DNS enumeration toolkit for discovering all public domains, subdomains and their IP addresses. Built for compliance audits and asset inventory.
Takes a domain and resolves all DNS records (A, AAAA, CNAME, MX, TXT, NS) for the base domain and discovered subdomains.
Discovery methods (standalone mode):
- Zone Transfer (AXFR) - attempts full zone transfer from all nameservers
- Certificate Transparency Logs (crt.sh) - finds domains from issued SSL certificates
- Subdomain Brute-Force - tests ~100 common subdomain names
When used with -w and FQDNs (e.g. from subdiscover.sh), zone transfer and CT lookups are skipped to avoid redundant work. The wordlist entries are resolved directly.
# Basic usage (standalone with built-in discovery)
./domainips.sh -d example.com
# Export as CSV
./domainips.sh -d example.com -o reports/example.com.csv
# Use a wordlist from subdiscover.sh (skips discovery, resolves directly)
./domainips.sh -d example.com -w subs/example.com.txt
# Use plain subdomain prefixes as wordlist (brute-force mode)
./domainips.sh -d example.com -w my-prefixes.txt
# Skip CT log lookup (faster)
./domainips.sh -d example.com -s
# Quiet mode (results only)
./domainips.sh -d example.com -qOptions:
| Flag | Description |
|---|---|
-d <domain> |
Target domain (required) |
-o <file> |
Output results to CSV file |
-w <wordlist> |
Subdomain wordlist - accepts FQDNs or plain prefixes (one per line) |
-s |
Skip Certificate Transparency lookup |
-q |
Quiet mode (less verbose output) |
-h |
Show help |
Discovers unknown subdomains from multiple public OSINT sources. No API keys required. Output is compatible with domainips.sh -w.
Sources:
| Source | Description |
|---|---|
| crt.sh | Domains from SSL certificates (Certificate Transparency) |
| AlienVault OTX | Passive DNS from threat intelligence |
| HackerTarget | DNS lookup database |
| RapidDNS | Passive DNS collection |
| Wayback Machine | Historical URLs from the web archive |
| urlscan.io | Domains from website scans |
| ThreatMiner | Threat intelligence database |
# Discover subdomains and save to file
./subdiscover.sh -d example.com -o subs/example.com.txt
# Print to stdout
./subdiscover.sh -d example.comOptions:
| Flag | Description |
|---|---|
-d <domain> |
Target domain (required) |
-o <file> |
Output file (default: stdout) |
-q |
Quiet mode (no progress output) |
-h |
Show help |
Combine both tools for a comprehensive compliance report:
mkdir -p subs reports
# Step 1: Discover all subdomains from OSINT sources
./subdiscover.sh -d company.com -o subs/company.com.txt
# Step 2: Resolve DNS records for all discovered subdomains
./domainips.sh -d company.com -w subs/company.com.txt -o reports/company.com.csvTerminal - formatted table with live progress:
[*] Resolving 3/22: api.example.com
DOMAIN TYPE VALUE
-------------------------------------------------- -------- ----------------------------------------
example.com A 104.18.26.120
example.com AAAA 2606:4700::6812:1a78
example.com MX 0 .
example.com NS hera.ns.cloudflare.com.
example.com TXT "v=spf1 -all"
www.example.com A 104.18.26.120
CSV (-o) - importable into Excel/Sheets:
Domain,Record Type,Value
example.com,A,104.18.26.120
example.com,AAAA,2606:4700::6812:1a78
www.example.com,A,104.18.26.120- Bash 3.2+ (macOS default)
dig,curl,jq