DNS records are one of the richest sources of technology intelligence available through passive reconnaissance. Unlike HTTP-based detection that requires loading a webpage, DNS data is available through public resolvers without directly interacting with the target's web server. For OSINT professionals, DNS reconnaissance is often the first step in building a technology profile of a target domain.
TXT Records: The OSINT Gold Mine
DNS TXT records have become a standard mechanism for domain ownership verification. SaaS providers require customers to add specific TXT records to prove they control a domain. This means TXT records effectively create a public registry of which services an organization uses:
- google-site-verification=... — Google Search Console or Google Workspace
- v=spf1 include:_spf.google.com — Google Workspace for email
- MS=ms... — Microsoft 365
- atlassian-domain-verification=... — Atlassian products (Jira, Confluence)
- facebook-domain-verification=... — Facebook Business Manager
- _dmarc TXT records — reveal email authentication policy and often the email security provider
A single domain can have dozens of TXT records, each revealing a different SaaS relationship. This information is entirely public and requires no interaction with the target's web servers.
CNAME and NS Records
CNAME records are particularly valuable for identifying CDN providers, hosting platforms, and email services. A CNAME pointing to *.cloudfront.net confirms AWS CloudFront. One pointing to *.netlify.app identifies Netlify hosting. Nameserver (NS) records reveal the DNS provider, which often correlates with the hosting or CDN provider — for example, Cloudflare nameservers indicate Cloudflare is in the stack.
MX Records and Email Infrastructure
MX records identify the email provider for a domain. Common patterns include:
- *.google.com or *.googlemail.com — Google Workspace
- *.outlook.com or *.protection.outlook.com — Microsoft 365
- *.pphosted.com — Proofpoint email security
- *.mxrouting.net — MXroute email hosting
Email infrastructure reveals organizational decisions about communication and security. Enterprise-grade email security (Proofpoint, Mimecast) signals a larger organization with dedicated IT security.
Automating DNS Reconnaissance
WhatStack's OSINT tools include a dedicated DNS analyzer that automatically queries all relevant record types and matches them against known technology signatures. This is part of the broader ten-analyzer detection pipeline that combines DNS intelligence with HTTP, HTML, JavaScript, and ads.txt analysis for a complete technology profile.
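Signature matching of this kind can be used to audit what your own zone discloses. The following is an added example, not WhatStack's code: it applies the signatures listed on this page to already-resolved records. The function names, table layout, the Cloudflare NS pattern and the sample records for the placeholder domain example.com are assumptions.

```python
import fnmatch

# Signatures from the lists on this page; the table layout is an assumption.
TXT_PREFIXES = {
    "google-site-verification=": "Google Search Console or Google Workspace",
    "ms=ms": "Microsoft 365",
    "atlassian-domain-verification=": "Atlassian products (Jira, Confluence)",
    "facebook-domain-verification=": "Facebook Business Manager",
}
SPF_INCLUDES = {"_spf.google.com": "Google Workspace for email"}
HOST_PATTERNS = {  # "*" also spans dots, so *.outlook.com covers *.protection.outlook.com
    "MX": {"*.google.com": "Google Workspace", "*.googlemail.com": "Google Workspace",
           "*.outlook.com": "Microsoft 365", "*.pphosted.com": "Proofpoint email security",
           "*.mxrouting.net": "MXroute email hosting"},
    "CNAME": {"*.cloudfront.net": "AWS CloudFront", "*.netlify.app": "Netlify hosting"},
    "NS": {"*.ns.cloudflare.com": "Cloudflare"},  # pattern not on the page (assumption)
}

def classify(rtype, value):
    """Return the set of services that a single DNS record discloses."""
    hits = set()
    if rtype.upper() == "TXT":
        low = value.strip().strip('"').lower()
        hits.update(s for p, s in TXT_PREFIXES.items() if low.startswith(p))
        if low.startswith("v=spf1"):
            for term in low.split()[1:]:
                mech = term.lstrip("+-~?")  # drop the SPF qualifier
                if mech.startswith("include:") and mech[8:] in SPF_INCLUDES:
                    hits.add(SPF_INCLUDES[mech[8:]])
        return hits
    parts = value.split()
    if parts:
        host = parts[-1].rstrip(".").lower()  # skip MX preference, strip root dot
        for pattern, service in HOST_PATTERNS.get(rtype.upper(), {}).items():
            if fnmatch.fnmatchcase(host, pattern):
                hits.add(service)
    return hits

def profile(records):
    """Map each disclosed service to the records that reveal it."""
    found = {}
    for rtype, value in records:
        for service in classify(rtype, value):
            found.setdefault(service, []).append(f"{rtype} {value}")
    return found

SAMPLE = [  # constructed records, not real data
    ("TXT", '"v=spf1 include:_spf.google.com ~all"'), ("TXT", '"MS=ms00000000"'),
    ("MX", "10 mx0a-00000000.pphosted.com."), ("NS", "ns1.example.net."),
    ("CNAME", "d0000000000000.cloudfront.net."),
]
```

Feed it the output of your resolver of choice for a domain you manage; each key in the result of `profile()` is a vendor relationship visible to anyone who queries the zone.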
For investigators and security researchers, DNS-based detection is especially valuable because it works even when a website is behind a WAF or rate-limits HTTP requests. The WhatStack scanner performs DNS reconnaissance automatically as part of every scan. Learn more about our OSINT capabilities on the OSINT page.