
OSINT DNS Intelligence: Domain & Nameserver Analysis


Category: Intelligence
Last Updated: Feb 23, 2026

Overview#

DNS records are among the most revealing artifacts in a threat investigation. A domain registered yesterday with no SPF record, a nameserver shared with fifty other suspicious domains, and an MX record pointing to a free mail provider tells a story before anyone has visited the site. Security teams at financial institutions, government agencies, and managed security providers use DNS intelligence to evaluate domains at scale, validate email authentication, detect fast-flux infrastructure, and reconstruct attacker movements during incident response.

With support for 30+ DNS record types and historical DNS tracking, the platform gives analysts the context they need to understand domain infrastructure, assess configuration risk, and identify connections to known threat actor patterns.

Key Features#

  • DNS Resolution and Record Analysis: Complete DNS record type support (A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, PTR, SRV, and more) with global resolver coverage and sub-second response times
  • Email Security Validation: SPF, DKIM, DMARC, and MTA-STS record analysis to assess email authentication posture and identify spoofing vulnerabilities
  • DNSSEC Validation: Cryptographic signature verification for signed zones including DNSKEY, DS, RRSIG, and NSEC/NSEC3 record analysis
  • Historical DNS Tracking: Track DNS record changes over time, detect infrastructure migrations, identify previous hosting relationships, and reconstruct domain history
  • Passive DNS Intelligence: Aggregate historical resolution data showing which domains resolved to which IPs over time, revealing infrastructure relationships and threat actor patterns
  • DNS Threat Detection: Identify fast-flux networks, domain generation algorithms, DNS tunneling, and suspicious record configurations indicating malicious activity
  • Nameserver Intelligence: Analyse nameserver configurations, identify shared hosting relationships, detect nameserver hijacking, and assess DNS provider security posture
  • Reverse DNS Analysis: Map IP addresses to hostnames, identify co-hosted domains, and discover infrastructure relationships through PTR record analysis
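The "DNS Threat Detection" and "Nameserver Intelligence" features above come down to a few measurable signals: how many distinct IPs a name has resolved to, how far apart those IPs sit, how short the TTL is, how fast the answers churn, and which other domains share the same nameserver. The following is an added example (not code from the Argus platform) that runs those heuristics over a small set of constructed passive-DNS observations; the record layout, the thresholds and the sample domains are assumptions made for the demo.

```python
"""Fast-flux and shared-nameserver heuristics over passive-DNS style records.

Added example, not code from the Argus platform. The record layout, the
thresholds and the observations below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed passive-DNS observations: (domain, rrtype, rdata, first_seen, ttl).
SAMPLE_RECORDS: List[Tuple[str, str, str, str, int]] = [
    # Fast-flux style host: five IPs in three different /16s, 60 s TTL, all within 31 minutes.
    ("update-secure-login.example", "A", "198.51.100.7", "2026-02-20T10:00:00", 60),
    ("update-secure-login.example", "A", "203.0.113.44", "2026-02-20T10:05:00", 60),
    ("update-secure-login.example", "A", "192.0.2.130", "2026-02-20T10:12:00", 60),
    ("update-secure-login.example", "A", "198.51.100.201", "2026-02-20T10:20:00", 60),
    ("update-secure-login.example", "A", "203.0.113.9", "2026-02-20T10:31:00", 60),
    ("update-secure-login.example", "NS", "ns1.bulk-dns.example", "2026-02-20T10:00:00", 3600),
    # Ordinary host: one stable address, day-long TTL, reputable nameserver.
    ("corp-mail.example", "A", "192.0.2.10", "2026-01-01T00:00:00", 86400),
    ("corp-mail.example", "NS", "ns1.reputable-dns.example", "2026-01-01T00:00:00", 86400),
    # Two more domains parked on the same bulk nameserver as the suspicious host.
    ("invoice-portal-verify.example", "NS", "ns1.bulk-dns.example", "2026-02-19T08:00:00", 3600),
    ("account-reset-center.example", "NS", "ns1.bulk-dns.example", "2026-02-21T09:30:00", 3600),
]


def prefix16(ip: str) -> str:
    """Coarse network key: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def fast_flux_indicators(records, domain: str, min_ips: int = 4, max_ttl: int = 300,
                         min_prefixes: int = 2, churn_window: timedelta = timedelta(hours=1)) -> Dict:
    """Score one domain's A-record history for fast-flux traits (thresholds are assumptions)."""
    a_records = [r for r in records if r[0] == domain and r[1] == "A"]
    ips = {r[2] for r in a_records}
    prefixes = {prefix16(ip) for ip in ips}
    ttls = [r[4] for r in a_records]
    seen = sorted(datetime.fromisoformat(r[3]) for r in a_records)
    span = seen[-1] - seen[0] if seen else timedelta(0)

    flags = []
    if len(ips) >= min_ips and ttls and min(ttls) <= max_ttl:
        flags.append("many-ips-low-ttl")          # many answers rotated quickly by TTL
    if len(prefixes) >= min_prefixes:
        flags.append("ips-span-multiple-networks")  # not one hosting provider's range
    if len(ips) >= min_ips and span <= churn_window:
        flags.append("rapid-churn")               # all of them observed within the window
    return {
        "domain": domain,
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(ttls) if ttls else None,
        "window_minutes": span.total_seconds() / 60,
        "flags": flags,
        "fast_flux_candidate": len(flags) >= 2,   # two independent signals before we call it
    }


def nameserver_pivot(records) -> Dict[str, List[str]]:
    """Group every observed domain by the nameserver it delegates to."""
    by_ns = defaultdict(set)
    for dom, rrtype, rdata, *_ in records:
        if rrtype == "NS":
            by_ns[rdata].add(dom)
    return {ns: sorted(doms) for ns, doms in by_ns.items()}


def related_domains(records, domain: str) -> List[str]:
    """Other domains sharing at least one nameserver with `domain` (a pivot, not a verdict)."""
    related = set()
    for doms in nameserver_pivot(records).values():
        if domain in doms:
            related.update(doms)
    related.discard(domain)
    return sorted(related)


if __name__ == "__main__":
    for d in ("update-secure-login.example", "corp-mail.example"):
        print(fast_flux_indicators(SAMPLE_RECORDS, d))
    print(related_domains(SAMPLE_RECORDS, "update-secure-login.example"))
```

The shared-nameserver pivot only surfaces candidates for review: large DNS providers legitimately host millions of unrelated zones, so the signal is meaningful when the nameserver itself is small or already associated with confirmed bad domains.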

Use Cases#

  • Threat Investigation: Analyse DNS records of suspicious domains to identify hosting infrastructure, email configuration, and connections to known threat actor networks
  • Phishing Detection: Evaluate DNS configurations of suspected phishing domains including recent registration, missing email security records, and infrastructure patterns common to phishing campaigns
  • Infrastructure Mapping: Enumerate an organisation's DNS footprint including mail servers, subdomains, third-party services, and CDN configurations for attack surface assessment
  • Email Security Auditing: Validate SPF, DKIM, and DMARC configurations across organisational domains to identify email spoofing vulnerabilities and authentication gaps
  • Incident Response: Rapidly assess DNS infrastructure associated with indicators of compromise, track domain resolution changes during active incidents, and identify related malicious domains
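The "Phishing Detection" and "Email Security Auditing" use cases both reduce to reading a handful of TXT and MX records and turning them into findings. Below is an added example (not the platform's own code) that parses an SPF record per RFC 7208, a DMARC record per RFC 7489, and the MX set, and reports the gaps an auditor would flag; the sample records, the free-mail provider list and the finding labels are constructed for the demo.

```python
"""Email-authentication posture findings from SPF, DMARC and MX records.

Added example, not the Argus platform's code. SPF parsing follows RFC 7208,
DMARC parsing RFC 7489; sample records and finding labels are constructed.
"""
from typing import Dict, List, Optional

# Constructed: MX suffixes of providers anyone can sign up to. An MX here is a
# signal worth noting for a suspected phishing domain, not proof of anything.
FREEMAIL_MX_SUFFIXES = ("freemail-provider.example",)

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_MODIFIERS = {"redirect"}


def parse_spf(txt_records: List[str]) -> Optional[Dict]:
    """Return the parsed SPF record from a domain's TXT set, or None if absent."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if not spf:
        return None
    result = {"raw": spf[0], "multiple": len(spf) > 1, "all": None, "lookups": 0, "mechanisms": []}
    for term in spf[0].split()[1:]:
        if "=" in term:                      # modifier, e.g. redirect=_spf.example
            if term.split("=", 1)[0].lower() in SPF_LOOKUP_MODIFIERS:
                result["lookups"] += 1
            continue
        qualifier = "+"                      # RFC 7208: default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        result["mechanisms"].append((qualifier, name))
        if name == "all":
            result["all"] = qualifier
        elif name in SPF_LOOKUP_MECHANISMS:
            result["lookups"] += 1
    return result


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of the _dmarc TXT record, or None if absent."""
    rec = [t for t in txt_records if t.lower().startswith("v=dmarc1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_posture(root_txt: List[str], dmarc_txt: List[str], mx_hosts: List[str]) -> List[str]:
    """Findings (constructed labels) for a domain's outbound authentication posture."""
    findings = []
    spf = parse_spf(root_txt)
    if spf is None:
        findings.append("spf-missing")
    else:
        if spf["multiple"]:
            findings.append("spf-multiple-records")      # permerror per RFC 7208 section 4.5
        if spf["all"] in ("+", "?"):
            findings.append("spf-permissive-all")        # anyone may send as the domain
        elif spf["all"] is None:
            findings.append("spf-no-all-term")           # implicit neutral, same effect
        if spf["lookups"] > 10:
            findings.append("spf-exceeds-10-lookups")    # receivers will permerror
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("dmarc-missing")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("dmarc-policy-none")         # monitoring only, no enforcement
        if "rua" not in dmarc:
            findings.append("dmarc-no-aggregate-reports")
    if any(mx.lower().rstrip(".").endswith(FREEMAIL_MX_SUFFIXES) for mx in mx_hosts):
        findings.append("mx-freemail-provider")
    return findings


# Constructed record sets for three domains.
SUSPECT = {"root_txt": ["some-verification-token=abc123"], "dmarc_txt": [],
           "mx_hosts": ["mx.freemail-provider.example."]}
WEAK = {"root_txt": ["v=spf1 include:_spf.mailhost.example ?all"],
        "dmarc_txt": ["v=DMARC1; p=none"], "mx_hosts": ["mail.weak.example."]}
CORP = {"root_txt": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
        "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc@corp.example; pct=100"],
        "mx_hosts": ["mail.corp.example."]}

if __name__ == "__main__":
    for label, recs in (("suspect", SUSPECT), ("weak", WEAK), ("corp", CORP)):
        print(label, assess_email_posture(**recs))
```

The lookup counter only counts the terms in the record itself; a full RFC 7208 evaluation would follow each include and redirect recursively, so a record that passes here can still exceed the limit once its includes are expanded.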

Integration#

The platform integrates with the broader Argus OSINT ecosystem for cross-domain intelligence correlation, domain intelligence modules for comprehensive domain analysis, and threat intelligence feeds for IOC enrichment with DNS context. DNS findings export in STIX/TAXII format to OpenCTI and MISP, enabling community sharing of infrastructure indicators. Works alongside Shodan for port-level exposure detail, SpiderFoot for automated follow-on reconnaissance, and Maltego for graph-based infrastructure visualisation.

Open Standards#

  • DNS (RFC 1034 / RFC 1035): The capability is built entirely on the DNS protocol, resolving more than 30 record types including A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, PTR, SRV, and DNSKEY across globally distributed resolvers.
  • DNSSEC (RFC 4034 / RFC 4035): Cryptographic signature verification for signed zones is implemented natively, with analysis of DNSKEY, DS, RRSIG, NSEC, and NSEC3 records to confirm chain-of-trust integrity.
  • DNS over HTTPS, DoH (RFC 8484): All DNS resolution uses the DoH JSON API, querying Cloudflare, Google Public DNS, Quad9, and OpenDNS resolvers with the application/dns-json content type.
  • Sender Policy Framework, SPF (RFC 7208): SPF record parsing and validation is part of the email security analysis feature, identifying domains that lack or misconfigure outbound sender authorisation.
  • DomainKeys Identified Mail, DKIM (RFC 6376): DKIM selector record retrieval and validation is included in the email authentication posture assessment for each queried domain.
  • DMARC (RFC 7489): DMARC policy record analysis is performed alongside SPF and DKIM to evaluate aggregate email authentication posture and identify spoofing exposure.
  • STIX 2.1 / TAXII 2.1 (OASIS): DNS infrastructure indicators are exported as STIX 2.1 Indicator and Domain-Name objects and shared via TAXII 2.1 feeds to platforms such as OpenCTI and MISP.
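Two of the standards above, the DoH JSON API and STIX 2.1 export, fit together as one pipeline: resolve a name, keep the resolver's validation flags, and emit the result as STIX objects the Integration section says go to OpenCTI and MISP. The block below is an added example, not the platform's own code. It targets Cloudflare's public `https://cloudflare-dns.com/dns-query` endpoint with the `application/dns-json` Accept header (Google and Quad9 expose their own JSON endpoints with slightly different URLs); note that RFC 8484 itself specifies the binary wire-format transport, and the JSON form is a resolver-specific convenience. The parsed response is a constructed sample so the functions run offline, the `AD` flag is the resolver's own DNSSEC-validation verdict rather than a local chain-of-trust check, and STIX object ids are random UUIDs, as the spec allows.

```python
"""Resolve a name through a DoH JSON endpoint and export the answers as STIX 2.1.

Added example, not the Argus platform's code. Endpoint: Cloudflare's public
JSON API. SAMPLE_DOH_RESPONSE is a constructed payload so this runs offline.
"""
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
RRTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

# Constructed sample of what the JSON API returns for an A query (two answers, AD set).
SAMPLE_DOH_RESPONSE = {
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "update-secure-login.example.", "type": 1}],
    "Answer": [
        {"name": "update-secure-login.example.", "type": 1, "TTL": 60, "data": "198.51.100.7"},
        {"name": "update-secure-login.example.", "type": 1, "TTL": 60, "data": "203.0.113.44"},
    ],
}


def doh_request(name: str, rrtype: str) -> Request:
    """Build the GET request: ?name=&type= query string plus the dns-json Accept header."""
    url = f"{DOH_ENDPOINT}?{urlencode({'name': name, 'type': rrtype})}"
    return Request(url, headers={"Accept": "application/dns-json"})


def doh_fetch(name: str, rrtype: str, timeout: float = 5.0) -> Dict:
    """Live lookup (needs network); returns the raw JSON payload."""
    with urlopen(doh_request(name, rrtype), timeout=timeout) as resp:
        return json.load(resp)


def parse_doh_answer(payload: Dict) -> Dict:
    """Normalise a JSON API payload: rcode, resolver flags, and typed answers."""
    answers = [
        {"name": a["name"].rstrip("."), "type": RRTYPE_NAMES.get(a["type"], str(a["type"])),
         "ttl": a["TTL"], "data": a["data"]}
        for a in payload.get("Answer", [])
    ]
    status = payload.get("Status", 0)
    return {
        "rcode": RCODE_NAMES.get(status, str(status)),
        "dnssec_validated": bool(payload.get("AD")),  # resolver validated the chain (AD bit)
        "truncated": bool(payload.get("TC")),
        "answers": answers,
    }


def stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"


def to_stix_bundle(domain: str, resolved: Dict, indicator_types=("malicious-activity",),
                   now: Optional[datetime] = None) -> Dict:
    """STIX 2.1 bundle: Indicator, Domain-Name, IPv4 observables and resolves-to relationships."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    ips = [a["data"] for a in resolved["answers"] if a["type"] == "A"]
    domain_obj = {"type": "domain-name", "spec_version": "2.1", "id": stix_id("domain-name"), "value": domain}
    ip_objs = [{"type": "ipv4-addr", "spec_version": "2.1", "id": stix_id("ipv4-addr"), "value": ip} for ip in ips]
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": f"DNS infrastructure: {domain}",
        "indicator_types": list(indicator_types),
        "pattern": f"[domain-name:value = '{domain}']", "pattern_type": "stix",
    }
    # STIX 2.1 expresses domain -> IP resolution as a resolves-to relationship between SCOs.
    relationships = [
        {"type": "relationship", "spec_version": "2.1", "id": stix_id("relationship"),
         "created": ts, "modified": ts, "relationship_type": "resolves-to",
         "source_ref": domain_obj["id"], "target_ref": ip["id"]}
        for ip in ip_objs
    ]
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, domain_obj, *ip_objs, *relationships]}


if __name__ == "__main__":
    parsed = parse_doh_answer(SAMPLE_DOH_RESPONSE)   # swap for doh_fetch(name, "A") when online
    print(json.dumps(to_stix_bundle("update-secure-login.example", parsed), indent=2))
```

When the resolver returns `AD: false` for a zone you expect to be signed, treat the answer as unvalidated rather than as proof of tampering: the zone may simply be unsigned, or the resolver may not validate.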

Last Reviewed: 2026-02-23 Last Updated: 2026-04-14
