Investigator Use
DNS Twister is a free domain intelligence tool that detects typosquatting, domain permutations, and homoglyph variants of a target domain. By generating and analyzing variations of a domain name — including common misspellings, character substitutions, and internationalized homoglyphs — DNS Twister helps investigators identify domains that may be used for phishing, brand impersonation, or traffic interception.
What investigators use DNS Twister for: discovering domains that impersonate a target organization for phishing campaigns, monitoring for typosquatting threats against a brand, identifying domains registered by threat actors that closely resemble legitimate domains, and tracking when permutation domains are newly registered and configured.
What DNS Twister exposes: algorithmically generated domain permutations for any input domain, live DNS resolution status for each permutation, phishing risk scores based on registration patterns, MX record presence indicating whether permutations have been configured to send email, and parked versus active domain status.
DNS Twister implements multiple permutation algorithms: character substitution (replacing o with 0), character deletion, character insertion, character transposition, homoglyph substitution (using Unicode characters that visually resemble ASCII letters), and bitsquatting (exploiting single-bit errors in domain name transmission). Each technique represents a different type of domain confusion attack.
For brand protection investigations: submit the target domain and review permutations that are actively registered and have MX records — the combination of registration and mail configuration is a strong indicator of phishing intent. Domains with MX records but no web content are frequently used as phishing infrastructure waiting to be activated.
Proactive monitoring: DNS Twister's phishing detection feature can alert on newly registered permutations, allowing defensive teams to act before phishing campaigns go live. In an OSINT context, newly registered similar domains following a news event or corporate announcement are particularly suspicious.
In a workflow: run DNS Twister at the beginning of any brand protection or phishing investigation. Take all registered permutations with MX records and query them in PhishTank, VirusTotal, and SecurityTrails. For newly registered permutations, check WHOIS registration data for registrant patterns that link multiple fake domains to the same threat actor.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
Domain Tools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.
Domainiq
Domain OSINT
DomainIQ provides WHOIS research, domain name investigation, brand protection tools, and cybercrime attribution resources.