Discovering juicy targets via DNS



Information gathering is the first step in a penetration test. Identifying potential targets is crucial. Apart from simple IP addresses, that can be associated to the target, domain names often provide more information. These hostnames can provide an idea about the purpose of the system. Also, they might help mapping domain structure of the target. They also might indicate different web applications on a particular host.

Related Work

There are a lot of awesome tools out there already. One for each programming language. Many unique features.

  • fierce - Is an old tool written in perl. Unfortunately, the original website at is no longer available. Fierce was probably the first tool doing the job of DNS discovery properly. It can utilise threads for discovery which speeds things up quite a bit. First, it tries a zone transfer from the SOA name servers. If this does not work, which it usually should not, it continues with the standard enumeration process. Wildcard domains are an issues which are taken care of by fierce. Network ranges can also be utilised during the discovery process. Furthermore, discovered domains can be added to the discovery. As it is well tested and also provides some really good functionality it is also distributed with kali linux.

  • dnsrecon - This written in python and is maintained on github. The fact, that the tool does a really good job is obvious. Apart from the features fierce it also brings along some other trickery. It can perform a google lookup to discover subdomains. Also, it is able to perform a WHOIS lookup on the domain as well as IP addresses. For further processing, dnsrecon supports different reporting options, e.g. json format. This tool is also part of the kali distribution.

  • dnstwist - This well maintained tool is written in python. The main purpose is to analyse variations of a domain name. This can help helpful to detect typosquatters or phishing attacks.

  • - is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.


These are all awesome tools. Nevertheless, I was about trying to learn golang as a new programming language. What better option, than to test and write a DNS discovery tool with that language.

Also, from my perspective, the tools above do not harness the full potential of information at the moment. One big source of information are the regularly updated scans at Another big source of information are the results at They have a lot information about TLS certificates indexed in their search engine.

The Result

After some hacking away at the keyboard, the first working code sample is on github. There exist still a lot of ToDos until it is working as expect. Keep yourself updated on the repository dnsDisco.

For the sake of comleteness, here is an example of the command.