dnstwist vs DNSGen vs RipGen: Self-Hosted Domain Permutation & Typosquatting Detection Guide 2026

Domain names are your organization’s digital identity. When attackers register lookalike domains — swapping a single character, substituting a visually similar Unicode character, or adding a hyphen — your users, employees, and customers become targets for credential harvesting, malware delivery, and financial fraud.

Self-hosted domain permutation tools solve this problem by generating every possible variant of your domain name, then checking which ones are actually registered. Run these tools on your own infrastructure to maintain complete control over your brand protection pipeline, integrate results with internal threat intelligence systems, and avoid the costs of commercial brand monitoring services.

For related reading, see our phishing simulation guide and threat intelligence platform comparison.

Why Self-Host Domain Security Tools

Commercial brand protection services charge thousands of dollars per year to monitor your domain variants. With self-hosted tools, you get unlimited scans, full customization, and the ability to integrate with your existing security infrastructure.

Key advantages of self-hosted domain monitoring:

• No subscription costs — open-source tools are free; you only pay for compute
• Unlimited domains — monitor your entire portfolio, subsidiaries, and acquired brands without per-domain fees
• Full data ownership — scan results never leave your network
• Custom alerting — pipe results into Slack, email, PagerDuty, or your SIEM
• Scheduled automation — run daily or hourly scans via cron, Kubernetes CronJobs, or CI/CD pipelines
• Integration with threat intelligence — feed discovered domains directly into MISP, OpenCTI, or your honeypot infrastructure for further analysis

dnstwist: The Gold Standard for Typosquatting Detection

dnstwist is the most widely-used open-source domain permutation engine, with over 5,600 stars on GitHub. Created by security researcher elceef, it generates domain name variations using 28 different fuzzing techniques and resolves them to find active registrations.

Key statistics:

• GitHub stars: 5,664
• Language: Python
• Last updated: April 2025
• Docker pulls: 31,000+

Fuzzing Techniques

dnstwist supports an extensive range of permutation algorithms:

Advanced Features

dnstwist goes beyond simple permutation with several powerful detection capabilities:

• SSDEEP fuzzy hashing — compares webpage similarity to detect cloned login pages
• TLSH hashing — alternative fuzzy hashing for content comparison
• Screenshot capture — uses headless Chromium to visually verify phishing pages
• GeoIP lookup — identifies hosting location of discovered domains
• WHOIS lookup — reveals registration details for threat attribution
• TLD dictionary attacks — tests your domain name against hundreds of top-level domains
• Abused TLD detection — prioritizes checking against TLDs commonly used for phishing

Docker Deployment

dnstwist provides an official Docker image. The standard CLI version runs as a one-shot container, while the webapp variant provides a browser-based interface:

CLI mode (one-shot scan):

1
2
3
4
5
6
7
8
9

version: "3.8"

services:
  dnstwist-cli:
    image: elceef/dnstwist:latest
    command: ["--format", "json", "--registered", "example.com"]
    volumes:
      - ./results:/opt/dnstwist/output
    restart: "no"

With SSDEEP and TLSH hashing:

1
2
3
4
5
6

docker run --rm elceef/dnstwist:latest \
  --format json \
  --registered \
  --ssdeep \
  --tld dictionaries/common_tlds.dict \
  example.com > results.json

Webapp mode (persistent web interface):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

version: "3.8"

services:
  dnstwist-webapp:
    build:
      context: .
      dockerfile: webapp/Dockerfile
    ports:
      - "8080:8080"
    volumes:
      - ./results:/opt/dnstwist/output
    restart: unless-stopped
    environment:
      - WORKERS=4

To build the webapp with screenshot capabilities (requires Chrome and Selenium):

1

docker build -t dnstwist:phash --build-arg phash=1 -f webapp/Dockerfile .

