DNS Supply Chain
pro /v1/domain/supply-chain
Maps the third-party dependency graph for a domain, derived entirely from public DNS records. Parses SPF includes (email senders), NS records (DNS hosting), CAA records (certificate authorities), SRV records (advertised services), and TXT verification tokens (SaaS integrations) to produce a vendor dependency inventory with trust grading, explicitly showing which third parties can, in principle, compromise the domain if breached.
What It Does
Queries SPF (TXT), NS, CAA, SRV, and filtered TXT records in parallel via DoH. For each record type, classifies terminal hostnames/values into known vendors (Google, Microsoft, AWS, Cloudflare, Akamai, Let's Encrypt, DigiCert, Google Site Verification, etc.) and assigns a trust level based on the attack surface that vendor owns: critical (can send email as the domain, or hijack DNS resolution, or issue certs), high (operates HTTPS infrastructure), medium (advertised service endpoints), low (SaaS integration proof-tokens). Reports risk signals for concentration (single NS provider = single point of failure), excessive vendors, and insecure services.
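As an added illustration (not the endpoint's own code), the sketch below applies the classification described above to constructed record data: it extracts SPF includes, NS hosts, CAA issuers, SRV targets and TXT verification tokens, grades each by record source, and flags a single NS provider. The vendor pattern table, function names and sample records are assumptions; it runs offline, so nested SPF includes are not resolved and the `high` level is not modelled.

```python
import re

# Assumed pattern -> vendor table: illustrative and far from complete.
VENDOR_PATTERNS = [
    (r"(^|\.)google\.com$|^google-site-verification=", "Google"),
    (r"(^|\.)outlook\.com$|^MS=", "Microsoft"),
    (r"\.awsdns-\d+\.(com|net|org|co\.uk)$", "AWS"),
    (r"^letsencrypt\.org$", "Let's Encrypt"),
]
# Trust level per record source, following the grading described above.
TRUST = {"SPF": "critical", "NS": "critical", "CAA": "critical", "SRV": "medium", "TXT": "low"}

def vendor_for(value):
    return next((n for p, n in VENDOR_PATTERNS if re.search(p, value, re.I)), "unknown")

def extract(records):  # yields (source, evidence) pairs from raw record data
    for txt in records.get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                m = re.match(r"[+?~-]?include:(\S+)", term, re.I)
                if m:
                    yield "SPF", m.group(1).rstrip(".")
        elif re.match(r"[\w-]+-verification=|MS=", txt, re.I):
            yield "TXT", txt
    for ns in records.get("NS", []):
        yield "NS", ns.rstrip(".")
    for caa in records.get("CAA", []):
        _flags, tag, value = caa.split(None, 2)
        ca = value.strip('"').split(";")[0].strip()
        if tag.lower() in ("issue", "issuewild") and ca:  # 'issue ";"' names no CA
            yield "CAA", ca
    for srv in records.get("SRV", []):
        target = srv.split()[3].rstrip(".")  # priority weight port target
        if target:                           # a target of "." means "not offered"
            yield "SRV", target

def inventory(records):
    deps = [{"name": vendor_for(ev), "trust": TRUST[src], "source": src,
             "evidence": ev} for src, ev in extract(records)]
    ns_vendors = {d["name"] for d in deps if d["source"] == "NS"} - {"unknown"}
    signals = [f"single NS provider: {v}" for v in ns_vendors] if len(ns_vendors) == 1 else []
    return deps, signals

SAMPLE = {  # constructed records for a fictional domain
    "TXT": ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
            "google-site-verification=CONSTRUCTED-TOKEN"],
    "NS": ["ns-1.awsdns-01.com.", "ns-2.awsdns-02.net."],
    "CAA": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "SRV": ["10 5 5060 sip.example.net.", "0 0 0 ."]}
```

Calling `inventory(SAMPLE)` returns the dependency list and the risk signals; entries graded `unknown` are the ones to review by hand against the written vendor inventory.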
Why It's Useful
Vendor risk management programs typically inventory contracted SaaS vendors — but they miss the silent trust relationships encoded in DNS: the 20 email services your SPF authorizes, the single DNS provider that can redirect all traffic, the four CAs authorized to issue your certs. This endpoint surfaces those DNS-derived trust relationships so the security team can review them against the written vendor inventory.
Use Cases
Third-Party Risk Review
Align written vendor inventory with actual DNS-authorized vendors to catch shadow dependencies and stale authorizations.
Close gaps between contracted vendor list and actual trust surface.
Blast-Radius Assessment
During a vendor-industry breach (DNS provider, CA, email service), identify all owned domains that depend on that vendor.
Rapid scoping of compromised-vendor impact across the domain portfolio.
Single-Point-of-Failure Audit
Identify domains with only one NS provider, one CAA issuer, or one email-sender vendor — single points of failure for availability and trust.
Inform DNS, CA, and email-sender redundancy planning.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to analyze. Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| dependencies | array | Per-vendor entries with name, category, trust, source (SPF/NS/CAA/SRV/TXT), evidence |
| summary | object | Counts by trust level and by category |
| risk_signals | array | Concentration risks, excessive vendors, insecure services |
| recommendations | array | Remediation steps |
Code Examples
```bash
# -G sends the -d value as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/domain/supply-chain" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
// Uses top-level await: run as an ES module or inside an async function.
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/supply-chain?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
// Fail loudly on an HTTP error instead of parsing an error body as data.
if (!response.ok) {
  throw new Error(`Request failed: ${response.status}`);
}
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/domain/supply-chain',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=30,  # avoid hanging indefinitely on a stalled connection
)
response.raise_for_status()  # raise on 4xx/5xx before parsing the body
data = response.json()
print(data)
```