Origin Story

How a closet computer build and 27 years of proving what actually happened became a domain security intelligence platform.

DNS Tool exists because of a simple reality: when something breaks, someone has to prove what happened.

Across 27 years in IT and security, the pattern repeated itself — something goes down, executives want answers, and the explanation had better come with verifiable facts. A graphic designer edits the website and breaks DNS. A vendor change cascades into a mail outage. Every time, it was either going to be your fault for no reason, or you found the real cause and proved it.

That pressure — needing to pull up RFCs, run dig commands, craft one-liners, and produce evidence under fire — is why this tool exists. After doing that hundreds of times, the obvious question became: why isn’t there a tool that just does this automatically?

The Long Road Here

Circa 1980 · Memphis, Tennessee

A father and son bought parts at Radio Shack and built a computer in a closet. That was the first time the builder behind this tool touched a keyboard. The fascination never stopped.

The father, John, was a Navy veteran who served in Vietnam and the Philippines, a Memphis State graduate, and a career technologist — Systems Analyst, Chief Radio Officer, Chief Electronics Officer across shipping, defense, and technology companies. He worked in a real data center with walk-through server rooms and walls of tape drives. His son heard military phonetics and Morse code probably before he was learning to read. The lullabies were literally Morse code messages beeping away from a room that looked like a NASA control center.

Today, listening to DEF CON Radio brings those sounds back.

The Next Two Decades · Nashville, Tennessee

Years of IT work — networks, servers, clients, and the slow accumulation of knowledge that only comes from being the person who gets called when things break. And when things broke, someone had to explain why to executives who wanted answers.

Eventually, high-end AV integration companies and other IT firms started calling when they hit the limits of their own expertise — port forwarding, static IP configurations, deep DNS work. The kind of infrastructure problems that don’t have a GUI button. DNS was always there, quietly underpinning everything, same protocol since 1983.

The Raspberry Pi Breakthrough

The Linux and command-line breakthrough came from an unexpected place: Raspberry Pi. Not just the hardware — the community. They didn’t punish bad questions. They didn’t gatekeep. They taught. That culture of patience and genuine knowledge-sharing made the difference between dabbling and real competence.

The Offensive Security Era

Hak5 was the next catalyst. OMG cables, Bash Bunnies, and the hands-on offensive security work that teaches you to think like an adversary. Understanding attack vectors changes how you evaluate defenses — you stop accepting “it’s probably fine” and start demanding proof.

Nobody was doing Mac hacking — even in big cities, Mac-focused security people were almost nonexistent, so the only option was to learn it from scratch. That path started years earlier at PhreakNIC, Nashville 2600’s hacker conference, walking in around 2006 with a PC laptop running fully functional macOS — Wi-Fi, everything — right when Apple had just made the Intel switch. A Hackintosh, before most people had heard the word. His father was there for that one.

High-profile clients — the kind who needed to understand lockdown mode, why their credentials leaked, and how an attacker could walk into their office with a cable that looks like a charger — needed live demonstrations, not slide decks. The offensive tools made those demonstrations possible and turned abstract threats into something tangible.

2015–2024 · Defensive Security and Email Hardening

Around 2015, the question shifted from “how do you break in?” to “why does spam still work?” A deep dive into email authentication — SPF, DKIM, DMARC — revealed that most IT professionals weren’t implementing it correctly, and most organizations had no idea their domains could be spoofed. That frustration became a mission.

The same year, Objective-See entered the picture — Patrick Wardle’s free, open-source Mac security tools became a cornerstone of endpoint defense. LuLu, his open-source firewall, became standard kit.

That defensive posture was validated in January 2022 during a CISA Cyber Hygiene Remote Penetration Test. The DHS CISA Assessments team, operating from their Arlington, VA lab, ran network penetration testing with Nmap, Nessus, and Metasploit, plus a phishing assessment using Cobalt Strike. They tested 34 payloads across both Mac and Windows — every single one was blocked at the host level. Zero critical, zero high, zero low findings. The CISA report specifically named LuLu in its “Noted System Strengths” section as the tool that “successfully identified and prevented the execution of most payloads during the phishing assessment.”

