
SubBrute: How DNS Enumeration Tools Use Open Resolvers as a Distributed Proxy Network


Hook

In 2014, SubBrute discovered that the fastest way to brute-force DNS records wasn't to upgrade your infrastructure—it was to borrow everyone else's. By routing queries through 2,000+ open resolvers, it turned the internet's misconfigured nameservers into an unwitting distributed reconnaissance platform.

Context

Before tools like SubBrute emerged, DNS enumeration was a game of patience and frustration. Security researchers and penetration testers needed to map an organization's attack surface by discovering subdomains—dev.company.com, staging.company.com, vpn.company.com—but DNS servers actively worked against them. Query too fast, and you'd hit rate limits. Query from a single IP, and you'd get blocked entirely. Zone transfers were almost always disabled. The traditional approach meant slow, sequential queries from your IP address, taking hours or days to enumerate large domains.

SubBrute, released by TheRook in 2014, flipped this model on its head with a deceptively simple insight: what if you didn't query the target's nameservers directly? What if you distributed your queries across thousands of public DNS resolvers scattered worldwide? Each resolver would cache misses, handle a tiny fraction of total queries, and present a different source IP to the target. This architecture simultaneously solved the rate-limiting problem, provided operational anonymity, and dramatically increased enumeration speed. It represented a shift from brute-force computing power to leveraging existing internet infrastructure—a pattern that would later appear in modern cloud-native security tools.

Technical Insight

System architecture (auto-generated diagram): Wordlist + Target Domain -> Multithreaded Workers -> Query Distribution (round-robin rotation over the Public DNS Resolver Pool, 2000+ servers) -> raw responses -> Filtering Pipeline (Wildcard Detection, Geolocation Filters) -> validated records -> Discovered Subdomains -> Recursive Crawler, which feeds new candidates back into the wordlist.

SubBrute's core innovation lies in its resolver rotation strategy combined with intelligent result filtering. The tool ships with resolvers.txt containing over 2,000 verified public DNS resolvers. Rather than hammering a target's authoritative nameservers directly, SubBrute distributes queries across this pool. Each subdomain guess (from its 101,010-entry wordlist) gets sent to a different resolver in round-robin fashion. From the target's perspective, they're receiving queries from thousands of legitimate DNS servers worldwide rather than a single scanning host.

The basic usage is straightforward, but the implications are clever:

import subbrute

# Basic enumeration: run() yields results as they come back from the resolver pool
target = "example.com"
results = subbrute.run(target)

for subdomain in results:
    print("Discovered: %s" % subdomain)   # %-formatting runs on both 2.7 and 3

# With custom wordlist, record type and resolver list.
# Keyword names follow subbrute.py's run() signature: the wordlist argument
# is called `subdomains`, matching the CLI's -s/--subs option.
results = subbrute.run(
    target,
    subdomains="custom_names.txt",
    record_type="CNAME",
    resolvers="verified_resolvers.txt"
)

Under the hood, SubBrute implements multithreaded workers that maintain a queue of resolver/subdomain pairs. Each thread picks a resolver, constructs a query for a candidate subdomain, and processes the response. The threading model isn't particularly sophisticated by modern standards—it uses Python's threading module rather than async/await—but in 2014, this approach effectively parallelized I/O-bound DNS queries.

The more sophisticated piece is wildcard detection. Many domains configure catch-all DNS records that resolve every possible subdomain to the same IP (often for SEO or email purposes). Without filtering, these wildcards would generate thousands of false positives. SubBrute addresses this by querying several random, non-existent subdomains first. If they resolve, the returned addresses are recorded as the wildcard set, and any candidate that resolves only to addresses in that set is dropped. The tool goes further with geolocation-aware detection: it recognizes that some DNS providers return different wildcard IPs depending on the resolver's geographic location, so it probes through resolvers in multiple regions and merges what they return.
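The filter described above, as an added example rather than SubBrute's own code. The lookup function, the resolver addresses and the zone contents are constructed for the demonstration; a real implementation would replace fake_lookup with a dnspython query. It shows the two details that matter in practice: the wildcard set must be the union over resolvers when the catch-all answer varies by region, and a real host whose only address is the wildcard target cannot be told apart from noise.

```python
import random
import string
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

Lookup = Callable[[str, str], FrozenSet[str]]

# Constructed catch-all behaviour: the answer depends on which resolver asks,
# imitating a provider that returns a region-specific wildcard target.
WILDCARD_BY_RESOLVER: Dict[str, str] = {
    "198.51.100.1": "203.0.113.10",   # constructed: resolver in region A
    "198.51.100.2": "203.0.113.20",   # constructed: resolver in region B
}
# Constructed real hosts. mail.example.com shares the region-A wildcard IP,
# which is the case a set-based filter cannot rescue.
REAL_HOSTS: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.5"},
    "mail.example.com": {"203.0.113.10"},
}


def fake_lookup(resolver: str, name: str) -> FrozenSet[str]:
    """Stand-in for an A lookup through `resolver`: real hosts win, anything
    else under example.com gets the catch-all answer, the rest is NXDOMAIN."""
    if name in REAL_HOSTS:
        return frozenset(REAL_HOSTS[name])
    if name.endswith(".example.com"):
        return frozenset({WILDCARD_BY_RESOLVER[resolver]})
    return frozenset()


def random_label(n: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(n))


def detect_wildcards(domain: str, resolvers: Iterable[str], lookup: Lookup,
                     probes: int = 3) -> FrozenSet[str]:
    """Ask every resolver for `probes` random labels that cannot legitimately
    exist. Any address that comes back is a wildcard target; the union across
    resolvers catches region-dependent catch-all answers."""
    wildcard_ips: Set[str] = set()
    for resolver in resolvers:
        for _ in range(probes):
            wildcard_ips |= lookup(resolver, "%s.%s" % (random_label(), domain))
    return frozenset(wildcard_ips)


def filter_results(found: Dict[str, Set[str]],
                   wildcard_ips: FrozenSet[str]) -> Dict[str, Set[str]]:
    """Keep a name only if at least one of its addresses lies outside the
    wildcard set. A host that resolves solely to a wildcard address is dropped."""
    return {name: ips for name, ips in found.items() if ips - wildcard_ips}


def enumerate_filtered(domain: str, candidates: List[str], resolvers: List[str],
                       lookup: Lookup = fake_lookup) -> Tuple[Dict[str, Set[str]], FrozenSet[str]]:
    """Wildcard probe first, then round-robin the candidates over the resolvers."""
    wildcard_ips = detect_wildcards(domain, resolvers, lookup)
    found: Dict[str, Set[str]] = {}
    for i, label in enumerate(candidates):
        name = "%s.%s" % (label, domain)
        ips = lookup(resolvers[i % len(resolvers)], name)
        if ips:
            found[name] = set(ips)
    return filter_results(found, wildcard_ips), wildcard_ips


if __name__ == "__main__":
    kept, wc = enumerate_filtered("example.com", ["www", "mail", "dev", "staging"],
                                  ["198.51.100.1", "198.51.100.2"])
    print("wildcard set:", sorted(wc))
    print("kept:", kept)
```

Probing through only the region-A resolver would record a wildcard set of just 203.0.113.10, and a bogus name answered by the region-B resolver would then survive the filter as a false positive; that is the failure the per-resolver probe prevents.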

The recursive crawling feature demonstrates SubBrute's spider-like behavior. When it discovers admin.example.com, it doesn't just log the result—it can automatically use that subdomain as a new base for another enumeration round, searching for admin.dev.example.com, admin.staging.example.com, and so on. This recursive approach often uncovers deeply nested infrastructure that single-pass tools miss:

# Recursive mode finds multi-level subdomains
# (flag as given on this page; confirm it against ./subbrute.py --help, since
#  -r is also the short option for the resolvers list in the upstream option parser)
./subbrute.py -r example.com
# Discovers: admin.example.com
# Then automatically searches: *.admin.example.com
# Discovers: vpn.admin.example.com
# Then searches: *.vpn.admin.example.com
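The crawl above, written out as an added example (not SubBrute's implementation). The zone contents and the existence check are constructed; the point is the bookkeeping a recursive enumerator needs and that a single-pass run would never see vpn.admin.example.com. Each discovered name becomes a new base, a seen-set stops revisits, and a depth bound keeps the query count from multiplying by the wordlist length at every level.

```python
from collections import deque
from typing import Callable, Deque, List, Set, Tuple

# Constructed zone for the walkthrough: only these names exist under example.com.
ZONE: Set[str] = {
    "admin.example.com",
    "vpn.admin.example.com",
    "jump.vpn.admin.example.com",
    "www.example.com",
}


def fake_exists(name: str) -> bool:
    """Stand-in for 'does this name resolve?' (a wildcard-filtered lookup in practice)."""
    return name in ZONE


def recursive_enumerate(apex: str, wordlist: List[str], exists: Callable[[str], bool],
                        max_depth: int = 3) -> Tuple[List[str], int]:
    """Breadth-first crawl: every hit is pushed back as a new base to brute-force.
    Returns the discovered names in discovery order and the number of lookups
    issued, so the cost of each extra level is visible."""
    queue: Deque[Tuple[str, int]] = deque([(apex, 0)])
    seen: Set[str] = {apex}
    discovered: List[str] = []
    queries = 0
    while queue:
        base, depth = queue.popleft()
        if depth >= max_depth:
            continue                      # bound the explosion on deep or catch-all zones
        for label in wordlist:
            name = "%s.%s" % (label, base)
            queries += 1
            if exists(name) and name not in seen:
                seen.add(name)
                discovered.append(name)
                queue.append((name, depth + 1))   # this hit becomes the next base
    return discovered, queries


if __name__ == "__main__":
    words = ["admin", "vpn", "jump", "www", "dev"]
    for depth in (1, 3):
        names, cost = recursive_enumerate("example.com", words, fake_exists, max_depth=depth)
        print("max_depth=%d -> %d lookups, found %s" % (depth, cost, names))
```

With max_depth=1 the run is the ordinary single pass and stops at admin and www; raising the bound to 3 reaches jump.vpn.admin.example.com at four times the lookup cost, which is the trade-off to weigh before turning recursion on against a large wordlist.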

The resolver verification process is critical to reliability. Not all public resolvers are created equal—many are slow, log queries, or have been poisoned with incorrect records. SubBrute includes logic to test resolvers before use, sending control queries and measuring response times. Only resolvers that pass these checks enter the active pool. This pre-flight verification reduces false negatives and improves overall enumeration quality.
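The pre-flight check and the round-robin distribution from the two passages above, combined into one added example; this is illustrative code, not SubBrute's own. Resolver addresses, the control record and each resolver's behaviour are constructed, and fake_query stands in for a real DNS lookup (a dead resolver returns None immediately where a real one would time out). A resolver enters the pool only if it returns the known answer for a control name and NXDOMAIN for a name that cannot exist, which rejects both a poisoned cache and a resolver that rewrites NXDOMAIN to an advertising address.

```python
import itertools
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional, Tuple

Query = Callable[[str, str], Optional[str]]

# Constructed control record: a name whose correct A record we already know.
CONTROL_NAME = "control.example.com"
CONTROL_ANSWER = "203.0.113.7"
NONEXISTENT = "this-must-not-exist.example.com"

# Constructed resolver population.
RESOLVER_BEHAVIOUR: Dict[str, str] = {
    "198.51.100.1": "healthy",
    "198.51.100.2": "poisoned",    # wrong A record cached for the control name
    "198.51.100.3": "dead",        # never answers
    "198.51.100.4": "healthy",
    "198.51.100.5": "hijacking",   # rewrites NXDOMAIN into a landing-page IP
}


def fake_query(resolver: str, name: str) -> Optional[str]:
    """Stand-in for an A lookup; None models NXDOMAIN or a timeout."""
    kind = RESOLVER_BEHAVIOUR.get(resolver, "dead")
    if kind == "dead":
        return None
    if name == CONTROL_NAME:
        return "198.51.100.99" if kind == "poisoned" else CONTROL_ANSWER
    if kind == "hijacking":
        return "192.0.2.200"
    return "203.0.113.5" if name.startswith("www.") else None


def verify_resolver(resolver: str, query: Query) -> bool:
    """Both checks must pass: correct positive answer and honest negative answer."""
    return (query(resolver, CONTROL_NAME) == CONTROL_ANSWER
            and query(resolver, NONEXISTENT) is None)


def build_pool(candidates: List[str], query: Query, workers: int = 4) -> List[str]:
    """Verify candidates in parallel; keep input order for the survivors."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        verdicts = list(ex.map(lambda r: (r, verify_resolver(r, query)), candidates))
    return [r for r, ok in verdicts if ok]


def distribute(names: List[str], pool: List[str], query: Query,
               workers: int = 8) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Send each candidate name to the next resolver in the pool (round-robin),
    so no resolver carries more than 1/len(pool) of the load. Returns the hits
    and the per-resolver query count."""
    if not pool:
        raise ValueError("no usable resolvers after verification")
    rotation = itertools.cycle(pool)
    lock = threading.Lock()

    def work(name: str) -> Tuple[str, str, Optional[str]]:
        with lock:                      # itertools.cycle is not thread-safe
            resolver = next(rotation)
        return name, resolver, query(resolver, name)

    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(work, names))
    hits = {n: ip for n, _, ip in results if ip is not None}
    load: Dict[str, int] = {}
    for _, r, _ in results:
        load[r] = load.get(r, 0) + 1
    return hits, load


if __name__ == "__main__":
    pool = build_pool(list(RESOLVER_BEHAVIOUR), fake_query)
    print("verified pool:", pool)
    candidates = ["%s.example.com" % w for w in ["www", "dev", "mail", "test"]]
    print(distribute(candidates, pool, fake_query))
```

The control name must be one whose answer you control or have independently confirmed; without the negative-answer check, a hijacking resolver passes the positive check and then reports every wordlist entry as a hit.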

What makes this architecture particularly interesting from a security perspective is the operational benefit for the scanner. Your actual source IP never queries the target's nameservers directly; the queries the target sees originate from public resolvers that also serve thousands of other users. That complicates attribution from the target's side and defeats per-IP blocking. It does not make the activity invisible: every resolver operator sees your IP together with every name you asked it for, and an open resolver that logs queries is, in effect, a record of your wordlist. It's an early example of "living off the land", using existing internet infrastructure for purposes beyond its original intent, a concept that would later become central to modern adversary tactics.

Gotcha

The elephant in the room is that SubBrute hasn't been updated since 2016. That's an eternity in security tooling. The resolver list, SubBrute's primary asset, is now nine years stale. Many of those 2,000+ resolvers are offline, rate-limited themselves, or have been secured against open recursive queries. In 2025, the pool of truly open, unrestricted public resolvers has shrunk dramatically as organizations and ISPs have tightened DNS security. This means SubBrute's performance advantage, its core value proposition, has eroded significantly. You'll spend time filtering dead resolvers and dealing with inconsistent results.

The Python 2.7 codebase presents practical deployment challenges despite claims of Python 3 compatibility. The code may run under Python 3 with minimal changes, but it doesn't use asyncio, which would dramatically improve throughput for this I/O-bound workload. Libraries like dnspython have evolved considerably since 2016, and SubBrute doesn't benefit from those improvements. More critically, the tool speaks only classic UDP/TCP DNS to each resolver: it cannot use resolvers that require DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), and it performs no DNSSEC validation, so a forged or stale answer from a poisoned resolver in the pool is accepted at face value. Inconsistent results across resolvers are therefore a reason to distrust the resolver, not a property of the target.

There's also a strategic limitation worth acknowledging: pure brute-force DNS enumeration is increasingly less effective than hybrid approaches. Modern subdomain discovery combines passive techniques (certificate transparency logs, search engine scraping, DNS aggregation databases) with active probing. SubBrute only does active brute-forcing. You'll miss subdomains that aren't in your wordlist, no matter how comprehensive. A subdomain like c7f3a891b2.internal.example.com will never be found through brute-force alone—you need passive reconnaissance or zone enumeration techniques that SubBrute doesn't provide.

Verdict

Use if: You're studying DNS enumeration architectures, need to understand how distributed proxy networks function in security tools, or maintain legacy security pipelines where SubBrute is already integrated and working. It's also valuable for educational purposes: the codebase is readable, and the resolver rotation concept is genuinely clever. If you're working in highly constrained environments where you can't install newer tools and only have Python 2.7 available, SubBrute might be your only option.

Skip if: You need a production-ready subdomain enumeration tool in 2025. The stale resolver list, lack of modern DNS protocol support, and Python 2.7 codebase make it impractical for serious reconnaissance work. Use subfinder for comprehensive passive+active enumeration with API integrations, amass for OWASP-backed enterprise-grade discovery with advanced graph analysis, or dnsx for fast, modern DNS toolkit functionality.

SubBrute deserves recognition as an innovative tool that shaped how we think about DNS enumeration, but its time as a go-to production tool has passed. Treat it as a historical artifact and learning resource rather than your primary reconnaissance weapon.
