A dnstwist alternative for continuous monitoring
dnstwist is one of the best open-source security tools ever written, and if you need a one-off typosquatting audit, you should probably just use it. The problem it cannot solve by design is time: a CLI scan is a snapshot, and brand impersonation attacks unfold over weeks. VigilDNS takes the same permutation-and-inspect workflow and runs it for you continuously, with screenshots, AI verdicts, Certificate Transparency monitoring, and real-time alerts.
What dnstwist does, and does well
dnstwist is a free, Apache 2.0 licensed command-line tool by Marcin Ulikowski (elceef). You give it a domain, it generates lookalike permutations using a range of fuzzing algorithms (homoglyphs, hyphenation, dictionary words, and more, with Unicode and IDN support), then resolves them with multithreaded DNS lookups. It can geolocate resolved IPs, flag rogue MX hosts that could intercept email, and even compare pages against your real site using fuzzy hashing (ssdeep or TLSH) and perceptual hashing of screenshots if you wire up a local headless browser. Output comes as CSV, JSON, or a plain list, which makes it a pleasure to script. There is also a hosted one-shot version at dnstwist.it.
For a pentest report, an incident-response triage, or a quick "how bad is it" check, that is exactly the right tool. We recommend it without reservation for those jobs.
The gap: a snapshot of an attack that unfolds over time
A typical impersonation campaign does not exist at scan time. The attacker registers a domain that resolves to nothing, lets it age, obtains a TLS certificate, stands up a cloned login page for a few days, harvests credentials, and tears it down. Run dnstwist on Monday and the domain is parked; the phishing page goes live on Thursday. dnstwist has no scheduler, no state between runs, no change history, and no alerting. You can build all of that yourself with cron, a database, a diffing layer, and a notification pipeline, and plenty of teams have. That project is what VigilDNS replaces. If you want background on the threat itself, see our explainers on what typosquatting is and on homoglyph attacks.
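
To make the "diffing layer" concrete, here is a minimal sketch of the state comparison a self-built pipeline needs between two saved scans. It is an added example, not code from dnstwist or VigilDNS; the field names are assumed from the `dnstwist --format json` output, the event names are hypothetical, and both sample scans are constructed.

```python
import json

# Constructed samples shaped like `dnstwist --format json` output; the field
# names (domain, dns_a, dns_aaaa, dns_mx, dns_ns) are assumed from that format.
MONDAY = json.loads("""[
  {"fuzzer": "omission", "domain": "exmple.com", "dns_ns": ["ns1.registrar.example"]},
  {"fuzzer": "homoglyph", "domain": "examp1e.com", "dns_a": ["192.0.2.10"]}
]""")
THURSDAY = json.loads("""[
  {"fuzzer": "omission", "domain": "exmple.com", "dns_ns": ["ns1.registrar.example"],
   "dns_a": ["198.51.100.7"], "dns_mx": ["mail.exmple.com"]},
  {"fuzzer": "addition", "domain": "examplee.com", "dns_a": ["203.0.113.5"]}
]""")

RECORD_TYPES = ("dns_a", "dns_aaaa", "dns_mx", "dns_ns")

def index(scan):
    """Map each domain to {record type: sorted tuple of values}."""
    return {row["domain"]: {t: tuple(sorted(row.get(t, []))) for t in RECORD_TYPES}
            for row in scan}

def diff_scans(previous, current):
    """Return sorted (domain, event) pairs describing what changed between scans."""
    old, new = index(previous), index(current)
    events = []
    for domain, now in new.items():
        before = old.get(domain)
        if before is None:
            events.append((domain, "new_domain"))
            continue
        had_addr = before["dns_a"] or before["dns_aaaa"]
        has_addr = now["dns_a"] or now["dns_aaaa"]
        if has_addr and not had_addr:
            events.append((domain, "went_live"))        # parked -> serving
        elif (before["dns_a"], before["dns_aaaa"]) != (now["dns_a"], now["dns_aaaa"]):
            events.append((domain, "address_changed"))
        if now["dns_mx"] and not before["dns_mx"]:
            events.append((domain, "mx_added"))         # can now receive mail
        if before["dns_ns"] != now["dns_ns"]:
            events.append((domain, "ns_changed"))
    events += [(d, "disappeared") for d in old if d not in new]  # gone from scan
    return sorted(events)

if __name__ == "__main__":
    for domain, event in diff_scans(MONDAY, THURSDAY):
        print(f"{event:16} {domain}")
```

In a cron-driven setup, each run's JSON would be stored and the two most recent files passed to `diff_scans`, with the resulting events handed to whatever notification channel the team uses.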
What VigilDNS adds on top of the dnstwist workflow
VigilDNS starts from the same idea, a permutation engine with 11 techniques including homoglyphs, character swaps, omissions, repetitions, insertions, bitsquatting, and TLD swaps, then makes it continuous and hosted:
- Scheduled rescans every 24 or 12 hours depending on plan (4 hours on Enterprise), with full DNS records (A, AAAA, MX, NS, CNAME, SPF, DMARC, DKIM, TXT) and a change history for every domain.
- Live Certificate Transparency monitoring, so a lookalike is caught the moment a certificate is issued, often before the page is live. More in our guide to Certificate Transparency monitoring.
- Page screenshots with side-by-side clone detection, captured automatically rather than via a locally configured browser.
- AI threat verdicts that judge intent (phishing, malware, parking, redirect, legitimate) with a confidence level and a written rationale, plus 0-100 risk scoring.
- Campaign detection that clusters domains run by the same actor via shared certificates, analytics IDs, and redirect targets.
- Dormant threat detection for domains that are registered but serve no DNS, verified against the registry.
- Real-time email alerts, team workspaces with roles, MX-based phishing detection, ASN and geo attribution, RDAP registration data, and CSV export.
To be clear about what VigilDNS does not do: there are no managed takedowns (you get the evidence package to file abuse reports yourself), and no social media, dark web, or app store monitoring. If you need those, look at the larger digital risk suites we compare in our ZeroFox comparison and our Bolster comparison.
dnstwist vs VigilDNS at a glance
| Feature | dnstwist | VigilDNS |
|---|---|---|
| Price | Free, open source | From $79/mo |
| Domain permutations | Yes | Yes, 11 techniques |
| Continuous monitoring | Manual (cron + scripting) | Yes, every 24h/12h/4h |
| Alerting | No | Real-time email alerts |
| DNS change history | No | Yes |
| Certificate Transparency monitoring | No | Yes, live |
| Screenshots / page similarity | Manual (fuzzy hash, pHash with local browser) | Yes, hosted, side-by-side clone detection |
| AI threat verdicts | No | Yes, with rationale |
| Campaign clustering | No | Yes |
| Dormant domain detection | No | Yes, registry-verified |
| Team workspaces | No | Yes, with roles |
| Scriptable output | CSV, JSON, list | CSV export |
| Managed takedowns | No | No, evidence for abuse reports |
Keep using dnstwist if
Honestly, dnstwist remains the better fit in several cases:
- You are a pentester or red teamer producing point-in-time findings for a client report.
- You need a one-off audit, not ongoing coverage. A single scan answers a single question well.
- You want to script and automate inside your own pipeline. JSON output and an Apache 2.0 license are hard to beat.
- Your budget is zero. dnstwist plus cron plus your own diffing gets you a long way for free, and we would rather you have that than nothing.
Pricing
VigilDNS is self-serve with published pricing: Starter at $79/mo (5 domains, 3 seats, 24h scans), Team at $199/mo (20 domains, 10 seats, 12h), Business at $899/mo (100 domains, 25 seats, 12h), and a quote-only Enterprise tier with a 4-hour cadence. Annual billing gives you 2 months free. Full details on the pricing page.
Frequently asked questions
Is dnstwist free?
Yes. dnstwist is open source under the Apache 2.0 license and installs via pip, Linux package managers, Homebrew, or Docker. There is also a free hosted one-shot scanner at dnstwist.it.
Can I run dnstwist continuously?
Not out of the box. dnstwist performs one-shot scans, so continuous coverage means building your own scheduler, state storage, diffing, and alerting around it. VigilDNS provides that as a hosted service with rescans every 24, 12, or 4 hours plus real-time email alerts.
Does dnstwist take screenshots?
It can compare pages using fuzzy hashing and perceptual hashing of screenshots, but you must configure a local headless browser yourself and it only applies to that single scan. VigilDNS captures live screenshots automatically on every scan and shows side-by-side clone detection.
Is there an online version of dnstwist?
Yes, dnstwist.it offers one-shot scans in the browser. For an online tool that keeps watching after the first scan, VigilDNS offers a free instant typosquat check and continuous monitoring on paid plans.
Run a free typosquat checker scan on your domain right now, no signup needed, and if the results worry you, see pricing to put it under continuous watch.