Automated Monitoring with dnstwist

The most practical deployment pattern is a scheduled scan that compares results against a baseline and alerts on newly discovered domains:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

#!/bin/bash
# dnstwist-monitor.sh - Run daily and alert on new domains

DOMAINS=("example.com" "example.org" "example.net")
RESULTS_DIR="/var/lib/dnstwist"
ALERT_EMAIL="security@example.com"

for domain in "${DOMAINS[@]}"; do
  today=$(date +%Y%m%d)
  output="${RESULTS_DIR}/${domain}-${today}.json"
  
  docker run --rm -v "${RESULTS_DIR}:/opt/dnstwist/output" \
    elceef/dnstwist:latest \
    --format json --registered --ssdeep "${domain}" \
    > "/opt/dnstwist/output/$(basename "$output")"
  
  # Compare with previous scan
  prev=$(ls -t "${RESULTS_DIR}/${domain}-"*.json 2>/dev/null | head -2 | tail -1)
  if [ -f "$prev" ]; then
    new_domains=$(python3 -c "
import json, sys
old = set(d['domain-name'] for d in json.load(open('$prev')))
new = set(d['domain-name'] for d in json.load(open('$output')))
for d in sorted(new - old):
    print(d)
")
    if [ -n "$new_domains" ]; then
      echo "New typosquatting domains detected for ${domain}:" | \
        mail -s "[ALERT] New domain variants for ${domain}" "$ALERT_EMAIL"
      echo "$new_domains" | mail -s "[ALERT] New domain variants for ${domain}" "$ALERT_EMAIL"
    fi
  fi
done

Add to cron for daily execution at 2 AM:

1

0 2 * * * /opt/scripts/dnstwist-monitor.sh

DNSGen: Intelligent Subdomain Discovery

DNSGen takes a different approach from dnstwist. Instead of focusing on typosquatting detection, it generates intelligent domain name permutations for subdomain enumeration — a critical step in security assessments and attack surface mapping.

Key statistics:

• GitHub stars: 1,064
• Language: Python
• Last updated: January 2025

How DNSGen Works

DNSGen reads a list of base domains or subdomains and generates variations by combining words, prefixes, suffixes, and common naming patterns. This is particularly useful for:

• Red team engagements — discovering hidden subdomains during penetration testing
• Attack surface mapping — finding all exposed services for your organization
• Bug bounty hunting — identifying overlooked subdomains with vulnerabilities
• Security audits — comprehensive inventory of DNS infrastructure

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Install DNSGen
pip3 install dnsgen

# Basic usage with a wordlist
echo -e "api.example.com\ndev.example.com" | dnsgen -w /usr/share/wordlists/dnsgen/default.txt

# Output includes intelligent permutations like:
# api-dev.example.com
# staging-api.example.com
# api-internal.example.com
# dev-api-legacy.example.com

Docker Deployment

DNSGen doesn’t have an official Docker image, but it can be easily containerized:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

version: "3.8"

services:
  dnsgen:
    image: python:3.11-slim
    working_dir: /app
    volumes:
      - ./input:/app/input
      - ./output:/app/output
    entrypoint: ["/bin/bash", "-c"]
    command:
      - |
        pip install dnsgen
        cat /app/input/domains.txt | dnsgen -w /usr/share/wordlists/dnsgen/default.txt > /app/output/permutations.txt
    restart: "no"

Integration with dnstwist

DNSGen and dnstwist are complementary tools. A powerful workflow chains them together:

1
2
3
4
5
6
7

# Step 1: Generate subdomain permutations with DNSGen
cat known-domains.txt | dnsgen - | sort -u > expanded-domains.txt

# Step 2: Feed results into dnstwist for typosquatting detection
while IFS= read -r domain; do
  dnstwist --registered --format json "$domain"
done < expanded-domains.txt | jq -s '.' > comprehensive-report.json

This approach expands your monitoring coverage from a handful of primary domains to thousands of potential variants.

