dnsenum Cheatsheet

Type: Comprehensive DNS enumeration — dictionary & brute-force subdomain discovery

Installation

sudo apt install dnsenum
# or
git clone https://github.com/fwaeytens/dnsenum.git

Basic Usage

dnsenum <domain>
dnsenum example.com

Common Flags

Flag	Description
`--dnsserver <ns>`	Use a specific DNS server
`-f <wordlist>`	Wordlist for subdomain brute force
`-r`	Enable recursive brute force on found subdomains
`-p <pages>`	Number of Google scraping pages (default: 5)
`-s <results>`	Maximum results from Google scraping
`-o <file>`	Output to XML file
`--enum`	Shortcut: enables brute force, threads, Google scraping
`--threads <n>`	Number of threads for brute forcing
`--noreverse`	Skip reverse lookup on found IP ranges
`--nocolor`	Disable colored output
`-v`	Verbose output
`--timeout <s>`	DNS query timeout in seconds

Common Commands

# Full enumeration with brute force
dnsenum --dnsserver <ns> --enum -p 0 -s 0 -f wordlist.txt <domain>

# Brute force with threads, no Google scraping
dnsenum -f wordlist.txt --threads 20 --noreverse <domain>

# Output to XML
dnsenum -f wordlist.txt -o output.xml <domain>

# Recursive brute force (enumerate found subdomains too)
dnsenum -f wordlist.txt -r <domain>

# Suppress Google scraping (clean/offline)
dnsenum -p 0 -s 0 -f wordlist.txt <domain>

# Use specific nameserver
dnsenum --dnsserver 8.8.8.8 -f wordlist.txt <domain>

What dnsenum Does Automatically

1. Queries A, NS, MX records
2. Attempts zone transfer (AXFR) on each nameserver
3. Google scraping for subdomains (unless -p 0 -s 0)
4. Reverse lookups on found IP ranges
5. Brute forces subdomains from wordlist (if -f provided)

Recommended Wordlists

/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/wordlists/dnsmap.txt

Example Full Run

dnsenum --dnsserver 8.8.8.8 \
        --enum \
        -p 0 -s 0 \
        --threads 20 \
        -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
        -o results.xml \
        example.com

dnsenum Cheatsheet#

Installation#

Basic Usage#

Common Flags#

Common Commands#

What dnsenum Does Automatically#

Recommended Wordlists#

Example Full Run#

dnsenum Cheatsheet

Installation

Basic Usage

Common Flags

Common Commands

What dnsenum Does Automatically

Recommended Wordlists

Example Full Run