DNSx | A Fast And Multi-Purpose DNS Toolkit


dnsx is a fast and multi-purpose DNS toolkit allow to run multiple probes using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers, additionally supports DNS wildcard filtering like shuffledns.


  • Simple and Handy utility to query DNS records.
  • Supports A, AAAA, CNAME, PTR, NS, MX, TXT, SOA
  • Supports DNS Status Code probing
  • Supports DNS Tracing
  • Handles wildcard subdomains in automated way.
  • Stdin and stdout support to work with other tools.


dnsx -h

This will display help for the tool. Here are all the switches it supports.

Flag Description Example
a Query A record dnsx -a
aaaa Query AAAA record dnsx -aaaa
cname Query CNAME record dnsx -cname
ns Query NS record dnsx -ns
ptr Query PTR record dnsx -ptr
txt Query TXT record dnsx -txt
mx Query MX record dnsx -mx
soa Query SOA record dnsx -soa
raw Operates like dig dnsx -raw
rcode DNS Response codes dnsx -rcode 0,1,2
l File input list of subdomains/host dnsx -l list.txt
json JSON output dnsx -json
r File or comma separated resolvers dnsx -r
rl Limit of DNS request/second dnsx -rl 100
resp Display response data dnsx -cname -resp
resp-only Display only response data dnsx -cname resp-only
retry Number of DNS retries dnsx -retry 1
silent Show only results in the output dnsx -silent
stats Display stats of the running scan dnsx -stats
o File to write output to (optional) dnsx -o output.txt
t Concurrent threads to make dnsx -t 100
trace Perform dns trace dnsx -trace
trace-max-recursion Max recursion for dns trace dnsx -t 32767
verbose Verbose output dnsx -verbose
version Show version of dnsx dnsx -version
wd Wildcard domain name for filtering dnsx -wd example.com
wt Wildcard Filter Threshold dnsx -wt 5

Installation Instructions

dnsx requires go1.14+ to install successfully. Run the following command to get the repo -

GO111MODULE=on go get -v github.com/projectdiscovery/dnsx/cmd/dnsx

Running dnsx

dnsx can be used to filter dead records from the list of passive subdomains obtained from various sources, for example:-

:arrow_forward: subfinder -silent -d hackerone.com | dnsx a.ns.hackerone.com www.hackerone.com api.hackerone.com docs.hackerone.com mta-sts.managed.hackerone.com mta-sts.hackerone.com resources.hackerone.com b.ns.hackerone.com mta-sts.forwarding.hackerone.com events.hackerone.com support.hackerone.com

dnsx can be used to print A records for the given list of subdomains, for example:-

:arrow_forward: subfinder -silent -d hackerone.com | dnsx -silent -a -resp a.ns.hackerone.com [] b.ns.hackerone.com [] mta-sts.hackerone.com [] events.hackerone.com [] mta-sts.managed.hackerone.com [] resources.hackerone.com [] resources.hackerone.com [] www.hackerone.com [] support.hackerone.com []

dnsx can be used to extract A records for the given list of subdomains, for example:-

:arrow_forward: subfinder -silent -d hackerone.com | dnsx -silent -a -resp-only

dnsx can be used to extract CNAME records for the given list of subdomains, for example:-

:arrow_forward: subfinder -silent -d hackerone.com | dnsx -silent -cname -resp support.hackerone.com [hackerone.zendesk.com] resources.hackerone.com [read.uberflip.com] mta-sts.hackerone.com [hacker0x01.github.io] mta-sts.forwarding.hackerone.com [hacker0x01.github.io] events.hackerone.com [whitelabel.bigmarker.com]

dnsx can be used to probe DNS Staus code on given list of subdomains, for example:-

:arrow_forward: subfinder -silent -d hackerone.com | dnsx -silent -rcode noerror,servfail,refused ns.hackerone.com [NOERROR] a.ns.hackerone.com [NOERROR] b.ns.hackerone.com [NOERROR] support.hackerone.com [NOERROR] resources.hackerone.com [NOERROR] mta-sts.hackerone.com [NOERROR] www.hackerone.com [NOERROR] mta-sts.forwarding.hackerone.com [NOERROR] docs.hackerone.com [NOERROR]

dnsx can be used to extract subdomains from given network range using PTR query, for example:-

echo | dnsx -silent -resp-only -ptr cors.api.paypal.com trinityadminauth.paypal.com cld-edge-origin-api.paypal.com appmanagement.paypal.com svcs.paypal.com trinitypie-serv.paypal.com ppn.paypal.com pointofsale-new.paypal.com pointofsale.paypal.com slc-a-origin-pointofsale.paypal.com fpdbs.paypal.com

Wildcard filtering

A special feature of dnsx is its ability to handle multi-level DNS based wildcards and do it so with very less number of DNS requests. Sometimes all the subdomains will resolve which will lead to lots of garbage in the results. The way dnsx handles this is it will keep track of how many subdomains point to an IP and if the count of the Subdomains increase beyond a certain small threshold, it will check for wildcard on all the levels of the hosts for that IP iteratively.

dnsx -l airbnb-subs.txt -wd airbnb.com -o output.txt

:clipboard: Notes

  • As default, dnsx checks for A record.
  • As default dnsx uses Google, Cloudflare, Quad9 resolver.
  • Custom resolver list can be used using r flag.
  • Domain name input is mandatory for wildcard elimination.
  • DNS record flag can not be used when using wildcard filtering.

dnsx is made with :black_heart: by the projectdiscovery team.