Altdns: Intelligence-Based Subdomain Discovery Through Pattern Permutation
Hook
A single known subdomain like dev-api.example.com can generate 500+ variations—and about 8-12% of them typically resolve to real infrastructure you never knew existed.
Context
Traditional subdomain enumeration relies on two approaches: passive DNS aggregation from certificate transparency logs and historical data, or active bruteforce using massive wordlists against DNS servers. Both have significant blind spots. Passive methods only find subdomains that have been publicly observed, missing internal or recently created infrastructure. Pure bruteforce is constrained by wordlist quality and the computational expense of trying millions of combinations.
Altdns emerged from the observation that organizations follow predictable naming conventions. If staging-api.company.com exists, there's a reasonable chance staging-web.company.com, staging-api-v2.company.com, or staging-api01.company.com might also exist. Rather than randomly trying dictionary words, Altdns applies transformation patterns to known subdomains, generating targeted permutations that exploit common organizational patterns. It's the reconnaissance equivalent of learning an organization's language and then speaking fluently.
Technical Insight
Altdns operates through a two-phase architecture that separates intelligence generation from validation. The first phase applies six distinct permutation strategies to seed subdomains combined with a user-provided wordlist. These transformations mirror real-world subdomain naming conventions: insertion (inserting words before/after each label), joining words directly, adding dashes between components, appending numeric suffixes, and combining multiple patterns.
The permutation engine's core logic is deceptively simple but combinatorially explosive. Given a subdomain like "api.example.com" and a wordlist containing ["dev", "staging", "test"], it generates variations like dev-api.example.com, apidev.example.com, api-dev.example.com, devapi.example.com, api.dev.example.com, dev.api.example.com, and dozens more. Each word in your wordlist multiplies the output exponentially, which is why the tool recommends starting with 200+ known subdomains—you need sufficient seed data to make the pattern recognition worthwhile.
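To make the permutation phase concrete, here is a small re-implementation of the transformations just described, added for this write-up and not taken from the Altdns project. It assumes a two-label apex (example.com) and only builds names, never resolving them, so you can inspect the output space offline (for instance to see which of your own organization's guessable names would be generated) before deciding what to feed into a resolver.

```python
# Added example, not Altdns' own code. Assumes a two-label apex (example.com);
# a real tool should consult the Public Suffix List for names like example.co.uk.

def split_labels(fqdn: str, apex_labels: int = 2) -> tuple[list[str], list[str]]:
    """'api.example.com' -> (['api'], ['example', 'com'])."""
    labels = fqdn.lower().strip(".").split(".")
    return labels[:-apex_labels], labels[-apex_labels:]


def valid_label(label: str) -> bool:
    """RFC 1035 label: 1-63 chars, no leading or trailing hyphen."""
    return 0 < len(label) <= 63 and not label.startswith("-") and not label.endswith("-")


def permute(seed: str, words: list[str], numbers: int = 2) -> set[str]:
    """Apply the transformations described in the article to each host label of
    `seed`: insertion as a new label, dash-joined, directly joined, numeric suffix."""
    host, apex = split_labels(seed)
    out: set[str] = set()

    def emit(labels: list[str]) -> None:
        name = ".".join(labels + apex)
        if all(valid_label(x) for x in labels) and len(name) <= 253:
            out.add(name)

    for i, label in enumerate(host):
        before, after = host[:i], host[i + 1:]
        for w in words:
            w = w.lower()
            emit(before + [w, label] + after)           # dev.api.example.com
            emit(before + [label, w] + after)           # api.dev.example.com
            emit(before + [f"{w}-{label}"] + after)     # dev-api.example.com
            emit(before + [f"{label}-{w}"] + after)     # api-dev.example.com
            emit(before + [w + label] + after)          # devapi.example.com
            emit(before + [label + w] + after)          # apidev.example.com
        for n in range(1, numbers + 1):
            emit(before + [f"{label}{n}"] + after)      # api1.example.com
            emit(before + [f"{label}{n:02d}"] + after)  # api01.example.com
            emit(before + [f"{label}-{n}"] + after)     # api-1.example.com
    out.discard(seed.lower())                           # never re-emit the seed
    return out


if __name__ == "__main__":
    # Constructed sample input mirroring the article's walkthrough.
    for name in sorted(permute("api.example.com", ["dev", "staging", "test"])):
        print(name)
```

With three words and two numeric suffixes a single seed yields 24 candidates, which is how a few hundred seeds and a hundred-word list reach the tens of thousands discussed below.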
Here's how you'd use Altdns in a typical reconnaissance workflow:
# First, gather seed subdomains using passive enumeration
# subfinder, amass, or certificate transparency logs
cat known_subdomains.txt
# api.target.com
# www.target.com
# staging.target.com
# mail.target.com
# Generate permutations with a focused wordlist
altdns -i known_subdomains.txt -o permutations.txt -w words.txt
# The words.txt might contain environment identifiers:
cat words.txt
# dev
# test
# qa
# prod
# staging
# uat
# internal
# admin
# vpn
# backup
# Optionally resolve immediately with threading
altdns -i known_subdomains.txt -o permutations.txt -w words.txt -r -s resolved.txt -t 50
The resolution phase leverages Python's threading to parallelize DNS queries. By default, it uses your system's configured resolvers, but you can specify custom DNS servers—particularly useful when targeting an organization's authoritative nameservers, which often respond faster and more completely than public resolvers. The tool performs A record lookups and outputs only subdomains that successfully resolve, dramatically reducing noise in your dataset.
The threading implementation is straightforward but effective, distributing resolution tasks across a configurable thread pool (default 10, recommended up to 100 depending on your network). Each thread pulls subdomains from a queue, performs the DNS query, and writes results to the output file if successful. This design handles the I/O-bound nature of DNS queries efficiently without complex async patterns.
One architectural decision worth noting: Altdns outputs the complete permutation set before resolution begins. This means you can use it purely as a permutation generator, feeding the results into faster DNS resolution tools like massdns or puredns. Many practitioners prefer this approach, generating permutations with Altdns and then using specialized resolvers that can handle 10,000+ queries per second. The separation of concerns makes Altdns a strong component in a larger toolchain rather than a standalone solution.
The wordlist you choose dramatically impacts results. Generic wordlists produce noise; targeted wordlists based on your reconnaissance findings (technology stack, cloud providers, development methodologies) yield gold. If you've identified that a target uses Kubernetes, adding k8s, kube, cluster, node, pod to your wordlist often reveals infrastructure. AWS-heavy organizations expose patterns with aws, s3, ec2, elb prefixes and suffixes.
Gotcha
Altdns suffers from the cold start problem—it needs substantial seed data to be effective. Starting with just five subdomains produces limited value because the pattern permutations lack context. The tool explicitly recommends 200+ known subdomains, which means you need to complete initial reconnaissance using other methods (certificate transparency, passive DNS, basic wordlist bruteforce) before Altdns becomes useful. This positions it firmly as a mid-stage tool, not an entry point for subdomain discovery.
The permutation explosion creates practical challenges. A modest dataset of 50 subdomains with a 100-word wordlist easily generates 50,000+ permutations. Most won't resolve, creating significant noise if you're manually reviewing results. The resolution phase helps, but DNS queries for tens of thousands of domains take time—even with threading, expect 30+ minutes for large permutation sets. You'll want to carefully curate your wordlist and potentially filter seed subdomains to the most promising candidates rather than throwing everything at the wall. The Python 2 vs Python 3 split (py-altdns vs altdns packages) also creates friction, requiring you to verify compatibility with your environment and potentially dealing with abandoned Python 2 dependencies in 2024.
Verdict
Use if: You've completed initial reconnaissance and have 100+ known subdomains for a target, need to discover environment-specific infrastructure (dev, staging, test systems often misconfigured), want a permutation generator to feed into high-performance DNS resolvers like massdns, or are targeting organizations with predictable naming conventions (enterprises, SaaS companies, large tech orgs).

Skip if: You're starting reconnaissance from scratch with minimal subdomain knowledge, need cutting-edge performance and modern code (consider dnsgen or dnsx instead), want an all-in-one solution rather than a pipeline component, or prefer actively maintained tools with recent commits.

Altdns excels at what it does but occupies a specific niche in the reconnaissance workflow—understand where it fits before deploying it.