# Domain Discovery

Check the following locations for additional domains:

* Certificate Transparency Reports
* Google Cache
* Wordlists in DNS

### Discovery

When a DNS CNAME record points to a separate subdomain on a cloud service, we can search for that target name as well. This may give us additional information about new assets.

```
// Below gives us a new potential set of hostnames, m4lwhereNotes
CNAME notes.m4lwhere.org -> m4lwhereNotes.gitbook.com
```
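To keep track of what those CNAME targets reveal across a whole result set, the sketch below sorts them into in-scope hostnames that have not been enumerated yet and third-party tenant names grouped by provider. It is an added example, not part of the original notes: the sample records are constructed, `lb-int` and `example-cdn.net` are hypothetical, and the provider is assumed to be the last two labels of the target (no public suffix list).

```python
"""Added example: inventory CNAME targets found during subdomain enumeration."""
from collections import defaultdict

# Constructed sample records in "owner TYPE target" form (not real resolver output).
SAMPLE = """\
notes.m4lwhere.org.   CNAME  m4lwhereNotes.gitbook.com.
www.m4lwhere.org.     CNAME  web01.m4lwhere.org.
web01.m4lwhere.org.   A      192.0.2.10
api.m4lwhere.org.     CNAME  lb-int.m4lwhere.org.
shop.m4lwhere.org.    CNAME  M4LWHERE-shop.example-cdn.net.
"""

def norm(name):
    """Lowercase and drop the trailing root dot so names compare equal."""
    return name.rstrip(".").lower()

def in_scope(name, domain):
    """True if name is the domain itself or one of its subdomains."""
    return name == domain or name.endswith("." + domain)

def cname_inventory(text, domain):
    """Return (new in-scope hostnames, {provider: {tenant labels}})."""
    domain = norm(domain)
    owners, cnames = set(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        owner, rtype, target = norm(parts[0]), parts[1].upper(), parts[2]
        owners.add(owner)
        if rtype == "CNAME":
            cnames.append(norm(target))
    internal, external = set(), defaultdict(set)
    for target in cnames:
        if in_scope(target, domain):
            if target not in owners:
                internal.add(target)  # referenced but not yet enumerated
        else:
            labels = target.split(".")
            # Assumption: provider = last two labels of the target name.
            external[".".join(labels[-2:])].add(".".join(labels[:-2]))
    return internal, dict(external)

if __name__ == "__main__":
    new_hosts, third_party = cname_inventory(SAMPLE, "m4lwhere.org")
    print("in-scope hostnames to resolve next:", sorted(new_hosts))
    for provider, tenants in sorted(third_party.items()):
        print(f"third-party tenant(s) on {provider}:", sorted(tenants))
```
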

### Tools

inetdata - <https://github.com/hdm/inetdata>

DNSRecon.py - <https://github.com/darkoperator/dnsrecon>

```
./dnsrecon.py -t brt,crt -d m4lwhere.org -D hosts.txt --iw --threads 10
# Brute Force, Cert Transparency Logs (brt,crt)
# Target domain of m4lwhere.org
# -D is custom dictionary of hosts.txt
# --iw is to ignore the wildcard
```

ShuffleDNS

Uses `massdns` to shuffle DNS requests across many different providers, which makes it very quick.

```
shuffledns -d m4lwhere.org -w ./subdomains-5k.txt -r ./resolvers.txt --massdns /opt/bin/massdns -o ./out.txt
```

gobuster


