What is dnstwister?

dnstwister generates a list of domain names that are similar to one that you provide, checking to see if any of them are registered.

Why use dnstwister?

dnstwister can tell you if someone may be using a domain like yours for malicious purposes like phishing or trademark infringement.

For instance as the owner of the domain I would be very interested to know if someone registered the ‘’ domain and started sending malicious password-reset emails to users.

dnstwister makes it trivial to answer that exact question.

Email and Atom alerts email_icon feed_icon

So you don’t have to keep coming back and running searches, dnstwister can also alert you (via Email or Atom/RSS feeds) within 24 hours if a new domain is registered like yours, if an existing domain has changed IP address or has even been unregistered. To subscribe you simply click on the appropriate icon after performing a search.

How it works

Let’s say you do a dnstwister search on

Firstly, dnstwister will generate a list of similar domains - something like:

(you can thank dnstwist for that awesome algorithm)

For each of these domains, dnstwister will attempt to resolve a DNS A record - the mapping between a domain name and an IP address. This will look something like:


Successfully resolving a domain to an IP address indicates someone has registered it.


1. Why do you use hexadecimal for all the domain references?

Corporate firewalls and proxies will often block malicious domains even if they are only part of a query string in the URL- eg[malicious domain].

By encoding the domain as hexidecimal you can still perform your searches and analysis.


We have a fast-evolving JSON API available for you to play with, if you’re keen.