
System Architecture

TLP:CLEAR
Classification: Public Release FIRST TLP v2.0 26.35.35

This document is published under TLP:CLEAR per FIRST TLP v2.0. No restrictions on distribution. Proprietary methodology, internal scoring algorithms, and infrastructure details have been withheld.

Intelligence Pipeline

Domain intelligence flows through a multi-stage pipeline: collection from distributed sources, analysis against RFC standards, classification into actionable verdicts, and delivery as structured intelligence products.

  • Domain Input: target acquisition
  • Collection Layer: multi-resolver DNS, SMTP, CT (Certificate Transparency) logs, HTTP
  • ICIE Analysis: Intelligence Classification & Interpretation Engine
  • Privacy Gate: classification and access control
  • Intelligence Products: reports, briefs, exports, badges

Internal pipeline sequencing, enrichment stages, and classification algorithms withheld

Dual-Engine Confidence Framework

Two independent engines audit every analysis using ICD 203 confidence methodology. ICAE measures correctness (does the analysis agree with deterministic test cases?); ICuAE measures currency (how fresh is the data the analysis rests on?). Their two scores combine into one holistic confidence assessment.

ICAE (Intelligence Confidence Audit Engine) measures analysis correctness:
  • Deterministic test cases across 9 protocols
  • Five-tier maturity model
  • SHA-3-512 tamper-evident audit trail
  • Historical regression tracking
  • Calibration: reliability-weighted shrinkage (formula below)

ICuAE (Intelligence Currency Audit Engine) measures data timeliness:
  • Five quality dimensions
  • Self-tuning advisory pipeline
  • Excellence benchmarks from industry leaders
  • Standards: ICD 203 · NIST SI-7 · ISO 25012
  • Drift detection: EWMA (formula below)

Evaluation flow: ICIE output (analysis results) → ICAE evaluation (correctness audit) and ICuAE evaluation (currency audit) → confidence score (holistic assessment)

ICAE Reliability-Weighted Shrinkage Calibration

$$C_{\text{cal}} = w \cdot C_{\text{raw}} + (1-w) \cdot \frac{\alpha}{\alpha+\beta}$$

The raw correctness score \(C_{\text{raw}}\) is shrunk toward the baseline \(\alpha/(\alpha+\beta)\) (the mean of a Beta(\(\alpha\), \(\beta\)) distribution); the reliability weight \(w \in [0,1]\) decides how far. With \(w = 0\) the baseline wins outright, with \(w = 1\) nothing is shrunk, so a score backed by little evidence is pulled toward the baseline while a well-evidenced one is left almost untouched.

ICuAE EWMA Drift Detection

$$Z_t = \lambda \cdot X_t + (1 - \lambda) \cdot Z_{t-1}$$

\(X_t\) is the currency observation at time \(t\), \(Z_t\) its exponentially weighted moving average and \(\lambda \in (0,1]\) the smoothing factor; a smaller \(\lambda\) gives the average a longer memory. Drift is declared when \(Z_t\) leaves its control band.
Test case inventories, scoring formulas, maturity thresholds, and tuning parameters withheld
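To make the two formulas concrete, the following is an added Go example; it is not ICAE or ICuAE code (the page shows none, and Go is assumed as the project language from the build-tag boundary described later on this page). It implements the shrinkage calibration exactly as written above and the EWMA recurrence wrapped in a standard EWMA control chart. Everything the page withholds is an assumption here: the reliability weight w = n/(n+k), the Beta baseline values, the chart parameters λ, L, μ0 and σ, the control-limit rule, and the constructed "record age" series.

```go
package main

import (
	"fmt"
	"math"
)

// Calibrate applies the page's reliability-weighted shrinkage:
//
//	C_cal = w*C_raw + (1-w)*alpha/(alpha+beta)
//
// cRaw is the raw correctness score in [0,1], alpha/(alpha+beta) the
// baseline (mean of a Beta(alpha, beta) distribution) and w in [0,1] how
// much the raw score is trusted: w=0 returns the baseline, w=1 returns cRaw.
func Calibrate(cRaw, w, alpha, beta float64) float64 {
	return w*cRaw + (1-w)*alpha/(alpha+beta)
}

// ReliabilityWeight is an ASSUMED choice for w (the page withholds its own):
// n passing test cases behind the score versus a pseudo-count k gives
// w = n/(n+k), so a score supported by few tests is shrunk harder.
func ReliabilityWeight(n, k float64) float64 {
	return n / (n + k)
}

// EWMA implements Z_t = lambda*X_t + (1-lambda)*Z_{t-1} together with the
// textbook EWMA control chart: drift is flagged once Z_t leaves
//
//	mu0 +/- L*sigma*sqrt(lambda/(2-lambda) * (1-(1-lambda)^(2t)))
//
// Lambda, L, Mu0 and Sigma are ASSUMED tuning parameters; the page withholds its own.
type EWMA struct {
	Lambda float64 // smoothing factor in (0,1]; smaller = longer memory
	L      float64 // control-limit width in standard deviations
	Mu0    float64 // in-control mean of the currency metric
	Sigma  float64 // in-control standard deviation of the metric
	Z      float64 // Z_t, seeded with Mu0 before the first observation
	t      int     // observations folded in so far
}

func NewEWMA(lambda, l, mu0, sigma float64) *EWMA {
	return &EWMA{Lambda: lambda, L: l, Mu0: mu0, Sigma: sigma, Z: mu0}
}

// Limits returns the control band after t observations; it widens toward its
// steady-state value lambda/(2-lambda) as the start-up transient decays.
func (e *EWMA) Limits() (lower, upper float64) {
	variance := e.Lambda / (2 - e.Lambda) * (1 - math.Pow(1-e.Lambda, float64(2*e.t)))
	half := e.L * e.Sigma * math.Sqrt(variance)
	return e.Mu0 - half, e.Mu0 + half
}

// Update folds X_t = x into Z_t and reports whether the smoothed value is out of control.
func (e *EWMA) Update(x float64) (z float64, drift bool) {
	e.Z = e.Lambda*x + (1-e.Lambda)*e.Z
	e.t++
	lo, hi := e.Limits()
	return e.Z, e.Z < lo || e.Z > hi
}

// FirstDrift returns the index of the first observation at which the chart
// signals drift, or -1 if the whole series stays in control.
func FirstDrift(e *EWMA, xs []float64) int {
	for i, x := range xs {
		if _, drift := e.Update(x); drift {
			return i
		}
	}
	return -1
}

// Constructed sample (not real telemetry): age in hours of a cached data
// source that normally sits around 2h and then starts going stale.
var sampleAges = []float64{2.1, 1.9, 2.0, 2.2, 4.0, 4.2, 4.1}

func main() {
	w := ReliabilityWeight(20, 20) // 20 passing tests vs pseudo-count 20 -> w = 0.5
	fmt.Printf("calibrated: %.3f\n", Calibrate(0.90, w, 8, 2))
	e := NewEWMA(0.2, 3, 2.0, 0.5)
	fmt.Println("first drift at index:", FirstDrift(e, sampleAges))
}
```

With λ = 0.2 the jump from 2h to 4h is not flagged on the first stale sample (Z only moves a fifth of the way) but on the second, which is the point of the smoothing: one slow resolver is noise, two in a row is a trend. The time-varying band matters too; using only the steady-state limit makes the chart blind to shifts in its first few observations.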

Protocol Coverage

Nine security protocols analyzed from multiple intelligence sources with multi-resolver consensus. Eight are defined by IETF RFCs; BIMI follows the BIMI Working Group specification, which is an Internet-Draft rather than an RFC. All analysis uses open-standard protocols and publicly available DNS records.

  • SPF: RFC 7208
  • DKIM: RFC 6376
  • DMARC: RFC 7489
  • DANE/TLSA: RFC 6698
  • DNSSEC: RFC 4033–4035
  • BIMI: BIMI Working Group (Internet-Draft)
  • MTA-STS: RFC 8461
  • TLS-RPT: RFC 8460
  • CAA: RFC 8659
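As an added example of what "analysis against RFC standards with multi-resolver consensus" means for one of these nine, here is a Go parser for a DMARC record checked against RFC 7489, preceded by the consensus step across several resolvers. This is not the project's ICIE code (Go is assumed as the project language from the build-tag boundary described later on this page); the resolver labels and answers are constructed, and the decision of how much disagreement to tolerate is left to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// DMARCPolicy holds the RFC 7489 tags this example evaluates.
type DMARCPolicy struct {
	Policy          string   // p=   none | quarantine | reject (required)
	SubdomainPolicy string   // sp=  defaults to p
	Percent         int      // pct= 0..100, default 100
	Aggregate       []string // rua= aggregate report URIs
	Findings        []string // non-fatal issues worth reporting
}

var validPolicies = map[string]bool{"none": true, "quarantine": true, "reject": true}

// ParseDMARC parses one _dmarc TXT record. Hard RFC violations return an
// error; soft issues are collected in Findings.
func ParseDMARC(record string) (DMARCPolicy, error) {
	pol := DMARCPolicy{Percent: 100}
	var order []string
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if part = strings.TrimSpace(part); part == "" {
			continue
		}
		k, v, ok := strings.Cut(part, "=")
		if !ok {
			return pol, fmt.Errorf("malformed tag %q", part)
		}
		k = strings.ToLower(strings.TrimSpace(k)) // tag names are case-insensitive
		order = append(order, k)
		tags[k] = strings.TrimSpace(v)
	}
	// RFC 7489 section 6.3: "v=DMARC1" MUST be the first tag, and p is required.
	if len(order) == 0 || order[0] != "v" || tags["v"] != "DMARC1" {
		return pol, errors.New("v=DMARC1 must be the first tag")
	}
	if !validPolicies[tags["p"]] {
		return pol, fmt.Errorf("p tag missing or invalid: %q", tags["p"])
	}
	pol.Policy, pol.SubdomainPolicy = tags["p"], tags["p"]
	if sp, ok := tags["sp"]; ok && validPolicies[sp] {
		pol.SubdomainPolicy = sp
	} else if ok {
		pol.Findings = append(pol.Findings, "sp tag invalid, ignored")
	}
	if pct, ok := tags["pct"]; ok {
		if n, err := strconv.Atoi(pct); err == nil && n >= 0 && n <= 100 {
			pol.Percent = n
		} else {
			pol.Findings = append(pol.Findings, "pct must be an integer in 0..100, ignored")
		}
	}
	if rua, ok := tags["rua"]; ok {
		for _, uri := range strings.Split(rua, ",") {
			pol.Aggregate = append(pol.Aggregate, strings.TrimSpace(uri))
		}
	}
	if pol.Policy != "none" && pol.Percent < 100 {
		pol.Findings = append(pol.Findings, "enforcement applies to only a fraction of failing mail")
	}
	return pol, nil
}

// Consensus canonicalizes each resolver's TXT answer set (collapse whitespace,
// sort) and returns the majority set plus the fraction of resolvers agreeing
// with it. Anything below 1.0 is itself a finding: a lone dissenting resolver
// points at a stale cache, split-horizon DNS, or a poisoned answer.
func Consensus(answers map[string][]string) (record string, agreement float64) {
	votes := map[string]int{}
	for _, set := range answers {
		canon := make([]string, len(set))
		for i, s := range set {
			canon[i] = strings.Join(strings.Fields(s), " ")
		}
		sort.Strings(canon)
		votes[strings.Join(canon, "\n")]++
	}
	var best string
	bestN := 0
	for k, n := range votes {
		if n > bestN || (n == bestN && k < best) { // deterministic tie-break
			best, bestN = k, n
		}
	}
	return best, float64(bestN) / float64(len(answers))
}

// Constructed sample (not real DNS data): three resolvers, one still serving
// a stale record from before the domain moved to p=reject.
var sampleAnswers = map[string][]string{
	"1.1.1.1": {"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"},
	"8.8.8.8": {"v=DMARC1;  p=reject; rua=mailto:dmarc@example.com"},
	"9.9.9.9": {"v=DMARC1; p=none"},
}

func main() {
	rec, agree := Consensus(sampleAnswers)
	pol, err := ParseDMARC(rec)
	fmt.Printf("agreement=%.2f policy=%s findings=%v err=%v\n", agree, pol.Policy, pol.Findings, err)
}
```

Consensus returns the canonical multi-string answer joined by newlines; a real _dmarc name must hold exactly one DMARC record, so a set with two records is a second finding the parser should raise before picking one.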

Open-Core Architecture

Dual-repository structure separates the open-core application framework from proprietary intelligence modules. Build-tag isolation enforces clean boundary contracts verified by automated integrity tests.

Public, open-core (BUSL-1.1):
  • Application framework
  • HTML templates & static assets
  • Boundary integrity test suite
  • Build & deployment scripts
  • OSS stub contracts

Private, proprietary (BUSL-1.1):
  • Intelligence modules
  • Provider databases
  • Classification methodology
  • Detection algorithms
  • Commercial roadmap

The two sides meet at the build-tag isolation boundary. Repository names, build-tag identifiers, sync mechanisms, and module interfaces withheld

Intelligence Products

Five distinct intelligence products serve different audiences and operational contexts — from board-ready executive briefs to adversarial-lens reconnaissance reports.

  • Engineer's Report: technical, RFC-cited, full protocol analysis
  • Executive's Brief: board-ready, TLP-classified
  • Recon Report: adversarial lens, red-team perspective
  • Domain Dossier: aggregated intelligence view
  • Domain Comparison: side-by-side posture analysis

Drift Engine & Notification Pipeline

Continuous posture monitoring detects DNS configuration changes between analyses. When drift is detected, the notification pipeline routes alerts to the right people through the right channels.

  • Domain Scan: ICIE analysis
  • Posture Hash: SHA-256 over the canonical posture
  • Posture Diff: field-by-field comparison
  • Severity Engine: danger · warning · success · info
  • Drift Event: PostgreSQL record
  • Watchlist Lookup: domain_watchlist
  • Queue Notifications: per-endpoint routing
  • Delivery Loop: 30 s poll, 50 per batch, SSRF-protected
  • Discord: webhook embed
Internal detection thresholds and flickering domain analysis methodology withheld.
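The hash, diff and severity stages above are simple enough to show end to end. The following is an added Go example, not the drift engine's code (Go is assumed as the project language from the build-tag boundary described on this page): it hashes a canonical JSON form of the posture with SHA-256, as the page states, diffs two snapshots field by field, and classifies each change. The two postures are constructed, and the severity rules are a hypothetical stand-in for the thresholds the page withholds.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Posture is one domain's snapshot: lower-case check name -> record text
// ("" when absent). encoding/json writes map keys in sorted order, so the
// marshalled bytes are canonical however the scanner filled the map.
type Posture map[string]string

// Canonical collapses whitespace so re-joined TXT strings hash identically.
func Canonical(s string) string { return strings.Join(strings.Fields(s), " ") }

// Hash returns hex(SHA-256(canonical JSON)); empty and absent records hash the same.
func (p Posture) Hash() string {
	norm := make(map[string]string, len(p))
	for k, v := range p {
		if c := Canonical(v); c != "" {
			norm[k] = c
		}
	}
	b, _ := json.Marshal(norm) // map[string]string cannot fail to marshal
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type Change struct{ Field, Old, New, Severity string }

// Diff returns the field-by-field changes in stable order, or nil when the
// two posture hashes already match.
func Diff(old, cur Posture) []Change {
	if old.Hash() == cur.Hash() {
		return nil
	}
	seen := map[string]bool{}
	var names []string
	for _, p := range []Posture{old, cur} {
		for k := range p {
			if !seen[k] {
				seen[k] = true
				names = append(names, k)
			}
		}
	}
	sort.Strings(names)
	var out []Change
	for _, k := range names {
		if o, n := Canonical(old[k]), Canonical(cur[k]); o != n {
			out = append(out, Change{k, o, n, severity(k, o, n)})
		}
	}
	return out
}

// severity is a HYPOTHETICAL rule set standing in for the withheld thresholds:
// a record removed or a DMARC policy weakened is danger, a newly published
// record is success, any other change to an existing record is warning, and
// a change that only touches reporting (tls-rpt) is info.
func severity(field, old, cur string) string {
	switch {
	case field == "tls-rpt":
		return "info"
	case old != "" && cur == "", field == "dmarc" && policyRank(cur) < policyRank(old):
		return "danger"
	case old == "":
		return "success"
	}
	return "warning"
}

// policyRank orders the DMARC p= tag (not sp=) from weakest to strongest.
func policyRank(record string) int {
	for _, tag := range strings.Split(record, ";") {
		if v, ok := strings.CutPrefix(strings.TrimSpace(tag), "p="); ok {
			return map[string]int{"none": 1, "quarantine": 2, "reject": 3}[strings.TrimSpace(v)]
		}
	}
	return 0
}

// Constructed sample postures (not real scan data): DMARC was weakened,
// DNSSEC vanished and MTA-STS appeared between the two scans.
var previous = Posture{"spf": "v=spf1 include:_spf.example.com -all",
	"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com", "dnssec": "signed; algorithm=13"}
var current = Posture{"spf": "v=spf1  include:_spf.example.com -all",
	"dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com", "dnssec": "", "mta-sts": "v=STSv1; id=20240101000000Z"}

func main() {
	fmt.Println(previous.Hash() == current.Hash(), "<- unchanged?")
	for _, c := range Diff(previous, current) {
		fmt.Printf("%-7s %-7s %q -> %q\n", c.Severity, c.Field, c.Old, c.New)
	}
}
```

The hash is what makes the 30-second loop cheap: two snapshots with the same digest are skipped without a field walk, and the canonicalization (sorted keys, collapsed whitespace, empty equals absent) is what keeps a mere re-ordering of TXT strings from firing a spurious drift event.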
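"SSRF-protected" in the delivery loop deserves a worked check, because a webhook URL is attacker-controlled input: whoever owns a watchlist entry chooses where the notifier connects. The following is an added Go example, not the project's delivery code (Go is assumed as the project language from the build-tag boundary described on this page). It validates a webhook URL against an offline stand-in resolver (sampleLookup, constructed) and pins the later dial to the validated address so a DNS-rebinding flip between check and use cannot redirect it.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"time"
)

// Lookup resolves a host name; it is a parameter so the sample runs offline
// and so production can pass net.DefaultResolver.LookupNetIP.
type Lookup func(ctx context.Context, host string) ([]netip.Addr, error)

// ValidateWebhook decides whether a user-supplied notification URL may be
// dialed. It refuses non-HTTPS schemes and embedded credentials, then checks
// every address the host resolves to (or the literal IP) against the ranges
// that would let a watchlist owner aim the notifier at the service's own
// network: loopback, RFC 1918 / ULA, link-local (which covers the
// 169.254.169.254 cloud metadata endpoint), multicast and unspecified.
// IPv4-mapped IPv6 literals are unmapped first so ::ffff:10.0.0.1 cannot
// slip past the private-range test.
func ValidateWebhook(ctx context.Context, raw string, lookup Lookup) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("missing host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip}
	} else if addrs, err = lookup(ctx, host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, errors.New("host resolves to no addresses")
	}
	for i, a := range addrs {
		a = a.Unmap()
		if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
			a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
			a.IsMulticast() || a.IsUnspecified() {
			return nil, fmt.Errorf("%s resolves to non-public address %s", host, a)
		}
		addrs[i] = a
	}
	return addrs, nil
}

// PinnedDialer returns a DialContext that connects only to an address that
// passed validation. Validating and then letting the HTTP client resolve the
// name again leaves a rebinding window in which the attacker's name can flip
// to 127.0.0.1; dialing the pinned address closes it.
func PinnedDialer(addrs []netip.Addr) func(ctx context.Context, network, hostport string) (net.Conn, error) {
	return func(ctx context.Context, network, hostport string) (net.Conn, error) {
		_, port, err := net.SplitHostPort(hostport)
		if err != nil {
			return nil, err
		}
		d := net.Dialer{Timeout: 5 * time.Second}
		return d.DialContext(ctx, network, net.JoinHostPort(addrs[0].String(), port))
	}
}

// sampleLookup is a constructed, offline stand-in for DNS: "hooks.example"
// is a public host, "meta.example" an attacker name aimed at the metadata service.
func sampleLookup(_ context.Context, host string) ([]netip.Addr, error) {
	switch host {
	case "hooks.example":
		return []netip.Addr{netip.MustParseAddr("203.0.113.10")}, nil
	case "meta.example":
		return []netip.Addr{netip.MustParseAddr("169.254.169.254")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

// CheckSample validates a URL against the constructed resolver.
func CheckSample(raw string) error {
	_, err := ValidateWebhook(context.Background(), raw, sampleLookup)
	return err
}

func main() {
	for _, u := range []string{
		"https://hooks.example/api/webhooks/1",
		"https://meta.example/latest/meta-data/",
		"http://hooks.example/",
		"https://[::ffff:10.1.2.3]/",
		"https://user:pw@hooks.example/",
	} {
		fmt.Printf("%-42s %v\n", u, CheckSample(u))
	}
}
```

In production the returned addresses go into an http.Transport's DialContext via PinnedDialer, with redirects disabled (a 302 to an internal address would otherwise re-open the hole). Since the page's only delivery target is Discord, an allowlist of the Discord webhook host is tighter still and removes the need to reason about address ranges at all.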

GitHub Issues Triage

Three-tier issue routing with automated validation. Research-critical issues require RFC-backed evidence. Security reports are auto-redirected to private channels. All issues follow a label-based state machine.

  • Research Mission Critical: RFC citation required; P0, immediate investigation
  • Cosmetic / UX / UI: screenshot required; normal cadence
  • Security Vulnerability: auto-close & lock; private channel only

Engineering Diagrams

Canonical architecture diagrams rendered from version-controlled Mermaid source files. These are the engineering source of truth — diffable, auditable, and tied to releases.

Source: docs/diagrams/*.mmd

Standards Foundation

Every engine, verdict, and confidence assessment traces to published standards. No proprietary scoring without a standards citation.

  • ICD 203 (Analytic Standards): Intelligence Community Directive for confidence levels and analytic tradecraft; the framework that structures ICAE and ICuAE assessments
  • NIST SP 800-53 SI-7 (Information Integrity): System and Information Integrity control for data currency; the basis for ICuAE's timeliness dimension
  • ISO/IEC 25012 (Data Quality Model): international standard defining data quality characteristics, including the completeness, currentness, and credibility dimensions
  • FIRST TLP v2.0 (Traffic Light Protocol): information sharing classification used across all intelligence products and this architecture document
  • FIPS 202 (SHA-3 Standard): SHA-3-512 used for cryptographic provenance hashing on all JSON exports; tamper-evident audit trail
  • RFC 4033–8659 (DNS Security RFCs): 21 IETF RFCs governing SPF, DKIM, DMARC, DNSSEC, DANE, MTA-STS, TLS-RPT, and CAA analysis; BIMI is analyzed against the BIMI Working Group Internet-Draft, which is not an RFC
Straight talk about your data.

We use two cookies, both essential:

  • _csrf — Prevents cross-site request forgery. Required for form submissions. Security-only.
  • _dns_session — Only exists if you choose to sign in. No account required to use DNS Tool.

We log your IP address for two reasons: rate limiting (so nobody abuses the service) and security (identifying malicious actors and complying with legal obligations). We check source geography for analysis accuracy — DNS responses vary by region, and knowing which resolver answered from where makes the science better.

No tracking cookies. No analytics cookies. No ad networks. No data brokers. Our code is open-core — the application framework is publicly available under BUSL-1.1 with timed Apache-2.0 conversion. Verify it yourself.

If you create an account and want out, account deletion removes your login and scan history. Public domain analyses remain available because they contain only public DNS records, already hashed. Full details: Privacy Pledge.