Shadow Domains: a beginner's guide
Discover alt-TLD domain variants with risk grading
Shadow domains: the permutations attackers actually register
Shadow domains are the lookalike domains an attacker registers to impersonate a real brand — typosquats (`goggle.com`), homographs (`gооgle.com` using Cyrillic characters), TLD-flips (`brand.co` vs `brand.com`), hyphenation tricks (`brand-login.com`), and semantic variants (`brandsupport.com`). The attacker's goal is to get a victim to mistake the shadow for the real thing: click a link in a phishing email, type the URL from memory, follow a Google result that almost-but-not-quite matches the brand. Shadow-domain detection is the practice of enumerating the permutations an attacker is most likely to register, checking which ones already exist, and flagging the ones that look live.
You should care because shadow domains are the raw material of phishing campaigns (APWG reports phishing attacks continue to climb year over year), and they are registered in advance of the campaign — often weeks before the first phishing email goes out. Catching a shadow registration early means you can file a UDRP complaint, alert browser blocklists, or monitor the domain's preparation — all before the campaign launches. Catching it late means you're responding to inbound customer reports of phishing that's already succeeded. The economics of brand protection strongly favor early detection.
The five things every shadow-domain check looks at:
Character-level typosquats. Insertions, deletions, substitutions, transpositions, and doubled characters — all the edit-distance-of-one variants of the real name.
TLD variants. The same name at `.com`, `.net`, `.org`, `.co`, `.io`, `.app`, country-code TLDs, and the new-gTLD long tail (`.xyz`, `.top`, `.click` — historically favored by phishing operations per ICANN CCT data).
Homograph attacks. Visually identical Unicode characters from Cyrillic, Greek, or other scripts that substitute for Latin letters. `аpple.com` with a Cyrillic `а` is indistinguishable from `apple.com` in most fonts.
Hyphenation and prefix/suffix tricks. `brand-login.com`, `secure-brand.com`, `mybrand.net` — legitimate-looking additions that phishing campaigns lean on.
DNS and HTTP presence. A permutation that's registered but has no MX records and no responding website is less urgent than one that's fully set up to send mail and serve HTTPS.
Three questions a shadow-domain check answers:
Which permutations of my brand are already registered, and by whom?
Which of those look actively weaponized (responding web server, active MX, TLS cert) versus speculatively squatted?
Is anyone registering a net-new permutation of my brand right now that we should preemptively buy, file UDRP on, or alert Safe Browsing about?
The cost of ignoring shadow domains is letting phishing campaigns set up their infrastructure in your blind spot. The fix is continuous monitoring of the permutation space, alerting on new registrations, and a standing process for filing takedowns on the ones that cross the line into active impersonation. The ICANN SSR2 report and Palo Alto Unit 42's research both cover the adversary economics in detail, and the APWG Phishing Trends reports publish quarterly data on the TLD and registration patterns most associated with abuse.
The Shadow Domains endpoint, in plain language
In one sentence: Discover alt-TLD domain variants with risk grading
Enumerates alt-TLD variants of a domain (e.g., example.com → example.net, example.co, example.io, ccTLDs) and probes each registered variant for email infrastructure and web presence. Unlike typosquat detection which focuses on character mutations of the brand name, shadow-domain discovery focuses on the same brand across different TLDs — catching look-alikes registered by squatters, competitors, or legitimate subsidiaries.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Phase 1: For each of ~25 common TLDs (com, net, org, co, io, biz, info, me, us, uk, de, fr, it, es, eu, nl, ch, ca, au, jp, cn, in, br, ru, io) the tool generates a variant and queries NS records via DoH (DNS over HTTPS) to determine registration status.
Phase 2: For each registered variant, it probes A, MX, SPF (Sender Policy Framework), and DMARC (Domain-based Message Authentication, Reporting and Conformance) records in parallel, then grades each variant by risk:
critical: active mail infrastructure pointing to a different operator
high: active web presence
medium: parked but registered
low: NS only, no active infrastructure
The response is the full variant matrix with a per-variant risk grade and the evidence behind it.
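To make the two phases concrete, here is an added example (not EdgeDNS code) that generates the alt-TLD variants and applies the four-level grading above to constructed DNS lookups. The parking-nameserver list and the "brand's own mail operator" suffix are assumptions used to tell "parked" and "different operator" apart; the live tool uses its own evidence.

```python
from typing import Dict, List, Optional

# TLD list from the Phase 1 description above (the repeated "io" dropped)
COMMON_TLDS = ["com", "net", "org", "co", "io", "biz", "info", "me", "us", "uk",
               "de", "fr", "it", "es", "eu", "nl", "ch", "ca", "au", "jp", "cn",
               "in", "br", "ru"]
# Assumption: nameserver suffixes of domain-parking services (constructed list)
PARKING_NS = ("parkingcrew.net", "sedoparking.com")

def tld_variants(domain: str, tlds: List[str] = COMMON_TLDS) -> List[str]:
    """Phase 1: same label under every other TLD (assumes label.tld input)."""
    label, _, tld = domain.lower().partition(".")
    return [f"{label}.{t}" for t in tlds if t != tld]

def _all_under(hosts: List[str], suffixes) -> bool:
    """True when every host equals or sits below one of the suffixes."""
    sfx = (suffixes,) if isinstance(suffixes, str) else tuple(suffixes)
    return all(any(h.lower().rstrip(".") == s or h.lower().rstrip(".").endswith("." + s)
                   for s in sfx) for h in hosts)

def grade_variant(rec: Optional[Dict[str, List[str]]], brand_mx_suffix: str) -> str:
    """Phase 2: rec carries lists under 'ns', 'a', 'mx'; no NS means unregistered."""
    if not rec or not rec.get("ns"):
        return "unregistered"
    mx = rec.get("mx", [])
    if mx and not _all_under(mx, brand_mx_suffix):
        return "critical"   # mail infrastructure run by a different operator
    if rec.get("a"):
        return "high"       # responding web presence
    if mx or _all_under(rec["ns"], PARKING_NS):
        return "medium"     # mail on the brand's own operator, or parked
    return "low"            # NS delegation only, nothing active

# Constructed lookups standing in for the live DoH probes
SAMPLE_DNS = {
    "example.net": {"ns": ["ns1.evil-host.example."], "mx": ["mail.evil-host.example."]},
    "example.co": {"ns": ["ns1.hoster.example."], "a": ["203.0.113.10"]},
    "example.io": {"ns": ["ns1.sedoparking.com."]},
    "example.org": {"ns": ["ns1.registrar.example."]},
}

def scan(domain: str, brand_mx_suffix: str, dns=SAMPLE_DNS) -> Dict[str, str]:
    """Return {variant: risk_level} for every registered alt-TLD variant."""
    graded = {v: grade_variant(dns.get(v), brand_mx_suffix) for v in tld_variants(domain)}
    return {v: g for v, g in graded.items() if g != "unregistered"}

if __name__ == "__main__":
    print(scan("example.com", "google.com"))
```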
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Shadow Domains tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Brand squatters register alt-TLD variants long before attacks — the domain is dormant until a phishing or impersonation campaign lights it up. Discovering these dormant variants before they activate gives legal teams time to pursue UDRP takedowns and email teams time to block deliveries from lookalike senders.
Picture this in real life. Imagine a brand protection analyst. Here's the situation they're walking into: Run a quarterly shadow-domain scan for every trademarked brand to catch speculative registrations before campaigns activate. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Shadow Domains tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Shadow Domains tool is built for you:
Is this domain or IP address known for fraud, phishing, or abuse?
Should my signup form, payment flow, or comment system trust this visitor?
Is someone out there registering lookalike domains targeting my brand?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Trust and safety teams, fraud analysts, brand-protection managers, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you find out a domain or IP was malicious only after it has already cost you money or trust. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/domain/shadow-domains`.
When would I actually use this?
If you're still on the fence about whether the Shadow Domains tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a brand protection analyst, an email security lead, and a legal / IP counsel — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Brand Protection Proactive Sweep
Imagine you're a brand protection analyst. Run a quarterly shadow-domain scan for every trademarked brand to catch speculative registrations before campaigns activate.
Why it matters: Early takedown notices cut phishing campaign lifespans before they reach employees or customers.
Story 2: Email Impersonation Defense
Imagine you're an email security lead. Identify shadow domains with active MX records and add them to sender-reputation lists for inbound filtering.
Why it matters: Block lookalike-sender phishing at the MTA before it reaches user inboxes.
Story 3: M&A Due Diligence
Imagine you're a legal / IP counsel. During acquisition, audit shadow TLDs to understand what brand assets the seller does and does not control.
Why it matters: Scope post-close brand-acquisition work with accurate shadow-domain inventory.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Shadow Domains tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Inside a signup form, payment flow, or comment system, to score risk in real time.
When investigating a customer complaint about a suspicious link or message.
On a recurring schedule, to monitor lookalike domains targeting your brand.
During incident response, to enrich an alert with reputation context.
If you can see yourself in even one of those bullets, the Shadow Domains tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Shadow Domains tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Shadow Domains tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/shadow-domains?domain=example.com"
```
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The brand domain whose alt-TLD variants should be discovered | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried brand domain |
| variants_checked | number | Total TLD (top-level domain) variants probed |
| registered_count | number | Number of registered variants |
| variants | array | Per-variant analysis with NS, A, MX, SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance), risk_level |
| high_risk_variants | array | Variants graded critical or high |
| findings | array | Aggregate findings with severity |
| recommendations | array | Remediation steps (monitoring, takedown, defensive registration) |
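As an added example (not EdgeDNS code), this script turns a response shaped like the table above into the two artifacts from the stories earlier on the page: an MTA sender blocklist of lookalikes with live MX, and a takedown queue of critical/high variants with their evidence. The sample response is constructed, and the lowercase keys inside each variant object (variant, ns, a, mx, spf, dmarc, risk_level) are an assumption about the exact field names.

```python
import json
from typing import Dict, List

# Constructed response shaped like the field table above; not a real API reply.
# Assumption: each variant object uses lowercase keys (variant, ns, a, mx, spf, dmarc, risk_level).
SAMPLE_RESPONSE = json.dumps({
    "domain": "example.com", "variants_checked": 24, "registered_count": 3,
    "variants": [
        {"variant": "example.net", "ns": ["ns1.evil-host.example"], "a": [],
         "mx": ["mail.evil-host.example"], "spf": None, "dmarc": None, "risk_level": "critical"},
        {"variant": "example.co", "ns": ["ns1.hoster.example"], "a": ["203.0.113.10"],
         "mx": [], "spf": None, "dmarc": None, "risk_level": "high"},
        {"variant": "example.org", "ns": ["ns1.registrar.example"], "a": [],
         "mx": [], "spf": None, "dmarc": None, "risk_level": "low"},
    ],
    "high_risk_variants": ["example.net", "example.co"],
    "findings": [{"severity": "critical", "detail": "example.net runs mail on another operator"}],
    "recommendations": ["Monitor example.org", "File takedown for example.net"],
})

def sender_blocklist(resp: Dict) -> List[str]:
    """Story 2: lookalikes that can actually send mail (MX present) go to the MTA blocklist."""
    return sorted(v["variant"] for v in resp["variants"] if v.get("mx"))

def takedown_queue(resp: Dict, levels=("critical", "high")) -> List[Dict[str, str]]:
    """Story 1: critical/high variants, most urgent first, with the evidence a filing cites."""
    queue = []
    for v in resp["variants"]:
        if v["risk_level"] in levels:
            evidence = ("mail:" + ",".join(v["mx"])) if v.get("mx") else ("web:" + ",".join(v["a"]))
            queue.append({"variant": v["variant"], "risk": v["risk_level"], "evidence": evidence})
    return sorted(queue, key=lambda q: levels.index(q["risk"]))

def triage(raw_json: str) -> Dict[str, object]:
    """Parse one response; cross-check high_risk_variants against the per-variant grades."""
    resp = json.loads(raw_json)
    mismatch = set(resp.get("high_risk_variants", [])) ^ {q["variant"] for q in takedown_queue(resp)}
    return {"block": sender_blocklist(resp), "takedown": takedown_queue(resp),
            "mismatch": sorted(mismatch)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

A non-empty `mismatch` means the server's summary list and its per-variant grades disagree, which is worth surfacing before anyone acts on either.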
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
TLD (top-level domain) — The ending of a website name like .com, .org, or .dev.
SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.