Domain & DNS registry¶

Every domain the organization owns or controls — provider, registered owner, credential location, renewal posture, full DNS records, and what runs on it.

DNS sweep performed via Google DoH on 2026-05-05. All records below are as observed in public DNS at that time, not as-intended. Where intent and DNS disagree, both are recorded and flagged as a known issue.

Domains we own (summary)¶

Domain	Registrar / DNS	NS record style	Used for	Renewal	Vault entry
`projecteidos.com`	GoDaddy	`ns29/ns30.domaincontrol.com`	Public corporate site (currently 301 → `eidos-global.com`), Parallax, Teams Bot, Dokploy, GitLab, APEX hostnames	`[INFO NEEDED]`	`[INFO NEEDED]`
`eidos-global.com`	GoDaddy	`ns27/ns28.domaincontrol.com`	Corporate WordPress, CRM (UK + IN)	`[INFO NEEDED]`	`[INFO NEEDED]`
`tneconnect.app`	GoDaddy	`ns53/ns54.domaincontrol.com`	Workforce product marketing site, CRM TnE, workforce app tenants	`[INFO NEEDED]`	`[INFO NEEDED]`
`448.global`	GoDaddy	`ns27/ns28.domaincontrol.com`	Internal-infra estate (`*.448.global`)	`[INFO NEEDED]`	`[INFO NEEDED]`

All four domains are at GoDaddy. SOA emails route to dns.jomax.net. (GoDaddy authoritative server).

Email — Microsoft 365 across (at least) three tenants¶

Domain	M365 tenant	SPF	DMARC	DKIM at common selectors
`projecteidos.com`	`MS=ms38993142`	`v=spf1 include:spf.protection.outlook.com include:_spf.wpcloud.com -all include:secureserver.net -all` double `-all`, malformed	`p=none; rua=rua@dmarc.brevo.com` (monitoring only)	not found
`eidos-global.com`	`NETORG20317550.onmicrosoft.com`	`v=spf1 include:secureserver.net -all`	`p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc_rua@onsecureserver.net`	not found
`tneconnect.app`	`NETORG20331173.onmicrosoft.com`	`v=spf1 include:secureserver.net -all`	`p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc_rua@onsecureserver.net`	not found
`448.global`	`MS=ms85656935` + `NETORGFT19859797.onmicrosoft.com`	`v=spf1 include:secureserver.net -all`	`p=none` (monitoring only)	not found

The estate has at least three separate M365 tenants (NETORG20317550, NETORG20331173, NETORGFT19859797). This means independent admin consoles, billing, security policies — and the MS Azure AD that Authentik federates with is presumably one specific tenant; users in other tenants can't sign in via Authentik unless explicitly invited. Worth a Phase-2 conversation about consolidation or cross-tenant trust.

projecteidos.com SPF is malformed — two -all directives means most resolvers stop after the first -all (after _spf.wpcloud.com), and senders covered only by secureserver.net may fail SPF. Outbound mail deliverability risk.

No DKIM at common selectors (default, selector1, selector2, google, mail, dkim, k1, s1, m1) on any domain. Microsoft 365 typically uses selector1 and selector2 — these are absent. Likely DKIM is not configured. Phase-2: add DKIM in M365 admin and publish the CNAMEs.

CAA records¶

None of the four domains has CAA records. Any CA can issue a cert for any of these hosts. Phase-2: pin to Let's Encrypt + any commercial CA actually used.

Per-domain detail¶

`projecteidos.com`¶

Field	Value
Registrar	GoDaddy
Nameservers	`ns29.domaincontrol.com`, `ns30.domaincontrol.com`
SOA serial	`2026041301` (last updated 2026-04-13)
Apex A record	`145.241.230.130` — not E1, not Dokploy E2
Apex behaviour	HTTP 301 → `https://eidos-global.com/`
Apex `Server:` header	`Apache/2.4.66 (Debian)`, `x-powered-by: PHP/8.3.30`, `x-redirect-by: WordPress`
`www`	A record `145.241.230.130` (same as apex)
MX	`0 projecteidos-com.mail.protection.outlook.com` (M365)
Brevo verification	`brevo-code:12c21e5857bdd32b3b2dffbbbf0ef484`
Microsoft verification	`MS=ms38993142`

