Connor: How We Built a Transparent DNS Scanner
50,000 domains. Five observation planes. Every scan signed.
Connor is a DNS and infrastructure metadata scanner. It continuously scans 50,000 domains, collecting DNS records, TLS certificate data, WHOIS registration, and the HTTP response from a single probe to the domain root. Every observation is Ed25519 signed at the moment of collection. The signed receipt travels with the data. Anyone can verify what was observed, when, and by whom.
Connor operates in the same category as Censys [1], Shodan [2], and SecurityTrails [3]. It does not crawl websites, index page content, follow links, or traverse URL paths. It collects publicly available infrastructure metadata and signs it.
What Connor collects
Each domain is observed across five planes. The fast plane covers 9 DNS record types (A, AAAA, MX, NS, TXT, CNAME, SOA, CAA, SRV) and a single HTTPS HEAD probe that records status code and response headers. Four enrichment planes follow: WHOIS (domain registration via RDAP), ASN (autonomous system from IP geolocation), robots.txt (AI crawler blocking policies), and DNSSEC (signing validation). Each plane produces its own Ed25519 receipt with a derivation path unique to that observation type.
The only HTTP requests Connor makes to a target domain are HEAD / (liveness probe, GET fallback on 405) and GET /robots.txt (collected as a data point for AI blocking analysis). Certificate data comes from public CT logs via crt.sh. WHOIS comes from RDAP servers. DNSSEC validation runs through dns.google. None of those three lookups (crt.sh, RDAP, dns.google) touches the target domain's server.
Identification
Every request Connor makes carries the User-Agent `Connor-DNS-Intelligence/0.5 (+https://connor.dns.drm3.network)`. Requests are HTTPS only, with 8-second timeouts and a maximum of 5 redirect hops. The scanner self-identifies on every request. No impersonation, no spoofing.
Provenance receipts
Connor signs every observation with Ed25519 using deterministic key derivation. Each observation plane has its own signing key at a unique path: connor/scanner, connor/whois, connor/asn, connor/robots, connor/dnssec. All public keys are published in the DRM3 signer registry [6]. A composite receipt wraps the enrichment planes, chaining back to the fast scan that sourced the DNS data.
The time machine [5] gives every scanned domain a permanent URL where the latest observation and its receipt are publicly visible. The receipt includes the signed inputs, the output hash (SHA-256 of the canonicalized observation), and the Ed25519 signature. Verification runs in the browser. Nothing leaves your machine.
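The receipt check described above, as an added Node.js example rather than Connor's own verifier. The receipt field names, the sorted-key JSON canonicalization, the signed byte layout and the throwaway keys standing in for the signer registry are all assumptions made for illustration.

```javascript
// Added example. Receipt field names, sorted-key JSON canonicalization and the
// signed byte layout are assumptions; Connor's real format may differ.
const crypto = require('node:crypto');
// Canonicalize: JSON with object keys sorted recursively (assumed scheme).
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}
const sha256 = s => crypto.createHash('sha256').update(s).digest('hex');

// Signer side, shown only so the sample receipt is self-consistent.
function signObservation(path, privateKey, inputs, observation) {
  const body = { path, inputs, outputHash: sha256(canonicalize(observation)) };
  const sig = crypto.sign(null, Buffer.from(canonicalize(body)), privateKey);
  return { ...body, signature: sig.toString('base64') };
}

// Verifier side: hash check first, then the signature under the key the
// registry lists for the receipt's derivation path.
function verifyReceipt(receipt, observation, registry) {
  if (sha256(canonicalize(observation)) !== receipt.outputHash) return 'hash-mismatch';
  const publicKey = registry[receipt.path];
  if (!publicKey) return 'unknown-signer';
  const { signature, ...body } = receipt;
  const ok = crypto.verify(null, Buffer.from(canonicalize(body)), publicKey,
    Buffer.from(signature, 'base64'));
  return ok ? 'valid' : 'bad-signature';
}

// Constructed sample data: throwaway keys stand in for the published registry.
const scanner = crypto.generateKeyPairSync('ed25519');
const whois = crypto.generateKeyPairSync('ed25519');
const registry = { 'connor/scanner': scanner.publicKey, 'connor/whois': whois.publicKey };
const observation = { domain: 'example.com', A: ['192.0.2.10'], status: 200 };
const receipt = signObservation('connor/scanner', scanner.privateKey,
  { domain: 'example.com', observedAt: '2026-01-01T00:00:00Z' }, observation);
function demo() {
  return {
    intact: verifyReceipt(receipt, observation, registry),
    tampered: verifyReceipt(receipt, { ...observation, A: ['198.51.100.7'] }, registry),
    wrongPlane: verifyReceipt({ ...receipt, path: 'connor/whois' }, observation, registry),
    unknown: verifyReceipt({ ...receipt, path: 'connor/other' }, observation, registry),
  };
}
console.log(demo());
```

Because the derivation path is inside the signed body, relabelling a fast-scan receipt as a WHOIS receipt fails verification even though the WHOIS key is a legitimate registry entry.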
Opt-out
Domain operators can request exclusion from scanning. The opt-out form is on the Connor product page [4]. Requests are processed within 7 business days after domain ownership verification. The same page accepts opt-in requests from operators who want their domain added to the catalog.
Why publish the methodology
Infrastructure scanners operate in a space where trust is the product. If the data is signed but the collection method is opaque, the signature proves the scanner saw something, not that the collection was legitimate. Publishing the methodology, the User-Agent, the exact HTTP requests, and the opt-out process is the other half of the provenance chain. The signature covers the what. The methodology covers the how.
Connor's scanning methodology, identification headers, and opt-out process are documented at drm3.io/products/connor [4]. The signer registry is at status.drm3.network [6]. Every domain in the catalog has a public time machine page with a verifiable receipt.
Sources
Published by
Robert Christian
Founder and CEO, DRM3 Labs Corp.
2026 DRM3 Labs Corp. All rights reserved. DRM3 Labs builds infrastructure for open protocols.
