How DNS Daddy Works
A step-by-step guide to protecting your domains from typosquatting attacks
Quick Start Guide
Sign Up
Create your free account to get started
Add Domain
Enter your domain name to monitor
Configure
Select TLDs and alert preferences
Monitor
Get alerts when threats are detected
Adding a Domain
Enter Your Domain
From your dashboard, enter the domain name you want to protect (e.g., "yourbrand.com") and click "Add Domain".
Choose Your Settings
- Email Alerts: Add email addresses to receive notifications
- Check Frequency: Daily, Weekly, or Monthly scans
- TLD Selection: Choose which domain extensions to monitor
Pro Tip
Use the "Daddy" preset for maximum protection - it scans 49 TLDs including all popular and commonly abused extensions.
Understanding Scans
What We Scan For
DNS Daddy uses DNStwist technology to generate and check thousands of potential lookalike domains using various fuzzing techniques:
Typos
Common typing mistakes like "gogle.com" instead of "google.com"
Transpositions
Swapped characters like "googel.com"
Homoglyphs
Visually similar characters like "g00gle.com" (zeros instead of o's)
Hyphenation
Adding hyphens like "goo-gle.com"
Additions
Extra characters like "googles.com" or "google1.com"
TLD Variants
Same name on different extensions like "google.net"
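As an added illustration (not DNS Daddy's or dnstwist's own code), the following Python builds one candidate set per technique listed above, so a defender can see which names a monitoring scan would go on to resolve. The function name `lookalikes`, the homoglyph map and the alternate-TLD list are constructed for this example and are far smaller than what a real tool uses.

```python
import string

# Constructed sample homoglyph map (assumption); real tools use much larger tables.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"]}
# Constructed sample of alternate TLDs (assumption); not the product's preset list.
ALT_TLDS = ["net", "org", "co"]


def lookalikes(domain):
    """Return {technique: set of candidate domains} for a name like 'google.com'."""
    name, _, tld = domain.lower().partition(".")
    if not name or not tld:
        raise ValueError("expected a domain of the form name.tld")
    out = {k: set() for k in
           ("typo", "transposition", "homoglyph", "hyphenation", "addition")}
    for i in range(len(name)):
        # Typo (omission): drop one character.
        out["typo"].add(name[:i] + name[i + 1:])
        # Homoglyph: swap a lookalike in at one position, and at every occurrence.
        for g in HOMOGLYPHS.get(name[i], []):
            out["homoglyph"].add(name[:i] + g + name[i + 1:])
            out["homoglyph"].add(name.replace(name[i], g))
    for i in range(len(name) - 1):
        # Transposition: swap two adjacent characters that differ.
        if name[i] != name[i + 1]:
            out["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(1, len(name)):
        # Hyphenation: insert a hyphen between characters, never doubling one.
        if name[i - 1] != "-" and name[i] != "-":
            out["hyphenation"].add(name[:i] + "-" + name[i:])
    for c in string.ascii_lowercase + string.digits:
        # Addition: append one letter or digit.
        out["addition"].add(name + c)
    # Drop empty labels and the original name, then re-attach the TLD.
    result = {t: {f"{n}.{tld}" for n in names if n and n != name}
              for t, names in out.items()}
    # TLD variants: same name on a different extension.
    result["tld"] = {f"{name}.{t}" for t in ALT_TLDS if t != tld}
    return result
```

Each candidate would then be resolved for A and MX records to decide whether it is registered, active, or mail-capable.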
Domain Details Page
After adding a domain, click on it to see detailed information and detected threats.
Domain Overview
- Registration details (registrar, dates)
- SSL certificate status and expiry
- Email security (SPF, DMARC, DKIM)
Threat Detection
- List of detected lookalike domains
- DNS records (A, MX, NS records)
- Shodan port scan data
- Screenshots of active threats
Notifications
- Configure email alert recipients
- Toggle alert types (SSL, domain expiry, etc.)
- Schedule automated PDF reports
Actions
- Run new scans manually
- Re-scan existing lookalikes for changes
- Export CSV or PDF reports
Understanding Results
Threat Indicators
Not all lookalike domains are equal. Here's how to prioritize threats:
| Indicator | Meaning | Risk Level |
|---|---|---|
| Active + MX | Domain has IP address AND email capability - can send phishing emails | HIGH |
| Active | Domain has IP address - website may be live | MEDIUM |
| Registered | Domain is registered but not pointing anywhere | LOW |
| Available | Domain is not registered - consider defensive registration | NONE |
Shodan Port Data
Open ports provide additional context about a threat:
- 80, 443 - Web servers (HTTP/HTTPS) - likely hosting a fake site
- 22, 23, 3389 - Remote access ports - potentially compromised server
- 25, 587 - Email ports - can send spoofed emails
Taking Action on Threats
When you discover a malicious lookalike domain, here are your options:
Report to Registrar
Contact the domain registrar (shown in WHOIS data) to report abuse. Most have abuse reporting forms.
Effectiveness: High
Report to Hosting Provider
If the site is active, report to the hosting provider using the IP address.
Effectiveness: Medium-High
Google Safe Browsing
Report phishing sites to Google to get them flagged in Chrome and other browsers.
Effectiveness: Medium
Legal Action
For persistent threats, consult with legal counsel about UDRP or trademark claims.
Effectiveness: Very High
Feature Overview
Screenshots
Automatic screenshots of active lookalike domains for evidence and quick identification.
Shodan Integration
Open port scanning via Shodan API reveals services running on threat domains.
PDF Reports
Generate professional reports for stakeholders, legal teams, or compliance.
SSL Monitoring
Track certificate expiration and receive alerts before your SSL expires.
Email Security
Check SPF, DMARC, and DKIM configuration to prevent email spoofing.
Scheduled Reports
Receive automated weekly or monthly security reports via email.