dnsx

Query the A record of a (sub)domain and show [re]sponse received

$ echo [example.com] | dnsx -a [[-re|-resp]]

$ dnsx <<< [example.com] -recon [[-re|-resp]]

$ echo [example.com] | dnsx [[-re|-resp]] -[a|aaaa|cname|ns|txt|srv|ptr|mx|soa|any|axfr|caa]

$ echo [example.com] | dnsx [[-ro|-resp-only]]

$ echo [example.com] | dnsx -[debug|raw] [[-r|-resolver]] [1.1.1.1,8.8.8.8,...] -retry [number]

$ dnsx [[-d|-domain]] [FUZZ.example.com] [[-w|-wordlist]] [path/to/wordlist.txt] [[-re|-resp]]

$ dnsx [[-d|-domain]] [path/to/domain.txt] [[-w|-wordlist]] [path/to/wordlist.txt] [[-re|-resp]] [[-o|-output]] [path/to/output.txt] [[-nc|-no-color]]

$ subfinder -silent [[-d|-domain]] [example.com] | dnsx -cname [[-re|-resp]] [[-rl|-rate-limit]] [number]

dnsx [-l list] [-d domain] [-r resolvers] [-t threads] [-probe record_types] [-o output] [global flags]

-l, --list string
    File containing list of domains/subdomains to process

-d, --domain stringArray
    Comma-separated domains to query directly

-r, --resolvers stringArray
    Resolver file or comma-separated list (e.g., 8.8.8.8:53)

-resp, --resolvers-profile string
    Public resolver profile (default: fastest)

-t, --threads int
    Number of concurrent threads (default: 25)

-probe stringArray
    DNS record types to probe (a,aaaa,cname,ns,mx,txt,ptr,soa)

-probe-all
    Probe all supported record types

-a
    Resolve A records

-aaaa
    Resolve AAAA records

-cname
    Resolve CNAME records

-ns
    Resolve NS records

-mx
    Resolve MX records

-txt
    Resolve TXT records

-ptr
    Resolve PTR records

-soa
    Resolve SOA records

-rc, --recursion
    Enable recursive CNAME resolution

-depth int
    Recursion depth limit (default: 3)

-wildcard
    Manual wildcard domain for filtering

-fwf, --filter-wildcard
    Auto-detect and filter wildcard responses

-validate
    Validate responses against detected wildcard

-o, --output string
    Output file path

-json
    Output as JSON lines

-silent
    Suppress banner and only show results

-c, --clear
    Clear screen before output

-v, --verbose
    Verbose logging

-cn, --config string
    Configuration file path

-rl, --rate-limit int
    Max requests per second per resolver (default: 50000)

dnsx is a high-performance, multi-threaded DNS resolution toolkit developed by ProjectDiscovery. Designed for security researchers, bug bounty hunters, and network analysts, it excels at resolving large lists of domains/subdomains to IP addresses, detecting wildcard DNS responses, and probing various DNS record types like A, AAAA, CNAME, NS, MX, TXT, PTR, and SOA.

It supports input from files, stdin, or direct domains, with customizable resolvers from files or public profiles. Key strengths include recursion for CNAME chains, wildcard filtering/validation, and output in plain text or JSONL formats. Optimized for speed with thread control and rate-limiting avoidance, dnsx handles millions of queries efficiently.

Common use cases: subdomain enumeration validation, wildcard detection in bug bounties, and passive reconnaissance. It's part of the ProjectDiscovery suite alongside tools like nuclei and subfinder, making it ideal for automated workflows.

Not a standard Linux utility; requires Go installation or binary download from GitHub. High thread counts may overwhelm public resolvers leading to rate-limits. Wildcard detection assumes consistent server behavior. Stdin input must be one host per line.

curl -sfL https://i.projectdiscovery.io/dnsx/install.sh | sh
or go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

cat subdomains.txt | dnsx -silent -a -aaaa -cname -o resolved.txt
dnsx -l hosts.txt -r resolvers.txt -fwf -probe-all -json

Developed by ProjectDiscovery starting 2021 as open-source tool on GitHub. Evolved from needs in bug bounty automation, integrated with subfinder/nuclei. Latest v1.2+ adds enhanced recursion and resolver profiles.

dig(1), nslookup(1), host(1), massdns(1)