DNSTwist User Guide
DNSTwist is a tool used to detect domain variants and potential phishing attacks. It identifies potentially malicious activity, such as domain squatting through typos (typosquatting), homoglyph attacks, and bit flipping (bitsquatting), by generating multiple domain variants and performing DNS queries.
1. Install DNSTwist
1.1 Installation on Linux
sudo apt update && sudo apt install dnstwist -y
If the official repository does not provide the package, you can install it with pip:
pip install dnstwist
1.2 Installation on macOS
brew install dnstwist
1.3 Installation on Windows
Install Python (Python 3.6 or above is recommended).
Install with pip:
pip install dnstwist
Ensure the dnstwist command is available by running:
dnstwist -h
2. Generate Domain Variants
DNSTwist can generate domain variants based on different strategies, for example:
Keyboard Typo (Typosquatting): A typing error that hits an adjacent key on the keyboard.
Character Substitution (Homoglyph Attack): Replace a character with a visually similar one, such as о (Cyrillic o) in place of o.
Bit Swapping (Bitsquatting): Change a single bit of a character in the domain name.
Insertion/Omission of Characters: Insert or delete a character in the domain name.
Subdomain Mutation: Generate subdomain variants, such as secure.example.com.
dnstwist example.com
Example Output:
Typo | Domain Name | DNS A Record
----------------------------------------------
Insertion | examp1e.com | 93.184.216.34
Omission | exampe.com | 192.0.2.1
...
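The sketch below is an added example, not code from DNSTwist or from this guide: it implements simplified versions of four of the strategies listed above, so the rows in the output can be related to how each variant is derived. The function names and the small homoglyph table are assumptions made for illustration.

```python
# Added example: simplified versions of four strategies from section 2.
# Function names and the homoglyph table are illustrative assumptions.
import string

HOST_CHARS = set(string.ascii_lowercase + string.digits + "-")
# Constructed, deliberately tiny look-alike table (Cyrillic o, e, a included).
HOMOGLYPHS = {"o": ["0", "\u043e"], "l": ["1", "i"], "e": ["\u0435"], "a": ["\u0430"]}

def bitsquatting(label):
    """Flip each of the 8 bits of every character; keep valid hostname characters."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in HOST_CHARS:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def omission(label):
    """Delete one character at a time."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def insertion(label):
    """Insert one letter or digit between two existing characters."""
    chars = string.ascii_lowercase + string.digits
    return {label[:i] + c + label[i:] for i in range(1, len(label)) for c in chars}

def homoglyph(label):
    """Swap one character for a look-alike; non-ASCII results become punycode."""
    out = set()
    for i, ch in enumerate(label):
        for g in HOMOGLYPHS.get(ch, []):
            out.add((label[:i] + g + label[i + 1:]).encode("idna").decode("ascii"))
    return out

def variants(domain):
    """Return {strategy: sorted variant domains} for a 'label.tld' domain."""
    label, _, tld = domain.lower().partition(".")
    result = {}
    for fn in (bitsquatting, omission, insertion, homoglyph):
        ok = {v for v in fn(label)
              if v and v != label and not v.startswith("-") and not v.endswith("-")}
        result[fn.__name__] = sorted(f"{v}.{tld}" for v in ok)
    return result

if __name__ == "__main__":
    for strategy, names in variants("example.com").items():
        print(f"{strategy:13} {len(names):4}  e.g. {names[:3]}")
```

Homoglyph variants that contain non-ASCII characters appear in their xn-- (punycode) form, which is the form that shows up in DNS logs and certificate transparency data.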
3. Perform DNS resolution and IP attribution query
DNS resolution can be enabled to check whether a variant domain name has been registered:
dnstwist -r example.com
Adding the -g parameter can also check WHOIS information to obtain registrar information.
4. Resolve All DNS Records
The -a option is used to query all types of DNS records, such as A records, MX records, NS records, etc.
dnstwist -a example.com
Function:
A Record: Resolve the IPv4 address corresponding to the domain.
AAAA Record: Resolve the IPv6 address.
MX Record: Retrieve mail server information.
NS Record: Retrieve the authoritative DNS server of the domain.
TXT Record: Retrieve the TXT record of the domain (commonly used for SPF, DKIM, DMARC).
5. Combine with VirusTotal for Malware Detection
DNSTwist can use the VirusTotal API to check if a domain is involved in malicious activities.
5.1 Configure VirusTotal API Key
You need to register for a VirusTotal account and obtain an API Key first, then set the environment variable:
export VT_API_KEY="your_api_key_here"
5.2 Perform Check
dnstwist --virustotal example.com
6. Combine URL Parsing for Web Fingerprint Identification
DNSTwist can scan variant domain names to see if they point to a specific website and obtain the website's fingerprint.
dnstwist --ssdeep example.com
To scan web content and check if it is similar to the original site:
dnstwist --ssdeep --mx example.com
7. Export Results
DNSTwist supports saving results in CSV or JSON format. The -f option selects the output format and -o the file to write.
Export as CSV:
dnstwist -r -f csv -o result.csv example.com
Export as JSON:
dnstwist -r -f json -o result.json example.com
8. Disclaimer
This article is solely for technical research and network security learning purposes, aiming to help users enhance their awareness of security and prevent potential network threats. All content is based on a legal and compliant testing environment, and any organization or individual shall not use it for illegal purposes. The author of this article shall not be held responsible for any direct or indirect consequences arising from the use of this tool.