osint_domain_recon
Perform domain reconnaissance by analyzing DNS records, WHOIS data, subdomains, and email security from multiple free sources without API keys.
Instructions
Quick domain reconnaissance combining free sources: DNS (A/MX/NS/TXT), WHOIS, crt.sh subdomains, HackerTarget hosts, and email security analysis. No API keys required.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| domain | Yes | Domain to perform recon on | |
Implementation Reference
- src/meta/recon.ts:36-80 (handler) The core implementation of the osint_domain_recon logic, aggregating results from DNS, WHOIS, crt.sh, and HackerTarget.

```typescript
export async function domainRecon(domain: string): Promise<DomainReconResult> {
  const errors: string[] = [];

  // Run all free sources in parallel
  const [aResult, mxResult, nsResult, txtResult, whoisResult, crtshResult, htResult, emailResult] =
    await Promise.allSettled([
      dnsLookup(domain, "A"),
      dnsLookup(domain, "MX"),
      dnsLookup(domain, "NS"),
      dnsLookup(domain, "TXT"),
      whoisDomain(domain),
      crtshSearch(domain),
      hackertargetHostsearch(domain),
      dnsEmailSecurity(domain),
    ]);

  // DNS
  const a = aResult.status === "fulfilled"
    ? aResult.value.map((r) => r.value)
    : (errors.push(`DNS A: ${(aResult as PromiseRejectedResult).reason}`), []);
  const mx = mxResult.status === "fulfilled"
    ? mxResult.value.map((r) => ({ exchange: r.value, priority: r.priority }))
    : (errors.push(`DNS MX: ${(mxResult as PromiseRejectedResult).reason}`), []);
  const ns = nsResult.status === "fulfilled"
    ? nsResult.value.map((r) => r.value)
    : (errors.push(`DNS NS: ${(nsResult as PromiseRejectedResult).reason}`), []);
  const txt = txtResult.status === "fulfilled"
    ? txtResult.value.map((r) => r.value)
    : [];

  // WHOIS
  let whois: DomainReconResult["whois"];
  if (whoisResult.status === "fulfilled") {
    const w = whoisResult.value;
    whois = {
      registrar: w.registrar,
      registrationDate: w.registrationDate,
      expirationDate: w.expirationDate,
      nameservers: w.nameservers,
    };
  } else {
    errors.push(`WHOIS: ${whoisResult.reason}`);
  }

  // Subdomains (deduplicated from crt.sh + HackerTarget)
  const subdomainSet = new Set<string>();
  let crtshCount = 0;
  let htCount = 0;
  if (crtshResult.status === "fulfilled") {
    crtshCount = crtshResult.value.uniqueSubdomains.length;
    for (const s of crtshResult.value.uniqueSubdomains) subdomainSet.add(s.toLowerCase());
  } else {
    // (the listing on this page ends here)
```

- src/protocol/tools.ts:468-475 (registration) Registration of the osint_domain_recon tool in the protocol registry, defining its schema and mapping it to the domainRecon function.

```typescript
const osintDomainReconTool: ToolDef = {
  name: "osint_domain_recon",
  description: "Quick domain reconnaissance combining free sources: DNS (A/MX/NS/TXT), WHOIS, crt.sh subdomains, HackerTarget hosts, and email security analysis. No API keys required.",
  schema: {
    domain: z.string().describe("Domain to perform recon on"),
  },
  execute: async (args) => json(await domainRecon(args.domain as string)),
};
```
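The handler's subdomain step merges crt.sh and HackerTarget names into one lowercased set. The following is an added example, not the project's code, of a stricter merge for asset inventory that also strips wildcard labels and trailing dots and rejects names outside the queried domain; `mergeSubdomains`, its result shape, the multi-name input entries and the sample data are assumptions made for illustration.

```typescript
// Added example (not from the project): all names and sample data are constructed.
interface MergedSubdomains {
  subdomains: string[];            // sorted, deduplicated, in-scope names
  sources: Record<string, number>; // distinct in-scope names contributed per source
  discarded: string[];             // names rejected as out of scope or malformed
}

// One DNS label: 1-63 chars, no leading or trailing hyphen ("_" kept for service labels).
const LABEL = /^[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?$/;

// Lowercase, trim, then drop a trailing root dot and a leading "*." wildcard label.
function normalizeName(raw: string): string {
  return raw.trim().toLowerCase().replace(/\.$/, "").replace(/^\*\./, "");
}

// In scope means the apex itself or a name ending in ".<apex>". A bare
// endsWith(apex) would wrongly accept "notexample.com" for "example.com".
function inScope(name: string, apex: string): boolean {
  if (name !== apex && !name.endsWith("." + apex)) return false;
  return name.length <= 253 && name.split(".").every((l) => LABEL.test(l));
}

function mergeSubdomains(apex: string, bySource: Record<string, string[]>): MergedSubdomains {
  const root = normalizeName(apex);
  const seen = new Set<string>();
  const discarded = new Set<string>();
  const sources: Record<string, number> = {};
  for (const source of Object.keys(bySource)) {
    const own = new Set<string>();
    for (const entry of bySource[source]) {
      // Assumption: one entry may hold several newline-separated names.
      for (const raw of entry.split(/\r?\n/)) {
        const name = normalizeName(raw);
        if (!name) continue;
        if (inScope(name, root)) { own.add(name); seen.add(name); }
        else discarded.add(name);
      }
    }
    sources[source] = own.size;
  }
  return { subdomains: Array.from(seen).sort(), sources, discarded: Array.from(discarded).sort() };
}

// Constructed sample input (example.com is a reserved documentation domain).
const sample = mergeSubdomains("Example.com", {
  crtsh: ["*.example.com\nWWW.example.com", "mail.example.com.", "notexample.com"],
  hackertarget: ["www.example.com", "vpn.example.com", "example.com.evil.test"],
});
console.log(sample);
```

Keeping the discarded names instead of silently dropping them makes it visible when a source returns data for a different domain.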