tips tools

SecurityTrails Blog · Sep 08 · by Esteban Borges

dnsmap: an Old-School Network Recon Tool

Reading time: 6 minutes

When it comes to the vast array of open source tools available to the infosec community in 2020, one could say we’re spoiled.

Installing Kali Linux or any other pentesting distro reveals the massive amount of tools in today’s infosec landscape that make the work of researchers, analysts and other security professionals easier, faster and more accurate.

This certainly wasn’t the case 14 years ago, when dnsmap was released. Tools like dnsmap marked the beginning of the ever-growing toolset we now find ourselves privileged to have.

Although many of the older tools remain limited in their capacity, their simplicity provides an opportunity for beginners or even those with limited time to conduct research swiftly.

What is dnsmap?

dnsmap provides the ability to find OSINT data like subdomains and IP addresses associated with each domain.

This can help researchers discover tests or other subdomains that should not necessarily be exposed to the Internet, increasing the attack surface area within an organisation.

For a broader picture of dnsmap’s effectiveness, we’ve listed a few of its pros and cons:

Features:

  • Easy installation: If you’re using Kali Linux, dnsmap already comes pre-installed. If you’re using any other Linux distro, installing dnsmap takes less than a minute.
  • Simplified usage: dnsmap focuses on a narrow set of objectives and does it well. This makes learning and using the tool easy.
  • Vintage: dnsmap is battle-tested—it’s been around for years and is still available on many pentesting distros.

Drawbacks:

  • Archived: The software is no longer actively maintained, so new bugs in the software might not get patched.
  • Features: This is subjective, but if you prefer tools that do a lot, dnsmap might feel somehow limited.

Who is dnsmap for?

Like many of the other open source tools we’ve reviewed, dnsmap is suitable for both blue and red team investigations during the reconnaissance or data-gathering phase.

It is highly recommended that beginners or junior analysts test out dnsmap to see what it can do. Once an analyst understands how dnsmap works, they can also compare the results with those of other tools that perform similar tasks.

Installing dnsmap on Linux

dnsmap comes pre-installed as a package on Kali Linux. We also investigated other Linux distros, and found it available on BlackArch and ParrotSecurity OS as well. We suspect that if the package is available on Kali, then it’s probably available on other infosec distros through their software managers—but that’s unverifiable, owing to the lack of documentation from various pentesting distros. You can, however, find more information about the Kali package here.

We will now install dnsmap on a fresh Ubuntu installation. As it’s always important to use some type of sandboxing environment when installing new software, you can opt for a virtual machine (VM), container or a remote test server.

We’re using the latest Ubuntu version, 20.04, for this review, and any commands used here should apply to Debian-based distros (and with a few minor tweaks, to other distros as well).

dnsmap is written in C, so we’ll install the required packages to compile the software:

    sudo apt update
    sudo apt upgrade
    sudo apt install git gcc make

Next we’ll clone the repo, then proceed to compile it:

    git clone https://gitlab.com/kalilinux/packages/dnsmap
    cd dnsmap/
    make

Unlike the installation of Masscan (which also required compiling), compiling dnsmap goes quickly and results in no warnings.

Testing/usage

Now we’ll run a few tests to see dnsmap in action.

Our first test will be to run a vanilla scan to see what results we get:

    ./dnsmap nytimes.com -d 100 -r testdata/

dnsmap searched for subdomains on nytimes.com using the tool’s built-in wordlist. We added a 100-millisecond delay to avoid our test IP getting blocked and we saved the output data to testdata/.

dnsmap searched for subdomains

Taking a look at the output, we can see that 37 subdomains and 74 IP addresses were found.

37 subdomains and 74 IP addresses were found

We took a sample subdomain to verify it against our SecurityTrails data. An interesting discovery from this is that dnsmap only found subdomains at the first level when looking at the subdomain: cn.nytimes.com:

Sample subdomain to verify

By contrast, there are 9 other nested subdomains on cn.nytimes.com. This might be a limitation of the tool or the built-in wordlist.

We can investigate this by creating our own wordlist containing the 9 missing subdomains to see if we can obtain the missing results.

Here is our wordlist: cn, aelb, babel, appdata, i, e, cse, iapi, preview, athena

After running this custom wordlist, let’s examine the results:

    ./dnsmap nytimes.com -d 100 -w st_words.txt

In this command we used the -w to point to the wordlist file. The file itself contains each word on a single line with no commas or other separators.

Pointing to the wordlist file

After running this scan, it appears that the problem might be with the tool itself and not the wordlist. We can attempt one more test to see if we’re able to view the nested subdomains:

    ./dnsmap cn.nytimes.com -d 100 -w st_words.txt -r testdata/

Nested subdomains test

This appeared to partially work, as we found 3 of the nested subdomains (level 2). This might be a limitation of the tool, not being able to find nested subdomains accurately.

Next up we can test the IP exclusion feature—we’ll test it against a few IPv6 addresses to see if it works.

    ./dnsmap nytimes.com -d 100 -i 2600:9000:20ed:1800:18:9b35:e940:93a1,2600:9000:20ed:b200:18:9b35:e940:93a1,2600:9000:20ed:2e00:18:9b35:e940:93a1,2600:9000:20ed:dc00:18:9b35:e940:93a1,2600:9000:20ed:c00:18:9b35:e940:93a1,2600:9000:20ed:f600:18:9b35:e940:93a1,2600:9000:20ed:1a00:18:9b35:e940:93a1,2600:9000:20ed:3600:18:9b35:e940:93a1 -r testdata/

A bug appears when trying to run this, which is:

    [+] error: entered parameter(s) is/are too long!

We’ll reduce the IPs until it’s able to run. The command ran successfully with:

    ./dnsmap nytimes.com -d 100 -i 2600:9000:20ed:1800:18:9b35:e940:93a1,2600:9000:20ed:b200:18:9b35:e940:93a1,2600:9000:20ed:2e00:18:9b35:e940:93a1,2600:9000:20ed:dc00:18:9b35:e940:93a1,2600:9000:20ed:c00:18:9b35:e940:93a1 -r testdata/

The limit for IP addresses (based on our tests here) appears to be 5. The IP restriction doesn’t have much of an impact as we’re still able to see the cn.nytimes.com subdomain on other IPv6 addresses:

Limit for IP addresses

Our last test will be using the shell script to fetch the subdomains of a few malvertising domains we’re tracking. We had to modify the shell script a bit as we did not make the dnsmap command globally executable.

Shell script to fetch the subdomains

Using the built-in wordlist and the shell script to find the subdomains of these 13 domains, we obtained no results. This is in a slight conflict with the data available at SecurityTrails, which shows some of these domains have at least the www subdomain.

Summary

dnsmap is really easy to install and use. Other tools that do more will naturally have a higher learning curve. So if you’re just starting out and learning about OSINT, dnsmap is a great start to gain an understanding of reconnaissance and intelligence-gathering without spending hours figuring out how to install and use tools.

One drawback of dnsmap is that its subdomain discovery is not 100% accurate, based on the tests we ran above. With some tinkering we were able to find nested subdomains, but the ability to find subdomains at all levels is likely standard in most modern reconnaissance tools.


If you’re looking for current and historical subdomains and the IP addresses associated with them, we offer the powerful SecurityTrails API and SurfaceBrowser™, our enterprise-grade software that can provide you with all this information, and other OSINT data, including associated domains, open ports, SSL certificates, IP neighbors, and much more.

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.