DNS Dumpster
Discover subdomains, DNS records, and hosts for any domain using Certificate Transparency logs and DNS enumeration.
Performing DNS reconnaissance...
Querying Certificate Transparency logs
Hosting / Networks
| Host | IP | Reverse DNS | ASN | Country |
|---|
| Priority | Mail Server |
|---|
| Name Server |
|---|
Export Results
What is DNS Reconnaissance?
DNS reconnaissance (or DNS enumeration) is the process of collecting all publicly available DNS information about a domain — subdomains, mail servers, nameservers, IP addresses, and associated services. It is a standard first step in security assessments, penetration tests, and infrastructure mapping because DNS records are public by design and reveal significant information about an organization's infrastructure.
Unlike port scanning or active probing, DNS enumeration is passive — it queries public DNS infrastructure and doesn't directly touch the target's systems. All information returned by this tool is publicly available in the global DNS.
How to Use This Tool
- Enter a root domain (e.g.,
example.com) — no subdomain prefix. - Click Enumerate to start the discovery process.
- Results show discovered subdomains, their IP addresses, and associated services.
- Use the results to map out the organization's public-facing infrastructure.
What DNS Dumpster Reveals
- Subdomains — dev, staging, api, mail, vpn, admin subdomains that might expose less-hardened infrastructure
- Mail infrastructure — MX records reveal the email provider and associated SPF/DKIM configuration
- IP address ranges — Multiple subdomains may resolve to IP ranges that indicate hosting providers or data centers
- Hosting providers — IP blocks reveal whether the organization uses AWS, Cloudflare, Azure, or on-premises infrastructure
- Technology stack hints — Subdomains like
jenkins.example.comorgrafana.example.comreveal internal tooling exposed to the internet
Legitimate Use Cases
- Penetration testing and authorized security assessments
- Mapping your own organization's public attack surface
- Competitive research (public information only)
- Bug bounty reconnaissance
- Verifying DNS configuration after migrations
Frequently Asked Questions
Querying public DNS records is legal — DNS is a public system by design. However, using this information to attack systems without authorization is illegal under computer fraud laws in most jurisdictions (CFAA in the US, Computer Misuse Act in the UK, etc.). DNS Dumpster is a research and reconnaissance tool. Always ensure you have explicit authorization before conducting any security testing against systems you don't own.
Several techniques are combined: (1) DNS brute force — testing common subdomain names against the domain's nameservers; (2) Certificate Transparency logs — SSL certificates must be logged publicly and often include subdomains; (3) Search engine dorking — searching for subdomains indexed by Google; (4) DNS zone transfers — if the target's nameserver is misconfigured, it may return all zone records at once (increasingly rare). CT logs are particularly powerful as they're comprehensive and passive.
A zone transfer (AXFR) is a DNS operation that replicates all records from a primary nameserver to secondary nameservers. Misconfigured nameservers allow any host to request a zone transfer, exposing the complete DNS record set. Prevent this by restricting AXFR requests to your secondary nameserver IPs only: in BIND, use
allow-transfer { secondaryIP; }; in your zone configuration. Test your nameservers with dig axfr yourdomain.com @yourns1.com.Key measures: (1) Remove DNS records for decommissioned services immediately — dangling DNS entries are a common hijacking vector; (2) Avoid descriptive subdomain names that hint at technology (prefer
ci.example.com over jenkins.example.com); (3) Put internal services behind VPN instead of exposing them publicly; (4) Enable CAA records to restrict certificate issuance; (5) Regularly audit your own external DNS footprint using tools like this one.A dangling DNS record points to a resource that no longer exists — for example, a CNAME pointing to a deprovisioned cloud service hostname. Attackers can register that hostname on the same cloud provider and take over the subdomain, serving malicious content under your domain. This is called subdomain takeover. Regularly audit DNS records and delete entries for decommissioned services. Tools like subjack and nuclei have templates specifically for subdomain takeover detection.