
DNS Infrastructure Analysis

Comprehensive technical analysis of domain infrastructure to assess operational readiness and threat potential.

What is DNS Infrastructure Analysis?

DNS Infrastructure Analysis is our comprehensive technical assessment of suspicious domains to determine their operational capabilities and threat level. By analyzing DNS records, security configurations, and infrastructure patterns, we can identify which domains pose immediate risks versus those that are dormant.

This analysis goes beyond simple domain registration monitoring to provide actionable intelligence about the technical sophistication and readiness of potential threats to your brand.

Key Infrastructure Components

Our system analyzes multiple aspects of domain infrastructure to build a complete threat profile:

Web Records (A/AAAA)

Analysis of web server infrastructure through the IPv4 (A) and IPv6 (AAAA) records. An A or AAAA record means the domain resolves to a host that can serve content; a phishing page cannot be served without one, so these are usually the first records an attacker publishes.

What we check:

  • Presence of A and AAAA records
  • IP address geolocation and hosting provider
  • Multiple IP addresses (load balancing/redundancy)
  • IP reputation and abuse history

Mail Records (MX)

Evaluation of mail server configuration through MX records. Email infrastructure is crucial for phishing campaigns and business email compromise attacks.

What we analyze:

  • MX record configuration and priorities
  • Mail server hostnames and providers
  • Professional vs. free email service setup
  • Mail server IP reputation

SPF Configuration

Sender Policy Framework analysis to determine the domain's email authentication setup. A valid SPF record on a suspicious domain shows that the operator intends to send mail that passes receiver checks, not merely to host a page, which is a marker of a more capable attacker.

Assessment criteria:

  • Presence and validity of SPF records
  • Authorized sending sources and mechanisms
  • Policy strictness (soft fail vs. hard fail)
  • Common misconfigurations and security implications

DKIM Configuration

DomainKeys Identified Mail analysis to assess email signing infrastructure. Because DKIM requires publishing a public key in DNS and configuring a mail server to sign with the matching private key, its presence on a suspicious domain points to a deliberately built sending setup and a higher level of threat sophistication.

Detection methods:

  • Common DKIM selector probing (default, mail, google, etc.), querying TXT at selector._domainkey.domain
  • Public key presence and validity (an empty p= tag indicates a revoked key)
  • Key strength and algorithm analysis
  • Integration with popular email services

DMARC Policy

Domain-based Message Authentication, Reporting, and Conformance policy analysis. A DMARC record tells receivers how to handle mail that fails SPF/DKIM alignment and where to send reports; publishing one shows the operator is actively tuning deliverability and monitoring results.

Policy evaluation:

  • DMARC policy presence and configuration
  • Policy action (none, quarantine, reject) and the subdomain policy (sp)
  • Alignment requirements (adkim/aspf, strict vs. relaxed)
  • Reporting configuration (rua aggregate and ruf forensic report addresses)
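The three record formats above can be checked with a few string parsers once the TXT data has been retrieved. The Python below is an added example written for this page, not the product's own code: it parses an SPF record into its mechanisms and rates the all qualifier, parses a DKIM key record (estimating RSA key size from the DER length of the p= value, so treat that figure as approximate), and parses a DMARC record into policy, alignment and reporting fields. The sample records, the examp1e.test name, and the selectors beyond default/mail/google are constructed for illustration.

```python
"""Parsers for SPF, DKIM and DMARC TXT records.  Added example; the sample
records and the examp1e.test domain below are constructed, not real data."""
import base64
import re

# Selectors named on the page plus a few common ones (assumption: real probing
# lists are far longer).
COMMON_DKIM_SELECTORS = ("default", "mail", "google", "selector1", "selector2", "k1")

# Constructed sample records.  The DKIM key is 294 zero bytes, the DER length
# of a 2048-bit RSA SubjectPublicKeyInfo; it is not a usable key.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.mail-provider.example mx -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x00" * 294).decode()
SAMPLE_DMARC = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc@examp1e.test"


def dkim_query_names(domain):
    """TXT names to query when probing a domain for DKIM keys."""
    return [f"{sel}._domainkey.{domain}" for sel in COMMON_DKIM_SELECTORS]


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs and rate it.

    The 'all' qualifier decides strictness: -all hard fail, ~all soft fail,
    ?all neutral, +all (or bare 'all') authorises every sender, the classic
    misconfiguration.  RFC 7208 allows at most 10 DNS-querying terms; more
    is a permerror and receivers treat the record as invalid.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, strictness, lookups = [], "none", 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        mechanisms.append((qualifier, body))
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
        if name == "all":
            strictness = {"-": "hardfail", "~": "softfail",
                          "?": "neutral", "+": "pass_all"}[qualifier]
    return {"mechanisms": mechanisms, "strictness": strictness,
            "lookups": lookups, "valid": lookups <= 10}


def parse_tag_value(record):
    """Parse 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_dkim(record):
    """Assess a DKIM key record: presence, revocation, algorithm, key size.

    RSA size is estimated from DER length (162 bytes at 1024 bits, 294 at
    2048, 550 at 4096) and rounded to the nearest 256 bits.
    """
    tags = parse_tag_value(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return None
    algorithm = tags.get("k", "rsa").lower()
    key_b64 = re.sub(r"\s+", "", tags.get("p", ""))
    if not key_b64:  # empty p= means the key was revoked
        return {"present": True, "revoked": True, "valid": True,
                "algorithm": algorithm, "bits": 0, "weak": True}
    try:
        der = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return {"present": True, "revoked": False, "valid": False,
                "algorithm": algorithm, "bits": 0, "weak": True}
    if algorithm == "ed25519":
        bits = len(der) * 8  # raw 32-byte public key
    else:
        bits = max(256, round((len(der) - 38) * 8 / 256) * 256)
    return {"present": True, "revoked": False, "valid": True,
            "algorithm": algorithm, "bits": bits, "weak": bits < 2048}


def parse_dmarc(record):
    """Evaluate a DMARC record: policy action, alignment, reporting."""
    tags = parse_tag_value(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    policy = tags["p"].lower()
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),
        "pct": int(tags.get("pct", "100")),
        "dkim_alignment": "strict" if tags.get("adkim", "r") == "s" else "relaxed",
        "spf_alignment": "strict" if tags.get("aspf", "r") == "s" else "relaxed",
        "aggregate_reports": "rua" in tags,
        "forensic_reports": "ruf" in tags,
        "enforcing": policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    print(dkim_query_names("examp1e.test"))
    print(parse_spf(SAMPLE_SPF))
    print(parse_dkim(SAMPLE_DKIM))
    print(parse_dmarc(SAMPLE_DMARC))
```

In live use the record strings come from TXT queries at the apex (SPF), at `_dmarc.<domain>` (DMARC) and at each `<selector>._domainkey.<domain>` name (DKIM); a "soft fail" SPF with a `p=none` DMARC is a common profile for a domain that is being warmed up before a campaign.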

Analysis Workflow

Our infrastructure analysis follows a systematic approach to ensure comprehensive coverage:

  1. Initial Discovery: domain detected through similarity analysis and added to the monitoring queue
  2. DNS Enumeration: comprehensive DNS record queries for all infrastructure components
  3. Security Analysis: email security configuration assessment (SPF, DKIM, DMARC)
  4. Risk Scoring: infrastructure risk calculation based on detected components
  5. Continuous Monitoring: ongoing surveillance for infrastructure changes and threat evolution

Infrastructure Status Indicators

Each infrastructure component is clearly marked in our alert system to help you understand the threat level:

  + Configured: infrastructure component is active and properly configured
  - Not Configured: infrastructure component is not present or not functional

Timing and Frequency

Infrastructure analysis is performed at strategic intervals to balance thoroughness with resource efficiency:

  • Initial Analysis: Performed within 24 hours of domain detection
  • Periodic Re-analysis: Weekly checks for infrastructure changes
  • Event-Triggered Analysis: Immediate re-analysis when DNS changes are detected
  • Certificate Monitoring: Real-time analysis when a TLS certificate is issued for the domain, as observed in Certificate Transparency logs

Technical Implementation

Our infrastructure analysis leverages multiple data sources and techniques:

  • Authoritative DNS queries: Direct queries to authoritative name servers
  • Passive DNS analysis: Historical DNS data for infrastructure evolution tracking
  • Certificate Transparency monitoring: TLS certificate issuance and changes as recorded in public CT logs
  • Multi-resolver validation: Cross-validation across multiple DNS resolvers
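Multi-resolver validation and the change detection behind event-triggered re-analysis both reduce to comparing normalised answer sets. The Python below is an added example, not the product's implementation: the query function is injected so the same logic can be driven from a live resolver library or, as here, from canned answers, and the resolver names and records are constructed (one resolver is deliberately serving a stale A record).

```python
"""Cross-validate DNS answers across resolvers and diff snapshots over time.
Added example; RESOLVER_DATA is constructed and stands in for network queries."""

# Constructed answers per resolver.  "resolver-2" lags behind an A-record
# change, which cross-validation should surface.
RESOLVER_DATA = {
    "authoritative": {("examp1e.test", "A"): ["203.0.113.10"],
                      ("examp1e.test", "MX"): ["10 mail.examp1e.test."]},
    "resolver-1":    {("examp1e.test", "A"): ["203.0.113.10"],
                      ("examp1e.test", "MX"): ["10 MAIL.examp1e.test"]},
    "resolver-2":    {("examp1e.test", "A"): ["198.51.100.7"],
                      ("examp1e.test", "MX"): ["10 mail.examp1e.test"]},
}


def canned_query(resolver, name, rtype):
    """Stand-in for a network lookup; [] models NXDOMAIN / no data."""
    return RESOLVER_DATA.get(resolver, {}).get((name.lower(), rtype), [])


def normalise(answers):
    """Order- and case-insensitive answer set.  Whitespace is collapsed and the
    trailing dot dropped so 'mail.examp1e.test.' equals 'MAIL.examp1e.test'."""
    return frozenset(" ".join(a.split()).rstrip(".").lower() for a in answers)


def cross_validate(name, rtype, query, resolvers, authoritative="authoritative"):
    """Compare each resolver's answer with the authoritative answer.

    A divergent resolver is worth a second look: propagation lag after a
    recent change, split-horizon DNS, or a resolver returning tampered data.
    """
    truth = normalise(query(authoritative, name, rtype))
    answers = {r: normalise(query(r, name, rtype)) for r in resolvers}
    divergent = sorted(r for r, ans in answers.items() if ans != truth)
    return {"authoritative": sorted(truth),
            "divergent_resolvers": divergent,
            "consistent": not divergent}


def snapshot(domain, query, resolver="authoritative",
             rtypes=("A", "AAAA", "MX", "TXT")):
    """Normalised view of a domain's records, suitable for storing and diffing."""
    return {rt: normalise(query(resolver, domain, rt)) for rt in rtypes}


def diff_snapshots(previous, current):
    """Per-record-type additions and removals; {} means nothing changed, so
    no event-triggered re-analysis is needed."""
    changes = {}
    for rt in sorted(set(previous) | set(current)):
        added = current.get(rt, frozenset()) - previous.get(rt, frozenset())
        removed = previous.get(rt, frozenset()) - current.get(rt, frozenset())
        if added or removed:
            changes[rt] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


if __name__ == "__main__":
    print(cross_validate("examp1e.test", "A", canned_query, ["resolver-1", "resolver-2"]))
    before = {"A": frozenset(), "MX": frozenset()}  # constructed earlier snapshot
    print(diff_snapshots(before, snapshot("examp1e.test", canned_query)))
```

Storing the normalised snapshot rather than raw answers keeps TTL jitter and case differences from registering as changes.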

Interpreting Results

Understanding infrastructure analysis results helps prioritize response efforts:

High Risk Configuration

Multiple infrastructure components active, especially email security configurations

Action: Immediate investigation and potential legal action

Medium Risk Configuration

Basic web or email infrastructure present but incomplete setup

Action: Enhanced monitoring and preparation for escalation

Low Risk Configuration

Minimal or no infrastructure configured - likely dormant domain

Action: Continue monitoring for infrastructure changes
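To show how the detected components map onto the Configured / Not Configured indicators and the three tiers above, here is an added example that is not the product's scoring (the page does not publish its weights): it derives the profile from enumerated records and applies one reading of the tier descriptions, in which MX plus any email authentication record, or three or more components, is High, any single component is Medium, and nothing configured is Low. The zone data is constructed and the DKIM p= value is a placeholder, not a real key.

```python
"""Build the infrastructure profile from enumerated records and map it to a
risk tier.  Added example; the zone is constructed and the tier rules are an
assumption about how the page's descriptions could be implemented."""
import re

DKIM_SELECTORS = ("default", "mail", "google")  # selectors named on the page

LABELS = {"web": "Web records (A/AAAA)", "mx": "Mail records (MX)",
          "spf": "SPF", "dkim": "DKIM", "dmarc": "DMARC"}

# Constructed lookalike zone, fully built out to send authenticated mail.
SAMPLE_ZONE = {
    ("examp1e.test", "A"): ["203.0.113.10"],
    ("examp1e.test", "MX"): ["10 mail.examp1e.test"],
    ("examp1e.test", "TXT"): ["v=spf1 mx -all"],
    ("default._domainkey.examp1e.test", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    ("_dmarc.examp1e.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:reports@examp1e.test"],
}

# A non-empty p= tag; a bare 'p=' is a revoked key and does not count.
DKIM_KEY_PRESENT = re.compile(r"\bp=\s*[A-Za-z0-9+/=]+")


def build_profile(domain, records):
    """records: {(name, rtype): [rdata, ...]} as produced by DNS enumeration."""
    domain = domain.lower()

    def rr(name, rtype):
        return records.get((name.lower(), rtype), [])

    dkim_found = [s for s in DKIM_SELECTORS
                  if any(DKIM_KEY_PRESENT.search(t)
                         for t in rr(f"{s}._domainkey.{domain}", "TXT"))]
    return {
        "web": bool(rr(domain, "A") or rr(domain, "AAAA")),
        "mx": bool(rr(domain, "MX")),
        "spf": any(t.lower().startswith("v=spf1") for t in rr(domain, "TXT")),
        "dkim": bool(dkim_found),
        "dmarc": any(t.upper().startswith("V=DMARC1")
                     for t in rr(f"_dmarc.{domain}", "TXT")),
    }


def risk_tier(profile):
    """Map a profile to High / Medium / Low with the page's recommended action."""
    active = [k for k, on in profile.items() if on]
    email_auth = [k for k in ("spf", "dkim", "dmarc") if profile[k]]
    if (profile["mx"] and email_auth) or len(active) >= 3:
        tier = "High"
        action = "Immediate investigation and potential legal action"
    elif active:
        tier = "Medium"
        action = "Enhanced monitoring and preparation for escalation"
    else:
        tier = "Low"
        action = "Continue monitoring for infrastructure changes"
    return {"tier": tier, "action": action, "active": active, "email_auth": email_auth}


def status_lines(profile):
    """The +/- indicator lines shown in alerts."""
    return [f"{'+' if on else '-'} {LABELS[k]}: "
            f"{'Configured' if on else 'Not Configured'}"
            for k, on in profile.items()]


if __name__ == "__main__":
    profile = build_profile("examp1e.test", SAMPLE_ZONE)
    print("\n".join(status_lines(profile)))
    print(risk_tier(profile))
```

The MX-plus-authentication rule is what separates a parked or redirect-only domain from one whose operator has invested in mail deliverability; a domain that moves from Medium to High between two weekly checks is exactly the change continuous monitoring is meant to catch.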
