Introduction:
DNS reconnaissance is the cornerstone of modern bug bounty hunting and penetration testing. Security professionals routinely brute-force millions of subdomains using tools like massdns, only to find their results polluted by wildcard responses and DNS poisoning. The core challenge isn’t resolving queries—it’s knowing which answers you can actually trust. PureDNS addresses this exact problem by combining massdns’s raw speed with an intelligent wildcard detection algorithm and trusted resolver validation, transforming a noisy data stream into actionable intelligence.
Learning Objectives:
- Understand how wildcard DNS entries and DNS poisoning contaminate reconnaissance results and compromise security assessments.
- Master the installation and configuration of PureDNS alongside massdns and public resolver lists.
- Learn to execute subdomain bruteforce attacks and resolve domain lists with wildcard filtering.
- Detect dangling CNAME records that present subdomain takeover opportunities.
- Integrate PureDNS into automated reconnaissance pipelines for continuous monitoring.
You Should Know:
1. Understanding the DNS Reconnaissance Pollution Problem
DNS reconnaissance is like trawling with a net—you pull up everything, but most of what you catch is garbage. When you brute-force subdomains using a wordlist and massdns, you can resolve millions of queries in minutes. The problem is that the results are only as good as the answers provided by public resolvers. Two primary types of pollution plague every recon engagement:
- Wildcard DNS Records: Many domains are configured with wildcard A or CNAME records that respond with an IP address for any subdomain queried. Ask for nonexistent.example.com, and the DNS server cheerfully returns an answer. This creates thousands of false-positive “ghost” subdomains that waste your time and skew your attack surface analysis.
- DNS Poisoning / Spoofing: Public DNS resolvers can return forged or incorrect answers. Attackers and even misconfigured resolvers can inject false responses, leading you to believe a subdomain exists when it does not.
PureDNS solves this with an intelligent wildcard detection algorithm that uses the minimal number of queries to identify wildcard roots while circumventing DNS load-balancing mechanisms that would otherwise skew detection. It then validates surviving results against trusted resolvers like `8.8.8.8` and `8.8.4.4` to eliminate DNS poisoning.
2. Installing PureDNS and Prerequisites
Before using PureDNS, you must install massdns and obtain a list of public DNS resolvers.
Step-by-Step Installation Guide (Linux/Debian-based systems):
Step 1: Install massdns
git clone https://github.com/blechschmidt/massdns.git
cd massdns
make
sudo make install
This compiles massdns and copies the binary to /usr/local/bin.
Step 2: Verify massdns installation
massdns --version
Step 3: Install PureDNS
For Go 1.17 and later:
go install github.com/d3mondev/puredns/v2@latest
For older Go versions (1.15, 1.16):
GO111MODULE=on go get github.com/d3mondev/puredns/v2
Step 4: Obtain a list of public resolvers
PureDNS requires a file containing public DNS resolver IP addresses. You can curate your own list or use community-maintained lists:
curl -o resolvers.txt https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt
Step 5: Verify installation
puredns --version
3. Basic PureDNS Usage: Resolving and Bruteforcing
PureDNS operates in two primary modes: `resolve` and `bruteforce`.
Resolving a List of Domains
If you already have a list of domain names and want to resolve them while filtering wildcards and poisoned entries:
puredns resolve domains.txt --resolvers resolvers.txt
Bruteforcing Subdomains
To brute-force subdomains using a wordlist against a root domain:
puredns bruteforce wordlist.txt example.com --resolvers resolvers.txt
Using stdin for Pipeline Integration
PureDNS reads from stdin for seamless automation:
cat subdomains.txt | puredns resolve --resolvers resolvers.txt
Quiet Mode for Scripting
Add `-q` or `--quiet` to suppress the banner and non-essential output:
puredns resolve domains.txt --resolvers resolvers.txt -q
4. Advanced Wildcard Detection and CNAME Tracking
The most sophisticated feature of PureDNS is its handling of CNAME records. When a subdomain does not resolve to an IP address, PureDNS does not simply discard it. Instead, it examines the CNAME record. A CNAME pointing to an expired or unclaimed domain represents a dangling DNS record—a prime opportunity for subdomain takeover.
How Wildcard Detection Works:
- PureDNS performs an initial massdns scan against public resolvers.
- It identifies potential wildcard patterns by comparing responses.
- It validates wildcard roots using trusted resolvers (8.8.8.8, 8.8.4.4) to confirm.
- It filters out false positives while retaining genuine subdomains.
- CNAME-only responses are preserved as potential takeover candidates.
Detecting Subdomain Takeover Candidates
To identify dangling CNAME records that could lead to subdomain takeover:
puredns resolve domains.txt --resolvers resolvers.txt -o clean.txt
Then, review the output for entries with CNAME records pointing to external services (AWS S3, Azure, GitHub Pages, etc.) and verify if the target resource is still claimed.
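As an added example (not part of the original post or the PureDNS project), the shell helper below triages massdns-style records for dangling CNAMEs: a name whose CNAME chain ends at a target with no A or AAAA record in the result set is flagged so the DNS owner can verify it and either re-point or delete the record. It assumes massdns's simple output format (`name. TYPE value`, one record per line, as produced by `massdns -o S`) on stdin; the sample records are constructed.

```shell
#!/bin/sh
# Added example: flag dangling CNAME candidates in massdns simple output
# ("name. TYPE value" per line, read from stdin). A CNAME whose final
# target has no A/AAAA record anywhere in the set is printed for review.

# Constructed sample records (not real scan output).
SAMPLE_RECORDS='www.example.com. CNAME example.github.io.
example.github.io. A 185.199.108.153
shop.example.com. CNAME shop-prod.example.com.
shop-prod.example.com. A 203.0.113.10
old-blog.example.com. CNAME old-blog-bucket.s3.amazonaws.com.
api.example.com. A 203.0.113.20
ipv6.example.com. CNAME v6.example.com.
v6.example.com. AAAA 2001:db8::1'

# dangling_cnames: reads records on stdin, prints "name -> target" for
# every CNAME whose chain does not end at an A/AAAA record.
dangling_cnames() {
    awk '
        # normalise: lowercase and strip the trailing dot so lookups match
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        $2 == "CNAME"               { cname[norm($1)] = norm($3) }
        $2 == "A" || $2 == "AAAA"   { resolved[norm($1)] = 1 }
        END {
            for (name in cname) {
                target = cname[name]
                # follow CNAME chains; the hop bound guards against loops
                for (hops = 0; hops < 8 && (target in cname); hops++)
                    target = cname[target]
                if (!(target in resolved))
                    printf "%s -> %s\n", name, target
            }
        }
    ' | sort
}

# Self-check on the constructed sample; in practice pipe real massdns
# output into dangling_cnames instead.
printf '%s\n' "$SAMPLE_RECORDS" | dangling_cnames
```

Each flagged target still has to be checked by hand against the hosting provider (S3, Azure, GitHub Pages, etc.) to confirm whether the resource is unclaimed; the script only narrows the list to records worth that effort.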
5. Integrating PureDNS into Automated Reconnaissance Pipelines
PureDNS is designed for automation. Its quiet mode and stdin/stdout support make it an ideal component in larger reconnaissance workflows.
Example Pipeline:
# Generate subdomain permutations, resolve with PureDNS, and feed to httpx
cat subdomains.txt | puredns resolve --resolvers resolvers.txt -q | httpx -silent -o live.txt
Continuous Monitoring Script
#!/bin/bash
# monitor.sh - Continuous subdomain discovery and validation
DOMAIN="example.com"
WORDLIST="subdomains.txt"
RESOLVERS="resolvers.txt"
OUTPUT_DIR="./recon"

# Create the output directory once so the redirect below cannot fail
mkdir -p "$OUTPUT_DIR"

while true; do
  puredns bruteforce "$WORDLIST" "$DOMAIN" --resolvers "$RESOLVERS" -q > "$OUTPUT_DIR/$(date +%Y%m%d_%H%M%S).txt"
  sleep 86400  # Run daily
done
6. Performance Tuning and Rate Limiting
PureDNS allows fine-grained control over request rates to avoid overwhelming DNS servers or triggering rate-limiting protections.
Key Flags:
- --rate-limit: Limit queries per second to public resolvers.
- --rate-limit-trusted: Limit queries per second to trusted resolvers (default 500 qps).
- --wildcard-threads: Number of threads used for wildcard detection (default 100).
- --wildcard-tests: Number of test queries per wildcard root (default 3).
Example with Rate Limiting:
puredns bruteforce wordlist.txt example.com --resolvers resolvers.txt --rate-limit 1000 --rate-limit-trusted 200
7. Windows Installation and Usage
While PureDNS is primarily a Linux/Go tool, it can be used on Windows via WSL2 or by compiling from source.
Option 1: Using WSL2 (Recommended)
1. Install WSL2 and a Linux distribution (Ubuntu).
2. Follow the Linux installation steps above.
3. Run PureDNS from the WSL terminal.
Option 2: Compiling on Windows
1. Install Go for Windows from https://golang.org/dl/.
2. Install massdns (requires Cygwin or similar for compilation, or use a pre-built binary).
3. Install PureDNS:
go install github.com/d3mondev/puredns/v2@latest
4. Run from Command Prompt or PowerShell:
puredns.exe resolve domains.txt --resolvers resolvers.txt
What Undercode Say:
- “The quantity of subdomains you discover is worthless without precision. A good DNS recon tool isn’t the one that finds the most—it’s the one you can trust.”
- “PureDNS transforms non-responses into attack vectors by preserving CNAME records that point to expired domains, turning a dead end into a subdomain takeover opportunity.”
The genius of PureDNS lies in its philosophical approach to reconnaissance: quality over quantity. In an era where bug bounty hunters and red teams are drowning in data, the ability to filter noise and surface actionable intelligence is the true differentiator. The tool’s CNAME preservation feature is particularly noteworthy—it demonstrates an understanding that DNS recon isn’t just about finding live hosts; it’s about understanding the entire DNS ecosystem, including the vulnerabilities created by forgotten records. By integrating massdns’s raw horsepower with intelligent filtering and trusted validation, PureDNS bridges the gap between speed and accuracy that has plagued DNS reconnaissance for years.
Prediction:
- +1 PureDNS will become a standard component in every serious bug bounty hunter’s toolkit, joining the ranks of subfinder, amass, and httpx as an industry essential.
- +1 The tool’s CNAME takeover detection capability will lead to a significant increase in reported subdomain takeover vulnerabilities, as security researchers can now systematically identify dangling records at scale.
- -1 As PureDNS gains popularity, organizations will be forced to audit their DNS configurations more rigorously, potentially reducing the number of easily exploitable misconfigurations.
- -1 The increased efficiency of DNS reconnaissance may lead to saturation in the bug bounty market, as more hunters compete for the same vulnerabilities discovered through automated pipelines.
- +1 PureDNS’s open-source nature and active development community will drive continuous improvements, including potential integration with cloud provider APIs for automated takeover verification.
- -1 Attackers will also leverage PureDNS to enhance their reconnaissance capabilities, potentially lowering the barrier to entry for malicious actors seeking to identify vulnerable subdomains.
- +1 The shift toward “trust but verify” DNS recon will raise the overall security posture of the internet, as organizations are forced to eliminate wildcard configurations and properly manage their DNS records.
Project URL: https://github.com/wargg/puredns
Reported By: Laurent Biagiotti – Hackers Feeds