https://github.com/bl4ckstack/dnx
DNX - Domain Explorer: A fast Perl tool for subdomain discovery and reconnaissance. Uses passive/active techniques to find and validate subdomains for security testing.
bugbounty cli ctf cybersecurity domain-scanning information-gathering network-security osint passive-recon pentesting perl reconnaissance security-tools subdomain-enumeration
- Host: GitHub
- URL: https://github.com/bl4ckstack/dnx
- Owner: bl4ckstack
- License: mit
- Created: 2025-11-19T18:51:47.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2025-11-20T05:41:50.000Z (7 months ago)
- Last Synced: 2025-11-20T07:17:16.652Z (7 months ago)
- Topics: bugbounty, cli, ctf, cybersecurity, domain-scanning, information-gathering, network-security, osint, passive-recon, pentesting, perl, reconnaissance, security-tools, subdomain-enumeration
- Language: Perl
- Homepage:
- Size: 562 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# DNX: Domain Explorer
> Production-ready subdomain enumeration for security researchers. Fast, intelligent, and respectful of rate limits.

## Why DNX?
Stop cobbling together multiple tools. DNX combines passive reconnaissance with active brute-forcing in one clean package. Written in Perl for speed and portability.
**10 API sources + parallel DNS resolution + wildcard detection + takeover checks = Complete subdomain discovery**
## Quick Start
```bash
# Install dependencies and run
make deps
./dnx --domain target.com
# Full scan with all features
./dnx -d target.com --wordlist subdomains.txt --threads 50 \
--recursive --http-probe --takeover-check
# Passive only (zero packets to target)
./dnx -d target.com --passive
```
## Installation
### One-Line Install
```bash
make deps && sudo make install
```
### Manual Setup
```bash
# Install Perl modules
cpanm LWP::UserAgent JSON Net::DNS Term::ANSIColor
# Make executable
chmod +x dnx
# Optional: Install system-wide
sudo cp dnx /usr/local/bin/
```
### Makefile Commands
```bash
make # Syntax check
make deps # Install dependencies
make install # Install to /usr/local/bin
make uninstall # Remove from system
make test # Run tests
make clean # Clean cache and outputs
make help # Show all commands
```
## Features
- **Passive Enumeration** • Query 10 sources without touching the target
- **Active Brute-Force** • Parallel DNS resolution with custom wordlists
- **Wildcard Detection** • Automatically filter false positives
- **Smart Caching** • 24-hour cache reduces API load
- **Multi-Format Output** • Text, JSON, CSV exports
- **Progress Tracking** • Real-time progress bars and ETA
- **Graceful Exit** • Ctrl+C saves partial results
- **DNS Rotation** • Distribute queries across multiple resolvers
- **Record Type Support** • A, AAAA, CNAME, MX, NS, TXT, SOA
- **Recursive Discovery** • Find subdomains of subdomains
- **Zone Transfer** • Attempt AXFR on misconfigured servers
- **HTTP Probing** • Test service availability and extract titles
- **Takeover Detection** • Identify vulnerable subdomains
## Data Sources
### Free APIs (No Key Required)
- **crt.sh** • Certificate Transparency logs
- **HackerTarget** • DNS and threat intelligence
- **ThreatCrowd** • Crowdsourced threat data
- **AlienVault OTX** • Open Threat Exchange
- **Riddler.io** • Comprehensive DNS database
- **BufferOver** • DNS enumeration service
- **URLScan** • URL scanning and analysis
### Premium APIs (Optional)
- **VirusTotal** • Enhanced subdomain discovery
- **Shodan** • Internet-wide scanning data
- **SecurityTrails** • Historical DNS data
## Usage
### Basic Scans
```bash
# Quick passive scan
./dnx -d github.com
# Passive + brute-force
./dnx -d stripe.com --wordlist subdomains.txt
# High-speed mode (50 threads)
./dnx -d target.com -w large-list.txt --threads 50
# Save results
./dnx -d target.com -o results.json --format json
```
### Advanced Techniques
```bash
# Custom DNS resolvers
./dnx -d target.com --resolvers 1.1.1.1,8.8.8.8,9.9.9.9
# Multiple record types
./dnx -d target.com --record-types A,AAAA,MX,NS,TXT
# Recursive discovery
./dnx -d target.com --recursive --recursion-depth 2
# Zone transfer attempt
./dnx -d target.com --zone-transfer
# HTTP probing with takeover detection
./dnx -d target.com --http-probe --takeover-check
# Slow and stealthy
./dnx -d target.com --threads 5 --rate-limit 3
# With API keys for maximum coverage
./dnx -d target.com \
--shodan-key YOUR_SHODAN_KEY \
--virustotal-key YOUR_VT_KEY \
--securitytrails-key YOUR_ST_KEY
# Quiet mode for scripting
./dnx -d target.com -q -o subdomains.txt
# Verbose debugging
./dnx -d target.com -v --wordlist test.txt
```
### Input Flexibility
DNX handles various input formats automatically:
```bash
# All of these work:
./dnx -d example.com
./dnx -d https://example.com
./dnx -d http://example.com/path
./dnx -d example.com:443
```
## Command-Line Options
| Option | Description | Default |
|--------|-------------|---------|
| `-d, --domain` | Target domain (required) | - |
| `-w, --wordlist` | Brute-force wordlist | - |
| `-t, --threads` | Concurrent threads | 20 |
| `--timeout` | DNS timeout (seconds) | 5 |
| `-o, --output` | Output file | stdout |
| `-f, --format` | text, json, csv | text |
| `-p, --passive` | Passive only (no DNS) | false |
| `--no-bruteforce` | Skip brute-force | false |
| `-q, --quiet` | Minimal output | false |
| `-v, --verbose` | Detailed logging | false |
| `-r, --recursive` | Recursive discovery | false |
| `--recursion-depth` | Recursion depth | 3 |
| `-z, --zone-transfer` | Attempt AXFR | false |
| `--http-probe` | Probe HTTP services | false |
| `--takeover-check` | Check for takeovers | false |
| `--resolvers` | DNS servers (comma-separated) | 8.8.8.8,1.1.1.1 |
| `--rate-limit` | API requests/second | 10 |
| `--record-types` | DNS types to query | A |
| `--shodan-key` | Shodan API key | - |
| `--virustotal-key` | VirusTotal API key | - |
| `--securitytrails-key` | SecurityTrails API key | - |
| `-h, --help` | Show help | - |
| `--version` | Show version | - |
## Configuration File
Create `~/.dnx/config.ini` for persistent settings:
```ini
# Performance
threads = 30
timeout = 5
rate_limit = 10
# Output
format = text
# DNS Resolvers
resolvers = 8.8.8.8,1.1.1.1,9.9.9.9
# API Keys (optional)
shodan_api_key = YOUR_KEY_HERE
virustotal_api_key = YOUR_KEY_HERE
securitytrails_api_key = YOUR_KEY_HERE
```
## API Keys Setup
### VirusTotal
1. Sign up: https://www.virustotal.com/
2. Get key: https://www.virustotal.com/gui/my-apikey
3. Use it:
```bash
export VIRUSTOTAL_API_KEY="your_key"
./dnx -d target.com --virustotal-key "$VIRUSTOTAL_API_KEY"
```
### Shodan
1. Sign up: https://account.shodan.io/register
2. Get key: https://account.shodan.io/
3. Use it:
```bash
export SHODAN_API_KEY="your_key"
./dnx -d target.com --shodan-key "$SHODAN_API_KEY"
```
### SecurityTrails
1. Sign up: https://securitytrails.com/
2. Get key: https://securitytrails.com/app/account/credentials
3. Use it:
```bash
export SECURITYTRAILS_API_KEY="your_key"
./dnx -d target.com --securitytrails-key "$SECURITYTRAILS_API_KEY"
```
## Output Formats
### Text (Default)
Clean, colorized terminal output:
```
www.github.com 140.82.121.4
api.github.com 140.82.121.6
docs.github.com 185.199.108.153
```
### JSON
Structured data for automation:
```json
{
"domain": "github.com",
"timestamp": "2025-11-19 12:34:56",
"count": 157,
"subdomains": [
{
"subdomain": "www.github.com",
"ip": "140.82.121.4"
}
]
}
```
### CSV
Import into spreadsheets:
```csv
subdomain,ip
www.github.com,140.82.121.4
api.github.com,140.82.121.6
```
## Performance
### Benchmarks
- **Passive Scan:** 5-15 seconds (network dependent)
- **1K wordlist @ 20 threads:** 30-60 seconds
- **10K wordlist @ 50 threads:** 5-10 minutes
- **100K wordlist @ 100 threads:** 30-45 minutes
### Optimization Tips
```bash
# Maximum speed (use with caution)
./dnx -d target.com -w huge.txt --threads 100 --timeout 3
# Balanced approach
./dnx -d target.com -w medium.txt --threads 30 --timeout 5
# Stealth mode
./dnx -d target.com -w small.txt --threads 5 --rate-limit 3
```
**Pro Tips:**
- Start with passive enumeration
- Use targeted wordlists (quality over quantity)
- Increase threads only if your network can handle it
- Custom resolvers can dramatically improve speed
- Cache is your friend (24-hour retention)
## DNS Record Types
Query multiple record types simultaneously:
```bash
./dnx -d target.com --record-types A,AAAA,MX,NS,TXT
```
| Type | Purpose |
|------|---------|
| **A** | IPv4 addresses |
| **AAAA** | IPv6 addresses |
| **CNAME** | Canonical name aliases |
| **MX** | Mail exchange servers |
| **NS** | Name servers |
| **TXT** | Text records (SPF, DKIM, etc.) |
| **SOA** | Start of authority |
## Advanced Features
### Recursive Discovery
Find subdomains of discovered subdomains:
```bash
./dnx -d target.com --recursive --recursion-depth 2
```
Automatically tries common patterns on found subdomains:
- www, dev, staging, test, api, admin, portal
### Zone Transfer (AXFR)
Attempt DNS zone transfer on misconfigured servers:
```bash
./dnx -d target.com --zone-transfer
```
Queries all nameservers and attempts AXFR. Rarely successful on modern infrastructure, but worth trying.
### HTTP Probing
Test if discovered subdomains have active HTTP/HTTPS services:
```bash
./dnx -d target.com --http-probe
```
Features:
- Tests both HTTP and HTTPS
- Extracts page titles
- Records HTTP status codes
- Follows redirects
### Subdomain Takeover Detection
Check discovered subdomains for dangling CNAME records that point to third-party hosting services:
```bash
./dnx -d target.com --takeover-check
```
**Detects:**
- GitHub Pages (github.io)
- Heroku (herokuapp.com)
- AWS S3 (amazonaws.com)
- Azure (azurewebsites.net)
- CloudFront (cloudfront.net)
Identifies dangling DNS records that could be exploited.
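
The same check can be run by a defender over an export of their own zone. The sketch below is an added example, not DNX's code: it matches CNAME targets against the suffix list above on a label boundary and marks targets that no longer resolve. The function names, the zone data and the "does not resolve" criterion are assumptions; the page does not describe DNX's own criteria.

```python
from typing import Callable, Dict, List, Optional

# Service suffixes taken from the "Detects" list above.
SERVICE_SUFFIXES = {
    "github.io": "GitHub Pages",
    "herokuapp.com": "Heroku",
    "amazonaws.com": "AWS S3",
    "azurewebsites.net": "Azure",
    "cloudfront.net": "CloudFront",
}


def match_service(cname_target: str) -> Optional[str]:
    """Return the service name if the target sits under a listed suffix.

    Matching is on a label boundary, so "notgithub.io" does not match "github.io".
    """
    target = cname_target.rstrip(".").lower()
    for suffix, service in SERVICE_SUFFIXES.items():
        if target == suffix or target.endswith("." + suffix):
            return service
    return None


def audit_cnames(cnames: Dict[str, str],
                 target_resolves: Callable[[str], bool]) -> List[dict]:
    """List CNAMEs that delegate to a listed service, marking dead targets.

    Assumption: a target that no longer resolves is treated as dangling. A
    target that still resolves can also be unclaimed, so review every row.
    """
    findings = []
    for host, target in sorted(cnames.items()):
        service = match_service(target)
        if service is None:
            continue
        clean = target.rstrip(".").lower()
        findings.append({"host": host, "target": clean, "service": service,
                         "dangling": not target_resolves(clean)})
    return findings


# Constructed zone export (hostname -> CNAME target); not real records.
ZONE_CNAMES = {
    "docs.example.com": "example-org.github.io.",
    "shop.example.com": "old-shop.herokuapp.com",
    "cdn.example.com": "d111111abcdef8.cloudfront.net",
    "blog.example.com": "host.notgithub.io",
    "mail.example.com": "mx.example.net",
}
# Constructed: the targets that still resolve in this sample.
LIVE_TARGETS = {"example-org.github.io", "d111111abcdef8.cloudfront.net"}

if __name__ == "__main__":
    for row in audit_cnames(ZONE_CNAMES, lambda t: t in LIVE_TARGETS):
        print(row)
```

Rows with `dangling` set are the ones to fix first, by removing the CNAME or reclaiming the resource it names.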
## Real-World Examples
### Bug Bounty Reconnaissance
```bash
# Full enumeration with all sources
./dnx -d target.com \
--wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
--threads 50 \
--record-types A,AAAA,CNAME \
--recursive \
--http-probe \
--takeover-check \
--output target-subdomains.json \
--format json
```
### Red Team Engagement
```bash
# Passive only (zero footprint)
./dnx -d target.com --passive --no-bruteforce -o recon.txt
# Review results, then targeted brute-force
./dnx -d target.com -w custom-wordlist.txt --threads 10
```
### Continuous Monitoring
```bash
# Daily cron job
0 2 * * * /usr/local/bin/dnx -d mycompany.com -q -o /var/log/subdomains-$(date +\%Y\%m\%d).json -f json
# Compare changes
diff /var/log/subdomains-20250119.json /var/log/subdomains-20250120.json
```
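
A plain `diff` of two JSON reports also flags the `timestamp` and `count` fields and any reordering. The added example below (not part of DNX) compares two reports in the JSON format shown under Output Formats and returns only added, removed and re-pointed subdomains; the function names and both sample reports are constructed for illustration.

```python
import json
from typing import Dict, Set, Tuple


def load_report(text: str) -> Tuple[str, Dict[str, Set[str]]]:
    """Index a report in the JSON format shown above as {subdomain: {ip, ...}}."""
    report = json.loads(text)
    hosts: Dict[str, Set[str]] = {}
    for entry in report.get("subdomains", []):
        name = entry["subdomain"].rstrip(".").lower()
        hosts.setdefault(name, set()).add(entry.get("ip") or "")
    return report["domain"].lower(), hosts


def compare_reports(old_text: str, new_text: str) -> dict:
    """Return hosts that appeared, disappeared, or changed address."""
    old_domain, old = load_report(old_text)
    new_domain, new = load_report(new_text)
    if old_domain != new_domain:
        raise ValueError(f"different domains: {old_domain} vs {new_domain}")
    shared = sorted(old.keys() & new.keys())
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": {n: {"old": sorted(old[n]), "new": sorted(new[n])}
                    for n in shared if old[n] != new[n]},
    }


# Constructed reports (documentation addresses, not real scan output).
YESTERDAY = json.dumps({
    "domain": "example.com", "timestamp": "2025-01-19 02:00:03", "count": 3,
    "subdomains": [
        {"subdomain": "www.example.com", "ip": "192.0.2.4"},
        {"subdomain": "api.example.com", "ip": "192.0.2.6"},
        {"subdomain": "old.example.com", "ip": "192.0.2.9"},
    ],
})
TODAY = json.dumps({
    "domain": "example.com", "timestamp": "2025-01-20 02:00:05", "count": 3,
    "subdomains": [
        {"subdomain": "staging.example.com", "ip": "192.0.2.30"},
        {"subdomain": "api.example.com", "ip": "192.0.2.7"},
        {"subdomain": "WWW.example.com", "ip": "192.0.2.4"},
    ],
})

if __name__ == "__main__":
    print(json.dumps(compare_reports(YESTERDAY, TODAY), indent=2))
```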
### Mass Scanning
```bash
# Scan multiple domains (one per line in domains.txt)
while IFS= read -r domain; do
  [ -n "$domain" ] || continue   # skip blank lines
  ./dnx -d "$domain" -p -o "results/$domain.json" -f json
  sleep 5
done < domains.txt
```
### Comprehensive Security Assessment
```bash
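# Kitchen sink approach
# (--passive is documented above as "Passive only (no DNS)"; drop it if the active stages are skipped)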
./dnx -d target.com \
--wordlist huge-list.txt \
--threads 50 \
--passive \
--recursive --recursion-depth 2 \
--zone-transfer \
--http-probe \
--takeover-check \
--record-types A,AAAA,CNAME,MX,NS,TXT \
--shodan-key "$SHODAN_KEY" \
--virustotal-key "$VT_KEY" \
--securitytrails-key "$ST_KEY" \
--output full-assessment.json \
--format json
```
## Wordlists
DNX includes a basic wordlist. For comprehensive scanning:
**SecLists (Recommended)**
```bash
git clone https://github.com/danielmiessler/SecLists.git
./dnx -d target.com -w SecLists/Discovery/DNS/subdomains-top1million-110000.txt
```
**Other Quality Lists:**
- https://github.com/rbsec/dnscan
- https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
- https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
## Smart Features
### Graceful Exit
Press `Ctrl+C` anytime:
- Saves all discovered subdomains
- Shows elapsed time and statistics
- Cleans up temporary files
- No data loss
### Wildcard Detection
Automatically filters false positives:
```
[!] Wildcard DNS detected for *.target.com → 1.2.3.4
[*] Filtering wildcard responses...
```
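
How such a filter can work, as an added example that is not DNX's code: resolve a few random labels that cannot exist, treat whatever comes back as the wildcard answer, and drop candidates whose answers fall inside it. The resolver is injected so the logic runs offline; all names and the sample zone are constructed assumptions.

```python
import secrets
from typing import Callable, Dict, FrozenSet, Iterable

# A resolver maps a hostname to its set of A-record IPs (empty set = no answer).
Resolver = Callable[[str], FrozenSet[str]]


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve random labels that cannot exist; any answer is a wildcard address.

    Several probes are used because a wildcard may rotate between addresses.
    """
    seen = set()
    for _ in range(probes):
        seen |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return frozenset(seen)


def filter_wildcards(candidates: Iterable[str], domain: str,
                     resolve: Resolver, probes: int = 3) -> Dict[str, FrozenSet[str]]:
    """Keep only candidates whose answers differ from the wildcard answer."""
    wild = wildcard_ips(domain, resolve, probes)
    kept = {}
    for host in candidates:
        ips = resolve(host)
        if not ips:
            continue              # no record at all
        if wild and ips <= wild:
            continue              # same answer a random name gets: not evidence
        kept[host] = ips
    return kept


def constructed_resolver(records: Dict[str, set], zone: str = "",
                         wildcard: FrozenSet[str] = frozenset()) -> Resolver:
    """Offline stand-in for DNS: explicit records first, then the zone wildcard."""
    def resolve(name: str) -> FrozenSet[str]:
        if name in records:
            return frozenset(records[name])
        if zone and name.endswith("." + zone):
            return wildcard
        return frozenset()
    return resolve


# Constructed sample data (documentation addresses, not real hosts).
RECORDS = {"www.example.com": {"192.0.2.20"}, "api.example.com": {"192.0.2.10"}}
CANDIDATES = ["www.example.com", "api.example.com", "ghost.example.com"]

if __name__ == "__main__":
    wild = constructed_resolver(RECORDS, "example.com", frozenset({"192.0.2.10"}))
    print(filter_wildcards(CANDIDATES, "example.com", wild))
```

In the sample, `api.example.com` is a real record that shares the wildcard address and is filtered along with the false positive, which is the trade-off of IP-based wildcard filtering.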
### Smart Caching
Results cached for 24 hours:
- Reduces API load
- Faster repeated scans
- Respects public services
- Automatic cache expiry
## Integration
### Pipe to Other Tools
```bash
# Feed to httpx for live host detection
./dnx -d target.com -q | httpx -silent
# Check with nuclei
./dnx -d target.com -q | nuclei -t vulnerabilities/
# Resolve with massdns
./dnx -d target.com -q > subs.txt
massdns -r resolvers.txt -t A -o S subs.txt
# Screenshots with aquatone
./dnx -d target.com -q | aquatone
```
### JSON Processing
```bash
# Extract subdomains with jq
./dnx -d target.com -f json | jq -r '.subdomains[].subdomain'
# Filter by IP range
./dnx -d target.com -f json | jq '.subdomains[] | select(.ip | startswith("192.168"))'
# Count results
./dnx -d target.com -f json | jq '.count'
```
### Automation Scripts
```bash
#!/bin/bash
# Full reconnaissance pipeline
# Stop on the first failing stage or unset variable
set -euo pipefail
# Target domain is required as the first argument
DOMAIN="${1:?usage: $0 <domain>}"
# Subdomain enumeration
./dnx -d "$DOMAIN" --passive -o "${DOMAIN}_subs.txt"
# Port scanning
naabu -silent -o "${DOMAIN}_ports.txt" < "${DOMAIN}_subs.txt"
# HTTP probing
httpx -silent -o "${DOMAIN}_http.txt" < "${DOMAIN}_ports.txt"
# Vulnerability scanning
nuclei -silent -o "${DOMAIN}_vulns.txt" < "${DOMAIN}_http.txt"
echo "Complete! Results in ${DOMAIN}_*.txt"
```
### Tool Chaining
Combine tools for maximum effectiveness:
```bash
# Passive from multiple tools
subfinder -d target.com -all -silent > subs1.txt
./dnx -d target.com --passive --no-bruteforce -q > subs2.txt
cat subs1.txt subs2.txt | sort -u > all_passive.txt
# Verify with DNX brute-force
./dnx -d target.com -w all_passive.txt --threads 50 -o verified.txt
# Probe services
cat verified.txt | httpx -silent -status-code -title -tech-detect
# Check for vulnerabilities
cat verified.txt | nuclei -t cves/ -t vulnerabilities/
```
## Troubleshooting
### Missing Dependencies
```bash
# Error: Cannot locate Net/DNS.pm
cpanm Net::DNS
# Or install all at once
make deps
```
### Slow Performance
```bash
# Use faster DNS resolvers
./dnx -d target.com --resolvers 1.1.1.1,8.8.8.8
# Increase threads
./dnx -d target.com --threads 50
# Reduce timeout for dead hosts
./dnx -d target.com --timeout 3
```
### API Rate Limits
```bash
# Reduce request rate
./dnx -d target.com --rate-limit 5
# Use API keys for higher limits
./dnx -d target.com --virustotal-key YOUR_KEY
```
### Too Many False Positives
```bash
# Verbose mode shows wildcard detection
./dnx -d target.com -v
# Manual wildcard check
dig randomstring123.target.com
```
### Permission Errors
```bash
# Cache directory permissions (~/.dnx also holds config.ini with API keys, so keep it owner-only)
chmod 700 ~/.dnx
chmod 600 ~/.dnx/cache/*
# Output file permissions
./dnx -d target.com -o results.txt
chmod 600 results.txt
```
## Security & Ethics
### Responsible Use
**DO:**
- Scan your own domains
- Get written permission before testing
- Respect rate limits and ToS
- Use for authorized security assessments
**DON'T:**
- Scan without permission
- Abuse public APIs
- Ignore rate limits
- Use for malicious purposes
### Legal Notice
This tool is for **authorized security testing only**. Users are responsible for complying with all applicable laws. Unauthorized scanning may be illegal in your jurisdiction.
## Contributing
Pull requests welcome for:
- Additional passive sources
- Performance improvements
- Bug fixes
- Documentation improvements
- New features (discuss first in issues)
**Coding Standards:**
- Follow existing Perl style
- Add tests for new features
- Update documentation
- Keep dependencies minimal
## FAQ
**Q: Why Perl instead of Go/Python/Rust?**
A: Perl is ubiquitous, fast for text processing, and the entire tool is a single self-contained script. No compilation needed.
**Q: How many API keys do I need?**
A: None required! 27 sources work without keys. Add keys for VirusTotal, Shodan, and SecurityTrails to access 3 more premium sources.
**Q: Is DNX better than Amass?**
A: Different tools for different needs. Amass has 10x more sources and enterprise features. DNX is simpler, lighter, and includes active enumeration + takeover checks in one tool.
**Q: Can I use DNX in bug bounties?**
A: Yes! Many researchers use DNX for initial reconnaissance. Combine with Subfinder for passive, then DNX for active verification.
**Q: Does DNX work on Windows?**
A: Yes, with Strawberry Perl or WSL. Best experience on Linux/macOS.
**Q: How do I add a new API source?**
A: Edit the script and add a function like `query_newsource()`. Follow existing patterns. PRs welcome!
## Roadmap
- [ ] AXFR improvements and better error handling
- [ ] Certificate transparency stream monitoring
- [ ] Subdomain takeover auto-exploitation (ethical mode)
- [ ] Integration with Metasploit/Cobalt Strike
- [ ] Web interface for teams
- [ ] Machine learning for wordlist optimization
- [ ] IPv6 support improvements
- [ ] Database export (SQLite, PostgreSQL)
## Credits
- **Author:** bl4ckstack
- **License:** MIT
- **Version:** 1.0.0

**Built for security researchers who value speed, accuracy, and respect for infrastructure.**
## Resources
- **Project:** https://github.com/blackstack/dnx
- **Issues:** https://github.com/blackstack/dnx/issues
- **Wordlists:** https://github.com/danielmiessler/SecLists
- **OWASP Testing:** https://owasp.org/www-project-web-security-testing-guide/
---
**Star it if DNX helped you find something interesting** • Contributions welcome!