Altdns: Pattern-Based Subdomain Discovery Through Intelligent Permutation
Hook
The best subdomain discoveries don’t come from brute-forcing millions of random strings—they come from understanding how DevOps teams actually name things.
Context
Traditional subdomain enumeration follows two paths: passive collection from certificate transparency logs and DNS databases, or active brute-forcing against massive wordlists. Both approaches miss a crucial attack surface—the subdomains that follow organizational naming conventions but aren’t in public records or generic wordlists. When you discover api.example.com, there’s a high probability that dev-api.example.com, staging-api.example.com, or api-v2.example.com also exist. These pattern-based variations reveal how teams actually structure their infrastructure.
Altdns emerged from the InfoSec Australia team to fill this gap. Rather than replacing passive or brute-force enumeration, it multiplies their effectiveness by taking known subdomains and generating mutations based on common organizational patterns. If you’ve already found 200 or more subdomains through passive reconnaissance, Altdns can expand that dataset by generating what the documentation describes as a “massive” output of altered and mutated potential subdomains. It’s reconnaissance as a force multiplier, designed for the later stages of discovery when you need to squeeze maximum coverage from existing intelligence.
Technical Insight
Altdns operates through a two-phase architecture that separates permutation generation from DNS resolution, giving you flexibility in how you process the results. The generation phase takes your known subdomains and a wordlist of common terms (like admin, dev, staging, qa) and generates altered or mutated versions of those subdomains.
The basic workflow starts with two input files. Your subdomains.txt contains known subdomains discovered through other means, while words.txt contains terms you expect might appear in subdomain patterns:
# Generate permutations and resolve them
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
# Or generate permutations only, pipe to your preferred DNS tool
altdns -i subdomains.txt -o data_output -w words.txt
The generation phase produces what the documentation describes as a “massive” output file. The tool prioritizes coverage during generation, creating numerous permutation candidates from your input datasets.
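The generation idea described above can be turned around for a defensive audit: given the hostnames of your own zone that are already public, which of your unpublished hostnames would a permutation pass derive? The following is an added example, not code from Altdns or from the original page. The three alteration rules are a simplified model assumed for illustration, and every hostname, word and function name in it is constructed.

```python
# Added example (not Altdns source): a simplified permutation model for
# auditing your own zone. All hostnames and words are constructed samples.

def split_labels(name, domain):
    """Return the labels left of `domain`, or None if name is outside it."""
    name = name.lower().rstrip(".")
    suffix = "." + domain
    if not name.endswith(suffix):
        return None  # apex itself or an out-of-scope name
    return name[: -len(suffix)].split(".")

def candidates(known, words, domain):
    """Build permutation candidates from known names and a wordlist."""
    out = set()
    for name in known:
        labels = split_labels(name, domain)
        if not labels:
            continue
        for w in words:
            # Rule 1: insert the word as a new label at every position.
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [w] + labels[i:] + [domain]))
            # Rules 2 and 3: attach the word to each label, dashed and undashed.
            for i, label in enumerate(labels):
                for new in (f"{w}-{label}", f"{label}-{w}", w + label, label + w):
                    out.add(".".join(labels[:i] + [new] + labels[i + 1:] + [domain]))
    return out - {n.lower().rstrip(".") for n in known}

def guessable(public, inventory, words, domain):
    """Inventory names that are not public but derivable from public ones."""
    public_set = {n.lower() for n in public}
    cands = candidates(public, words, domain)
    return sorted(n for n in inventory
                  if n.lower() in cands and n.lower() not in public_set)

DOMAIN = "example.com"
PUBLIC = ["api.example.com", "www.example.com", "mail.eu.example.com"]
WORDS = ["dev", "staging", "v2", "admin"]
INVENTORY = ["dev-api.example.com", "staging-api.example.com",
             "api-v2.example.com", "vault.example.com",
             "grafana-7f3a.example.com"]

if __name__ == "__main__":
    print(len(candidates(PUBLIC, WORDS, DOMAIN)), "candidates")
    for host in guessable(PUBLIC, INVENTORY, WORDS, DOMAIN):
        print("derivable from public names:", host)
```

Three public names and four words already yield 92 candidates, which shows why the output grows so quickly, and any inventory host the audit flags should be treated as discoverable and protected by authentication rather than by an obscure name.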
The optional resolution phase (-r flag) activates a multi-threaded DNS resolver that validates which permutations actually exist. The tool supports thread limiting via -t to prevent overwhelming your network or triggering rate limits, and allows custom DNS server specification with -d 1.2.3.4. Setting the DNS server to the target domain’s authoritative nameserver may increase resolution performance, according to the documentation.
# Use custom DNS server and limit threads
altdns -i subdomains.txt -o data_output -w words.txt -r -s results.txt -t 10 -d 8.8.8.8
The separation of generation and resolution means you can generate permutations once, then use different resolution tools if preferred—the data_output file becomes a reusable asset for testing with tools like massdns or puredns.
The tool’s effectiveness scales with input quality. The documentation states that Altdns works best with large datasets, and having an initial dataset of 200 or more subdomains should produce valid results via the alterations generated. With smaller initial datasets, you’re better served building up your known subdomain list through passive enumeration or traditional brute-forcing first.
Gotcha
Altdns generates what the documentation explicitly warns is a “massive” output of permutation candidates. Even with moderate input sets, you’ll need to resolve large numbers of candidates, most of which won’t exist. Without a fast DNS resolution pipeline, you’ll spend considerable time validating subdomains.
Altdns is versioned separately for Python 2 (1.0.0) and Python 3 (1.0.2). It focuses specifically on permutation generation and optional DNS resolution: it is a specialist tool that requires supporting infrastructure (fast DNS resolution, good input data, thoughtful wordlists) to deliver value. You’ll need to integrate it into a broader subdomain enumeration workflow rather than using it as a standalone solution.
Verdict
Use if: You’ve already compiled a substantial dataset of 200+ known subdomains through passive enumeration and need to expand coverage by exploiting organizational naming patterns. Altdns excels during later-stage reconnaissance when you understand the target’s infrastructure and want to find pattern-based variations that passive sources miss. It’s particularly valuable when targeting organizations with consistent naming conventions across environments (dev/staging/prod prefixes, regional variants, versioned APIs). The separation of generation and resolution also makes it useful if you have preferred DNS tools and just need permutation candidates to feed into your existing pipeline.
Skip if: You’re starting subdomain enumeration from scratch with minimal known subdomains, since the tool works best with large datasets of 200+ subdomains as stated in the documentation. Also skip if you need an all-in-one solution: Altdns is a specialist permutation tool that requires integration with other reconnaissance tools. The massive output and resolution time requirements make it impractical for quick scans or situations where you can’t dedicate significant compute resources to DNS validation.