DNS & Resolution
Recursive DNS resolvers
IANA Root Zone
What it is: Anycast resolvers that traverse the DNS hierarchy starting at IANA-delegated root servers.
How D3 uses it: D3 queries multiple geographically distributed resolvers to obtain A, AAAA, MX, NS, TXT, CAA, CNAME and SOA records. Multi-resolver queries catch hijack or split-horizon anomalies invisible to a single resolver.
Authoritative nameservers
What it is: The nameservers listed in the TLD registry delegation for the domain, queried directly without caching.
How D3 uses it: D3 falls back to direct authoritative queries to detect discrepancies between recursive cache and authoritative truth — a key signal for DNS hijacking.
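The comparison described in the two entries above, sketched as an added example (not D3's own code): answers from several recursive resolvers are checked against the authoritative answer and against each other. The resolver names and the sample answers are constructed, and the addresses come from the RFC 5737 documentation ranges.

```python
from collections import Counter

HOSTNAME_TYPES = {"NS", "MX", "CNAME", "SOA"}  # rdata holding DNS names

def normalize(rtype, values):
    """Order-independent, comparable form of one RRset."""
    out = set()
    for value in values:
        value = " ".join(value.split())
        if rtype in HOSTNAME_TYPES:
            value = value.lower().rstrip(".")  # names are case-insensitive
        out.add(value)
    return frozenset(out)

def compare_views(rtype, recursive, authoritative):
    """recursive: {resolver: [rdata]}; authoritative: [rdata].
    Returns one finding per resolver whose answer differs."""
    truth = normalize(rtype, authoritative)
    views = {name: normalize(rtype, v) for name, v in recursive.items()}
    majority = Counter(views.values()).most_common(1)[0][0]
    findings = []
    for name in sorted(views):
        seen = views[name]
        if seen == truth:
            continue
        findings.append({
            "resolver": name,
            "extra": sorted(seen - truth),    # served but not authoritative
            "missing": sorted(truth - seen),  # authoritative but not served
            "outlier": seen != majority,      # also disagrees with its peers
        })
    return findings

# Constructed sample: hypothetical resolver names, RFC 5737 addresses.
AUTHORITATIVE_A = ["192.0.2.10", "192.0.2.11"]
RECURSIVE_A = {
    "resolver-eu": ["192.0.2.11", "192.0.2.10"],
    "resolver-us": ["192.0.2.10", "192.0.2.11"],
    "resolver-ap": ["203.0.113.66"],
}

if __name__ == "__main__":
    # A mismatch is a lead, not a verdict: geo-steered answers and caches
    # still inside their TTL also produce differences.
    for finding in compare_views("A", RECURSIVE_A, AUTHORITATIVE_A):
        print(finding)
```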
DNSSEC validation chain
IANA DNSSEC
What it is: Cryptographic chain of trust from the IANA-signed root zone through TLD and domain zone.
How D3 uses it: D3 verifies the DNSSEC validation chain (DS, DNSKEY, RRSIG) and reports whether the domain has a valid, broken or missing DNSSEC deployment.
Registration & WHOIS
RDAP (Registration Data Access Protocol)
IANA RDAP Bootstrap
What it is: The successor to WHOIS. Structured JSON responses from TLD-specific authoritative RDAP servers, routed via IANA's bootstrap registry.
How D3 uses it: D3 uses IANA bootstrap to route each query to the correct TLD-specific RDAP server, obtaining registrar, registrant (where published), registration/expiry dates, EPP status codes and nameservers in structured form. RDAP has been mandatory for all ICANN-accredited gTLD registrars since 2019.
Classic WHOIS (port 43)
What it is: The legacy plain-text registration data protocol, still used by most ccTLDs and some gTLDs.
How D3 uses it: D3 falls back to TCP port 43 WHOIS for TLDs not yet serving RDAP, with TLD-specific parsers for registries such as DNS Belgium (.be), SIDN (.nl), and DENIC (.de).
Email Security
SPF (Sender Policy Framework) — DNS TXT
RFC 7208
What it is: A DNS TXT record that authorises which mail servers may send email on behalf of the domain.
How D3 uses it: D3 retrieves, parses and validates the SPF record, scoring it for completeness, correctness and security posture.
DKIM (DomainKeys Identified Mail) — DNS TXT
RFC 6376
What it is: Cryptographic key published in DNS that allows receiving mail servers to verify message integrity and origin.
How D3 uses it: D3 probes common DKIM selector names to determine whether DKIM is deployed and whether the key is valid.
DMARC (Domain-based Message Authentication) — DNS TXT
RFC 7489
What it is: A policy record that specifies how receiving servers should handle messages failing SPF or DKIM checks.
How D3 uses it: D3 retrieves and interprets the DMARC policy (none / quarantine / reject), reporting percentage, and aggregate/forensic reporting addresses.
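An added example (not D3's own parser or scoring) of reading the fields named above from a DMARC TXT string per RFC 7489: policy, percentage, and the aggregate (rua) and forensic (ruf) addresses. The sample record and its addresses are constructed.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one DMARC TXT string (RFC 7489 tag=value list) into a report."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # v=DMARC1 must be the first tag, otherwise the record is not DMARC.
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return {"valid": False, "issues": ["first tag is not v=DMARC1"]}
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        issues.append("missing or unknown p= policy")
        policy = None
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
        if not 0 <= pct <= 100:
            raise ValueError(pct)
    except ValueError:
        issues.append("pct is not an integer in 0..100, default used")
        pct = 100

    def uris(tag):
        # Comma-separated URIs; an optional "!10m" size limit is dropped.
        raw = tags.get(tag, "").split(",")
        return [u.strip().split("!")[0] for u in raw if u.strip()]

    if policy == "none":
        issues.append("p=none requests no action on failing mail")
    if pct < 100:
        issues.append(f"policy applies to only {pct}% of failing mail")
    if not uris("rua"):
        issues.append("no rua address, aggregate reports are not received")
    return {"valid": True, "policy": policy, "pct": pct,
            "subdomain_policy": tags.get("sp", policy),
            "rua": uris("rua"), "ruf": uris("ruf"), "issues": issues}

# Constructed sample record; the addresses are placeholders.
SAMPLE = ("v=DMARC1; p=quarantine; pct=25; "
          "rua=mailto:agg@example.org!10m, mailto:second@example.org; "
          "ruf=mailto:forensic@example.org")

if __name__ == "__main__":
    print(parse_dmarc(SAMPLE))
```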
BIMI / MTA-STS / DANE / TLS-RPT
What it is: Advanced email authentication and transport security standards.
How D3 uses it: D3 checks for BIMI brand indicators, MTA-STS policy enforcement, DANE/TLSA certificate pinning and TLS-RPT reporting — each scored for presence and correctness.
Certificate Transparency
Certificate Transparency logs
certificate.transparency.dev
What it is: Publicly auditable append-only logs of every TLS certificate issued by a participating Certificate Authority.
How D3 uses it: D3 queries CT aggregators to surface recently issued certificates for the domain and its subdomains — a key signal for detecting unauthorised certificate issuance (a prerequisite for HTTPS-based man-in-the-middle attacks).
Reputation & Threat Feeds
Spamhaus DBL / SBL / XBL / ZRD
Spamhaus lists
What it is: The world's most widely-used domain and IP reputation blocklists. DBL lists domains involved in spam/phishing. SBL lists spam-source IPs. XBL lists exploited/botnet IPs. ZRD lists newly registered domains with no send history.
How D3 uses it: D3 queries each list for the domain and its resolved IP addresses, reporting exact list membership and severity.
Google Web Risk
Google Web Risk API
What it is: Google's enterprise threat intelligence API covering malware distribution, phishing, social engineering and unwanted software.
How D3 uses it: D3 queries the Web Risk Lookup API (v1) for the domain, reporting any active threat classifications with their expiry timestamps.
Brand Monitoring
ICANN CZDS — gTLD zone files
ICANN CZDS
What it is: The Centralized Zone Data Service provides zone files for all participating generic top-level domains (.com, .net, .org and hundreds of others). Each zone file lists every registered domain under that TLD.
How D3 uses it: D3 processes gTLD zone files daily via ICANN CZDS to detect newly registered domains matching brand keywords, using 12 mutation techniques (deletion, substitution, transposition, IDN homoglyphs, combosquatting and more).
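An added example (not D3's code) of the daily zone-file comparison: labels that appear in today's file but not yesterday's are classified against a brand keyword using four of the techniques named above. It assumes five-field zone lines (owner, TTL, class, type, rdata); the brand `examplebank`, the reserved TLD `example` and the zone contents are constructed.

```python
def classify(label, brand):
    """Name the single edit that turns `brand` into `label`, or None."""
    if label == brand:
        return "exact"
    if len(label) == len(brand) - 1:
        if any(brand[:i] + brand[i + 1:] == label for i in range(len(brand))):
            return "deletion"
    if len(label) == len(brand):
        diff = [i for i, (a, b) in enumerate(zip(label, brand)) if a != b]
        if len(diff) == 1:
            return "substitution"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and label[diff[0]] == brand[diff[1]]
                and label[diff[1]] == brand[diff[0]]):
            return "transposition"
    if brand in label:
        return "combosquatting"
    return None

def registered_labels(zone_text, tld):
    """Second-level labels that own an NS record in a zone file."""
    labels, suffix = set(), "." + tld + "."
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, rtype = fields[0].lower(), fields[3].lower()
        if rtype == "ns" and owner.endswith(suffix):
            name = owner[: -len(suffix)]
            if "." not in name:  # skip names below the second level
                labels.add(name)
    return labels

def new_lookalikes(today, yesterday, tld, brand):
    """Newly delegated labels that look like `brand`, with the technique."""
    fresh = registered_labels(today, tld) - registered_labels(yesterday, tld)
    hits = {label: classify(label, brand) for label in sorted(fresh)}
    return {l: kind for l, kind in hits.items() if kind and kind != "exact"}

def zone(*labels):
    # Builds constructed zone lines; ns1.dns.example. is a placeholder.
    return "\n".join(f"{l}.example.\t172800\tin\tns\tns1.dns.example."
                     for l in labels)

YESTERDAY = zone("examplebank", "unrelated")
TODAY = zone("examplebank", "unrelated", "exampelbank", "examplbank",
             "examp1ebank", "examplebank-login", "bakery")

if __name__ == "__main__":
    print(new_lookalikes(TODAY, YESTERDAY, "example", "examplebank"))
```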
DNS resolution of lookalike variants
What it is: Active DNS probing of every generated typosquatting variant.
How D3 uses it: Each lookalike variant is DNS-resolved to determine whether it is registered (NS records), actively used (A/AAAA), email-capable (MX) or passive. Active variants are scored higher for threat risk.
Compliance Mapping
NIS2 Directive — Article 21 controls
NIS2 Directive text
What it is: The EU Network and Information Security Directive 2 mandates specific cybersecurity risk management measures for in-scope organisations, including domain and DNS security controls.
How D3 uses it: D3 maps each scan finding to relevant NIS2 Article 21 obligations, producing an evidence-backed compliance status for every control that the domain configuration can speak to.
ISO/IEC 27001:2022 — Annex A controls
ISO 27001
What it is: The international standard for information security management systems. Annex A lists 93 controls across four domains.
How D3 uses it: D3 maps findings to the Annex A controls relevant to domain security (particularly domains 5, 8 and 12), supporting ISMS evidence collection and external audits.
IANA root zone database
IANA Root Zone Database
What it is: The authoritative list of all delegated top-level domains, registries and their technical parameters.
How D3 uses it: D3 uses the IANA root zone database to validate TLD existence, route RDAP queries via bootstrap, and determine whether a domain's TLD is gTLD, ccTLD or new TLD — which affects applicable data availability and legal jurisdiction.