# Domain Discovery

Check the following locations for additional domains:

* Certificate Transparency Reports
* Google Cache
* Wordlists in DNS

### Discovery

If a DNS CNAME points to a record that is a separate subdomain on a cloud service, we can search for that record as well. This may give us additional information about new assets.

```
// Below gives us a new potential set of hostnames, m4lwhereNotes
CNAME notes.m4lwhere.org -> m4lwhereNotes.gitbook.com
```
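The CNAME check above can be run across a whole set of resolved records to build an inventory of third-party hosts. This is an added example, not part of the original notes: the record lines are constructed sample data in dig-style answer format, and the function names are hypothetical.

```python
# Added example: list third-party hosts that a domain's CNAME chains end up on.
SAMPLE = """\
notes.m4lwhere.org.   300 IN CNAME m4lwhereNotes.gitbook.com.
www.m4lwhere.org.     300 IN CNAME m4lwhere.org.
m4lwhere.org.         300 IN A     192.0.2.10
docs.m4lwhere.org.    300 IN CNAME Notes.M4lwhere.org.
loop-a.m4lwhere.org.  300 IN CNAME loop-b.m4lwhere.org.
loop-b.m4lwhere.org.  300 IN CNAME loop-a.m4lwhere.org.
"""  # constructed records; 192.0.2.10 is a documentation address


def norm(name):
    """Lower-case and drop the trailing root dot (DNS names are case-insensitive)."""
    return name.rstrip(".").lower()


def parse_cnames(text):
    """Return {owner: target} for every CNAME line; other record types are skipped."""
    cnames = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() == "CNAME":
            cnames[norm(f[0])] = norm(f[4])
    return cnames


def in_zone(name, apex):
    """True only for the apex itself or a real subdomain (label boundary checked)."""
    return name == apex or name.endswith("." + apex)


def external_targets(text, apex):
    """Map owner -> (external_host, tenant_label) where a CNAME chain leaves the apex."""
    apex = norm(apex)
    cnames = parse_cnames(text)
    found = {}
    for owner in cnames:
        seen, name = set(), owner
        while name in cnames and name not in seen:  # 'seen' stops CNAME loops
            seen.add(name)
            name = cnames[name]
            if not in_zone(name, apex):
                found[owner] = (name, name.split(".")[0])
                break
    return found


if __name__ == "__main__":
    for owner, (host, tenant) in sorted(external_targets(SAMPLE, "m4lwhere.org").items()):
        print(f"{owner} -> {host} (tenant label: {tenant})")
```

The tenant label is printed in lower case because names are normalised before comparison.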

### Tools

inetdata - <https://github.com/hdm/inetdata>

DNSRecon.py - <https://github.com/darkoperator/dnsrecon>

```
./dnsrecon.py -t brt,crt -d m4lwhere.org -D hosts.txt --iw --threads 10
# Brute Force, Cert Transparency Logs (brt,crt)
# Target domain of m4lwhere.org
# -D is custom dictionary of hosts.txt
# --iw is to ignore the wildcard
```

ShuffleDNS

Uses `massdns` to shuffle DNS requests across many different providers, which makes it very quick.

```
shuffledns -d m4lwhere.org -w ./subdomains-5k.txt -r ./resolvers.txt --massdns /opt/bin/massdns -o ./out.txt
```

gobuster
