Subdomain brute forcing is only useful if you can go big, and going big means going fast. massdns is the tool that makes internet-scale DNS enumeration practical: a high-performance stub resolver built to resolve millions - even billions - of names by spreading queries across many public resolvers at once. Without any special tuning it will push over 350,000 names per second. This article is part of the PingLabz DNS enumeration guide, and the capture below is real output from Kali in our lab.
What massdns does
massdns is a stub resolver, not a brute forcer on its own. You feed it two things: a list of names to resolve and a list of DNS resolvers to spread the load across. It fires the queries out concurrently, tracks which ones succeed, and writes the answers in whatever output format you choose. In a modern subdomain-discovery pipeline it is the resolution engine: a tool like a wordlist generator or permutation tool produces candidate names, and massdns resolves them at speed. It is the workhorse behind many bug-bounty recon workflows.
massdns is in the Kali repos: sudo apt install massdns. It is also trivially built from source.
Running massdns against the lab
You need a resolvers file (here, just the lab's BIND9 server) and a names file (candidate FQDNs). Then point massdns at both, choose record type A and simple output (-o S), and write to a file:
root@kali:~# massdns -r resolvers.txt -t A -o S -w massdns.out names.txt
Concurrency: 10000
Processed queries: 34
Received packets: 34
Progress: 100.00% (00 h 00 min 00 sec / 00 h 00 min 00 sec)
Current incoming rate: 7071 pps, average: 7071 pps
Current success rate: 7071 pps, average: 7071 pps
Finished total: 34, success: 34 (100.00%)
root@kali:~# sort massdns.out
admin.pinglabz.lab. A 10.0.53.99
backup.pinglabz.lab. A 10.0.53.60
db.pinglabz.lab. A 10.0.53.70
dc01.pinglabz.lab. A 10.0.53.5
jenkins.pinglabz.lab. A 10.0.53.91
mail.pinglabz.lab. A 10.0.53.20
router.pinglabz.lab. CNAME gw.pinglabz.lab.
smtp.pinglabz.lab. CNAME mail.pinglabz.lab.
vpn.pinglabz.lab. A 10.0.53.30
www.pinglabz.lab. A 10.0.53.10The live status screen is the massdns signature: concurrency, queries processed, and a real-time packets-per-second rate. Even in this tiny lab it hit 7,071 pps at 100% success. Scale the names file to millions and point it at a large resolver list and that rate is what lets it finish in minutes instead of days. The output resolves CNAME chains too, so you see that router is an alias for gw and smtp for mail.
The options that matter
One practical warning: massdns is only as reliable as its resolver list. A list full of dead or poisoned public resolvers produces false positives and misses. Recon practitioners maintain curated, regularly validated resolver lists for exactly this reason. Because massdns just resolves what you give it, the quality of your candidate names (from a good wordlist or a permutation tool) determines what you actually find.
The defender's view
massdns does not attack your server so much as hammer it, and a flood of sequential lookups for guessed names is a detectable pattern. Response Rate Limiting and query-log analysis on your authoritative servers will surface it. The deeper defence is the same as for any brute forcing: make sure a resolved name only ever returns a public address, so speed buys the attacker nothing but a list of things they were already meant to see. The full checklist is in the DNS enumeration pillar.
Related tools
massdns is the scale version of what dnsmap does slowly. Generate the standard records and try zone transfers first with dnsrecon and dnsenum - if AXFR works, you do not need to brute force at all. To audit your own zone for errors, use dnswalk. Feed the live hosts massdns finds into the Nmap cluster for port scanning.
Key takeaways
massdns is the speed tool of DNS enumeration - a stub resolver that spreads a huge list of candidate names across many resolvers to resolve hundreds of thousands per second. Give it a names file and a resolvers file, pick a record type and output format, and let it run. Its results are only as good as your resolver list and your candidate names, so curate both. It is the scale-up from dnsmap, and the defence against it is the same: keep internal addresses out of public zones and monitor for brute-force patterns.
Only run massdns against domains and resolvers you own or are explicitly authorised to test. The output here is from a private lab.