What is Dnsx?

Dnsx is a fast and flexible tool designed for mass DNS resolution. It's part of the ProjectDiscovery ecosystem (along with httpx, subfinder, naabu, etc.). Its essential function is to convert a list of raw subdomains (obtained from Findomain, Subfinder, etc.) into valid and exploitable targets. This is achieved by validating whether the subdomains resolve to an active IP and by detecting key DNS records that reveal sensitive information.

In the realm of bug bounty, it is fundamental because:

  • It validates whether subdomains resolve to an active IP.
  • It allows the detection of juicy DNS records (A, AAAA, CNAME, TXT, MX, NS, SRV, PTR).
  • It helps find misconfigured subdomains → potential takeovers.
  • It works very well in recon pipelines with other tools.

In summary: Dnsx converts a raw list of subdomains into genuinely valid and exploitable targets.

Installation

Using Go (Recommended)

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

Precompiled Binary

wget https://github.com/projectdiscovery/dnsx/releases/latest/download/dnsx-linux-amd64.tar.gz
tar -xvzf dnsx-linux-amd64.tar.gz
chmod +x dnsx
sudo mv dnsx /usr/bin/

Performance and Resolvers

To achieve maximum speed and reliability, it is crucial to configure fast DNS resolvers.

  • Public: For quick tests, you can use public resolvers with -r.
dnsx -l subs.txt -r 1.1.1.1,8.8.8.8
  • Resolver List (Recommended): In mass scans, it is much more effective to use a list of trusted resolvers to increase speed and avoid rate limits. The -r option also accepts a file of resolvers.
dnsx -l subs.txt -r resolvers.txt

Note: Lists of reliable public resolvers can be found in repositories such as trickest/resolvers.

Main Options

| Option  | Description                                   | Example                                |
| ------- | --------------------------------------------- | -------------------------------------- |
| -d      | Single domain to resolve                      | dnsx -d target.com                     |
| -l      | List of domains/subdomains                    | dnsx -l subs.txt                       |
| -r      | Use specific DNS resolver(s) or a list file   | dnsx -l subs.txt -r 1.1.1.1            |
| -resp   | Show DNS server response                      | dnsx -d target.com -resp               |
| -a      | A records (IPv4)                              | dnsx -d target.com -a                  |
| -aaaa   | AAAA records (IPv6)                           | dnsx -d target.com -aaaa               |
| -cname  | Show CNAME records                            | dnsx -d target.com -cname              |
| -mx     | MX records                                    | dnsx -d target.com -mx                 |
| -ns     | NS records                                    | dnsx -d target.com -ns                 |
| -txt    | TXT records                                   | dnsx -d target.com -txt                |
| -soa    | SOA records                                   | dnsx -d target.com -soa                |
| -ptr    | PTR reverse lookup                            | dnsx -ptr -d 8.8.8.8                   |
| -recon  | Complete enumeration (A,AAAA,CNAME,MX,TXT,NS) | dnsx -l subs.txt -recon                |
| -json   | Export results in JSON                        | dnsx -l subs.txt -json -o results.json |
| -silent | Clean results only (useful in pipelines)      | dnsx -silent -l subs.txt               |

Usage Strategy in Bug Bounty

As with other tools, Dnsx's value lies in its direct integration into mass reconnaissance workflows.

1. Basic Asset Discovery Flow

This is the fundamental process for a bug hunter to validate their list of targets:

# 1. Enumerate subdomains
subfinder -d target.com -o subs.txt 

# 2. Resolve and filter active subdomains (dnsx)
dnsx -l subs.txt -silent -o resolved.txt
 
# 3. Validate active HTTP/S hosts (httpx)
httpx -l resolved.txt -o alive_http.txt

Note: The -silent option in dnsx ensures the output is clean and easy to pipe to the next command.

2. Subdomain Takeover (SHTO) Detection

SHTO is a high-severity finding. To detect it, the professional uses Dnsx to obtain CNAMEs and then manually filters for "orphans":

# Extracts CNAMEs and saves them (-resp prints the CNAME target next to each host)
dnsx -l subs.txt -cname -resp -o cname_records.txt

# The investigator reviews cname_records.txt looking for orphaned CNAMEs
# (e.g., sub.target.com CNAME: service.azurewebsites.net) that are unclaimed.

Advanced Analysis (-resp): To manually confirm, the -resp option shows the complete DNS server response (e.g., NXDOMAIN), which can confirm that the record points to a service that no longer exists.
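The manual review above can be narrowed for an audit of your own zone, shown here as an added example that is not part of dnsx or of the original article. It assumes cname_records.txt holds lines of the form "host [CNAME] [target]" and that resolved.txt is the host list from flow 1; the function name and all sample data are constructed.

```shell
#!/bin/sh
# Added example: the function and sample data are constructed, not dnsx code.
# Assumed line format of cname_records.txt: "host [CNAME] [target]"
# (an older "host [target]" layout also parses: only $1 and $NF are read).

# List hosts whose CNAME leaves the audited zone AND that are absent from the
# list of hosts that resolved. These are candidates for manual review only:
# a stale record whose target still answers with an IP is not caught here.
dangling_cname_candidates() {
  cname_file=$1; resolved_file=$2; zone=$3
  awk -v zone="$zone" '
    function inside(name, z,   suffix) {
      suffix = "." z
      return name == z || (length(name) > length(suffix) &&
             substr(name, length(name) - length(suffix) + 1) == suffix)
    }
    FILENAME == ARGV[1] { resolved[tolower($1)] = 1; next }
    NF >= 2 {
      host = tolower($1); target = tolower($NF)
      gsub(/^\[|\]$/, "", target); sub(/\.$/, "", target)
      if (inside(target, zone)) next          # CNAME stays inside the zone
      if (!(host in resolved)) print host, target
    }' "$resolved_file" "$cname_file" | sort
}

# Constructed sample data.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cname_records.txt" <<'EOF'
www.target.com [CNAME] [lb.target.com]
shop.target.com [CNAME] [shops.saas-provider.example]
old.target.com [CNAME] [target-old.azurewebsites.net]
blog.target.com [CNAME] [target-blog.azurewebsites.net]
EOF
cat > "$demo_dir/resolved.txt" <<'EOF'
www.target.com
shop.target.com
blog.target.com
EOF

dangling_cname_candidates "$demo_dir/cname_records.txt" "$demo_dir/resolved.txt" target.com
```

Each line it prints is a record to remove or re-point once the zone owner confirms the external resource is no longer theirs.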

3. Sensitive Information Detection (TXT Records)

TXT records may contain verification tokens, domain keys, or sensitive configuration information.

# Searches for all TXT records combined with other records of interest
# (-resp is needed so the record contents are written, not just the hostnames)
dnsx -l subs.txt -txt -a -cname -resp -silent -o dns_info.txt

Review the dns_info.txt file searching for patterns such as: "google-site-verification=", "spf", "dmarc", "dkim", service tokens, etc.

4. Wildcard Detection and Filtering

Wildcard domains (*.target.com) can generate thousands of false positives. Dnsx can help identify them by showing the IP they resolve to.

# Resolves A records and counts the most frequent IPs
# (-resp-only prints just the IP, so no column cutting is needed)
dnsx -l subs.txt -silent -a -resp-only | sort | uniq -c | sort -nr

If one or more IPs appear hundreds of times, it is likely a wildcard. Exclude that IP from the results to clean up the target list.
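The counting and exclusion steps described above, as an added example that is not from the original article or from dnsx. It assumes input lines from `dnsx -silent -a -resp` shaped like "host [A] [ip]" (the older "host [ip]" layout also parses); the function names, sample data and the threshold of 4 are constructed for the demo.

```shell
#!/bin/sh
# Added example; sample data is constructed. Only the first field (host) and
# the last field (bracketed IP) of each line are read.

# Print "count ip" for every IP shared by at least $1 distinct hosts.
shared_ips() {
  awk -v min="$1" '
    { ip = $NF; gsub(/^\[|\]$/, "", ip)
      if (!(($1, ip) in seen)) { seen[$1, ip] = 1; hosts[ip]++ } }
    END { for (ip in hosts) if (hosts[ip] >= min) print hosts[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Print, in input order, hosts with at least one A record outside that set.
drop_shared_ip_hosts() {
  awk -v min="$1" '
    { ip = $NF; gsub(/^\[|\]$/, "", ip)
      line_host[NR] = $1; line_ip[NR] = ip
      if (!(($1, ip) in seen)) { seen[$1, ip] = 1; hosts[ip]++ } }
    END { for (i = 1; i <= NR; i++)
            if (hosts[line_ip[i]] < min && !printed[line_host[i]]++)
              print line_host[i] }'
}

# Constructed sample: four random-looking names share one IP (wildcard-like),
# and api.target.com has two A records of its own.
sample_a_records() {
cat <<'EOF'
www.target.com [A] [203.0.113.10]
api.target.com [A] [203.0.113.20]
api.target.com [A] [203.0.113.21]
qwe1.target.com [A] [198.51.100.7]
dev-x.target.com [A] [198.51.100.7]
zz9.target.com [A] [198.51.100.7]
test123.target.com [A] [198.51.100.7]
mail.target.com [A] [203.0.113.30]
EOF
}

sample_a_records | shared_ips 4
sample_a_records | drop_shared_ip_hosts 4
```

A heavily shared IP can also be a CDN or load balancer fronting real hosts, so check the output of shared_ips before dropping anything. dnsx also has a built-in wildcard filter, -wd.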

Best Practices and Professional Mitigation

  • Complete Flow: Integrate dnsx with httpx (for web assets) and then with nuclei (for vulnerability scanning) for a complete and automated workflow.
  • JSON Output: Using the JSON format (-json) facilitates automated analysis and integration with other tools or reporting systems.

When reporting DNS-related findings, mitigation recommendations should focus on:

  • Subdomain Takeover: Recommend the removal or review of CNAME configurations that point to unclaimed external services.
  • Record Hygiene: Recommend deleting obsolete records (A, CNAME, TXT) to reduce the attack surface and the risk of takeover.
  • Hardening: Suggest using DNSSEC to strengthen record security and prevent tampering.
