OneForAll: The Subdomain Enumeration Framework That Aggregates 100+ Data Sources
Hook
While most subdomain scanners query 5-10 data sources, OneForAll orchestrates over 100 collection modules—from certificate transparency logs to obscure Chinese search engines—making it the Swiss Army knife of reconnaissance that security researchers actually use in production.
Context
Subdomain enumeration is the unglamorous foundation of modern attack surface management. Before you can test for vulnerabilities, you need to know what exists. Traditional approaches relied on DNS zone transfers (rarely permitted) or brute-forcing wordlists against DNS servers (slow and incomplete). The explosion of certificate transparency logs, public APIs, and passive DNS databases changed the game, but also fragmented the tooling landscape.
OneForAll emerged from the Chinese infosec community to solve a specific pain point: manually chaining together dozens of tools and API calls during bug bounty reconnaissance. Rather than running Subfinder for passive enumeration, then Amass for active scanning, then custom scripts for niche data sources, OneForAll provides a unified framework that handles authentication, rate limiting, data normalization, and historical tracking across the entire ecosystem. Its 9,700+ stars reflect adoption by professionals who value comprehensive coverage over execution speed.
Technical Insight
OneForAll's architecture revolves around a modular collection system coordinated through a central SQLite database. The main entry point (oneforall.py) accepts a domain and orchestrates execution across four primary module categories: certificate enumeration, DNS collection, web scraping, and intelligence APIs. Each module inherits from a base class that handles database writes, logging, and error recovery.
The framework's real power lies in its concurrent execution model. Rather than running modules sequentially, OneForAll employs a hybrid concurrency strategy using Python's multiprocessing, threading, and asyncio based on each module's I/O characteristics. DNS brute-forcing leverages aiodns for asynchronous resolution, while API calls use thread pools to respect rate limits without blocking execution:
```python
import asyncio

import aiodns


class BruteForceModule:
    def __init__(self, domain, wordlist):
        self.domain = domain
        self.resolver = aiodns.DNSResolver()
        self.wordlist = wordlist

    async def resolve_subdomain(self, subdomain):
        # Resolve one candidate name; a DNS error means no usable A record
        try:
            result = await self.resolver.query(subdomain, 'A')
            return {'subdomain': subdomain, 'ips': [r.host for r in result]}
        except aiodns.error.DNSError:
            return None

    async def run(self):
        # One coroutine per wordlist entry, all scheduled at once
        tasks = [self.resolve_subdomain(f"{word}.{self.domain}")
                 for word in self.wordlist]
        results = await asyncio.gather(*tasks)
        return [r for r in results if r is not None]
```
The SQLite persistence layer uses three core tables: result_table for raw findings with metadata about the collection source, resolved_table for DNS resolution results including IP addresses and CNAME chains, and subdomain_table for deduplicated final outputs. This multi-table design enables historical comparison across scans and attribution of results back to specific collection modules—critical for understanding which data sources provide unique value.
OneForAll's enumeration strategy combines passive and active techniques in a carefully sequenced pipeline. It starts with passive sources (certificate transparency via crt.sh and Censys, DNS aggregators like SecurityTrails, search engine dorking) to build an initial subdomain list. This list then feeds into validation layers: DNS resolution to confirm active records, HTTP probing to identify live web services, and optional port scanning for service fingerprinting. The framework even includes subdomain takeover detection by checking for dangling CNAME records pointing to services like AWS S3 or GitHub Pages:
```python
# Simplified takeover detection logic
DANGLING_SIGNATURES = {
    's3.amazonaws.com': 'NoSuchBucket',
    'github.io': 'There isn\'t a GitHub Pages site here',
    'azure-api.net': 'ResourceNotFound'
}


def check_takeover(subdomain, cname, http_response):
    # Flag the record when the CNAME names a known service and the HTTP
    # response body carries that service's "resource missing" message
    for service, signature in DANGLING_SIGNATURES.items():
        if service in cname and signature in http_response:
            return {'vulnerable': True, 'service': service}
    return {'vulnerable': False}
```
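An added example, not OneForAll's own code, of the same check run against a zone export you control. It goes beyond the simplified version by matching the CNAME on a label boundary (case-insensitive, trailing dot stripped), since a plain substring test flags unrelated hosts and misses mixed-case targets; the records, response bodies and the `fetch_body` callable are constructed assumptions.

```python
# Service suffixes and body strings reuse the three entries from the
# simplified table above.
FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io": "There isn't a GitHub Pages site here",
    "azure-api.net": "ResourceNotFound",
}

# Constructed zone export and canned HTTP bodies so the example runs offline.
SAMPLE_ZONE = [
    ("docs.example.com", "example-org.github.io."),        # dangling, FQDN dot
    ("files.example.com", "Old-Bucket.S3.amazonaws.com"),  # dangling, mixed case
    ("blog.example.com", "example-org.github.io"),         # live site
    ("cdn.example.com", "github.io.cdn.example.net"),      # not GitHub at all
]
SAMPLE_BODIES = {
    "docs.example.com": "404 There isn't a GitHub Pages site here.",
    "files.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "blog.example.com": "<html>Welcome</html>",
    "cdn.example.com": "Mirror of: There isn't a GitHub Pages site here",
}

def matches_service(cname, service):
    # True only if cname equals the service domain or is a subdomain of it
    host = cname.strip().lower().rstrip(".")
    return host == service or host.endswith("." + service)

def audit_zone(records, fetch_body):
    # records: iterable of (name, cname) pairs from your own zone
    # fetch_body: callable(name) -> response body text, or None if unreachable
    findings = []
    for name, cname in records:
        for service, signature in FINGERPRINTS.items():
            if not matches_service(cname, service):
                continue
            body = fetch_body(name)
            if body is not None and signature in body:
                findings.append({"name": name, "cname": cname, "service": service})
            break  # a CNAME target belongs to at most one service
    return findings

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE, SAMPLE_BODIES.get):
        print(finding)
```

A finding here means the record should be removed or the backing resource re-created by its owner; the body signature alone is not proof, which is why the CNAME match is checked first.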
Configuration management reveals OneForAll's enterprise orientation. The config.py file contains authentication tokens for 40+ services including Shodan, Fofa, Hunter, and Chinese platforms like Chinaz and Baidu. The tool supports proxy chains for bypassing regional restrictions and includes intelligent retry logic with exponential backoff. For teams running repeated scans, the --compare flag generates diff reports showing newly discovered subdomains since the last run—a feature absent from most alternatives.
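The per-source attribution and scan-to-scan diff described above, as an added example that is not OneForAll's code. The table names come from the article, but the columns (`scan_id`, `subdomain`, `source`), the helper functions and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed rows: (scan_id, subdomain, source module). Columns are assumed
# for this example and are not OneForAll's actual schema.
SAMPLE_ROWS = [
    (1, "www.example.com", "crtsh"),
    (1, "mail.example.com", "crtsh"),
    (2, "www.example.com", "crtsh"),
    (2, "WWW.example.com.", "brute"),
    (2, "mail.example.com", "securitytrails"),
    (2, "staging.example.com", "crtsh"),
    (2, "vpn.example.com", "brute"),
]

def normalize(name):
    # Lower-case and drop the root dot so duplicates collapse
    return name.strip().lower().rstrip(".")

def load(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE result_table (scan_id INT, subdomain TEXT, source TEXT)")
    conn.executemany("INSERT INTO result_table VALUES (?, ?, ?)",
                     [(s, normalize(d), src) for s, d, src in rows])
    # Deduplicated names per scan, the role the article gives subdomain_table
    conn.execute("CREATE TABLE subdomain_table AS "
                 "SELECT DISTINCT scan_id, subdomain FROM result_table")
    return conn

def new_since(conn, prev_scan, cur_scan):
    # Names in cur_scan that prev_scan did not contain
    rows = conn.execute(
        "SELECT subdomain FROM subdomain_table WHERE scan_id = ? EXCEPT "
        "SELECT subdomain FROM subdomain_table WHERE scan_id = ? "
        "ORDER BY subdomain", (cur_scan, prev_scan))
    return [r[0] for r in rows]

def unique_by_source(conn, scan_id):
    # Names reported by exactly one source, grouped under that source
    rows = conn.execute(
        "SELECT MIN(source), subdomain FROM result_table WHERE scan_id = ? "
        "GROUP BY subdomain HAVING COUNT(DISTINCT source) = 1 "
        "ORDER BY subdomain", (scan_id,))
    out = {}
    for source, sub in rows:
        out.setdefault(source, []).append(sub)
    return out

if __name__ == "__main__":
    print(new_since(load(SAMPLE_ROWS), 1, 2))
```

Names returned by `new_since` are the ones to triage first in ongoing monitoring; `unique_by_source` shows which sources would cost you coverage if their API key lapsed.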
Gotcha
OneForAll's comprehensiveness comes with significant operational overhead. The initial setup requires registering for dozens of API services, many of which have approval delays or require Chinese phone numbers. Without these API keys, you'll only access ~30% of the tool's collection modules, essentially reducing it to a slower version of Subfinder. The configuration file explicitly warns that missing keys will cause modules to fail silently, making it difficult to understand actual coverage.
Performance characteristics vary wildly based on network conditions and API quota. A full scan against a large domain can take 30-60 minutes compared to Subfinder's 2-3 minute runtime, and you'll hit rate limits on free API tiers quickly. The documentation acknowledges that some modules (particularly those querying Baidu, Qihu 360, and other Chinese services) may be inaccessible outside China without VPN/proxy configuration. The async implementation also has memory implications—scanning large wordlists (100k+ entries) in brute-force mode can consume several gigabytes of RAM due to task queue buildup.
Verdict
Use if: You're conducting deep reconnaissance for bug bounties or red team engagements where completeness trumps speed, you have time to configure API integrations across multiple services, you need historical tracking and diff capabilities for ongoing attack surface monitoring, or you're working primarily with Chinese infrastructure where regional data sources provide unique value.
Skip if: You need quick one-off subdomain enumeration (use Subfinder instead), you lack access to API credits for premium services, you're scanning behind restrictive networks without proxy infrastructure, or you prefer active-first enumeration with network topology mapping (Amass is better suited).
OneForAll excels as a batch processing framework for systematic reconnaissance, not an interactive exploration tool.