netrecon
Correlated network diagnostics for engineers. One input - domain, IP, or URL - runs DNS, HTTP, TLS, email posture, and CDN / infra checks, correlates the findings, and gives you likely root causes plus reproducible commands to verify yourself.
Why this, not another DNS checker
Most tools give you a wall of raw data and leave the reasoning to you. netrecon is opinionated: it runs multiple checks, correlates them, and tells you which finding matters. You still get the raw data, the JSON, and the exact shell commands to reproduce the result on your own machine - but the first thing you see is what's probably wrong.
Built for SREs who land on an unfamiliar site mid-incident and need a one-page read of its posture, and for engineers who want DNS / HTTP / TLS / CDN / email answered in one pass instead of bouncing between six tabs.
What it checks
- DNS - A/AAAA, NS, MX, TXT/SPF, DMARC, DKIM hints, DNSSEC posture, DoH-backed.
- HTTP - Redirect chain, status, headers, HSTS, CSP, cookies, caching, inline body decoders.
- TLS - Certificate Transparency logs + live peer handshake (via headless browser fallback) where supported.
- Email posture - SPF alignment, DMARC policy strength, MX hygiene, DKIM presence hints.
- CDN / infra - ASN, anycast detection, front-door inference, PTR clustering, Shodan-facet exposure.
- Findings & fixes - Correlation across modules, likely root causes, and reproducible shell commands you can paste.
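The email-posture and findings modules above are described but not shown. The following is an added example (not netrecon's code) of the kind of correlation they perform: it evaluates SPF and DMARC records against the RFC 7208 / RFC 7489 rules, then combines the two verdicts into one likely root cause with the `dig` commands to reproduce the lookups. The zone `example.test`, its TXT records and the severity labels are constructed for the example.

```python
"""Email-posture evaluation over DNS TXT records (added example, not netrecon's code)."""
import re
from dataclasses import dataclass

# Constructed TXT records for a hypothetical zone; nothing is looked up live.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / low / info
    check: str     # spf / dmarc / correlated
    message: str
    repro: str     # shell command to reproduce the lookup yourself


def _costs_lookup(term: str) -> bool:
    """True for the terms RFC 7208 counts against the 10-DNS-lookup limit."""
    name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
    return name in {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(domain, txt):
    """Return (findings, qualifier of the 'all' mechanism or None)."""
    repro = f"dig +short TXT {domain}"
    recs = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not recs:
        return [Finding("high", "spf", "no SPF record", repro)], None
    if len(recs) > 1:
        return [Finding("high", "spf", f"{len(recs)} SPF records: permerror per RFC 7208", repro)], None
    terms = recs[0].split()[1:]
    out = []
    lookups = sum(1 for t in terms if _costs_lookup(t))
    if lookups > 10:
        out.append(Finding("high", "spf", f"{lookups} DNS lookups exceeds the limit of 10: permerror", repro))
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        out.append(Finding("medium", "spf", "no 'all' mechanism: unlisted senders evaluate to neutral", repro))
        return out, None
    qual = all_term[0] if all_term[0] in "+-~?" else "+"
    severity, message = {
        "+": ("high", "+all authorises every sender on the internet"),
        "?": ("medium", "?all: unlisted senders evaluate to neutral"),
        "~": ("low", "~all softfail: most receivers only mark, never reject"),
        "-": ("info", "-all hard fail"),
    }[qual]
    out.append(Finding(severity, "spf", message, repro))
    return out, qual


def dmarc_findings(domain, txt):
    """Return (findings, p= policy or None when absent/invalid)."""
    name = f"_dmarc.{domain}"
    repro = f"dig +short TXT {name}"
    recs = [r for r in txt.get(name, []) if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return [Finding("high", "dmarc", "no DMARC record", repro)], None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    out = []
    if policy not in ("none", "quarantine", "reject"):
        out.append(Finding("high", "dmarc", f"invalid or missing p= tag ({policy!r})", repro))
        return out, None
    if policy == "none":
        out.append(Finding("medium", "dmarc", "p=none: monitoring only, spoofed mail is not acted on", repro))
    if tags.get("pct", "100") != "100":
        out.append(Finding("low", "dmarc", f"pct={tags['pct']}: policy applies to only {tags['pct']}% of mail", repro))
    if "rua" not in tags:
        out.append(Finding("low", "dmarc", "no rua= address: aggregate reports are discarded", repro))
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        out.append(Finding("medium", "dmarc", "sp=none: subdomains are unprotected", repro))
    return out, policy


def email_posture(domain, txt=SAMPLE_TXT):
    """Run both checks and correlate them into one severity-ordered list."""
    spf, qual = spf_findings(domain, txt)
    dmarc, policy = dmarc_findings(domain, txt)
    findings = spf + dmarc
    # Neither control blocks a forged envelope sender: that is the root cause.
    if qual != "-" and policy not in ("quarantine", "reject"):
        findings.insert(0, Finding(
            "high", "correlated",
            "likely root cause: SPF does not hard-fail and DMARC does not enforce, "
            "so mail spoofing this domain is deliverable at most receivers",
            f"dig +short TXT {domain}; dig +short TXT _dmarc.{domain}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in email_posture("example.test"):
        print(f"[{f.severity}] {f.check}: {f.message}\n    repro: {f.repro}")
```

Swap `SAMPLE_TXT` for real answers (for example from a DoH resolver) and the same functions run unchanged; the `repro` field is what you paste into a shell to confirm the verdict independently.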
How it works
Astro-built static frontend on Cloudflare Pages. Every check runs in Cloudflare Pages Functions at the edge. No servers, no queues, no database. Requests are stateless - nothing about your input is stored.
Rate-limited in-code via the Cache API at the Worker layer - no external dependency. Input validation and SSRF guards live in a shared tool registry so the HTTP API, the web UI, and the MCP server all enforce the same rules.
Agents can call netrecon as an MCP server - see the MCP page for Claude Desktop, Cursor, and VS Code configs. Programmatic clients can hit /api/analyze, /api/compare, /api/whoami, and /api/health directly.
Trust posture
- No accounts, no email gating. The site is public and anonymous.
- No input logging. What you analyze is not persisted. The edge runtime is stateless by design.
- No ads, no trackers. Zero third-party JS.
- Rate-limited. 10/min for /api/analyze and /api/compare, 20/min for /api/mcp, 60/min for /api/whoami. Per-IP.
- SSRF-guarded. Inputs that resolve to private / loopback / link-local ranges are rejected at the tool boundary.
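The SSRF guard mentioned in "How it works" and in the trust posture is described only by its policy. As an added example (not netrecon's code, which runs in a Worker), this is one way to implement that check at a tool boundary: normalise bare domains, IPs and URLs into one shape, resolve the host, and reject the input if any answer is non-public, including IPv4-mapped IPv6 forms. The hostnames and the `FAKE_DNS` resolver answers are constructed so the example runs offline; in production `lookup` would wrap a real resolver.

```python
"""SSRF guard at the tool boundary (added example, not netrecon's code).

Checking resolved addresses rather than the input string is what defeats
decimal/octal IP encodings and hostnames that point back inside the network.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver answers for hypothetical names. 8.8.8.8 and
# 2606:4700::1111 are used only as stand-ins for "some public address".
FAKE_DNS = {
    "public.example.test": ["8.8.8.8", "2606:4700::1111"],
    "internal.example.test": ["10.20.30.40"],
    "rebind.example.test": ["8.8.8.8", "127.0.0.1"],       # mixed answers: one public, one loopback
    "mapped.example.test": ["::ffff:169.254.169.254"],     # IPv4-mapped IPv6 hiding a link-local address
}


class SSRFError(ValueError):
    """Raised when an input must not be fetched."""


def is_allowed_ip(addr):
    """Public unicast only: rejects private, loopback, link-local, CGNAT,
    reserved, documentation, multicast and unspecified ranges."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to the embedded address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve(host, lookup):
    """Return the address list for host; IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    answers = lookup(host)
    if not answers:
        raise SSRFError(f"{host}: no address")  # fail closed on NXDOMAIN
    return list(answers)


def check_target(raw, lookup=FAKE_DNS.get):
    """Validate one user input and return (hostname, pinned address list).

    The caller must connect to one of the returned addresses instead of
    resolving the name again; otherwise a short-TTL record can swap in a
    private address between this check and the fetch (DNS rebinding)."""
    try:
        parts = urlsplit(raw if "://" in raw else f"https://{raw}")
    except ValueError as e:
        raise SSRFError(f"unparseable input: {e}")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise SSRFError("userinfo in URL not allowed")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise SSRFError("no host in input")
    addrs = resolve(host, lookup)
    bad = [a for a in addrs if not is_allowed_ip(a)]
    if bad:  # any disallowed answer rejects the whole input
        raise SSRFError(f"{host} resolves to non-public address(es): {', '.join(bad)}")
    return host, addrs


def rejects(raw, lookup=FAKE_DNS.get):
    """Convenience predicate: True when the guard refuses the input."""
    try:
        check_target(raw, lookup)
    except SSRFError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ["public.example.test", "https://internal.example.test/",
                      "rebind.example.test", "mapped.example.test",
                      "http://[::1]/", "169.254.169.254", "ftp://public.example.test/"]:
        try:
            print("allow ", candidate, check_target(candidate)[1])
        except SSRFError as err:
            print("reject", candidate, "-", err)
```

The guard is fail-closed in three ways worth keeping if you adapt it: unknown names are rejected rather than passed through, one bad answer poisons a mixed answer set, and the returned address list is meant to be pinned for the actual connection. Note that `ipaddress` alone treats the whole `::ffff:0:0/96` block as non-global, so without the unwrap step a mapped public address would be wrongly refused while the policy intent (judge the embedded IPv4 address) would be lost.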
Known limitations
We try to be honest about what the edge can and can't do from inside a Worker.
- TLS chain from CT logs is not a live handshake. For most targets we fall back to Certificate Transparency logs (Certspotter / crt.sh). The chain you see is what was issued, not what the peer is currently serving.
- Browser Rendering path loses issuer. When netrecon uses Cloudflare Browser Rendering to capture a real TLS 1.3 handshake, Chrome's security state doesn't expose the certificate issuer. This is a browser limitation, not ours. See the blog for the full write-up.
- No IPv6-only targets. Outbound fetches use whatever address family the Worker runtime picks - typically v4 where available - so a host that publishes only AAAA records may not be reachable from the checks.
- Not an uptime monitor. We give you a point-in-time snapshot. We don't poll, alert, or track history.
Acknowledgments
netrecon is a frontend for a lot of other people's excellent work.
- SSLMate Certspotter + crt.sh - Certificate Transparency logs
- Team Cymru - ASN / IP-to-network mapping
- ipwho.is - geolocation and ISP hints
- Shodan free facets - port / product / CVE exposure summaries
- Cloudflare - Pages, Functions, Browser Rendering
Credits
Built by Yossi Ben Hagai - yossibh.github.io.