// industry vertical

DNS security forensics

passive DNS · DoH/DoT · Infoblox RPZ · Cloudflare DNS firewall · Route 53 Resolver · DGA clustering · DNS tunneling entropy · split-horizon leaks · multi-resolver timeline correlation.

tools: 12 · priority: H · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this vertical.

  1. passive dns resolution history forensic analyzer: drop passive dns export · parse rrset timeline + first/last seen · runs locally
  2. domain generation algorithm dns cluster detector: drop dns query corpus export · cluster dga-like qname patterns · runs locally
  3. dns tunneling entropy anomaly detector: drop dns query log export · detect high-entropy subdomain bursts · runs locally
  4. multi resolver dns timeline correlator: drop 2+ dns log exports · unified qname timeline graph · runs locally
  5. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
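
what the tunneling entropy detector (tool 3) is actually looking for, as an added example in python. this is not the catalog tool's code and not a real resolver export: the log format, thresholds, client addresses, qnames and the "last two labels are the registered domain" rule are all constructed assumptions. it scores the subdomain payload by shannon entropy and then flags a client only when several such queries land inside a short window, which is what separates tunneling from a single odd CDN hostname.

```python
# Added example (not one of the catalog's tools): a minimal DNS tunneling
# entropy/burst detector. Log format, thresholds and sample lines are all
# constructed for illustration.
import math
from collections import defaultdict
from datetime import datetime

# Constructed query-log export: "<utc ts> <client ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 www.example.com A
2024-05-01T10:00:01Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:02Z 10.0.0.9 7h3q9x2k8m4z1p6v0n5w.tun.example.net TXT
2024-05-01T10:00:02Z 10.0.0.9 k2m8x4q7z1v9p3n6w0h5.tun.example.net TXT
2024-05-01T10:00:03Z 10.0.0.9 z9p3n6w0h5k2m8x4q7v1.tun.example.net TXT
2024-05-01T10:00:03Z 10.0.0.9 m8x4q7v1z9p3n6w0h5k2.tun.example.net TXT
2024-05-01T10:00:04Z 10.0.0.9 w0h5k2m8x4q7v1z9p3n6.tun.example.net TXT
2024-05-01T10:00:05Z 10.0.0.5 cdn.example.org A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield records from the constructed format; skips blank/short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield {
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "client": parts[1],
            "qname": parts[2].lower().rstrip("."),
            "qtype": parts[3],
        }


def data_labels(qname: str) -> str:
    """Labels left of the registered domain, joined.

    Simplifying assumption: the registered domain is the last two labels.
    A production tool would split on the Public Suffix List instead.
    """
    labels = qname.split(".")
    return "".join(labels[:-2])


def detect_bursts(text: str, entropy_threshold: float = 3.5,
                  min_payload_len: int = 16, window_s: int = 10,
                  burst_count: int = 3) -> dict:
    """Return {client: [burst, ...]} for clients that send >= burst_count
    high-entropy, long-payload queries within window_s seconds."""
    suspicious = defaultdict(list)
    for rec in parse_log(text):
        payload = data_labels(rec["qname"])
        if (len(payload) >= min_payload_len
                and shannon_entropy(payload) >= entropy_threshold):
            suspicious[rec["client"]].append(rec)

    bursts = {}
    for client, recs in suspicious.items():
        recs.sort(key=lambda r: r["ts"])
        found, i = [], 0
        while i < len(recs):
            j = i
            # extend the window while the next event is within window_s of the first
            while (j + 1 < len(recs)
                   and (recs[j + 1]["ts"] - recs[i]["ts"]).total_seconds() <= window_s):
                j += 1
            if j - i + 1 >= burst_count:
                found.append({
                    "start": recs[i]["ts"].isoformat(),
                    "end": recs[j]["ts"].isoformat(),
                    "count": j - i + 1,
                    "sample_qnames": [r["qname"] for r in recs[i:i + 3]],
                })
            i = j + 1
        if found:
            bursts[client] = found
    return bursts


if __name__ == "__main__":
    for client, events in detect_bursts(SAMPLE_LOG).items():
        for b in events:
            print(f"{client}: {b['count']} high-entropy queries "
                  f"{b['start']}..{b['end']} e.g. {b['sample_qnames'][0]}")
```

on the constructed sample only 10.0.0.9 is reported: five 20-character random labels (entropy about 4.3 bits/char) inside two seconds. the thresholds are starting points, not calibrated values; base32/base64-heavy legitimate traffic (CDN hashes, anti-spam lookups, DNSBLs) sits in the same entropy band, so tune the window and count against a baseline of your own resolver before treating a hit as exfiltration.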

also useful · secondary tools

cross-cutting tools that surface depending on the specific investigation.

  1. dns over https query log forensic analyzer: drop doh resolver query log · parse qname + rcode + resolver id · runs locally
  2. dns over tls session log forensic analyzer: drop dot session log export · parse client + qname + session duration · runs locally
  3. infoblox dns security log forensic analyzer: drop infoblox rpz/security log · parse policy + action + threat feed · runs locally
  4. cloudflare dns firewall log forensic analyzer: drop cloudflare dns firewall log · parse matched rule + query type · runs locally
  5. aws route53 resolver query log forensic analyzer: drop route53 resolver query log · parse vpc + query name + response · runs locally
  6. split horizon dns policy violation detector: drop internal vs external resolver exports · detect cross-horizon leaks · runs locally
  7. evidence manifest generator: drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally
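
the check behind the split-horizon detector (secondary tool 6), as an added example in python. it is not the catalog tool's code and the two exports, the internal zone list, the log format and the severity labels are constructed assumptions. the core of it is a zone-membership test that matches the apex and anything below it but refuses a bare suffix match, and a severity split on the external rcode: NXDOMAIN still leaks naming and client intent, NOERROR means the internal zone's data is answerable from outside.

```python
# Added example (not one of the catalog's tools): flag internal-zone names that
# appear in an external resolver's export. Log format, zones and lines are constructed.

# Zones that must only ever resolve on the internal horizon (constructed).
INTERNAL_ZONES = ["corp.example.com", "10.in-addr.arpa"]

# Constructed exports: "<utc ts> <client ip> <qname> <qtype> <rcode>" per line.
INTERNAL_LOG = """\
2024-05-01T09:00:00Z 10.0.0.7 fileserver.corp.example.com A NOERROR
2024-05-01T09:00:01Z 10.0.0.7 corp.example.com SOA NOERROR
2024-05-01T09:00:02Z 10.0.0.5 www.example.com A NOERROR
"""

EXTERNAL_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 www.example.com A NOERROR
2024-05-01T09:00:01Z 10.0.0.7 fileserver.corp.example.com A NXDOMAIN
2024-05-01T09:00:02Z 10.0.0.7 corp.example.com SOA NOERROR
2024-05-01T09:00:03Z 10.0.0.8 5.0.0.10.in-addr.arpa PTR NXDOMAIN
2024-05-01T09:00:04Z 10.0.0.5 notcorp.example.com A NOERROR
"""


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of FQDN form."""
    return name.lower().rstrip(".")


def in_zone(qname: str, zone: str) -> bool:
    """True for the zone apex and anything below it. A bare suffix match
    would wrongly match notcorp.example.com against corp.example.com."""
    q, z = normalize(qname), normalize(zone)
    return q == z or q.endswith("." + z)


def parse_log(text: str):
    """Yield records from the constructed format; skips blank/short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        yield {"ts": parts[0], "client": parts[1],
               "qname": normalize(parts[2]), "qtype": parts[3], "rcode": parts[4]}


def find_cross_horizon_leaks(internal_zones, internal_log, external_log):
    """Every external-resolver query for an internal-zone name is a leak.
    rcode NOERROR on the external side means the zone data itself is exposed
    (high); NXDOMAIN still leaks naming and client intent (medium).
    seen_internally corroborates that the name is a real internal asset
    rather than a typo or probe."""
    internal_seen = {r["qname"] for r in parse_log(internal_log)}
    findings = []
    for rec in parse_log(external_log):
        zone = next((z for z in internal_zones if in_zone(rec["qname"], z)), None)
        if zone is None:
            continue
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "qname": rec["qname"],
            "qtype": rec["qtype"],
            "zone": normalize(zone),
            "severity": "high" if rec["rcode"] == "NOERROR" else "medium",
            "seen_internally": rec["qname"] in internal_seen,
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_horizon_leaks(INTERNAL_ZONES, INTERNAL_LOG, EXTERNAL_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['client']} {f['qname']} {f['qtype']} "
              f"zone={f['zone']} seen_internally={f['seen_internally']}")
```

on the constructed exports three findings come back: fileserver.corp.example.com (medium, corroborated internally), corp.example.com SOA answered NOERROR externally (high, the zone is reachable from outside), and a reverse lookup under 10.in-addr.arpa (medium, not seen internally). notcorp.example.com is correctly ignored. when running this against real exports, normalise both sides' qnames the same way first, since DoH/DoT and cloud resolver logs differ in case and trailing-dot handling.
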
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

want deeper DNS security coverage?

this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.
