Tool Review - dnstwist

If you manage domains for yourself or your organization, it is worth knowing, from a security perspective, which similar-looking or similar-sounding domains exist. This blog isn’t focused much on brand protection, although that is another use case for being aware of domains similar to your own. There are a few ways to find domains that are registered (or could be registered) and resemble yours. One comprehensive method that requires a fair amount of work is Rapid7’s Project Sonar data. This is a collection of datasets that are updated weekly (after you register for a free account) or monthly (downloadable without requiring any account registration). For our purposes the interesting one is the Forward DNS data, which includes all A and AAAA records. Downloading this dataset is the easy part (assuming you have the hard drive space to store it; compressed, the A record data is 22.9 GB as of August 2020). Once you have it, you need to do something with it. This involves additional parsing, storage, and notification, which can certainly be done (and might be a fun project), but if we could shortcut our way to the same or better result with a LOT less effort, well, that would sure be neat…

What is a segue…

So, unsurprisingly (since this is a tool review), a tool called dnstwist does a lot of the work for us by flipping the way in which we get to our results. With a dataset like Project Sonar, we parse registered domains, a lot of them, to see whether something similar is already registered. dnstwist approaches the problem of lookalike domains from the other direction by calculating all the possible permutations of a domain: given a base domain like mktbs.net, it calculates what could be registered to trick people who might not notice a small difference.

Installation and Usage

dnstwist’s GitHub readme is fairly straightforward and offers several ways to get the tool installed. For me, the easiest way is to use a Python virtual environment and pip. The commands below make some assumptions about the version of Python installed on your system and how you prefer to use virtual environments. If you don’t know what those things are, start here.

mtobias@some-os:~/code$ mkdir dnstwist
mtobias@some-os:~/code$ virtualenv -p python3 dnstwist
mtobias@some-os:~/code$ cd dnstwist
mtobias@some-os:~/code$ . bin/activate
mtobias@some-os:~/code$ pip install dnstwist

After installation, using dnstwist with the default settings is fairly easy: just run dnstwist mktbs.net, substituting your own domain for mktbs.net. Out of the box, dnstwist calculates permutations of the specified domain. For a shorter domain like mktbs.net, dnstwist calculates 868 permutations. These include substitutions, insertions, omissions, repetition, replacement, transposition, and homoglyphs (similar-looking characters). dnstwist also checks for possible bitsquatting; if you don’t know what that is, take a look at this fairly comprehensive write-up on the topic. The longer your domain, the more permutations are possible: if I run dnstwist against miketobias.org, there are 5,831 possible permutations, quite a bit more than mktbs.net!

mtobias@some-os:~/code$ dnstwist mktbs.net
     _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {20200707}

Processing 868 permutations ···30%··61%··91% 12 hits

original*      mktbs.net      35.185.44.232
addition       mktbsa.net     -
addition       mktbsb.net     -
addition       mktbsc.net     -
addition       mktbsd.net     -
addition       mktbse.net     -

A subset of results for mktbs.net

In addition to listing permutations of your specified domain name, dnstwist also checks to see if they have been registered! For a personal domain like mktbs.net, this is likely less interesting than a corporate domain tied to a notable brand.
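
To make the permutation classes and the registration check described above concrete, here is a small sketch added for this write-up; it is not dnstwist’s code. It implements five of the classes for a single label plus suffix (such as mktbs.net) and matches them against a constructed list of observed names; the function names and the OBSERVED list are assumptions made for the example.

```python
import string

# Characters allowed in a DNS hostname label (lowercase; DNS is case-insensitive).
VALID = set(string.ascii_lowercase + string.digits + "-")

def addition(label):       # append one letter: mktbs -> mktbsa
    return {label + c for c in string.ascii_lowercase}

def omission(label):       # drop one character: mktbs -> mkbs
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def repetition(label):     # double one character: mktbs -> mkttbs
    return {label[:i] + c + label[i:] for i, c in enumerate(label)}

def transposition(label):  # swap two neighbours: mktbs -> kmtbs
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def bitsquatting(label):   # flip one bit of one character: mktbs -> lktbs
    out = set()
    for i, c in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(c) ^ (1 << bit))
            if flipped in VALID:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

FUZZERS = {"addition": addition, "omission": omission, "repetition": repetition,
           "transposition": transposition, "bitsquatting": bitsquatting}

def permutations(domain):
    """Map each lookalike of `domain` to the class that produced it."""
    label, _, tld = domain.partition(".")
    found = {}
    for name, fuzz in FUZZERS.items():
        for cand in fuzz(label):
            # Skip the original and labels that start or end with a hyphen.
            if cand and cand != label and cand[0] != "-" and cand[-1] != "-":
                found.setdefault(f"{cand}.{tld}", name)
    return found

def registered_lookalikes(domain, observed):
    """Return sorted (name, class) pairs for observed names that resemble `domain`."""
    cands = permutations(domain)
    return sorted((d, cands[d]) for d in set(observed) if d in cands)

# Constructed sample of observed names; it does not reflect real registrations.
OBSERVED = ["mktbsa.net", "example.org", "mkbs.net", "lktbs.net", "mktbs.net"]

if __name__ == "__main__":
    for name, kind in registered_lookalikes("mktbs.net", OBSERVED):
        print(f"{kind:<14} {name}")
```

In practice the observed names would come from DNS lookups or a dataset such as the Forward DNS data mentioned earlier, and the original domain and unrelated names fall out of the result on their own.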

If you are interested in dnstwist and don’t feel like installing it (or don’t know how), you can try out the same functionality through your browser at https://dnstwist.it/. This web-based version of dnstwist is hosted by the author of the tool, but as always, be wary of what you enter on some random website on the internet!

Overall, I’m really happy with dnstwist: it is a very high-quality tool that very quickly solved a problem I had (determining registered domains without parsing 22 compressed gigabytes of data). The tool is under active development and is utilized in a few well-known tools.