n --extended-input Input names are followed by a space-separated list of resolvers.\n These are used before falling back to the resolvers file.\n --filter Only output packets with the specified response code.\n --flush Flush the output file whenever a response was received.\n -h --help Show this help.\n --ignore Do not output packets with the specified response code.\n -i --interval Interval in milliseconds to wait between multiple resolves of the same\n domain. (Default: 500)\n -l --error-log Error log file path. (Default: /dev/stderr)\n --norecurse Use non-recursive queries. Useful for DNS cache snooping.\n -o --output Flags for output formatting.\n --predictable Use resolvers incrementally. Useful for resolver tests.\n --processes Number of processes to be used for resolving. (Default: 1)\n -q --quiet Quiet mode.\n --rand-src-ipv6 Use a random IPv6 address from the specified subnet for each query.\n --rcvbuf Size of the receive buffer in bytes.\n --retry Unacceptable DNS response codes.\n (Default: All codes but NOERROR or NXDOMAIN)\n -r --resolvers Text file containing DNS resolvers.\n --root Do not drop privileges when running as root. Not recommended.\n -s --hashmap-size Number of concurrent lookups. (Default: 10000)\n --sndbuf Size of the send buffer in bytes.\n --status-format Format for real-time status updates, json or ansi (Default: ansi)\n --sticky Do not switch the resolver when retrying.\n --socket-count Socket count per process. (Default: 1)\n -t --type Record type to be resolved. (Default: A)\n --verify-ip Verify IP addresses of incoming replies.\n -w --outfile Write to the specified output file instead of standard output.\n\nOutput flags:\n L - domain list output\n S - simple text output\n F - full text output\n B - binary output\n J - ndjson output\n\nAdvanced flags for the domain list output mode:\n 0 - Include NOERROR replies without answers.\n\nAdvanced flags for the simple output mode:\n d - Include records from the additional section.\n i - Indent any reply record.\n l - Separate replies using a line feed.\n m - Only output reply records that match the question name.\n n - Include records from the answer section.\n q - Print the question.\n r - Print the question with resolver IP address, Unix timestamp and return code prepended.\n s - Separate packet sections using a line feed.\n t - Include TTL and record class within the output.\n u - Include records from the authority section.\n\nAdvanced flags for the ndjson output mode:\n e - Write a record for each terminal query failure.\n```\n\nFor a detailed description of the command line interface, please consult the man page using `man ./doc/massdns.1`.\n\n### Example\nResolve all AAAA records from domains within domains.txt using the resolvers within `resolvers.txt` in `lists` and\nstore the results within results.txt:\n```\n$ ./bin/massdns -r lists/resolvers.txt -t AAAA domains.txt \u003e results.txt\n```\n\nThis is equivalent to:\n```\n$ ./bin/massdns -r lists/resolvers.txt -t AAAA -w results.txt domains.txt\n```\n\n#### Example output\nBy default, MassDNS will output response packets in text format which looks similar to the following:\n```\n;; Server: 77.41.229.2:53\n;; Size: 93\n;; Unix time: 1513458347\n;; -\u003e\u003eHEADER\u003c\u003c- opcode: QUERY, status: NOERROR, id: 51298\n;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n\n;; QUESTION SECTION:\nexample.com. IN A\n\n;; ANSWER SECTION:\nexample.com. 45929 IN A 93.184.216.34\n\n;; AUTHORITY SECTION:\nexample.com. 24852 IN NS b.iana-servers.net.\nexample.com. 24852 IN NS a.iana-servers.net.\n```\n\nThe resolver IP address is included in order to make it easier for you to filter the output in case you detect that some resolvers produce bad results.\n\n### Resolving\nThe repository includes the file `resolvers.txt` consisting of a filtered subset of the resolvers provided by the [subbrute project](https://github.com/TheRook/subbrute).\nPlease note that the usage of MassDNS may cause a significant load on the used resolvers and result in abuse complaints being sent to your ISP.\nAlso note that the provided resolvers are not guaranteed to be trustworthy. The resolver list is currently outdated with a large share of resolvers being dysfunctional.\n\nMassDNS's custom, malloc-free DNS implementation currently only supports the most common records. You are welcome to help changing this by collaborating.\n\n#### PTR records\nMassDNS includes a Python script allowing you to resolve all IPv4 PTR records by printing their respective queries to the standard output.\n```\n$ ./scripts/ptr.py | ./bin/massdns -r lists/resolvers.txt -t PTR -w ptr.txt\n```\nPlease note that the labels within `in-addr.arpa` are reversed. In order to resolve the domain name of `1.2.3.4`, MassDNS expects `4.3.2.1.in-addr.arpa` as input query name.\nAs a consequence, the Python script does not resolve the records in an ascending order which is an advantage because sudden heavy spikes at the name servers of IPv4 subnets are avoided.\n\n#### Reconnaissance by brute-forcing subdomains\n**Perform reconnaissance scans responsibly and adjust the `-s` parameter to not overwhelm authoritative name servers.**\n\nSimilar to [subbrute](https://github.com/TheRook/subbrute), MassDNS allows you to brute force subdomains using the included `subbrute.py` script:\n```\n$ ./scripts/subbrute.py example.com lists/names.txt | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt\n```\n\nAs an additional method of reconnaissance, the `ct.py` script extracts subdomains from certificate transparency logs by scraping the data from [crt.sh](https://crt.sh):\n```\n$ ./scripts/ct.py example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w results.txt\n```\n\nThe files `names.txt` and `names_small.txt`, which have been copied from the [subbrute project](https://github.com/TheRook/subbrute), contain names of commonly used subdomains. Also consider using [Jason Haddix' subdomain compilation](https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056/raw/f58e82c9abfa46a932eb92edbe6b18214141439b/all.txt) with over 1,000,000 names or the [Assetnote wordlist](https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt) with over 9,000,000 million names.