Collection

Tools for Domain, DNS, and Web Infrastructure Research

Editorial 16 tools 3 curated picks

A stack for tracing ownership clues, certificates, hosting changes, and exposed web infrastructure.

Stack snapshot

16 tool profiles in this workflow, including 3 curated picks.

Best for

Researchers mapping digital infrastructure, ownership clues, exposed services, and related assets around a website or organization.

Methodology

Prioritized tools that expose different layers of the web stack so investigators can move from a domain name to corroborated infrastructure context.

Editorial note

Ranking reflects corroboration value and layer coverage, not enterprise pricing or vendor prestige.

Curated picks

Top pick

SecurityTrails

Budget pick

crt.sh

Open-source pick

SpiderFoot

Stack tools

Tools in this workflow

Scan the stack, then open profiles for caveats, pricing, and disclosure context.

Live interface preview

SecurityTrails

Verified 2026-05-07

DNS history and domain intelligence for scoped investigations

Verification: Editorial review Workflow: Enrichment Pricing: Paid

Best for: Historical DNS, subdomain, IP, nameserver, and registration-adjacent context around domains already in scope.

Editorial

Tool profile

SecurityTrails

DNS history and domain intelligence for scoped investigations

Editorial

View profile Visit tool

Live interface preview

Sectigo

Verified 2026-05-07

Free certificate-transparency lookup for domain pivots

Verification: Editorial review Workflow: Discovery Pricing: Free

Best for: Certificate-transparency pivots around domains, organizations, hostnames, SAN entries, fingerprints, and historical infrastructure naming patterns.

Editorial

Tool profile

crt.sh

Free certificate-transparency lookup for domain pivots

Editorial

View profile Visit tool

Live interface preview

DNSDumpster

Verified 2026-05-07

Passive DNS and subdomain reconnaissance

Verification: Editorial review Workflow: Discovery, Pivoting Pricing: Freemium

Best for: Use it when a domain is already in scope and the next job is quick passive mapping before…

Editorial

Tool profile

DNSDumpster

Passive DNS and subdomain reconnaissance

Editorial

View profile Visit tool

Live interface preview

MXToolbox

Verified 2026-05-07

DNS, email, and blacklist diagnostics

Verification: Editorial review Workflow: Enrichment, Verification Pricing: Freemium

Best for: Use it when a domain or mail server needs quick deliverability, DNS, or blacklist context before deeper infrastructure…

Editorial

Tool profile

MXToolbox

DNS, email, and blacklist diagnostics

Editorial

View profile Visit tool

Live interface preview

WhoisXML API

Verified 2026-05-07

Domain, DNS, WHOIS, and threat intelligence APIs

Verification: Editorial review Workflow: Enrichment, Pivoting Pricing: Freemium

Best for: Use it when domain research needs structured enrichment at scale rather than one manual lookup at a time.

Editorial

Tool profile

WhoisXML API

Domain, DNS, WHOIS, and threat intelligence APIs

Editorial

View profile Visit tool

Live interface preview

ViewDNS.info

Verified 2026-05-07

Free web-based DNS and domain lookup tools

Verification: Editorial review Workflow: Discovery, Enrichment Pricing: Freemium

Best for: Use it when a domain investigation needs quick manual pivots across several lightweight DNS and hosting checks.

Editorial

Tool profile

ViewDNS.info

Free web-based DNS and domain lookup tools

Editorial

View profile Visit tool

Live interface preview

DNSlytics

Verified 2026-05-07

Reverse analytics, DNS, and domain intelligence

Verification: Editorial review Workflow: Enrichment, Pivoting Pricing: Freemium

Best for: Use it when a website or domain needs passive pivots through analytics IDs, ad IDs, DNS clues, or…

Editorial

Tool profile

DNSlytics

Reverse analytics, DNS, and domain intelligence

Editorial

View profile Visit tool

Live interface preview

Shodan

Verified 2026-05-07

Public-internet exposure search for hosts and services

Verification: Editorial review Workflow: Discovery Pricing: Freemium

Best for: Fast first-pass checks on scoped IPs, hosts, ASNs, organizations, exposed services, ports, banners, and technology fingerprints.

Tested

Tool profile

Shodan

Public-internet exposure search for hosts and services

Tested

View profile Visit tool

Live interface preview

Censys

Verified 2026-05-07

Structured search for hosts, services, and certificates

Verification: Editorial review Workflow: Pivoting Pricing: Paid

Best for: Certificate-led and host-led infrastructure mapping from a scoped technical clue.