RipGen: High-Performance Rust-Based Permutation

RipGen is a Rust-based domain permutation generator designed for speed and performance. When you need to process large domain portfolios or integrate permutation generation into high-throughput pipelines, RipGen’s compiled execution provides significant advantages.

Key statistics:

• GitHub stars: 299
• Language: Rust
• Last updated: December 2023

Performance Advantages

As a compiled Rust binary, RipGen offers:

• Faster execution — no Python interpreter overhead
• Lower memory usage — minimal runtime footprint
• Standalone binary — no dependency installation required
• Cross-platform — pre-compiled binaries for Linux, macOS, and Windows

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Install via cargo
cargo install ripgen

# Or download pre-compiled binary
wget https://github.com/resyncgg/ripgen/releases/latest/download/ripgen-linux-amd64
chmod +x ripgen-linux-amd64

# Basic usage
./ripgen-linux-amd64 -d example.com > permutations.txt

# Process a list of domains
cat domains.txt | ./ripgen-linux-amd64 --stdin > all-permutations.txt

Docker Deployment

RipGen can be built from source in a Docker container:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"

services:
  ripgen:
    image: rust:1.75-slim
    working_dir: /app
    volumes:
      - ./input:/app/input
      - ./output:/app/output
    entrypoint: ["/bin/bash", "-c"]
    command:
      - |
        git clone https://github.com/resyncgg/ripgen.git /tmp/ripgen
        cd /tmp/ripgen && cargo build --release
        cat /app/input/domains.txt | /tmp/ripgen/target/release/ripgen --stdin > /app/output/permutations.txt
    restart: "no"

Or use a minimal pre-built image:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

version: "3.8"

services:
  ripgen:
    image: alpine:latest
    volumes:
      - ./ripgen-binary:/usr/local/bin/ripgen:ro
      - ./input:/input
      - ./output:/output
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        cat /input/domains.txt | ripgen --stdin > /output/permutations.txt
    restart: "no"

Feature Comparison

Choosing the Right Tool

Use dnstwist when:

• You need active typosquatting detection with DNS resolution
• You want visual verification via screenshot capture
• You need content similarity comparison (SSDEEP/TLSH)
• You’re monitoring for homograph phishing attacks with Unicode lookalikes
• You want a web-based dashboard for your security team

Use DNSGen when:

• Your primary goal is subdomain enumeration for security assessments
• You need intelligent word-based permutations (not just character mutations)
• You’re doing red team engagements or bug bounty hunting
• You want to expand a small domain list into a comprehensive target inventory

Use RipGen when:

• You need maximum performance for large-scale permutation generation
• You’re processing thousands of domains in batch pipelines
• You want a zero-dependency binary that runs anywhere
• Memory efficiency is critical (containers, serverless environments)

Building a Complete Domain Security Pipeline

For comprehensive brand protection, combine these tools into an automated pipeline:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

version: "3.8"

services:
  # Step 1: Generate subdomain permutations
  dnsgen:
    image: python:3.11-slim
    volumes:
      - ./data:/data
    command: >
      bash -c "
        pip install dnsgen &&
        cat /data/base-domains.txt | dnsgen - > /data/expanded-domains.txt
      "

  # Step 2: High-performance permutation for additional variants
  ripgen:
    image: alpine:latest
    volumes:
      - ./ripgen:/usr/local/bin/ripgen:ro
      - ./data:/data
    command: >
      sh -c "
        cat /data/base-domains.txt | ripgen --stdin >> /data/expanded-domains.txt &&
        sort -u /data/expanded-domains.txt -o /data/expanded-domains.txt
      "

  # Step 3: Typosquatting detection and resolution
  dnstwist:
    image: elceef/dnstwist:latest
    volumes:
      - ./data:/data
    command: >
      bash -c "
        while IFS= read -r domain; do
          ./dnstwist.py --format json --registered --ssdeep --tld dictionaries/common_tlds.dict \"$$domain\"
        done < /data/expanded-domains.txt > /data/final-report.json
      "
    depends_on:
      - dnsgen
      - ripgen

