
Detecting Salesloft Drift through DNS OSINT Techniques



Overview

Much of my work as a security researcher involves finding exposed products and services on the internet. In every case, I did this by inspecting HTTP response bodies and headers and looking for specific keywords. But I wondered, what if there were another way to detect these products? This is where my research extends to DNS.

This blog will walk through how to map products and services by passively detecting DNS TXT records. By examining these records, we can identify technologies used in an organisation's infrastructure without directly probing the target. In this blog, I will also discuss a recent real-world case: the Salesloft supply chain breach, and why these detection methods are important beyond just theory.

DNS TXT Records as a Detection Surface

TXT records are overlooked in attack surface management, but they are a goldmine of intelligence. Organisations routinely use them for domain verification, email authentication (SPF, DKIM, DMARC), and third-party service integrations. Each of these records is essentially a breadcrumb that can reveal what services an organisation depends on.

One particularly useful (and common) pattern is the google-site-verification= syntax. When present in a domain’s TXT records, this indicates that the organisation has integrated Google Workspace. From a detection standpoint, this is valuable because:

It requires no intrusive scanning, just passive DNS lookups.

The target host will never know you scanned their infrastructure as you are querying public DNS servers.

It maps directly to vendor and service usage.

It provides early indicators of potential exposure when those vendors suffer a breach.

Spin Up Your Own Scan

You can quickly detect Salesloft Drift exposure today with open source tooling: Nuclei and Amass. With these tools, you can conduct a simple DNS check on any given domain. If the drift-domain-verification string is found, it indicates that the target is running Drift in their infrastructure. Here is how to run each tool:

Amass


After the enumeration process has been completed you will need to extract the data from the Open Asset Model (OAM) using the assoc sub-command:


Feel free to adjust the dates and domain accordingly.

After you run this command it will present a list of associated organisations like so:


Nuclei


Replace google.com with the domain you’d like to scan. The output will appear like so:


Why Should I Care?

Supply chain compromises are uniquely dangerous because they exploit trust. Traditional detection strategies often lag behind adversary operations in these contexts. TXT record analysis provides a lightweight, scalable method to build an early warning system. In effect, the technique builds a product-service exposure map from DNS data. By cataloguing which domains rely on which vendors, defenders gain a clear picture of where their attack surface extends into the supply chain.

When breaches like Salesloft occur, that map becomes the difference between immediate response and blind exposure. The major benefit of using this technique is that companies must have a TXT record to verify their domain; if they don't, the third-party service will be disconnected or go offline.
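The exposure map described above, and the TXT token matching from the earlier section, as an added example that is not code from the original post. It works on TXT values in the quoted form that `dig +short TXT` prints; the `example.*` domains, the token values, the vendor labels and the `spf-include:` label format are constructed for illustration, and reading SPF `include:` mechanisms as vendor hints goes beyond the two tokens the post names.

```python
import re
from collections import defaultdict

# Verification-token prefixes named in the post, mapped to a vendor label.
TOKEN_PREFIXES = {
    "google-site-verification": "Google",
    "drift-domain-verification": "Salesloft Drift",
}

def join_txt(line):
    # One TXT record may be split into several quoted character-strings
    # ("abc" "def"); resolvers expect them concatenated with no separator.
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    return "".join(parts) if parts else line.strip()

def vendors_in(txt_lines):
    """Return the set of vendor labels found in one domain's TXT records."""
    found = set()
    for value in map(join_txt, txt_lines):
        lowered = value.lower()  # admins do not always keep the token's case
        for prefix, vendor in TOKEN_PREFIXES.items():
            if lowered.startswith(prefix):
                found.add(vendor)
        if lowered.startswith("v=spf1"):
            # SPF include: mechanisms name third parties allowed to send mail.
            for inc in re.findall(r"\binclude:(\S+)", lowered):
                found.add("spf-include:" + inc)
    return found

def exposure_map(records):
    """Invert {domain: [txt lines]} into {vendor: sorted list of domains}."""
    by_vendor = defaultdict(list)
    for domain, lines in records.items():
        for vendor in vendors_in(lines):
            by_vendor[vendor].append(domain)
    return {v: sorted(d) for v, d in by_vendor.items()}

# Constructed sample data: domains and token values are made up.
SAMPLE = {
    "example.com": ['"google-site-verification=CONSTRUCTED123"',
                    '"drift-domain-veri" "fication=CONSTRUCTEDabc"',
                    '"v=spf1 include:_spf.google.com ~all"'],
    "example.org": ['"Drift-Domain-Verification=CONSTRUCTEDdef"'],
    "example.net": ['"v=spf1 -all"', '"unrelated note"'],
}

if __name__ == "__main__":
    for vendor, domains in sorted(exposure_map(SAMPLE).items()):
        print(vendor, "->", ", ".join(domains))
```

When a vendor announces an incident, the list under that vendor's key is the set of your domains to scope first.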

Salesloft Drift: Real-World Context

Just after my talk at DEFCON33, there was a Salesloft supply chain breach, and this highlights why this approach is not just a research exercise. Attackers exploited the Drift integration to gain access to organisations, effectively bypassing traditional perimeter controls.

If you can rapidly identify the third parties that organisations rely on, particularly Salesloft Drift via TXT records, you are in a stronger position to:

Prioritise Threat Hunting: Knowing Drift was affected, you can immediately scope where in your environment to look for suspicious behaviour.

Risk Assess Third-Party Exposure: Many organisations can be affected by supply chain attacks. As a red/blue teamer, you could easily map out exposure to these third-party services.

Improve Incident Response Speed: Instead of waiting for vendor disclosures or media coverage, you can proactively detect service usage.

Closing Thoughts

The Salesloft incident reminds us that in today's threat environment, your security is only as strong as your weakest vendor. TXT record detection isn't a be-all and end-all solution, but it's a very effective way to uncover dependencies.

As attackers keep taking advantage of trust relationships, defenders need easy and scalable ways to understand their risks. TXT records are one way to provide just that: an often overlooked detection method with significant real-world effects.