MassDNS Tutorial – DNS resolver for bulk lookups

MassDNS is a high-performance DNS stub resolver designed for bulk lookups and reconnaissance in penetration testing scenarios. Its capability to handle thousands of queries per second makes it an invaluable tool for security researchers and network administrators.

Features of MassDNS

  • Highly efficient handling of large volumes of DNS queries
  • Supports a wide range of DNS record types
  • Flexible output format for easy integration with other tools
  • Resilience to DNS-based rate limitations

Installation Steps

To install MassDNS, follow these steps:

1. Clone the repository from GitHub:  git clone https://github.com/blechschmidt/massdns.git  
2. Navigate to the MassDNS directory: cd massdns 
3. Compile the source code: make 

Usage Examples

Below are 20 distinct usage examples of MassDNS in various scenarios:

  1. Resolving a single domain:
    # massdns takes a file of names or reads names from stdin, so pipe the single name in
    echo example.com | ./bin/massdns -r lists/resolvers.txt -q -o S
    

    Output:

    example.com. A 93.184.216.34
    
  2. Resolving multiple domains from a file:
    ./bin/massdns -r lists/resolvers.txt -o S domains.txt
    

    Output:

    example.com. A 93.184.216.34
    example.net. A 195.20.41.179
    
  3. Querying for MX (Mail Exchange) records:
    echo example.com | ./bin/massdns -r lists/resolvers.txt -t MX -o S
    

    Output:

    example.com. MX 10 mail.example.com.
    
  4. Specifying a custom output file:
    # -o S selects the simple text format; -w names the output file
    ./bin/massdns -r lists/resolvers.txt -o S -w results.txt domains.txt
    

    Output: The output is saved to results.txt

  5. Performing a subdomain enumeration:
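    # scripts/subbrute.py (shipped in the repository) prepends each word to the domain
    ./scripts/subbrute.py subdomains.txt example.com | ./bin/massdns -r lists/resolvers.txt -q -t A -o S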
    

    Output:

    shop.example.com. A 93.184.216.45
    
  6. Resolving domains with wildcard filtering:
    ./bin/massdns -r lists/resolvers.txt -w resolved.txt --wildcard domains.txt
    

    Output: The resolved domains without wildcarded responses will be in resolved.txt

  7. Using a SOCKS5 proxy for DNS queries:
    ./bin/massdns -r lists/resolvers.txt --socks5 127.0.0.1:9050 example.com
    

    Output:

    example.com. A 93.184.216.34
    
  8. Querying for TXT records:
    echo example.com | ./bin/massdns -r lists/resolvers.txt -t TXT -o S
    

    Output:

    example.com. TXT "v=spf1 -all"
    
  9. Bruteforcing subdomains using a wordlist:
    ./scripts/subbrute.py wordlist.txt example.com | ./bin/massdns -r lists/resolvers.txt -q -t A -o S
    

    Output: Outputs the subdomains found using the given wordlist

  10. Limiting the number of concurrent lookups:
    # -s (--hashmap-size) sets how many lookups are in flight at once
    echo example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -s 100
    

    Output:

    example.com. A 93.184.216.34
    
  11. Resolving CNAME records:
    echo www.example.com | ./bin/massdns -r lists/resolvers.txt -t CNAME -o S
    

    Output:

    www.example.com. CNAME example.com.
    
  12. Reverse DNS lookup of an IP range:
    ./bin/massdns -r lists/resolvers.txt -t PTR 198.51.100.0/24
    

    Output: Outputs PTR records for the IPs within the specified range

  13. Resolving names with a custom query timeout:
    ./bin/massdns -r lists/resolvers.txt -t A -o S --timeout 3 example.com
    

    Output:

    example.com. A 93.184.216.34
    
  14. Ignoring non-responsive resolvers:
    ./bin/massdns -r lists/resolvers.txt --ignore nonresponsive.txt example.com
    

    Output:

    example.com. A 93.184.216.34
    
  15. Querying for SRV records:
    echo _sip._tcp.example.com | ./bin/massdns -r lists/resolvers.txt -t SRV -o S
    

    Output:

    _sip._tcp.example.com. SRV 0 5 5060 sipserver.example.com.
    
  16. Resolving domains to IPv6 addresses:
    echo example.com | ./bin/massdns -r lists/resolvers.txt -t AAAA -o S
    

    Output:

    example.com. AAAA 2606:2800:220:1:248:1893:25c8:1946
    
  17. Checking DNSSEC validation:
    ./bin/massdns -r lists/resolvers.txt --dnssec example.com
    

    Output: Outputs whether DNSSEC validation is in place for the domain

  18. Using a retry count for failed queries:
    # -c (--resolve-count) sets how many times a name is tried before giving up
    echo example.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -c 5
    

    Output:

    example.com. A 93.184.216.34
    
  19. Performing a zone transfer (AXFR):
    ./bin/massdns -r lists/resolvers.txt -t AXFR example.com
    

    Output: Outputs the records obtained via AXFR, if successful

  20. Discovering subdomains with a dictionary attack:
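    # --flush writes each response to the output file as soon as it arrives
    ./scripts/subbrute.py dictionary.txt example.com | ./bin/massdns -r lists/resolvers.txt -q -t A -o S --flush -w results.txt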
    

    Output: Outputs discovered subdomains using the provided dictionary file
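
Post-processing the results: as an added example (not part of MassDNS or of the original tutorial), the Python below parses the `name. TYPE data` lines shown in the outputs above and flags addresses that many names share, a common sign of wildcard DNS answers. The function names, the threshold of 3 and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the "name. TYPE data" layout of the outputs above.
SAMPLE = """\
example.com. A 93.184.216.34
example.com. MX 10 mail.example.com.
example.com. TXT "v=spf1 -all"
_sip._tcp.example.com. SRV 0 5 5060 sipserver.example.com.
www.example.com. CNAME example.com.
shop.example.com. A 93.184.216.45
zz1.example.org. A 203.0.113.9
zz2.example.org. A 203.0.113.9
zz3.example.org. A 203.0.113.9
garbage line
"""

def parse_simple(text):
    """Return (records, rejected); each record is (name, rtype, rdata)."""
    records, rejected = [], []
    for line in text.splitlines():
        # Split only twice: TXT, MX and SRV data contain spaces.
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0].endswith("."):
            records.append((parts[0].lower(), parts[1].upper(), parts[2]))
        elif line.strip():
            rejected.append(line)   # keep malformed lines for review
    return records, rejected

def wildcard_suspects(records, threshold=3):
    """Map each A/AAAA address shared by >= threshold names to those names.

    Heuristic assumed by this example: a wildcard zone answers every guessed
    label with the same address, so such names need a manual check.
    """
    by_addr = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            by_addr[rdata].add(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) >= threshold}

def drop_suspects(records, suspects):
    """Remove every record whose owner name was flagged."""
    flagged = {n for names in suspects.values() for n in names}
    return [r for r in records if r[0] not in flagged]

if __name__ == "__main__":
    recs, bad = parse_simple(SAMPLE)
    sus = wildcard_suspects(recs)
    print(sus, len(drop_suspects(recs, sus)), bad)
```

Shared hosting and CDNs also put many real names behind one address, so treat a flagged address as a prompt for a manual check, not as proof of a wildcard.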

Conclusive Summary

MassDNS is a versatile DNS resolution tool that provides vast capabilities for handling DNS queries at scale. With the ability to process large lists of domains rapidly and support diverse DNS record types, it’s an essential tool for network reconnaissance and security research. This tutorial presented the core features of MassDNS, installation steps, and a series of examples to showcase its flexibility and power. Whether you’re performing targeted lookups or extensive subdomain enumeration, MassDNS can be tailored to fit your needs and enhance your workflow.