About - 3rd Party Tracer

🔍 Project Overview

3rd Party Tracer is a powerful client-side web application designed to analyze DNS records and identify third-party services associated with any domain. Built with pure HTML, JavaScript, and CSS, it provides comprehensive insights into an organization's digital footprint and cloud service dependencies.

The tool leverages multiple data sources and advanced DNS analysis techniques to discover and categorize third-party services, helping organizations understand their cloud service relationships and potential security implications.

🚀 Key Features

Comprehensive DNS Analysis: DoH queries, multiple record types, Certificate Transparency logs
Service Detection: Cloud providers, email services, CDN, DNS services, security providers
Security Analysis: Subdomain takeover detection, DMARC policy analysis, risk assessment
Rich Visualization: Categorized services, historical records, CNAME mapping, statistics
Client-Side Only: No server dependencies, works offline, privacy-focused
Real-Time Analysis: Live DNS queries and subdomain discovery

🛠️ Technology Stack

Frontend HTML5, CSS3, Vanilla JavaScript

DNS DNS over HTTPS (DoH)

APIs Certificate Transparency, Threat Intelligence

Architecture Client-side only, no server dependencies

📋 How It Works

1. DNS Record Analysis

The tool starts by querying various DNS record types to understand the domain's configuration:

TXT Records: Service ownership proofs and configurations
SPF Records: Authorized email service providers
DMARC Records: Email security and reporting services
MX Records: Email hosting providers
A/CNAME Records: Direct IP mappings and service redirects

2. Subdomain Discovery

Leverages multiple sources for comprehensive subdomain enumeration:

Certificate Transparency Logs: Historical SSL certificate data
Threat Intelligence Platforms: Passive DNS and security data
DNS Enumeration APIs: Additional coverage and validation

3. Service Classification

Each discovered subdomain is analyzed and categorized using:

IP-based Classification: ASN data for cloud provider identification
CNAME Target Analysis: Service identification through redirects
Pattern Matching: Regex patterns for known service providers
Vendor Consolidation: Prevents duplicate entries

4. Security Assessment

Comprehensive security analysis including:

Subdomain Takeover Detection: CNAME resolution validation
DMARC Policy Evaluation: Detailed tag parsing and analysis
Infrastructure Risk Assessment: IP range analysis and ASN data
Cloud Service Dependency Mapping: Service relationship visualization

🔗 APIs & Data Sources

This tool integrates with several APIs and data sources to provide comprehensive analysis. We extend our gratitude to these services for making their data publicly available.

DNS over HTTPS Providers

dns.google/resolve

Google's public DNS service providing encrypted DNS queries over HTTPS. Used for secure DNS resolution without ISP interference.

Cloudflare DNS

cloudflare-dns.com/dns-query

Cloudflare's DNS over HTTPS service providing fast and secure DNS resolution with global CDN coverage.

crt.sh Certificate Transparency

crt.sh/?q=%25.{domain}&output=json

Certificate Transparency log search service operated by Comodo. Provides historical SSL certificate data for subdomain discovery.

SSLMate CT Search API

api.certspotter.com/v1/issuances

Certificate Transparency log aggregation service by SSLMate (formerly Cert Spotter). Provides comprehensive SSL certificate data for domain analysis.

HackerTarget API

api.hackertarget.com/hostsearch

HackerTarget's DNS enumeration service providing subdomain discovery and host information for security research.

IPinfo.io

ipinfo.io/{ip}/json

IP geolocation and ASN data service providing detailed information about IP addresses for service classification.

DNS.pub

doh.pub/dns-query

Public DNS over HTTPS service providing encrypted DNS queries as a backup DNS resolver.

Alibaba DNS

dns.alidns.com/resolve

Alibaba Cloud's DNS service providing global DNS resolution with extensive coverage in Asia-Pacific regions.

