
Intelligence Sources

Every data source, methodology, and limitation — fully transparent.

Built on a native Go DNS engine with Unix-heritage verification tools and public protocols. Every conclusion can be independently verified.

Our Principles
Verifiable
Every analysis step maps to a standard command you can run yourself.
Honest
When a source is unavailable or rate-limited, we say so — never fabricating results.
Redundant
Multiple independent methods reach the same conclusion. No single point of failure.
Unix Lineage
Grounded in decades of Unix tradition and open standards. No proprietary magic.

DNS Resolution & Record Queries

The foundation of every analysis. Five independent resolvers queried in parallel via native DNS over UDP/TCP with majority-agreement consensus. The dig commands shown are the equivalent terminal commands for manual verification.

Multi-Resolver DNS Consensus
Primary Free

All DNS record queries (A, AAAA, MX, NS, TXT, CNAME, DNSKEY, DS, TLSA, CAA, HTTPS, SVCB, CDS, CDNSKEY, SMIMEA, OPENPGPKEY). Five resolvers queried in parallel with majority-agreement consensus to detect censorship, poisoning, or propagation delays.
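A worked example of the majority-agreement step, added here as illustration and not taken from DNS Tool's own code: it takes the five resolvers' answers (already collected, with a timed-out resolver represented by an error rather than silently dropped), canonicalises each RRset so that round-robin ordering does not look like disagreement, and only declares a verdict when more than half of the configured resolvers agree. The resolver names and addresses are constructed sample data; the parallel fan-out and per-resolver deadline that produce the answers are left to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Answer is one resolver's result for a (name, type) query. A resolver that
// failed or timed out stays in the list with Err set rather than being
// dropped, so its absence is reported instead of hidden.
type Answer struct {
	Resolver string
	RRs      []string // rdata strings, e.g. "93.184.216.34"
	Err      error
}

// rrsetKey canonicalises an RRset (trimmed, lower-cased, sorted) so that
// round-robin ordering or case differences are not mistaken for disagreement.
// "" is a genuine empty (NODATA) answer, which still counts as a vote.
func rrsetKey(rrs []string) string {
	c := make([]string, 0, len(rrs))
	for _, r := range rrs {
		c = append(c, strings.ToLower(strings.TrimSpace(r)))
	}
	sort.Strings(c)
	return strings.Join(c, " ")
}

// Consensus is the majority verdict over the configured resolver set.
type Consensus struct {
	Quorum      bool              // more than half of ALL configured resolvers agree
	Agreed      string            // canonical majority RRset ("" without quorum)
	Dissenting  map[string]string // resolver -> its differing RRset (every answer if no quorum)
	Unavailable []string          // resolvers that errored or timed out
}

// consensus needs a strict majority of the configured set, not of those that
// answered: three timeouts out of five must not let two survivors "agree" into
// a verdict, and a 2-2-1 split fails the same way. Without quorum every answer
// is listed as dissenting so the split is visible rather than papered over.
func consensus(answers []Answer) Consensus {
	res := Consensus{Dissenting: map[string]string{}}
	votes := map[string][]string{} // canonical RRset -> resolvers returning it
	for _, a := range answers {
		if a.Err != nil {
			res.Unavailable = append(res.Unavailable, a.Resolver)
			continue
		}
		k := rrsetKey(a.RRs)
		votes[k] = append(votes[k], a.Resolver)
	}
	best, bestN := "", 0
	for k, rs := range votes {
		if len(rs) > bestN {
			best, bestN = k, len(rs)
		}
	}
	if res.Quorum = bestN*2 > len(answers); res.Quorum {
		res.Agreed = best
	}
	for k, rs := range votes {
		for _, r := range rs {
			if !res.Quorum || k != best {
				res.Dissenting[r] = k
			}
		}
	}
	sort.Strings(res.Unavailable)
	return res
}

func main() {
	// Constructed answers for the five resolvers (documentation addresses, not
	// live data): google returns the same set in another order, opendns a
	// simulated poisoned or filtered answer, dns4eu timed out.
	answers := []Answer{
		{Resolver: "cloudflare", RRs: []string{"93.184.216.34", "93.184.216.35"}},
		{Resolver: "google", RRs: []string{"93.184.216.35", "93.184.216.34"}},
		{Resolver: "quad9", RRs: []string{"93.184.216.34", "93.184.216.35"}},
		{Resolver: "opendns", RRs: []string{"203.0.113.66"}},
		{Resolver: "dns4eu", Err: errors.New("i/o timeout")},
	}
	c := consensus(answers)
	fmt.Printf("quorum=%v agreed=%q\n", c.Quorum, c.Agreed)
	fmt.Printf("dissenting=%v unavailable=%v\n", c.Dissenting, c.Unavailable)
}
```

Counting the majority against the configured set rather than against the resolvers that happened to answer is the point: with three of five unavailable, two agreeing survivors come back as a no-quorum split, which is what the "never fabricating results" principle above requires.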

Method: UDP/TCP DNS queries with DoH (DNS-over-HTTPS) fallback
Rate Limits: No published per-query limits for ordinary use. Public resolvers do throttle abusive query rates per source IP, and a throttled or unanswered resolver counts as an unavailable vote in the consensus, not as evidence about the record.
Verify: dig @1.1.1.1 +short A example.com
Cloudflare DNS (1.1.1.1)
Resolver Free

Primary consensus resolver. Privacy-focused, DNSSEC-validating resolver operated by Cloudflare.

Method: UDP/TCP with DoH fallback via https://cloudflare-dns.com/dns-query
Rate Limits: No rate limits.
Verify: dig @1.1.1.1 +short A example.com
Google Public DNS (8.8.8.8)
Resolver Free

Primary consensus resolver. Globally distributed, DNSSEC-validating resolver operated by Google.

Method: UDP/TCP with HTTPS fallback via https://dns.google/resolve (Google's JSON DNS API; the RFC 8484 wire-format DoH endpoint is https://dns.google/dns-query)
Rate Limits: No rate limits.
Verify: dig @8.8.8.8 +short A example.com
Quad9 (9.9.9.9)
Resolver Free

Consensus resolver with threat-intelligence filtering. Swiss-based nonprofit, DNSSEC-validating. Because 9.9.9.9 blocks domains on its threat feeds, a disagreement from Quad9 alone is more likely a block than poisoning; the unfiltered, non-validating variant is 9.9.9.10.

Method: UDP/TCP with DoH fallback via https://dns.quad9.net/dns-query
Rate Limits: No rate limits.
Verify: dig @9.9.9.9 +short A example.com
OpenDNS / Cisco Umbrella (208.67.222.222)
Resolver Free

Consensus resolver. Enterprise-grade resolver operated by Cisco.

Method: UDP/TCP
Rate Limits: No rate limits.
Verify: dig @208.67.222.222 +short A example.com
DNS4EU (86.54.11.100)
Resolver Free

EU-sovereign consensus resolver. Operated by a European Commission-funded consortium across 10 EU member states. Unfiltered variant, DNSSEC-validating, GDPR-compliant. Infrastructure exclusively within EU borders.

Method: UDP/TCP with DoH fallback via https://unfiltered.joindns4.eu/dns-query
Rate Limits: 1,000 queries/sec per IP.
Verify: dig @86.54.11.100 +short A example.com
Authoritative NS Direct Query
Primary Free

Direct queries to the domain's own authoritative nameservers for DKIM selector probing, delegation checks, and DNSSEC chain validation. Bypasses resolver caching for ground-truth data.

Method: UDP/TCP DNS queries to authoritative NS IPs
Rate Limits: No published rate limits (querying the domain's own infrastructure). Authoritative servers do run response rate limiting (RRL) against bursts and answer only for zones they serve, so DKIM selector probing is the one place a throttled or REFUSED answer should be expected and reported as such.
Verify: dig @ns1.example.com +short A example.com

Infrastructure Intelligence

Hosting, CDN, and network attribution through standard DNS protocols and community services.

Reverse DNS (PTR Records)
Primary Free

Identifies hosting providers by resolving IP addresses back to hostnames. A PTR record for a CloudFront IP returns server-xxx.cloudfront.net, directly revealing the hosting provider without any third-party API. The IP holder controls the PTR, so it can be absent or generic (an EC2 address reverses to a generic ec2-….amazonaws.com name), and for a CDN or anycast edge it identifies the CDN, not the origin behind it.

Method: Standard DNS PTR query (dig -x)
Rate Limits: No rate limits. Standard DNS protocol.
Verify: dig +short -x 13.248.169.35
Team Cymru IP-to-ASN Mapping
Community Free

Maps IP addresses to their owning Autonomous System Number (ASN) and organization. Identifies whether an IP belongs to AWS (AS16509), Cloudflare (AS13335), Google (AS15169), etc. Used for CDN/edge detection and infrastructure attribution.

Method: DNS TXT queries to origin.asn.cymru.com (IPv4, octets reversed) and origin6.asn.cymru.com (IPv6, nibbles reversed as in ip6.arpa). The answer is "ASN | prefix | country | RIR | allocation date"; the AS name comes from a second query to ASnnnn.asn.cymru.com (for example AS16509.asn.cymru.com).
Rate Limits: No published rate limits. Free community DNS service. Responses are cacheable.
Verify: dig +short TXT 35.169.248.13.origin.asn.cymru.com
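As an added illustration (not DNS Tool's code), the following Go program builds the reversed-octet and reversed-nibble query names and parses Team Cymru's answer format, including the multi-origin case where one prefix carries several ASNs. The two TXT answers are constructed samples in Cymru's format, not live data, and the ASN-to-provider labels cover only the three ASNs named above.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// cymruOriginName builds the query name for Team Cymru's IP-to-ASN service:
// IPv4 octets reversed under origin.asn.cymru.com, IPv6 nibbles reversed
// (exactly as for ip6.arpa) under origin6.asn.cymru.com.
func cymruOriginName(ipStr string) (string, error) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", ipStr)
	}
	if v4 := ip.To4(); v4 != nil {
		return fmt.Sprintf("%d.%d.%d.%d.origin.asn.cymru.com.", v4[3], v4[2], v4[1], v4[0]), nil
	}
	var sb strings.Builder
	v6 := ip.To16()
	for i := len(v6) - 1; i >= 0; i-- { // low nibble of each byte first
		fmt.Fprintf(&sb, "%x.%x.", v6[i]&0x0f, v6[i]>>4)
	}
	return sb.String() + "origin6.asn.cymru.com.", nil
}

// Origin is one parsed TXT answer: "ASN | prefix | CC | registry | allocated".
type Origin struct {
	ASNs      []int // more than one when the prefix is multi-origin
	Prefix    string
	Country   string
	Registry  string
	Allocated string
}

// parseCymruTXT parses the TXT rdata with the surrounding quotes removed.
func parseCymruTXT(txt string) (Origin, error) {
	f := strings.Split(txt, "|")
	if len(f) != 5 {
		return Origin{}, fmt.Errorf("expected 5 fields, got %d in %q", len(f), txt)
	}
	var o Origin
	for _, a := range strings.Fields(f[0]) {
		n, err := strconv.Atoi(a)
		if err != nil {
			return Origin{}, fmt.Errorf("bad ASN %q in %q", a, txt)
		}
		o.ASNs = append(o.ASNs, n)
	}
	o.Prefix = strings.TrimSpace(f[1])
	o.Country = strings.TrimSpace(f[2])
	o.Registry = strings.TrimSpace(f[3])
	o.Allocated = strings.TrimSpace(f[4])
	return o, nil
}

// knownProvider labels only the ASNs this page names; anything else is
// reported as the bare ASN rather than guessed.
func knownProvider(asn int) string {
	switch asn {
	case 16509:
		return "AWS"
	case 13335:
		return "Cloudflare"
	case 15169:
		return "Google"
	}
	return "AS" + strconv.Itoa(asn)
}

func main() {
	// Constructed sample answers in Team Cymru's format, not live lookups.
	samples := []struct{ ip, txt string }{
		{"13.248.169.35", "16509 | 13.248.0.0/14 | US | arin | 2016-08-09"},
		{"2001:db8::1", "64496 64497 | 2001:db8::/32 | ZZ | iana | 2002-07-01"},
	}
	for _, s := range samples {
		name, err := cymruOriginName(s.ip)
		if err != nil {
			fmt.Println(err)
			continue
		}
		o, err := parseCymruTXT(s.txt)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("dig +short TXT %s\n  -> %s %v in %s (%s, %s)\n",
			name, knownProvider(o.ASNs[0]), o.ASNs, o.Prefix, o.Registry, o.Country)
	}
}
```

The IPv6 name is the part people get wrong by hand: every byte contributes two labels, low nibble first, so 2001:db8::1 expands to 32 labels before the origin6 suffix.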
SMTP Transport Probing
Primary Free

Live STARTTLS verification of mail servers. Tests TLS version support, cipher suites, certificate validity, and DANE/TLSA matching. Falls back to DNS-inferred analysis when direct connection is unavailable.

Method: TCP connection to port 25 with STARTTLS negotiation
Rate Limits: No rate limits (standard SMTP protocol). Receiving servers may greylist or tarpit unfamiliar clients, and many cloud networks block outbound port 25, which is why a DNS-inferred fallback exists.
Verify: openssl s_client -starttls smtp -connect mx.example.com:25
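DANE/TLSA matching, as an added Go example rather than DNS Tool's own implementation: it parses a TLSA record, derives the certificate association data for selector 0/1 and matching type 0/1 from an X.509 certificate, and compares it in constant time for the DANE-EE (usage 3) case that SMTP deployments use. The certificate is generated inside the program as throwaway material; mx.example.com is a placeholder, and the rotated-key scenario at the end is the classic way a DANE-protected MX breaks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSA holds one RFC 6698 record: usage, selector, matching type, data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// parseTLSA reads presentation format such as "3 1 1 <hex>"; dig may print
// the hex as several space-separated words, which are joined back together.
func parseTLSA(presentation string) (TLSA, error) {
	f := strings.Fields(presentation)
	if len(f) < 4 {
		return TLSA{}, fmt.Errorf("want usage selector matching data, got %q", presentation)
	}
	var n [3]uint8
	for i := range n {
		v, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return TLSA{}, fmt.Errorf("field %d: %w", i, err)
		}
		n[i] = uint8(v)
	}
	data, err := hex.DecodeString(strings.Join(f[3:], ""))
	if err != nil {
		return TLSA{}, fmt.Errorf("certificate association data: %w", err)
	}
	return TLSA{n[0], n[1], n[2], data}, nil
}

// associationData is what the record must match for cert (RFC 6698 §2.1):
// selector 0 = full DER certificate, 1 = SubjectPublicKeyInfo; matching
// 0 = exact bytes, 1 = SHA-256 (matching 2, SHA-512, is left out here).
func associationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unknown selector %d", selector)
	}
	switch matching {
	case 0:
		return in, nil
	case 1:
		h := sha256.Sum256(in)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", matching)
}

// matchesDANEEE checks the presented leaf certificate against a DANE-EE
// (usage 3) record, the usual SMTP form, which needs no PKIX chain. Usages
// 0-2 need chain matching and/or PKIX validation, so they are refused here.
func matchesDANEEE(cert *x509.Certificate, rr TLSA) (bool, error) {
	if rr.Usage != 3 {
		return false, fmt.Errorf("usage %d not handled by this check", rr.Usage)
	}
	want, err := associationData(cert, rr.Selector, rr.Matching)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(want, rr.Data) == 1, nil
}

// selfSignedCert builds throwaway test material for host (not a real MX cert).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := selfSignedCert("mx.example.com")
	spki, _ := associationData(cert, 1, 1)
	rr, _ := parseTLSA("3 1 1 " + hex.EncodeToString(spki)) // what the zone would publish
	ok, _ := matchesDANEEE(cert, rr)
	fmt.Printf("_25._tcp.mx.example.com. IN TLSA 3 1 1 %x\nmatches presented certificate: %v\n", spki, ok)
	rotated, _ := selfSignedCert("mx.example.com") // new key, TLSA record left stale
	ok, _ = matchesDANEEE(rotated, rr)
	fmt.Println("matches after key rotation without a TLSA update:", ok)
}
```

Selector 1 (SPKI) is what makes automated certificate renewal survivable: as long as the key pair is reused, the 3 1 1 record stays valid across renewals, and only a key rotation needs a coordinated TLSA change.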

Threat Intelligence

Phishing and threat detection powered by community-maintained open data.

OpenPhish Community Feed
Community Free

Community-maintained phishing URL feed used by the Email Header Analyzer to cross-reference URLs found in email bodies and headers against confirmed phishing campaigns. Cached locally with a 12-hour TTL.

Method: HTTPS fetch of plain-text URL list from GitHub-hosted public feed
Rate Limits: No published rate limits. Public GitHub-hosted feed, refreshed every 12 hours.
Verify: curl -s https://openphish.com/feed.txt | head -20

Historical & Discovery

DNS change timelines and subdomain discovery from certificate transparency logs.

Certificate Transparency (crt.sh)
Public Log Free

Discovers subdomains by searching Certificate Transparency logs for all SSL/TLS certificates ever issued for a domain. Reveals infrastructure that may not be publicly linked.

Method: HTTPS query to crt.sh with output=json (a web front end over its PostgreSQL database). The result lists every logged certificate, precertificates included, so the same name appears many times and must be deduplicated.
Rate Limits: Community service with telemetry-based cooldown. A single community-run instance, so queries for large domains can time out; honest timeout/error messaging when unavailable.
Verify: curl -s 'https://crt.sh/?q=%.example.com&output=json' | jq '.[].name_value'
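crt.sh's JSON is not a flat list of hostnames, which the `jq '.[].name_value'` verify command hides: one entry can hold several SANs separated by newlines, wildcard names are certificate scopes rather than hosts, precertificates and leaf certificates are logged separately, and a shared certificate can carry SANs for unrelated domains. The following Go example (added here, not DNS Tool's code) normalises a constructed sample of that output into a deduplicated host list plus the wildcards seen.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// crtEntry is the one field of crt.sh's JSON output this example needs.
type crtEntry struct {
	NameValue string `json:"name_value"`
}

// inScope reports whether name is domain itself or a subdomain of it.
func inScope(name, domain string) bool {
	return name == domain || strings.HasSuffix(name, "."+domain)
}

// subdomainsFromCRT turns raw crt.sh JSON into sorted, deduplicated hostnames
// under domain plus the wildcard names seen. It handles what a bare
// `.[].name_value` does not: several SANs per entry joined with "\n",
// wildcard entries (a certificate scope, not a host), duplicate entries from
// precertificate/leaf pairs, and SANs that belong to unrelated domains.
func subdomainsFromCRT(raw []byte, domain string) ([]string, []string, error) {
	var entries []crtEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, nil, fmt.Errorf("crt.sh JSON: %w", err)
	}
	domain = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	hostSet, wildSet := map[string]bool{}, map[string]bool{}
	for _, e := range entries {
		for _, n := range strings.Split(e.NameValue, "\n") {
			n = strings.ToLower(strings.TrimSpace(n))
			if n == "" {
				continue
			}
			if base, isWild := strings.CutPrefix(n, "*."); isWild {
				if inScope(base, domain) {
					wildSet[n] = true
				}
				continue
			}
			if inScope(n, domain) { // drops foreign SANs such as cdn.example.net
				hostSet[n] = true
			}
		}
	}
	var hosts, wildcards []string
	for h := range hostSet {
		hosts = append(hosts, h)
	}
	for w := range wildSet {
		wildcards = append(wildcards, w)
	}
	sort.Strings(hosts)
	sort.Strings(wildcards)
	return hosts, wildcards, nil
}

// sampleCRT is a constructed stand-in for the output of
// curl 'https://crt.sh/?q=%.example.com&output=json' (shape only, not real
// log data). The duplicated www entry mirrors a precertificate/leaf pair.
const sampleCRT = `[
  {"issuer_ca_id": 1, "name_value": "www.example.com\nexample.com"},
  {"issuer_ca_id": 1, "name_value": "WWW.example.com"},
  {"issuer_ca_id": 2, "name_value": "*.staging.example.com"},
  {"issuer_ca_id": 3, "name_value": "api.example.com\ncdn.example.net"},
  {"issuer_ca_id": 3, "name_value": "notexample.com"}
]`

func main() {
	hosts, wildcards, err := subdomainsFromCRT([]byte(sampleCRT), "example.com")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("hosts:", hosts)
	fmt.Println("wildcards (certificate scopes, enumerate separately):", wildcards)
}
```

A wildcard entry tells you that *.staging.example.com exists as a certificate scope; the hosts under it never appear in CT and have to be found by other means.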

Registry & Reference

Domain registration data and RFC standards metadata.

IANA RDAP
Registry Free

Registration Data Access Protocol, the modern successor to WHOIS. The IANA bootstrap registry (https://data.iana.org/rdap/dns.json) maps each TLD to its authoritative RDAP server (Verisign for .com, as in the verify command below). Retrieves domain registrar, registration dates, status codes, and nameserver delegation from that registry.

Method: HTTPS REST API (no authentication required)
Rate Limits: Varies by registry. Telemetry-based cooldown with honest unavailability messaging.
Verify: curl -s 'https://rdap.verisign.com/com/v1/domain/example.com' | jq '.entities[0].vcardArray'
IETF Datatracker
Reference Free

Fetches RFC metadata (titles, status, obsoleted-by) for all cited RFCs. Ensures RFC references in remediation guidance are current and accurate.

Method: HTTPS REST API (no authentication required)
Rate Limits: No published rate limits.
Verify: curl -s 'https://datatracker.ietf.org/doc/api/rfc/?format=json&rfc=7489' | jq '.objects[0].title'
ip-api.com
Supplemental Free

Visitor IP geolocation only (your location flag in the footer). Not used for any analysis data. Degrades gracefully on failure.

Method: HTTPS REST API (no authentication required)
Rate Limits: 45 requests/minute on free tier.

Standards & Classification Colors

Every color used for security classification in DNS Tool reports traces to a published standard. Where formal specifications exist, we cite the exact hex values. Where colors are industry convention rather than specification, we note the distinction.

Traffic Light Protocol (TLP) v2.0
Standard Formally Specified

Information sharing classification used on all DNS Tool reports. Colors are formally specified by FIRST with exact hex values. Default classification: TLP:AMBER.

TLP:RED #FF2B2B
TLP:AMBER #FFC000
TLP:AMBER+STRICT #FFC000
TLP:GREEN #33A532
TLP:CLEAR #FFFFFF
CVSS v3.1 Severity Scale
Convention Industry Standard

Score ranges formally specified by FIRST CVSS v3.1. Colors are not part of the CVSS specification — they are de facto industry convention derived from the NIST NVD implementation. Used for posture scoring and risk-level badges.

Critical (9.0–10.0) #cc0000
High (7.0–8.9) #df3d03
Medium (4.0–6.9) #f9a009
Low (0.1–3.9) #ffcb0d
None (0.0) #53aa33
The Intelligence Engine
Analysis Engine — Decision-Ready Intelligence

DNS Tool’s core engine is built in Go using the miekg/dns v2 library — constructing raw DNS packets in memory and sending them directly over the wire. No shelling out. No subprocess calls. No external binaries.

The engine controls EDNS0, the DO bit that asks for DNSSEC records (whether the resolver validated them is read from the AD bit in its reply, or established by walking the chain directly), recursion flags, timeout and retry logic, and parallel resolution across five independent resolvers with majority-agreement consensus. This is native DNS at the packet level.

Each scan launches 20+ concurrent tasks — DNS records, SPF/DMARC/DKIM analysis, DNSSEC chain walking, Certificate Transparency log queries, RDAP registrar lookups, live SMTP/STARTTLS verification, MTA-STS/TLS-RPT/BIMI/CAA checks, DANE/TLSA validation, HTTPS/SVCB records, AI surface scanning, and infrastructure fingerprinting — all in parallel. Every task is individually timed and logged.

The Intelligence Classification & Interpretation Engine (ICIE) transforms raw data into actionable intelligence: posture scoring with CVSS-aligned risk levels, per-section remediation with RFC-cited fixes, and confidence indicators that distinguish observed facts from inferred conclusions.

Verification Commands

The dig, openssl, and curl commands in each report are not how we analyze — they’re how you verify. Every finding maps to a standard command you can run in your own terminal to independently confirm our results.

The transport layer is not the product. The interpretation layer is — SPF policy reasoning, DKIM state analysis, DMARC alignment logic, MX transport security, provider fingerprinting, and cross-record correlation. That’s what 27 years of field experience looks like in code.

No Cache, No Shortcuts

DNS query cache is disabled (TTL=0) — every scan performs live queries. When you change a record and rescan, you see the new state immediately. The only caches retained are defensible: RDAP (24h, rate-limit protection), CT subdomains (1h, append-only historical data), and RFC metadata (24h, reference data).

The Audit Engine

The Intelligence Confidence Audit Engine (ICAE) continuously validates that the Intelligence Engine delivers accurate, RFC-compliant intelligence. Every release runs against a deterministic test suite anchored to specific RFC sections — if analysis accuracy regresses, we know before you do.

RFC-Grounded Test Coverage

129 deterministic test cases across nine protocol families validate analysis accuracy against RFC-specified expected outcomes:

  • SPF: 17 cases. RFC 7208 mechanisms, qualifiers, lookup limits, verdict logic, cross-protocol warnings (RFC 7489 §10.1)
  • DMARC: 11 cases. RFC 7489 policy levels, alignment modes, subdomain policy, null MX (RFC 7505), posture classification
  • DNSSEC: 17 cases. RFC 4033 chain validation, tampering verdicts, enterprise DNS classification (RFC 1035)
Maturity Progression

Each protocol earns a maturity grade based on consecutive passes and sustained accuracy over time:

  • Development: fewer than 100 consecutive passes
  • Verified: 100+ consecutive passes
  • Consistent: 500+ passes and 30+ days sustained
  • Gold: 1,000+ passes and 90+ days sustained
  • Gold Master: 5,000+ passes and 180+ days sustained

Regressions are tracked per protocol with automatic detection. If a previously passing test case fails, it’s flagged immediately — not buried in logs.

Cryptographic Algorithm Transparency

Every algorithm classification cites the governing RFC. No proprietary risk scores — only standards-body guidance.

DNSSEC Algorithms (RFC 8624 / RFC 9157)
  • Deprecated: RSAMD5, DSA, ECC-GOST. MUST NOT be used for signing (RFC 8624 lets validators still accept ECC-GOST as MAY)
  • Legacy: RSA/SHA-1. NOT RECOMMENDED for signing; validators MUST still support it
  • Adequate: RSA/SHA-256 (MUST sign and validate). RSA/SHA-512 is MUST-validate but NOT RECOMMENDED for new signing under RFC 8624
  • Modern: ECDSA P-256 (MUST), Ed25519 (RECOMMENDED); ECDSA P-384 and Ed448 are MAY for signing and RECOMMENDED for validation
DKIM Key Strength (RFC 8301; Ed25519 per RFC 8463)
  • Deprecated: RSA below 1024 bits. Verifiers MUST NOT accept
  • Weak: RSA 1024-bit. The minimum a verifier must still validate; signers SHOULD move to 2048
  • Adequate: RSA 2048-bit. Industry standard
  • Strong: RSA 4096-bit, Ed25519 (RFC 8463). Future-ready
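A worked example of the DKIM grading above in Go, added here and not taken from DNS Tool: it parses a selector's TXT record, decodes p= as a PKIX public key for RSA (RFC 6376) or as a raw 32-byte key for Ed25519 (RFC 8463), measures the RSA modulus and grades it on the scale above, and treats an empty p= as a revoked selector (RFC 6376 §3.6.1). The records are built from keys generated inside the program (constructed test material, not real selectors); grading 3072-bit keys as Adequate is an assumption, since the table above lists 2048 only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyAssessment grades one DKIM selector record on the scale above.
type KeyAssessment struct {
	KeyType string // "rsa" or "ed25519"
	Bits    int
	Grade   string // Revoked, Deprecated, Weak, Adequate, Strong
	Note    string
}

// parseDKIMTags splits a DKIM TXT record into tag=value pairs (RFC 6376 §3.2).
func parseDKIMTags(txt string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// assessDKIMKey decodes p= and grades the key. RFC 6376 carries RSA keys as
// base64 PKIX SubjectPublicKeyInfo; RFC 8463 carries Ed25519 keys as the raw
// 32-byte public key; an empty p= means the selector is revoked (RFC 6376 §3.6.1).
func assessDKIMKey(txt string) (KeyAssessment, error) {
	tags := parseDKIMTags(txt)
	if v, ok := tags["v"]; ok && v != "DKIM1" {
		return KeyAssessment{}, fmt.Errorf("unsupported DKIM version %q", v)
	}
	p, ok := tags["p"]
	if !ok {
		return KeyAssessment{}, fmt.Errorf("record has no p= tag")
	}
	if p == "" {
		return KeyAssessment{Grade: "Revoked", Note: "empty p= revokes the selector"}, nil
	}
	// whitespace is legal inside p= (multi-string TXT records are often joined with spaces)
	raw, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(p), ""))
	if err != nil {
		return KeyAssessment{}, fmt.Errorf("p= is not valid base64: %w", err)
	}
	keyType := tags["k"]
	if keyType == "" {
		keyType = "rsa" // k= defaults to rsa
	}
	switch keyType {
	case "ed25519":
		if len(raw) != ed25519.PublicKeySize {
			return KeyAssessment{}, fmt.Errorf("ed25519 key must be 32 bytes, got %d", len(raw))
		}
		return KeyAssessment{KeyType: "ed25519", Bits: 256, Grade: "Strong", Note: "RFC 8463"}, nil
	case "rsa":
		pub, err := x509.ParsePKIXPublicKey(raw)
		if err != nil {
			return KeyAssessment{}, fmt.Errorf("p= is not a PKIX public key: %w", err)
		}
		rsaPub, ok := pub.(*rsa.PublicKey)
		if !ok {
			return KeyAssessment{}, fmt.Errorf("k=rsa but key is %T", pub)
		}
		a := KeyAssessment{KeyType: "rsa", Bits: rsaPub.N.BitLen()}
		switch {
		case a.Bits < 1024:
			a.Grade, a.Note = "Deprecated", "verifiers MUST NOT accept (RFC 8301)"
		case a.Bits < 2048:
			a.Grade, a.Note = "Weak", "signers SHOULD use at least 2048 bits (RFC 8301)"
		case a.Bits < 4096:
			a.Grade = "Adequate" // assumption: 3072 graded with 2048; the table lists 2048 only
		default:
			a.Grade = "Strong"
		}
		return a, nil
	}
	return KeyAssessment{}, fmt.Errorf("unknown key type %q", keyType)
}

// dkimRecordRSA and dkimRecordEd25519 build records from freshly generated
// keys: constructed test material, not real selectors.
func dkimRecordRSA(bits int) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), nil
}

func dkimRecordEd25519() (string, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	return "v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub), nil
}

func main() {
	rsa1024, _ := dkimRecordRSA(1024)
	rsa2048, _ := dkimRecordRSA(2048)
	ed, _ := dkimRecordEd25519()
	for _, rec := range []string{rsa1024, rsa2048, ed, "v=DKIM1; k=rsa; p="} {
		a, err := assessDKIMKey(rec)
		fmt.Printf("%-8s %4d-bit -> %-10s %s %v\n", a.KeyType, a.Bits, a.Grade, a.Note, err)
	}
}
```

Measuring the modulus from the decoded key rather than trusting the record's length is deliberate: base64 length is a poor proxy, and a p= that decodes to an EC or malformed key under k=rsa is an error to report, not a key to grade.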

Post-quantum DNSSEC standards in active IETF development (draft-sheth-pqc-dnssec-strategy) — no PQC algorithms standardized for DNS yet. All classical algorithms carry this transparency note in reports.

Every Command, Verifiable

Every report includes a “Verify It Yourself” appendix with dig, openssl, and curl commands to independently reproduce every finding — open-source tools available on macOS and Linux, and installable on Windows via WSL or individual packages.

No proprietary scanners. No black boxes. DNS — open standard since 1983.

System Architecture

Interactive diagrams of the request lifecycle, engine internals, email security verdict chain, and package dependencies.

View Architecture Diagrams
Straight talk about your data.

We use two cookies, both essential:

  • _csrf — Prevents cross-site request forgery. Required for form submissions. Security-only.
  • _dns_session — Only exists if you choose to sign in. No account required to use DNS Tool.

We log your IP address for two reasons: rate limiting (so nobody abuses the service) and security (identifying malicious actors and complying with legal obligations). We check source geography for analysis accuracy — DNS responses vary by region, and knowing which resolver answered from where makes the science better.

No tracking cookies. No analytics cookies. No ad networks. No data brokers. Our code is open-core — the application framework is publicly available under BUSL-1.1 with timed Apache-2.0 conversion. Verify it yourself.

If you create an account and want out, account deletion removes your login and scan history. Public domain analyses remain available because they contain only public DNS records, already hashed. Full details: Privacy Pledge.