Domain Recon Dashboard

Complete attack surface mapping from 10+ free APIs. Enter any domain to discover subdomains, open ports, CVEs, DNS records, HTTP security headers, WHOIS data, threat intelligence, and archive history — all in parallel, all passive.

⚠️ This tool performs passive reconnaissance only. No packets are sent to the target domain. All queries go to public third-party APIs. Ensure you have authorization before acting on any findings.

What is passive domain reconnaissance?

Passive reconnaissance gathers intelligence about a target domain without sending any traffic to it. Instead, this tool queries public databases that have already indexed the internet: Certificate Transparency logs for subdomains, Shodan's InternetDB for open ports and CVEs, DNS aggregators for record data, and threat intelligence platforms for malicious indicators. The target never sees your IP address or knows they're being researched.

Key Terminology

Certificate Transparency (CT)
A public logging system for TLS certificates. Every certificate issued by a trusted CA is logged, revealing all hostnames it covers — a goldmine for subdomain discovery.
Shodan InternetDB
A free, no-auth API that returns pre-scanned data for any IP: open ports, detected services, known CVEs, CPE identifiers, and hostnames. No active scanning required.
RDAP
Registration Data Access Protocol — the structured replacement for WHOIS. Returns domain/IP registration data as machine-readable JSON instead of freeform text.
OTX AlienVault
Open Threat Exchange — a crowd-sourced threat intelligence platform. Provides threat pulses, malware indicators, and reputation data for IPs, domains, and hashes.
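
The following JavaScript is an added example, not the dashboard's own code. It reduces Certificate Transparency rows, in the JSON shape crt.sh returns, to an in-scope hostname inventory for a domain you are responsible for; the function name inventoryFromCt and the sample rows are constructed for illustration.

```javascript
// Constructed sample shaped like crt.sh JSON output: one object per logged
// certificate, where name_value may hold several newline-separated names.
// No network request is made; feed real rows in the same shape if you have them.
const SAMPLE_CT_ROWS = [
  { common_name: "example.com", name_value: "example.com\nwww.example.com", not_before: "2024-01-10T00:00:00" },
  { common_name: "*.example.com", name_value: "*.example.com\nexample.com", not_before: "2024-03-02T00:00:00" },
  { common_name: "staging.example.com", name_value: "Staging.Example.com", not_before: "2023-06-01T00:00:00" },
  { common_name: "staging.example.com", name_value: "staging.example.com", not_before: "2024-05-20T00:00:00" },
  // Shared certificate that also lists an unrelated domain.
  { common_name: "cdn.example.net", name_value: "cdn.example.net\nassets.example.com", not_before: "2024-02-14T00:00:00" },
  // Look-alike: ends with "example.com" but is not a subdomain of it.
  { common_name: "notexample.com", name_value: "notexample.com", not_before: "2024-04-01T00:00:00" },
  // Email identities can appear in certificate names; they are not hostnames.
  { common_name: "admin@example.com", name_value: "admin@example.com", not_before: "2022-01-01T00:00:00" },
];

// inventoryFromCt is a hypothetical helper name used only in this example.
function inventoryFromCt(rows, apex) {
  const root = apex.toLowerCase().replace(/\.$/, "");
  const hosts = new Map();      // hostname -> most recent not_before seen
  const wildcards = new Set();  // wildcard patterns, kept apart from real hosts
  for (const row of rows) {
    const names = `${row.common_name || ""}\n${row.name_value || ""}`.split("\n");
    for (const raw of names) {
      const name = raw.trim().toLowerCase().replace(/\.$/, "");
      if (!name || name.includes("@")) continue;           // skip blanks and email identities
      const bare = name.replace(/^\*\./, "");
      if (!/^[a-z0-9.-]+$/.test(bare)) continue;           // reject malformed names
      // Scope check on a label boundary, so "notexample.com" does not match.
      if (bare !== root && !bare.endsWith("." + root)) continue;
      if (name.startsWith("*.")) { wildcards.add(name); continue; }
      const seen = hosts.get(name);
      // ISO 8601 timestamps in the same format compare correctly as strings.
      if (!seen || row.not_before > seen) hosts.set(name, row.not_before);
    }
  }
  return {
    hosts: [...hosts.keys()].sort(),
    wildcards: [...wildcards].sort(),
    lastIssued: Object.fromEntries(hosts),
  };
}
```

Wildcard entries are reported separately because they show that a certificate exists, not that any particular host does. The lastIssued map helps spot hostnames whose only certificates are old, which are candidates for decommissioning review.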

🌐 Domain Recon Dashboard — Frequently Asked Questions

What APIs does the Domain Recon Dashboard query?

It queries crt.sh for Certificate Transparency subdomain enumeration, HackerTarget for DNS records and host discovery, Shodan InternetDB for open ports and CVEs on discovered IPs, RDAP for structured WHOIS data, OTX AlienVault for threat intelligence, RIPE Stat for abuse contacts and BGP data, HackerTarget for HTTP security headers, and the Wayback Machine CDX API for archive history.

Is this tool passive or active?

This tool is entirely passive. It queries public databases and APIs that aggregate already-collected data. No packets are sent to the target domain — all queries go to third-party API endpoints like crt.sh, Shodan, HackerTarget, and others.