How to use Fierce for DNS Enumeration? OSINT RECON
The Fierce command line tool is a DNS
reconnaissance tool for locating non-contiguous IP space using DNS records. This tool does not perform exploitation and does not scan the whole internet indiscriminately. Although this tool also scans networks like NMAP, it can excel at finding misconfigured networks that leak internal address space because it uses DNS primarily.
The examples below will be using the facebook.com domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security researching purposes. Please visit this link to make sure the Facebook program is still open before attempting any of these commands.
Fierce Github repository: https://github.com/mschwager/fierce
Fierce Tool Options
Argument | Command Example | Description |
---|---|---|
–help | $ fierce –help | show the command options |
–domain | $ fierce –domain facebook.com | domain name to test |
–connect | $ fierce –domain facebook.com –connect | attempt HTTP connection to non-RFC 1918 hosts |
–wide | $ fierce –domain facebookcom –wide | scan entire class c of discovered records |
–traverse | $ fierce –domain facebook.com –subdomains m –traverse 10 | scan IPs near discovered records |
–search | $ fierce –domain facebook.com –subdomains m –search fb.com | filter on these domains when expanding lookup |
–range | $ fierce –dns-servers 10.0.0.1 –range 10.0.0.0/24 | scan an internal IP range, use cidr notation |
–delay | $ fierce –domain facebook.com –delay 10 | time to wait between lookups (sec.) |
–subdomains | $ fierce –domain facebook.com –subdomains m | use these subdomains |
–subdomain-file | $ fierce –domain facebook.com –subdomain-file file.txt | use subdomains specified in this file (one per line) |
–dns-servers | $ fierce –dns-servers 10.0.0.1 | use these dns servers for reverse lookups |
–dns-file | $ fierce –dns-file file.txt | use dns servers specified in this file (one per line) |
Fierce Cheat Sheet

Fierce –help Argument
$ fierce –help
The –help argument shows the command options available for use.

Fierce –domain Argument
$ fierce –domain facebook.com
The domain name specified to test is listed after the –domain argument.

Fierce –connect Argument
$ fierce –domain facebook.com –subdomains mail –connect
The fierce –connect argument gives you a list of subdomains for your target, and by using the -connect argument, it will show you if any of those subdomains are running web servers. It will try to pull the HTTP header information from any web servers that are online for recon purposes. Useful information extracted using the –connect could be version number of web server.

Fierce –wide Argument
$ fierce –domain google.com –wide
The fierce –wide argument scans entire class c of discovered records. This option generates a lot more traffic but can uncover more information.

Fierce –traverse Argument
$ fierce –domain facebook.com –subdomains m –traverse 10
The fierce –traverse argument scans IPs near discovered records and this option will not enter adjacent class c’s. The example below is using the facebook.com domain and the subdomain of m, which is m.facebook.com.

Fierce –search Argument
$ fierce –domain facebook.com –subdomains m –search fb.com
The fierce –search argument filters on the domains specified when expanding lookup. Essentially, it will limit nearby IP traversal to certain domains. This argument is useful for finding names if the corporate servers are named differently than the public facing website.

Fierce –range Argument
$ fierce –dns-servers 10.0.0.1 –range 10.0.0.0/24
The fierce –range argument scans an internal IP range using CIDR notation. The –range has to be used with the –dns-servers argument. Internal networks will often have large blocks of contiguous IP space assigned and can be scanned using this syntax.

Fierce –delay Argument
$ fierce –domain facebook.com –delay 10
The fierce –delay argument is the time to wait between lookups counted in seconds. In the example below, you can see in the blue circle where the command finished the first lookup and has the 10 second delay before proceeding the query.

Fierce –subdomain Argument
$ fierce –domain facebook.com –subdomains m
The fierce –subdomains argument tells the tool to use the specified subdomains.

Fierce –subdomain-list Argument
$ fierce –domain facebook.com –subdomain-file file.txt
The fierce –subdomain-list uses a specified file to enumerate subdomains. The format for the text file should be only 1 subdomain per line.

All the examples above use the facebook.com domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security researching purposes. Please visit this link to make sure the Facebook program is still open before attempting any of these commands.