TL;DR 3P‑Tracer is a browser‑first recon tool that helps you see which third‑party services a domain relies on. It runs on the client side, uses DNS over HTTPS and certificate transparency, classifies common providers, and highlights email security posture. No logins, no API keys, nothing leaves your machine.
Live tool: 3P‑Tracer
Code: GitHub repository
About: How it works
Why we built this
Modern recon often begins with a simple question: what does this domain talk to. Many teams still reach for heavyweight setups or rate‑limited SaaS. We prefer a simpler path that lowers the barrier to entry. This is part of our ongoing effort to put capable security tooling in the browser so people can start in seconds and keep their data local. For the thinking behind this approach, read: Making Security Tools Accessible: Why I Chose the Browser.
What 3P‑Tracer does
- Comprehensive DNS analysis Live DoH queries for A, AAAA, CNAME, TXT, MX, NS, SPF, and DMARC.
- Certificate Transparency discovery Surfaces historical and shadow subdomains using CT logs.
- Service detection and classification Flags common providers across clouds, CDN and hosting, DNS, email, and security services.
- Security checks that matter DMARC policy parsing, SPF insights, a quick risk view.
- Rich output CNAME maps, categorized services, historical records, subdomain lists, and quick stats that make reporting easier.
Optional visuals to insert here:
- Screenshot of the main results view.
- CNAME mapping diagram.
- Email posture summary card.
Privacy by design
3P‑Tracer is a static web app. Analysis happens in your browser. We do not collect targets or results. DNS queries use encrypted DoH. The code is open for review under the MIT license.
Who it is for
- OSINT and recon Quick third‑party mapping before a deeper pass.
- Blue teams Inventory external dependencies and email posture without opening tickets.
- Developers Fast sanity check of what a domain exposes and which vendors it leans on.
How it works at a glance
- Query DNS for core records, including SPF and DMARC, using multiple DoH providers.
- Enumerate subdomains with certificate transparency and passive sources.
- Classify services using CNAME targets, IP ranges, and known provider patterns.
- Run safety checks for DMARC policy and basic takeover signals, then render structured results.
Quick start
- Open the live app: 3P‑Tracer
- Enter the domain you want to check
- Review the DNS, CT, and service classification sections
- Download / Save the page or copy/paste results into your notes or report
- If you find gaps or rough edges, file an issue on the repo
Roadmap
- Deeper provider fingerprints and heuristics.
- Subdomain takeover detection signals
- Export options for JSON and CSV
If any of these would unblock your workflow, comment on or upvote the matching GitHub issue or create an issue if nothing matches.
Reliability and limits
3P‑Tracer relies on public data sources. Some endpoints rate limit or change behavior. If you see incomplete sections, try again later or open an issue with details and a sample domain that you own. The About page lists current data sources and caveats.
Responsible use
Understand that we are not hunting for data, we are simply accumulating the data that is already public. Treat output as a starting point for analysis. Validate findings before acting on them. Our tool doesn’t uncover anything hidden, we simply list out what everyone else in the world can see.
Thanks
This work builds on the generosity of the open web and the teams that expose DoH, CT, and passive DNS data. It also builds on our belief that good security tools should be easy to start and easy to reason about.
SelfPromotion>
Software Supply Chain and Cloud Security are our core research areas and we also offer various trainings on this Domain. Below are some of our upcoming trainings.
</SelfPromotion>