
Stop Domain Squatters Cold: TLDSweep Exposes 800+ TLDs Instantly

Bright Coding

What if your brand's worst enemy was hiding in plain sight—just one character away from your domain name? Every single day, threat actors register deceptive lookalike domains to phish your customers, hijack your reputation, and drain your revenue. The scary part? Most companies discover these attacks after the damage is done. By then, credentials are stolen, trust is shattered, and your security team is scrambling for answers.

But what if you could flip the script? What if you could see every registered variant of your domain across 800+ top-level domains before the bad actors even launch their campaigns?

Enter TLDSweep—the open-source domain intelligence OSINT tool that's making enterprise-grade reconnaissance accessible to everyone. Created by the threat intelligence experts at DarkWebInformer.com, TLDSweep doesn't just scan domains. It weaponizes information against domain squatters, phishing operations, and brand impersonators. And here's the kicker: it runs on pure Python 3 with zero external dependencies. No pip install hell. No bloated frameworks. Just raw, blistering-fast domain intelligence.

Ready to discover why security professionals are quietly replacing their expensive commercial tools with this free powerhouse? Let's dive deep.


What is TLDSweep?

TLDSweep is a comprehensive TLD reconnaissance and domain intelligence OSINT tool developed by Dark Web Informer, a leading cyber threat intelligence platform. Released as an open-source project on GitHub at https://github.com/DarkWebInformer/TLDSweep, it represents a paradigm shift in how security teams approach domain monitoring and brand protection.

The tool's core mission is elegantly simple yet technically profound: take any base domain name and systematically probe its existence across more than 800 top-level domains—from commonplace .com and .net to obscure country-code TLDs and new generic extensions that most organizations never consider. But TLDSweep doesn't stop at mere existence checks. It performs deep reconnaissance on every discovered domain, extracting DNS records, WHOIS registration data, TLS certificate details, HTTP server fingerprints, and risk indicators that reveal the true nature behind each registration.

What makes TLDSweep genuinely revolutionary is its zero-dependency architecture. In an era where Python projects typically drag in dozens of pip packages—each a potential supply chain vulnerability—TLDSweep operates entirely within the Python 3.8+ standard library. It implements raw socket communications for DNS queries, WHOIS lookups, HTTP probing, and TLS certificate extraction. This isn't just a convenience; it's a security statement. No third-party packages means no hidden dependencies, no version conflicts, and no unexpected breakage when a maintainer abandons a critical library.

The tool has gained significant traction in the cybersecurity community for three converging reasons: the explosion of TLD availability (ICANN has approved over 1,200 gTLDs since 2012), the escalating sophistication of phishing campaigns using homograph and cousin domains, and the growing frustration with expensive commercial brand protection services that often miss critical threats. TLDSweep democratizes capabilities that previously required six-figure annual contracts.


Key Features That Make TLDSweep Irresistible

TLDSweep's feature set reads like a wishlist from a paranoid CISO—and delivers on every item with surprising elegance.

TLD Sweep Engine: The foundation. TLDSweep maintains curated lists of 800+ priority and secondary TLDs in its companion tldsweep_data.py module. The scanning logic intelligently batches queries and manages concurrency to maximize throughput without triggering rate limits.

Raw UDP DNS Resolution: Forget slow, recursive resolver chains. TLDSweep speaks directly to Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) resolvers via raw UDP sockets. It extracts complete record sets: A, AAAA, CNAME, MX, NS, SOA and TXT, including the SPF and DMARC policies that are published as TXT records. This direct approach eliminates dependency on system resolver configurations and enables granular timeout control.
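To make the "raw UDP sockets, standard library only" point concrete, here is an added example written for this article (not TLDSweep's own code): it builds the DNS query packet by hand, parses a compressed reply for A and TXT answers, and checks the transaction id before trusting the answer. The resolver list comes from the paragraph above; the record types covered are an assumption, and the reply packets used to check it are constructed.

```python
import socket
import struct
RESOLVERS = ("1.1.1.1", "9.9.9.9")      # Cloudflare and Quad9, the resolvers the article names
QTYPES = {"A": 1, "MX": 15, "TXT": 16}

def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """One-question DNS query: 12-byte header (RD set), QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("idna") for lab in name.rstrip(".").split(".")]   # IDN/homograph-safe
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", QTYPES[qtype], 1)

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer: top two bits set, 14-bit offset follows
            end = end if jumped else off + 2  # the name ends after the first pointer we follow
            off, jumped = ((ln & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if jumped else off

def parse_answers(msg: bytes) -> list:
    """Return [(rtype, rdata)] from the answer section; A as dotted quad, TXT joined as text."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                        # RCODE != 0 (e.g. NXDOMAIN): nothing to parse
        return []
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            out.append(("A", ".".join(str(b) for b in rdata)))
        elif rtype == 16:                     # TXT rdata is a series of <len><chars> strings
            parts, i = [], 0
            while i < rdlen:
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("utf-8", "replace"))
                i += 1 + rdata[i]
            out.append(("TXT", "".join(parts)))
    return out

def resolve(name: str, qtype: str = "A", timeout: float = 3.0) -> list:
    """Raw UDP to each resolver in turn; the first reply whose transaction id matches wins."""
    query = build_query(name, qtype)
    for server in RESOLVERS:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (server, 53))
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if reply[:2] == query[:2]:
                return parse_answers(reply)
    return []
```

A real check of a DMARC policy is resolve("_dmarc.example.com", "TXT"); replies larger than 4096 bytes or sent over TCP are out of scope here.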

Native WHOIS with Referral Chasing: Most tools shell out to the whois command or use fragile parsing libraries. TLDSweep implements raw socket WHOIS queries with intelligent referral following. It parses creation dates, expiration dates, registrar information, DNSSEC status, and registrant details—critical for identifying domain age and ownership patterns.

Newly Registered Domain Detection: Configure a threshold (default: 90 days) to flag fresh registrations. This is phishing detection gold. Threat actors overwhelmingly favor recently registered domains for campaigns. TLDSweep surfaces these automatically.

TLS Certificate Intelligence: Extracts subject, issuer, Subject Alternative Names (SAN), serial numbers, and validity windows. SAN enumeration alone often reveals infrastructure relationships that domain owners intended to keep hidden.

HTTP/HTTPS Probing with Fingerprinting: Detects live web servers, captures status codes, server headers, page titles, redirect chains, and body hashes. The technology fingerprinting engine identifies Nginx, Apache, Cloudflare, PHP, Express.js, Next.js, Django, and more from response characteristics.

Favicon Hashing for Shodan Integration: Computes MMH3 and MD5 hashes of favicons—enabling direct correlation with Shodan's internet-wide scanning database. This bridges your domain reconnaissance with broader infrastructure intelligence.
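To show what the Shodan-compatible favicon hash actually is, here is an added example (not TLDSweep's code): Shodan's http.favicon.hash value is MurmurHash3 over the line-wrapped base64 of the icon, not over the raw bytes, so the example computes it with the optional mmh3 package when present and otherwise with a hypothetical pure-Python MurmurHash3; TLDSweep itself falls back to MD5 instead. The sample favicon bytes are constructed.

```python
import base64
import hashlib

try:                              # optional, like TLDSweep's `pip install mmh3`
    import mmh3
except ImportError:
    mmh3 = None

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32 (a hypothetical stdlib fallback, not TLDSweep's).
    Returns the signed 32-bit value that mmh3.hash() returns, so results match Shodan."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    rotl = lambda x, r: ((x << r) | (x >> (32 - r))) & mask
    h1, nblocks = seed & mask, len(data) // 4
    for i in range(nblocks):                          # 4-byte little-endian blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (rotl((k1 * c1) & mask, 15) * c2) & mask
        h1 = (rotl(h1 ^ k1, 13) * 5 + 0xE6546B64) & mask
    tail, k1 = data[4 * nblocks:], 0
    for i in range(len(tail) - 1, -1, -1):            # remaining 1-3 bytes
        k1 ^= tail[i] << (8 * i)
    if tail:
        h1 ^= (rotl((k1 * c1) & mask, 15) * c2) & mask
    h1 ^= len(data)
    h1 ^= h1 >> 16                                    # fmix32 finaliser
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1

def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan hashes base64 *with line breaks* (base64.encodebytes / codecs 'base64' output);
    hashing the raw icon bytes gives a value Shodan will never match."""
    wrapped = base64.encodebytes(favicon)
    return mmh3.hash(wrapped) if mmh3 else murmurhash3_32(wrapped)

def favicon_fingerprint(favicon: bytes) -> dict:
    """Both hashes the article mentions, plus the ready-made Shodan pivot query."""
    h = shodan_favicon_hash(favicon)
    return {"mmh3": h, "md5": hashlib.md5(favicon).hexdigest(),
            "shodan_query": f"http.favicon.hash:{h}"}

# Constructed sample: a fake ICO-like header plus filler, not a real favicon.
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + bytes(range(64))

if __name__ == "__main__":
    print(favicon_fingerprint(SAMPLE_FAVICON))
```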

ASN Lookup via Team Cymru: Maps discovered IPs to Autonomous System Numbers for network attribution and geolocation context.

Bogon IP Detection: Automatically flags RFC 1918 private addresses and reserved IPs that have no business appearing in public DNS responses—a subtle indicator of misconfiguration or deliberate deception.

Rich Alerting and Reporting: Native Telegram and Discord webhook integration delivers formatted alerts with scan summaries, timing metrics, and diff reports. The interactive HTML reports feature sortable tables and complete scan metadata. Scan diffing highlights NEW and GONE domains between runs—essential for continuous monitoring.

Watch Mode for Continuous Surveillance: Configure automatic re-scan intervals for persistent brand monitoring without cron jobs or external schedulers.


Real-World Use Cases Where TLDSweep Dominates

1. Brand Protection and Phishing Detection

Your company spent millions building brand trust. One convincing phishing domain can destroy it overnight. TLDSweep enables proactive brand monitoring by discovering lookalike domains before they're weaponized. Security teams can identify yourbrand-paymennt.com or yourbrand-security.net during the reconnaissance phase—when the attacker is still configuring infrastructure.

2. M&A Due Diligence and Digital Asset Inventory

During mergers and acquisitions, understanding the complete domain portfolio is critical. TLDSweep rapidly inventories all registered variants of target company domains, revealing shadow IT registrations, forgotten properties, and potential intellectual property conflicts that traditional audits miss.

3. Threat Actor Infrastructure Mapping

When investigating a specific threat group, understanding their domain registration patterns provides actionable intelligence. TLDSweep's batch processing and export capabilities enable analysts to correlate registration dates, DNS infrastructure, and TLS certificate characteristics across hundreds of suspicious domains.

4. Compliance and Supply Chain Security

Regulatory frameworks like NIST CSF, ISO 27001, and DORA increasingly emphasize third-party risk management. TLDSweep helps organizations monitor their supply chain's domain posture—identifying when partners register suspicious lookalikes or when their domains exhibit security anomalies like missing DMARC records.

5. Bug Bounty and Penetration Testing Reconnaissance

Professional security testers use TLDSweep to expand attack surface discovery. Cousin domains often run outdated software, expose administrative interfaces, or share credentials with primary domains. The technology fingerprinting and favicon hashing accelerate correlation with known vulnerable infrastructure.


Step-by-Step Installation & Setup Guide

Getting TLDSweep operational takes under two minutes. Here's the complete walkthrough.

Prerequisites

  • Python 3.8 or newer (verify with python --version or python3 --version)
  • Git for repository cloning
  • No pip packages required—seriously

Installation

Step 1: Clone the Repository

# Clone from GitHub
git clone https://github.com/DarkWebInformer/TLDSweep.git

# Enter the project directory
cd TLDSweep

Step 2: Verify Project Structure

Ensure both required files are present:

ls -la
# Expected files:
# tldsweep.py        (main scanner script)
# tldsweep_data.py   (TLD lists and WHOIS server mappings)

Both files must reside in the same directory. The data module contains the 800+ TLD database and WHOIS server mappings that the main script depends upon.

Step 3: Run Your First Scan

Interactive mode for guided configuration:

python tldsweep.py

Direct CLI scan for immediate results:

python tldsweep.py example

Replace example with your target base domain (omit the TLD—TLDSweep handles all variants).

Optional: Enhanced Favicon Hashing

For Shodan-compatible MMH3 hashing, install the optional dependency:

pip install mmh3

This is purely optional—TLDSweep falls back to MD5 hashing without it.

Notification Configuration

Create a .env file in the project root for persistent alert configuration:

# Discord webhook for rich embed notifications
TLDSWEEP_DISCORD_WEBHOOK=https://discord.com/api/webhooks/YOUR_WEBHOOK_URL

# Telegram bot configuration
TLDSWEEP_TELEGRAM_TOKEN=123456789:ABCdefGHIjklMNOpqrsTUVwxyz
TLDSWEEP_TELEGRAM_CHAT_ID=-1001234567890

Alternatively, pass credentials as CLI flags for one-off scans:

# Discord alert for this scan only
python tldsweep.py example --discord-webhook "https://discord.com/api/webhooks/..."

# Telegram alert for this scan only
python tldsweep.py example --telegram "BOT_TOKEN:CHAT_ID"

REAL Code Examples from TLDSweep

Let's examine practical implementations using actual commands and patterns from the repository.

Example 1: Basic Full Reconnaissance Scan

The foundation of TLDSweep's capability—comprehensive domain intelligence with a single command:

# Complete reconnaissance: DNS, WHOIS, HTTP/HTTPS, TLS, fingerprinting
python tldsweep.py example

What's happening under the hood? TLDSweep spawns concurrent workers across multiple reconnaissance phases. DNS resolution runs with 100 threads by default, hitting Cloudflare and Quad9 resolvers directly via UDP sockets. WHOIS lookups chase referrals through 20 parallel threads. HTTP/HTTPS probes and TLS certificate grabs execute across 30 threads. The results aggregate into a unified dataset with risk scoring applied automatically.

Output includes: registered status per TLD, complete DNS records, WHOIS registration dates and registrar, live HTTP server detection with technology fingerprints, TLS certificate details, and calculated risk indicators. The files <domain>_scans.json and <domain>_report_<timestamp>.html are generated automatically.

Example 2: Rapid DNS-Only Reconnaissance

When speed matters more than depth—ideal for initial triage:

# Fastest scan mode: DNS resolution only, skips WHOIS/HTTP/TLS
python tldsweep.py example --quick

Strategic use case: During incident response, quickly identify which TLD variants resolve to active infrastructure. The --quick flag eliminates all non-DNS reconnaissance, reducing scan time from minutes to seconds for most domains. This is particularly valuable when monitoring hundreds of brand variants during active phishing campaigns.

Example 3: Brand Protection with New Registration Filtering

The killer feature for security operations centers:

# Only show domains registered within last 30 days
python tldsweep.py example --new-only --newly-registered 30

Critical insight: The --new-only flag combines DNS resolution with targeted WHOIS creation-date queries, skipping full reconnaissance on older domains. This dramatically reduces scan time while surfacing exactly the domains most likely to be weaponized against your brand. The default 90-day threshold catches slow-burn campaigns; tightening to 30 days focuses on active threat actor infrastructure provisioning.

Example 4: Performance-Tuned Enterprise Scanning

Customize concurrency for your network environment and target sensitivity:

# Aggressive threading for dedicated infrastructure
python tldsweep.py example \
  --threads 50 \
  --dns-threads 200 \
  --timeout 3

Parameter breakdown:

  • --threads 50: Increases WHOIS/HTTP/TLS workers from default 30
  • --dns-threads 200: Massive DNS parallelism for large TLD lists
  • --timeout 3: Aggressive socket timeout for fast-fail on unresponsive targets

Warning: These settings may trigger rate limits on some WHOIS servers. TLDSweep implements per-server throttling, but monitor for temporary blocks during large sweeps.

Example 5: Continuous Monitoring with Watch Mode

Transform TLDSweep into a persistent sentinel:

# Re-scan every 60 minutes, alert on changes
python tldsweep.py example --watch 60

Operational excellence: Watch mode enables set-and-forget brand protection. Each re-scan automatically diffs against previous results, generating alerts only when NEW domains appear or previously seen domains vanish. The --watch parameter accepts minutes, so --watch 1440 enables daily checks. Combine with .env notification configuration for complete autonomous monitoring.
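An added example, not TLDSweep's code, of the two checks watch mode and the risk indicators described earlier rest on: the NEW/GONE diff between two runs, and per-domain flags for the newly-registered threshold (default 90 days), bogon A records and missing or non-enforcing DMARC. The record shape and both sample runs are constructed, not TLDSweep's JSON schema.

```python
import ipaddress
from datetime import date

NEWLY_REGISTERED_DAYS = 90   # TLDSweep's default threshold (per the article); --newly-registered overrides it

def is_bogon(ip: str) -> bool:
    """Addresses that should never come back in a public DNS answer: RFC 1918, loopback,
    link-local, shared address space (100.64/10), documentation nets, multicast, unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return (not addr.is_global) or addr.is_multicast

def risk_indicators(rec: dict, today: date, new_days: int = NEWLY_REGISTERED_DAYS) -> list:
    """Flags for one discovered domain; `rec` is a constructed shape, not TLDSweep's schema."""
    flags = []
    created = rec.get("created")           # ISO date from WHOIS, None when the registry redacts it
    if created:
        age = (today - date.fromisoformat(created)).days
        if age <= new_days:
            flags.append(f"newly-registered:{age}d")
    else:
        flags.append("whois-creation-date-missing")   # redaction is itself worth a look
    for ip in rec.get("a", []):
        if is_bogon(ip):
            flags.append(f"bogon-ip:{ip}")
    dmarc = (rec.get("dmarc_txt") or "").replace(" ", "").lower()
    if not dmarc.startswith("v=dmarc1"):
        flags.append("dmarc-missing")
    elif "p=none" in dmarc:                # published but not enforcing
        flags.append("dmarc-policy-none")
    return flags

def diff_scans(previous: dict, current: dict) -> dict:
    """NEW/GONE between two runs keyed by domain: what watch mode re-evaluates each interval."""
    return {"new": sorted(current.keys() - previous.keys()),
            "gone": sorted(previous.keys() - current.keys())}

# Constructed sample runs for the base name "example" (not real scan output).
TODAY = date(2025, 6, 1)
PREVIOUS_RUN = {
    "example.com": {"created": "2010-01-01", "a": ["1.1.1.1"], "dmarc_txt": "v=DMARC1; p=reject"},
    "example.net": {"created": "2010-01-01", "a": ["1.1.1.1"], "dmarc_txt": "v=DMARC1; p=none"},
}
CURRENT_RUN = {
    "example.com": PREVIOUS_RUN["example.com"],
    "example.top": {"created": "2025-05-15", "a": ["10.0.0.1"], "dmarc_txt": None},  # fresh + bogon
    "example.xyz": {"created": None, "a": ["1.1.1.1"], "dmarc_txt": None},           # WHOIS redacted
}

def scan_summary(previous=PREVIOUS_RUN, current=CURRENT_RUN, today=TODAY) -> dict:
    """What a NEW/GONE alert would carry: the delta plus risk flags for every current domain."""
    summary = diff_scans(previous, current)
    summary["risk"] = {d: risk_indicators(current[d], today) for d in sorted(current)}
    return summary

if __name__ == "__main__":
    print(scan_summary())
```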

Example 6: Multi-Format Export for SIEM Integration

Feed TLDSweep intelligence into your security stack:

# Generate all export formats simultaneously
python tldsweep.py example \
  --output results.json \
  --csv results.csv \
  --html-report report.html

Integration patterns: The JSON export includes cumulative scan history with diff tracking—perfect for ingestion into Splunk, Elastic, or custom SOAR platforms. CSV enables analyst spreadsheet analysis. HTML reports provide executive-friendly visualization with sortable tables and complete metadata.


Advanced Usage & Best Practices

Optimize Your TLD Strategy: Not all TLDs matter equally for your threat model. Create custom TLD lists with --tld-file custom_tlds.txt focusing on high-risk extensions (.tk, .ml, .ga for free domains commonly abused) and your geographic regions.

Resolver Redundancy: While Cloudflare and Quad9 are excellent defaults, specify --resolvers 8.8.8.8,1.1.1.1,9.9.9.9 for multi-provider resilience during critical investigations.

Config-Driven Operations: Store complex scan profiles in JSON files and invoke with --config scan_profile.json. This enables version-controlled, repeatable reconnaissance across your team.

Graceful Interruption: TLDSweep handles Ctrl+C intelligently—completing in-flight requests before shutdown. Never lose partial results from accidental interruption.

Cross-Platform Scripting: The pure Python implementation runs identically on Windows (PowerShell), Linux, and macOS. Containerize with minimal base images since no compilation or complex dependencies exist.

Correlation with External Intelligence: Export favicon hashes to Shodan, cross-reference ASN data with BGPStream, and compare TLS certificate serials against Certificate Transparency logs for comprehensive infrastructure mapping.


Comparison with Alternatives

Capability | TLDSweep | dnstwist | URLCrazy | Commercial Tools (PhishLabs, MarkMonitor)
Cost | Free (MIT) | Free | Free | $50K-$500K/year
TLD Coverage | 800+ | ~200-300 | ~200 | Varies
Zero Dependencies | ✅ Yes | ❌ Requires pip | ❌ Requires pip | N/A (SaaS)
Native WHOIS | ✅ Raw sockets | ❌ External | ❌ External |
TLS Certificate Grabbing | ✅ Built-in | | |
Technology Fingerprinting | ✅ Built-in | Partial | |
Favicon Hashing | ✅ MMH3/MD5 | | |
Native Notifications | ✅ Telegram/Discord | | | ✅ Email/API
Watch Mode | ✅ Built-in | | |
Scan Diffing | ✅ Automatic | | |
Interactive HTML Reports | ✅ Auto-generated | | |
Custom TLD Lists | | Limited | Limited |
Open Source | | | |

The Verdict: TLDSweep uniquely combines enterprise-grade depth with hacker-tool simplicity. It outperforms similar open-source tools in reconnaissance comprehensiveness while eliminating the dependency management that plagues Python security tools. Against commercial alternatives, it delivers 80-90% of functionality at 0% of cost—with full source code transparency.


Frequently Asked Questions

Q: Does TLDSweep work on Windows? A: Absolutely. TLDSweep is fully cross-platform, running natively on Windows, Linux, and macOS without modification. The pure Python standard library implementation eliminates compilation dependencies that often break Windows compatibility.

Q: How does TLDSweep handle WHOIS rate limiting? A: The tool implements intelligent per-server throttling with configurable delays. However, aggressive scans across hundreds of TLDs may still trigger temporary blocks from some registries. Use --threads and --whois-threads conservatively for sensitive targets, or employ --quick mode to skip WHOIS entirely.

Q: Can I scan domains without any internet access? A: No—TLDSweep requires internet connectivity to query DNS resolvers, WHOIS servers, and web infrastructure. However, it functions through most corporate proxies since it uses standard ports (53/UDP for DNS, 43/TCP for WHOIS, 80/443 for HTTP/HTTPS).

Q: Is TLDSweep legal to use? A: Yes, for legitimate security research and defensive purposes. TLDSweep performs only passive reconnaissance—queries that any user or search engine might execute. Always ensure your usage complies with your organization's policies and applicable laws. Never use reconnaissance data for unauthorized access or harassment.

Q: How accurate is the newly registered detection? A: Accuracy depends on WHOIS server data quality, which varies by TLD. Generic TLDs (.com, .net, .org) typically provide reliable creation dates. Some country-code TLDs redact or limit this data. The default 90-day threshold is configurable—tighten for higher confidence or loosen for broader coverage.

Q: Can I integrate TLDSweep into automated workflows? A: Yes. The JSON export format with diff tracking, combined with exit codes and stderr/stdout separation, enables seamless CI/CD and SOAR integration. Watch mode provides built-in scheduling for standalone deployment.

Q: What Python version is required? A: Python 3.8 or newer. The latest stable Python version is always recommended for performance and security updates. No virtual environment is required, though creating one is harmless.


Conclusion: Your Domain Intelligence Arsenal Starts Here

The domain threat landscape has exploded in complexity. With over 1,200 gTLDs available and threat actors automating registration at scale, manual monitoring is organizational malpractice. Commercial solutions extract exorbitant fees for capabilities that fundamentally amount to API aggregation and scheduled scanning.

TLDSweep shatters this paradigm.

By delivering comprehensive TLD reconnaissance, deep infrastructure fingerprinting, and intelligent alerting in a zero-dependency, fully transparent package, Dark Web Informer has created something genuinely rare: an open-source security tool that outperforms its commercial equivalents in specific dimensions while remaining accessible to individual researchers and lean security teams.

The technical architecture—raw sockets, standard library purity, graceful concurrency—reflects mature engineering priorities: reliability, auditability, and deployment flexibility. This isn't a prototype or weekend project. It's production-ready infrastructure for the modern threat landscape.

Your next step is simple. Clone https://github.com/DarkWebInformer/TLDSweep, run your first scan against your organization's base domain, and confront the reality of your exposed attack surface. The results may surprise you—and they'll certainly inform your defensive strategy more concretely than any quarterly vendor report.

Star the repository, contribute improvements, and join the community of security professionals who refuse to let domain squatters operate in shadow. Your brand's integrity depends on the visibility TLDSweep provides. Don't let another newly registered phishing domain slip past your defenses.


For real-time cyber threat intelligence beyond domain reconnaissance, visit DarkWebInformer.com—the platform powering TLDSweep's continued development.
