See what your DNS logs already know.
Upload a DNS log. ShadowDNS detects AI tools, shadow IT applications, and suspicious DNS activity from logs you already collect — and returns a structured visibility report. No agents. No deployment.
What you get
Three answers hidden in your DNS logs.
ShadowDNS turns existing DNS traffic into a structured visibility report you can review, share, and act on.
AI tools observed in DNS traffic
Per-tool and per-device breakdown of AI services resolving on your network — based on a published, human-reviewable signature list.
ChatGPT · Claude · Gemini · Cursor · Windsurf · Perplexity · DeepSeek · Copilot
Shadow IT worth reviewing
File-sharing, remote-access, and messaging apps appearing in your DNS data — categorized and risk-flagged for triage.
Dropbox · WeTransfer · Notion · Discord · TeamViewer · AnyDesk
Suspicious DNS activity
Early signals worth investigating: NRDs, IOC matches, resolver bypass, and NXDOMAIN outliers — no SIEM project required.
Newly registered domains · Known-bad indicators · DoH bypass · NXDOMAIN spikes
Why it matters
DNS already sees it. Most teams don't.
Shadow IT
Employees adopt SaaS tools faster than IT can review them.
AI adoption
AI-related services continue to appear across enterprise networks.
DNS visibility
DNS logs often contain the evidence teams need, but not the context.
The deliverable
A structured visibility report built from your DNS data.
Not a dashboard. A focused report: what was detected, why it matters, and what you might do next.
- Summary of findings
- AI tools detected by tool and device
- Shadow IT categorized and risk-flagged
- DNS findings: NRDs, IOC matches, DoH bypass
- Top queried domains and most active clients
- Suggested next steps for each finding
DNS Visibility Assessment
Sample DNS Dataset
Generated Jul 14, 2026 · 2,418,332 queries · 312 devices · 7-day window
DNS activity overview
Total DNS queries
2,418,332
Unique domains
18,204
Unique clients
312
Avg queries / client
7,751
Most active client
WS-ENG-014
Most queried domain
chatgpt.com
9
AI tools in use
14
Shadow-IT apps
3
DNS security findings
Observations
- 47 devices resolved ChatGPT-related domains in the last 7 days.
- TeamViewer and AnyDesk activity was observed on 6 endpoints.
- 12 devices queried newly registered domains. Review legitimacy and business justification.
AI tool findings
Each detection is a match between observed DNS queries and a curated signature for the named tool.
ChatGPT · OpenAI
Jul 8 → Jul 14
- Devices
- 47
- Queries
- 18,432
- Supporting domains
- chatgpt.com, openai.com, oaistatic.com
- Example devices
- WS-ENG-014, WS-MKT-022, MAC-EXEC-001
Claude · Anthropic
Jul 9 → Jul 14
- Devices
- 12
- Queries
- 4,211
- Supporting domains
- claude.ai, anthropic.com
- Example devices
- WS-ENG-014, WS-ENG-007
Gemini · Google
Jul 8 → Jul 14
- Devices
- 24
- Queries
- 6,502
- Supporting domains
- gemini.google.com, generativelanguage.googleapis.com
- Example devices
- WS-MKT-022, laptop-22, workstation-01
Cursor · Anysphere
Jul 10 → Jul 14
- Devices
- 4
- Queries
- 1,287
- Supporting domains
- cursor.sh
- Example devices
- WS-ENG-014, WS-ENG-007
Shadow IT findings
Dropbox
File sharing
- Devices
- 18
- Queries
- 3,902
- Supporting domains
- dropbox.com, dropboxusercontent.com
- Example devices
- WS-MKT-022, WS-FIN-008
Recommendation · Confirm whether personal Dropbox accounts are sanctioned for file transfer.
WeTransfer
File sharing
- Devices
- 11
- Queries
- 1,204
- Supporting domains
- wetransfer.com
- Example devices
- WS-MKT-022
Recommendation · Review for one-off large transfers leaving the network.
Notion
Productivity
- Devices
- 22
- Queries
- 2,810
- Supporting domains
- notion.so
- Example devices
- WS-ENG-014, WS-MKT-022
Recommendation · Confirm whether usage maps to a managed workspace.
Discord
Messaging
- Devices
- 14
- Queries
- 3,188
- Supporting domains
- discord.com, discordapp.com
- Example devices
- WS-ENG-007
Recommendation · Validate against acceptable-use policy; restrict if not sanctioned.
How it works
From DNS log to visibility report — in minutes.
No agents. No deployment. No procurement process.
Export DNS logs
Windows DNS, Pi-hole, or generic CSV.
Upload the CSV
Drag and drop at /scan. 50 MB cap on free.
ShadowDNS analyzes
Parses, categorizes, and flags findings.
Visibility report
Structured report, ready in minutes.
Trust & privacy
Built with the boring fundamentals.
ShadowDNS is an independent, early-stage product designed for practical DNS visibility — not a marketing surface.
Early access pricing
Early access pricing for an early-stage product.
Pricing locked in for early customers. Early access features are being rolled out incrementally.
Pro
$49/mo
Unlimited reports and weekly re-runs (rolling out to early access users).
Join Early AccessFAQ
Common questions.
Is my data safe?
Uploads are processed in-region, never shared, and auto-deleted after 7 days. You can delete a report on demand.
Do I need to install anything?
No. ShadowDNS reads existing DNS logs — no agents, no kernel modules, no firewall changes.
What log formats are supported?
Windows DNS debug log, Pi-hole, and generic CSV at launch. Infoblox and BIND coming next.
How accurate is AI / shadow-IT detection?
Detections are based on DNS queries matching a curated signature library of known AI and SaaS service domains. Every signature is published and human-reviewable.
Run your first report in 5 minutes.
Upload a DNS log. Review the findings. Share the report with your team.