Domain Typosquatting & Phishing Detector (dnstwist) avatar

Domain Typosquatting & Phishing Detector (dnstwist)

Pricing

$30.00 / 1,000 registered domain founds

Go to Apify Store
Domain Typosquatting & Phishing Detector (dnstwist)

Domain Typosquatting & Phishing Detector (dnstwist)

Find registered look-alike domains (typosquatting, homoglyphs, TLD swaps) impersonating your brand — powered by the open-source dnstwist engine. Public DNS data only. For brand protection and authorized security research.

Pricing

$30.00 / 1,000 registered domain founds

Rating

0.0

(0)

Developer

daehwan kim

daehwan kim

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

5 days ago

Last modified

Share

Find registered look-alike domains that impersonate your brand — typosquatting, homoglyph (IDN) spoofs, TLD swaps, bitsquatting, and more — powered by dnstwist (Apache-2.0), the industry-standard domain permutation engine. The Actor generates thousands of permutations of your domain and resolves which ones are actually registered, so you see the real phishing and brand-impersonation threats instead of a noisy wordlist.

Built for brand-protection teams, security analysts, fraud investigators, and SOC/CTI teams who need to monitor domain abuse with zero setup. Public DNS data only — this Actor never logs into or scrapes the content of any target domain.

Legal Disclaimer: This Actor is an unofficial integration of dnstwist (elceef/dnstwist) and is not affiliated with or endorsed by the original project. It uses publicly available DNS data for defensive brand-protection and authorized security research. Comply with all applicable laws in your jurisdiction.


What does this Actor do?

Give it a domain (e.g. yourbrand.com) and it will:

  1. Generate thousands of permutations — typos, character swaps, missing/added letters, homoglyphs (e.g. yourbrаnd.com with a Cyrillic "а"), hyphenation, TLD substitutions (.com.net, .co, ...), and bitsquatting.
  2. Resolve each permutation's live DNS records (A, AAAA, MX, NS).
  3. Return the ones that are actually registered — the genuine impersonation risk — including whether they have a mail server (MX), which signals possible phishing-email capability.

Running on Apify gives you scheduling, a REST API, dataset exports (JSON/CSV/Excel), and monitoring — so you can watch for newly registered look-alikes on a recurring schedule.

Why use this Actor?

  • Brand protection — discover domains squatting on your brand before customers get phished.
  • Anti-phishinghasMailServer flags look-alikes configured to send email (the dangerous ones).
  • M&A / due diligence — map the domain footprint and impersonation exposure of any company.
  • Continuous monitoring — schedule weekly scans to catch newly registered copycats.

How to use it

  1. Enter your domain (just the domain, e.g. example.com — no http://, no path).
  2. Leave Registered domains only on to see just the real threats (recommended).
  3. Run it. Each registered look-alike becomes one row in the dataset.
  4. Export to CSV/JSON/Excel or pull via the API. Schedule it for ongoing monitoring.

Input

FieldTypeDescription
domainstringThe domain to protect, e.g. example.com. Required.
registeredOnlybooleanOnly return permutations that actually resolve (default true).
maxResultsintegerCap on look-alikes returned/charged (default 200, max 500).
timeoutintegerMax scan time in seconds (default 300).

Output

Each registered look-alike domain is one dataset record. You can download the dataset in JSON, HTML, CSV, or Excel.

{
"inputDomain": "example.com",
"variantDomain": "example.com",
"fuzzer": "omission",
"registered": true,
"hasMailServer": true,
"dnsA": ["203.0.113.10"],
"dnsMX": ["mail.example.com"],
"dnsNS": ["ns1.somehost.com"],
"scannedAt": "2026-06-29T00:00:00+00:00"
}

Data fields

FieldDescription
variantDomainThe look-alike domain found
fuzzerPermutation technique (omission, homoglyph, tld-swap, addition, ...)
registeredWhether the domain resolves (has DNS records)
hasMailServerWhether it has an MX record (can send/receive email → phishing risk)
dnsA / dnsAAAAIPv4 / IPv6 addresses
dnsMX / dnsNSMail servers / nameservers

Pricing / Cost estimation

This Actor is pay-per-result: you are charged $0.03 per registered look-alike domain discovered. A typical brand has a handful to a few dozen registered look-alikes, so most scans cost a few cents to under a dollar. Invalid input and "no look-alikes found" runs are free. New Apify users get free monthly credits to start.

Tips & advanced options

  • Keep registeredOnly: true for signal over noise — unregistered permutations are not an active threat.
  • Watch the hasMailServer flag: a look-alike with MX records is set up to send email and is a high-priority phishing risk.
  • Schedule a weekly run and diff the results to catch newly registered copycats early.

FAQ, disclaimers & support

Is this legal? Yes — it only generates name permutations and queries public DNS, the same data any DNS resolver returns. It does not access private data or the target domains' content. Use it for defensive brand protection and authorized research.

Known limitations: DNS results depend on resolver propagation; very large brands may exceed the result cap (raise maxResults). Homoglyph detection follows dnstwist's database.

  • Found a bug or need a custom OSINT/brand-protection solution? Open an issue in the Issues tab.

Build your full OSINT & brand-protection stack:

⭐ Love it? Leave a Review

Your rating helps other defenders discover this Actor. Rate it here.