DNS enumeration starting from a domain name

Written on 2023/02/23

As we crawl the Web like a search engine, we have plenty of data to enumerate all subdomains (or hostnames) bound to a given domain name. To do so, there are two categories of information (or datasets) you can query:

Using the resolver category

By using the official command line tool, you can easily execute this use case in a single call:

$ onyphe -search 'category:resolver domain:google.com -since:7M | uniq hostname'
{"hostname":"alt3.aspmx.l.google.com"}
{"hostname":"alt4.aspmx.l.google.com"}
{"hostname":"alt1.aspmx.l.google.com"}
{"hostname":"alt2.aspmx.l.google.com"}
{"hostname":"aspmx.l.google.com"}
{"hostname":"alt1.gmr-smtp-in.l.google.com"}
{"hostname":"gmr-smtp-in.l.google.com"}
{"hostname":"nevrvim4nc4fn3dpatfp4c3vwyvsxjylq6rvjj5tjddl3xal2ptq.mx-verification.google.com"}
{"hostname":"alt3.gmr-smtp-in.l.google.com"}
{"hostname":"alt4.gmr-smtp-in.l.google.com"}
{"hostname":"alt2.gmr-smtp-in.l.google.com"}
{"hostname":"alt1.aspmx.google.com"}
{"hostname":"cache.google.com"}
{"hostname":"alt3.gmail-smtp-in.l.google.com"}
{"hostname":"smtp.google.com"}
[..]

Output has been truncated, but there are many hostnames pointing to this domain name.

NOTE: this onyphe call uses the Search API against the last 30 days of data from the resolver category of information.

Using the hostname category

This one is more powerful as we have 12 months of historical records (Griffin View required). It is just as easy to run from the command line, but it will yield far more results. Let’s add an addcount command to get the final count:

$ onyphe -export 'category:hostname -since:12M domain:google.com | fields hostname | addcount'
[..]
{"count":51390,"hostname":"mail-mta1425.google.com"}
{"count":51391,"hostname":"5it3jauavsq5c23zqtnpygd72ajatyfthrpxlnf4wzvzpwd7rq5q.mx-verification.google.com"}
{"count":51392,"hostname":"vjsd4th4xpcittktjsrkg5rczvkjuj44bhtrr4sezc2p2tnsobua.mx-verification.google.com"}
{"count":51393,"hostname":"j44y55eahw6q4jozrs2tvz4kuos3jcv5d56gb3ws66pf3sntbaeq.mx-verification.google.com"}
{"count":51394,"hostname":"f6nktbni5rfty3w43bbyzcbpe6xs7fyiisttekhlzhmtkl6uhzra.mx-verification.google.com"}
{"count":51395,"hostname":"m3gvb7yb345nygqbpfuolooapw7eaej3e7vdrltjardtzahw5edq.mx-verification.google.com"}
{"count":51396,"hostname":"6wg2jdhf2rpupmeupyr6tqldwxypz6uavi5i44ngoypj3ytwbk2a.mx-verification.google.com"}
{"count":51397,"hostname":"4gcahtpshjn6756trhhvhriuqpzawablvdsv2agdecrbwmq6zbuq.mx-verification.google.com"}
{"count":51398,"hostname":"nr4jlxwzrwz7fautdeiaoyf3vqukncgmydujeaddwj4cwcmmvzka.mx-verification.google.com"}
{"count":51399,"hostname":"m6w6blmjrdpilsbgkfgyu25vg2nprc4mfw5lbp6fqo2qfo2oxdwa.mx-verification.google.com"}
[..]

Count: 51,000+ and not finished right now…

NOTE: this onyphe call uses the Export API against the last 12 months of data from the hostname category of information.
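
For asset inventory, the JSON lines returned by either call can be post-processed before review. The following is an added example, not ONYPHE's own code: it de-duplicates hostnames, keeps only names under the queried domain, and collapses machine-generated labels such as the mx-verification records into a per-zone count. The function names and the 32-character label heuristic are assumptions made for illustration, and the sample input is constructed from the output above.

```python
import json
import re
from collections import defaultdict

# Assumption: a leftmost label of 32+ chars from [a-z0-9] is machine-generated
# (as in the mx-verification records above); tune this for your own zones.
GENERATED_LABEL = re.compile(r"^[a-z0-9]{32,}$")


def parse_hostnames(lines, domain):
    """Return the sorted, de-duplicated in-scope hostnames from JSON lines."""
    domain = domain.lower().rstrip(".")
    seen = set()
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):      # skip blanks and "[..]" markers
            continue
        try:
            host = json.loads(line).get("hostname")
        except json.JSONDecodeError:      # skip a record cut off mid-line
            continue
        if isinstance(host, str):
            host = host.lower().rstrip(".")
            # Match on a label boundary so "notgoogle.com" stays out of scope.
            if host == domain or host.endswith("." + domain):
                seen.add(host)
    return sorted(seen)


def collapse_generated(hostnames):
    """Return (named hosts, {parent zone: count of generated labels})."""
    named, generated = [], defaultdict(int)
    for host in hostnames:
        label, _, parent = host.partition(".")
        if parent and GENERATED_LABEL.match(label):
            generated[parent] += 1
        else:
            named.append(host)
    return named, dict(generated)

# Constructed sample input, modelled on the output shown above.
SAMPLE = """\
{"hostname":"smtp.google.com"}
{"count":2,"hostname":"SMTP.google.com."}
{"hostname":"nevrvim4nc4fn3dpatfp4c3vwyvsxjylq6rvjj5tjddl3xal2ptq.mx-verification.google.com"}
{"count":51391,"hostname":"5it3jauavsq5c23zqtnpygd72ajatyfthrpxlnf4wzvzpwd7rq5q.mx-verification.google.com"}
{"hostname":"mail.notgoogle.com"}
[..]
""".splitlines()
```

To process real output, pass the lines of the saved onyphe result (or `sys.stdin`) to `parse_hostnames` in place of `SAMPLE`.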