Tested

Tool profile

Censys

Structured search for hosts, services, and certificates

Tested

View profile Visit tool

Live interface preview

urlscan GmbH

Verified 2026-05-07

URL render, screenshot, and network trace capture

Verification: Editorial review Workflow: Verification Pricing: Freemium

Best for: Capturing a URL render, screenshot, DOM/network trace, redirects, loaded resources, and visible page behavior during phishing, web-evidence, or…

Editorial

Tool profile

urlscan.io

URL render, screenshot, and network trace capture

Editorial

View profile Visit tool

Live interface preview

Wappalyzer

Verified 2026-05-07

Passive website technology fingerprinting

Verification: Editorial review Workflow: Enrichment Pricing: Freemium

Best for: Passive website technology fingerprinting, technographic enrichment, and first-pass context around public domains before deeper web or infrastructure research.

Editorial

Tool profile

Wappalyzer

Passive website technology fingerprinting

Editorial

View profile Visit tool

Live interface preview

BuiltWith

Verified 2026-05-07

Website technology and competitor-footprint profiling

Verification: Editorial review Workflow: Enrichment Pricing: Freemium

Best for: Website technology profiling, historical stack checks, commercial due diligence, competitor research, and domain-context enrichment.

Editorial

Tool profile

BuiltWith

Website technology and competitor-footprint profiling

Editorial

View profile Visit tool

Live interface preview

Google Cloud

Verified 2026-05-07

Multi-source reputation context for indicators

Verification: Editorial review Workflow: Verification Pricing: Freemium

Best for: Quick reputation triage for suspicious URLs, domains, IPs, file hashes, and already-public malware or phishing indicators.

Editorial

Tool profile

VirusTotal

Multi-source reputation context for indicators

Editorial

View profile Visit tool

Live interface preview

Knownsec

Verified 2026-05-07

Internet asset search and exposure intelligence

Verification: Editorial review Workflow: Discovery Pricing: Freemium

Best for: Use it when a scoped host, service, product, or organization needs additional exposure context beyond Shodan or Censys.

Editorial

Tool profile

ZoomEye

Internet asset search and exposure intelligence

Editorial

View profile Visit tool

Live interface preview

Netlas

Verified 2026-05-07

Internet asset and attack-surface search

Verification: Editorial review Workflow: Discovery Pricing: Freemium

Best for: Use it when infrastructure research needs another structured lens on internet-exposed assets and certificates.

Editorial

Tool profile

Netlas.io

Internet asset and attack-surface search

Editorial

View profile Visit tool

Live interface preview

SpiderFoot

Verified 2026-05-07

Automated OSINT collection for scoped leads

Verification: Editorial review Workflow: Enrichment Pricing: Freemium

Best for: Authorized OSINT automation around domains, IPs, subnets, ASNs, emails, usernames, and organization exposure review.

Tested

Tool profile

SpiderFoot

Automated OSINT collection for scoped leads

Tested

View profile Visit tool

Workflow notes

This collection is built for analysts who start with a domain, host, or website and need to understand what is visible without jumping straight to attribution.

Use this stack when

The case needs domain history, certificate clues, web rendering, exposed-service context, or technology-stack evidence around a scoped web asset.

Recommended sequence

Start with SecurityTrails or crt.sh when the question is DNS history, subdomains, or certificates.
Use Shodan and Censys when the investigation shifts from domain clues into exposed services and host relationships.
Use urlscan.io when a suspicious page needs a preserved render and request snapshot.
Add Wappalyzer or BuiltWith when visible web stack, analytics tags, ecommerce tooling, or CMS footprint matters.
Use VirusTotal or GreyNoise only when the lead includes reputation, scanning, or background-noise questions.
Use SpiderFoot when a known domain deserves broader automated collection before manual narrowing.

Editorial guardrail

No single tool here proves ownership, compromise, or attribution. Build a defensible chain from domain clue to web evidence to infrastructure context.

Related OSINT4ALL paths

Use these connected pages when the same investigation needs a different entry point or a deeper decision aid.

Curated picks

Tools in this workflow

Use this stack when

Recommended sequence

Editorial guardrail

Related OSINT4ALL paths

Weekly tool decisions, not another noisy list.