
DNS Security Assessment

DNSSEC, subdomain takeover, zone integrity, and record hygiene — the layer attackers hit first and defenders forget.

Free: first 2 assessments
<10 min: to complete
24h: team review

What We Assess

8 Areas We Examine

01. DNSSEC Signing & Validation
Is your zone signed? Are DS records published at the parent? Do key rollovers happen cleanly? Is validation enforced on resolvers you control?

02. Subdomain Takeover Risk
CNAMEs pointing at de-provisioned S3 buckets, Heroku apps, Azure resources, or expired SaaS trials — where an attacker can reclaim the resource and serve content as you.

03. Dangling & Stale Records
A records pointing to IPs you no longer own, MX records for decommissioned mail servers, orphaned TXT verification tokens.

04. DNS Provider Redundancy
Secondary DNS providers, geographic diversity, and resilience to a single-provider outage (ask anyone who relied only on one big provider in recent incidents).

05. Email Authentication (SPF/DKIM/DMARC)
SPF record syntax and lookup limit, DKIM selector rotation, DMARC policy (none/quarantine/reject), and alignment with the From header.

06. CAA Records
DNS-level allowlist of certificate authorities permitted to issue certificates for your domain — the only real defense against rogue issuance.

07. Wildcard & Catch-All Exposure
Overly broad wildcard A/CNAME records that accidentally resolve internal hostnames, or leak staging environments.

08. Zone Transfer (AXFR) Protection
Can an outsider run `dig AXFR` against your nameservers and walk your entire zone? It happens more often than you'd think.

Who This Assessment Is For

Any organisation with a domain. Critical for enterprises with many subdomains, SaaS providers, companies that have acquired others (inherited DNS mess), and anyone whose brand depends on email deliverability.

Common Findings We Uncover
DNSSEC not enabled on primary domain
CNAMEs pointing at deleted S3 buckets or expired SaaS
DMARC at `p=none` — no enforcement, brand spoofable
No CAA records — any CA can issue certs for your domain
AXFR (zone transfer) accepted from arbitrary IPs
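
Three of the findings listed above (dangling CNAMEs, DMARC at `p=none`, missing CAA) can be checked against your own zone export. The following is an added example, not code from this page or the service it describes; the zone data, the `example.test` names, and the `resolves` callback standing in for live DNS lookups are all constructed assumptions.

```python
# Constructed zone export; example.test is a placeholder domain.
APEX = "example.test."
ZONE = [
    ("blog.example.test.", "CNAME", "example-test.ghost.io."),
    ("files.example.test.", "CNAME", "files-example.s3.amazonaws.com."),
    ("www.example.test.", "CNAME", "web.example.test."),
    ("old.example.test.", "CNAME", "gone.example.test."),
    ("web.example.test.", "A", "192.0.2.10"),
    ("_dmarc.example.test.", "TXT", "v=DMARC1; p=none; rua=mailto:d@example.test"),
]
# Constructed stand-in for live DNS answers: external targets that still resolve.
LIVE = {"example-test.ghost.io."}


def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a lowercase-keyed dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {key.strip().lower(): val.strip() for key, val in pairs}


def audit(zone, apex, resolves):
    """Return (name, finding) pairs; resolves(name) -> bool is supplied by the caller."""
    owned = {name for name, _, _ in zone}
    findings = []
    for name, rtype, value in zone:
        if rtype != "CNAME":
            continue
        internal = value == apex or value.endswith("." + apex)
        # Non-resolution is only one signal: some providers answer for
        # unclaimed names, which needs a provider-specific check instead.
        if internal and value not in owned:
            findings.append((name, "CNAME to missing in-zone name"))
        elif not internal and not resolves(value):
            findings.append((name, "dangling CNAME to third party"))
    dmarc = [parse_tags(v) for n, t, v in zone
             if n == "_dmarc." + apex and t == "TXT" and v.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("_dmarc." + apex, "no DMARC record"))
    elif dmarc[0].get("p", "").lower() == "none":
        findings.append(("_dmarc." + apex, "DMARC p=none"))
    # CAA is looked up by climbing toward the apex, so check the apex itself.
    if not any(n == apex and t == "CAA" for n, t, _ in zone):
        findings.append((apex, "no CAA record at apex"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(ZONE, APEX, lambda n: n in LIVE):
        print(f"{name:25} {finding}")
```
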
Compliance Frameworks Mapped
NIST SP 800-81 Rev. 2, CERT-In DNS Guidelines, ICANN Best Practices, ISO 27001, M3AAWG

Common Questions

What exactly is a subdomain takeover?
If you have a CNAME like `blog.yourcompany.com` pointing to `yourcompany.ghost.io` and you stop paying for the Ghost subscription, the subdomain now points at a provider who will rent that name to anyone who claims it next. An attacker can then serve any content — including phishing pages — from a hostname under your brand, with a valid cert, bypassing user suspicion and email filters.
Is DNSSEC actually worth the operational overhead?
For banking, government, and critical infrastructure — yes, unambiguously. For small SaaS companies it's a judgement call; the biggest risk DNSSEC mitigates is resolver-level DNS poisoning, which matters more when your users are on untrusted networks. We'll give you a direct recommendation based on your threat model.
How long does this assessment take?
The automated AI assessment takes under 10 minutes and uses only passive DNS lookups against your public records. Nothing is scanned, nothing is brute-forced. Our team reviews and contacts you within 24 hours with a prioritised remediation plan.

Ready to Find Your Gaps?

Start the DNS Security Assessment now. Free for first 2 assessments. Results in under 10 minutes.

No agents. No server access required. No credit card.