@zeropwn
Forked from marzavec/run.js
Created August 8, 2019 16:48
Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)
/*
Developer: Marzavec ( https://github.com/marzavec )
Description: A simple browser-based subdomain bruteforcing script, using DoH providers. Developed as a 5 minute hack, just to see its performance. Many improvements could be made, such as adding error handling or informing the user when the script is done.
Usage: Open the browser's dev console (usually F12), paste this script, change the `rootTld`, press enter to run. Ezpz.
*/
const rootTld = 'lyka.pro'; // change to your target's root tld
// url to newline separated wordlist
const wordlistUrl = 'https://raw.githubusercontent.com/rbsec/dnscan/master/subdomains.txt';
// array of dns over https providers, these have been tested against ratelimiting
const providerArray = ['https://dns.google.com/resolve','https://doh-jp.blahdns.com/dns-query','https://doh-de.blahdns.com/dns-query','https://dns.dns-over-https.com/dns-query','https://doh.securedns.eu/dns-query','https://doh.dns.sb/dns-query','https://doh.li/dns-query'];

// pull wordlist from source path
async function pullWordlist(path) {
  let response = await fetch(path);
  let data = await response.text();
  // trim each line (handles CRLF wordlists) and drop empty entries so no "\r.tld" or ".tld" names are queried
  return data.split("\n").map((word) => word.trim()).filter((word) => word.length > 0);
}

// loop through each word and start the dns request (requests are fired concurrently, not awaited)
async function start(wordlist) {
  wordlist.forEach((word) => {
    requestDns(`${word}.${rootTld}`);
  });
}

// performs the get request to a random doh provider
async function requestDns(domain) {
  let provider = providerArray[Math.floor(Math.random()*providerArray.length)];
  let response = await fetch(`${provider}?name=${domain}&type=A&cd=true`);
  let record = await response.json();
  checkResponse(record);
}

// check provider's response, `Status` will be 0 if found
function checkResponse(record) {
  // Status 0 (NOERROR) can be returned with no Answer section (NODATA), so guard before indexing into it
  if (record.Status === 0 && Array.isArray(record.Answer) && record.Answer.length > 0) {
    console.log(`Found ${record.Answer[0].name} at ${record.Answer[0].data}`);
  }
}

// request wordlist, then start processing
pullWordlist(wordlistUrl)
  .then(wordlist => start(wordlist));
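As an added example (not part of the gist above), here is a parser for the JSON format the DoH providers listed in the script return, covering the cases the gist's `checkResponse` glosses over: a `Status` of 0 with no `Answer` section (NODATA), CNAME chains, and error response codes. The sample responses are constructed for illustration, not captured from any provider.

```javascript
// DNS response codes (RCODEs) as carried in the JSON "Status" field, and the
// record types that matter for an A lookup. Values per the DNS RFCs.
const RCODE = { 0: 'NOERROR', 1: 'FORMERR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 5: 'REFUSED' };
const RRTYPE_A = 1, RRTYPE_CNAME = 5, RRTYPE_AAAA = 28;

// Strip the trailing dot of a fully qualified name ("www.example.com." -> "www.example.com").
function stripFqdnDot(name) {
  return name.endsWith('.') ? name.slice(0, -1) : name;
}

// Turn a DoH JSON response object into a small, safe-to-read summary.
// Never throws on a missing or empty Answer array.
function parseDohResponse(record) {
  const status = typeof record.Status === 'number' ? record.Status : -1;
  const answers = Array.isArray(record.Answer) ? record.Answer : [];
  return {
    rcode: RCODE[status] || `RCODE${status}`,
    // NOERROR means the name exists, even when no A record came back (NODATA).
    exists: status === 0,
    addresses: answers
      .filter((a) => a.type === RRTYPE_A || a.type === RRTYPE_AAAA)
      .map((a) => a.data),
    cnames: answers
      .filter((a) => a.type === RRTYPE_CNAME)
      .map((a) => ({ name: stripFqdnDot(a.name), target: stripFqdnDot(a.data) })),
    truncated: record.TC === true,
  };
}

// Constructed sample responses in the provider's JSON shape (hypothetical data).
const sampleA = { Status: 0, TC: false,
  Question: [{ name: 'www.example.com.', type: 1 }],
  Answer: [{ name: 'www.example.com.', type: 1, TTL: 300, data: '93.184.216.34' }] };
const sampleCname = { Status: 0, TC: false,
  Question: [{ name: 'blog.example.com.', type: 1 }],
  Answer: [
    { name: 'blog.example.com.', type: 5, TTL: 60, data: 'host.example.net.' },
    { name: 'host.example.net.', type: 1, TTL: 60, data: '192.0.2.10' } ] };
// NOERROR but no Answer key at all: this is what crashes a naive record.Answer[0] access.
const sampleNodata = { Status: 0, TC: false,
  Question: [{ name: 'mail.example.com.', type: 1 }] };
const sampleNxdomain = { Status: 3, TC: false,
  Question: [{ name: 'nope.example.com.', type: 1 }] };

// One-line summary in the spirit of the gist's console.log, without the crash.
function describeDohResponse(record) {
  const r = parseDohResponse(record);
  if (!r.exists) return `no such name (${r.rcode})`;
  if (r.addresses.length === 0) return 'name exists but has no address records (NODATA)';
  return `found ${r.addresses.join(', ')}` + (r.cnames.length ? ` via ${r.cnames[0].target}` : '');
}
```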