Infrastructure artifacts are treated as primary pivots alongside content and behavioral families. They represent the operational substrate of a domain and often persist across rebrands or theme changes. By normalizing these artifacts and controlling for volatility, the system produces durable linkage points suitable for both direct attribution and structural graphing.

6.1 DNS Records

DNS provides a bridge between domain names and operational infrastructure. A/AAAA, MX, CNAME, TXT, and NS records are captured and normalized into canonical forms. Shared MX or NS values, for example, can reveal continuity of email and domain management. Simplistic approaches often discard non-A records or fail to normalize across equivalent hostnames, losing valuable continuity. This system strips transient prefixes and preserves provenance, ensuring reproducibility across scans.

Invariants
  • Stable under cosmetic changes; discontinuities imply deliberate migration
  • Normalized at the record-family level, preserving original values while stripping transient prefixes
  • Acts as high-stability evidence when continuity is observed
Evasion profile
  • Low-tier: DNS rarely altered beyond A records
  • Medium-tier: front-end providers rotate but MX/NS continuity remains
  • High-tier: complete rotation across providers reduces persistence

6.2 IP Resolution and Hosting Context

Resolution of A/AAAA records yields IP addresses, ASNs, and geolocation. Homogeneous hosting baselines make deviations clear pivots. ASN identifiers and region buckets are normalized to suppress volatility from transient edges. Basic crawlers often record raw IPs without ASN context, making them brittle against CDN layers. Normalization to ASN-family classes mitigates this, preserving operator-level continuity even under fronting.

Invariants
  • ASN continuity functions as operator fingerprint
  • Geographic clustering highlights coordinated deployment
  • Canonicalization suppresses transient edge variance
Evasion profile
  • Low-tier: default hosting persists
  • Medium-tier: CDN insertion alters surface but not ASN continuity
  • High-tier: rotation of ASN and CDN per domain reduces linkage

6.3 Favicon Hashes

Favicons, though cosmetic, often persist across operator domains. Hashing raw bytes provides durable correlation. Normalization strips cache-busting parameters so that superficial URL changes do not affect linkage. Without hashing, commodity workflows miss this pivot entirely. Even with hashing, failure to strip volatile parameters produces artificial divergence.

Invariants
  • Exact hashing provides deterministic matches
  • URL normalization prevents fragmentation
  • Lightweight but durable across domains
Evasion profile
  • Low-tier: favicons unchanged
  • Medium-tier: persistence through unconscious reuse
  • High-tier: deliberate recompilation neutralizes the signal
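
The two steps described above, as an added example that is not code from the system this page documents: the pivot key is the SHA-256 of the raw favicon bytes, and each source URL is normalized before being stored as provenance. The choice of SHA-256, the list of cache-busting query keys, and the sample URLs and bytes are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys treated as cache-busters: an assumed list, not from the page.
CACHE_BUSTERS = {"v", "ver", "t", "ts", "cb", "_"}

def normalize_favicon_url(url):
    """Lower-case scheme and host, drop the fragment and cache-busting keys."""
    p = urlsplit(url)
    kept = sorted((k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
                  if k.lower() not in CACHE_BUSTERS)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/",
                       urlencode(kept), ""))

def favicon_pivots(observations):
    """Map sha256(raw bytes) -> {'domains', 'urls'}; urls is the provenance."""
    pivots = defaultdict(lambda: {"domains": set(), "urls": set()})
    for url, body in observations:
        entry = pivots[hashlib.sha256(body).hexdigest()]
        entry["domains"].add(urlsplit(url).hostname)
        entry["urls"].add(normalize_favicon_url(url))
    return dict(pivots)

def shared_favicons(observations):
    """Keep only the hashes observed on more than one domain."""
    return {h: e for h, e in favicon_pivots(observations).items()
            if len(e["domains"]) > 1}

# Constructed sample: two domains serve identical bytes; one rotates ?v=.
ICON_A = b"\x00\x00\x01\x00constructed-icon-A"
ICON_B = b"\x00\x00\x01\x00constructed-icon-B"
SAMPLE = [
    ("https://shop-one.example/favicon.ico?v=1712", ICON_A),
    ("https://shop-one.example/favicon.ico?v=1713", ICON_A),
    ("https://SHOP-TWO.example/favicon.ico#x", ICON_A),
    ("https://other.example/favicon.ico", ICON_B),
]

if __name__ == "__main__":
    for digest, entry in shared_favicons(SAMPLE).items():
        print(digest[:16], sorted(entry["domains"]), sorted(entry["urls"]))
```

Without the URL normalization, the two `?v=` variants from the first domain would be stored as separate provenance records for the same icon.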

6.4 TLS Certificates and Key Material

TLS certificates reveal coordination through CN/SAN sets, issuer details, and validity periods. Normalization expands SANs into sets and records issuer families. Public-key fingerprints (SPKI SHA-256) provide stronger linkage that survives hostname list churn. Reliance on CN fields alone misses continuity when SANs are rotated. Extracting both metadata and key fingerprints preserves persistence under partial churn.

Invariants
  • CN/SAN sets normalized and expanded
  • SPKI fingerprints treated as hard evidence
  • Validity and issuance patterns captured for temporal analysis
Evasion profile
  • Low-tier: keys reused extensively
  • Medium-tier: partial certificate rotation but continuity persists
  • High-tier: per-domain key issuance reduces persistence
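
An added example (not code from the system described here) of what an SPKI SHA-256 fingerprint covers: the hash is taken over the DER-encoded SubjectPublicKeyInfo element only, so two certificates with different serials and names but the same key produce the same value. The certificates below are constructed, unsigned skeletons with placeholder key bytes, built in code only so the example runs offline; hostname churn is modelled by changing the subject name.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """Hex SHA-256 over the complete DER SubjectPublicKeyInfo element."""
    _, pos, _ = read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)  # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def skeleton_cert(serial, cn, spki):
    """Constructed, unsigned certificate skeleton in X.509 field order."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    dates = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + alg
              + name + dates + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(65)))

def placeholder_spki(fill):
    """SubjectPublicKeyInfo whose key bits are placeholder bytes, not a key."""
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + bytes([fill]) * 200))

# Constructed sample: CERT_1 and CERT_2 differ in serial and name, share a key.
KEY_A, KEY_B = placeholder_spki(0xAA), placeholder_spki(0xBB)
CERT_1 = skeleton_cert(b"\x01", b"shop-one.example", KEY_A)
CERT_2 = skeleton_cert(b"\x02", b"shop-two.example", KEY_A)
CERT_3 = skeleton_cert(b"\x03", b"other.example", KEY_B)
```

`spki_sha256` takes the DER bytes of a certificate; for a PEM file, `ssl.PEM_cert_to_DER_cert` from the standard library does the conversion.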

6.5 Platform-Specific Bucket Identifiers

Some ecosystems emit bucket identifiers for runtime modules or instrumentation. These values are normalized into pivot families. They provide operator-level linkage that persists across theme or asset changes. Treating these identifiers as raw asset paths causes instability across revisions. Canonicalization reduces them to durable bucket keys, with rarity controls applied to prevent collisions.

Invariants
  • Persist across superficial site changes
  • Subject to rarity gating to ensure distinctiveness
  • Variants reconciled through similarity relaxation
Evasion profile
  • Low/medium-tier: stable reuse
  • High-tier: deliberate bucket rotation

6.6 CDN and Distribution Identifiers

Edge distribution labels (e.g., tenant IDs from global CDNs) provide evidence of shared delivery infrastructure. Normalization reduces these to provider-family keys. They are admitted only when corroborated by non-infra pivots. Without rarity gating, shared CDN tenants produce false commonality. This system applies strict rarity controls and disallows infra-only linkages, preventing over-merging.

Invariants
  • Supplemental only; never determinative alone
  • Rarity controls and hub dampening applied
  • Retains provenance for auditability
Evasion profile
  • Medium-tier: collisions from shared vendor tenants
  • High-tier: per-tenant allocation reduces persistence

6.7 Extensions and App Identifiers

Identifiers from platform extensions or third-party app hosts indicate shared operational tooling. Alone they are noisy, but in aggregate with other signals they sharpen attribution. Unsophisticated crawlers often conflate vendor-wide hosts with rare, operator-specific apps. This system applies rarity weighting and requires corroboration, ensuring that only distinctive overlaps contribute.

Invariants
  • Shared extensions count only under corroboration
  • Vendor-wide hosts downweighted by rarity
  • Acts as soft evidence class
Evasion profile
  • Medium-tier: operators reuse app stacks
  • High-tier: domain-specific configurations break continuity
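
The admission rule that sections 6.6 and 6.7 describe, as an added sketch rather than the system's own code: a pivot seen on too many domains is dropped as a hub, and a pair of domains is linked only when at least one shared non-infra pivot corroborates the shared infra pivots. The rarity threshold, the pivot kind names and the sample observations are assumptions constructed for illustration; hub dampening is reduced here to a hard gate.

```python
from collections import defaultdict
from itertools import combinations

MAX_DOMAINS = 3  # assumed rarity gate: pivots seen on more domains are hubs
INFRA_KINDS = {"cdn_tenant", "app_host"}  # assumed names for infra pivot kinds

def admit_edges(observations, infra_kinds, max_domains=MAX_DOMAINS):
    """observations: {domain: {(kind, value), ...}} -> {(a, b): evidence}."""
    seen_on = defaultdict(set)
    for domain, pivots in observations.items():
        for pivot in pivots:
            seen_on[pivot].add(domain)
    # Rarity gate: keep pivots shared by at least 2 and at most max_domains.
    rare = {p for p, ds in seen_on.items() if 2 <= len(ds) <= max_domains}
    edges = {}
    for a, b in combinations(sorted(observations), 2):
        shared = observations[a] & observations[b] & rare
        infra = sorted(p for p in shared if p[0] in infra_kinds)
        other = sorted(p for p in shared if p[0] not in infra_kinds)
        # Infra pivots are supplemental: no edge without a non-infra pivot.
        if other:
            edges[(a, b)] = {"corroboration": other, "supplemental": infra}
    return edges

# Constructed sample: a vendor-wide app host on every domain, a CDN tenant on
# three of them, and a content pivot shared by only two.
SAMPLE = {
    "a.example": {("cdn_tenant", "t-100"), ("content", "tpl-9"),
                  ("app_host", "vendor-wide")},
    "b.example": {("cdn_tenant", "t-100"), ("content", "tpl-9"),
                  ("app_host", "vendor-wide")},
    "c.example": {("cdn_tenant", "t-100"), ("app_host", "vendor-wide")},
    "d.example": {("content", "tpl-d"), ("app_host", "vendor-wide")},
    "e.example": {("content", "tpl-e"), ("app_host", "vendor-wide")},
}
EDGES = admit_edges(SAMPLE, INFRA_KINDS)

if __name__ == "__main__":
    for pair, evidence in EDGES.items():
        print(pair, evidence)
```

Only `a.example` and `b.example` are linked: `c.example` shares nothing but the CDN tenant with them, and the vendor-wide app host never contributes because it fails the rarity gate.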

6.8 Storage Buckets

Object storage endpoints are canonicalized to root identifiers (e.g., S3 bucket names). Shared buckets provide strong operator continuity, as they often underpin multiple domains. Logging full object URLs fragments evidence by path. Canonicalization to root buckets avoids this problem and yields stable pivots. Rarity weighting prevents vendor-generic buckets from inflating graphs.

Invariants
  • Root-level canonicalization ensures persistence
  • Rarity weighting filters common buckets
  • Infra-only linkages disallowed without corroboration
Evasion profile
  • Low-tier: bucket reuse persistent
  • Medium-tier: path restructuring still reveals continuity
  • High-tier: per-domain buckets reduce persistence
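
Root-level canonicalization as described above, in an added example that is not the system's own code: virtual-hosted and path-style S3 URLs are reduced to a single bucket key, with the original URLs kept as provenance. It goes slightly beyond the S3 case named in the text by also handling Google Cloud Storage hosts; the `provider:bucket` key format, the bucket names and the referring domains are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Virtual-hosted and path-style hosts, including regional, dualstack and
# website S3 endpoints; the optional leading group is the bucket name.
S3_HOST = re.compile(r"(?:(?P<bucket>.+?)\.)?s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com")
GCS_HOST = re.compile(r"(?:(?P<bucket>.+?)\.)?storage\.googleapis\.com")

def bucket_key(url):
    """Return 'provider:bucket' for an object-storage URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    for provider, pattern in (("s3", S3_HOST), ("gcs", GCS_HOST)):
        m = pattern.fullmatch(host)
        if not m:
            continue
        # Path-style URLs carry the bucket as the first path segment.
        bucket = m.group("bucket") or parts.path.lstrip("/").split("/", 1)[0]
        return f"{provider}:{bucket.lower()}" if bucket else None
    return None

def bucket_pivots(references):
    """Map bucket key -> {'domains', 'urls'} from (referring_domain, url)."""
    pivots = defaultdict(lambda: {"domains": set(), "urls": []})
    for domain, url in references:
        key = bucket_key(url)
        if key:
            pivots[key]["domains"].add(domain)
            pivots[key]["urls"].append(url)  # original value kept as provenance
    return dict(pivots)

# Constructed sample: three URL shapes that all point at one bucket.
SAMPLE = [
    ("site-a.example", "https://example-assets-7f3.s3.amazonaws.com/img/logo.png"),
    ("site-b.example", "https://s3.eu-west-1.amazonaws.com/example-assets-7f3/js/app.js"),
    ("site-c.example", "https://example-assets-7f3.s3.eu-west-1.amazonaws.com/v2/a.css"),
    ("site-c.example", "https://storage.googleapis.com/other-bucket/x.js"),
    ("site-d.example", "https://site-d.example/static/x.js"),
]
PIVOTS = bucket_pivots(SAMPLE)

if __name__ == "__main__":
    for key, entry in PIVOTS.items():
        print(key, sorted(entry["domains"]))
```

Keyed on full object URLs, the three references to the first bucket would never match each other; keyed on the root bucket, they link three referring domains.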

6.9 Temporal Co-Change Windows

Operators frequently make infrastructure changes in bursts. DNS and TLS issuance events are grouped into bounded windows to detect coordinated migrations. This increases sensitivity to synchronous shifts. Without temporal grouping, simultaneous changes appear isolated and miss operator-level patterns. Windowing reveals coordination while remaining non-deterministic.

Invariants
  • Reinforcement only; never admits edges alone
  • Captures synchronous migration behavior
  • Window parameters omitted by design
Evasion profile
  • Medium-tier: batch changes surface naturally
  • High-tier: randomized rollouts reduce visibility

6.10 Geographic Plausibility Filters

Domains are grouped into coarse regional buckets based on TLD and language metadata. These serve as veto context: implausible cross-region pairs lacking strong identity are suppressed. Straightforward clustering without geographic plausibility merges unrelated entities. The Negative Evidence Filter applies here, preventing spurious cross-region linkages.

Invariants
  • Veto only; not admissive
  • Strong evidence overrides veto
  • Buckets coarse to avoid deanonymization

6.11 Parked or Placeholder Surfaces

Parked or placeholder domains are common sources of false commonality. Classification detects these and removes them from admissive evidence. Conventional systems include parked surfaces, leading to artificial clusters. By excluding them explicitly, spurious linkages are prevented.

Invariants
  • Detected through characteristic markers
  • Applied as veto context only
  • Neutralizes false positives from placeholder stacks