Subfinder and DNSX from ProjectDiscovery are two of the most powerful tools in a recon toolkit. Together, they give you fast, accurate subdomain enumeration at scale. This is a complete guide to using both tools effectively for bug bounty and security research.

Installation

# Install Go first
pkg install golang   # Termux
apt install golang   # Debian

# Install both tools
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

subfinder -version
dnsx -version

Subfinder: Key Flags

# Basic
subfinder -d target.com

# All passive sources (slower, more complete)
subfinder -d target.com -all

# Multiple targets from file
subfinder -dL domains.txt -o all_subs.txt

# Silent — for clean piping
subfinder -d target.com -silent

DNSX: Resolving and Filtering

# Resolve A records
cat subs.txt | dnsx -a -resp -silent

# Get CNAME records (subdomain takeover detection)
cat subs.txt | dnsx -cname -resp -silent

# Filter wildcard DNS
cat subs.txt | dnsx -silent -wd target.com

Full Production Pipeline

#!/bin/bash
# TeenSquad Subdomain Pipeline
TARGET="$1"
OUT="recon_results"

# Stop early if no target domain was given
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <domain>" >&2
    exit 1
fi
mkdir -p "$OUT"

echo "[*] Subfinder passive enum..."
subfinder -d "$TARGET" -all -silent > "$OUT/raw_subs.txt"

echo "[*] DNSX resolving..."
# -resp appends the resolved addresses after each hostname
cat "$OUT/raw_subs.txt" | dnsx -silent -a -resp > "$OUT/resolved.txt"

echo "[*] HTTPX web probing..."
# Keep only the hostname column before handing the list to httpx
cat "$OUT/resolved.txt" | awk '{print $1}' | httpx -silent -title -status-code -tech-detect > "$OUT/web.txt"

echo "[+] Raw: $(wc -l < "$OUT/raw_subs.txt") | Resolved: $(wc -l < "$OUT/resolved.txt") | Web: $(wc -l < "$OUT/web.txt")"
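
The pipeline above passes everything subfinder returns straight to dnsx. The following is an added example, not part of the original script: a filter that normalises the raw list and drops names outside the target's apex domain before anything is resolved. The function names `filter_scope` and `sample_raw` and the sample hostnames are constructed for illustration.

```shell
#!/bin/bash
# Added example: normalise and scope-filter a raw subdomain list.
# filter_scope ROOT reads hostnames on stdin and prints only ROOT itself
# or its subdomains, lowercased, deduplicated and sorted.
# The body runs in a subshell so its variables stay local.
filter_scope() (
    root=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    root=${root%.}                      # drop a trailing dot on the apex
    tr '[:upper:]' '[:lower:]' |
    tr -d '\r' |
    # trim whitespace, strip a leading "*." and a trailing root dot
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v root="$root" '
        # discard anything that is not a syntactically valid hostname
        $0 !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)*$/ { next }
        # the apex itself is in scope
        $0 == root { print; next }
        # a subdomain must end in "." + apex, so "nottarget.com" is rejected
        length($0) > length(root) + 1 &&
            substr($0, length($0) - length(root)) == ("." root) { print }
    ' | sort -u
)

# Constructed sample of what passive sources can return for target.com
sample_raw() {
    cat <<'EOF'
WWW.Target.com
api.target.com.
*.dev.target.com
api.target.com
nottarget.com
target.com.evil.net
cdn.other-vendor.net
target.com
bad host!.target.com
EOF
}

sample_raw | filter_scope target.com
```

In the pipeline it would sit between the first two steps, for example `subfinder -d "$TARGET" -all -silent | filter_scope "$TARGET" > "$OUT/raw_subs.txt"`.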

Boosting Subfinder with API Keys

Subfinder supports optional API keys for sources like Shodan, SecurityTrails, Censys and VirusTotal. Adding even 2-3 of these dramatically increases subdomain coverage. Store them in ~/.config/subfinder/provider-config.yaml. All have free tiers sufficient for personal research.