puredns
puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.
It uses massdns, a powerful stub DNS resolver, to perform bulk lookups. With the proper bandwidth and a good list of public resolvers, it can resolve millions of queries in just a few minutes. Unfortunately, the results from massdns are only as good as the answers provided by the public resolvers. The results are often polluted by wrong DNS answers and false positives from wildcard subdomains.
puredns solves this with its wildcard detection algorithm. It can filter out wildcards based on the DNS answers obtained from a set of trusted resolvers. It also attempts to work around DNS poisoning by validating the answers obtained using those trusted resolvers.
Features
- Resolve thousands of DNS queries per second using massdns and a list of public DNS resolvers
- Bruteforce subdomains using a wordlist and a root domain
- Clean wildcards and detect wildcard roots using the minimal number of queries to ensure precise results
- Circumvent DNS load-balancing during wildcard detection
- Validate that the results are free of DNS poisoning by running against a list of known, trusted resolvers
- Save a list of valid domains, wildcard subdomain roots, and a clean massdns output containing only the valid entries
- Read a list of domains or words from stdin and enable quiet mode for easy integration into custom automation pipelines
How it works
You can see puredns in action against the domain google.com using a small wordlist of the 100k most common subdomains in the image above.
As part of its workflow, puredns performs three steps automatically:
- Mass resolve using public DNS servers
- Wildcard detection
- Validation
1. Mass resolve using public DNS servers
Using massdns, puredns will perform a mass resolve of all the domains and subdomains. It feeds the data to massdns through stdin, which allows it to throttle the number of queries per second if needed and perform basic sanitization on the list of domains generated.
By default, the input domains are set to lowercase, and only entries containing valid characters are accepted (essentially [a-z0-9.-]). You can disable this with the --skip-sanitize flag.
After this step, the results are usually polluted: some public resolvers will send back bad answers, and wildcard subdomains can quickly inflate the results.
2. Wildcard detection
Puredns then uses its wildcard detection algorithm to detect and extract all the wildcard subdomain roots from the massdns results file.
It will use the massdns output from step 1 as a DNS cache to minimize the number of queries it needs to perform. To ensure precise results, it may have to validate the cache results by performing a DNS query.
You can skip this step using the --skip-wildcard flag.
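The idea behind this step, as a simplified added example (not puredns's own code or algorithm): the step 1 results are reused as a cache, and each parent domain is probed once with a random label to see whether a wildcard answers for it. The zone data, the cached results and the names resolve, filter_wildcards and run_demo are constructed for this illustration, with an offline stand-in in place of a real resolver.

```python
import secrets

# Constructed zone standing in for live DNS (TEST-NET addresses, not real records).
ZONE = {
    "www.example.test": {"192.0.2.10"},
    "api.dev.example.test": {"192.0.2.50"},   # explicit record under a wildcard
    "*.dev.example.test": {"192.0.2.99"},     # wildcard record
}
# Constructed step 1 results: names that resolved during the mass resolve.
CACHE = {
    "www.example.test": {"192.0.2.10"},
    "api.dev.example.test": {"192.0.2.50"},
    "mail.dev.example.test": {"192.0.2.99"},
    "vpn.dev.example.test": {"192.0.2.99"},
    "test.dev.example.test": {"192.0.2.99"},
}
QUERIES = []  # every lookup sent to the stand-in resolver

def resolve(name):
    """Offline stand-in for a trusted resolver: exact match, then enclosing wildcard."""
    QUERIES.append(name)
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((ZONE[c] for c in candidates if c in ZONE), set())

def filter_wildcards(cache, resolver, probes=1):
    """Split cached results into valid names and wildcard roots."""
    probe_answers = {}  # parent -> answers for random labels, fetched once per parent
    valid, roots = [], set()
    for name, answers in sorted(cache.items()):
        parent = name.split(".", 1)[1]
        if parent not in probe_answers:
            # A label this random cannot exist, so any answer comes from a wildcard.
            # Raise `probes` when a wildcard rotates answers (DNS load balancing).
            probe_answers[parent] = set()
            for _ in range(probes):
                probe_answers[parent] |= resolver(f"{secrets.token_hex(8)}.{parent}")
        if answers & probe_answers[parent]:
            roots.add("*." + parent)   # answer is indistinguishable from the wildcard
        else:
            valid.append(name)
    return valid, roots

def run_demo():
    QUERIES.clear()
    valid, roots = filter_wildcards(CACHE, resolve)
    return valid, roots, len(QUERIES)

if __name__ == "__main__":
    print(run_demo())
```

Five cached names are classified with two probe queries, and api.dev.example.test survives because its answer differs from the wildcard's.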
3. Validation
To protect against DNS poisoning, puredns uses massdns one last time to validate the remaining results using an internal list of trusted DNS resolvers. Currently, the trusted resolvers used are 8.8.8.8 and 8.8.4.4. This step is done at a slower pace to avoid hitting any rate limiting on the trusted resolvers.
You can skip this step using the --skip-validation flag.
At this point, the resulting files should be clean of wildcard subdomains and DNS poisoned answers.
Changelog v2.1.1
Fixed
- Wrong version number in binary releases
Copyright (C) 2020 d3mondev