DNSGen: How Intelligent Permutations Beat Wordlists in Subdomain Discovery
Hook
Most subdomain enumeration tools still use the same wordlists from 2012. Meanwhile, modern infrastructure has moved to microservices architectures with naming patterns like api-us-east-1-prod.example.com that no generic wordlist will ever contain.
Context
Subdomain discovery remains one of the most critical phases of security reconnaissance. Find an overlooked staging server or internal tool, and you might uncover the keys to the kingdom. Traditional approaches rely on two methods: passive discovery through certificate transparency logs and DNS databases, and active brute-forcing using wordlists containing common names like ‘www’, ‘mail’, and ‘dev’.
The problem? Both approaches miss a crucial category of subdomains: intelligent variations of domains you’ve already discovered. If you find api-prod.example.com, there’s likely an api-staging.example.com and api-dev.example.com. If you discover app-us-east.example.com, you should check every other AWS region. This is where permutation tools enter the picture. DNSGen, created by AlephNullSK, takes the concept pioneered by altdns and modernizes it for cloud-native infrastructure, where naming conventions follow predictable patterns that can be exploited systematically.
Technical Insight
DNSGen operates as a Unix pipeline component, deliberately focusing on one task: transforming known domains into intelligent variations. It reads a list of discovered subdomains, applies multiple permutation strategies, and outputs candidates for DNS resolution. This architectural decision—separating permutation from resolution—makes it exceptionally fast and composable.
The tool implements several mutation strategies that go beyond simple concatenation. Word insertion places terms from a wordlist between domain components: api.example.com becomes api-staging.example.com, api-dev.example.com, and hundreds of other combinations. Number manipulation swaps or increments digits: web1.example.com generates web2.example.com through web99.example.com. Hyphen and dot manipulation transforms separators: api-prod.example.com yields apiprod.example.com and api.prod.example.com.
Here’s a practical workflow example that demonstrates DNSGen’s pipeline design:
# Start with initial subdomain discovery
subfinder -d example.com | tee initial-domains.txt
# Generate permutations using custom wordlist
cat initial-domains.txt | dnsgen -w /path/to/wordlist.txt | tee permutations.txt
# Resolve candidates with massdns
cat permutations.txt | massdns -r resolvers.txt -t A -o S -w results.txt
# Filter for valid responses
cat results.txt | grep -v "NXDOMAIN" | cut -d ' ' -f1 | sort -uThe wordlist format supports inline comments and filtering, which proves invaluable for organizing domain-specific mutations:
# Cloud regions
aws-{region}-
{region}-aws
us-east-1
us-west-2
eu-central-1
# Environment indicators
staging
dev
uat
prod
# Service patterns
api-{env}
{service}-internal
internal-{service}DNSGen’s fast mode (-f flag) significantly reduces output volume by applying more conservative mutation rules. This matters when dealing with large initial seed lists—normal mode might generate 100,000+ candidates from just 500 input domains, overwhelming even optimized DNS resolvers. Fast mode applies smarter heuristics to focus on high-probability variations.
The tool’s cloud-awareness sets it apart from older alternatives. It recognizes patterns like port numbers in subdomains (admin-8080.example.com), regional identifiers, and microservice naming conventions. When it encounters api-v1-us.example.com, it generates variations across API versions (v2, v3), regions, and environment suffixes. This contextual intelligence dramatically improves hit rates compared to blind wordlist application.
One particularly clever feature is word length filtering (-l flag), which prevents generating absurdly long subdomains that DNS servers would reject anyway. This pre-filtering saves bandwidth and processing time during the resolution phase:
cat domains.txt | dnsgen -w wordlist.txt -l 5 | massdns -r resolvers.txtThe implementation prioritizes memory efficiency and streaming operation. DNSGen doesn’t load entire result sets into memory—it generates and outputs permutations on-the-fly, making it suitable for processing millions of input domains without exhausting system resources. This streaming architecture integrates naturally with Unix pipes, allowing complex reconnaissance pipelines where multiple tools chain together.
Gotcha
DNSGen’s permutation approach has inherent limitations that impact its effectiveness in certain scenarios. The tool generates candidates based on pattern recognition and wordlist combination, which means its success depends entirely on the quality of your initial seed domains and wordlists. If you’re targeting an organization that uses completely random subdomain names (GUIDs, hashes, or arbitrary strings), permutation logic provides minimal value over random guessing.
The output volume problem becomes severe without careful tuning. Running DNSGen in normal mode with a comprehensive wordlist against a seed list of 1,000 domains can easily generate 500,000+ permutation candidates. Most of these will be false positives that waste DNS resolution resources and potentially trigger rate limiting or blocking from target infrastructure. The tool provides filtering options, but determining optimal settings requires experience and often trial-and-error. There’s no built-in intelligence for estimating which permutations are most likely to succeed for a given target—you get statistical generation, not probabilistic ranking. Additionally, DNSGen has no awareness of DNS resolution results, so it can’t learn from successful patterns to refine future generations. You must manually analyze results and adjust wordlists based on what works, creating a feedback loop that requires human intervention rather than automated optimization.
Verdict
Use DNSGen if you’re conducting security assessments against modern cloud-native infrastructure where services follow naming conventions involving environments, regions, versions, or microservice patterns. It excels when you already have a solid seed list from passive reconnaissance and want to expand that foundation intelligently. Use it when your workflow already incorporates dedicated DNS resolution tools like massdns or puredns, as DNSGen’s pipeline design integrates perfectly into that ecosystem. It’s particularly valuable for bug bounty hunters and penetration testers who need to maximize subdomain coverage during time-boxed assessments. Skip it if you need an all-in-one solution with built-in DNS checking and result validation—tools like Amass or Subfinder handle that better. Skip it if your targets use random or cryptographic naming schemes where pattern-based permutation offers no advantage over pure brute-forcing. Also skip it if you’re just starting with subdomain enumeration and don’t yet have the pipeline expertise to chain tools effectively; begin with simpler integrated solutions and graduate to DNSGen when you need its specialized permutation capabilities.
