DNS

dnsmap: DNS Subdomain Brute Forcing on Kali

dnsmap DNS enumeration on Kali Linux with real lab output
In: DNS, DNS Enumeration, Kali Linux, Security, Penetration Testing

When a nameserver refuses zone transfers - which, these days, is most of them - subdomain brute forcing is how you enumerate a domain. dnsmap is the tool built for exactly that: point it at a domain and it grinds through a wordlist of common hostnames, keeping every one that resolves. It is small, fast, needs no root, and has a habit of flagging when a domain leaks internal addresses. This article is part of the PingLabz DNS enumeration guide, and the output below is real, captured from Kali against a BIND9 server in our lab.

What dnsmap does

dnsmap scans a domain for subdomains using brute force. It ships with a built-in wordlist of around 1,000 common names (ns1, mail, smtp, firewall, vpn and the like) in English and Spanish, or you can supply your own with -w. For every name that resolves, it prints the hostname and IP, and results can be saved as plain text or CSV for later processing. Crucially, dnsmap uses the system resolver, so whatever nameserver is in /etc/resolv.conf is who it asks.

As the author notes, dnsmap is deliberately meant for the enumeration phase of an assessment - and it is especially useful precisely because zone transfers are so rarely allowed publicly anymore. It comes with Kali; elsewhere, sudo apt install dnsmap. Run it as a normal user, not root.

Brute forcing the lab domain

With the resolver pointed at the lab's BIND9 server, dnsmap chews through a wordlist against pinglabz.lab:

root@kali:~# dnsmap pinglabz.lab -w /home/j/dns-recon/subs.txt
dnsmap 0.36 - DNS Network Mapper

[+] searching (sub)domains for pinglabz.lab using /home/j/dns-recon/subs.txt
[+] using maximum random delay of 10 millisecond(s) between requests

www.pinglabz.lab
IP address #1: 10.0.53.10
[+] warning: internal IP address disclosed

vpn.pinglabz.lab
IP address #1: 10.0.53.30
[+] warning: internal IP address disclosed

jenkins.pinglabz.lab
IP address #1: 10.0.53.91
[+] warning: internal IP address disclosed

admin.pinglabz.lab
IP address #1: 10.0.53.99
[+] warning: internal IP address disclosed

[+] 22 (sub)domains and 22 IP address(es) found
[+] 22 internal IP address(es) disclosed
[+] completion time: 1 second(s)

The standout feature is that warning: internal IP address disclosed line. dnsmap recognises RFC 1918 addresses and calls them out - because a public DNS record pointing at 10.0.53.x tells an attacker the internal network layout without ever touching the internal network. Here it found 22 hosts and flagged all 22 as internal-address disclosures. That summary at the end (22 subdomains, 22 internal IPs disclosed, one second) is the whole tool in three lines.

The options that matter

-w <wordlist>
Use an external wordlist instead of the built-in one. Bigger, targeted lists find more.
-r <file>
Save results to a plain-text file (or a directory for an auto-named file).
-c <file>
Save results in CSV format for further processing.
-d <ms>
Maximum random delay between queries. Raise it to be gentler on bandwidth or stealthier.
-i <ips>
Ignore specific IPs in results - useful for filtering out wildcard false positives.
dnsmap-bulk
A companion script that runs dnsmap across a whole file of domains in bulk.

Where dnsmap fits

dnsmap does one thing - subdomain brute forcing - and does it simply. It has no zone-transfer logic and no record-type enumeration, so it is not a replacement for dnsrecon or dnsenum; it is the focused brute forcer you reach for when those tools' AXFR attempts come back empty. Its one real limitation is speed: it queries sequentially, so against a large wordlist it is slow. When that matters, step up to massdns, which does the same job at tens of thousands of names per second.

The defender's view

dnsmap's internal-IP warnings are your to-do list. If your public DNS resolves names to RFC 1918 addresses, move those records into an internal-only view with split-horizon DNS. You cannot stop brute forcing outright - each query looks like a normal lookup - but you can make sure a successful guess only ever returns a public address, and you can rate-limit and log to spot the burst of sequential queries that brute forcing produces. See the hardening checklist in the DNS enumeration pillar.

Use dnsmap after dnsrecon and dnsenum when zone transfers are blocked. For the same brute force at scale, use massdns. To audit your own zone, run dnswalk. Once you have live hostnames, scan them with the Nmap cluster.

Key takeaways

dnsmap is the go-to subdomain brute forcer for when zone transfers are locked down. It runs a wordlist against a domain using the system resolver, keeps every name that resolves, and flags any internal (RFC 1918) addresses it uncovers. It is simple and needs no root, but it is single-threaded and slow on large lists - reach for massdns when you need scale. For defenders, its internal-IP warnings are a direct signal to adopt split-horizon DNS.

Only run dnsmap against domains you own or are explicitly authorised to test. The output here is from a private lab.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.