explaingit

elceef/dnstwist

5,669PythonAudience · ops devopsComplexity · 2/5Setup · easy

TLDR

A Python tool that generates lookalike domain names to help security teams detect phishing, typo squatting, and brand impersonation before attackers exploit them.

Mindmap

mindmap
  root((dnstwist))
    What it does
      Domain permutations
      Phishing detection
      Brand monitoring
    Attack types caught
      Typo squatting
      Homograph attacks
      Homoglyphs
    Checks performed
      DNS resolution
      MX records
      IP addresses
    Audience
      Security teams
      OSINT researchers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Check if your company's domain has lookalike variants already registered that could be used for phishing.

USE CASE 2

Monitor for newly registered typo-squatted domains that resemble your brand.

USE CASE 3

Use as part of a threat intelligence workflow to detect active phishing campaigns targeting your users.

Tech stack

PythonDNS

Getting it running

Difficulty · easy Time to first run · 5min

Requires Python, full documentation lives in the docs/ folder rather than the root README.

No license information is available from the sources provided.

In plain English

This Python tool takes a domain name and generates hundreds of similar-looking variants that could be used in phishing attacks or brand impersonation. If you give it a domain like "example.com", it produces alternatives such as character swaps, skipped or doubled letters, transpositions, and domains that use characters from other alphabets that look identical to Latin letters but are technically different. This last technique is called a homograph attack, and it is a common method attackers use to create convincing fake websites. The tool is designed for security teams and researchers who want to know what lookalike domains exist before attackers exploit them. By discovering which variants are registered or active, an organization can register the most dangerous lookalikes themselves, set up monitoring alerts, or work to take malicious domains down. Beyond generating the list of permutations, dnstwist can optionally check each one against live DNS records. This means it can tell you whether a lookalike domain is registered, what IP address it points to, whether it has an MX record suggesting it can receive email, and other indicators of active use. This makes it useful for actual threat intelligence gathering, not just listing possibilities. The topics associated with the project include DNS, domain fuzzing, homoglyphs, internationalized domain names, OSINT (open-source intelligence), and phishing. OSINT tools are those that gather information from publicly available sources rather than intrusion or exploitation, so dnstwist fits squarely into the defensive security toolkit. The repository points to a separate documentation folder for its full README, so the main project documentation is not included in the root file shown here.

Copy-paste prompts

Prompt 1
I have dnstwist installed and I want to check for phishing domains targeting mycompany.com. Write me a command that finds all registered lookalike domains and outputs them as a CSV.
Prompt 2
Using dnstwist, how can I check if any typo-squatted domains for my-brand.com are actively sending email?
Prompt 3
Help me write a Python script that runs dnstwist on a list of domains once a day and sends an alert if any new lookalike domains appear since the last run.
Open on GitHub → Explain another repo

← elceef on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.