Technical Details
A public, non-sensitive breakdown of what DomainLens scans and reports.
Safe Disclosure Notice
This page documents product capability only. It does not expose secrets, credentials, private infrastructure, exploit payloads, or internal operational data.
Scan Coverage
Identity & Registration
- RDAP (RFC 9083) registration data via IANA bootstrap discovery
- EPP status code analysis with security implications
- WHOIS ownership fallback and lifecycle metadata
- Domain age, expiry window, registrar/NS change signals
- Lifecycle volatility scoring and stage classification
- Punycode/IDN, homoglyph, and brand-typosquat indicators
- TLD risk heuristics and composite domain risk scoring
DNS & Advanced DNS
- Core DNS records (A/AAAA/CNAME/MX/NS/TXT/SOA/SRV/CAA/PTR)
- IPv4 and IPv6 reverse lookup (PTR) support
- DNSSEC plus CAA policy quality checks
- HTTPS and SVCB service binding record analysis
- Wildcard resolution and dangling CNAME detection
- AXFR zone transfer exposure and split-DNS consistency checks
TLS & Certificates
- Certificate metadata, SANs, key type/strength, and expiry
- Protocol and cipher negotiation assessment
- Deprecated protocol acceptance tests
- Forward secrecy, OCSP/CRL, CT/SCT, HTTP/2 and HTTP/3 signals
- OCSP stapling status detection and freshness check
- mTLS/client certificate requirement hints
Headers & Web Security
- Security header checks (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, etc.)
- Modern isolation headers (COOP, COEP, CORP, Clear-Site-Data)
- CSP quality and redirect hygiene checks
- CORS posture and risky HTTP method checks
- Reporting header analysis (modern Reporting-Endpoints and deprecated Report-To)
- Network Error Logging (NEL) policy detection
- CSP and COOP reporting endpoint validation
- Cookie hardening checks (Secure, HttpOnly, SameSite, prefixes)
- Server fingerprinting and technology stack detection
Email Security
- SPF policy quality and lookup limit checks
- DMARC presence and policy strength evaluation
- DKIM selector probing and MX posture
- Active SMTP STARTTLS handshake and certificate validation
- DANE/TLSA checks for SMTP transport hardening
- MTA-STS, TLS-RPT, and BIMI coverage
Exposure & Attack Surface
- Well-known sensitive path exposure checks
- Subdomain discovery and takeover risk signals
- JavaScript endpoint discovery (API, GraphQL, WebSocket, OAuth)
- Third-party dependency inventory with provider categorization
- Page title/classification and DOM plus favicon fingerprinting
- Technology-based CVE correlation with EPSS and KEV enrichment
Infrastructure Intelligence
- IP resolution, reverse DNS, and geo/ASN enrichment
- Cloud/CDN/WAF indicator detection
- Anycast/multi-edge pattern signals
- RPKI origin-validation signals for routed IP trust posture
- DNS blacklist reputation checks
Historical Drift
- Baseline snapshot persistence per scanned domain
- Change detection for score, certificate, DNS, and exposure signals
- Drift findings surfaced with severity-tagged context
- Historical comparisons to catch regressions over time
Reporting & Scoring
- Severity-tagged findings with rationale and remediation notes
- Overall score and grade
- Category-level scores and grades
- Top prioritized action list for remediation planning
- In-app guidance panels for high-friction findings (for example, CT/subdomain cleanup)
Detailed Scan + Report Matrix
Each row below summarizes what DomainLens checks and the primary outputs included in the report.
