loading
loading
OSINT
Find lookalike domains adversaries use for typosquatting, phishing, and brand impersonation.
overview
dnstwist permutes your domain into typo and lookalike variants people land on: swapped characters, omitted letters, alternate TLDs, and homoglyphs. It then checks which of those variants are registered, turning a hypothetical attack surface into a concrete list of domains someone owns.
It enriches each registered hit so you can judge intent. Resolve DNS and show MX to spot domains set up to intercept email, look up GeoIP and WHOIS creation dates, grab HTTP and SMTP banners, and fetch pages to compare fuzzy hashes against your real site to flag clones.
On Trickest, dnstwist is an OSINT node that takes a domain and writes a file and a folder of results. Schedule it to watch for newly registered lookalikes, and route registered, mail-capable, or visually similar hits into alerting.
source github.com/elceef/dnstwist
use cases
Generate lookalike variants of your domain and filter to registered ones to find the names adversaries already hold.
Enable the MX check to flag lookalikes with mail records, the variants most likely to be used for phishing your staff or customers.
Fetch pages and compare fuzzy hashes against your real site to surface lookalikes that copy your branding for credential theft.
Schedule dnstwist and use WHOIS creation dates to catch freshly registered lookalikes as part of brand monitoring.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | · | Domain name or URL to scan for lookalikes. |
| show-only-registered-domains | BOOLEAN | -r | Show only registered lookalike domains. |
| mx-check | BOOLEAN | -m | Check whether MX records could be used to intercept email. |
| compare-fuzzy-hashes | BOOLEAN | -s | Fetch pages and compare fuzzy hashes to evaluate similarity. |
| lookup-whois-db | BOOLEAN | -w | Look up WHOIS for the domain creation date. |
| geoip-lookup | BOOLEAN | -g | Resolve GeoIP location for registered variants. |
| dictionary-file | FILE | -d | Generate more variants using a dictionary. |
| dns-servers-to-query | STRING | --nameservers | DNS servers to query, comma-separated. |
Showing key inputs. dnstwist exposes 14 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | · | Domain name or URL to scan |
| mx-check | BOOLEAN | -m | Check if MX can be used to intercept emails |
| user-agent | STRING | --useragent | User-Agent STRING to send with HTTP requests |
| geoip-lookup | BOOLEAN | -g | Lookup for GeoIP location |
| override-url | STRING | --ssdeep-url | Override URL to fetch the original web page from |
| dictionary-file | FILE | -d | Generate more domains using dictionary |
| lookup-whois-db | BOOLEAN | -w | Lookup WHOIS database for creation date |
| number-of-threads | STRING | -t | Number of urls |
| compare-fuzzy-hashes | BOOLEAN | -s | Fetch web pages and compare their fuzzy hashes to evaluate similarity |
| dns-servers-to-query | STRING | --nameservers | DNS servers to query (separated with commas) |
| show-all-dns-records | BOOLEAN | -a | Show all DNS records |
| http-smtp-service-banners | BOOLEAN | -b | Determine HTTP and SMTP service banners |
| show-only-registered-domains | BOOLEAN | -r | Show only registered domain names |
| generate-domains-by-swapping-tld | FILE | --tld | Generate more domains by swapping TLD from FILE |
example
# registered lookalikes of example.com with MX and fuzzy-hash checksdnstwist -r -m -s -w -g example.comdnstwist example.com* original example.com 198.51.100.10 tld-swap example.net 198.51.100.11 MX tld-swap example.org 203.0.113.5 subdomain www.example.com 203.0.113.8 subdomain mail.example.com 198.51.100.20 subdomain api.example.com 203.0.113.15 MX tld-swap example.io 198.51.100.30* 7 registered lookalikes (sample)guidance
Use dnstwist to protect a brand: generate lookalikes of your own domain and find which are registered, mail-capable, or visually cloned. It targets impersonation, not your own infrastructure. For mapping your real subdomains, use subfinder; dnstwist watches the names that pretend to be yours.
Another typosquat generator. dnstwist adds fuzzy-hash page comparison and MX intercept checks.
Confirms registration details. dnstwist generates the lookalike candidates to verify in the first place.
Finds your own subdomains. dnstwist finds the impersonating domains others register against you.
faq
related
Look up DNS records on DNSDumpster.
Look up a host on DNSDumpster.
List all public repositories for valid GitHub usernames.
Look up the real IP of a host starting from its favicon and using Shodan.
Gather email account intelligence from public sources and check it against breach data.
Collect a dossier on a person by username across thousands of sites.
Your domain feeds dnstwist, which generates lookalike variants, checks which are registered, and writes the impersonating domains as output.
Facts on this page come from the live Trickest tool library.