Subdomain A records (all → E1 = 140.238.97.163):

Subdomain	A	Service	App doc
`parallax`	140.238.97.163	E1 → E5 (Paid ADB)	01
`bot`	140.238.97.163	E1 → E2 (Dokploy → Teams Bot)	07
`git`	140.238.97.163	E1 → E2 (Dokploy → GitLab)	16
`platform`	140.238.97.163	E1 → E2 (Dokploy itself)	18
`apex-ur`	140.238.97.163	E1 → E5 (Paid ADB alias)	08
`apex1`	140.238.97.163	E1 → E3 (Free ADB Eidos tenant)	09
`apex2`	140.238.97.163	E1 → E4 (Free ADB Fourway)	10

The apex (projecteidos.com) and www are the only *.projecteidos.com hostnames not pointing to E1. Everything else is on E1 → backend. The apex is a 301 to eidos-global.com, served by an Apache+WordPress stack at 145.241.230.130 (likely GoDaddy WP Cloud, not in our control as documented).

`eidos-global.com`¶

Field	Value
Registrar	GoDaddy
Nameservers	`ns27.domaincontrol.com`, `ns28.domaincontrol.com`
SOA serial	`2026022700` (last updated 2026-02-27)
Apex A record	`145.241.230.130`
Apex behaviour	live WordPress site (HTTP 200)
Apex `Server:` header	`Apache/2.4.66 (Debian)`, `x-powered-by: PHP/8.3.30`
WordPress signature	`link: <https://eidos-global.com/wp-json/>; rel="https://api.w.org/"`
`www`	CNAME → `eidos-global.com`
MX	`0 eidosglobal-com01c.mail.protection.outlook.com`

Subdomain A records (→ E1 = 140.238.97.163):

Subdomain	A	Service	App doc
`crm`	140.238.97.163	E1 → E2 (Dokploy → Twenty CRM UK)	04
`in.crm`	140.238.97.163	E1 → E2 (Dokploy → Twenty CRM IN)	05

`tneconnect.app`¶

Field	Value
Registrar	GoDaddy
Nameservers	`ns53.domaincontrol.com`, `ns54.domaincontrol.com`
SOA serial	`2026031100` (last updated 2026-03-11)
Apex A record	`145.241.230.130`
Apex behaviour	live WordPress (HTTP 200)
Apex `Server:` header	`Apache/2.4.66 (Debian)`, `x-powered-by: PHP/8.3.30`
WordPress signature	`link: <https://tneconnect.app/wp-json/>; rel="https://api.w.org/"`
`www`	CNAME → `tneconnect.app`
MX	`0 tneconnect-app.mail.protection.outlook.com`

Reminder: .app TLD is HSTS-preloaded; cert lapse is fatal.

Subdomain A records (→ E1 = 140.238.97.163):

Subdomain	A	Service	App doc
`crm`	140.238.97.163	E1 → E2 (Twenty CRM TnE)	06
`fourway`	140.238.97.163	E1 → E4 Free ADB	02
`eidos-global`	140.238.97.163	E1 → E3 Free ADB	03

`448.global`¶

Field	Value
Registrar	GoDaddy
Nameservers	`ns27.domaincontrol.com`, `ns28.domaincontrol.com`
SOA serial	`2025111600` (last updated 2025-11-16)
Apex A records	`15.197.225.128`, `3.33.251.168` (AWS IPs — likely GoDaddy parking page)
Apex behaviour	HTTP 405 (no real content)
MX	`0 448-global.mail.protection.outlook.com`
Microsoft verification	`MS=ms85656935`
M365 tenant	`NETORGFT19859797.onmicrosoft.com`

Subdomain A records (all → O1 = 140.238.90.91):

Subdomain	A	App doc
`auth`	140.238.90.91	14
`vault`	140.238.90.91	15
`s3`	140.238.90.91	17
`portainer`	140.238.90.91	19
`wg`	140.238.90.91	20
`monitor`	140.238.90.91	21
`notify`	140.238.90.91	23
`coder`	140.238.90.91	24
`n8n`	140.238.90.91	25
`ai`	140.238.90.91	26
`draw`	140.238.90.91	27
`tools`	140.238.90.91	28
`videos`	140.238.90.91	29
`apex1`	140.238.90.91	30
`apex2`	140.238.90.91	31

448.global apex itself has no real content — the value is in the subdomains.

