Free typosquat & homoglyph generator
Generate up to several hundred typosquat permutations of any domain in your browser. The generator implements the same 11 permutation classes used by dnstwist (omission, repetition, transposition, replacement, insertion, vowel swap, hyphenation, subdomain split, TLD swap, Cyrillic homoglyph, bitsquatting). Optional DoH probe checks which permutations are actually registered.
For phishing investigation, brand-protection monitoring, and pre-launch domain defense: feed your brand domain in, sort by "DNS yes" in the resulting table, and triage. Many resolving permutations turn out to be defensive registrations by the brand itself — but the ones that aren't need investigation. Use the urlscan and Wayback links in the table for safe inspection rather than visiting the domain directly.
For more advanced features (perceptual-hash similarity, MX-fingerprinting against phishing kit databases, large-batch registrar enrichment), use the dnstwist Python CLI. For monitoring newly-registered domains against your brand keywords on a daily cadence, see the WhoisDS NRD feed.
Frequently asked questions
What permutation types are generated?
Omission (drop a char), repetition (double a char), transposition (swap adjacent chars), replacement and insertion (use QWERTY neighbors), vowel swap, hyphenation, subdomain split (insert a dot), TLD swap (.com → .net etc.), homoglyph (substitute Cyrillic/Greek lookalikes — а, е, о), and bitsquatting (single ASCII bit flip on each character).
How does the DoH probe work?
Each permutation is queried at cloudflare-dns.com/dns-query with Accept: application/dns-json. A response with at least one A record means the domain has been registered and points somewhere. The query is privacy-preserving (Cloudflare's DoH endpoint), CORS-permissive, and rate-limited only at very high volumes.
Why aren't IDN/punycode confusables shown explicitly?
Cyrillic homoglyphs are already in the table — when generated they're shown in their Unicode form. To register them, attackers convert to xn-- punycode. Browsers now display Unicode-mixed-script labels in their punycode form by default (UTS #39 Confusables policy), making homoglyph attacks much less effective in 2025-2026 than they were in 2017.
Is this dnstwist?
It implements the same permutation algorithms as
dnstwist by elceef, ported to JavaScript so the entire toolchain runs in your browser. dnstwist (Python) supports more advanced features like phash + ssdeep similarity scoring, MX-record-based phishing-kit fingerprinting, and registrar/whois enrichment — for those, see the dnstwist standalone CLI.
How do I act on a resolving permutation?
Inspect first, judge second. Use the
urlscan link to see if anyone has already submitted the domain for analysis (HTML, screenshots, technology stack); use
archive to check the Wayback Machine for prior versions; never load the live URL in your normal browser. If you confirm phishing, report to
Google Safe Browsing, the registrar (
whois the domain), and the brand owner's abuse contact.
What's the privacy story?
The permutation generation is 100% offline JavaScript. The optional DoH probe sends each generated domain to Cloudflare's public 1.1.1.1 DNS-over-HTTPS endpoint — Cloudflare therefore sees the list of domains you queried but doesn't know which one is the "target." Uncheck the probe checkbox if you need fully offline operation.