In September 2023, the offensive side came full circle with a Hak5 Payload Award for an exfiltration payload (mac_exfil) — a Mac-targeted payload, because that’s where the expertise was. A different discipline from defensive security, but part of the same path — understanding how systems actually work, not how they’re supposed to work.

The Python Era · Early DNS Tool

The earliest version of this tool was a Python CLI — a terminal app that pulled back DNS results in one quick scroll. Out in the field doing DMARC audits for clients, the alternative was running a dozen dig commands and crafting one-liners. The CLI was basic — no RFC citations, no intelligence analysis — but it was the seed: type a domain, get an honest answer about what’s actually configured.

By November 2023, the CLI — then called DNS Scout — was published to the Snap Store and Launchpad PPA as a packaged, installable release. The earliest externally verifiable timestamp of the project.

February 2025 · San Diego

That CLI became what you see now — a Go-powered intelligence platform that queries five independent DNS resolvers for consensus, cryptographically hashes every analysis with SHA-3-512, cites the RFC for every finding, and produces reports that would hold up at a DEF CON presentation or a board meeting. The reports are the résumé.

Q in the Lab

Every intelligence operation needs someone in the lab — the one who builds the tools, not the one who carries them into the field. This platform is 27 years of field experience distilled into code. Every analysis, every RFC citation, every confidence score is the product of having done it manually, for years, and knowing exactly what matters and what doesn’t.

No hacker handle. Never had one. Every commit, every payload, every changelog credit is under a real name. Always has been.

Acknowledgments

Elle · Family

She made sure her brother had the machine he needed to keep building. The supercomputer that powered the early development of this platform exists because she stepped in when it mattered most.

corydon76 · Nashville 2600

In the early Python days, corydon76 helped suss out a lot of the core DNS logic. A Linux admin, hacker, and friend from the Nashville 2600 Club who contributed time and knowledge when the project was still a terminal script. The tool has evolved enormously since then — rewritten from scratch in Go, expanded into a full intelligence platform — but the early collaboration mattered and deserves recognition.

Silvia O’Dwyer · GitHub

Volunteered to build MKDocs documentation for the original DNS Tool CLI. Showed up, offered help, followed through.

Raspberry Pi Foundation

For building a community that proves you can teach technical skills without being hostile about it. The Raspberry Pi community is proof that intellectual generosity produces better engineers than gatekeeping ever will. The thank-you post still stands.

Hak5

For the hardware, the community, and the mindset. Hak5 tools teach you to think like an adversary, which is exactly the perspective that makes a defensive tool worth using.

Cody Thomas · Mythic

For building Mythic — the collaborative red teaming framework that made the O.MG Cable work operationally viable. The cable is the hardware; Mythic is the command-and-control infrastructure that makes it useful in a real engagement. The offensive demonstrations that changed how clients understood threat exposure could not have happened without Mythic behind them. We corresponded, and his willingness to support the community around his work deserves recognition.

MG · O.MG

For creating the O.MG Cable — the hardware that made abstract threats tangible. Never met, never corresponded, but his work changed how we demonstrated attack vectors to clients. When you can hand someone a cable that looks identical to a charger and show them what an adversary can do, slide decks become unnecessary. That’s a contribution to the field that deserves acknowledgment.

Patrick Wardle · Objective-See

For building the Objective-See tools — free, open-source Mac security tools from an ex-NSA researcher who chose to give them away. LuLu in particular proved its worth when it mattered most — CISA’s own RPT report named it in the “Noted System Strengths” section for preventing payload execution during their January 2022 assessment. 34 payloads, zero successful executions. Nearly a decade of learning from his research is part of the defensive mindset behind this platform.

Fyodor · Nmap

For creating Nmap — the tool that taught a generation of security professionals what network reconnaissance actually looks like. Nmap was a major part of the path that led here. We’ve corresponded, and his work remains an inspiration. The builder of this platform is credited in the official Nmap 7.94 changelog (May 19, 2023) for Python 3-related contributions.