📑 Table of Contents
- Installation
- dnsscience CLI
  - scan, search, history, threat-intel, cve, dsl-query, reverse-whois
  - dns-records, email, subdomains, services, enrichment
  - risk, certificates, analytics, rdap, explore
- DNS4 Network Fingerprinting
- dnsscience-util Advanced Tool
- Configuration
- Example Workflows
📦 Installation
Quick Install
# Install from PyPI (recommended)
pip install dnsscience
# Or install from source
git clone https://github.com/dnsscience/cli.git
cd cli
pip install -e .
Requirements
- Python 3.8 or higher
- pip package manager
- Active DNSScience account (free tier available)
Verify Installation
dnsscience --version
# Output: dnsscience, version 1.0.0
⚡ dnsscience CLI
The primary command-line interface for the DNS Science platform. It provides domain scanning, security analysis, threat intelligence lookups, and more.
Authentication
# Set your API key (get it from dnsscience.io/settings)
dnsscience config set-key YOUR_API_KEY
# View current configuration
dnsscience config show
Description: Comprehensive domain security and DNS analysis
Usage:
dnsscience scan DOMAIN [OPTIONS]
Options:
| Option | Description | Default |
|---|---|---|
| --ssl / --no-ssl | Check SSL certificates | True |
| --json | Output in JSON format | False |
Example:
# Full security scan
dnsscience scan example.com
# Output in JSON format
dnsscience scan example.com --json
# Skip SSL certificate checks
dnsscience scan example.com --no-ssl
What It Checks:
- ✅ DNS Records (A, AAAA, MX, TXT, NS, SOA, CAA)
- ✅ Email Security (SPF, DKIM, DMARC, MTA-STS)
- ✅ DNS Security (DNSSEC validation, CAA records)
- ✅ SSL Certificates (expiry, issuer, serial numbers)
- ✅ Security misconfigurations
Description: Search the DNS Science database for domains
Usage:
dnsscience search QUERY [OPTIONS]
Options:
| Option | Description | Default |
|---|---|---|
| --limit N | Maximum number of results | 50 |
| --json | Output in JSON format | False |
Example:
# Search for domains
dnsscience search "bank"
# Limit results
dnsscience search "example" --limit 10
Description: View DNS history for a domain
Usage:
dnsscience history DOMAIN [OPTIONS]
Options:
| Option | Description |
|---|---|
| --days N | Number of days to look back (default: 30) |
| --json | Output in JSON format |
Example:
# Last 30 days of DNS changes
dnsscience history example.com
# Last 90 days
dnsscience history example.com --days 90
Description: Check domain/IP against threat intelligence feeds
Usage:
dnsscience threat-intel TARGET [OPTIONS]
Options:
| Option | Description |
|---|---|
| --feeds FEEDS | Comma-separated list of feeds to check |
| --json | Output in JSON format |
Threat Feeds Checked:
- CINS Score (malicious IPs)
- Blocklist.de
- ThreatFox (malware infrastructure)
- Feodo Tracker (botnet C2s)
- SSL Blacklist
- ShadowServer
- CISA KEV (known exploited vulnerabilities)
Example:
# Check all feeds
dnsscience threat-intel malicious-site.com
# Check specific feeds
dnsscience threat-intel 1.2.3.4 --feeds cins,threatfox
Description: Search CVE database
Usage:
dnsscience cve CVE_ID
Example:
dnsscience cve CVE-2024-1234
Description: Execute DNS Science Query Language (DSL) queries
Usage:
dnsscience dsl-query "QUERY"
Example:
# Find domains with SPF issues
dnsscience dsl-query "spf.valid = false"
# Complex query
dnsscience dsl-query "mx.provider = 'Google' AND dnssec.enabled = true"
Note: Requires Professional tier or higher
Description: Reverse WHOIS lookups to find related domains
Subcommands:
By Email:
dnsscience reverse-whois email admin@example.com
By Organization:
dnsscience reverse-whois org "Example Corp"
By Registrar:
dnsscience reverse-whois registrar "GoDaddy"
Note: Requires Professional tier or higher
Description: Browse and query collected DNS records
Subcommands:
List Records:
# List DNS records
dnsscience dns-records list --limit 50
# Filter by record type
dnsscience dns-records list --type A
# Search by domain
dnsscience dns-records list --domain example.com
Record Statistics:
# Get record type statistics
dnsscience dns-records stats
Description: Email deliverability analysis
Subcommands:
Check Domain:
# Check email configuration
dnsscience email check example.com
# JSON output
dnsscience email check example.com --json
List Providers:
# List email provider statistics
dnsscience email providers --limit 20
Description: Subdomain enumeration and discovery
Subcommands:
Enumerate:
# Enumerate subdomains for a domain
dnsscience subdomains enumerate example.com
# JSON output
dnsscience subdomains enumerate example.com --json
List Known:
# List known subdomains from database
dnsscience subdomains list example.com --limit 100
Description: View service integrations and platform usage
Usage:
# Get service integration stats
dnsscience services
# JSON output
dnsscience services --json
Description: Get enriched data for a domain
Usage:
# Get enrichment data
dnsscience enrichment example.com
# JSON output
dnsscience enrichment example.com --json
Description: Risk scoring and threat feeds
Subcommands:
Get Risk Score:
# Get risk score for domain
dnsscience risk score example.com
# JSON output
dnsscience risk score example.com --json
Risk Feed:
# Get high-risk domains feed
dnsscience risk feed --min-score 70 --limit 100
Description: SSL/TLS certificate management
Subcommands:
List Certificates:
# List monitored certificates
dnsscience certificates list --limit 50
# Filter expiring soon
dnsscience certificates list --expiring-days 30
Check Certificate:
# Check certificate for domain
dnsscience certificates check example.com --json
Description: Convert between DNS zone file formats (BIND, NSD, JSON)
Subcommands:
BIND to JSON:
# Convert BIND zone file to DNS Science JSON
dnsscience convert bind2json input.zone -o output.json
# With explicit domain name
dnsscience convert bind2json input.zone -o output.json -d example.com
JSON to BIND:
# Convert DNS Science JSON to BIND zone file
dnsscience convert json2bind input.json -o output.zone
JSON to NSD:
# Convert DNS Science JSON to NSD zone file
dnsscience convert json2nsd input.json -o output.zone
named.conf to nsd.conf:
# Migrate BIND configuration to NSD
dnsscience convert named2nsd named.conf -o nsd.conf
nsd.conf to named.conf:
# Migrate NSD configuration to BIND
dnsscience convert nsd2named nsd.conf -o named.conf
Options:
| Option | Description |
|---|---|
| -o, --output FILE | Output file path (prints to stdout if not specified) |
| -d, --domain NAME | Domain name (optional, extracted from SOA if not provided) |
Supported Formats:
- BIND Zone File - RFC 1035 format used by BIND/named
- NSD Zone File - Compatible with NSD authoritative server
- DNS Science JSON - Portable JSON schema for zone data
- named.conf - BIND server configuration
- nsd.conf - NSD server configuration
Description: Platform analytics and statistics
Subcommands:
Summary:
# Get analytics summary
dnsscience analytics summary
# JSON output
dnsscience analytics summary --json
Top Domains:
# Get top queried domains
dnsscience analytics top-domains --limit 20
Description: RDAP (Registration Data Access Protocol) lookup
Usage:
# RDAP lookup
dnsscience rdap example.com
# JSON output
dnsscience rdap example.com --json
Description: Explore data in the DNS Science database
Usage:
# Explore domains
dnsscience explore domains --limit 50
# Explore TLDs
dnsscience explore tlds
# Explore nameservers
dnsscience explore nameservers --limit 20
# JSON output
dnsscience explore domains --json
🔬 DNS4 Network Fingerprinting
Industry-first network fingerprinting suite combining JA4 + proprietary DNS4 algorithms. Detect malware C2, bots, VPNs, and more.
⚡ Quick Start
# Analyze TLS server
dnsscience dns4 tls google.com
# Detect bots from HTTP headers
dnsscience dns4 http --user-agent "Mozilla/5.0..."
# Comprehensive analysis
dnsscience dns4 analyze example.com --methods tls,tcp,ssh
DNS4 Commands
Description: Fingerprint TLS server response patterns
Usage:
dnsscience dns4 tls TARGET [OPTIONS]
Options:
| Option | Description | Default |
|---|---|---|
| --port PORT | TLS port | 443 |
| --sni HOSTNAME | SNI hostname | target |
| --json | JSON output | False |
What It Detects:
- 🔍 Server software (nginx, Apache, Cloudflare, AWS)
- 🔐 TLS version and cipher suites
- ⚠️ Security misconfigurations
- 📜 Certificate details and validation
- 🎯 Infrastructure patterns (CDN, load balancers)
Example:
# Analyze TLS on default port
dnsscience dns4 tls example.com
# Custom port with JSON output
dnsscience dns4 tls example.com --port 8443 --json
Description: Fingerprint HTTP client headers to detect bots
Usage:
dnsscience dns4 http [OPTIONS]
Options:
| Option | Description |
|---|---|
| --user-agent UA | User-Agent header to analyze |
| --headers-file FILE | JSON file with full headers |
| --json | JSON output |
What It Detects:
- 🤖 Bots vs. browsers (Googlebot, scrapers, crawlers)
- 🌐 Browser type and version
- 💻 Operating system
- 🛡️ Security scanners (sqlmap, nikto, nmap)
- ⚠️ Header anomalies
Example:
# Analyze User-Agent
dnsscience dns4 http --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0"
# Analyze full headers from file
dnsscience dns4 http --headers-file headers.json
Example headers.json:
{
"User-Agent": "Mozilla/5.0...",
"Accept": "text/html,application/xhtml+xml",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate, br"
}
Description: Analyze X.509 certificates with threat correlation
Usage:
dnsscience dns4 cert --cert-file CERT.pem [OPTIONS]
Options:
| Option | Description |
|---|---|
| --cert-file FILE | Certificate file (PEM format) |
| --domain DOMAIN | Associated domain |
| --json | JSON output |
What It Detects:
- 🔗 Certificate reuse across domains
- 🎭 Self-signed certificates
- 💀 Malware C2 signatures
- 🎣 Phishing infrastructure patterns
- 📊 Issuer type and generation method
Example:
dnsscience dns4 cert --cert-file /path/to/cert.pem --domain example.com
Description: Fingerprint SSH servers and detect scanners
Usage:
dnsscience dns4 ssh TARGET [OPTIONS]
Options:
| Option | Description | Default |
|---|---|---|
| --port PORT | SSH port | 22 |
| --json | JSON output | False |
Example:
dnsscience dns4 ssh github.com
dnsscience dns4 ssh 192.0.2.1 --port 2222
Description: Fingerprint TCP/IP stack for OS detection
Usage:
dnsscience dns4 tcp TARGET [OPTIONS]
Options:
| Option | Description | Default |
|---|---|---|
| --port PORT | TCP port | 80 |
| --json | JSON output | False |
What It Detects:
- 💻 Operating system (Linux, Windows, macOS, iOS, Android)
- 📱 Device type (server, desktop, mobile, IoT)
- 🎭 OS spoofing attempts
- ⚡ Network latency
Example:
dnsscience dns4 tcp example.com
dnsscience dns4 tcp 192.0.2.1 --port 443
Description: Detect VPN/proxy usage via latency analysis
Usage:
dnsscience dns4 lat TARGET --source-ip IP [OPTIONS]
Options:
| Option | Description |
|---|---|
| --source-ip IP | Source IP address (required) |
| --country CODE | Claimed country code |
| --city CITY | Claimed city |
| --json | JSON output |
What It Detects:
- 🔐 VPN usage (latency anomalies)
- 🌍 Geographic location mismatches
- 🔄 Proxy detection
- 📡 Network path changes
- 🎯 BGP hijacking indicators
Example:
# Basic VPN detection
dnsscience dns4 lat example.com --source-ip 198.51.100.1
# With claimed location
dnsscience dns4 lat example.com --source-ip 198.51.100.1 --country US --city "New York"
Description: Unified analysis across multiple DNS4 methods
Usage:
dnsscience dns4 analyze DOMAIN [OPTIONS]
Options:
| Option | Description | Default |
|---|---|---|
| --methods METHODS | Comma-separated list: tls,http,tcp,ssh,lat | tls,tcp |
| --include-ja4 | Include JA4 fingerprinting | False |
| --json | JSON output | False |
Example:
# Default analysis (TLS + TCP)
dnsscience dns4 analyze example.com
# Full analysis
dnsscience dns4 analyze example.com --methods tls,tcp,ssh
# With JA4 fingerprinting
dnsscience dns4 analyze example.com --include-ja4 --json
Output Includes:
- 📊 Individual method results
- 🎯 Composite threat score (0-100)
- ⚠️ Malicious indicators
- 📈 Confidence levels
- 🔗 Cross-method correlations
⚡ Professional Tier Required
All DNS4 commands require Professional tier ($199/month) or higher.
Upgrade at: dnsscience.io/pricing
🛠️ dnsscience-util Advanced Tool
The world's most advanced DNS analysis, security testing, and debugging tool. Combines the power of dig, ldns, and advanced security analysis.
Installation
# Install from DNSScience tools repository
git clone https://github.com/dnsscience/dnsscience-util.git
cd dnsscience-util
pip install -r requirements.txt
chmod +x dnsscience-util.py
# Or download standalone binary
curl -O https://downloads.dnsscience.io/dnsscience-util
chmod +x dnsscience-util
Key Features
- 🌍 Global Resolver Testing: Test 258+ DNS resolvers worldwide
- 🔐 DNSSEC Validation: Complete DNSSEC chain validation
- 🔒 DoH/DoT Support: DNS-over-HTTPS and DNS-over-TLS
- 🎯 Zone Walking: NSEC/NSEC3 zone enumeration
- 📊 Analytics: Performance metrics and visualization
- ⚠️ Security Analysis: Hijacking, poisoning, anomaly detection
- 📈 Historical Trending: Track DNS changes over time
- 🔔 Monitoring & Alerts: Real-time DNS monitoring
Common Commands
Basic Query (dig-like):
# Simple A record query
dnsscience-util query example.com A
# Query with specific resolver
dnsscience-util query example.com A @8.8.8.8
# Trace query path
dnsscience-util query example.com A --trace
DNSSEC Validation:
# Validate DNSSEC chain
dnsscience-util dnssec example.com
# Detailed DNSSEC analysis
dnsscience-util dnssec example.com --verbose
Global Resolver Test:
# Test domain against all global resolvers
dnsscience-util global-test example.com
# Test specific record type
dnsscience-util global-test example.com --type MX
# Export results
dnsscience-util global-test example.com --output results.json
DNS-over-HTTPS (DoH):
# Query using DoH
dnsscience-util doh example.com --provider cloudflare
# Available providers: cloudflare, google, quad9
Security Analysis:
# Check for DNS hijacking
dnsscience-util security-check example.com --check hijacking
# Cache poisoning detection
dnsscience-util security-check example.com --check poisoning
# Full security audit
dnsscience-util security-check example.com --full
Zone Walking (NSEC/NSEC3):
# Walk DNSSEC zone
dnsscience-util zone-walk example.com
# NSEC3 walking with limits
dnsscience-util zone-walk example.com --limit 1000
Advanced Features
Performance Benchmarking:
# Benchmark resolver performance
dnsscience-util benchmark --resolver 8.8.8.8 --queries 1000
# Compare multiple resolvers
dnsscience-util benchmark --compare 8.8.8.8,1.1.1.1,9.9.9.9
Historical Analysis:
# Track DNS changes over time
dnsscience-util history example.com --days 90
# Compare current vs. historical
dnsscience-util diff example.com --date 2024-01-01
Monitoring & Alerts:
# Monitor domain for changes
dnsscience-util monitor example.com --interval 60 --alert-on-change
# Email alerts
dnsscience-util monitor example.com --email admin@example.com
Full documentation: docs.dnsscience.io/util
⚙️ Configuration
API Key Setup
# Set API key
dnsscience config set-key YOUR_API_KEY
# Set custom API URL (for enterprise)
dnsscience config set-url https://api.enterprise.dnsscience.io
# View configuration
dnsscience config show
Configuration File Location
Config stored at: ~/.dnsscience/config.json
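Because the API key set with `dnsscience config set-key` is kept in this file, it is worth confirming that only your own account can read it. The Python check below is an added example, not part of the dnsscience CLI; the function names `audit_secret_file` and `harden` are illustrative, and POSIX permission bits are assumed.

```python
import os
import stat
from pathlib import Path

CONFIG = Path.home() / ".dnsscience" / "config.json"  # path given on this page


def audit_secret_file(path):
    """Return a list of findings for a file that stores an API key."""
    try:
        st = os.lstat(path)  # lstat: inspect the entry itself, do not follow links
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]  # the real key file lives elsewhere; audit that path
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("not-owned-by-current-user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")
    return findings


def harden(path):
    """Restrict the file to owner read/write and its directory to the owner."""
    os.chmod(path, 0o600)
    os.chmod(os.path.dirname(os.path.abspath(path)), 0o700)


if __name__ == "__main__":
    problems = audit_secret_file(CONFIG)
    print(f"{CONFIG}: {', '.join(problems) if problems else 'ok'}")
```

The same reasoning applies to `DNSSCIENCE_API_KEY`: an exported variable is visible to every child process of that shell, so set it only in the session or CI job that needs it.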
Environment Variables
# Alternative to config file
export DNSSCIENCE_API_KEY="your_api_key"
export DNSSCIENCE_API_URL="https://dnsscience.io"
💡 Example Workflows
Security Audit Workflow
# 1. Full domain scan
dnsscience scan example.com --json > scan_results.json
# 2. Check threat intelligence
dnsscience threat-intel example.com
# 3. DNS4 fingerprinting
dnsscience dns4 analyze example.com --methods tls,tcp,ssh
# 4. View historical changes
dnsscience history example.com --days 90
Malware C2 Detection
# 1. Analyze TLS fingerprint
dnsscience dns4 tls suspicious-domain.com
# 2. Check certificate reuse
dnsscience dns4 cert --cert-file cert.pem
# 3. Cross-reference threat intel
dnsscience threat-intel suspicious-domain.com
# 4. Check IP reputation
dnsscience threat-intel 192.0.2.1
Bot Detection Workflow
# 1. Capture HTTP headers from suspicious traffic
# 2. Analyze with DNS4-HTTP
dnsscience dns4 http --headers-file captured_headers.json
# 3. If bot detected, check for known scanners
dnsscience threat-intel source-ip
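Step 1 of the bot detection workflow needs the captured request turned into the flat name/value JSON shown in the `headers.json` example. The Python helper below is an added example, not part of the dnsscience tooling; the sample request is constructed, `request_to_headers` is an illustrative name, and redacting credential headers before upload is a choice made here, not documented CLI behaviour.

```python
import json

# Constructed sample of a captured request head (not real traffic).
SAMPLE_REQUEST = (
    "GET /login HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "accept-encoding: gzip, deflate, br\r\n"
    "Cookie: session=constructed-value\r\n"
    "\r\n"
    "user=alice"
)

# Credential-bearing headers: keep the name (its presence is a signal), drop the value.
SENSITIVE = {"cookie", "authorization", "proxy-authorization", "x-api-key"}


def request_to_headers(raw):
    """Parse a raw HTTP/1.x request head into a flat {name: value} dict.

    Header names and order are kept exactly as captured, since casing and
    ordering can themselves distinguish clients.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # drop the body
    headers, seen = {}, {}  # seen: lowercase name -> name as first captured
    for line in head.split("\n")[1:]:  # [1:] skips the request line
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue  # not a header line
        key = name.lower()
        if key in SENSITIVE:
            value = "[redacted]"
        if key not in seen:
            seen[key] = name
            headers[name] = value
        elif key not in SENSITIVE:
            # Repeated header: join values with a comma (RFC 9110 list fields).
            headers[seen[key]] += ", " + value
    return headers


if __name__ == "__main__":
    with open("captured_headers.json", "w", encoding="utf-8") as fh:
        json.dump(request_to_headers(SAMPLE_REQUEST), fh, indent=2)
```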
VPN/Proxy Detection
# Detect VPN usage for fraud prevention
dnsscience dns4 lat target.com --source-ip CLIENT_IP --country US --city "New York"
# High latency delta = VPN/proxy detected