██████╗ ███╗ ██╗███████╗
██╔══██╗████╗ ██║██╔════╝
██║ ██║██╔██╗ ██║███████╗
██║ ██║██║╚██╗██║╚════██║
██████╔╝██║ ╚████║███████║
╚═════╝ ╚═╝ ╚═══╝╚══════╝
DNS-analysis: rapid defensive triage and infrastructure footprinting for SOC and threat hunting workflows.
> [!TIP]
> Designed for fast start on Debian or Ubuntu. Copy, paste, run.

```bash
sudo apt update && sudo apt install -y dnsutils bind9-host whois python3 python3-pip jq git
git clone https://github.com/FoxSecIntel/DNS-analysis.git
cd DNS-analysis
python3 -m pip install --user dnspython
```

This repo is optimised for operator workflows, not script collecting. Use the scenario that matches your incident or monitoring task.
**I need to quickly profile a suspicious domain.**

```bash
./domain-info.sh --domain suspicious-example.com
```

Use this first for fast DNS context before deeper pivots.

**I need to check key domains for unauthorised NS or email-security drift.**

Single domain:

```bash
python3 ./domain-security-monitor.py --domain example.com --output json
```

Batch:

```bash
python3 ./domain-security-monitor.py --input-file domains.txt --output json
```

This includes nameserver policy checks, SPF/DMARC/DKIM posture, and expiry visibility with confidence metadata.

**I need origin evidence for a domain using Cloudflare.**

```bash
python3 ./cloudflare-detector.py --domain target.example
```

Use this to evaluate whether a domain is truly fronted by Cloudflare and identify signal quality.
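To make concrete what "nameserver policy checks" and "SPF/DMARC posture with confidence metadata" look like as data, here is an added example that is not the repository's own code: it grades constructed DNS answers offline and emits a per-signal status, confidence and data source in the style the monitor output is described as having. The record shapes, the signal names, the `EXPECTED_NS` baseline and the sample answers are all assumptions made for the example.

```python
"""Added example (not the DNS-analysis repository's own code): per-signal
status/confidence/source metadata computed offline from constructed DNS answers.
Record shapes, signal names and the expected-NS baseline are assumptions."""
import re

# Constructed sample answers, as a resolver might return them for one zone.
SAMPLE_RECORDS = {
    "NS": ["ns1.example-dns.net.", "ns2.example-dns.net.", "ns-rogue.example.org."],
    "TXT": ['"v=spf1 include:_spf.example-mail.net ~all"'],
    "_dmarc.TXT": ['"v=DMARC1; p=none; rua=mailto:dmarc@example.com"'],
}

# Hypothetical operator-maintained baseline of approved nameservers per domain.
EXPECTED_NS = {"example.com": {"ns1.example-dns.net.", "ns2.example-dns.net."}}


def _signal(status, detail, confidence, source):
    return {"status": status, "detail": detail, "confidence": confidence, "source": source}


def check_ns_drift(domain, records):
    """Compare the observed NS set with the baseline; any difference is a high-confidence fail."""
    observed = {ns.lower() for ns in records.get("NS", [])}
    expected = EXPECTED_NS.get(domain)
    if not observed:
        return _signal("fail", "no NS records observed", "low", "dns:NS")
    if expected is None:
        return _signal("warn", "no NS baseline configured for domain", "low", "dns:NS")
    added, removed = observed - expected, expected - observed
    if added or removed:
        return _signal("fail", f"added={sorted(added)} removed={sorted(removed)}", "high", "dns:NS")
    return _signal("pass", "nameservers match baseline", "high", "dns:NS")


def check_spf(records):
    """Grade the SPF record by its terminal 'all' qualifier (RFC 7208 semantics)."""
    txt = [t.strip('"') for t in records.get("TXT", [])]
    spf = [t for t in txt if t.lower().startswith("v=spf1")]
    if not spf:
        return _signal("fail", "no SPF record", "high", "dns:TXT")
    if len(spf) > 1:
        return _signal("fail", "multiple SPF records; exactly one is permitted", "high", "dns:TXT")
    m = re.search(r"\s([-~?+]?)all\s*$", spf[0])
    if not m:
        return _signal("warn", "no terminal 'all' mechanism", "medium", "dns:TXT")
    qual = m.group(1) or "+"  # a bare 'all' means '+all'
    if qual == "-":
        return _signal("pass", "hard fail (-all)", "high", "dns:TXT")
    if qual == "~":
        return _signal("warn", "soft fail (~all)", "high", "dns:TXT")
    return _signal("fail", f"permissive terminal mechanism ({qual}all)", "high", "dns:TXT")


def check_dmarc(records):
    """Grade the DMARC policy tag (RFC 7489 p=none/quarantine/reject)."""
    txt = [t.strip('"') for t in records.get("_dmarc.TXT", [])]
    dmarc = [t for t in txt if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        return _signal("fail", "no DMARC record", "high", "dns:_dmarc/TXT")
    tags = {}
    for kv in dmarc[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    if policy == "reject":
        return _signal("pass", "p=reject", "high", "dns:_dmarc/TXT")
    if policy in ("quarantine", "none"):
        return _signal("warn", f"p={policy}; not yet enforcing reject", "high", "dns:_dmarc/TXT")
    return _signal("fail", "missing or invalid p= tag", "medium", "dns:_dmarc/TXT")


def evaluate(domain, records):
    """Assemble one result entry: the domain plus a map of named signals."""
    return {"domain": domain, "signals": {
        "nameservers": check_ns_drift(domain, records),
        "spf": check_spf(records),
        "dmarc": check_dmarc(records),
    }}


if __name__ == "__main__":
    import json
    print(json.dumps({"results": [evaluate("example.com", SAMPLE_RECORDS)]}, indent=2))
```

The confidence field is what makes the output safe to automate on: a missing baseline or an empty answer is reported at low confidence so a pipeline can route it to a human rather than page on it, while a concrete NS difference or a permissive `+all` is high confidence and can feed an alert directly.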
| Script | Primary Use Case | Best For |
|---|---|---|
| `domain-info.sh` | Quick DNS posture summary | First-pass incident triage |
| `domain-security-monitor.py` | Structured domain security checks with confidence + data source metadata | Brand monitoring, recurring control checks |
| `domain-checkNS.sh` | Nameserver integrity validation | Drift detection and change verification |
| `cloudflare-detector.py` | Cloudflare signal analysis and origin exposure hints | CDN/WAF bypass investigations |
| `domain_security_report.py` | Aggregated reporting workflows | Scheduled reporting and analyst summaries |
| `qa_check.sh` | Local quality checks for repo scripts | Safe pre-commit validation |
| `tools/domain-posture-go/domain-posture` | Multi-threaded DNS and TLS posture reconnaissance with headers, redirect, cert expiry, security.txt, and WHOIS age | Batch triage and JSON pipeline ingestion |
> [!TIP]
> The monitor output is designed for machine filtering and SOC pipelines.

Surface signals whose confidence is low, so an analyst can review them before they drive alerting:

```bash
python3 ./domain-security-monitor.py --input-file domains.txt --output json \
  | jq '.results[] | {domain, lowConfidenceSignals: (.signals | to_entries | map(select(.value.confidence == "low")))} | select(.lowConfidenceSignals | length > 0)'
```

Surface domains with failing or warning checks:

```bash
python3 ./domain-security-monitor.py --input-file domains.txt --output json \
  | jq '.results[] | {domain, issues: (.signals | to_entries | map(select(.value.status == "fail" or .value.status == "warn")))} | select(.issues | length > 0)'
```

> [!TIP]
> Replace this with a high-contrast terminal screenshot (Catppuccin or Tokyo Night style) showing a successful monitor run.

![Terminal screenshot placeholder](docs/media/terminal-screenshot.png)
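The same two selections can be applied in a pipeline stage without jq. The following is an added example, not the repository's own code: it reads a constructed result set in the shape the jq filters above assume (`results[].signals[name].status` and `.confidence`), reproduces both filters, and adds a triage ordering that ranks domains by their worst signal. The signal names and values in `SAMPLE_OUTPUT` are constructed for the example.

```python
"""Added example (not the DNS-analysis repository's own code): Python analogue
of the two jq filters, plus a triage ordering, over a constructed result set.
Only the result shape used by the jq expressions is assumed."""
import json

# Constructed sample monitor output in the shape the jq filters expect.
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {"domain": "example.com", "signals": {
            "nameservers": {"status": "pass", "confidence": "high"},
            "spf": {"status": "warn", "confidence": "high"},
            "dmarc": {"status": "fail", "confidence": "high"},
            "expiry": {"status": "pass", "confidence": "low"},
        }},
        {"domain": "example.org", "signals": {
            "nameservers": {"status": "pass", "confidence": "high"},
            "spf": {"status": "pass", "confidence": "high"},
            "dmarc": {"status": "pass", "confidence": "medium"},
        }},
    ]
})

# Higher value = more urgent. Unknown values rank lowest rather than raising.
_STATUS_RANK = {"fail": 2, "warn": 1, "pass": 0}
_CONF_RANK = {"high": 2, "medium": 1, "low": 0}


def low_confidence_signals(output_json):
    """Per domain, the signal names with confidence 'low' (first jq filter); domains with none are omitted."""
    hits = {}
    for r in json.loads(output_json)["results"]:
        low = sorted(n for n, s in r["signals"].items() if s.get("confidence") == "low")
        if low:
            hits[r["domain"]] = low
    return hits


def issues(output_json):
    """Per domain, the signal names in fail or warn state (second jq filter)."""
    hits = {}
    for r in json.loads(output_json)["results"]:
        bad = sorted(n for n, s in r["signals"].items() if s.get("status") in ("fail", "warn"))
        if bad:
            hits[r["domain"]] = bad
    return hits


def triage_order(output_json):
    """Domains ordered by their worst (status, confidence) pair, most urgent first, ties by name."""
    scored = []
    for r in json.loads(output_json)["results"]:
        worst = max(
            ((_STATUS_RANK.get(s.get("status"), 0), _CONF_RANK.get(s.get("confidence"), 0))
             for s in r["signals"].values()),
            default=(0, 0),
        )
        scored.append((worst, r["domain"]))
    return [d for _, d in sorted(scored, key=lambda x: (-x[0][0], -x[0][1], x[1]))]


if __name__ == "__main__":
    print("review:", low_confidence_signals(SAMPLE_OUTPUT))
    print("issues:", issues(SAMPLE_OUTPUT))
    print("triage:", triage_order(SAMPLE_OUTPUT))
```

Keeping low-confidence signals in a separate review bucket, rather than folding them into the issues list, stops a noisy WHOIS or expiry lookup from outranking a high-confidence DMARC failure in the queue.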
- Keep additions workflow-driven.
- Prefer confidence-scored outputs over binary pass/fail when signal quality varies.
- Include JSON examples when adding new checks.
> [!WARNING]
> Use these tools only on domains and infrastructure you own or are explicitly authorised to assess. Unauthorised scanning, probing, or surveillance may violate law, policy, or contractual terms.
Apache License 2.0
