When they go rogue,you stay ready.
DoppelShield is a URL forensics tool for spotting look-alike domains. Enter a link and it decodes the host, flags any Cyrillic or Greek homoglyphs, follows redirects safely, and tells you whether the domain resolves at all.
What is a homograph attack?
Many Cyrillic and Greek letters are near-perfect twins of Latin ones: Cyrillic аеорс read as aeopc, Greek αο as ao. An attacker registers раypal.com (with a Cyrillic р and а) and, to the eye, it is indistinguishable from paypal.com. The browser, however, connects to a completely different domain.
How DoppelShield works
- Decode the host: The host is converted from its ASCII A-label (the IDNA
xn--ACE form) back to Unicode, then scanned for characters from the Cyrillic and Greek scripts, the ones most often confusable with Latin letters. - Per-character evidence: Each flagged character is isolated and tagged with its exact Unicode codepoint and script, so you see precisely what is impersonating what.
- Safe redirect tracing: Redirects are followed one hop at a time, each re-validated, up to a fixed limit. Loop detection and a wall-clock deadline keep the trace bounded.
- Connect-time SSRF guard: The server resolves and pins the exact IP it connects to, blocking loopback, private, and cloud-metadata ranges. DNS-rebinding and redirect-to-internal attacks can't slip through.
- No information disclosure: Blocked and unresponsive targets return one uniform verdict, so the tool can never be used to map an internal network.
Limitations
DoppelShield focuses on script-based homoglyphs (Cyrillic and Greek) and structural red flags. It is not a malware scanner or a reputation service: a domain can be entirely Latin and still be malicious. Treat a clean result as “no homoglyphs detected,” not “safe”. Always verify before entering sensitive information.
Privacy & acceptable use
DoppelShield needs no account and does not store the URLs you submit. Each scan runs in memory and is discarded once the response is sent; server logs keep only a request id and the outcome, never the URL, its query string, or your IP address. The link you enter is fetched from DoppelShield's server, not your browser, so the destination site sees the scanner rather than you. Please submit only URLs you have a legitimate reason to inspect.