🔒 Privacy & Security

3rd Party Tracer is designed with privacy and security in mind:

Client-Side Only: No data is sent to our servers - all processing happens in your browser
DNS over HTTPS: All DNS queries are encrypted using DoH protocols
No Tracking: No analytics, cookies, or user tracking mechanisms
Open Source: Transparent code available for security review
No API Keys Required: Uses only public APIs and services

🔐 Paranoid Self-Host / Airgapped Deployment

For security-conscious environments, airgapped networks, or self-hosted deployments, the following domains must be allowed through your firewall or proxy. Domains are grouped by functionality and criticality.

DNS over HTTPS Providers (Core Functionality)

Required for DNS record queries. The tool uses multiple providers for redundancy:

Domain	Purpose
`dns.google`	Google DNS over HTTPS (primary)
`cloudflare-dns.com`	Cloudflare DNS over HTTPS (primary)
`doh.powerdns.org`	PowerDNS DoH (fallback)
`dns.alidns.com`	Alibaba Cloud DNS (fallback)

Certificate Transparency Logs (Subdomain Discovery)

Required for subdomain discovery via SSL certificate data:

Domain	Purpose
`crt.sh`	Certificate Transparency log search (Comodo)
`api.certspotter.com`	SSLMate CT Search API (formerly Cert Spotter)

Subdomain Discovery APIs

Additional sources for subdomain enumeration:

Domain	Purpose
`api.hackertarget.com`	HackerTarget DNS enumeration service
`ip.thc.org`	THC reverse DNS database API

IP Geolocation (Service Classification)

Used for IP-to-location mapping and ASN data for service classification:

Domain	Purpose
`ipinfo.io`	IP geolocation and ASN data service

DNS-Based Blocklists (Threat Detection)

Blocklist checking via DNS queries (no HTTP required, uses DoH):

Domain	Purpose
`dbl.spamhaus.org`	Spamhaus Domain Block List (via DNS)
`zen.spamhaus.org`	Spamhaus ZEN IP Block List (via DNS)
`multi.surbl.org`	SURBL multi-list blocklist (via DNS)
`multi.uribl.com`	URIBL multi-list blocklist (via DNS)

Analytics (Optional - Can Be Blocked)

Privacy-focused analytics service (optional, can be blocked without affecting functionality):

Domain	Purpose
`plausible.io`	Privacy-focused analytics (optional)

Fully Airgapped Environments: For complete network isolation, DNS queries can be routed through an internal DNS resolver that supports DNS over HTTPS. Subdomain discovery features will be limited without Certificate Transparency and discovery API access, but core DNS analysis functionality will continue to work.

🎯 Use Cases

Security Research: Identify potential attack vectors and service dependencies
Asset Discovery: Map organizational digital footprint and cloud services
Compliance Auditing: Document third-party service usage for regulatory requirements
Penetration Testing: Reconnaissance phase for security assessments
Cloud Migration Planning: Understand current service dependencies before migration
Vendor Risk Assessment: Identify and evaluate third-party service providers

🤝 Contributing

We welcome contributions from the security research community! Whether it's bug reports, feature requests, or code contributions, your input helps make this tool better for everyone.

To contribute:

Fork the repository on GitHub
Create a feature branch for your changes
Test thoroughly with multiple domains
Submit a pull request with detailed description

📞 Support & Contact

For questions, issues, or feature requests:

GitHub Issues: Create an issue
Live Demo: Try the application
Cyfinoid Research: Visit our website

📄 License

This project is licensed under the MIT License. See the LICENSE file for details.

🙏 Acknowledgments

Special thanks to:

Certificate Transparency Initiative: For making SSL certificate data publicly accessible
DNS over HTTPS Providers: Google, Cloudflare, and others for secure DNS services
Subdomain Discovery Services: HackerTarget for subdomain enumeration
IP Geolocation Services: IPinfo.io for ASN and location data
Open Source Community: For inspiration and collaboration

About 3rd Party Tracer