Domain & TLD Discovery

Overview

The Domain & TLD Discovery module is the core reconnaissance engine of Pulsar. It is designed to map an organization's public-facing digital perimeter starting from minimal "seed" information. By combining active DNS interrogation with passive data harvesting, Pulsar builds a comprehensive map of subdomains and related top-level domains (TLDs) without requiring expensive third-party API keys.

Domain & Subdomain Discovery

Pulsar automates the process of identifying subdomains to uncover hidden or forgotten infrastructure. This is primarily achieved through the integration of OWASP Amass, which performs recursive DNS discovery and scraping.

How it Works

1. Seed Input: The user provides a root domain (e.g., example.com) as part of an Asset.
2. Passive Scraping: Pulsar queries public records, search engines, and certificate transparency logs to find known subdomains.
3. Active Interrogation: The system performs DNS resolution to verify the existence of discovered hosts and identifies wildcard DNS records to filter out false positives.
4. Integration: Discovered domains are automatically fed into the mapping engine to resolve associated IPv4 addresses via ZMap or Nmap.

Usage via Dashboard

1. Navigate to the Assets view and click Add Asset.
2. Enter the root domain in the target field.
3. Select a Scan Policy that has "Subdomain Discovery" enabled.
4. Launch the scan. Results will populate in the Domains tab as they are identified.

TLD Discovery

Unlike standard subdomain scanners, Pulsar attempts to identify an organization's presence across different Top-Level Domains (e.g., finding company.net or company.io when given company.com).

RIPEstat Integration

Pulsar utilizes the RIPEstat API to perform horizontal discovery:

• ASN Mapping: It identifies the Autonomous System Numbers (ASNs) associated with the initial seed.
• Reverse Lookups: It queries for other domains registered to the same organizational entities or hosted on the same IP blocks.
• Related Assets: The tool suggests related domains that share infrastructure metadata, allowing you to expand your scope with high confidence.

API Integration

For automated workflows, you can manage and query discovery results via the Pulsar REST API.

List Discovered Domains

Returns all domains associated with assets the user has permission to view.

Endpoint: GET /api/domains/

Query Parameters:

• asset: Filter by specific Asset ID.
• search: Search for a specific string within domain names.

Response Example:

{
  "count": 25,
  "results": [
    {
      "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
      "domain_name": "dev.example.com",
      "asset": "550e8400-e29b-41d4-a716-446655440000",
      "source": "Amass",
      "is_active": true,
      "last_seen": "2023-10-27T10:00:00Z"
    }
  ]
}

Manually Add a Domain

If you have out-of-band discovery results, you can manually inject them into Pulsar's database to trigger subsequent vulnerability scanning.

Endpoint: POST /api/domains/

Payload:

{
  "domain_name": "hidden-portal.example.com",
  "asset": "550e8400-e29b-41d4-a716-446655440000"
}

Discovery Policies & Optimization

Discovery can be resource-intensive. You can tune the behavior of these modules in the Scan Settings:

| Setting | Description | | :--- | :--- | | Discovery Depth | Determines how many levels of subdomains Pulsar will crawl (e.g., a.b.c.com). | | External APIs | While not required, adding keys for services like Censys or BinaryEdge in USAGE.md will increase discovery breadth. | | Confidence Level | Toggle "Confidence Tests" to require multiple sources to verify a domain before it appears in your primary dashboard. |

Note: Domain discovery is a background task handled by Celery. Depending on the scope and the policy selected, initial discovery for large organizations may take several minutes to hours.