← Back to list

DNS Guard - Domain Threat Intelligence Platform

May 1, 2025

DNS Guard - Domain Threat Intelligence Platform

DNS Guard

Domain threat intelligence platform — analyze any domain for DNS abuse, misconfigurations, phishing, typosquatting, and security threats. Built as a Final Year Project.


Project Repository

https://github.com/Trident09/DNS-Guard_FYP_SEM_X

Features

Feature Description
Threat Score ML-based 0–100 risk score with radial gauge
DNSSEC Check Validates DNSKEY, RRSIG, DS records
WHOIS Analysis Registrar, age, expiry, new/expiring domain flags
WHOIS Diff Detects changes between scans
Certificate Transparency Cert count, wildcard detection, spike alerts
Passive DNS Historical IP resolution, fast-flux detection
Typosquat Detection Edit-distance matching against top brands
Subdomain Enumeration Brute-force + CT log discovery
Reverse IP Co-hosted domains, high-density hosting detection
Threat Intelligence Spamhaus DBL + PhishTank blocklist checks
IP Geolocation Map SVG world map with hover tooltips
Feature Importance Chart SHAP-style bar chart from ML model
Risk Summary Actionable recommendations per scan
AI Chatbot Context-aware DNS security assistant (Groq API + fallback)
PDF Report Comprehensive downloadable report
Dark / Light Mode Persistent theme toggle
Recent Searches localStorage history on home page

Architecture

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Frontend  │────▶│   Backend   │────▶│  AI Service │
│  Next.js 14 │     │  FastAPI    │     │  FastAPI    │
│  Port 3000  │     │  Port 8000  │     │  Port 8001  │
└─────────────┘     └──────┬──────┘     └─────────────┘
                           │
              ┌────────────┼────────────┐
              ▼            ▼            ▼
         PostgreSQL      Redis       Qdrant
          Port 5432    Port 6379   Port 6333

Quick Start

Prerequisites

1. Clone & configure

git clone <repo-url>
cd FYP
cp .env.example .env
# Edit .env if needed (defaults work out of the box)

2. Start everything

docker compose up --build -d

3. Open the app

http://localhost:3000

4. Stop

docker compose down

Environment Variables

See .env.example for all variables. Key ones:

Variable Default Description
POSTGRES_USER dnsabuse Database user
POSTGRES_PASSWORD changeme Change in production
POSTGRES_DB dnsabuse_db Database name
REDIS_URL redis://redis:6379/0 Redis connection
AI_SERVICE_URL http://ai:8001 Internal AI service URL
GROQ_API_KEY (empty) Groq API key — get free at console.groq.com
LLM_MODEL llama-3.1-8b-instant Groq model name
VIRUSTOTAL_API_KEY (empty) Optional — enhances threat intel
SHODAN_API_KEY (empty) Optional — enhances reverse IP
SECRET_KEY changeme Change in production

Project Structure

FYP/
├── frontend/               # Next.js 14 app
│   ├── app/
│   │   ├── page.tsx                    # Home / search page
│   │   ├── layout.tsx                  # Root layout + SEO metadata
│   │   ├── analyze/[domain]/
│   │   │   ├── page.tsx                # Analysis results page
│   │   │   └── layout.tsx              # Per-domain SEO metadata
│   │   └── api/
│   │       ├── analyze/route.ts        # Proxy → backend /analyze
│   │       ├── chat/route.ts           # Proxy → backend /chat
│   │       └── report/[domain]/pdf/    # Proxy → backend PDF
│   └── components/
│       ├── ThreatScoreCard.tsx         # Radial gauge
│       ├── RiskSummary.tsx             # Recommendations panel
│       ├── FeatureImportanceChart.tsx  # SHAP-style bar chart
│       ├── GeoMap.tsx                  # SVG world map
│       ├── WhoisDiff.tsx               # WHOIS change detection
│       ├── DnssecBadge.tsx             # DNSSEC status badge
│       ├── ThemeToggle.tsx             # Dark/light mode
│       ├── ChatBot.tsx                 # AI assistant
│       └── ...                         # Other data cards
│
├── backend/                # FastAPI backend
│   └── app/
│       ├── api/
│       │   ├── analyze.py              # Main analysis endpoint
│       │   ├── chat.py                 # Chat proxy to AI service
│       │   └── reports.py             # PDF download endpoint
│       ├── services/
│       │   ├── dns_resolver.py         # DNS + DNSSEC resolution
│       │   ├── whois_lookup.py         # WHOIS data
│       │   ├── cert_transparency.py    # crt.sh CT log queries
│       │   ├── passive_dns.py          # Historical DNS records
│       │   ├── typosquat.py            # Brand similarity detection
│       │   ├── subdomain_enum.py       # Subdomain discovery
│       │   ├── reverse_ip.py           # Reverse IP lookup
│       │   ├── threat_intel.py         # Spamhaus + PhishTank
│       │   ├── geo_ip.py               # IP geolocation (ip-api.com)
│       │   └── pdf_report.py           # ReportLab PDF generation
│       ├── workers/tasks.py            # Celery async tasks
│       └── config.py                   # Pydantic settings
│
├── ai/                     # AI / ML service
│   └── app/
│       ├── api/
│       │   ├── score.py                # Threat scoring endpoint
│       │   └── chat.py                 # Chatbot endpoint (Groq API + fallback)
│       ├── features/extractor.py       # 40-feature vector extraction
│       └── models/
│           ├── ensemble.py             # Ensemble model (RF + rules)
│           └── mlp.py                  # MLP neural network
│
├── scripts/
│   └── update_feeds.py                 # Threat feed updater
├── data/
│   ├── raw/                            # Raw feed data
│   ├── threat_feeds/                   # Processed threat feeds
│   └── knowledge_base/                 # Qdrant RAG documents
├── docker-compose.yml
├── .env.example
└── .gitignore

API Reference

See docs/API.md for full endpoint documentation.

Quick reference

Method Endpoint Description
POST /analyze Full domain analysis
POST /chat AI chatbot message
GET /report/{domain}/pdf Download PDF report
GET /whois/{domain} WHOIS only
GET /certs/{domain} Certificate transparency
GET /passive-dns/{domain} Passive DNS history
GET /subdomains/{domain} Subdomain enumeration
GET /reverse-ip/{domain} Reverse IP lookup
GET /threat-intel/{domain} Blocklist check

ML Model

The threat scoring model uses a 40-feature vector extracted from the domain name and DNS records:

The ensemble combines rule-based scoring with an MLP neural network. Feature importance is returned with each score for explainability.


Chatbot

The AI assistant uses the Groq API (LLaMA 3.1 8B Instant) when a GROQ_API_KEY is configured. Without a key, it falls back to a comprehensive rule-based engine covering:


Development

Run frontend locally

cd frontend
npm install
npm run dev        # http://localhost:3000

Run backend locally

cd backend
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8000

Run AI service locally

cd ai
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8001

Update threat feeds

python scripts/update_feeds.py

License

Academic project — Final Year Project. Not for production use without security hardening.