\n\nMassDNS also includes a `recon.py` wrapper script (beta status) in the `scripts` folder, which performs subdomain enumeration against authoritative name servers directly and thus does not require third-party resolvers. The concurrency is determined automatically by MassDNS and supports hundreds of thousands of queries per second, while delivering reliable results. On a cheap dedicated server, the Assetnode wordlist can be enumerated in less than a minute. A current limitation is that zone delegation is only handled up to the delegation point. For example, if `example.org` is enumerated and `sub.example.org` is delegated to another name server, `abc.sub.example.org` will not be found by this script if `abc.sub` is contained in the word list. However, the script will report this fact as `?.sub.example.org` in this case.\n```\n$ ./scripts/recon.py -d google.com -l lists/best-dns-wordlist.txt \u003e google.txt\n```\n\n## Screenshots\n![Screenshot](https://www.cysec.biz/projects/massdns/screenshots/screenshot2.png)\n\n## Security\nMassDNS does not require root privileges and will therefore drop privileges to the user called \"nobody\" by default when being run as root.\nIf the user \"nobody\" does not exist, MassDNS will refuse execution. In this case, it is recommended to run MassDNS as another non-privileged user.\nThe privilege drop can be circumvented using the `--root` argument which is not recommended.\nAlso note that other branches than master should not be used in production at all.\n\n## Practical considerations\n### Performance tuning\nMassDNS is a simple single-threaded application designed for scenarios in which the network is the bottleneck. It is designed to be run on servers with high upload and download bandwidths. Internally, MassDNS makes use of a hash map which controls the concurrency of lookups. Setting the size parameter `-s` hence allows you to control the lookup rate. If you are experiencing performance issues, try adjusting the `-s` parameter in order to obtain a better success rate.\n\n### Rate limiting evasion\nIn case rate limiting by IPv6 resolvers is a problem, you can make use of `--rand-src-ipv6 \u003cyour_ipv6_prefix\u003e`. MassDNS will then use a raw socket for sending and receiving DNS packets and randomly pick a source IPv6 address from the specified prefix for each query. This requires that MassDNS is run with `CAP_NET_RAW` privileges. When making use of this method, you should have `iptables` or `nftables` drop the DNS traffic received by MassDNS such that no ICMP `Port unreachable` responses are generated by the operating system, e.g. using `ip6tables -p udp --sport 53 -I INPUT -j DROP`. Note that this rule is just examplary and would drop all DNS traffic, including traffic for other applications. You might want to adapt the rule to be more fine-grained to fit your use case.\n\n### Result authenticity\nIf the authenticity of results is highly essential, you should not rely on the included resolver list. Instead, set up a local [unbound](https://www.unbound.net/) resolver and supply MassDNS with its IP address. In case you are using MassDNS as a reconnaissance tool, you may wish to run it with the default resolver list first and re-run it on the found names with a list of trusted resolvers in order to eliminate false positives.\n\nIn case you are enumerating subdomains for a single name, e.g. for `example.com`, you may want to simply leave out third-party resolvers. In this case, you can directly probe the authoritative nameservers like so:\n```\n$ ./bin/massdns -r \u003c(./scripts/auth-addrs.sh example.com) --norecurse -o Je example-com-subdomains.txt \u003e results.txt\n```\n\n## Todo\n- Prevent flooding resolvers which are employing rate limits or refusing resolves after some time\n- Implement bandwidth limits\n- Employ cross-resolver checks to detect DNS poisoning and DNS spam (e.g. [Level 3 DNS hijacking](https://web.archive.org/web/20140302064622/http://james.bertelson.me/blog/2014/01/level-3-are-now-hijacking-failed-dns-requests-for-ad-revenue-on-4-2-2-x/))\n- Add wildcard detection for reconnaissance\n- Improve reconnaissance reliability by adding a mode which re-resolves found domains through a list of trusted (local) resolvers in order to eliminate false positives\n- Detect optimal concurrency automatically\n- Parse the command line properly and allow the usage/combination of short options without spaces\n","funding_links":[],"categories":["Asset Discovery","Subdomain-enum","\u003ca id=\"a76463feb91d09b3d024fae798b92be6\"\u003e\u003c/a\u003e侦察\u0026\u0026信息收集\u0026\u0026子域名发现与枚举\u0026\u0026OSINT","Recon","C","[↑](#contents)IP Address Discovery","Related Lists","C (286)","others","扫描器_资产收集_子域名","\u003ca id=\"170048b7d8668c50681c0ab1e92c679a\"\u003e\u003c/a\u003e工具","BUG BOUNTY / SECURITY RESEARCH","Programming/Comp Sci/SE Things"],"sub_categories":["IP Address Discovery","\u003ca id=\"05ab1b75266fddafc7195f5b395e4d99\"\u003e\u003c/a\u003e未分类-OSINT","Subdomain Enumeration","资源传输下载","Reconnaissance \u0026 Enumeration","Subdomain/DNS Stuff"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblechschmidt%2Fmassdns","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblechschmidt%2Fmassdns","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblechschmidt%2Fmassdns/lists"}