Confirmed VPS public IPs¶

Server	Public IPv4	OCID
E1 EIDOSDev1 Caddy proxy	`140.238.97.163`	`ocid1.instance.oc1.uk-london-1.anwgiljrbm2l2oickmz6rrbvwz7f4lxmzcvpoxqyzl47gw45spnpo5h2y6ra`
E2 EIDOSDev1 Dokploy	`145.241.230.130`	`ocid1.instance.oc1.uk-london-1.anwgiljtbm2l2oicsz2npzclars3a3v5gu6xya4vpohnjygv7wiievozrwqa`
O1 ORA448Global all-in-one	`140.238.90.91`	`[INFO NEEDED]`

All confirmed via OCI console 2026-05-06.

Wildcard A records¶

All four domains have a * (wildcard) A record so any unspecified subdomain resolves to the right Caddy host:

Domain	Wildcard target	Caddy host
`*.projecteidos.com`	`140.238.97.163`	E1
`*.eidos-global.com`	`140.238.97.163`	E1
`*.tneconnect.app`	`140.238.97.163`	E1
`*.448.global`	`140.238.90.91`	O1

Operational consequence: new subdomains do not require a DNS change at GoDaddy. Adding a new app to E1 (or O1) is a Caddy-only operation — add a site block, caddy reload, and the subdomain is live. Useful for quick deploys; do bear in mind that any unconfigured subdomain still hits Caddy, which simply 404s rather than misrouting.

Confirmed via DNS sweep 2026-05-08.

Architecture notes¶

WordPress apex domains bypass E1 Caddy¶

The 3 WordPress apex domains (projecteidos.com, eidos-global.com, tneconnect.app) all resolve to 145.241.230.130 which is the public IP of E2 (Dokploy) — same host where the rest of the PE-side apps live. Apex DNS goes direct to E2's Traefik; subdomains go via E1 Caddy → E2.

Captured as architectural note KI-025 — low-priority cleanup; no immediate risk.

Other gaps¶

Renewal expiry dates per domain — [INFO NEEDED]
Registrar account access — [INFO NEEDED] — must be in Vault, MFA enforced
Domain registry-lock / transfer-lock status — [INFO NEEDED]
WHOIS privacy enabled — [INFO NEEDED]
DNSSEC — [INFO NEEDED] (not detected in lookups; default-off at GoDaddy)

Risks¶

E2 dual-ingress architectural inconsistency (KI-025) — low-priority cleanup.
No CAA records on any of the 4 domains (KI-026).
Malformed SPF on projecteidos.com with double -all (KI-027).
DMARC p=none on projecteidos.com and 448.global (KI-028).
DKIM not configured at common M365 selectors on any domain (KI-029).
At least three separate M365 tenants (KI-030).
Renewal posture, registrar lock, DNSSEC, WHOIS privacy — all [INFO NEEDED].

Phase-2 actions¶

Resolve KI-025 (low-priority): standardize on a single ingress path or document the dual setup explicitly.
Add CAA records on all 4 domains.
Fix projecteidos.com SPF (single trailing -all).
Move DMARC to p=quarantine then p=reject on projecteidos.com and 448.global.
Configure DKIM in M365 admin for each tenant; publish selector1/selector2 CNAMEs.
Plan M365 tenant consolidation (long-term).
GoDaddy account credentials → Vault, MFA on registrar accounts.
Enable registry-lock + transfer-lock on all 4 domains.
Capture renewal dates + auto-renew status; calendar 60/30/7-day reminders.