40+ automated security checks. Six categories. Weighted scoring with letter grades. Running continuously across every domain in your portfolio — so misconfigurations are caught when they happen, not during the next audit.
No credit card required · 7-day trial · Full Enterprise access
Your DNS configuration is a security surface. A missing DMARC record means anyone can send email as your domain. A dangling CNAME record pointing to a deprovisioned cloud service is an open invitation for subdomain takeover. An expired SSL certificate on a production endpoint breaks trust for every visitor. And a broken DNSSEC chain can make your domain completely unreachable for validating resolvers.
Most teams check these things manually — once, during setup, maybe again during an audit. But DNS configurations drift. Records get added, modified, or deleted. SSL certificates rotate. Nameservers change providers. What was correctly configured six months ago may be misconfigured today, and nobody knows because nobody is checking continuously.
DNS Spy's Security Center checks everything, continuously, across every domain. When something changes state — from passing to failing, or from failing to passing — you're notified immediately.
Security Center discovers all applicable checks for each domain — based on its DNS records, nameservers, SSL certificates, and your plan level.
Each domain scan cycle runs all applicable security checks. Results are stored with detailed state data — not just pass/fail, but exactly why.
Results are aggregated into a weighted security score with a letter grade — at the domain, domain group, and account level.
When a check transitions from pass to fail (or fail to pass), you're notified immediately. No noise from unchanged checks.
Security Center operates at the level you need — from a bird's-eye view of your entire portfolio down to the individual check results on a single domain.
A single security score and check summary across every domain in your account. See your overall posture at a glance, with the navigation badge showing total failed checks.
Aggregated scores per domain group — perfect for per-client views, per-environment breakdowns, or business unit reporting. Each group gets its own Security Center page.
The deepest view. Every check result with full state data, check history timeline, category filtering, and direct links to knowledge base remediation guides.
Every check is real — pulled from the actual Security Center engine. Checks marked "Enterprise" require an Enterprise plan (available during the 7-day trial).
Verifies that your nameservers are online, reachable, and properly distributed.
Verifies that all active nameservers respond to DNS queries, detecting any offline nameservers.
Verifies that at least one active nameserver has an IPv4 address.
Verifies that at least one active nameserver has an IPv6 address.
Verifies that nameserver IPs span more than one /24 subnet.
Verifies that all nameservers return the same SOA serial number.
Measures nameserver response times to identify slow or unresponsive infrastructure.
Fails when any nameserver IPv4 response exceeds 300ms or does not respond.
Fails when any nameserver IPv6 response exceeds 300ms or does not respond.
Evaluates redundancy, diversity, and cryptographic protection of your DNS infrastructure.
Verifies more than one active nameserver for fault tolerance.
Verifies CAA records exist to limit which CAs can issue certificates.
Verifies DNSKEY records exist, indicating DNSSEC is enabled.
Verifies the complete DNSSEC chain of trust (DNSKEY, DS, RRSIG).
Verifies nameserver IPs are hosted by more than one provider.
Verifies nameserver IPv6 addresses are hosted by more than one provider.
Verifies nameserver IPs are in more than one country.
Verifies nameserver IPv6 addresses are in more than one country.
Verifies nameservers are from more than one parent domain.
Validates DNS record configuration, email authentication, and zone hygiene.
Verifies a TXT record with "v=spf1" exists for email sender authentication.
Verifies a DMARC TXT record exists at _dmarc subdomain.
Verifies DMARC policy is not set to "p=none" without subdomain override.
Verifies only one SPF record exists (multiple cause delivery issues).
Verifies SPF does not contain "+all" (allows any server to send).
Verifies SPF, DKIM, and DMARC are all present and properly aligned.
Identifies CNAME records whose targets do not resolve (subdomain takeover risk).
Verifies multiple MX records or IPs for email delivery redundancy.
Verifies MX record TTL is at least 3600 seconds.
Compares NS records in zone with actual authoritative nameservers.
Verifies NS record TTL is at least 3600 seconds.
Validates SOA serial format, refresh, retry, and expire values.
Evaluates zone for RFC compliance warnings using named-checkzone.
Verifies an A record exists at the domain apex.
Verifies an AAAA record exists at the domain apex.
Verifies A or CNAME exists for the www subdomain.
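As an added example (not DNS Spy's code), the SPF and DMARC rules listed above applied in Python to constructed TXT records; the function names and the sample zone are hypothetical.

```python
# Added example, not DNS Spy's code: the SPF/DMARC checks described on the
# page applied to constructed TXT records. Function names are hypothetical.
import re

def spf_records(txt_records):
    """All TXT strings that are SPF records (RFC 7208: they start with v=spf1)."""
    return [r for r in txt_records if r.lower().startswith("v=spf1")]

def dmarc_tags(record):
    """Parse 'v=DMARC1; p=none; sp=reject' into {'v': 'dmarc1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def check_email_auth(apex_txt, dmarc_txt):
    """Run the page's SPF/DMARC checks over the TXT records at the apex and at
    _dmarc.<domain>. Returns {check name: (passed, reason)}."""
    results = {}
    spf = spf_records(apex_txt)
    found = f"{len(spf)} SPF record(s) found"
    results["SPF Record Exists"] = (bool(spf), found)
    # More than one SPF record is a permanent error for receivers (RFC 7208 4.5)
    results["Single SPF Record"] = (len(spf) <= 1, found)
    # "+all" (or a bare "all", whose default qualifier is "+") lets any host send
    permissive = any(re.search(r"(^|\s)\+?all(\s|$)", r.lower()) for r in spf)
    results["SPF Not Permissive"] = (not permissive, "contains +all" if permissive else "no +all")
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    results["DMARC Record Exists"] = (bool(dmarc), f"{len(dmarc)} DMARC record(s) found")
    tags = dmarc_tags(dmarc[0]) if dmarc else {}
    policy, sub_policy = tags.get("p"), tags.get("sp")
    # p=none (or a malformed record with no p= tag) is tolerated only when
    # sp= enforces a stronger policy on subdomains
    weak = policy in (None, "none") and sub_policy in (None, "none")
    results["DMARC Policy Strength"] = (bool(dmarc) and not weak, f"p={policy} sp={sub_policy}")
    return results

if __name__ == "__main__":
    # Constructed records for a hypothetical zone
    apex = ["v=spf1 include:_spf.mail.example.test +all", "v=spf1 -all"]
    dmarc = ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]
    for name, (ok, why) in check_email_auth(apex, dmarc).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```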
Audits SSL certificate validity, configuration, and cryptographic strength.
Checks if SSL certificates match the hostnames of the DNS records they serve.
Checks for weak key lengths (RSA < 2048 bits or EC < 256 bits).
Checks for deprecated algorithms like SHA-1 or MD5.
Checks if connections negotiate deprecated TLS 1.0 or 1.1.
Checks for incomplete or invalid certificate chains.
Checks if any certificates are self-signed (browsers won't trust them).
Tracks domain registration and SSL certificate expiration at multiple intervals.
Checks if domain registration has already expired.
Checks if domain expires within the next 7 days.
Checks if domain expires within the next 30 days.
Checks if domain expires within the next 90 days.
Checks if any SSL certificates have already expired.
Checks if any SSL certificates expire within 7 days.
Checks if any SSL certificates expire within 30 days.
Checks if any SSL certificates expire within 90 days.
Not all checks are created equal. A dangling CNAME is far more dangerous than a missing IPv6 AAAA record. The scoring formula reflects this reality.
Checks that detect active vulnerabilities or critical misconfigurations. A single high-criticality failure significantly impacts your score.
Examples: Dangling CNAME, SSL Hostname Mismatch, SPF Record Missing, Domain Expired
Checks for best practices and defense-in-depth. Important for security posture, but not immediately exploitable.
Examples: DMARC Policy Strength, MX Redundancy, CAA Records, Response Time
Checks for completeness and hygiene. Nice to have, but failures here don't represent immediate risk.
Examples: IPv6 AAAA Record, RFC Compliance, Geographic Distribution, WWW Record
Letter Grade Scale
DNS security tools either give you a one-time scan or a checklist you run manually. Security Center is continuous, scored, and integrated into your workflow.
Every domain receives a security score from 0–100 based on a weighted formula. High-criticality checks carry 3x weight, medium checks 2x, and low checks 1x. The score translates to a letter grade (A through F) so you can communicate security posture at a glance.
This weighted approach means your score reflects actual risk. A domain with a dangling CNAME (high-criticality) and a missing IPv6 AAAA record (low-criticality) gets scored appropriately — the dangerous vulnerability dominates the score, not the cosmetic gap.
Security Center works at three levels. Account-wide gives you a single score across your entire portfolio. Domain Group lets you view per-client or per-environment scores. Individual Domain shows the deepest detail with every check result and history.
For MSPs, this means one dashboard for your business, per-client views for reporting, and per-domain drill-downs for remediation. For enterprise teams, group by environment (production, staging, dev) or business unit and track security posture independently.
Every check run is recorded as a SecurityCheckEvent with timestamp, pass/fail status, and detailed state data. When a check changes state — from pass to fail or fail to pass — a new event is created and a notification is sent.
Need to prove to an auditor when your DMARC record was first detected? Need to trace when a dangling CNAME appeared? The history is there — per check, per domain, with full state data at each transition.
Security Center sends alerts only when a check's result changes — not every time it runs. A check that fails and stays failed generates one notification. When it passes again, you get another. Zero noise, full coverage.
State-change notifications are delivered through your configured channels (email, Slack, Discord, PagerDuty) and include the domain, check name, previous state, new state, and the detailed state data explaining why the check failed or passed.
Every security check links to a knowledge base article explaining what it verifies, why it matters, and exactly how to fix a failure. Click from a failed check directly to its resolution guide.
The knowledge base is integrated directly into the Security Center interface. When your team sees a failed "Dangling CNAME Detection" check, they can click through to learn what a dangling CNAME is, why it's dangerous, and step-by-step instructions to remediate it — without leaving DNS Spy.
Enterprise plan unlocks the most critical security checks: Dangling CNAME Detection for subdomain takeover prevention, DNSSEC Validation for chain-of-trust verification, Comprehensive Email Security for SPF/DKIM/DMARC alignment, and full SSL/TLS auditing.
These are the checks that catch the vulnerabilities most tools miss. A dangling CNAME is one of the easiest attack vectors on the internet. A broken DNSSEC chain can cause your domain to be unreachable by validating resolvers. Misaligned email authentication lets attackers send email as your domain. Enterprise checks address all of these.
Use Domain Groups to generate per-client security scores. Show clients their letter grade, highlight failed checks, and demonstrate remediation progress over time. The Security Center becomes your differentiator — a security posture dashboard that most MSP tools don't offer for DNS.
Security Center runs the checks your team would run manually — SPF, DMARC, DNSSEC, dangling CNAMEs, SSL health — but automatically, continuously, and across every domain. State-change alerts mean your team is notified the moment a misconfiguration is introduced, not during the next quarterly audit.
A deploy that changes DNS records can introduce misconfigurations that aren't immediately obvious — a broken CNAME chain, an NS record inconsistency, a TTL that's too low. Security Center catches these within the next check cycle and sends an alert through Slack or PagerDuty.
The audit trail of every check state transition, combined with letter-grade scoring at the account, group, and domain level, gives compliance teams the documentation they need. Export-ready, timestamped, and covering every major DNS security control.
40+ automated security checks · 6 check categories · 3 scope levels (Account, Group, Domain) · A–F letter grade scoring
Add your domains and Security Center starts auditing immediately. 40+ checks, weighted scoring, and state-change alerts — no configuration required.
The Security Center is DNS Spy's automated security auditing engine. It continuously runs 40+ checks against every domain in your portfolio — covering DNS configuration, email authentication, SSL/TLS health, nameserver connectivity, performance, resilience, and expiration tracking. Each check produces a pass/fail result with detailed state data, and the results are aggregated into a weighted security score with a letter grade.
The security score uses a weighted formula based on check criticality. High-criticality checks carry 3x weight, medium checks carry 2x weight, and low checks carry 1x weight. The score represents the percentage of weighted checks that pass. This means a failed high-criticality check (like a dangling CNAME or expired SSL certificate) impacts your score much more than a failed low-criticality check (like a missing AAAA record at the domain apex).
Security Center operates at three levels: Account-wide (every domain in your account aggregated into a single score and check view), Domain Group (checks aggregated across domains in a specific group — great for per-client views when you manage multiple clients), and Individual Domain (the deepest view, showing every check result, state data, and history for a single domain). All three levels use the same scoring formula.
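The weighted formula described here and in the scoring section above, worked through as an added example that is not DNS Spy's own code: check names and their tiers follow the page's examples, the portfolio is constructed, and the A–F cut-offs are an assumption the page does not state.

```python
# Added example, not DNS Spy's code. Weights come from the page; the grade
# cut-offs are assumed. Check names and the portfolio are constructed.
WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Criticality per check follows the page's own examples for each tier
CRITICALITY = {
    "Dangling CNAME": "high", "SSL Hostname Mismatch": "high",
    "SPF Record Missing": "high", "Domain Expired": "high",
    "DMARC Policy Strength": "medium", "MX Redundancy": "medium",
    "CAA Records": "medium", "Response Time": "medium",
    "IPv6 AAAA Record": "low", "RFC Compliance": "low",
    "Geographic Distribution": "low", "WWW Record": "low",
}

def domain_results(failed):
    """Constructed check run: every check passes except those named in `failed`."""
    return {name: name not in failed for name in CRITICALITY}

def score(pairs):
    """Share (0-100, one decimal) of criticality weight that passes, over an
    iterable of (check name, passed) pairs. No applicable checks scores 100."""
    pairs = list(pairs)
    total = sum(WEIGHT[CRITICALITY[n]] for n, _ in pairs)
    passed = sum(WEIGHT[CRITICALITY[n]] for n, ok in pairs if ok)
    return round(100 * passed / total, 1) if total else 100.0

def group_score(domains):
    """Group/account level: the same formula over every check of every domain,
    so one high-criticality failure still outweighs several low-criticality ones."""
    return score(pair for results in domains.values() for pair in results.items())

def letter_grade(s):
    """Assumed cut-offs; the page states A-F but not where the boundaries lie."""
    for cutoff, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if s >= cutoff:
            return grade
    return "F"

# Constructed portfolio reproducing the page's dangling-CNAME vs. missing-AAAA point
GROUP = {
    "shop.example.test": domain_results({"Dangling CNAME", "IPv6 AAAA Record"}),
    "www.example.test": domain_results({"IPv6 AAAA Record"}),
    "api.example.test": domain_results({"Dangling CNAME"}),
}

if __name__ == "__main__":
    for name, results in GROUP.items():
        s = score(results.items())
        print(f"{name:20} {s:5.1f}  {letter_grade(s)}")
    g = group_score(GROUP)
    print(f"{'group':20} {g:5.1f}  {letter_grade(g)}")
```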
Enterprise-only checks include: Dangling CNAME Detection, DNSSEC Validation, Comprehensive Email Security (SPF + DKIM + DMARC alignment), and all SSL/TLS checks (hostname mismatch, deprecated TLS protocols, self-signed certificates, weak keys, weak signature algorithms, invalid chains) plus SSL certificate expiration tracking. All connectivity, performance, resilience, DNS record, and domain expiration checks are available on all paid plans.
Yes. Every time a security check runs, the result is stored as a SecurityCheckEvent with the timestamp, status (pass/fail), and detailed state data. When a check changes state — from pass to fail or fail to pass — DNS Spy creates a new event and sends a notification. This gives you a complete audit trail of your domain's security posture over time.
A state-change notification fires when a check's result transitions from pass to fail or from fail to pass. You don't get notified every time a check runs — only when the result changes. This eliminates noise while ensuring you never miss when something breaks (or when something you fixed is confirmed resolved). Notifications are delivered via email, Slack, Discord, or PagerDuty.
The Dangling CNAME Detection check identifies CNAME records whose targets do not resolve to any address. This is a subdomain takeover vulnerability — an attacker can register the dangling target (such as a deprovisioned cloud service, deleted CDN endpoint, or removed SaaS platform) and serve content on your subdomain. Dangling CNAMEs are one of the most common and dangerous DNS misconfigurations.
The DNSSEC Validation check verifies the complete chain of trust: DNSKEY records exist, DS records are published in the parent zone, and RRSIG signatures are present and valid. It queries with the EDNS0 DO (DNSSEC OK) flag to retrieve signature records. If DNSSEC is enabled but the chain is broken, this check will fail — alerting you to a misconfiguration that could cause DNSSEC-validating resolvers to reject your domain's responses entirely.
Yes. Each security check links to a knowledge base article that explains what the check verifies, why it matters, and how to fix a failure. These articles are integrated directly into the Security Center interface — you can click through from a failed check to its resolution guide without leaving the dashboard.
Security checks run as part of each domain scan cycle, with a built-in throttle of 30 minutes between runs of the same check for the same domain. This ensures checks stay current without excessive resource consumption. Checks also run during public scans, so you can see security results even before signing up.
Most organizations don't know — because they've never checked. Start your free trial and find out in minutes.