DNS Infrastructure Analysis - Complete Datapoint Definitions
Overview
This document defines every datapoint collected, analyzed, and presented by the DNS infrastructure analysis platform. Each metric has a clear purpose and contributes to understanding connectivity circuit patterns.
Core DNS Record Types Analyzed
A Records (IPv4 Address Records)
What it is: Maps domain names to IPv4 addresses
What we measure:
Number of A records (indicates load balancing/redundancy)
TTL values (Time To Live - cache duration in seconds)
IP address geographical locations
ASN (Autonomous System Number) information
Why it matters: A records are the core connectivity circuit - they establish the primary path for web traffic to reach a domain.
AAAA Records (IPv6 Address Records)
What it is: Maps domain names to IPv6 addresses
What we measure:
Number of AAAA records
TTL values
IPv6 address analysis
Why it matters: Shows modern IPv6 adoption and future-proofing of infrastructure.
MX Records (Mail Exchange Records)
What it is: Specifies mail servers responsible for receiving email
What we measure:
Number of MX records (email redundancy)
Priority values (backup mail server order)
Mail server hostnames
TTL values
Why it matters: MX records establish email connectivity circuits - critical for business communication infrastructure.
NS Records (Name Server Records)
What it is: Specifies authoritative DNS servers for the domain
What we measure:
Number of NS records
Name server hostnames
DNS provider identification
Why it matters: NS records control DNS authority - they determine who controls the domain's connectivity circuits.
TXT Records (Text Records)
What it is: Stores arbitrary text data, often used for verification and policies
What we measure:
Number of TXT records
SPF (Sender Policy Framework) presence
DKIM (DomainKeys Identified Mail) signatures
DMARC (Domain-based Message Authentication) policies
Other verification records (Google, Microsoft, etc.)
Why it matters: TXT records establish policy and verification circuits - critical for email security and domain ownership proof.
CNAME Records (Canonical Name Records)
What it is: Creates aliases that point to other domain names
What we measure:
Number of CNAME records
Target domains
Chain length (number of hops when a CNAME points to another CNAME)
Why it matters: CNAME records create connectivity aliases - they show how traffic is redirected through different circuits.
SOA Records (Start of Authority)
What it is: Contains administrative information about the DNS zone
What we measure:
Primary nameserver
Admin email
Serial number (zone version)
Refresh/retry/expire timings
Why it matters: SOA records show DNS zone management patterns and update frequencies.
Security Analysis Datapoints
Email Security Configuration
SPF Record Analysis:
Presence:: Does the domain publish an SPF record?
Mechanisms:: Which servers are authorized to send email?
Strictness:: Hard fail (-all) vs soft fail (~all) policies
DKIM Analysis:
Presence:: Are DKIM signatures configured?
Selectors:: How many DKIM keys are configured?
DMARC Policy:
Presence:: Is DMARC configured?
Policy:: None, quarantine, or reject for failed authentication
Reporting:: Are aggregate/forensic reports configured?
Infrastructure Redundancy
A Record Redundancy:: Multiple IP addresses for failover
MX Record Redundancy:: Multiple mail servers for email continuity
Geographic Distribution:: Are servers in different locations?
Security Score Calculation
Components (0-100 scale):
SPF configured: +25 points
DKIM configured: +25 points
DMARC configured: +30 points
A record redundancy: +10 points
MX record redundancy: +10 points
Security Grades:
A: 80-100 points (Excellent security posture)
B: 60-79 points (Good security with room for improvement)
C: 40-59 points (Moderate security, needs attention)
D: 0-39 points (Poor security, immediate action needed)
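The following is an added example, not code from the platform this document describes. It parses the SPF, DKIM and DMARC TXT records described under Email Security Configuration and then applies the component weights and grade bands listed under Security Score Calculation. The tag handling follows the published SPF and DMARC record formats; the sample records, the "two or more records" reading of redundancy, and the function names are assumptions made for the example.

```python
"""Email-security TXT parsing plus the security score defined above.

Added example, not the platform's own code. Sample records are constructed
(RFC 5737 documentation addresses, example.com names).
"""

# Constructed sample data for a hypothetical zone.
SAMPLE_TXT = [
    "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
    "google-site-verification=constructed-token",
]
SAMPLE_DMARC = ["v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"]
SAMPLE_DKIM = {"selector1": "v=DKIM1; k=rsa; p=MIIBIjANBg-constructed-public-key"}

ALL_QUALIFIERS = {"-all": "hardfail", "~all": "softfail", "?all": "neutral", "+all": "pass"}


def parse_spf(txt_records):
    """Presence, mechanisms and strictness of the zone's SPF record."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False, "mechanisms": [], "strictness": None, "multiple": False}
    terms = spf[0].split()[1:]  # drop the "v=spf1" version tag
    all_term = next((t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    mechanisms = [t for t in terms if t.lower().lstrip("+-~?") != "all"]
    if all_term is None:
        strictness = "neutral"  # no "all" term: RFC 7208 default result for unmatched senders
    else:
        strictness = ALL_QUALIFIERS["+all" if all_term == "all" else all_term]
    return {
        "present": True,
        "mechanisms": mechanisms,
        "strictness": strictness,
        "multiple": len(spf) > 1,  # more than one SPF record is a permerror under RFC 7208
    }


def parse_dmarc(dmarc_txt_records):
    """Policy and reporting settings from the _dmarc.<domain> TXT record."""
    rec = next((r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return {"present": False, "policy": None, "reporting": False}
    tags = {}
    for part in rec.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {
        "present": True,
        "policy": tags.get("p", "none").lower(),  # none, quarantine or reject
        "reporting": "rua" in tags or "ruf" in tags,  # aggregate (rua) / forensic (ruf) reports
    }


def dkim_selectors(dkim_txt_by_selector):
    """Selectors whose TXT record carries a public key (the p= tag)."""
    return [s for s, rec in dkim_txt_by_selector.items()
            if any(part.strip().lower().startswith("p=") for part in rec.split(";"))]


def security_score(txt_records, dmarc_txt_records, dkim_txt_by_selector, a_count, mx_count):
    """Score (0-100) and grade using the document's component weights and grade bands."""
    spf = parse_spf(txt_records)
    dmarc = parse_dmarc(dmarc_txt_records)
    selectors = dkim_selectors(dkim_txt_by_selector)
    score = 0
    score += 25 if spf["present"] else 0
    score += 25 if selectors else 0
    score += 30 if dmarc["present"] else 0
    score += 10 if a_count >= 2 else 0  # assumption: redundancy means two or more records
    score += 10 if mx_count >= 2 else 0
    grade = "A" if score >= 80 else "B" if score >= 60 else "C" if score >= 40 else "D"
    return {"score": score, "grade": grade, "spf": spf, "dkim_selectors": selectors, "dmarc": dmarc}


if __name__ == "__main__":
    print(security_score(SAMPLE_TXT, SAMPLE_DMARC, SAMPLE_DKIM, a_count=2, mx_count=1))
```

With the constructed sample (SPF, one DKIM selector, DMARC at quarantine, two A records, one MX record) the score is 90, grade A. The parser also flags a duplicated SPF record, which the score does not penalise but which breaks SPF evaluation in practice.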
Infrastructure Fingerprinting Datapoints
Technology Stack Detection
Hosting Providers:
Cloudflare:: Detected from IP ranges and CNAME patterns
AWS:: Identified from amazonaws.com patterns
Google Cloud:: Detected from googleusercontent.com patterns
Microsoft Azure:: Identified from azure patterns
Email Platforms:
Google Workspace:: gmail.com, googlemail.com MX records
Microsoft 365:: outlook.com, protection.outlook.com patterns
Custom Email:: Self-hosted or other providers
Complexity Scoring
Calculation: (Number of record types × 10) + Total number of records
Sophistication Levels:
Enterprise:: 100+ complexity score
Business:: 50-99 complexity score
Basic:: 0-49 complexity score
Metrics:
Record Diversity:: Number of different DNS record types
Total Records:: Sum of all DNS records across all types
Configuration Depth:: Complexity of DNS setup
Business Intelligence Datapoints
Operational Maturity Assessment
Scoring Components (0-100 scale):
Email Infrastructure Maturity:: +25 points for 2+ MX records
Security Compliance:: +30 points for 2+ security records (SPF/DKIM/DMARC)
Infrastructure Complexity:: +25 points for 20+ total records
Service Diversification:: +20 points for 5+ subdomains
Maturity Levels:
Mature:: 75+ points (Well-established operations)
Growing:: 50-74 points (Expanding capabilities)
Developing:: 0-49 points (Early-stage infrastructure)
Business Insights Generated
Email Redundancy Status:: Single point of failure vs redundant systems
Security Compliance Posture:: Basic, moderate, or strong security focus
Infrastructure Scale:: Basic, business-level, or enterprise-level complexity
Operational Patterns:: Growth indicators from DNS complexity
Threat Surface Analysis Datapoints
Attack Vector Identification
IP Address Exposure:
Count:: Number of publicly exposed IP addresses
Risk Factor:: Each IP = +10 risk points
Subdomain Exposure:
High Risk:: 10+ subdomains = +30 risk points
Moderate Risk:: 5-10 subdomains = +20 risk points
Low Risk:: <5 subdomains = minimal points
Email Infrastructure Exposure:
Risk Factor:: Each MX record = +5 risk points
Risk Scoring
Total Risk Score (0-100+ scale):
Sum of the IP exposure, subdomain exposure, email exposure and record diversity contributions
High Risk:: 75+ points
Medium Risk:: 50-74 points
Low Risk:: 0-49 points
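The following is an added example, not the platform's own code. It implements the three count-based scores defined above in one place: the Complexity Scoring formula and sophistication levels, the Operational Maturity Assessment components and levels, and the Threat Surface risk scoring. The record counts are constructed. Two things the document leaves open are handled as labelled assumptions: the subdomain tiers overlap at exactly 10 (treated as the high-risk tier), and record diversity is named as a risk component without a weight (weight 0 unless the caller supplies one).

```python
"""Complexity, operational-maturity and threat-surface scores from record counts.

Added example, not the platform's own code. Formulas, weights and level bands
are the ones this document defines; the counts below are constructed.
"""

# Constructed record counts for a hypothetical zone.
SAMPLE_COUNTS = {"A": 2, "AAAA": 2, "MX": 3, "NS": 4, "TXT": 5, "CNAME": 0, "SOA": 1}
SAMPLE_SECURITY_RECORDS = 3  # SPF, DKIM and DMARC all present
SAMPLE_SUBDOMAINS = 6
SAMPLE_UNIQUE_IPS = 4


def band(score, thresholds):
    """Map a score to the first level whose lower bound it meets (thresholds descending)."""
    for lower, level in thresholds:
        if score >= lower:
            return level
    return thresholds[-1][1]


def complexity_score(counts):
    """(record types x 10) + total records, with Enterprise/Business/Basic levels."""
    present = {t: n for t, n in counts.items() if n > 0}
    diversity, total = len(present), sum(present.values())
    score = diversity * 10 + total
    return {"score": score,
            "level": band(score, [(100, "Enterprise"), (50, "Business"), (0, "Basic")]),
            "record_diversity": diversity, "total_records": total}


def maturity_score(counts, security_records, subdomains):
    """Operational maturity components (0-100) and Mature/Growing/Developing levels."""
    score = 0
    score += 25 if counts.get("MX", 0) >= 2 else 0          # email infrastructure maturity
    score += 30 if security_records >= 2 else 0             # security compliance
    score += 25 if sum(counts.values()) >= 20 else 0        # infrastructure complexity
    score += 20 if subdomains >= 5 else 0                   # service diversification
    return {"score": score,
            "level": band(score, [(75, "Mature"), (50, "Growing"), (0, "Developing")])}


def risk_score(unique_ips, subdomains, mx_count, record_diversity, diversity_weight=0):
    """Threat-surface risk points (open-ended scale) and High/Medium/Low levels."""
    score = unique_ips * 10                                 # each exposed IP = +10
    # Assumption: the document's tiers overlap at exactly 10 subdomains; 10 counts as high.
    if subdomains >= 10:
        score += 30
    elif subdomains >= 5:
        score += 20
    score += mx_count * 5                                   # each MX record = +5
    # Assumption: record diversity is a named component without a weight; 0 unless supplied.
    score += record_diversity * diversity_weight
    return {"score": score,
            "level": band(score, [(75, "High"), (50, "Medium"), (0, "Low")])}


def profile(counts, security_records, subdomains, unique_ips):
    """Run all three scores over one zone's counts."""
    cx = complexity_score(counts)
    return {"complexity": cx,
            "maturity": maturity_score(counts, security_records, subdomains),
            "risk": risk_score(unique_ips, subdomains, counts.get("MX", 0), cx["record_diversity"])}


if __name__ == "__main__":
    print(profile(SAMPLE_COUNTS, SAMPLE_SECURITY_RECORDS, SAMPLE_SUBDOMAINS, SAMPLE_UNIQUE_IPS))
```

On the constructed counts the zone scores 77 (Business) for complexity, 75 (Mature) for maturity and 75 (High) for risk, which illustrates how the same redundancy that raises the maturity score also raises the exposure score: every extra MX record and IP address is both continuity and surface.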
Security Recommendations
Generated based on findings:
DNS filtering implementation for high-risk scores
Subdomain security policies for extensive subdomain structures
Email security records for missing SPF/DKIM/DMARC
Circuit Turn-On Date Estimation
Methodology
TTL-Based Analysis: Lower TTL values suggest more recent configuration changes
Record Complexity: More complex setups typically indicate recent deployment
Estimation Algorithm:
A Records:: max(30 days, TTL/100 × record_count)
MX Records:: max(14 days, TTL/200 × record_count)
TXT Records:: max(7 days, TTL/300 × record_count)
Confidence Levels:
High:: Recent changes with supporting evidence
Medium:: Moderate indicators of recent activity
Low:: Minimal evidence, estimates based on defaults
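The following is an added example, not the platform's own code. It applies the three per-type rules of the Estimation Algorithm literally (the max(floor, TTL/divisor × record_count) value read in days) to a constructed set of records. The document does not say how the per-type ages combine into one date or how the confidence levels are assigned, so both are assumptions marked in the code: the circuit is taken to be at least as old as its oldest component, and confidence counts how many record types produced a TTL-driven rather than default estimate.

```python
"""Circuit turn-on date estimation following the document's per-type formulas.

Added example, not the platform's own code. Rules are taken from the document
and applied literally; the combination and confidence steps are assumptions.
"""
from datetime import date, timedelta

# Per-type floor (days) and TTL divisor, as listed in the document.
RULES = {"A": (30, 100), "MX": (14, 200), "TXT": (7, 300)}

# Constructed sample: (record type, TTL in seconds, record count).
SAMPLE_RECORDS = [("A", 3600, 2), ("MX", 300, 2), ("TXT", 3600, 5)]


def estimate_age_days(record_type, ttl, record_count):
    """max(floor, TTL/divisor x count) for one record type, in days."""
    floor_days, divisor = RULES[record_type]
    return max(floor_days, ttl / divisor * record_count)


def estimate_turn_on(records, today=None):
    """Estimated turn-on date (ISO string), per-type ages and a confidence level."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    ages, evidence = {}, 0
    for rtype, ttl, count in records:
        if rtype not in RULES:
            continue  # only A, MX and TXT records carry an estimation rule
        age = estimate_age_days(rtype, ttl, count)
        ages[rtype] = age
        if age > RULES[rtype][0]:
            evidence += 1  # estimate driven by the TTL, not the default floor
    # Assumption: the circuit is at least as old as its oldest estimated component.
    oldest = max(ages.values()) if ages else 0
    # Assumption: confidence counts how many types gave a TTL-driven (non-default) estimate.
    confidence = "High" if evidence >= 2 else "Medium" if evidence == 1 else "Low"
    return {
        "turn_on_date": (today - timedelta(days=round(oldest))).isoformat(),
        "ages_days": ages,
        "confidence": confidence,
    }


if __name__ == "__main__":
    print(estimate_turn_on(SAMPLE_RECORDS, "2024-01-01"))
```

For the constructed records the A and TXT rules give 72 and 60 days while the MX rule falls back to its 14-day floor, so the estimate is 72 days before the analysis date with High confidence. A single A record with a short TTL never rises above the 30-day floor and therefore reports Low confidence, which is the "estimates based on defaults" case.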
Subdomain Discovery
Analysis Scope
Common Subdomains Checked:
www, mail, ftp, admin, api, blog, shop, test, dev, staging
Security-related: secure, ssl, vpn
Business-related: support, help, portal
Metrics:
Total Found:: Number of responsive subdomains
Service Diversity:: Variety of subdomain purposes
Exposure Assessment:: Public accessibility of services
Geolocation and Network Intelligence
IP Address Analysis
Geographic Data:
Country:: Physical server location
Region/City:: More specific location data
ISP/Organization:: Hosting provider identification
Network Information:
ASN:: Autonomous System Number
Network Range:: IP block ownership
Route Analysis:: Network path optimization
SSL Certificate Analysis
Certificate Data
Basic Information:
Issuer:: Certificate Authority (Let's Encrypt, DigiCert, etc.)
Validity Period:: Start and end dates
Subject:: Domain(s) covered
Security Metrics:
Key Type:: RSA or ECDSA
Key Size:: Key length, e.g. 2048-bit or 4096-bit
SHA-256 Fingerprint:: Unique certificate identifier
Data Sources and APIs
Primary DNS Resolution
Method:: Direct DNS queries to authoritative servers
Fallback:: Multiple DNS servers for reliability
Validation:: Cross-verification of results
External Intelligence APIs
IPInfo:: Geolocation and ASN data
VirusTotal:: Security reputation scanning
SecurityTrails:: Historical DNS data
Shodan:: Network service discovery
Caching Strategy
Performance:: SQLite caches for repeated queries
Freshness:: TTL-based cache invalidation
Reliability:: Fallback to direct queries if cache fails
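The following is an added example, not the platform's own code. It shows the three behaviours listed under Caching Strategy with the standard library only: a SQLite store for repeated queries, expiry keyed to each answer's TTL, and a direct query when the cache read or write raises an error. The resolver is a constructed stand-in that records how often it is called; a real deployment would pass a function that performs the DNS query and returns the answers with their TTL.

```python
"""TTL-aware SQLite cache with fallback to a direct query when the cache fails.

Added example, not the platform's own code. The resolver is a constructed
stand-in; the answers it returns are RFC 5737 documentation addresses.
"""
import json
import sqlite3
import time


class DnsCache:
    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS dns_cache ("
            "name TEXT NOT NULL, rtype TEXT NOT NULL, answer TEXT NOT NULL, "
            "expires_at REAL NOT NULL, PRIMARY KEY (name, rtype))"
        )

    @staticmethod
    def _key(name, rtype):
        return name.lower().rstrip("."), rtype.upper()  # normalise case and trailing dot

    def get(self, name, rtype, now):
        row = self.conn.execute(
            "SELECT answer, expires_at FROM dns_cache WHERE name = ? AND rtype = ?",
            self._key(name, rtype),
        ).fetchone()
        if row is None or row[1] <= now:  # missing, or past the record's TTL
            return None
        return json.loads(row[0])

    def put(self, name, rtype, answer, ttl, now):
        self.conn.execute(
            "INSERT OR REPLACE INTO dns_cache VALUES (?, ?, ?, ?)",
            (*self._key(name, rtype), json.dumps(answer), now + ttl),
        )
        self.conn.commit()

    def resolve(self, name, rtype, resolver, now=None):
        """Serve from cache while fresh; otherwise query directly and refresh the cache."""
        now = time.time() if now is None else now
        try:
            cached = self.get(name, rtype, now)
        except sqlite3.Error:
            cached = None  # cache failure: fall back to a direct query
        if cached is not None:
            return cached, "cache"
        answer, ttl = resolver(name, rtype)
        try:
            self.put(name, rtype, answer, ttl, now)
        except sqlite3.Error:
            pass  # keep serving even if the cache cannot be written
        return answer, "direct"


class FakeResolver:
    """Constructed stand-in for a DNS lookup; counts calls so cache hits are observable."""

    def __init__(self):
        self.calls = 0

    def __call__(self, name, rtype):
        self.calls += 1
        return ["192.0.2.10", "192.0.2.11"], 300  # (answers, TTL in seconds), constructed


def demo():
    """Three lookups against a fixed clock: hit inside the TTL, re-query after it expires."""
    cache = DnsCache()
    resolver = FakeResolver()
    a1 = cache.resolve("example.com", "A", resolver, now=1000)
    a2 = cache.resolve("example.com", "A", resolver, now=1100)  # within TTL: cache hit
    a3 = cache.resolve("example.com", "A", resolver, now=1400)  # TTL expired: re-queried
    return [a1[1], a2[1], a3[1]], resolver.calls


if __name__ == "__main__":
    print(demo())
```

Passing an explicit clock into resolve() keeps the expiry logic testable; in production the default time.time() applies. Storing the absolute expiry rather than the TTL means a record that arrived with a long TTL is not served past the moment it would have left a normal resolver's cache, which is what the "TTL-based cache invalidation" datapoint describes.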
Data Accuracy and Limitations
Accuracy Considerations
DNS Propagation:: Recent changes may not be globally visible
Geographic Precision:: IP geolocation accuracy varies
API Dependencies:: External services may have rate limits or outages
Estimation Confidence
Circuit Turn-On Dates:: Best estimates based on available signals
Security Assessments:: Based on publicly visible DNS records only
Business Intelligence:: Inferred from infrastructure patterns
Data Freshness
Real-Time Analysis:: DNS queries performed during analysis
Historical Comparison:: Change detection over time
Cache Management:: Balance between performance and accuracy