Docs · Tools
DNS / Subdomain Recon
This tool maps the public surface of a domain by discovering its subdomains and resolving them to addresses. It is pure Python, so there is nothing to install — it just works.
- Category
- Recon & Scan
- Powered by
pure Python (sockets)- Edition
- Free
- Where
- Desktop → DNS Recon tab
What it does
Attackers map your subdomains first; this lets you do it before they do. It tries a built-in list of ~60 common prefixes (and any wordlist you add), resolves each name, and reports the live subdomains with their IP addresses — revealing forgotten dev, staging, or admin hosts.
How to use it
1
Enter a domain
Type the root domain, e.g.
example.com.2
Optionally add a wordlist
Use the built-in prefixes, or point to a larger wordlist (see the Wordlist Manager) for deeper coverage.
3
Run
Click Enumerate. Resolved subdomains stream in with their addresses.
Options
- Built-in prefixes — ~60 of the most common subdomain names, on by default.
- Custom wordlist — a larger list for thorough enumeration.
What you get
A list of subdomain → IP for every name that resolves. Feed the discovered hosts into the Port Scanner, SSL Auditor, or Vulnerability Scanner to assess each one.
Tips
- Because it is pure Python, there is no dependency to install — it runs anywhere.
- Pair it with the Wordlist Manager to widen coverage when the defaults come up short.
- Forgotten staging/admin subdomains are a classic breach vector — re-run it periodically.
Authorized use only. Only enumerate domains you own or are permitted to assess. Inputs are sanitized before use.