Fast, non-intrusive domain reconnaissance tool written in Go.
Udig provides a quick overview of a target domain's infrastructure by combining multiple active scanning techniques — DNS enumeration (including CAA, DNSSEC, and DMARC), TLS certificate scraping, WHOIS lookups, HTTP analysis (headers, security.txt and robots.txt), Certificate Transparency log search, BGP ASN mapping, GeoIP resolution, RDAP (RIR registration data for discovered IPs), DNSBL blocklist checks and Tor exit-node detection Discovered domains are automatically followed and resolved recursively.
This is not a full-blown DNS enumerator. There is no brute-forcing, no port scanning, no search engine scraping. udig is designed to be unobtrusive and fast, suitable for long-term experiments with many targets.
- DNS — resolves all record types of interest (A, AAAA, NS, MX, TXT, CAA, SOA, DS, DNSKEY, ...) with automatic nameserver discovery
- CAA & DNSSEC — queries CAA records (extracts domains from
iodefURLs), reports DNSSEC signing status - SPF & DMARC parsing — extracts IPs embedded in SPF records, queries
_dmarc.{domain}TXT records, parses policy andrua/rufreporting URIs - TLS — extracts full certificate chains and discovers domains from SANs
- WHOIS — parses contact information from WHOIS banners
- HTTP — inspects security-related headers (CSP, CORS, Alt-Svc, ...), fetches
security.txtandrobots.txtfor domain discovery - Certificate Transparency — queries crt.sh for historical and current certificates
- PTR — reverse DNS lookups on discovered IPs to reveal hostnames (mail servers, CDNs, cloud instances)
- BGP — maps discovered IPs to autonomous systems via Team Cymru
- GeoIP — resolves country codes for discovered IPs via IP2Location
- RDAP — looks up IP registration metadata (network name, handle, range, abuse contact) via RIR RDAP servers using the IANA bootstrap (no API key)
- DNSBL — checks discovered IPs against DNS blocklists (Barracuda, UCEProtect, DroneBL) and decodes return codes
- Tor — detects Tor nodes (exit, guard, relay) via the Onionoo API; reports nickname, fingerprint, and flags
- Recursive crawling — domains found in any resolution are automatically followed
- Output — colorized human-readable CLI output, JSON or graph as DOT (Graphviz), JSON, or terminal tree (
--graph=dot|json|term)
Download the latest release from the Releases page.
Requires Go 1.24+.
make # build + test
make install # install binary (and copy GeoIP DB if present)
make geoip # optional: download GeoIP database for country lookupsgo install github.com/netrixone/udig/cmd/udig@latestudig [-h|--help] [-v|--version] [-V|--verbose] [-s|--strict]
[-d|--domain "<value>"] [-t|--timeout "<value>"]
[--ct:expired] [--ct:from "<value>"] [--json] [--graph "<value>"] [--max-depth <value>]
| Flag | Description |
|---|---|
-d, --domain |
Domain to resolve |
-s, --strict |
Strict domain relation — require TLD match |
-t, --timeout |
Connection timeout (default: 10s) |
-V, --verbose |
Enable debug logging |
--ct:expired |
Include expired Certificate Transparency logs |
--ct:from |
CT log start date in YYYY-MM-DD format (default: 1 year ago) |
--json |
Output payloads as JSON objects |
--graph |
Emit resolution graph: dot, json, or term (terminal tree). DOT is limited to 200 nodes; a warning is shown at 50+ nodes. |
--max-depth |
Max recursion depth (-1 = unlimited, 0 = seed only, default: -1) |
udig -d example.com
udig -d example.com --json
udig -d example.com --graph=term # tree in terminal
udig -d example.com --graph=dot # pipe to dot -Tpng for image
udig -d example.com --ct:from 2024-01-01 -V
udig -d example.com --max-depth 2
udig can be imported as a package for programmatic use. See DEVELOPMENT.md for the API overview, architecture, and build details.
dig := udig.NewUdig()
for res := range dig.Resolve("example.com") {
// Results stream in as they become available.
fmt.Println(res.Type(), res.Query())
}- miekg/dns — DNS library for Go
- akamensky/argparse — CLI argument parsing
- domainr/whois — WHOIS client for Go
- ip2location/ip2location-go — GeoIP using IP2Location LITE
- Team Cymru — IP-to-ASN mapping service
- IANA RDAP Bootstrap — IP address space to RDAP server mapping (RFC 9224)
MIT — see LICENSE.txt.
