When a nameserver refuses zone transfers - which, these days, is most of them - subdomain brute forcing is how you enumerate a domain. dnsmap is the tool built for exactly that: point it at a domain and it grinds through a wordlist of common hostnames, keeping every one that resolves. It is small, fast, needs no root, and has a habit of flagging when a domain leaks internal addresses. This article is part of the PingLabz DNS enumeration guide, and the output below is real, captured from Kali against a BIND9 server in our lab.
What dnsmap does
dnsmap scans a domain for subdomains using brute force. It ships with a built-in wordlist of around 1,000 common names (ns1, mail, smtp, firewall, vpn and the like) in English and Spanish, or you can supply your own with -w. For every name that resolves, it prints the hostname and IP, and results can be saved as plain text or CSV for later processing. Crucially, dnsmap uses the system resolver, so whatever nameserver is in /etc/resolv.conf is who it asks.
As the author notes, dnsmap is deliberately meant for the enumeration phase of an assessment - and it is especially useful precisely because zone transfers are so rarely allowed publicly anymore. It comes with Kali; elsewhere, sudo apt install dnsmap. Run it as a normal user, not root.
Brute forcing the lab domain
With the resolver pointed at the lab's BIND9 server, dnsmap chews through a wordlist against pinglabz.lab:
root@kali:~# dnsmap pinglabz.lab -w /home/j/dns-recon/subs.txt
dnsmap 0.36 - DNS Network Mapper
[+] searching (sub)domains for pinglabz.lab using /home/j/dns-recon/subs.txt
[+] using maximum random delay of 10 millisecond(s) between requests
www.pinglabz.lab
IP address #1: 10.0.53.10
[+] warning: internal IP address disclosed
vpn.pinglabz.lab
IP address #1: 10.0.53.30
[+] warning: internal IP address disclosed
jenkins.pinglabz.lab
IP address #1: 10.0.53.91
[+] warning: internal IP address disclosed
admin.pinglabz.lab
IP address #1: 10.0.53.99
[+] warning: internal IP address disclosed
[+] 22 (sub)domains and 22 IP address(es) found
[+] 22 internal IP address(es) disclosed
[+] completion time: 1 second(s)The standout feature is that warning: internal IP address disclosed line. dnsmap recognises RFC 1918 addresses and calls them out - because a public DNS record pointing at 10.0.53.x tells an attacker the internal network layout without ever touching the internal network. Here it found 22 hosts and flagged all 22 as internal-address disclosures. That summary at the end (22 subdomains, 22 internal IPs disclosed, one second) is the whole tool in three lines.
The options that matter
Where dnsmap fits
dnsmap does one thing - subdomain brute forcing - and does it simply. It has no zone-transfer logic and no record-type enumeration, so it is not a replacement for dnsrecon or dnsenum; it is the focused brute forcer you reach for when those tools' AXFR attempts come back empty. Its one real limitation is speed: it queries sequentially, so against a large wordlist it is slow. When that matters, step up to massdns, which does the same job at tens of thousands of names per second.
The defender's view
dnsmap's internal-IP warnings are your to-do list. If your public DNS resolves names to RFC 1918 addresses, move those records into an internal-only view with split-horizon DNS. You cannot stop brute forcing outright - each query looks like a normal lookup - but you can make sure a successful guess only ever returns a public address, and you can rate-limit and log to spot the burst of sequential queries that brute forcing produces. See the hardening checklist in the DNS enumeration pillar.
Related tools
Use dnsmap after dnsrecon and dnsenum when zone transfers are blocked. For the same brute force at scale, use massdns. To audit your own zone, run dnswalk. Once you have live hostnames, scan them with the Nmap cluster.
Key takeaways
dnsmap is the go-to subdomain brute forcer for when zone transfers are locked down. It runs a wordlist against a domain using the system resolver, keeps every name that resolves, and flags any internal (RFC 1918) addresses it uncovers. It is simple and needs no root, but it is single-threaded and slow on large lists - reach for massdns when you need scale. For defenders, its internal-IP warnings are a direct signal to adopt split-horizon DNS.
Only run dnsmap against domains you own or are explicitly authorised to test. The output here is from a private lab.