
puredns's People

Contributors

d3mondev

puredns's Issues

Add another wildcard (or 2) to the bruteforce.

Hi,
Love this tool.
So now the bruteforce is like: puredns bruteforce wordlist.txt "www.*.example.com" with a single wordlist.

Can you make it like puredns bruteforce wordlist.txt ".www..example.com" using 2 wordlists?

Or three or more?

Example: puredns bruteforce wordlist.txt "site*.www..example.site.com"

No valid domains remaining.

Resolving domains with public resolvers
Processed: 79 Rate: 79 Elapsed: 00:00:25

Detecting wildcard root subdomains
[ETA 00:00:00] |░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░| 0/0 queries: 0 (time: 00:00:00)

Validating domains against trusted resolvers
Processed: 0 Rate: 0 Elapsed: 00:00:00

No valid domains remaining.


           puredns v2.1.1

Wildcard filtering is not working right with long domains (version 2.1.2)

Hello,
Yesterday, I tried the version 2.1.1 resolve capabilities with a list of names, and wildcard filtering didn't work right. I checked the puredns repository and found that you have pushed a fix for wildcard filtering with long domains (my list contained lots of them), so I cloned the repo, built puredns from source and got version 2.1.2 to work. After that I tried the resolve feature of puredns twice: the first time it worked, but the second time it didn't. Of course both attempts (two different lists of domains) were done on three different hosts (I double-checked the one that gave false positives).
I hope my English helped me here to explain it. If there is anything not clear, please let me know.

Regards

Add analysis of the discovered subdomain names to find naming patterns

Subdomain names frequently have patterns of various kinds. Doing an initial pass at the name discovery would produce an initial subdomain list. Searching through that list and recognizing those patterns would enable you to use these patterns as an anchor for a second brute-forcing round.

Puredns doesn't work in cron

When I run puredns in cron, the task completes instantly with an empty result. I tried rebuilding massdns and running it via root cron, but that didn't help.
The problem occurs with the bruteforce module.

The app seems to ignore own dns resolvers and still uses public ones

Hi, my main issue here is the fact that running puredns against public DNS servers will make my box be throttled at some point, lowering the speed of the scans.

I thought then to use my own DNS resolver to avoid being limited and also be able to monitor the queries that I do.

When trying -r or the trusted resolver flag to specify my own private resolver, the app does not reach my own DNS server (which only has port 53 open). And the output of the tool says that it is using public resolvers.

I would like to use my own DNS server for all queries and know how the throttling is managed in puredns.

[Feature request] Validate DNS resolvers

Like Amass, puredns should perform an initial scan against DNS resolvers when starting, in order to see if any resolver has died (some resolvers on public-dns.info are taken down usually)

Puredns 1.0

@d3mondev I am using Puredns 1.0, which takes less time to resolve the same size of list compared to the new Go version, which is surprising. Can you please explain why the new version is not resolving the list in less time than Puredns 1.0? I set an equal hashmap value in both versions.

Thanks

Puredns does not write out domains or results in the output file

I am running puredns with the following command line:
puredns bruteforce subdomains.txt target.com -w brute.txt -r ~/resolvers.txt --resolvers-trusted trusted.txt
It took 21:41:34 to finish.

Detecting wildcard root subdomains
[ETA 00:00:00] |░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░| 0/0 queries: 0 (time: 00:00:00)

Validating domains against trusted resolvers
Processed: 0 Rate: 0 Elapsed: 00:00:00

No valid domains remaining. (I don't see anything after this line in the terminal.)

I don't see any results in the output file brute.txt. My wordlist is a 30 million permuted list from already discovered domains.
What goes wrong here? I didn't run this scan on a VPS or cloud. Any help, kindly.

Heavy Load on Wi-Fi Router

Hello, I am running
puredns bruteforce wordlist.txt domain.com -w brute.txt
where my wordlist is 3 million. After around 4 to 5 hours it put a heavy load on my Wi-Fi router and it did not work properly. It disconnected many times and network speed was also reduced, so I was unable to open web pages properly. It almost fried the router. I can't finish this test.
To solve it and run effectively, should I use the -l flag and set the value between 2000-10000? If so, which will be the correct value for a 3 million wordlist? Further, should I also use --wildcard-batch 1000000? I am running on a home system without a VPS. Kindly enlighten me, as well as on further improvement of puredns in such similar cases. Are any other --wildcard flags required?

Add option to use only trusted resolvers

When resolving or bruteforcing small lists, it would be useful to disable the use of public resolvers to help ensure no results are missed due to bad public resolvers. This would also imply skipping the validation phase.

PureDNS never managed to resolve anything

Hello,
Maybe I'm doing something wrong here, but I'm unable to get this to work.
I wrote my own Python request tool but it's nowhere near as fast as pureDNS, so I would love to get this one to work :).

puredns resolve url_list.txt --write valid.txt -l 5
This is the command I run; the resolvers.txt has 8.8.8.8, 8.8.4.4 and 1.1.1.1 in it.
Edit: My url_list.txt contains amass/subfinder enums, in the format: subdomain.domain.com (example.com, bob.example.com). I tried adding http and https etc. in front, but it is the same with or without.

The valid.txt always comes back as empty; I never get any resolves.
I am able to resolve domains with httpx and my own tool, but not with pureDNS. Anyone been in a similar pickle and managed to resolve it? (lol!)
MassDNS is installed too, but I have not done anything with it (using Kali out-of-the-box distro).

Would be greatly appreciated.

Running in Azure no results

Hi d3mondev and team, I am trying to use puredns in Azure Debian servers, both Ubuntu and Kali, with really good specs, but it's returning no results. So I am not sure: is it that I am resolving a much bigger list, or is it DNS load-balancing in Azure that needs to be circumvented, or is it a limit in terms of rate resolved per second? How do you deal with that, if you have any experience with using this in an Azure environment? Like, what's the best setting, or what do I need to modify exactly? Thanks.

Bug

Bug exists when using ./puredns resolve domains.txt --write flag to write valid domains

Created a pull request pull1

puredns error: error resolving domains: exit status 1

Hi,

Everything seems fine. Massdns is installed, but puredns is throwing the error: puredns error: error resolving domains: exit status 1

I traced the issue. The problem is actually in massdns: massdns will not allow you to run it without supplying the --root argument when you are the root user. Puredns doesn't supply the --root argument while running massdns.


Go get issue in 1.17

Since go get is deprecated, I am using go install, which is throwing this error. How do I resolve this?

go install github.com/d3mondev/puredns@latest

go install: github.com/d3mondev/puredns@latest: module github.com/d3mondev/puredns@latest found (v1.0.3), but does not contain package github.com/d3mondev/puredns

Running through VPN issue

When connected to a VPN the tool does not work, but when run without a VPN it kills my local internet if the list of domains is big; if it is small it works.

setup:
root@kali:~# uname -a
Linux kali 5.10.0-kali7-amd64 #1 SMP Debian 5.10.28-1kali1 (2021-04-12) x86_64 GNU/Linux

Is there any way around this, or is the tool intended to be run in a VPS?

panic: runtime error: invalid memory address or nil pointer dereference

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x6a6d8c]

goroutine 32 [running]:
github.com/d3mondev/resolvermt.(*resolverDNS).Resolve(0xc0003e0180, {0xc00030bc20, 0x1d}, 0x0?)
        /root/go/pkg/mod/github.com/d3mondev/[email protected]/resolverdns.go:46 +0x6c
github.com/d3mondev/resolvermt.(*clientDNS).startThreads.func1(0x0?)
        /root/go/pkg/mod/github.com/d3mondev/[email protected]/client_dns.go:50 +0x3f
created by github.com/d3mondev/resolvermt.(*clientDNS).startThreads
        /root/go/pkg/mod/github.com/d3mondev/[email protected]/client_dns.go:42 +0x65

Wildcard Domains with CNAME not filtered

Hello,

First of all, thank you for the awesome tool.

  1. Wildcard subdomains that resolve to a CNAME with status NXDOMAIN are not filtered. (I have not checked if NOERROR with CNAME are filtered or not.)

Example domain : doesnotexists.paypal.cn

  2. If the answer contains part of the DNS query, such a wildcard is not detected.

Example domain : algolia.net

host -t CNAME FOOBAR.algolia.net
FOOBAR.algolia.net is an alias for up.FOOBAR.api.algolia.net.

mass dns is not created on windows.