| Module | What is checked | What is reported |
|---|---|---|
| Domain Validation | Input format validation and normalization for domains, IPv4, and IPv6 addresses. | Validated target domain (or reverse-looked-up domain from IP input) and error state. |
| DNS Lookup | A, AAAA, CNAME, MX, NS, TXT, SOA, SRV, CAA, PTR. | Record name/type/value/TTL list and resolver errors when present. |
| RDAP Lookup (NEW) | IANA bootstrap discovery, structured RDAP registration data, EPP status codes, entities, abuse contacts. | RDAP registration fields, EPP security analysis, entity roles, protection flags, and findings. |
| WHOIS | Registrar, organization, created/updated/expiry dates, nameservers, referrals. | Structured WHOIS fields and raw WHOIS text snapshot (supplementary to RDAP or fallback). |
| Certificate Metadata | Subject, issuer, validity window, serial, thumbprint, SAN entries, signature algorithm. | Certificate metadata and days-to-expiry calculations. |
| TLS Analysis | Negotiated protocol/cipher/strength, cert-chain validity, weak protocol acceptance tests. | TLS findings with pass/warn/fail severity and remediation notes. |
| Deep TLS | Forward secrecy, key strength, OCSP/CRL/CT signals, HTTP/2 and HTTP/3 indicators, chain details, OCSP stapling status, mTLS/client-cert requirements. | Advanced TLS findings, full certificate chain entries, OCSP stapling classification, and mTLS detection indicators. |
| Web Server + Tech Fingerprinting | Response status/redirect/headers and common framework/CMS/library fingerprints. | Detected technologies, server headers, and generator metadata. |
| Security Headers | HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP, Clear-Site-Data, CORS wildcard and redirect correctness checks. | Header-by-header findings and configuration recommendations. |
| Reporting-Endpoints + NEL (NEW) | Reporting-Endpoints (modern), Report-To (deprecated), CSP report-uri/report-to, COOP reporting, NEL policy detection, endpoint security validation. | Parsed reporting endpoints with security status, NEL policy details, and endpoint validation findings. |
| Email Security | SPF, DKIM, DMARC, MX, SMTP STARTTLS probing, DANE/TLSA, MTA-STS, TLS-RPT, BIMI checks and policy quality logic. | Email posture findings, parsed policy fields, STARTTLS result details, and transport-security indicators. |
| Cookie Security | Secure/HttpOnly/SameSite flags, prefix rules, sensitive cookie patterns, third-party and long-lived cookie heuristics. | Per-cookie analyses and risk findings for cookie hardening. |
| Info Disclosure | Well-known sensitive path checks (targeted, non-brute-force). | Discovered paths with status codes and severity-tagged findings. |
| Advanced DNS | DNSSEC, CAA quality, HTTPS/SVCB service records, wildcard DNS, dangling CNAME, AXFR exposure, dual-stack DNS, split-DNS consistency. | Advanced DNS findings and supporting resolver evidence. |
| Web Exposure | Sensitive file checks, HTTP methods, CORS reflection, TRACE, login/admin endpoints, directory listing, source map and leak-pattern checks, plus page title/classification and DOM/favicon fingerprinting. | Exposure findings, portal indicators, fingerprint signals, and evidence list. |
| Subdomain Discovery | Certificate Transparency enumeration, subdomain classification, liveness probes, takeover pattern signals. | Subdomain inventory with classification and takeover risk flags. |
| DNSBL Reputation | Resolved IPv4 checked against major public DNS blocklists. | Per-list listed/clean results and blacklist response metadata. |
| CVE Correlation | Technology-to-keyword mapping and NVD API lookup for known CVEs, with EPSS probability and KEV (Known Exploited Vulnerabilities) enrichment. | CVE IDs, severity/CVSS, EPSS score, KEV flags, published date, matched technology, and version confidence. |
| JS Endpoint Discovery (NEW) | Extraction of API, GraphQL, WebSocket, SSO/OAuth, cloud storage, and internal hostname references from inline and external JavaScript. | Discovered endpoints with type classification, source context, and security findings. |
| Third-Party Inventory (NEW) | Categorized inventory of external dependencies (analytics, CDN, payment, chat, font, social, etc.) with known provider database matching. | Third-party dependencies by category with provider identification and supply-chain risk findings. |
| Infrastructure Intel | IP/ASN/geo/reverse-DNS enrichment, CDN/WAF/cloud indicators, and RPKI origin-validation checks. | Infrastructure profile, RPKI posture signal, and infra-focused findings. |
| Your Public Info | Public IP, GeoIP metadata (city/region/country/lat/lon), ISP/org/ASN, reverse DNS, plus local hostname/address and device/app context. | Personal network/device context snapshot for operator awareness and troubleshooting. |
| Domain Risk | Age/expiry/WHOIS update/privacy signals, suspicious TLD, IDN/punycode, homoglyph and typosquat heuristics. | Domain risk score plus identity-risk findings. |
| Historical Drift | Baseline persistence and comparison across rescans for security score, certificate, DNS, exposure, and reputation deltas. | Drift change list with previous/current values and severity-tagged regression findings. |
| Scoring + Prioritization | Weighted severity rollups across security categories. | Overall score/grade, category scores/grades, and top action recommendations. |
Scope Boundaries
DomainLens is focused on external, publicly observable domain posture. It is not a replacement for authenticated application penetration testing, source-code review, internal network assessment, or full cloud IAM posture audits.
This transparency helps security teams understand where DomainLens is strong and where complementary controls are still required.