Home

Awesome

domfind

domfind is a Python 3.6.x utility that tests for the existence of domain names under different Top Level Domains (TLDs). This is achieved by making a series of DNS requests for Start of Authority (SOA) records starting at the root servers and working down through the parent domains until the last parent replies with a SOA section or a NXDOMAIN response code indicating the nonexistence of the input domain name. Local or public DNS resolvers are purposefully not used in order to avoid cached records. It should be noted that the number of DNS queries performed grows linearly with the depth of the input domain and the number of TLDs to check for. For instance, sub1.sub2.domain.tld needs a total of three queries per TLD. The first one is directed at a root server, the second one goes to a NS server of domain.tld, and the third, final one to sub2.domain.tld.

This utility is useful to find malicious subdomains registered under multiple TLDs that might be used for phishing campaigns. Malicious actors often use the same domain name for related or subsequent campaigns for hosting web servers, which can be proactively found with domfind as a one-off, if a domain name is known, and acted upon accordingly afterwards. NS servers for the very last subdomain are never queried so as to avoid generating network traffic towards a potentially malicious infrastructure not yet in use, and thus remain under the radar of the adversary.

The main purpose of domfind is to serve as an intelligence tool for incident responders and security investigators alike. It can, nevertheless, be used for other, similar goals where domain names need finding.

Dependencies and Usage

domfind requires only a few modules that are specified in requirements.txt.

The supported options are the following:

Usage: domfind [-h] [-p <sec>] [-r] [-t <thread>] [-u] [-v ...]
               [-b | -d <file>]
               [<domain> ...]

Find identical domain names with SOA DNS records under different Top Level Domains (TLDs).

Options:
  -h, --help  show this help message and exit

  -b, --bad            use the known-bad TLD file at data/known-bad-tld.txt
  -d, --domain <file>  use the specified custom TLD file [default: data/tlds-alpha-by-domain.txt]
  -p, --pause <num>    wait an interval in seconds between each input domain [default: 0]
  -r, --raw            output raw hits (just the domain names)
  -t, --thread <num>   specify the size of the thread pool [default: number of CPU cores]
  -u, --update         update the local TLD list from IANA and the root name servers from InterNIC
  -v, --verbose        display verbose and debug messages

Examples

$ python3 domfind.py -b -t 2 domain
$ python3 domfind.py -vp 60 sub2.sub1.domain1 sub.domain2

Future Work

Change History

Author

@dfernan__