Passive DNS network mapping

Dnsmap – Passive DNS network mapper a.k.a. subdomains bruteforcer.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.


dnsmap <target-domain> [options]


-w <wordlist-file>
-r <regular-results-file>
-c <csv-results-file>
-d <delay-millisecs>
-i <ips-to-ignore> (useful if you're obtaining false positives)


dnsmap -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap -r /tmp/ -d 3000
dnsmap -r ./domainbf_results.txt

Results example:

user@kali:~# dnsmap
dnsmap 0.30 - DNS Network Mapper by pagvac (
[+] searching (sub)domains for using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
IP address #1:
IP address #1:
IP address #1:
IP address #1:
[+] 4 (sub)domains and 4 IP address(es) found
[+] completion time: 195 second(s)
%d bloggers like this: