projectdiscovery / subfinder

Fast passive subdomain enumeration tool.
https://projectdiscovery.io
MIT License

Many false positives during subdomain bruteforce all resolve to 198.105.254.11 #145

Closed naterobbified closed 5 years ago

naterobbified commented 5 years ago

What's the problem (or question)?

When I use the subdomain bruteforce functionality within subfinder, I get tens of thousands of false positives, all of which resolve to the same IP address: 198.105.254.11.

Do you have an idea for a solution?

When I navigate to http://198.105.254.11, I am redirected to searchguide.level3.com. Perhaps this has to do with the DNS resolvers used, and not-found domains are redirected to this IP address? The only solution I can think of would be to filter out any results pointing to this IP address.

How can we reproduce the issue?

Use the command: subfinder -v -o output.txt -d redacted.net --no-passive -b -w all.txt -t 100

Output:

===============================================
-=Subfinder v1.1.3 github.com/subfinder/subfinder

Running enumeration on redacted.net

Starting Bruteforcing of redacted.net with 2178752 words
[...]
[BRUTE] home01.redacted.net : 198.105.254.11
[BRUTE] home10.redacted.net : 198.105.254.11
[BRUTE] home101.redacted.net : 198.105.254.11
[BRUTE] home110.redacted.net : 198.105.254.11
[...]

What are the running context details?

quietsec commented 5 years ago

Hey @naterobbified,

I actually just fixed this the other day in this pull request: https://github.com/subfinder/subfinder/pull/143

You should be able to re-install subfinder from the latest master commit by running the following command: go get -u github.com/subfinder/subfinder

naterobbified commented 5 years ago

Wow, this is fantastic news. Thanks!
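
One way to implement the filtering idea raised in this issue, as an added example that is neither subfinder's code nor the change in the linked pull request: resolve a few random labels that should not exist, record the addresses that come back, and drop brute-force hits that resolve only to those addresses. The names `LookupFunc`, `CatchAllIPs`, `FilterHits` and `sampleLookup` are hypothetical, and the resolver data is constructed so the example runs offline.

```go
package main

import (
	"fmt"
	"math/rand"
)

// LookupFunc returns the A records for host (wrap net.LookupHost in real use).
type LookupFunc func(host string) []string

// CatchAllIPs resolves random labels that should not exist under domain. Any
// address returned is a wildcard record or a resolver rewriting NXDOMAIN.
func CatchAllIPs(lookup LookupFunc, domain string, probes int) map[string]bool {
	seen := map[string]bool{}
	for i := 0; i < probes; i++ {
		label := fmt.Sprintf("%016x%016x", rand.Uint64(), rand.Uint64()) // not a secret
		for _, ip := range lookup(label + "." + domain) {
			seen[ip] = true
		}
	}
	return seen
}

// FilterHits keeps a host only if it has at least one non-catch-all address.
func FilterHits(lookup LookupFunc, hosts []string, catchAll map[string]bool) []string {
	var kept []string
	for _, h := range hosts {
		for _, ip := range lookup(h) {
			if !catchAll[ip] {
				kept = append(kept, h)
				break
			}
		}
	}
	return kept
}

// sampleLookup is constructed data standing in for a resolver that hijacks NXDOMAIN.
func sampleLookup(host string) []string {
	if host == "www.redacted.net" {
		return []string{"192.0.2.10"}
	}
	return []string{"198.105.254.11"} // every other name gets the catch-all
}

func main() {
	catchAll := CatchAllIPs(sampleLookup, "redacted.net", 3)
	hosts := []string{"home01.redacted.net", "www.redacted.net", "home10.redacted.net"}
	fmt.Println(FilterHits(sampleLookup, hosts, catchAll)) // [www.redacted.net]
}
```

A host that legitimately shares an address with the catch-all is dropped as well, so the filter reduces noise rather than proving a name does not exist.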