DOME – Fast & Reliable Python Subdomain Enumeration Tool


Dome is a fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports. This tool is recommended for bug bounty hunters and pentester in their reconnaissance phase.

the more surface area exposed the faster a rock with break down

If you want to use more OSINT engines, fill the config.api file with the needed API tokens

Passive Mode:

Use OSINT techniques to obtain subdomains from the target. This mode will not make any connection to the target so it is undetectable. The basic use of this mode is:

python -m passive -d domain

Active Mode:

Perform bruteforce attacks to obtain alive subdomains. There are 2 types of bruteforce:

  • Pure Bruteforce: Check subdomains from to (26 + 26^2 + 26^3 = 18278 subdomains) this bruteforce can be disabled with -nb, --no-bruteforce
  • Wordlist based: Use a custom wordlist provided by the user using the flag -w, --wordlist. If no wordlists is specified, this mode won’t be executed

This mode will also make passive mode attack but in this case, the connection is tested to ensure the subdomain is still alive. To disable passive scan in active scan mode, use --no-passive flag

The basic use of this mode is:

python -m active -d domain -w wordlist.txt

Add -p option or a built-it port option (see usage menu) to perform port scanning

python -m active -d domain -w wordlist.txt -p 80,443,8080


You can run Dome with Python 2 or 3. Python3 is recommended

Install the dependencies and run the program

git clone
cd Dome
pip install -r requirements.txt
python --help

Top Features

  • Easy to use. Just install the requirements.txt and run
  • Active and Passive scan (read above)
  • Faster than other subdomain enumeration tools
  • 7 different resolvers/nameservers including google, cloudfare (fastest), Quad9 and cisco DNS (use –resolvers filename.txt to use a custom list of resolvers, one per line)
  • Up to 21 different OSINT sources
  • Subdomains obtained via OSINT are tested to know if they are alive (only in active mode)
  • Support for webs that requires API token
  • Detects when api key is no longer working (Other tools just throw an error and stops working)
  • Wildcard detection and bypass
  • Custom Port scaning and built-in params for Top100,Top1000 and Top Web ports
  • Colored and uncolored output for easy read
  • Windows and Python 2/3 support (Python 3 is recommended)
  • Highly customizable through arguments
  • Scan more than one domain simultaneously
  • Possibility to use threads for faster bruteforce scans
  • Export output in different formats such as txt, json, html

Buy me a Coffee

"Buy Me A Coffee"



Passive mode:


Active mode + port scan:


OSINT Search Engines

Dome uses these web pages to obtain subdomains

Without API:

  • AlienVault
  • HackerTarget
  • RapidDNS
  • ThreatMiner
  • CertSpotter
  • Anubis-DB
  • Sonar
  • SiteDossier
  • DNSrepo

With API:

  • VirusTotal
  • Shodan
  • Spyse
  • SecurityTrails
  • PassiveTotal
  • BinaryEdge


Please follow and like us:

Leave a Reply

Your email address will not be published. Required fields are marked *