Error:
cc -DMASSDNS_REVISION=\"v1.0.0-65-g2cee317\" -O3 -std=c11 -Wall -fstack-protector-strong src/main.c -o bin/massdns
In file included from src/dns.h:12,
                 from src/massdns.h:22,
                 from src/main.c:9:
src/string.h: In function ‘trim_start’:
src/string.h:56:21: warning: array subscript has type ‘char’ [-Wchar-subscripts]
   56 | if(!isspace(*str))
      | ^~~~
src/string.h: In function ‘trim_end’:
src/string.h:70:21: warning: array subscript has type ‘char’ [-Wchar-subscripts]
   70 | if(!isspace(*last))
      | ^~~~~
src/string.h: In function ‘json_escape_str’:
src/string.h:146:31: warning: array subscript has type ‘char’ [-Wchar-subscripts]
  146 | if(isprint(src[i])) \
      | ~~~^~~
src/string.h:168:5: note: in expansion of macro ‘json_escape_body’
  168 | json_escape_body(src[i] != 0);

error

massdns output format

Thank you for your good tool. I want to change the massdns output format 'Snl' to 'S', so I modified this file's code:
https://github.com/d3mondev/puredns/blob/master/pkg/massdns/runner.go#L41
args := []string{"-q", "-r", resolvers, "-o", "S", "-t", "A", "--retry", "REFUSED", "--retry", "SERVFAIL", "-w", output}

but after that no domain found, only found one domain.
Can you help me with what to do to change this format and have it work normally? Thank you!

puredns -r resolvers.txt resolve subdomains.txt
                          _
                         | |
 _ __  _   _ _ __ ___  __| |_ __  ___
| '_ \| | | | '__/ _ \/ _` | '_ \/ __|
| |_) | |_| | | |  __/ (_| | | | \__ \
| .__/ \__,_|_|  \___|\__,_|_| |_|___/
| |
|_|                     puredns v2.0.1

Fast and accurate DNS resolving and bruteforcing

Crafted with <3 by @d3mondev
https://github.com/sponsors/d3mondev

------------------------------------------------------------
[+] Mode                 : resolve
[+] File                 : /tmp/dnstest/subdomains.txt
[+] Resolvers            : /tmp/resolvers.txt
[+] Rate Limit           : unlimited
[+] Rate Limit (Trusted) : 500 qps
[+] Wildcard Threads     : 100
[+] Wildcard Tests       : 3
------------------------------------------------------------

Resolving domains with public resolvers
[ETA 00:00:00] |██████████████████████████████████████| 200/200 rate: 200 qps (time: 00:00:00)

Detecting wildcard root subdomains
[ETA 00:00:00] |██████████████████████████████████████| 1/1 queries: 1 (time: 00:00:01)

Validating domains against trusted resolvers
[ETA 00:00:00] |██████████████████████████████████████| 1/1 rate: 1 qps (time: 00:00:00)

Found 1 valid domains:
0.zhuanzhuan.com

Wildcard root question

Thanks for the amazing tool!
When you have multiple subdomains under the same wildcard root, puredns won't return any subdomain.
For example:

au.site.yahoo.com
matrixcollectibles.site.yahoo.com

Wouldn't it be interesting to return at least one subdomain from the list above?
If a user is filtering valid domains for security testing, he/she could miss valid subdomains from wildcard root domains.

Update README to include --rate-limit

The --rate-limit flag allows controlling the qps of outbound queries during execution (separate from --rate-limit-trusted for trusted resolvers); however, this is not mentioned anywhere in the README or even in the application's help menu. Might help people if it gets fixed.

Flag to not discard valid SERVFAIL subdomains

Wanted to ask if it would be possible to add a flag to not discard subdomains that respond to SERVFAIL but are unique and not wildcards?

The reason is, a subdomain can be vulnerable to takeover while responding to SERVFAIL, and I wanted to not discard those subdomains with puredns.

Any way to speed up wildcard filtering?

I am resolving a lot of subdomains pretty fast, but when it comes to wildcard filtering it just takes forever, and I don't know if it would be possible to speed it up. It takes an absurd amount of time:

Resolving domains with public resolvers
Processed: 2253265 Rate: 7514 Elapsed: 00:05:16

Detecting wildcard root subdomains
[ETA 52:12:09] |█░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░| 5616/1553671 queries: 5718 (time: 00:10:55))

5 minutes to resolve, ~52 hours for wildcard filtering (it is updated all the time); the queries go so slowly even though I didn't provide any --wildcard-batch value.

Does the --rate-limit-trusted flag affect the wildcard filtering (does it use the trusted resolvers)? Or do just -t for threads and --wildcard-batch affect it? Because I don't see much change from the last 2 flags, but I notice some difference when changing the limit of trusted resolvers.

PureDNS gets stuck at "Validating domains against trusted resolvers"

PureDNS gets stuck at "Validating domains against trusted resolvers" when all domains from the list are filtered out by wildcard detection or no domain resolves.

Examples :

echo "nxdomain.facebook.com" | puredns resolve

echo "wildcard.paypal.com" | puredns resolve
