loading
loading
Recon
Asynchronous DNS brute-force tool for fast subdomain enumeration.
overview
aiodnsbrute brute forces subdomains by resolving every entry in a wordlist against a domain, running the lookups concurrently with Python asyncio so thousands of queries stay in flight at once. Where passive enumeration only surfaces names already published in certificate logs or DNS aggregators, brute forcing finds names that resolve in DNS but appear in no public source, which is how it fills the gaps a passive pass leaves.
The tool is built for throughput. You cap concurrency with a max-tasks limit and point it at your own resolver file so a single upstream does not bottleneck the run. Wildcard detection runs by default so a catch-all record does not flood the results with false positives, and the gethostbyname mode surfaces CNAMEs worth checking for subdomain takeover.
On Trickest, aiodnsbrute is a Recon node that takes a domain and a wordlist and writes its results as JSON in a file and a folder. Run it alongside a passive finder for fuller coverage, then pass the resolved names to a prober so the rest of the workflow only touches hosts that answer.
source github.com/blark/aiodnsbrute
use cases
Resolve a wordlist against a domain to find names that exist in DNS but are not published in certificate logs or aggregators, expanding the attack surface.
Supply a resolver file and raise max-tasks to push high concurrency through resolvers you trust, covering large wordlists quickly.
Use the gethostbyname mode to return CNAMEs, which highlights dangling records worth checking for takeover before an attacker does.
Hand the JSON output to httpx and a scanner so the workflow continues against subdomains that resolve, not the whole wordlist.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | · | Domain to brute force. |
| wordlist | FILE | --wordlist | Wordlist to use for the brute force. |
| resolvers-file | FILE | --resolver-file | File of DNS resolvers, one per line; defaults to system resolvers. |
| max-tasks | STRING | --max-tasks | Maximum number of tasks to run asynchronously. |
| wildcard | BOOLEAN | --wildcard | Wildcard detection, enabled by default. |
| get-host-by-name | BOOLEAN | --gethostbyname | Detect CNAMEs, handy for subdomain-takeover detection. |
| verbose | BOOLEAN | --verbosity | Increase output verbosity. |
Showing key inputs. aiodnsbrute exposes 11 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | · | Domain to brute force. |
| verbose | BOOLEAN | --verbosity | Increase output verbosity. |
| wildcard | BOOLEAN | --wildcard | Wildcard detection, enabled by default. |
| wordlist | FILE | --wordlist | Wordlist to use for the brute force. |
| max-tasks | STRING | --max-tasks | Maximum number of tasks to run asynchronously. |
| no-wildcard | BOOLEAN | --no-wildcard | Disable wildcard detection. |
| resolvers-file | FILE | --resolver-file | Text file of DNS resolvers, one per line, comments start with #. Defaults to the system resolvers. |
| dns-lookup-type | BOOLEAN | --query | Use DNS query lookups; faster, but does not return CNAME information. Enabled by default. |
| get-host-by-name | BOOLEAN | --gethostbyname | Detect CNAMEs, handy for potential subdomain-takeover detection. |
| verify-domain-name | BOOLEAN | --verify | Verify the domain name is sane before starting. Enabled by default. |
| dont-verify-domain-name | BOOLEAN | --no-verify | Skip the domain-name sanity check. |
example
# resolve a wordlist against example.com through custom resolvers at high concurrencyaiodnsbrute --wordlist /wordlists/dns-subdomains.txt --resolver-file resolvers.txt --max-tasks 1024 example.com[*] Brute forcing example.com with a maximum of 1024 concurrent tasks[*] Wildcard detection: no catch-all record found[+] www.example.com 198.51.100.24[+] api.example.com 198.51.100.51[+] mail.example.com 203.0.113.10[+] vpn.example.com 203.0.113.42[+] staging.example.com 198.51.100.77[*] Completed! 114441 names checked, 5 subdomains found in 88.20 secondsguidance
Use aiodnsbrute when you want active, wordlist-driven subdomain discovery to complement a passive finder like subfinder. Bring a good wordlist and a resolver file. It finds names, it does not probe them, so follow it with httpx.
massdns wrapper for fast resolution and brute forcing. Heavier setup, very high throughput.
Brute forces and resolves with wildcard filtering. A strong alternative when accuracy at scale matters.
Passive discovery, no brute forcing. Run it alongside aiodnsbrute for combined coverage.
faq
related
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
OSINT automation for hackers.
A domain and a wordlist feed aiodnsbrute, which resolves each candidate asynchronously and writes the discovered subdomains as a queryable output.
Facts on this page come from the live Trickest tool library.