Domain and Subdomain Reconnaissance: Tools and Techniques for OSINT

By Jesse William McGraw, April 26, 2026
[Figure: root domain with a branching subdomain tree, representing domain reconnaissance]

A surprising amount of information about an organisation lives in its DNS records, certificate transparency logs, and historical infrastructure data. For OSINT investigators, security researchers, and attack-surface managers, the discipline of "domain reconnaissance" has become well-developed: knowing which tools surface which information, how to interpret the data, and where the limits are. Done well, it produces detailed inventories of an organisation’s internet-facing infrastructure, including assets the organisation itself may not know it owns.

A practical guide.

What domain reconnaissance produces

The output of a thorough domain recon is something like:

Every domain registered to or associated with the target organisation.

Every subdomain currently or historically resolving under those domains.

Every IP address associated with those subdomains, including IP ranges owned or rented.

Every TLS certificate issued for those domains, with issuance dates and SAN entries.

Mail-handling infrastructure (MX records, mail-server configuration, SPF/DKIM/DMARC records).

Cloud-service usage (CDN providers, cloud regions, third-party services connected via DNS).

Historical records: what existed in the past but has since been removed.

Combined with passive scanning data (covered in the Shodan/Censys post), this gives a comprehensive view of an organisation’s internet-facing presence.

Certificate Transparency

Certificate Transparency (CT) is one of the most useful single resources for reconnaissance. Defined by RFC 6962, CT requires that every TLS certificate issued by a participating Certificate Authority be logged to a public, append-only log. Major browsers reject certificates that do not appear in CT logs. The result: a public, searchable record of every TLS certificate issued for any domain.

Tools that query CT logs:

crt.sh (crt.sh). The most-used public CT log search interface. Supports wildcard searches (%.example.com) that return every subdomain that has had a certificate issued.

Censys Search (search.censys.io). Includes CT log data as one of its indexed sources alongside its internet-wide scans.

Google Transparency Report (transparencyreport.google.com/https/certificates). Google’s interface to CT logs.

A wildcard CT search of an organisation’s primary domain often reveals subdomains that are not advertised, are not in the public DNS records, and represent infrastructure the organisation may have forgotten about. The subdomain "test-prod-2019.target.com" with a valid recent certificate is a finding.
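To show what a wildcard crt.sh result actually has to be turned into, here is an added example (not code from the original article) that parses the JSON crt.sh returns for a %.example.com query into a deduplicated set of in-scope hostnames, folds wildcard entries back to their parent name, drops look-alike names that merely end in the apex string, and reports which names still hold an unexpired certificate. The sample JSON is constructed; only the field names match crt.sh's real output.

```python
import json
from datetime import datetime

# Constructed sample of what crt.sh returns for ?q=%.example.com&output=json.
# Field names follow the real crt.sh JSON output; every value here is made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_before": "2026-01-10T00:00:00", "not_after": "2026-04-10T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-07-01T00:00:00"},
    {"common_name": "test-prod-2019.example.com", "name_value": "test-prod-2019.example.com",
     "not_before": "2026-03-01T00:00:00", "not_after": "2026-05-30T00:00:00"},
    # Look-alike name that a naive endswith("example.com") check would wrongly include
    {"common_name": "example.com.evil.test", "name_value": "example.com.evil.test",
     "not_before": "2026-02-01T00:00:00", "not_after": "2026-05-01T00:00:00"},
])

def in_scope(name, apex):
    """True only for the apex itself or a real subdomain of it."""
    name = name.lower().rstrip(".")
    return name == apex or name.endswith("." + apex)

def subdomains_from_crtsh(raw_json, apex):
    """Map each in-scope hostname to the latest certificate expiry seen for it."""
    apex = apex.lower()
    found = {}
    for cert in json.loads(raw_json):
        expiry = datetime.fromisoformat(cert["not_after"])
        for name in cert["name_value"].split("\n"):   # one SAN entry per line
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]   # a wildcard cert still proves the parent name exists
            if in_scope(name, apex) and (name not in found or expiry > found[name]):
                found[name] = expiry
    return found

def currently_valid(found, now_iso):
    """Hostnames whose most recent certificate had not yet expired at now_iso."""
    now = datetime.fromisoformat(now_iso)
    return sorted(name for name, expiry in found.items() if expiry > now)
```

An expired-only name is still part of the inventory; it just tells you the host once existed rather than that it is live today.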

DNS-based reconnaissance

A standard set of DNS queries:

NS, MX, SOA, A, AAAA, and TXT, with the SPF and DMARC policies published as TXT records. The basics. dig and nslookup are the standard command-line tools.

Reverse DNS. Querying the IP addresses associated with the target’s domains can reveal hosting providers, cloud regions, and sometimes additional hostnames associated with the same IP.

Zone walking (where a DNSSEC-signed zone uses plain NSEC records, whose chain can be followed to enumerate every name in the zone). Old technique; rarely useful in 2026 but occasionally still finds value.
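The TXT records are where the mail-handling picture comes from, so here is an added example (not from the original article) that parses a domain's SPF and DMARC records: the SPF includes name the third-party mail providers authorised to send as the domain, which is the recon value, and the final qualifier plus the DMARC policy tell a defender whether a spoofed message would actually be rejected. The two records are constructed values in valid RFC 7208 / RFC 7489 syntax.

```python
# Constructed TXT records, as a TXT lookup of example.com and _dmarc.example.com
# would return them; the values are made up, the syntax follows RFC 7208 and RFC 7489.
SPF_TXT = "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net ~all"
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

def parse_spf(txt):
    """Return the IP ranges and third-party includes an SPF record authorises,
    plus the qualifier on its final 'all' term; None if this is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    out = {"ip4": [], "include": [], "all": None}
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"      # default qualifier is pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            out["all"] = qual
        elif ":" in body:
            mech, value = body.split(":", 1)
            if mech.lower() in ("ip4", "include"):
                out[mech.lower()].append(value)
    return out

def parse_dmarc(txt):
    """Return the DMARC tags as a dict, or None if the record is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def mail_posture(spf_txt, dmarc_txt):
    """Recon view (which third parties may send as the domain) plus the defender's
    check of whether a spoofed message would actually be rejected."""
    spf, dmarc = parse_spf(spf_txt), parse_dmarc(dmarc_txt)
    findings = []
    if spf is None:
        findings.append("no SPF record")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders")
    if dmarc is None or dmarc.get("p", "none") == "none":
        findings.append("DMARC policy is none: spoofing is reported, not blocked")
    return {"third_parties": spf["include"] if spf else [], "findings": findings}
```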

Subdomain enumeration tools that combine multiple techniques:

Amass (github.com/owasp-amass/amass). The OWASP-maintained subdomain enumeration framework. Combines passive sources (CT logs, search engines, threat intelligence feeds), active sources (DNS resolution, certificate inspection), and brute-force techniques.

Subfinder (github.com/projectdiscovery/subfinder). Project Discovery’s tool; passive enumeration only, fast.

Assetfinder, Findomain. Lighter-weight alternatives.

DNSDumpster (dnsdumpster.com). Web-based tool that aggregates DNS information into a useful summary.

Passive DNS

Passive DNS is the practice of recording DNS queries observed across the internet to build a historical record of which domains resolved to which IPs over time. Several commercial and free services aggregate this data:

SecurityTrails (securitytrails.com). Commercial; comprehensive historical DNS records, certificate data, and WHOIS data.

DNSDB / Farsight (now part of DomainTools). Commercial passive DNS service; the canonical reference for many threat researchers.

CIRCL Passive DNS (circl.lu/services/passive-dns/). Free passive DNS from the Computer Incident Response Center Luxembourg.

VirusTotal’s passive DNS data. Available through their API; useful for correlating malware indicators with DNS history.

PassiveTotal (now part of Microsoft Defender). Commercial; threat-intelligence focus.

Passive DNS is particularly useful for:

Tracking infrastructure changes over time. When did a domain start resolving to which IP? When did it stop?

Pivoting from a known indicator. Given an IP, what domains have ever pointed to it? Given a domain, what other domains have shared its IP history?

Discovering threat-actor infrastructure. Operators often reuse infrastructure across campaigns; passive DNS reveals the connections.
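The three uses above are all pivots over the same kind of record, so here is an added example (not code from the original article or from any of the services named) that runs them over a small constructed passive DNS set: the resolution timeline of one hostname, every name that has ever pointed at a given IP, and the names that shared an IP with a hostname, tagged by whether the two date windows overlapped or the IP was simply reused later. The field names follow the usual passive DNS output style; all values are made up.

```python
# Constructed passive DNS records. The field names (rrname, rrtype, rdata,
# time_first, time_last) follow the usual passive DNS output style; every
# value is made up for this example. Dates are ISO strings, so they sort lexically.
PDNS_RECORDS = [
    {"rrname": "portal.example.com", "rrtype": "A", "rdata": "198.51.100.10",
     "time_first": "2021-03-02", "time_last": "2023-08-14"},
    {"rrname": "portal.example.com", "rrtype": "A", "rdata": "203.0.113.7",
     "time_first": "2023-08-15", "time_last": "2026-04-20"},
    {"rrname": "old-cdn.example.com", "rrtype": "A", "rdata": "198.51.100.10",
     "time_first": "2019-06-01", "time_last": "2021-02-20"},
    {"rrname": "update-check.example.net", "rrtype": "A", "rdata": "203.0.113.7",
     "time_first": "2024-02-11", "time_last": "2024-02-19"},
    {"rrname": "www.example.com", "rrtype": "CNAME", "rdata": "cdn.provider.test",
     "time_first": "2022-05-01", "time_last": "2026-04-20"},
]

def resolution_timeline(records, name):
    """When did this hostname start and stop resolving to each IP?"""
    return sorted((r["time_first"], r["time_last"], r["rdata"])
                  for r in records if r["rrname"] == name and r["rrtype"] == "A")

def names_for_ip(records, ip):
    """Pivot from an IP: every hostname that has ever resolved to it, with dates."""
    return sorted((r["rrname"], r["time_first"], r["time_last"])
                  for r in records if r["rrtype"] == "A" and r["rdata"] == ip)

def _overlap(a, b):
    """True if two (time_first, time_last) windows overlap."""
    return a[0] <= b[1] and b[0] <= a[1]

def shared_ip_neighbours(records, name):
    """Pivot from a hostname: other names that resolved to any IP it has used.
    Hits are tagged 'concurrent' when the date windows overlapped and
    'sequential' when they did not (often plain cloud IP reuse, a weaker link)."""
    own = [(r["rdata"], (r["time_first"], r["time_last"]))
           for r in records if r["rrname"] == name and r["rrtype"] == "A"]
    hits = {}
    for ip, window in own:
        for r in records:
            if r["rrtype"] != "A" or r["rdata"] != ip or r["rrname"] == name:
                continue
            kind = "concurrent" if _overlap(window, (r["time_first"], r["time_last"])) else "sequential"
            hits.setdefault(ip, []).append((r["rrname"], kind))
    return {ip: sorted(v) for ip, v in hits.items()}
```

Treat a sequential hit as a lead to check, not a link: shared hosting and cloud address pools hand the same IP to unrelated tenants all the time.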

WHOIS and registration data

WHOIS data (registrant name, organisation, address, registration date, expiration) has historically been a primary recon source. GDPR and ICANN policy changes since 2018 have substantially restricted public WHOIS data; most domains now show "Redacted for Privacy" rather than registrant details. The remaining useful information:

Registration date. Often visible.

Registrar. Always visible.

Name servers. Always visible.

Historical WHOIS data from before redaction is preserved by services like DomainTools (commercial) and partial public archives. For older domains, useful information may exist in historical records that is not visible in current WHOIS.

For attribution work (tying a domain to a specific person or organisation), WHOIS in 2026 is much less useful than it was a decade ago. Other techniques (CT logs, hosting patterns, payment-processor information for compromised sites) often produce stronger attribution.

ASN and IP-block information

For investigations involving infrastructure rather than just domain names:

BGP Toolkit / Hurricane Electric (bgp.he.net). Free interface to AS routing information: given an IP, which AS announces it; given an AS, which IP ranges it announces. Useful for understanding hosting relationships.

RIPE Database (ripe.net/manage-ips-and-asns/db). The European IP registry. Similar registries exist for other regions (ARIN, APNIC, LACNIC, AfriNIC).

Spur.us, IPInfo, MaxMind GeoIP. Commercial IP intelligence services that classify IPs by usage type (residential, datacenter, VPN, Tor exit, mobile, etc.).

Modern integrated platforms

Several platforms aggregate DNS, certificate, scan, and threat data into single interfaces:

Censys (censys.io). Internet-wide scans, CT logs, and historical infrastructure data. Strong query language. Free tier and commercial.

Shodan (shodan.io). Originally focused on internet-exposed devices; expanded to broader infrastructure intelligence. Strong for finding specific exposed services on a target’s IP range.

SecurityTrails. Domain-centric integrated view of DNS history, certificates, WHOIS.

Maltego (covered in detail in the next post). Link-analysis platform that integrates dozens of recon sources for visual investigation.

Recon-ng (github.com/lanmaster53/recon-ng). Open-source modular recon framework; aggregates data from many sources into a single workflow.

Putting it together

A workflow for a thorough domain reconnaissance:

Start with the canonical domain. Query WHOIS for whatever is still visible, and note the registrar and name servers.

Wildcard CT search to enumerate every subdomain that has had a certificate. crt.sh is the standard.

Passive DNS to find historical resolutions for the domain and its subdomains. SecurityTrails or commercial alternatives.

Active subdomain enumeration with Amass or Subfinder using a combination of passive and brute-force techniques.

For each discovered subdomain, resolve it to its current IP address. Note the hosting provider via a BGP/ASN lookup.

For each unique IP and IP range, scan with Censys or Shodan to identify exposed services.

Cross-reference with threat-intelligence feeds for any indicators that the discovered infrastructure has been associated with malicious activity.

Document. Spreadsheet, mind map, or Maltego graph; the structure depends on the scale of the investigation.

The output is the "attack surface inventory" of the target. For investigators, it is the foundation for understanding what the target operates online. For security teams investigating their own organisation, it is the recurring "we own how many subdomains?" exercise that frequently surfaces forgotten assets.

Operational notes

Some recon techniques are passive (consume already-public data); others are active (probe the target). The distinction matters legally and ethically. Active probing of systems you do not own may violate computer-misuse laws in your jurisdiction. Authorised penetration testing has specific permission frameworks; unsolicited probing does not.

CT log searches and passive DNS queries are passive: they consume public records. DNS resolution is technically active but produces no notable load and is not generally controversial.

Aggressive subdomain brute-forcing produces traffic to the target’s DNS servers; this is observable to the target.

Looking up the target’s IP ranges in Censys/Shodan uses scan data those services have already collected and is passive; running your own scans is active.

The credible OSINT investigator stays on the passive side or operates with explicit authorisation. The lawful and ethical use of these tools is what separates the discipline from generic hacking.

The category of tools and techniques here is broad and continually evolving. The fundamental principle has stayed consistent: organisations leak more about their infrastructure publicly than they realise, and structured collection of that public information produces a useful and often surprising picture.

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.