Most DNS security advice is reactive. Something breaks, you investigate. But the teams that catch problems early aren't waiting for alerts from their SIEM — they're actively mapping their own attack surface before anyone else does.
These are the tools that make that possible. Some are for enumeration, some for continuous monitoring, some for hunting typosquatting and phishing infrastructure. All of them are worth having in your rotation.
1. Amass
What it does: Attack surface mapping and subdomain enumeration.
Amass is the most comprehensive open-source tool for external attack surface discovery. It combines passive DNS, certificate transparency logs, web archives, and active DNS queries to build the fullest possible picture of what's associated with a domain.
```bash
# Passive enumeration only (no queries sent to the target's infrastructure)
amass enum -passive -d yourapp.com

# Active enumeration with DNS brute forcing, results written to a file
amass enum -active -brute -d yourapp.com -o results.txt
```
It integrates with dozens of data sources (Shodan, VirusTotal, SecurityTrails, crt.sh and more; the keyed ones need API credentials in the Amass config file). Results are stored in a local graph database, which other tools can consume and which `amass viz` can export for visualization.
Best for: getting a complete picture of your external footprint before a pentest or infrastructure audit.
Install: go install -v github.com/owasp-amass/amass/v4/...@master
2. dnsx
What it does: Fast, bulk DNS resolution and record querying.
dnsx is a swiss army knife for DNS queries at scale. You give it a list of subdomains and it resolves them fast, with support for filtering by record type, DNS response code (`-rcode`), or response content.
```bash
# Resolve a list and print the A records of the names that resolve
cat subdomains.txt | dnsx -silent -a -resp

# Keep only names that have a CNAME record, with the target (takeover triage input)
cat subdomains.txt | dnsx -silent -cname -resp

# Drop names that only resolve because the zone has a wildcard record
cat subdomains.txt | dnsx -silent -wd yourapp.com
```
Where MassDNS is about raw speed, dnsx is about usability. It fits naturally into pipelines with other tools.
Best for: quickly triaging a large list of subdomains, filtering by record type, feeding results into takeover scanners.
Install: go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest
3. ZeroHook
What it does: Continuous DNS monitoring and dangling record detection.
Most of the tools on this list are point-in-time scanners. You run them, you get a snapshot, and then you move on. ZeroHook is different: it monitors your DNS records continuously and alerts you when something changes.
That matters because DNS threats aren't always present when you run your weekly scan. A dangling CNAME gets claimed at 2am on a Sunday. A nameserver record gets changed by someone who still has registrar access. An MX record gets removed and your email starts bouncing. You find out from a customer.
ZeroHook flags dangling CNAMEs, monitors NS and MX records for unexpected changes, and integrates with the rest of your alerting setup. It has a free tier that covers most small to medium setups.
Best for: teams that have done a one-time audit and now need ongoing visibility without running manual scans on a schedule.
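The core of continuous monitoring is simple: snapshot the records you care about on a schedule, diff against the previous snapshot, and alert on the changes that matter. The following is an added illustration of that approach; it is not ZeroHook's code. The zone data, hostnames and the `lookup` stub are constructed for the example so it runs offline; in production `lookup` would wrap a real resolver (dnspython's `dns.resolver.resolve`, for instance) and the snapshots would be persisted between runs.

```python
"""Snapshot-and-diff DNS monitoring (added illustration, not ZeroHook's code).

The resolver is a stub over constructed zone data so the example runs offline.
In production, `lookup` wraps a real resolver and snapshots are persisted
between scheduled runs.
"""
from dataclasses import dataclass

Snapshot = dict[str, dict[str, list[str]]]  # name -> rrtype -> sorted values


@dataclass
class Alert:
    severity: str
    name: str
    message: str


def make_lookup(zone):
    """Build lookup(name, rrtype) -> list[str] over a constructed zone dict.
    A missing key stands in for NXDOMAIN/NODATA (both return [])."""
    def lookup(name, rrtype):
        return list(zone.get((name.lower().rstrip("."), rrtype), []))
    return lookup


def normalise(values):
    # Case and trailing-dot differences are not changes worth an alert
    return sorted(v.lower().rstrip(".") for v in values)


def take_snapshot(names, rrtypes, lookup) -> Snapshot:
    return {name: {rrtype: normalise(lookup(name, rrtype)) for rrtype in rrtypes}
            for name in names}


def diff_snapshots(old: Snapshot, new: Snapshot, lookup) -> list[Alert]:
    alerts = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, {}), new.get(name, {})
        for rrtype in sorted(set(before) | set(after)):
            b, a = before.get(rrtype, []), after.get(rrtype, [])
            if b == a:
                continue
            if rrtype == "NS":
                # Delegation change: whoever controls these servers controls the zone
                alerts.append(Alert("critical", name, f"NS changed {b} -> {a}"))
            elif rrtype == "MX" and not a:
                alerts.append(Alert("high", name, f"all MX records removed (was {b})"))
            else:
                alerts.append(Alert("medium", name, f"{rrtype} changed {b} -> {a}"))
        # A CNAME that is still published but whose target no longer resolves
        # is the dangling-record pattern behind subdomain takeover
        for target in after.get("CNAME", []):
            if not any(lookup(target, t) for t in ("A", "AAAA", "CNAME")):
                alerts.append(Alert("high", name,
                                    f"CNAME target {target} does not resolve (dangling)"))
    return alerts


# Constructed zone states for two consecutive runs (not real data)
MONITORED = ["yourapp.com", "blog.yourapp.com", "docs.yourapp.com"]
RRTYPES = ["NS", "MX", "CNAME"]

ZONE_DAY1 = {
    ("yourapp.com", "NS"): ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
    ("yourapp.com", "MX"): ["10 mail.yourapp.com."],
    ("blog.yourapp.com", "CNAME"): ["yourapp.blog-host.example."],
    ("yourapp.blog-host.example", "A"): ["203.0.113.10"],
    ("docs.yourapp.com", "CNAME"): ["yourapp-docs.static-host.example."],
    ("yourapp-docs.static-host.example", "A"): ["203.0.113.20"],
}
ZONE_DAY2 = {
    # one nameserver swapped by someone with registrar access
    ("yourapp.com", "NS"): ["ns1.dns-provider.example.", "ns-evil.attacker.example."],
    # MX deleted entirely; blog unchanged
    ("blog.yourapp.com", "CNAME"): ["yourapp.blog-host.example."],
    ("yourapp.blog-host.example", "A"): ["203.0.113.10"],
    # docs CNAME left in place but the hosting resource was decommissioned
    ("docs.yourapp.com", "CNAME"): ["yourapp-docs.static-host.example."],
}


def run_example() -> list[Alert]:
    day1 = take_snapshot(MONITORED, RRTYPES, make_lookup(ZONE_DAY1))
    day2_lookup = make_lookup(ZONE_DAY2)
    day2 = take_snapshot(MONITORED, RRTYPES, day2_lookup)
    return diff_snapshots(day1, day2, day2_lookup)


if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert.severity}] {alert.name}: {alert.message}")
```

The severities encode the reasoning in the text above: a delegation (NS) change hands the whole zone to whoever runs the new servers, a vanished MX set breaks mail immediately, and a CNAME whose target no longer resolves is the takeover precondition. Everything else is a medium-severity change to review.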
4. subjack
What it does: Automated subdomain takeover detection.
subjack takes a list of subdomains and checks each one against a fingerprint database of vulnerable hosting platforms: Heroku, GitHub Pages, Netlify, S3, Fastly, Shopify, and dozens more. It's looking for the pattern where your CNAME points at a platform, but the resource at that platform no longer exists.
```bash
# Basic scan (when installed with go install, point -c at a copy of the
# repo's fingerprints.json; the default path is ./fingerprints.json)
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl -c fingerprints.json

# With verbose output
subjack -w subdomains.txt -t 100 -timeout 30 -v -ssl -c fingerprints.json
```
The fingerprint database (fingerprints.json in the repo) is updated as new platforms are identified as vulnerable; cross-reference it with EdOverflow/can-i-take-over-xyz, which tracks which platforms are actually still claimable. A fingerprint match is a candidate, not a confirmed takeover: verify by hand before reporting it, since a generic 404 page can contain the same string.
Best for: running after Amass or dnsx to identify which discovered subdomains are actually claimable.
Install: go install github.com/haccer/subjack@latest
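To make the detection logic concrete, here is an added example of the subjack-style check, not subjack's own code: follow the CNAME chain, flag a target that returns NXDOMAIN, and otherwise match the target against a platform suffix and look for that platform's "resource does not exist" fingerprint in the HTTP response. The fingerprint table is a small illustrative subset modelled on fingerprints.json and can-i-take-over-xyz; the DNS records and HTTP bodies are constructed stubs so it runs offline. In practice `resolve` wraps a real resolver and `fetch` an HTTP client that requests the subdomain itself.

```python
"""Subdomain takeover triage in the style of subjack (added example, not subjack's code).

FINGERPRINTS is an illustrative subset; the DNS and HTTP data are constructed.
"""

# Each entry: CNAME suffixes that identify the platform, and the body text
# the platform returns when the referenced resource does not exist.
FINGERPRINTS = [
    {"service": "GitHub Pages", "cname": ["github.io"],
     "fingerprint": "There isn't a GitHub Pages site here."},
    {"service": "Heroku", "cname": ["herokuapp.com", "herokudns.com"],
     "fingerprint": "No such app"},
    {"service": "AWS S3", "cname": ["amazonaws.com"],
     "fingerprint": "NoSuchBucket"},
]


def follow_cnames(name, resolve, max_depth=8):
    """Follow the CNAME chain from name.

    Returns (final_cname_target, ends_in_nxdomain). target is None when the
    name has no CNAME at all, so it is not a takeover candidate.
    """
    current, target = name.lower().rstrip("."), None
    for _ in range(max_depth):
        record = resolve(current)
        if record is None:
            return target, True          # NXDOMAIN at this hop
        rrtype, value = record
        if rrtype != "CNAME":
            return target, False         # chain terminates in an address record
        target = value.lower().rstrip(".")
        current = target
    return target, False                 # loop or excessive chain; treat as resolved


def match_platform(target):
    for entry in FINGERPRINTS:
        if any(target == s or target.endswith("." + s) for s in entry["cname"]):
            return entry
    return None


def check_takeover(name, resolve, fetch):
    """Return a finding dict for a takeover candidate, or None."""
    target, nxdomain = follow_cnames(name, resolve)
    if target is None:
        return None
    if nxdomain:
        # Dangling: the CNAME points at something that no longer exists.
        # Claimable only if that namespace can be registered; verify by hand.
        return {"subdomain": name, "cname": target, "service": "unknown",
                "evidence": "CNAME target is NXDOMAIN"}
    entry = match_platform(target)
    if entry is None:
        return None
    body = fetch(name)   # request the subdomain itself so the platform sees its Host header
    if entry["fingerprint"] in body:
        return {"subdomain": name, "cname": target, "service": entry["service"],
                "evidence": f"response matched {entry['fingerprint']!r}"}
    return None


# Constructed DNS and HTTP data (not real hosts or responses)
DNS = {
    "www.yourapp.com": ("CNAME", "yourapp.github.io."),
    "yourapp.github.io": ("A", "203.0.113.5"),
    "app.yourapp.com": ("CNAME", "yourapp-prod.herokuapp.com."),
    "yourapp-prod.herokuapp.com": ("A", "203.0.113.6"),
    "static.yourapp.com": ("CNAME", "yourapp-static.s3-website-us-east-1.amazonaws.com."),
    "yourapp-static.s3-website-us-east-1.amazonaws.com": ("A", "203.0.113.7"),
    "old.yourapp.com": ("CNAME", "old-yourapp.decommissioned-host.example."),
    "api.yourapp.com": ("A", "203.0.113.8"),
}
PAGES = {
    "www.yourapp.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
    "app.yourapp.com": "<html>Welcome to yourapp</html>",
    "static.yourapp.com": "<Error><Code>NoSuchBucket</Code></Error>",
}


def stub_resolve(name):
    return DNS.get(name.lower().rstrip("."))


def stub_fetch(host):
    return PAGES.get(host, "")


def run_example():
    names = [f"{n}.yourapp.com" for n in ("www", "app", "static", "old", "api")]
    findings = [check_takeover(n, stub_resolve, stub_fetch) for n in names]
    return [f for f in findings if f]
```

Note what is not flagged: app.yourapp.com points at a known platform but the response is a live application, and api.yourapp.com has no CNAME at all. That is the whole point of fingerprinting rather than suffix matching alone.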
5. DNStwist
What it does: Typosquatting and phishing domain detection.
DNStwist generates permutations of your domain — typos, homoglyphs, different TLDs, added words — and checks which ones are registered and what they're pointing at. It's how you find out that someone registered yourapp-login.com and is serving a credential harvesting page.
```bash
# Basic scan (add --registered to list only permutations that actually resolve)
dnstwist yourapp.com

# Also test whether each registered permutation's MX accepts mail, and geolocate it
dnstwist --mxcheck --geoip yourapp.com

# Export to CSV
dnstwist yourapp.com --format csv --output results.csv
```
The output tells you which permutations are registered, what their A/MX records are, and whether they look like they're set up to receive email (a strong phishing signal).
Best for: brand protection, finding phishing infrastructure before your users do, and incident response when you suspect an active campaign.
Install: pip install dnstwist
6. MassDNS
What it does: High-performance bulk DNS resolution (active: it sends the queries itself).
When you have a large wordlist and need to brute-force subdomain discovery fast, MassDNS is the tool. It's a stub resolver that can handle hundreds of thousands of queries per second by sending them asynchronously across multiple resolvers.
```bash
# massdns expects fully qualified names, so append the domain to each word first,
# then resolve against a vetted list of public resolvers (the repo ships a starter
# list under lists/)
sed 's/$/.yourapp.com/' wordlist.txt > candidates.txt
massdns -r resolvers.txt -t A -o S candidates.txt > results.txt

# Parse the simple-text output ("name. TYPE value" per record) into a hostname list
awk '{print $1}' results.txt | sed 's/\.$//' | sort -u > resolved.txt
```
It's deliberately minimal: just resolution, no fingerprinting or analysis. Two caveats: check the target for wildcard DNS first, or every candidate will appear to resolve, and keep the resolver list vetted, because a stale or hostile resolver poisons the results. Pipe the output to dnsx or subjack for the next step.
Best for: large-scale subdomain brute-forcing during a full attack surface audit. Less useful for targeted monitoring.
7. DNSRecon
What it does: DNS enumeration, zone transfer testing, and record auditing.
DNSRecon is one of the older tools on this list and still one of the most thorough for initial enumeration. It tests for zone transfer vulnerabilities (which still exist on misconfigured servers), enumerates standard and non-standard record types, and checks for common misconfigurations.
```bash
# Standard enumeration
dnsrecon -d yourapp.com

# Zone transfer attempt against each authoritative nameserver
dnsrecon -d yourapp.com -t axfr

# Reverse lookup sweep over a range (here an internal RFC 1918 range)
dnsrecon -r 192.168.1.0/24
```
The zone transfer check is worth running on every domain you own. AXFR transfers should be restricted to authorized secondary nameservers only. When they're not, your entire zone file — every subdomain, every internal hostname — is readable by anyone.
Best for: initial enumeration, zone transfer testing, auditing record configurations.
Install: pip install dnsrecon
8. crt.sh
What it does: Certificate transparency log search.
Not a tool you install: a web interface and API for searching certificate transparency logs. Every publicly trusted TLS certificate issued for your domain since browsers began requiring CT logging in 2018 is in there, along with a large share of older ones, including historical subdomains you may have forgotten.
```bash
# Pull every name ever certified under your domain. The % wildcard must be
# URL-encoded as %25; name_value holds one SAN per line, so jq -r yields one
# name per line already.
curl -s "https://crt.sh/?q=%25.yourapp.com&output=json" \
  | jq -r '.[].name_value' \
  | sed 's/^\*\.//' \
  | tr 'A-Z' 'a-z' \
  | sort -u
```
The output is a historical subdomain list you can feed directly into dnsx or subjack. It's usually the starting point for any DNS audit, because it doesn't require active scanning and returns data on infrastructure that may have been decommissioned years ago.
Best for: building a historical subdomain list, finding forgotten infrastructure, starting any DNS audit. Covered in more depth in our CT logs post.
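One caveat the one-liner above glosses over: the `%.yourapp.com` query returns every certificate that has a matching identity, and each certificate's name_value lists all of its SANs. On shared CDN certificates that includes other customers' hostnames, and a lookalike such as yourapp.com.evil.example would also survive a naive grep. The following added example (not crt.sh's or any tool's code) normalises the JSON into an in-scope hostname list and keeps the latest expiry seen per host, which makes long-decommissioned names stand out. The JSON is constructed to resemble crt.sh output and is not real log data.

```python
"""Normalise crt.sh JSON into an in-scope hostname list (added example).

SAMPLE_CRTSH_JSON is constructed to resemble crt.sh's output shape; it is not
real log data.
"""
import json

SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.yourapp.com",
     "name_value": "www.yourapp.com\nyourapp.com",
     "not_after": "2021-05-30T00:00:00"},
    {"common_name": "*.yourapp.com",
     "name_value": "*.yourapp.com\nyourapp.com",
     "not_after": "2024-01-15T00:00:00"},
    {"common_name": "Staging.YourApp.com",
     "name_value": "Staging.YourApp.com\nlegacy-api.yourapp.com",
     "not_after": "2019-11-02T00:00:00"},
    # shared certificate: one SAN is ours, the others are not
    {"common_name": "shared.cdn.example",
     "name_value": "shared.cdn.example\nassets.yourapp.com\nyourapp.com.evil.example",
     "not_after": "2023-08-20T00:00:00"},
])


def in_scope(host, apex):
    # Exact apex or a true child label; rejects "yourapp.com.evil.example"
    return host == apex or host.endswith("." + apex)


def hostnames_from_crtsh(raw_json, apex):
    """Return {hostname: latest not_after seen} for names under apex."""
    apex = apex.lower().rstrip(".")
    latest = {}
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            host = name.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]          # a wildcard cert tells us about the parent
            if not host or not in_scope(host, apex):
                continue                 # drop unrelated SANs and lookalikes
            expiry = cert.get("not_after", "")
            if expiry > latest.get(host, ""):   # ISO timestamps compare as strings
                latest[host] = expiry
    return latest


def run_example():
    return hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "yourapp.com")


if __name__ == "__main__":
    for host, expiry in sorted(run_example().items(), key=lambda kv: kv[1]):
        print(f"{expiry[:10]}  {host}")
```

Sorting by latest expiry puts names like legacy-api.yourapp.com, whose last certificate lapsed years ago, at the top of the list: those are the candidates to resolve with dnsx and, if they still have a CNAME, to hand to subjack.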
9. Shodan
What it does: Internet-wide scanning, including DNS and nameserver infrastructure.
Shodan indexes the internet continuously and lets you query it. From a DNS security perspective, it's useful for finding exposed DNS servers (open resolvers, BIND version disclosure), locating infrastructure associated with your IP ranges, and understanding what's publicly visible on your network.
```bash
# Via CLI (requires an API key: run `shodan init <key>` once)
shodan search "hostname:yourapp.com"

# Find DNS servers in a public range you own that answer recursive queries.
# 203.0.113.0/24 is a documentation range; substitute your own allocation.
shodan search 'net:203.0.113.0/24 port:53 "Recursion: enabled"'
```
Shodan won't replace dedicated DNS enumeration tools, but it adds a layer that the others miss: what's actually running on the servers your DNS records point at.
Best for: understanding what's exposed beyond just the DNS records themselves, finding misconfigured nameservers, validating that decommissioned infrastructure is actually gone.
10. Passive DNS databases (DNSDB / SecurityTrails)
What it does: Historical DNS record lookup.
Passive DNS databases record DNS responses observed across large resolver networks over time. They answer questions that active scanning can't: what did this domain point at six months ago? When did this IP start hosting this domain? What other domains share this nameserver?
DNSDB (built by Farsight Security, now part of DomainTools) and SecurityTrails are the main commercial options. SecurityTrails has a free tier with a limited query allowance. Both are useful for threat hunting: if you're investigating suspicious infrastructure, passive DNS data lets you reconstruct its history and find connected domains.
Best for: incident response and threat hunting, tracing attacker infrastructure, understanding historical DNS changes you didn't monitor at the time.
Putting it together: a practical workflow
These tools work best in sequence, not in isolation.
For a one-time audit:
- Pull historical subdomains from crt.sh
- Enumerate additional subdomains with Amass
- Resolve everything live with dnsx
- Scan for takeover candidates with subjack
- Check zone transfer exposure with DNSRecon
- Run DNStwist to find phishing domains targeting your brand
For ongoing monitoring:
Set up ZeroHook or equivalent continuous monitoring on your DNS records. Run DNStwist monthly. Review your zone file quarterly. The one-time audit tells you where you are. The ongoing monitoring tells you when something changes.
Quick reference
| Tool | Type | Primary use |
|---|---|---|
| Amass | Active/passive | Full attack surface enumeration |
| dnsx | Active | Bulk DNS resolution and filtering |
| ZeroHook | Monitoring | Continuous DNS change alerting |
| subjack | Active | Subdomain takeover detection |
| DNStwist | Active | Typosquatting and phishing detection |
| MassDNS | Active | High-speed brute-force resolution |
| DNSRecon | Active | Enumeration and zone transfer testing |
| crt.sh | Passive | Certificate transparency log search |
| Shodan | Passive | Exposed infrastructure discovery |
| DNSDB / SecurityTrails | Passive | Historical DNS records |
TL;DR
Proactive DNS security is two things: knowing what you have, and knowing when it changes. The enumeration tools (Amass, dnsx, subjack, MassDNS, crt.sh) tell you what's out there. The monitoring tools (ZeroHook, passive DNS databases) tell you when things shift.
Run the audit workflow at least once against your full domain portfolio. You'll find something you forgot about. That's the point.
Part of an ongoing series on DNS security.