DNS Resolution

Resolve enumerated names to IPs at scale, separate live from dead, and turn resolved addresses into IP scope.

Enumeration gives you a list of candidate names. Most engagements need to know which ones actually resolve, what they resolve to, and which IPs that adds to scope. It’s a mass-resolution problem — you can easily end up with tens of thousands of candidate names.

Mass resolution with dnsx

Arsenic originally used fast-resolv for this. These days I use dnsx (ProjectDiscovery) — it resolves huge lists quickly against a pool of resolvers and it’s actively maintained.

# Resolve every discovered subdomain; keep only those that answer, with their A records
dnsx -l recon/domains/example.com/subdomains.txt \
     -a -resp \
     -silent \
     -o recon/domains/example.com/resolved.txt

Use a curated resolver list to avoid poisoned or rate-limited public resolvers — dnsvalidator builds one:

dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt
dnsx -l subdomains.txt -r resolvers.txt -a -resp -silent -o resolved.txt

Watch out for wildcard DNS. Some domains resolve everything to one IP (*.example.com → 203.0.113.9). dnsx has -wd example.com for wildcard filtering; puredns handles it automatically. Without it, your “resolved” list is mostly garbage.

Extract IPs into scope

Every resolved address that falls inside your authorized ranges becomes part of the IP scope for the recon phase:

# Pull the unique IPs out of the resolved output
grep -oE '\[([0-9]{1,3}\.){3}[0-9]{1,3}\]' recon/domains/*/resolved.txt \
  | tr -d '[]' | sort -u \
  | tee recon/ips/from-domains.txt

# Merge with the seed IP scope (this only dedupes; filtering to authorized ranges is a separate step)
cat scope-ips.txt recon/ips/from-domains.txt | sort -u > recon/ips/scope-combined.txt
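As an added example (not from the original page or the dnsx project), the following Python script does the authorized-range filtering the comment above describes and also flags IPs that a large share of names resolve to, the wildcard symptom mentioned earlier. The dnsx output lines and the CIDR ranges are constructed placeholders; the 25% wildcard threshold is an assumption to tune per engagement.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `dnsx -a -resp` output. Both line shapes seen in
# practice are included: "host [ip]" and the record-type-tagged "host [A] [ip]".
SAMPLE_RESOLVED = """\
www.example.com [203.0.113.10]
api.example.com [A] [203.0.113.11]
mail.example.com [A] [198.51.100.5]
cdn.example.com [192.0.2.44]
dead.example.com [203.0.113.9]
x1.example.com [203.0.113.9]
x2.example.com [203.0.113.9]
x3.example.com [203.0.113.9]
"""

# Authorized ranges from the engagement scope (constructed placeholder values).
AUTHORIZED = ["203.0.113.0/24", "198.51.100.0/24"]

# Matches a bracketed IPv4 address; "[A]" record tags do not match.
IP_RE = re.compile(r"\[((?:\d{1,3}\.){3}\d{1,3})\]")


def parse_resolved(text):
    """Return (hostname, ip) pairs from dnsx -a -resp output."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host = line.split()[0].lower()
        for ip in IP_RE.findall(line):
            pairs.append((host, ip))
    return pairs


def in_scope_ips(pairs, authorized):
    """Unique resolved IPs that fall inside one of the authorized CIDRs."""
    nets = [ipaddress.ip_network(c) for c in authorized]
    keep = {ip for _, ip in pairs if any(ipaddress.ip_address(ip) in n for n in nets)}
    return sorted(keep, key=ipaddress.ip_address)


def wildcard_suspects(pairs, threshold=0.25):
    """IPs that at least `threshold` of all names resolve to: likely wildcard catch-alls."""
    counts = Counter(ip for _, ip in pairs)
    total = len({host for host, _ in pairs})
    return sorted(ip for ip, n in counts.items() if n / total >= threshold)
```

Run it over `recon/domains/*/resolved.txt` instead of the sample and review the wildcard suspects by hand before trusting the names behind them.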

Reverse DNS (the other direction)

You also want to resolve IPs back to names — PTR records often reveal hostnames (and therefore new domains) you’d never have guessed:

dnsx -l recon/ips/scope-combined.txt -ptr -resp-only -silent \
  | tr 'A-Z' 'a-z' | sort -u \
  | grep -vEf blacklist.txt \
  | tee recon/ips/ptr-names.txt

Any in-scope root domains that show up here go back into scope-domains.txt, and you re-run enumeration. That’s the discovery loop closing on itself.

Next: Certificate & SSL Harvesting for one more rich source of hostnames, then Host Discovery to find which IPs are alive.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)