Finding the services companies use via their TXT records

Abenezer Belachew

Abenezer Belachew ยท October 29, 2023

4 min read

I was watching Julia Evan's talk on DNS at RubyConf during an early dinner when I came across something interesting. I thought I would share it here.

Before watching the talk, I knew what TXT records were and had even used them to verify domains for some services. However, I never knew they were public and visible for everyone. I genuinely thought they were solely used for verification purposes by the companies that employed them and were kept private. I was wrong.

๐ŸŒž For those unfamiliar, TXT records are used to store text data associated with a domain name. They have various applications, including verification and authentication. While there may be more uses, these are the two I have encountered in the past.

  • For example, when a product asks you to verify your domain, they might request you to add a TXT record to your domain. Once added, they check for the presence of this record to verify your domain.

  • Reflecting on that definition and example, I'm not sure why I didn't realize they were public before. ๐Ÿคฆ

  • Anyways, here's how you can discover the products and services companies use through their TXT records.

1. Find a company's domain

First, you need to find a company's domain. For example, let's use Stripe. Their domain is stripe.com.

Mind Blown Meme

2. Find the TXT records for the domain

Finding the TXT records for a domain is straightforward. You can use dig or nslookup. I will be using dig.

dig stripe.com TXT
  • For instance, here's the answer section for stripe.com on the day I wrote this post: Oct 29, 2023.
;; ANSWER SECTION:
www.stripe.com.         0       IN      CNAME   stripe.com.
stripe.com.             0       IN      TXT     "google-site-verification=hPfjsDwiisKJ4RP1ExOst9gAOD_0P8Q7-kxdcKUvEcc"
stripe.com.             0       IN      TXT     "liveramp-site-verification=7gyFkTwGYsvgd7IUQwyAOfImETwR06wgKjKiXq90KEY"
stripe.com.             0       IN      TXT     "h1-domain-verification=KhpNX9YNAc7bX95agGvFsPPKbYTVe1KC6xj7P1zKZrRzxcuS"
stripe.com.             0       IN      TXT     "atlassian-domain-verification=upLp21qQgja1aHG2gnAb1AmXRqb/zG0UK1a0n3zTSXZg5DgOSttR3i5uzA3T9Cdk"
stripe.com.             0       IN      TXT     "v=spf1 ip4:198.2.180.60/32 ip4:13.111.2.227/32 include:spf1.stripe.com include:greenhouse-outbound-mail.stripe.com ~all"
stripe.com.             0       IN      TXT     "MS=ms80697640"
stripe.com.             0       IN      TXT     "3l1wm9pqffwmrbvq2f5tbwjwtb8gjbr7"
stripe.com.             0       IN      TXT     "jhf40tgyx4pkkxllg33nthrwj3ty3dd8"
stripe.com.             0       IN      TXT     "kjch4f71j4hsrkjgvfbtcqlj0b5r7bjx"
stripe.com.             0       IN      TXT     "z4mthhzk10l6qc0rg4211mnnppkh2y5b"
stripe.com.             0       IN      TXT     "asv=8de0c1a866b958297e22a36216e594a6"
stripe.com.             0       IN      TXT     "edcbf4c7-b604-457b-870e-1b05f655e769"
stripe.com.             0       IN      TXT     "apple-domain-verification=8kIS0gmJTvILWQuI"
stripe.com.             0       IN      TXT     "docusign=4a93db58-af07-4632-a881-b569d41a6c57"
stripe.com.             0       IN      TXT     "docusign=4c9f5602-1c19-4e4c-bde7-77dc4b9ea8a0"
stripe.com.             0       IN      TXT     "whimsical=253112f9add9790f3a27b9d9893626451fc4cda1"
stripe.com.             0       IN      TXT     "docker-verification=ccde1a0d-8d2c-44b5-9d20-6c4e19113fc9"
stripe.com.             0       IN      TXT     "facebook-domain-verification=m7id9rt8ehlgcg9tt2yggbsi6gro7i"
stripe.com.             0       IN      TXT     "google-site-verification=PrlpJHdk11CIkPsiXoHEAJevWHAk39JRFAqVSe9l7n0"
stripe.com.             0       IN      TXT     "google-site-verification=ZgGi2-xDdfnaWxdfjn5AqtUS11jKWqSXAV_EHODFzdE"
  • So Stripe seems to have verified their site with Google, Liveramp (I didn't know what this was until minutes ago, for example), Atlassian, Docker, Docusign and a couple others.

Using nslookup

The following is the nslookup equivalent of the dig command above.

nslookup -type=TXT stripe.com

Note:

  • You can obtain different results based on the inclusion of subdomains. For instance, when you run the commands dig stripe.com TXT and dig www.stripe.com TXT, you might get different results. Not only can the specific records differ based on the site you're 'digging', but also the order in which the records are returned might vary.

  • Most of the companies I checked have verification records for Atlassian. I knew it was a big company, but I didn't realize it was so deeply integrated into the tech ecosystem.

  • As someone who frequently reads various tech blogs from different companies and regularly checks sites like stackshare.io to discover the technology used behind the scenes by companies, this was a great find.

  • I'm sure there are other ways to discover the products and services companies use, but this is a great one to add to your arsenal.

  • You can also use tools like Julia's dns-lookup or nslookup.io if you don't want to touch the terminal.

๐Ÿ’

  • I posted this on HN and there were some interesting discussions in the comments.

Completely unrelated but something I learned today

  • ๐Ÿ‡ช๐Ÿ‡ฌ Egypt achieved independence in 1922. I don't know why this surprised me, but it did. I thought it was much earlier.