DNS Resolution
Enumeration gives you a list of candidate names. Most engagements need to know which ones actually resolve, what they resolve to, and which IPs that adds to scope. It’s a mass-resolution problem — you can easily end up with tens of thousands of candidate names.
Mass resolution with dnsx
Arsenic originally used fast-resolv for this. These days I use dnsx (ProjectDiscovery) — it resolves huge lists quickly against a pool of resolvers and it’s actively maintained.
# Resolve every discovered subdomain; keep only those that answer, with their A records
dnsx -l recon/domains/example.com/subdomains.txt \
-a -resp \
-silent \
-o recon/domains/example.com/resolved.txt
Use a curated resolver list to avoid poisoned or rate-limited public resolvers — dnsvalidator builds one:
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt
dnsx -l subdomains.txt -r resolvers.txt -a -resp -silent -o resolved.txt
Watch out for wildcard DNS. Some domains resolve every name to one IP (*.example.com → 203.0.113.9), so every candidate you throw at them “resolves”. dnsx has -wd example.com for wildcard filtering; puredns handles it automatically. Without that filtering, your “resolved” list is mostly garbage.
Extract IPs into scope
Every resolved address that falls inside your authorized ranges becomes part of the IP scope for the recon phase:
# Pull the unique IPs out of the resolved output
grep -oE '\[([0-9]{1,3}\.){3}[0-9]{1,3}\]' recon/domains/*/resolved.txt \
| tr -d '[]' | sort -u \
| tee recon/ips/from-domains.txt
# Merge with the seed IP scope (this only deduplicates; check the result against your authorized ranges before using it)
cat scope-ips.txt recon/ips/from-domains.txt | sort -u > recon/ips/scope-combined.txt
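The two post-processing steps above (dropping wildcard-backed names, then keeping only addresses inside authorized ranges) are easy to get wrong in a grep pipeline. The following is an added example, not Arsenic's code or part of the original page: it parses the `hostname [ip]` lines that dnsx -resp emits, detects a wildcard by resolving random labels under the domain, and filters the survivors against authorized CIDRs. The resolver is injected as a callable so the logic runs offline here with a constructed stub; the sample output, the stub resolver and the CIDR list are all constructed for the example.

```python
import ipaddress
import random
import re
import string
from typing import Callable, Iterable

# Constructed sample of `dnsx -a -resp` output: one "hostname [ip]" per line.
SAMPLE_RESOLVED = """\
www.example.com [198.51.100.10]
api.example.com [198.51.100.11]
mail.example.com [203.0.113.9]
asdfqwer.example.com [203.0.113.9]
cdn.example.com [192.0.2.50]
"""

# Constructed authorized ranges, as they would come from the scope document.
AUTHORIZED = ["198.51.100.0/24", "203.0.113.0/24"]

LINE_RE = re.compile(r"^(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]$")


def parse_dnsx(text: str) -> list[tuple[str, str]]:
    """Turn dnsx -resp lines into (hostname, ip) tuples; malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def detect_wildcard_ips(domain: str, resolve: Callable[[str], list[str]],
                        probes: int = 3) -> set[str]:
    """Resolve a few random labels under `domain`; any IP that answers is a wildcard IP.

    A real label (www, mail) should never exist by chance, so a random 16-character
    label resolving means the zone answers for everything. `resolve` is injected so the
    same check works against a real resolver or the stub below.
    """
    found: set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        found.update(resolve(f"{label}.{domain}"))
    return found


def drop_wildcard(pairs: list[tuple[str, str]], wildcard_ips: set[str]) -> list[tuple[str, str]]:
    """Remove every name whose answer is a wildcard IP.

    Caveat: a real host that shares the wildcard IP is dropped too; that is the same
    trade-off the -wd style filters make.
    """
    return [(h, ip) for h, ip in pairs if ip not in wildcard_ips]


def in_scope_ips(pairs: list[tuple[str, str]], authorized: Iterable[str]) -> set[str]:
    """Keep only the addresses that fall inside an authorized CIDR."""
    nets = [ipaddress.ip_network(n) for n in authorized]
    return {ip for _, ip in pairs if any(ipaddress.ip_address(ip) in n for n in nets)}


def process(text: str, domain: str, resolve: Callable[[str], list[str]],
            authorized: Iterable[str]) -> tuple[list[tuple[str, str]], list[str]]:
    """Full pipeline: parse, drop wildcard answers, return (kept pairs, sorted in-scope IPs)."""
    pairs = parse_dnsx(text)
    kept = drop_wildcard(pairs, detect_wildcard_ips(domain, resolve))
    return kept, sorted(in_scope_ips(kept, authorized))


def stub_resolver(name: str) -> list[str]:
    """Constructed stand-in for a lookup: example.com behaves as a wildcard zone."""
    return ["203.0.113.9"] if name.endswith(".example.com") else []


if __name__ == "__main__":
    kept, ips = process(SAMPLE_RESOLVED, "example.com", stub_resolver, AUTHORIZED)
    for host, ip in kept:
        print(f"{host} -> {ip}")
    print("in-scope IPs:", ips)
```

Swap `stub_resolver` for a function that performs a real A lookup (for instance via dnspython) and the same pipeline runs against the engagement's resolved.txt. Note that mail.example.com is dropped with the wildcard in the sample: when a legitimate host sits on the wildcard IP, you must put it back by hand.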
Reverse DNS (the other direction)
You also want to resolve IPs back to names — PTR records often reveal hostnames (and therefore new domains) you’d never have guessed:
dnsx -l recon/ips/scope-combined.txt -ptr -resp-only -silent \
| tr 'A-Z' 'a-z' | sort -u \
| grep -vEf blacklist.txt \
| tee recon/ips/ptr-names.txt
Any in-scope root domains that show up here go back into scope-domains.txt, and you re-run enumeration. That’s the discovery loop closing on itself.
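As an added example (not part of the original page or of Arsenic), here is the post-processing the PTR pipeline above does with tr, sort and grep -vEf, plus the feedback step the text describes: normalise the names, drop blacklist matches, and report root domains that are not yet in scope-domains.txt. The PTR sample, the blacklist patterns and the scope list are constructed; the root-domain rule (last two labels) is a deliberate simplification that a public-suffix list would replace in real use.

```python
import re

# Constructed sample of `dnsx -ptr -resp-only` output, one name per line, mixed case
# and with a duplicate, the way raw PTR answers tend to arrive.
SAMPLE_PTR = """\
MAIL.Example.com
vpn.example.com
ec2-198-51-100-20.compute-1.amazonaws.com
host-203-0-113-5.static.isp-example.net
shop.example-store.com
vpn.example.com
"""

# Constructed blacklist in the same regex-per-line form that grep -Ef reads:
# generic cloud/ISP reverse names that never yield a customer domain.
BLACKLIST = r"""
\.amazonaws\.com$
\.static\.isp-example\.net$
"""

# Constructed current contents of scope-domains.txt.
SCOPE_ROOTS = ["example.com"]


def load_blacklist(text: str) -> list[re.Pattern]:
    """Compile one regex per non-empty line, mirroring grep -Ef blacklist.txt."""
    return [re.compile(p) for p in text.splitlines() if p.strip()]


def clean_ptr_names(text: str, patterns: list[re.Pattern]) -> list[str]:
    """Lowercase, dedupe and drop blacklisted names (the tr | sort -u | grep -vEf stage)."""
    names = {line.strip().lower() for line in text.splitlines() if line.strip()}
    return sorted(n for n in names if not any(p.search(n) for p in patterns))


def root_domain(name: str) -> str:
    """Assumption: the registrable domain is the last two labels. This is wrong for
    suffixes such as co.uk; use a public-suffix list for real engagements."""
    return ".".join(name.split(".")[-2:])


def new_root_candidates(names: list[str], scope_roots: list[str]) -> list[str]:
    """Root domains seen in PTR data that are not yet in scope-domains.txt.

    These are candidates only: each one still has to be confirmed as in scope with the
    client before it is added and enumeration is re-run."""
    return sorted({root_domain(n) for n in names} - set(scope_roots))


if __name__ == "__main__":
    cleaned = clean_ptr_names(SAMPLE_PTR, load_blacklist(BLACKLIST))
    print("ptr names:", cleaned)
    print("root candidates:", new_root_candidates(cleaned, SCOPE_ROOTS))
```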
Next: Certificate & SSL Harvesting for one more rich source of hostnames, then Host Discovery to find which IPs are alive.