Run the pipeline on a schedule and archive results for trend analysis:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

#!/bin/bash
# Run the complete domain security pipeline

DATE=$(date +%Y-%m-%d)
PIPELINE_DIR="/var/lib/domain-security/${DATE}"
mkdir -p "${PIPELINE_DIR}"

# Copy baseline domains
cp /etc/domain-security/base-domains.txt "${PIPELINE_DIR}/"

# Run Docker Compose pipeline
cd "${PIPELINE_DIR}"
docker compose -f /etc/domain-security/docker-compose.pipeline.yml up --abort-on-container-exit

# Archive results
tar czf "${PIPELINE_DIR}.tar.gz" "${PIPELINE_DIR}"

For organizations that also need to detect typosquatting at the network level, consider deploying a self-hosted DNS firewall to block access to discovered malicious domains, or integrate findings with a self-hosted honeypot to capture attacker activity.

FAQ

What is typosquatting and why should I monitor for it?

Typosquatting (also called URL hijacking) is the practice of registering domain names that are slight misspellings or visual lookalikes of legitimate domains. Attackers use these domains for phishing, malware distribution, and brand impersonation. For example, goggle.com instead of google.com or examp1e.com instead of example.com. Monitoring for these variants lets you identify threats before they impact your users.

How often should I run domain permutation scans?

For most organizations, weekly scans provide a good balance between coverage and resource usage. High-risk organizations (financial services, government, large enterprises) should run daily scans. The initial baseline scan processes all 28 fuzzing techniques across your domain portfolio; subsequent scans can focus on newly registered domains since your last scan date.

Can dnstwist detect internationalized domain names (IDN) and homograph attacks?

Yes. dnstwist’s homograph attack detection specifically targets Unicode characters that look visually similar to ASCII characters. For example, the Cyrillic letter “о” (U+043E) is visually identical to the Latin letter “o” (U+006F). dnstwist generates these IDN variants and checks if they’re registered, helping you identify sophisticated phishing campaigns targeting international users.

What’s the difference between dnstwist, DNSGen, and RipGen?

dnstwist is a complete typosquatting detection tool — it generates domain variants, resolves them via DNS, and reports which ones are registered. DNSGen focuses on intelligent subdomain permutation using wordlists, making it ideal for subdomain enumeration during security assessments. RipGen is a high-performance Rust-based permutation generator designed for speed when processing large domain lists. dnstwist does resolution; DNSGen and RipGen do generation only.

Do I need a dedicated server to run these tools?

No. All three tools can run on a small VPS or even a Raspberry Pi. dnstwist’s Docker image requires approximately 200MB of disk space and minimal RAM. For large-scale scanning (hundreds of domains with SSDEEP and screenshot capture), a VM with 2 CPU cores and 2GB RAM is recommended. The DNS resolution queries are lightweight and don’t require high bandwidth.

How can I integrate scan results with my existing security tools?

dnstwist outputs JSON, CSV, and plain text formats, making it easy to pipe results into your existing infrastructure. Common integrations include:

• MISP/OpenCTI — add discovered domains as threat indicators
• Slack/Teams — send alerts to your security channel via webhook
• SIEM (Wazuh, Elastic) — forward scan results as log entries
• DNS firewall — automatically update RPZ blocklists with malicious domains
• Threat intelligence feeds — share findings with industry ISACs

Is it legal to scan domains I don’t own?

Running domain permutation tools and checking DNS records is generally considered passive reconnaissance and is legal in most jurisdictions. You’re querying public DNS records — the same information anyone can look up with dig or nslookup. However, actively probing websites (screenshots, HTTP requests) on domains you don’t own may have different legal implications. Consult your legal counsel and review your local regulations before running scans against third-party domains.