Domain, DNS and infrastructure intelligence
WHOIS, DNS record enumeration, certificate transparency, Shodan, Censys, BGP/ASN lookups and tech-stack fingerprinting.
Starting with the domain
For most targets, the registered domain is the entry point. It anchors the target's identity: all subdomains, mail infrastructure, web servers and auxiliary services connect back to it. Infrastructure OSINT works outward from that anchor.
WHOIS and registration records
WHOIS is a query-response protocol that returns registration data for domain names and IP address blocks. Every domain registration (and most IP allocations) creates a public record: registrant name, organisation, email address, registrar, registration date, expiry date, and name servers.
```bash
whois example.com      # domain registration record
whois 203.0.113.10     # IP WHOIS (shows the ASN, organisation, address block)
```
Domain privacy services now hide registrant contact details for most consumer registrations, so the registrant name field is often redacted. However, the registrar, registration date, name servers and expiry date usually remain. Name servers are the most useful output: they identify who hosts the DNS and often point to the hosting provider or CDN.
Reverse WHOIS: instead of querying by domain, query by registrant email or organisation name to find all domains registered to that entity. ViewDNS.info and DomainTools provide reverse WHOIS. A company's publicly known contact email will often reveal a cluster of additional domains they've registered: development servers, acquired brands, internal tools.
DNS record types and enumeration
DNS records are the map of a domain's services. All are publicly queryable. Record types worth knowing for OSINT:
| Record | What it reveals |
|---|---|
| A | IPv4 address of a hostname (the actual server IP) |
| AAAA | IPv6 address |
| MX | Mail exchange servers (reveals the email provider: Google Workspace, Microsoft 365, on-prem) |
| NS | Authoritative name servers for the domain |
| TXT | SPF, DKIM and DMARC records expose email security posture; also reveals third-party integrations (Salesforce, Atlassian, HubSpot) |
| CNAME | Alias from one name to another (can expose internal service naming) |
| SOA | Primary name server and a contact email for the zone |
| PTR | Reverse DNS (IP to hostname) revealing internal naming conventions |
```bash
dig example.com A                        # IPv4 addresses
dig example.com MX                       # mail servers
dig example.com TXT                      # SPF, DKIM, DMARC and integrations
dig example.com NS                       # name servers
dig @ns1.example.com example.com AXFR    # zone transfer attempt
host -t mx example.com                   # concise MX listing
```
DNS zone transfers (AXFR): a zone transfer replicates the entire DNS zone from the primary to a secondary name server. If misconfigured to allow public transfers, a single query dumps every DNS record: every subdomain, every internal IP, every service. Rare on well-managed infrastructure, but worth attempting: `dig axfr @<nameserver> target.com`.
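The TXT records in the table above carry a domain's email posture and its third-party integrations. As an added example (not from the original page), the following parses TXT values in the shape `dig example.com TXT` prints and summarises what a defender should fix first; the record contents, domain and vendor tokens are constructed samples.

```python
"""Summarise a domain's email posture from its TXT records (SPF, DMARC, vendor tokens).
Added example, not from the original page; the TXT values are constructed samples in the
shape `dig example.com TXT` prints, and the domain, includes and tokens are assumptions."""
import re

APEX_TXT = [  # constructed: what `dig example.com TXT` might return
    '"v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all"',
    '"atlassian-domain-verification=abc123"',
    '"google-site-verification=xyz789"',
]
DMARC_TXT = ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"']  # _dmarc.example.com

def _unquote(record):
    # dig prints TXT strings quoted, and splits long ones into several pieces.
    return "".join(re.findall(r'"([^"]*)"', record))

def parse_spf(records):
    """Return includes, ip mechanisms and the 'all' qualifier, or None if no SPF."""
    for rec in map(_unquote, records):
        if rec.lower().startswith("v=spf1"):
            terms = rec.split()[1:]
            all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
            return {"includes": [t.split(":", 1)[1] for t in terms if t.startswith("include:")],
                    "ips": [t.split(":", 1)[1] for t in terms if t.startswith(("ip4:", "ip6:"))],
                    "all": "+all" if all_term == "all" else all_term}
    return None

def parse_dmarc(records):
    """Return DMARC tags as a dict (p, rua, ...), or None if no DMARC record."""
    for rec in map(_unquote, records):
        if rec.lower().startswith("v=dmarc1"):
            return dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    return None

def integrations(records):
    """Vendors behind *-verification tokens, e.g. 'google' from google-site-verification."""
    return sorted(r.split("-", 1)[0] for r in map(_unquote, records) if "-verification=" in r)

def assess(apex_txt, dmarc_txt):
    """What a defender should fix first: weak SPF/DMARC settings and missing records."""
    spf, dmarc, findings = parse_spf(apex_txt), parse_dmarc(dmarc_txt), []
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] in (None, "+all", "?all"):
        findings.append("SPF does not fail unknown senders (%s)" % spf["all"])
    elif spf["all"] == "~all":
        findings.append("SPF softfail (~all): unauthorised senders are flagged, not rejected")
    if dmarc is None:
        findings.append("no DMARC record")
    elif dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is reported, not rejected")
    return {"spf": spf, "dmarc": dmarc, "integrations": integrations(apex_txt), "findings": findings}
```

The `includes` list is the same third-party sender list an outsider reads from the record, so it doubles as a checklist of vendors that must stay in the SPF only while they are actually used.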
Certificate transparency
Every public TLS certificate is submitted to Certificate Transparency (CT) logs: an append-only public record of every certificate issued by a compliant CA. This means you can enumerate all domains a certificate has ever covered, including subdomains that were never intended to be discoverable.
crt.sh is the primary CT log query interface. Use % as a wildcard:
```text
https://crt.sh/?q=%25.example.com
```
This routinely reveals dev, staging, internal, test and admin subdomains: infrastructure that people forget about and don't patch. Because CT logs are append-only and public, certificates issued years ago for now-deleted subdomains still appear.
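From a defender's side the same CT data is an asset-inventory check: every name in the logs that the team does not recognise is a forgotten host or a cert someone issued outside process. As an added example (not from the original page), this turns crt.sh's JSON output into a triaged list; the entries, dates and known-asset list are constructed samples, and the `output=json` form of the crt.sh query is the one assumed.

```python
"""Turn crt.sh JSON into a subdomain inventory and flag names a defender does not know.
Added example, not from the original page. CRTSH_JSON is a constructed sample in the shape
of https://crt.sh/?q=%25.example.com&output=json (name_value holds newline-separated SANs);
the hostnames, dates and the known-asset list are assumptions."""
import json
from datetime import datetime, timezone

CRTSH_JSON = json.dumps([  # constructed sample, not real CT log data
    {"id": 1, "common_name": "www.example.com", "not_after": "2031-01-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "staging.example.com", "not_after": "2031-01-01T00:00:00",
     "name_value": "staging.example.com"},
    {"id": 3, "common_name": "admin-old.example.com", "not_after": "2019-06-01T00:00:00",
     "name_value": "admin-old.example.com\nmail.example.org"},
    {"id": 4, "common_name": "*.example.com", "not_after": "2031-01-01T00:00:00",
     "name_value": "*.example.com\ndev.example.com"},
])
KNOWN_ASSETS = {"example.com", "www.example.com", "dev.example.com"}  # assumed inventory
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # assumed 'today' for the sample

def hostnames_from_crtsh(raw_json, domain):
    """Map every hostname under `domain` to the latest not_after seen for it."""
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().lstrip("*.")  # wildcard cert -> its base name
            if name == domain or name.endswith("." + domain):
                if name not in latest or expiry > latest[name]:
                    latest[name] = expiry
    return latest

def triage(raw_json, domain, known, now):
    """Split CT-derived names into known, unknown with a live cert, unknown and expired."""
    found = hostnames_from_crtsh(raw_json, domain)
    unknown = {n: exp for n, exp in found.items() if n not in known}
    return {"known": sorted(n for n in found if n in known),
            "unknown_live": sorted(n for n, exp in unknown.items() if exp >= now),
            "unknown_expired": sorted(n for n, exp in unknown.items() if exp < now)}

def audit_sample():
    """Run the triage over the constructed sample; unknown_live is the first thing to chase."""
    return triage(CRTSH_JSON, "example.com", KNOWN_ASSETS, NOW)
```

Expired entries are the "forgotten dev/staging/admin" class the text describes: the cert is long gone, but the name is still public and may still resolve.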
Subdomain enumeration
Beyond CT logs, subdomains can be found via passive DNS intelligence and brute-force wordlists:
- Amass (OWASP): the most comprehensive subdomain tool, combining brute-force, CT logs, passive DNS data and search engine results: `amass enum -d example.com`
- Subfinder: fast passive-only discovery pulling from many OSINT data sources simultaneously
- dnsx and dnsrecon: DNS enumeration with wordlists and brute-force
- SecurityTrails (securitytrails.com): historical DNS data, reverse DNS and subdomain discovery with a web UI. Shows DNS record history, which is useful if a target has moved behind a CDN and you want the real origin IP they previously used
- DNSDumpster (dnsdumpster.com): free DNS recon and visual mapping of the domain's DNS structure
Shodan
Shodan (shodan.io) is a search engine for internet-connected devices. Rather than indexing web page content, it crawls the internet and stores the banners and responses from open ports and services. You can query it for devices and services without ever sending a packet to the target, making it effectively passive from the target's perspective.
Key search operators:
```text
hostname:example.com               # results associated with a hostname
org:"Acme Corporation"             # filter by organisation in WHOIS
net:203.0.113.0/24                 # specific IP range
port:22 org:"Acme Corporation"     # open SSH at a specific org
product:nginx country:GB           # Nginx servers in the UK
vuln:CVE-2021-44228                # systems flagged with a specific CVE
http.title:"admin panel"           # by page title
ssl.cert.subject.cn:example.com    # by certificate common name
```
The last operator is especially powerful: if a target uses a CDN (Cloudflare, Akamai) to hide their real origin IP, querying Shodan by the certificate CN often reveals the origin server's IP, which may be directly reachable. Shodan also shows the specific software version in service banners, which is searchable by known CVE.
Censys
Censys (censys.io) scans more comprehensively than Shodan and offers a structured query syntax. It's particularly strong for TLS certificate and infrastructure correlation:
```text
services.port=22 and autonomous_system.organization="Acme Corp"
parsed.names: example.com          # in certificate search
```
Shodan and Censys scan on different schedules with different coverage. Using both gives a more complete picture. Censys also publishes a free Internet-wide scan dataset for researchers.
FOFA
FOFA (fofa.info) is the Chinese equivalent of Shodan, operated by Baimai Security. It has excellent coverage of Chinese-hosted infrastructure and a different view of some global targets:
```text
domain="example.com"
cert="example.com"
ip="203.0.113.0/24"
```
Useful when targets have infrastructure in mainland China or when Shodan and Censys have missed something.
BGP and ASN intelligence
An Autonomous System (AS) is a set of IP prefixes routed under a single administrative entity, identified by an ASN. Knowing a target's ASN lets you enumerate every prefix it announces: every public IP range in their network, including assets that Shodan hasn't yet indexed.
- BGP.he.net (bgp.he.net): enter a company name, IP or ASN to see all associated prefixes. Click "Prefixes" on any ASN record to get the complete list of IP ranges, the full network footprint.
- RIPEstat (stat.ripe.net): RIPE's analytics platform for European IP space, with allocation data, routing history and geolocation
- ARIN (arin.net): North American IP block WHOIS
Tech stack fingerprinting
Knowing what technology a target runs is intelligence that directly informs attack paths:
- BuiltWith (builtwith.com): analyses a website's headers, scripts and HTML to identify the CMS, CDN, analytics platform, JavaScript frameworks, e-commerce systems and payment providers
- Wappalyzer: browser extension that identifies the same stack inline as you browse
- Response headers: `curl -I https://example.com` returns `Server:`, `X-Powered-By:` and sometimes `X-Generator:` headers; many frameworks leak their name and exact version
- Job listings: consistently underestimated. A posting for a "senior Kubernetes engineer with GitLab CI experience" tells you the orchestration platform and CI/CD toolchain without querying a single system
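The header leak above is also the easiest one to audit on your own hosts. As an added example (not from the original page), this checks a raw `curl -I` style response for product and version disclosure; the response, products and versions in it are constructed samples.

```python
"""Check HTTP response headers for software name/version disclosure.
Added example, not from the original page. RAW_RESPONSE is a constructed sample in the
shape `curl -I` prints; the products and versions are assumptions, not real observations."""
import re

RAW_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: PHP/8.1.2
X-Generator: Drupal 9 (https://www.drupal.org)
Content-Type: text/html; charset=UTF-8
"""

# Headers that commonly carry product and version strings.
DISCLOSING = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
# "product/1.2.3" or "product 1.2.3"; the first such token in the value is taken.
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)*)")

def parse_headers(raw):
    """Return (name, value) pairs with lowercased names; the status line is skipped."""
    headers = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def disclosures(raw):
    """Map each disclosing header present to (product, version or None)."""
    out = {}
    for name, value in parse_headers(raw):
        if name in DISCLOSING:
            m = VERSION_RE.search(value)
            out[name] = (m.group(1), m.group(2)) if m else (value, None)
    return out

def findings(raw):
    """Headers that reveal an exact version: these map straight to CVE lookups."""
    return ["%s reveals %s %s" % (h, p, v) for h, (p, v) in disclosures(raw).items() if v]
```

Suppressing these is a server-side config change (for example `server_tokens off;` in nginx, `expose_php = Off` in php.ini), and re-running the check confirms it took effect.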
Quick recall
- WHOIS: name servers, registrar, dates; registrant often redacted. Reverse WHOIS via ViewDNS finds all domains for an org.
- Key DNS records: A (IP), MX (mail provider), TXT (SPF/DKIM/integrations), NS (name servers). Zone transfer (AXFR) dumps everything if misconfigured.
- crt.sh queries CT logs and reveals subdomains, including forgotten dev/staging/admin, since CT logs are permanent.
- Shodan/Censys: passive search engines for exposed services. `ssl.cert.subject.cn:` on Shodan bypasses CDN protection. FOFA for Chinese/Asia-Pacific coverage.
- BGP.he.net: enter any IP or org name to get all owned IP ranges from one ASN lookup.
- Stack fingerprinting: BuiltWith, response headers and job listings reveal current tech without active scanning.