AI Dorks — Domain & Infrastructure

Claude prompts that turn a domain or IP into a sourced infrastructure picture — running live DNS-over-HTTPS, RDAP, certificate-transparency, and Wayback queries in Claude’s code sandbox and saving the results.

Public-source, authorized use. These are prompt-engineering aids, not jailbreaks. Use them on subjects and infrastructure you’re authorized to investigate; they keep to public sources, respect site terms, and exclude breach data and private-individual targeting. Paste a prompt into Claude, fill the highlighted fields, and have it show its work and cite sources.

Use Claude as a passive infrastructure-recon engine

Each prompt is written for Claude’s code environment, which has live internet and preinstalled libraries. They query public, no-key sources — RDAP, Cloudflare/Google DoH, crt.sh, the Wayback availability API, ipinfo — parse the results, and save JSON/CSV you can chain into later steps. They stick to passive and self-authorized methods: no scanning of hosts you don’t own, no bypassing controls. They also pair naturally with classic Google dorking operators such as site:, inurl: and intitle: — Claude can write those queries for you and triage the results.

Frequently asked questions

What is an "AI dork"?

It’s a precise, copy-paste prompt that gets an AI model to perform a focused OSINT task — here, tailored to Claude’s code sandbox so it actually fetches and parses public data rather than guessing.

Do these scan or attack a target?

No. The infrastructure prompts use passive, public sources (RDAP, certificate transparency, DNS, Wayback). Any liveness or banner check is scoped to hosts you own or are authorized to test.

Why run them in Claude instead of a browser?

Claude’s sandbox can fetch from public APIs, parse with Python, correlate pivots, and save structured output in one pass — and explain its reasoning with citations.

What is RDAP and how do I run a lookup?

RDAP (Registration Data Access Protocol) is the structured, modern replacement for WHOIS. These prompts have Claude query a public RDAP endpoint such as rdap.org for a domain or IP and parse the registrar, dates and contacts into a table — no API key needed.
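The parsing step described above, as an added example that is not one of the page's prompts or code from the site: it flattens an RDAP domain response into registrar, dates, nameservers and contacts. The JSON field names follow RFC 9083; the sample record and the function names (`vcard_field`, `walk_entities`, `summarize`) are constructed for illustration, and a live run would load the same JSON from a public RDAP endpoint such as rdap.org instead of `SAMPLE`.

```python
import json

# Constructed sample shaped like an RFC 9083 domain object; not a real registration.
SAMPLE = json.loads("""
{"objectClassName": "domain", "ldhName": "EXAMPLE.TEST",
 "events": [{"eventAction": "registration", "eventDate": "2019-04-02T10:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2026-04-02T10:00:00Z"}],
 "nameservers": [{"ldhName": "NS2.EXAMPLE.TEST"}, {"ldhName": "ns1.example.test"}],
 "entities": [
  {"roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Registrar LLC"]]],
   "entities": [{"roles": ["abuse"],
                 "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                                          ["email", {}, "text", "abuse@registrar.test"]]]}]},
  {"roles": ["registrant"], "remarks": [{"title": "REDACTED FOR PRIVACY"}]}]}
""")

def vcard_field(entity, name):
    """Return the first jCard property value with this name, or None if absent."""
    card = entity.get("vcardArray", [None, []])  # redacted entities often carry no vCard
    for prop in card[1]:
        if prop[0] == name:
            return prop[3]  # jCard property layout: [name, params, type, value]
    return None

def walk_entities(obj):
    """Yield entities at any depth; abuse contacts usually sit under the registrar."""
    for ent in obj.get("entities", []):
        yield ent
        yield from walk_entities(ent)

def summarize(rdap):
    """Flatten one RDAP domain object into a table-ready dict."""
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    registrar, contacts = None, []
    for ent in walk_entities(rdap):
        roles, name = ent.get("roles", []), vcard_field(ent, "fn")
        if "registrar" in roles and registrar is None:
            registrar = name
        contacts.append({"roles": roles, "name": name, "email": vcard_field(ent, "email")})
    return {"domain": rdap.get("ldhName", "").lower(), "registrar": registrar,
            "registered": events.get("registration"), "expires": events.get("expiration"),
            "nameservers": sorted(n["ldhName"].lower() for n in rdap.get("nameservers", [])),
            "contacts": contacts}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Redacted contacts come back with `None` for name and email rather than being dropped, so the output table shows that a registrant entry exists but is withheld.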

What is passive DNS reconnaissance?

Passive DNS recon studies a domain's records and history without probing the target directly. These prompts use public DNS-over-HTTPS resolvers and certificate-transparency logs to map subdomains and infrastructure from public data only.

How do I find subdomains with Google dorks?

Operators like site:*.example.com -www surface some subdomains, but they miss a lot. These prompts have Claude combine that Google-dorking approach with certificate-transparency and passive DNS for fuller coverage, and it can write the site: and inurl: queries for you. See the Google Dorks list for the operators.