whatisgithub

What is dnstwist?

elceef/dnstwist — explained in plain English

Analysis updated 2026-05-18

5,669PythonAudience · ops devopsComplexity · 2/5Setup · easy

In one sentence

A Python tool that generates lookalike domain names to help security teams detect phishing, typo squatting, and brand impersonation before attackers exploit them.

Mindmap

mindmap
  root((dnstwist))
    What it does
      Domain permutations
      Phishing detection
      Brand monitoring
    Attack types caught
      Typo squatting
      Homograph attacks
      Homoglyphs
    Checks performed
      DNS resolution
      MX records
      IP addresses
    Audience
      Security teams
      OSINT researchers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check if your company's domain has lookalike variants already registered that could be used for phishing.

USE CASE 2

Monitor for newly registered typo-squatted domains that resemble your brand.

USE CASE 3

Use as part of a threat intelligence workflow to detect active phishing campaigns targeting your users.

What is it built with?

PythonDNS

How does it compare?

elceef/dnstwistthudm/slimegboeing/osmnx
Stars5,6695,6705,671
LanguagePythonPythonPython
Setup difficultyeasyhardeasy
Complexity2/55/52/5
Audienceops devopsresearcherresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Requires Python, full documentation lives in the docs/ folder rather than the root README.

No license information is available from the sources provided.

So what is it?

This Python tool takes a domain name and generates hundreds of similar-looking variants that could be used in phishing attacks or brand impersonation. If you give it a domain like "example.com", it produces alternatives such as character swaps, skipped or doubled letters, transpositions, and domains that use characters from other alphabets that look identical to Latin letters but are technically different. This last technique is called a homograph attack, and it is a common method attackers use to create convincing fake websites. The tool is designed for security teams and researchers who want to know what lookalike domains exist before attackers exploit them. By discovering which variants are registered or active, an organization can register the most dangerous lookalikes themselves, set up monitoring alerts, or work to take malicious domains down. Beyond generating the list of permutations, dnstwist can optionally check each one against live DNS records. This means it can tell you whether a lookalike domain is registered, what IP address it points to, whether it has an MX record suggesting it can receive email, and other indicators of active use. This makes it useful for actual threat intelligence gathering, not just listing possibilities. The topics associated with the project include DNS, domain fuzzing, homoglyphs, internationalized domain names, OSINT (open-source intelligence), and phishing. OSINT tools are those that gather information from publicly available sources rather than intrusion or exploitation, so dnstwist fits squarely into the defensive security toolkit. The repository points to a separate documentation folder for its full README, so the main project documentation is not included in the root file shown here.

Copy-paste prompts

Prompt 1
I have dnstwist installed and I want to check for phishing domains targeting mycompany.com. Write me a command that finds all registered lookalike domains and outputs them as a CSV.
Prompt 2
Using dnstwist, how can I check if any typo-squatted domains for my-brand.com are actively sending email?
Prompt 3
Help me write a Python script that runs dnstwist on a list of domains once a day and sends an alert if any new lookalike domains appear since the last run.

Frequently asked questions

What is dnstwist?

A Python tool that generates lookalike domain names to help security teams detect phishing, typo squatting, and brand impersonation before attackers exploit them.

What language is dnstwist written in?

Mainly Python. The stack also includes Python, DNS.

What license does dnstwist use?

No license information is available from the sources provided.

How hard is dnstwist to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is dnstwist for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.