puredns Cheatsheet
Type: Powerful DNS brute-forcing and resolution tool — filters wildcard results effectively at scale
Installation
go install github.com/d3mondev/puredns/v2@latest
# Binary ends up in ~/go/bin/puredns
# Also requires massdns (dependency for fast resolution)
git clone https://github.com/blechschmidt/massdns.git
cd massdns && make
sudo cp bin/massdns /usr/local/bin/
Modes
| Mode | Description |
|---|---|
| bruteforce | Brute force subdomains using a wordlist |
| resolve | Resolve a list of domains/subdomains |
Basic Usage
# Brute force
puredns bruteforce wordlist.txt example.com
# Resolve a list of subdomains
puredns resolve subdomains.txt
Common Flags
| Flag | Description |
|---|---|
| -r <file> | Resolver list file (required for speed) |
| --resolvers-trusted <file> | Trusted resolvers for wildcard detection |
| -l <n> | Rate limit (queries per second) |
| --bin <path> | Path to massdns binary |
| -w <file> | Write valid results to file |
| --wildcard-tests <n> | Number of wildcard tests per domain (default: 10) |
| --wildcard-batch <n> | Subdomains to test per batch |
| --skip-wildcard-filter | Skip wildcard filtering |
| --skip-validation | Skip validation step |
| -t <n> | Massdns threads |
| -q | Quiet mode |
| -v | Verbose |
Common Commands
# Basic brute force with resolver list
puredns bruteforce wordlist.txt example.com -r resolvers.txt
# Brute force with rate limiting
puredns bruteforce wordlist.txt example.com \
-r resolvers.txt \
-l 1000
# Brute force with trusted resolvers for wildcard detection
puredns bruteforce wordlist.txt example.com \
-r resolvers.txt \
--resolvers-trusted trusted.txt
# Save results to file
puredns bruteforce wordlist.txt example.com \
-r resolvers.txt \
-w results.txt
# Resolve a list of subdomains
puredns resolve subdomains.txt -r resolvers.txt
# Resolve and save valid results
puredns resolve subdomains.txt -r resolvers.txt -w resolved.txt
# Skip wildcard filter (if you want all results)
puredns bruteforce wordlist.txt example.com \
-r resolvers.txt \
--skip-wildcard-filter
# Quiet output (subdomains only to stdout)
puredns bruteforce wordlist.txt example.com -r resolvers.txt -q
Resolver Lists
Public resolver lists are essential for speed and accuracy:
# Download fresh public resolvers
wget https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt
# Trusted resolvers (for wildcard detection — use well-known ones)
cat trusted.txt
# 8.8.8.8
# 8.8.4.4
# 1.1.1.1
# 1.0.0.1
# 9.9.9.9
Recommended Wordlists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
# Large wordlists — puredns handles them efficiently
https://github.com/danielmiessler/SecLists
https://github.com/trickest/wordlists # DNS-specific massive lists
Pipeline Examples
# Combine assetfinder results + puredns brute force
assetfinder --subs-only example.com > passive.txt
puredns bruteforce wordlist.txt example.com \
-r resolvers.txt -w brute.txt
cat passive.txt brute.txt | sort -u > all_subs.txt
# Resolve large subdomain list from other tools
amass enum -passive -d example.com | \
puredns resolve - -r resolvers.txt -w resolved.txt
# Full pipeline
puredns bruteforce \
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
example.com \
-r resolvers.txt \
--resolvers-trusted trusted.txt \
-l 500 \
-w valid_subs.txt \
-q
Wildcard Handling
puredns detects and filters wildcard DNS responses automatically. If a wildcard record such as *.example.com makes every name resolve to the same IP, puredns identifies the pattern and removes the false positives from the results, which is much more reliable than tools that ignore wildcard records.
Use --resolvers-trusted with well-known public resolvers (e.g. 8.8.8.8, 1.1.1.1) specifically for wildcard detection to avoid poisoned/untrustworthy public resolver results.
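
A simplified sketch of the wildcard-filtering idea described above, as an added example (not puredns's own code or algorithm). The zone data, `sample_resolve`, `wildcard_answers`, `filter_wildcards` and the `tests` parameter are hypothetical names constructed for illustration; in practice the `resolve` callable would query a trusted resolver.

```python
import secrets

# Constructed sample zone (documentation IP ranges): exact records plus
# one wildcard record, *.dev.example.com.
SAMPLE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "api.dev.example.com": {"203.0.113.30"},  # real host under the wildcard
    "*.dev.example.com": {"198.51.100.7"},
}

def sample_resolve(name):
    """Hypothetical stand-in for a trusted resolver: exact match first,
    then the closest enclosing wildcard, else no answer."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = SAMPLE_ZONE.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return set()

def wildcard_answers(parent, resolve, tests=3):
    """Resolve random labels under parent; any answer reveals a wildcard."""
    answers = set()
    for _ in range(tests):
        answers |= resolve(f"{secrets.token_hex(8)}.{parent}")
    return answers

def filter_wildcards(candidates, resolve, tests=3):
    """Keep names whose answers are not fully explained by the wildcard
    answers of their parent domain."""
    cache, kept = {}, []
    for name in candidates:
        ips = resolve(name)
        if not ips:
            continue  # NXDOMAIN / no answer
        parent = name.split(".", 1)[1]
        if parent not in cache:
            cache[parent] = wildcard_answers(parent, resolve, tests)
        if not ips <= cache[parent]:
            kept.append(name)
    return kept

CANDIDATES = ["www.example.com", "nope.example.com", "api.dev.example.com",
              "test.dev.example.com", "staging.dev.example.com"]

if __name__ == "__main__":
    print(filter_wildcards(CANDIDATES, sample_resolve))
```

This simplified check also drops a real host that happens to share the wildcard's IP, so treat filtered names as unconfirmed rather than nonexistent.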