CheckDNS automates processing subdomain records, with an eye on subdomain takeover. Given input subdomains, CheckDNS filters subdomains that are live according to public DNS resolvers and outputs any A or CNAME records. Sifting through the A records may yield additional in-scope hosts for a penetration test, while CNAME records and their corresponding destination addresses can be quickly reviewed for potential subdomain takeovers.
Process subdomains from a file:
python checkdns.py -i subdomains.txt
Process subdomains and save the results to a file:
python checkdns.py -i subdomains.txt -o output.txt
The input file should contain subdomains, one per line. The subdomains should be in FQDN format. For example:
subdomain.example.com
mail.example.com
someservice.example.com
If the parent domain is not present (the file contains only hostnames or subdomain names), the -d option can be used to append the domain after each subdomain. For example, with input like...
subdomain
someservice
...you can run: python checkdns.py -i subdomains.txt -d example.com
As a side note, using this method CheckDNS can brute force or enumerate potential subdomain names. However, it is not designed to do this - it's a processing tool for when you have a list of discovered subdomains and want to know more details for each subdomain.
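To make the A and CNAME review described at the top concrete, here is an added example (not CheckDNS code, and using only the standard library rather than dnslib) that parses a raw DNS response and lists CNAME targets the resolver could not resolve. A recursive resolver answers NXDOMAIN for a CNAME whose target does not exist while still returning the CNAME record, so a liveness check based on the rcode alone would hide it. The function names and the sample packet are constructed for illustration.

```python
import struct

def read_name(pkt, off):
    """Decode the DNS name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:                     # refuse pointer loops
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def parse_answers(pkt):
    """Return (rcode, [(owner, rtype, value)]) for A and CNAME answers."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        off = read_name(pkt, off)[1] + 4      # name + qtype + qclass
    out = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append((owner, "A", ".".join(map(str, pkt[off:off + 4]))))
        elif rtype == 5:
            out.append((owner, "CNAME", read_name(pkt, off)[0]))
        off += rdlen
    return flags & 0xF, out

def unresolved_cnames(pkt):
    """CNAME targets in a response whose final rcode is NXDOMAIN (3)."""
    rcode, answers = parse_answers(pkt)
    return [(o, v) for o, t, v in answers if t == "CNAME"] if rcode == 3 else []

def wire(name):                               # helper to build the sample
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

# Constructed sample: shop.example.com is a CNAME to a name that does not exist.
_target = wire("shop.vendor.example")
SAMPLE = (struct.pack("!6H", 0x1234, 0x8183, 1, 1, 0, 0)   # flags: response, NXDOMAIN
          + wire("shop.example.com") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(_target)) + _target)
```

Calling unresolved_cnames(SAMPLE) returns the owner and target of the dangling record, which is the pair to check against the zone's intended configuration.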
CheckDNS is licensed under the GNU GPL license, which can be found here.
Please respect legal restrictions and conduct testing only against infrastructure which you have permission to target.
CheckDNS uses the dnslib library - make sure you have it installed on your system before use. It can be downloaded here or installed on many systems using:
pip install dnslib
Version 1.2 2/17/18