Scroll to navigation

DNSENUM(1) User Contributed Perl Documentation DNSENUM(1)


dnsenum -- multithread script to enumerate information on a domain and to discover non-contiguous IP blocks


dnsenum version 1.3.0


dnsenum [options] <domain> -f dns.txt


Supported operations: nslookup, zonetransfer, google scraping, domain brute force (support also recursion), whois ip and reverse lookups.


  • 1) Get the host's address (A record).
  • 2) Get the nameservers (threaded).
  • 3) Get the MX record (threaded).
  • 4) Perform AXFR queries on nameservers (threaded).
  • 5) Get extra names and subdomains via google scraping (google query = "-www site:domain").
  • 6) Brute force subdomains from (REQUIRED), can also perform recursion on subdomain that have NS records (all threaded).
  • 7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).
  • 8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).
  • 9) Write to domain_ips.txt file non-contiguous ip-blocks results.


The brute force -f switch takes priority over default dns.txt


Use this DNS server to perform all A, NS and MX queries,
the AXFR and PTR queries are sent to the domain's NS servers.
Shortcut option equivalent to --threads 5 -s 20 -w.
Print the help message.
Skip the reverse lookup operations.
Reverse lookups can take long time on big netranges.
Disable ANSIColor output.
This option is only intended to be used on consoles that do not support
color output.
Show and save private ips at the end of the file domain_ips.txt.
Write all valid subdomains to this file.
Subdomains are taken from NS and MX records, zonetransfer,
google scraping, brute force and reverse lookup hostnames.
The tcp and udp timeout values in seconds (default: 10s).
The number of threads that will perform different queries.
Be verbose (show all the progress and all the error messages).

Notes: neither the default domain nor the resolver search list are appended to domains that don't contain any dots.


This function will scrap subdomains from google search, using query: -www site:domain.
The number of google search pages to process when scraping names,
the -s switch must be specified, (default: 20 pages).
The maximum number of subdomains that will be scraped from google.

NOTES: Google can block our queries with the malware detection. Http proxy options for google scraping are automatically loaded from the environment if the vars http_proxy or HTTP_PROXY are present. "http_proxy=" or "HTTP_PROXY=". On IO errors the mechanize browser object will automatically call die.


Read subdomains from this file to perform brute force.
Update the file specified with the -f switch with valid subdomains.

-u a Update using all results.

-u g Update using only google scraping results.

-u r Update using only reverse lookup results.

-u z Update using only zonetransfer results.

Recursion on subdomains, brute force all discovered subdomains
that have an NS record.

NOTES: To perform recursion first we must check previous subdomains results (zonetransfer, google scraping and brute force) for NS records after that we perform brute force on valid subdomains that have NS records and so on. NS, MX and reverse lookup results are not concerned.


Perform whois ip queries on c class netanges discovered from previous operations.

The maximum value of seconds to wait between whois queries,
the value is defined randomly, (default: 3s).

NOTES: whois servers will limit the number of connections.
Perform the whois queries on c class network ranges.
Warning: this can generate very large netranges and it
will take lot of time to perform reverse lookups.

NOTES: The whois query should recursively query the various whois providers until it gets the more detailed information including either TechPhone or OrgTechPhone by default. See: perldoc Net::Whois::IP. On errors the netrange will be a default c class /24.


Exclude PTR records that match the regexp expression from reverse
lookup results, useful on invalid hostnames.

NOTES: PTR records that not match the domain are also excluded. Verbose mode will show all results.


Final non-contiguous ip blocks are written to domain_ips.txt file.

NOTES: Final non-contiguous ip blocks are calculated :

  • 1) From reverse lookups that were performed on netranges ( c class network ranges or whois netranges ).
  • 2) If the noreverse switch is used then they are calculated from previous operations results (nslookups, zonetransfers, google scraping and brute forcing).


dnsenum: multithread script to enumerate information on a domain and to discover non-contiguous ip blocks.


Modules that are included in perl 5.28.0:
Getopt::Long, IO::File, Thread::Queue.

Other Necessary modules:
Must have: Net::DNS, Net::IP, Net::Netmask.
Optional: Net::Whois::IP, HTML::Parser, WWW::Mechanize.

Perl ithreads modules (perl must be compiled with ithreads support):
threads, threads::shared.


Filip Waeytens <filip.waeytens[at]>

tix tixxDZ <tixxdz[at]>


Network Silence


This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.


Networking DNS

2024-01-17 perl v5.38.2