The Problem

DNS is the foundation of every internet service, and it is the most overlooked attack surface. Misconfigured DNSSEC, dangling CNAME records, missing SPF/DKIM/DMARC, DNS tunneling, typosquatting domains, expiring certificates, open resolvers — the attack vectors are everywhere, but the tools to detect them are fragmented across dozens of specialized utilities, each with its own syntax, its own output format, and its own learning curve.

Traditional DNS security workflow:
  check DNS records              ->  dig / nslookup (manual parsing)
  validate DNSSEC                ->  dnsviz.net web UI + delv CLI
  audit email security           ->  mxtoolbox.com + dmarcian.com (2 web UIs)
  detect subdomain takeover      ->  subjack / nuclei + manual CNAME review
  find DNS tunneling             ->  Wireshark pcap + custom scripts
  monitor certificates           ->  crt.sh web UI + certspotter
  check typosquatting            ->  dnstwist CLI + manual review
  scan blocklists                ->  multirbl.valli.org + spamhaus lookup
  test infrastructure            ->  multiple CLI tools + web checkers
  generate compliance report     ->  copy-paste everything into a doc
  ─────────────────────────────────
  Total: 8+ tools, 5+ web UIs, hours of manual correlation

dns-security-mcp gives your AI agent 103 tools across 13 categories via the Model Context Protocol. The agent performs DNS reconnaissance, validates DNSSEC chains, audits email authentication, detects hijacking risks, identifies tunneling, monitors certificates, catches typosquatting, checks blocklists, hardens infrastructure, and generates compliance reports — all in a single conversation, all from local DNS queries.

With dns-security-mcp:
  You: "Run a full security audit on example.com"

  Agent: -> dns_lookup: 14 record types resolved, 3 nameservers found
         -> dnssec_full_audit: DNSSEC signed, chain valid, RRSIG expires in 12 days
         -> email_full_audit: SPF present (strict), DKIM found (3 selectors),
            DMARC p=reject — excellent email security
         -> hijack_subdomain_takeover: 2 dangling CNAMEs detected (staging, old-api)
         -> ct_unauthorized_detect: 1 certificate from unauthorized CA found
         -> bl_domain_score: Risk score 15/100 — clean
         -> infra_ns_diversity: 4 NS across 3 ASNs — good diversity
         -> report_generate: Full SARIF report generated

         "example.com has strong DNS and email security posture.
          Two critical findings: staging.example.com and old-api.example.com
          have dangling CNAME records pointing to decommissioned services —
          immediate subdomain takeover risk. One certificate from a non-
          authorized CA (Let's Debug) was found in CT logs. DNSSEC RRSIG
          expires in 12 days — schedule key rotation."

How It's Different

Most DNS tools give you raw records. dns-security-mcp gives your AI agent the ability to reason across the entire DNS attack surface simultaneously.


Quick Start

Option 1: npx (no install)

npx dns-security-mcp

All 103 tools work immediately. No API keys required for core functionality — everything runs via local DNS queries.

Option 2: bunx (faster)

bunx dns-security-mcp

Option 3: Clone

git clone https://github.com/badchars/dns-security-mcp.git
cd dns-security-mcp
bun install

Connect to your AI agent

# With npx
claude mcp add dns-security-mcp -- npx dns-security-mcp

# With local clone
claude mcp add dns-security-mcp -- bun run /path/to/dns-security-mcp/src/index.ts

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "dns-security": {
      "command": "npx",
      "args": ["-y", "dns-security-mcp"],
      "env": {
        "SECURITYTRAILS_API_KEY": "optional",
        "VIRUSTOTAL_API_KEY": "optional",
        "SAFEBROWSING_API_KEY": "optional",
        "DNS_RESOLVER": "optional"
      }
    }
  }
}

Same JSON config format. Point the command to npx dns-security-mcp or your local installation path.

Start querying

You: "Check if example.com has any DNS security issues"

That's it. The agent runs reconnaissance, validates DNSSEC, checks email security, scans for hijacking risks, and more — automatically.


What The AI Can Do

Full Security Audit

You: "Run a comprehensive DNS security audit on target.com"

Agent: -> report_full_audit {domain: "target.com"}
       -> "Complete DNS security audit for target.com:
          CRITICAL: 2 dangling CNAMEs (subdomain takeover risk)
          HIGH: DNSSEC not enabled — vulnerable to cache poisoning
          HIGH: DMARC policy is 'none' — email spoofing possible
          MEDIUM: MTA-STS not configured
          LOW: 2 NS servers in same /24 subnet
          Score: 42/100 — significant improvements needed.
          Full SARIF report generated with 8 findings."

Email Spoofing Assessment

You: "Can someone spoof emails from our domain bigcorp.com?"

Agent: -> email_spoofability_score {domain: "bigcorp.com"}
       -> email_check_spf {domain: "bigcorp.com"}
       -> email_check_dmarc {domain: "bigcorp.com"}
       -> email_check_dkim {domain: "bigcorp.com"}
       -> "Spoofability score: 72/100 (HIGH RISK)
          SPF: Present but uses ~all (softfail) instead of -all
          DKIM: Only 1 selector found (google), missing others
          DMARC: Policy is p=none with no rua reporting
          Recommendation: Change SPF to -all, set DMARC p=reject,
          add DKIM for all sending services."
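The assessment above rests on three parsers (SPF, DKIM selector probing, DMARC) and a scoring rule. The block below is an added example written for this page, not the project's email/ module or its email_spoofability_score implementation: it parses SPF and DMARC TXT records, counts SPF lookup-costing terms, and derives a 0-100 spoofability score. The weights, the constructed records and the bigcorp.example names are assumptions; DKIM is passed in as a selector count because probing selectors needs live DNS.

```typescript
// Added example (not dns-security-mcp's email/ module): parse SPF and DMARC
// TXT records and derive a spoofability score. Scoring weights are assumptions.

export interface SpfResult { present: boolean; allQualifier: string | null; lookups: number }
export interface DmarcResult { present: boolean; policy: string | null; rua: boolean; pct: number }

// Terms that cost a DNS lookup; RFC 7208 §4.6.4 allows at most 10 per evaluation.
const LOOKUP_TERMS = ["include", "a", "mx", "ptr", "exists", "redirect"];

export function parseSpf(txtRecords: string[]): SpfResult {
  const spf = txtRecords.filter(r => /^v=spf1(\s|$)/i.test(r.trim()))[0];
  if (!spf) return { present: false, allQualifier: null, lookups: 0 };
  let allQualifier: string | null = null;
  let lookups = 0;
  for (const term of spf.trim().split(/\s+/).slice(1)) {
    // qualifier (+ - ~ ?), term name, then an optional ":value", "=value" or "/cidr"
    const m = /^([+\-~?]?)([a-z0-9]+)(?:[:=\/].*)?$/i.exec(term);
    if (!m) continue;
    const name = m[2].toLowerCase();
    if (name === "all") allQualifier = m[1] || "+"; // an unqualified "all" means pass
    else if (LOOKUP_TERMS.indexOf(name) !== -1) lookups++;
  }
  return { present: true, allQualifier, lookups };
}

export function parseDmarc(txtRecords: string[]): DmarcResult {
  const rec = txtRecords.filter(r => /^v=dmarc1\b/i.test(r.trim()))[0];
  if (!rec) return { present: false, policy: null, rua: false, pct: 100 };
  const tags: Record<string, string> = {};
  for (const part of rec.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  const pct = tags["pct"] === undefined ? 100 : Number(tags["pct"]);
  return {
    present: true,
    policy: tags["p"] ? tags["p"].toLowerCase() : null,
    rua: !!tags["rua"],
    pct: isNaN(pct) ? 100 : pct,
  };
}

// 0 = fully protected, 100 = trivially spoofable. Weights are illustrative.
export function spoofabilityScore(spf: SpfResult, dmarc: DmarcResult, dkimSelectors: number): number {
  let score = 0;
  if (!spf.present) score += 35;
  else if (spf.allQualifier === null || spf.allQualifier === "+") score += 35; // no "all" or "+all": anyone passes
  else if (spf.allQualifier === "~" || spf.allQualifier === "?") score += 20;  // softfail/neutral: receivers rarely reject
  if (spf.present && spf.lookups > 10) score += 10;                          // permerror: SPF is effectively ignored
  if (dkimSelectors === 0) score += 20;
  else if (dkimSelectors === 1) score += 5;                                  // unsigned mail streams probably exist
  if (!dmarc.present) score += 45;
  else {
    if (dmarc.policy === "none") score += 35;       // monitoring only, nothing is enforced
    else if (dmarc.policy === "quarantine") score += 10;
    if (!dmarc.rua) score += 5;                     // no aggregate reports: abuse goes unseen
    if (dmarc.pct < 100) score += 5;                // partial enforcement
  }
  return Math.min(100, score);
}

// Constructed records mirroring the assessment above (weak) and its recommendation (hardened).
export const WEAK = {
  spf: ["v=spf1 include:_spf.google.com ~all"],
  dmarc: ["v=DMARC1; p=none"],
  dkimSelectors: 1,
};
export const HARDENED = {
  spf: ["v=spf1 include:_spf.google.com -all"],
  dmarc: ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@bigcorp.example"],
  dkimSelectors: 3,
};

export function assess(d: { spf: string[]; dmarc: string[]; dkimSelectors: number }): number {
  return spoofabilityScore(parseSpf(d.spf), parseDmarc(d.dmarc), d.dkimSelectors);
}

console.log("weak:", assess(WEAK), "hardened:", assess(HARDENED));
```

The two constructed inputs bracket the scenario: the softfail SPF, single DKIM selector and p=none DMARC score 65 under these weights, and applying the three recommended changes brings the same domain to 0. A domain publishing no SPF, DKIM or DMARC at all hits the 100 ceiling.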

Subdomain Takeover Hunt

You: "Check all subdomains of startup.io for takeover risk"

Agent: -> hijack_subdomain_takeover {domain: "startup.io", use_ct: true}
       -> hijack_dangling_cname {domain: "startup.io"}
       -> hijack_dangling_ns {domain: "startup.io"}
       -> hijack_dangling_mx {domain: "startup.io"}
       -> "Found 4 subdomains at risk:
          CRITICAL: docs.startup.io -> CNAME to ReadTheDocs (unclaimed)
          CRITICAL: staging.startup.io -> CNAME to Heroku (app deleted)
          HIGH: old-blog.startup.io -> CNAME to Ghost.io (expired)
          MEDIUM: mail2.startup.io -> MX points to decommissioned server
          All 4 can be claimed by an attacker. Immediate action required."

DNS Tunneling Detection

You: "Analyze these DNS queries for tunneling: [list of suspicious queries]"

Agent: -> tunnel_full_scan {queries: [...], timestamps: [...]}
       -> "Tunneling probability: 94/100 (VERY HIGH)
          Entropy: 4.8 bits/char avg (normal is <3.5)
          Query length: 180+ chars avg (normal is <50)
          Tool signature: Matches iodine encoding pattern
          Covert channel: Beaconing detected at 30s intervals
          TXT payloads: Base64-encoded data in responses
          Verdict: Active DNS tunnel, likely iodine-based C2."
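The entropy, label-length and beaconing signals that tunnel_full_scan reports above (and that tunnel_entropy_analysis, tunnel_query_length and tunnel_covert_channel expose individually) can be reproduced with a few lines of TypeScript. The block below is an added example written for this page, not the project's tunnel/ module: it strips the registered zone, computes Shannon entropy per client-controlled label, scores length and label-count anomalies, and flags near-constant inter-query timing. The thresholds (3.5 bits/char, 30-character labels, 50-character queries), the weights and the evil.example sample queries are constructed assumptions.

```typescript
// Added example (not dns-security-mcp's code): DNS tunneling triage heuristics.
// Thresholds and weights are assumptions chosen for illustration.

export interface QueryVerdict {
  query: string;
  labelEntropy: number; // highest Shannon entropy (bits/char) over the client-controlled labels
  longestLabel: number;
  totalLength: number;
  score: number;        // 0-100 heuristic
}

// Shannon entropy of a string in bits per character.
export function shannonEntropy(s: string): number {
  if (s.length === 0) return 0;
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const ch in counts) {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// The registered zone ("tunnel.evil.example") carries no signal; only the
// labels the client prepends to it are analysed.
export function prefixLabels(query: string, zone: string): string[] {
  const q = query.toLowerCase().replace(/\.$/, "");
  const z = zone.toLowerCase().replace(/\.$/, "");
  if (q === z) return [];
  const suffix = "." + z;
  if (q.length <= suffix.length || q.slice(-suffix.length) !== suffix) return q.split(".");
  return q.slice(0, q.length - suffix.length).split(".");
}

export function analyzeQuery(query: string, zone: string): QueryVerdict {
  const labels = prefixLabels(query, zone);
  let labelEntropy = 0;
  let longestLabel = 0;
  for (const l of labels) {
    labelEntropy = Math.max(labelEntropy, shannonEntropy(l));
    longestLabel = Math.max(longestLabel, l.length);
  }
  let score = 0;
  if (labelEntropy > 3.5) score += 40;  // base32/base64 payloads have a near-uniform symbol distribution
  if (longestLabel > 30) score += 30;   // human-chosen hostnames are short
  if (query.length > 50) score += 20;   // tunnels pack as much data per query as the name-length limit allows
  if (labels.length > 3) score += 10;   // many chunked labels under one zone
  return { query, labelEntropy, longestLabel, totalLength: query.length, score };
}

// Beaconing: near-constant inter-query interval (coefficient of variation below 10%).
export function isBeaconing(timestampsSec: number[]): boolean {
  if (timestampsSec.length < 4) return false;
  const sorted = timestampsSec.slice().sort((a, b) => a - b);
  const gaps: number[] = [];
  for (let i = 1; i < sorted.length; i++) gaps.push(sorted[i] - sorted[i - 1]);
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  if (mean <= 0) return false;
  const variance = gaps.reduce((a, g) => a + (g - mean) * (g - mean), 0) / gaps.length;
  return Math.sqrt(variance) / mean < 0.1;
}

// Average per-query score, the "tunneling probability" figure.
export function tunnelProbability(queries: string[], zone: string): number {
  if (queries.length === 0) return 0;
  let total = 0;
  for (const q of queries) total += analyzeQuery(q, zone).score;
  return Math.round(total / queries.length);
}

// Constructed sample: base32-looking chunks under a tunnel zone versus ordinary hostnames.
const BASE32 = "abcdefghijklmnopqrstuvwxyz234567";
export const SUSPICIOUS = [BASE32 + "." + BASE32 + ".t.evil.example", BASE32 + ".t.evil.example"];
export const BENIGN = ["www.example.com", "mail.example.com"];

console.log("suspicious:", tunnelProbability(SUSPICIOUS, "evil.example"));
console.log("benign:", tunnelProbability(BENIGN, "example.com"));
```

Stripping the zone before measuring matters: entropy over the whole query would be diluted by the fixed suffix, and a long but legitimate zone name would otherwise trip the length check. The beaconing test is deliberately separate because it needs timestamps, which a query list alone does not carry.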

Typosquatting Detection

You: "Find typosquatting domains targeting mybank.com"

Agent: -> typo_full_scan {domain: "mybank.com", check_registered: true}
       -> "Generated 847 typosquat variants across 7 techniques.
          42 are registered and resolving:
          - myb4nk.com (homoglyph) -> resolves to 185.x.x.x (suspicious)
          - mybank.co (TLD variation) -> parked page
          - my-bank.com (combosquat) -> phishing page detected
          - mybanк.com (IDN/Cyrillic 'к') -> redirect to credential harvester
          HIGH RISK: 4 domains actively serving phishing content.
          Recommend takedown requests for mybanк.com and my-bank.com."

Certificate Transparency Monitoring

You: "Monitor certificates issued for our domain in the last 7 days"

Agent: -> ct_monitor {domain: "company.com", days: 7}
       -> ct_unauthorized_detect {domain: "company.com"}
       -> ct_expiry_monitor {domain: "company.com", days_threshold: 30}
       -> "Certificate activity for company.com (last 7 days):
          3 new certificates issued:
          - *.company.com by Let's Encrypt (expected)
          - api.company.com by DigiCert (expected)
          - company.com by GoGetSSL (UNAUTHORIZED — not in CAA)
          Expiring soon: 2 certificates expire within 30 days.
          Action: Investigate the GoGetSSL certificate — your CAA
          record only allows Let's Encrypt and DigiCert."
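The "UNAUTHORIZED — not in CAA" verdict above is a cross-reference between certificates seen in CT logs and the domain's CAA policy (RFC 8659). The block below is an added example written for this page, not the project's ct/ module or its ct_unauthorized_detect tool: it climbs the name hierarchy to find the relevant CAA RRset, applies the issue/issuewild rules including the empty-issuer and unknown-critical-tag cases, and flags certificates whose issuer is not permitted. It assumes each CT entry already carries the issuer's CAA identifier domain (real CT data gives an issuer distinguished name that must first be mapped to the CA's published CAA domain); the company.example records and certificates are constructed.

```typescript
// Added example (not dns-security-mcp's ct/ module): cross-reference CT log
// entries against the domain's CAA policy (RFC 8659).
// Assumption: CtEntry.issuerCaaDomain is the CA's CAA identifier domain.

export interface CaaRecord { flags: number; tag: string; value: string }
export interface CtEntry { name: string; issuerCaaDomain: string }
export interface Finding { name: string; issuer: string; authorized: boolean; reason: string }

const KNOWN_TAGS = ["issue", "issuewild", "iodef"];

// RFC 8659 §3: the relevant RRset is the first non-empty CAA RRset found while
// climbing from the name (wildcard label removed) towards the root.
export function relevantCaa(caaByName: Record<string, CaaRecord[]>, name: string): CaaRecord[] {
  let labels = name.toLowerCase().replace(/^\*\./, "").split(".");
  while (labels.length > 0) {
    const rrset = caaByName[labels.join(".")];
    if (rrset && rrset.length > 0) return rrset;
    labels = labels.slice(1);
  }
  return [];
}

// Returns the CAA domains permitted to issue, or null when CAA imposes no
// restriction. An empty list means no CA may issue.
export function allowedIssuers(caa: CaaRecord[], wildcard: boolean): string[] | null {
  // A critical tag (flag bit 7) the evaluator does not understand forbids issuance (RFC 8659 §4.1).
  if (caa.some(r => (r.flags & 0x80) !== 0 && KNOWN_TAGS.indexOf(r.tag.toLowerCase()) === -1)) return [];
  const tagged = (t: string) => caa.filter(r => r.tag.toLowerCase() === t);
  let relevant = tagged("issue");
  if (wildcard && tagged("issuewild").length > 0) relevant = tagged("issuewild"); // issuewild overrides issue for wildcard names
  if (relevant.length === 0) return null; // records exist (e.g. only iodef) but none restrict issuance
  // value is "<ca-domain>[; param=value ...]"; an empty domain (issue ";") names nobody
  return relevant.map(r => r.value.split(";")[0].trim().toLowerCase()).filter(d => d.length > 0);
}

export function crossReference(caaByName: Record<string, CaaRecord[]>, certs: CtEntry[]): Finding[] {
  return certs.map(c => {
    const wildcard = c.name.indexOf("*.") === 0;
    const allowed = allowedIssuers(relevantCaa(caaByName, c.name), wildcard);
    const issuer = c.issuerCaaDomain.toLowerCase();
    if (allowed === null) return { name: c.name, issuer, authorized: true, reason: "no CAA restriction applies" };
    const ok = allowed.indexOf(issuer) !== -1;
    const reason = ok
      ? "issuer named in CAA " + (wildcard ? "issuewild/issue" : "issue") + " set"
      : "issuer not in CAA policy (permitted: " + (allowed.length ? allowed.join(", ") : "none") + ")";
    return { name: c.name, issuer, authorized: ok, reason };
  });
}

// Constructed sample mirroring the company.com scenario above.
export const CAA_SAMPLE: Record<string, CaaRecord[]> = {
  "company.example": [
    { flags: 0, tag: "issue", value: "letsencrypt.org" },
    { flags: 0, tag: "issue", value: "digicert.com" },
    { flags: 0, tag: "iodef", value: "mailto:security@company.example" },
  ],
};
export const CT_SAMPLE: CtEntry[] = [
  { name: "*.company.example", issuerCaaDomain: "letsencrypt.org" },
  { name: "api.company.example", issuerCaaDomain: "digicert.com" },
  { name: "company.example", issuerCaaDomain: "gogetssl.com" },
];

export function unauthorizedNames(): string[] {
  return crossReference(CAA_SAMPLE, CT_SAMPLE).filter(f => !f.authorized).map(f => f.name);
}

console.log("unauthorized:", unauthorizedNames());
```

Two details are easy to get wrong when hand-rolling this check: api.company.example has no CAA RRset of its own, so the parent's policy applies after climbing; and the wildcard certificate is governed by the issue records only because no issuewild record exists, whereas an `issuewild ";"` would forbid every wildcard issuance regardless of the issue set.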

Tools Reference (103 tools)

Category Overview

| Category | Tools | Description |
|---|---|---|
| :mag: DNS Reconnaissance | 12 | Record lookup, zone transfer, cache snooping, NSEC walking, propagation, split-horizon |
| :shield: DNSSEC Validation | 8 | Chain of trust, DS/DNSKEY/RRSIG/NSEC checks, algorithm audit, key rollover |
| :email: Email Security | 9 | SPF, DKIM, DMARC, BIMI, MTA-STS, DANE, PTR, spoofability scoring |
| :warning: Hijacking & Takeover | 9 | Dangling CNAME/NS/MX, delegation chain, DNS rebinding, registrar security, BGP impact |
| :hole: DNS Tunneling Detection | 7 | Entropy analysis, length checks, TXT payloads, tool signatures, covert channels |
| :lock: Certificate Transparency | 7 | CT log search, wildcard audit, unauthorized CA detection, expiry monitoring |
| :globe_with_meridians: Domain Intelligence | 10 | WHOIS/RDAP, domain age, history, DGA detection, reputation, hosting info |
| :dart: Typosquatting & Brand Protection | 8 | Homoglyph, bitsquat, TLD variation, combosquat, soundsquat, IDN homograph, keyboard proximity |
| :no_entry: Blocklist & Reputation | 6 | DNSBL/RBL, SURBL, phishing lists, malware lists, fast-flux detection, risk scoring |
| :gear: Infrastructure Security | 9 | Open resolver, amplification, rate limiting, software CVE, EDNS, TCP fallback, DNS cookies |
| :detective: DNS Privacy | 6 | DoH, DoT, DoQ testing, ECS leak detection, resolver audit, DNS leak test |
| :biohazard: Passive DNS & Threat Intel | 7 | Passive DNS, co-hosting, IP-to-domains, malicious feeds, C2 detection, sinkhole check |
| :page_facing_up: Compliance & Reporting | 5 | RFC compliance, CIS benchmarks, full audit, SARIF/Markdown/JSON reports, baseline comparison |


DNS Reconnaissance (12 tools)

| Tool | Description |
|---|---|
| dns_lookup | Resolve all DNS record types for a domain in parallel |
| dns_reverse | Perform PTR (reverse DNS) lookup with Forward Confirmed rDNS (FCrDNS) validation |
| dns_zone_transfer | Attempt AXFR (full zone transfer) against a domain's nameserver via TCP |
| dns_subdomain_enum | Enumerate subdomains using passive CT (Certificate Transparency) log lookups via crt.sh |
| dns_cache_snoop | Perform DNS cache snooping by sending non-recursive query (RD=0) to a nameserver |
| dns_nsec_walk | Attempt DNSSEC NSEC zone walking to enumerate domain names in a signed zone |
| dns_wildcard_detect | Detect wildcard DNS configurations by resolving random non-existent subdomains |
| dns_server_fingerprint | Fingerprint a DNS server by querying CHAOS class TXT records (version.bind) |
| dns_recursive_check | Test whether a nameserver is an open recursive resolver (RD=1 for external domain) |
| dns_propagation | Check DNS propagation by querying 20+ globally distributed public resolvers |
| dns_split_horizon | Detect split-horizon (split-brain) DNS by comparing internal vs external resolver responses |
| dns_ttl_analysis | Analyze DNS TTL values across all record types for a domain |

DNSSEC Validation (8 tools)

| Tool | Description |
|---|---|
| dnssec_validate | Full DNSSEC chain of trust validation from root to TLD to domain |
| dnssec_check_ds | Check DS (Delegation Signer) records for a domain |
| dnssec_check_dnskey | List all DNSKEY records for a domain |
| dnssec_check_rrsig | Check RRSIG (Resource Record Signature) records and expiry |
| dnssec_check_nsec | Check NSEC/NSEC3 records for a domain |
| dnssec_algorithm_audit | Inventory all DNSSEC algorithms used in DS, DNSKEY, and RRSIG records |
| dnssec_key_rollover | Check for DNSSEC key rollover indicators |
| dnssec_full_audit | Comprehensive DNSSEC audit: all 7 checks combined with unified report |

Email Security (9 tools)

| Tool | Description |
|---|---|
| email_check_spf | Check SPF (Sender Policy Framework) record with mechanism analysis |
| email_check_dkim | Check DKIM records by probing common selectors (google, selector1, dkim, etc.) |
| email_check_dmarc | Check DMARC record with policy analysis and reporting configuration |
| email_check_bimi | Check BIMI (Brand Indicators for Message Identification) record |
| email_check_mta_sts | Check MTA-STS (Mail Transfer Agent Strict Transport Security) configuration |
| email_check_dane | Check DANE/TLSA records for a domain's MX hosts |
| email_check_ptr | Check PTR and FCrDNS (Forward-Confirmed reverse DNS) for MX hosts |
| email_spoofability_score | Calculate email spoofability score (0-100) based on SPF, DKIM, DMARC |
| email_full_audit | Comprehensive email security audit across all protocols |

Hijacking & Takeover (9 tools)

| Tool | Description |
|---|---|
| hijack_dangling_cname | Detect dangling CNAME records that could allow subdomain takeover |
| hijack_dangling_ns | Detect dangling NS records that could allow full domain takeover |
| hijack_dangling_mx | Detect dangling MX records that could allow email hijacking |
| hijack_ns_delegation | Walk the DNS delegation chain and verify consistency |
| hijack_dns_rebinding | Detect DNS rebinding candidates via IP changes combined with low TTL |
| hijack_registrar_security | Check domain registrar security posture via RDAP |
| hijack_change_monitor | Monitor DNS record changes by comparing against a stored baseline |
| hijack_subdomain_takeover | Full subdomain takeover scan using CT logs and CNAME resolution |
| hijack_bgp_impact | Assess BGP-level impact of domain hijacking via Team Cymru ASN lookup |

DNS Tunneling Detection (7 tools)

| Tool | Description |
|---|---|
| tunnel_entropy_analysis | Calculate Shannon entropy per subdomain label to detect tunneling |
| tunnel_query_length | Measure subdomain label and total query lengths for anomaly detection |
| tunnel_txt_payload | Detect encoded payloads in TXT records: base64, hex, binary markers |
| tunnel_record_anomaly | Analyze queries for record type abuse patterns used in tunneling |
| tunnel_tool_signatures | Match patterns against known tools: iodine, dns2tcp, dnscat2, Cobalt Strike, Sliver C2, DNSStager |
| tunnel_covert_channel | Detect covert channels through beaconing timing analysis and label pattern analysis |
| tunnel_full_scan | All 6 tunnel checks combined with overall probability score (0-100) |

Certificate Transparency (7 tools)

| Tool | Description |
|---|---|
| ct_search | Search CT logs via crt.sh for certificates issued to a domain |
| ct_wildcard_audit | Audit CT logs for wildcard certificates |
| ct_unauthorized_detect | Detect unauthorized certificates by cross-referencing CT logs with CAA records |
| ct_monitor | Monitor CT logs for recently issued certificates within N days |
| ct_check_caa | Check CAA (Certification Authority Authorization) DNS records |
| ct_cert_inventory | Build a full certificate inventory from CT logs |
| ct_expiry_monitor | Find certificates expiring within N days |

Domain Intelligence (10 tools)

| Tool | Description |
|---|---|
| domain_whois | Query RDAP for domain WHOIS information |
| domain_age | Determine domain age via RDAP creation date |
| domain_history | Retrieve domain event history from RDAP |
| domain_expiry_risk | Assess domain expiry risk via RDAP |
| domain_parked_detect | Detect if a domain is a parked/for-sale page |
| domain_dga_detect | Analyze domains for DGA (Domain Generation Algorithm) characteristics |
| domain_newly_registered | Search CT logs for recently issued certs to discover new domains |
| domain_reputation | Multi-source domain reputation check |
| domain_hosting_info | Get hosting infrastructure details for a domain |
| domain_related | Find related domains through shared NS, MX, IP, and CT co-occurrence |

Typosquatting & Brand Protection (8 tools)

| Tool | Description |
|---|---|
| typo_homoglyph | Generate visually similar domain variants (o/0, l/1, rn/m, Cyrillic lookalikes) |
| typo_bitsquat | Generate all single-bit-flip variants of each character in the domain |
| typo_tld_variation | Test common TLD confusions (.com/.co/.cm/.om/.net, etc.) |
| typo_combosquat | Generate brand+keyword combinations (login-, secure-, my-, -app, etc.) |
| typo_soundsquat | Generate phonetically similar variants using sound substitutions |
| typo_idn_homograph | Generate IDN homograph variants using Cyrillic, Greek, Armenian characters |
| typo_keyboard_proximity | Generate QWERTY keyboard proximity typos: adjacent keys, omissions, doubles, swaps |
| typo_full_scan | All 7 typosquatting techniques combined with optional registration check |

Blocklist & Reputation (6 tools)

| Tool | Description |
|---|---|
| bl_check_dnsbl | Check an IP against multiple DNS-based blocklists (DNSBL/RBL) |
| bl_check_surbl | Check a domain against domain-based blocklists (SURBL, Spamhaus DBL, URIBL) |
| bl_check_phishing | Check domain for phishing indicators via blocklists and domain age |
| bl_check_malware | Check domain against malware-specific blocklists (abuse.ch, etc.) |
| bl_fast_flux_detect | Detect fast-flux DNS behavior via multiple timed resolutions |
| bl_domain_score | Aggregated domain risk score (0-100) from DNSBL, age, DNSSEC, SPF/DMARC |

Infrastructure Security (9 tools)

| Tool | Description |
|---|---|
| infra_open_resolver | Test if a nameserver is an open resolver accepting external recursive queries |
| infra_amplification | Measure DNS amplification factor of a nameserver |
| infra_rate_limiting | Test Response Rate Limiting (RRL) on a nameserver |
| infra_software_cve | Fingerprint DNS server software via CHAOS version.bind |
| infra_edns_compliance | Test EDNS0 compliance of a nameserver |
| infra_tcp_fallback | Test TCP fallback support for large responses |
| infra_dns_cookie | Test DNS Cookie support (RFC 7873) |
| infra_axfr_protection | Test zone transfer (AXFR) protection |
| infra_ns_diversity | Analyze nameserver diversity (count, ASN distribution, /24 subnets) |

DNS Privacy (6 tools)

| Tool | Description |
|---|---|
| privacy_doh_test | Test DNS-over-HTTPS (DoH) endpoint connectivity and response |
| privacy_dot_test | Test DNS-over-TLS (DoT) endpoint connectivity and security |
| privacy_doq_test | Test DNS-over-QUIC (DoQ) support |
| privacy_ecs_leak | Test EDNS Client Subnet (ECS) leak on a resolver |
| privacy_resolver_audit | Comprehensive privacy audit of a DNS resolver |
| privacy_leak_test | DNS leak test: determine which resolver(s) your system actually uses |

Passive DNS & Threat Intel (7 tools)

| Tool | Description |
|---|---|
| threat_passive_dns | Query passive DNS data for a domain |
| threat_cohosting | Analyze domain co-hosting via reverse DNS and CT logs |
| threat_ip_to_domains | Resolve IP to all known domains via PTR records and CT log searches |
| threat_malicious_feed | Check domain against free threat intelligence feeds (Spamhaus, SURBL, URLhaus) |
| threat_c2_detect | Analyze domains for C2 indicators: DGA score, fast-flux, low TTL, DNSBL |
| threat_actor_infra | Map domain infrastructure: NS, MX, IP, ASN (Team Cymru), registrar (RDAP) |
| threat_sinkhole_check | Check if a domain resolves to known sinkhole operators (Microsoft, Shadowserver, abuse.ch) |

Compliance & Reporting (5 tools)

| Tool | Description |
|---|---|
| report_rfc_compliance | Test compliance with RFC 1035, 4034, 6891, 7208, 7489 |
| report_best_practice | CIS DNS Benchmark-style checks: DNSSEC, email auth, NS diversity, zone transfer, version hiding |
| report_full_audit | Comprehensive audit across all categories with severity ratings |
| report_generate | Full audit with output in JSON, Markdown, or SARIF format |
| report_compare | Compare current audit against a previous baseline to detect drift |


Configuration

Environment Variables

All environment variables are optional. Core functionality (103 tools) works entirely via local DNS queries with zero external API calls.

# Optional: Custom DNS resolver (default: system resolver)
export DNS_RESOLVER=8.8.8.8

# Optional: SecurityTrails API for enriched passive DNS data
export SECURITYTRAILS_API_KEY=your-key

# Optional: VirusTotal API for domain reputation enrichment
export VIRUSTOTAL_API_KEY=your-key

# Optional: Google Safe Browsing API for phishing/malware URL checks
export SAFEBROWSING_API_KEY=your-key

| Variable | Required | What it enables |
|---|---|---|
| DNS_RESOLVER | No | Override the system DNS resolver for all queries |
| SECURITYTRAILS_API_KEY | No | Enriched passive DNS and domain intelligence data |
| VIRUSTOTAL_API_KEY | No | Domain reputation scoring via VirusTotal |
| SAFEBROWSING_API_KEY | No | Google Safe Browsing checks for phishing/malware domains |

Without any API keys, all 103 tools function using local DNS queries, public DNS resolvers, RDAP, crt.sh (Certificate Transparency), and DNS-based blocklists. API keys only add optional enrichment from third-party threat intelligence services.


CLI Usage

# Show help
npx dns-security-mcp --help

# List all 103 tools with descriptions
npx dns-security-mcp --list

# Run any tool directly from the command line
npx dns-security-mcp --tool dns_lookup '{"domain":"example.com","types":["A","AAAA","MX","TXT"]}'
npx dns-security-mcp --tool dnssec_validate '{"domain":"cloudflare.com"}'
npx dns-security-mcp --tool email_spoofability_score '{"domain":"google.com"}'
npx dns-security-mcp --tool hijack_subdomain_takeover '{"domain":"target.com","use_ct":true}'
npx dns-security-mcp --tool tunnel_full_scan '{"queries":["aGVsbG8.tunnel.evil.com","d29ybGQ.tunnel.evil.com"]}'
npx dns-security-mcp --tool typo_full_scan '{"domain":"mybank.com","check_registered":true}'
npx dns-security-mcp --tool report_generate '{"domain":"example.com","format":"sarif"}'

# Using Bun (faster startup)
bunx dns-security-mcp --tool bl_domain_score '{"domain":"suspicious-site.xyz"}'

# With custom DNS resolver
DNS_RESOLVER=1.1.1.1 npx dns-security-mcp --tool dns_propagation '{"domain":"example.com"}'

Architecture

src/
  index.ts                # CLI entrypoint (--help, --list, --tool, stdio server)
  protocol/
    mcp-server.ts         # MCP server setup (stdio transport)
    tools.ts              # Tool registry — all 103 tools assembled here
  types/
    index.ts              # Shared types (ToolDef, ToolContext, ToolResult)
  utils/
    dns-client.ts         # Shared DNS query client (UDP/TCP, dns-packet)
    rate-limiter.ts       # Per-provider rate limiter
    cache.ts              # TTL cache for DNS responses
  dns/                    # DNS Reconnaissance tools (12)
  dnssec/                 # DNSSEC Validation tools (8)
  email/                  # Email Security tools (9)
  hijack/                 # Hijacking & Takeover tools (9)
  tunnel/                 # DNS Tunneling Detection tools (7)
  ct/                     # Certificate Transparency tools (7)
  domain/                 # Domain Intelligence tools (10)
  typo/                   # Typosquatting & Brand Protection tools (8)
  blocklist/              # Blocklist & Reputation tools (6)
  infra/                  # Infrastructure Security tools (9)
  privacy/                # DNS Privacy tools (6)
  threat/                 # Passive DNS & Threat Intel tools (7)
  report/                 # Compliance & Reporting tools (5)
  data/                   # Static data (DKIM selectors, DNSBL lists, tool signatures)

Design decisions:

  • 3 dependencies, nothing else: @modelcontextprotocol/sdk for the MCP protocol, zod for input validation, dns-packet for raw DNS packet crafting. No bloated dependency tree. No native modules. No C bindings.

  • 100% local core — Every tool works via direct DNS queries using dgram (UDP) and net (TCP) sockets with dns-packet for wire-format encoding/decoding. No external API calls required for any core functionality.

  • 13 providers, 1 server — Each security category is an independent module. The AI agent picks which tools to use based on the investigation context.

  • Raw DNS access — Unlike tools built on dns.resolve(), dns-security-mcp crafts raw DNS packets. This enables DNSSEC record queries (DS, DNSKEY, RRSIG, NSEC), CHAOS class queries (version.bind), non-recursive queries (cache snooping), AXFR attempts (zone transfer), and EDNS options — none of which are possible with Node's built-in DNS module.

  • TTL caching — DNS responses are cached respecting record TTL values. CT log queries cached for 15 minutes. RDAP responses cached for 10 minutes. Prevents redundant queries during multi-tool workflows.

  • Graceful degradation — Missing API keys never crash the server. Optional enrichment tools return clear messages: "Set SECURITYTRAILS_API_KEY for enriched passive DNS data."

  • Multiple output formats — Reports can be generated as JSON (machine-readable), Markdown (human-readable), or SARIF (IDE/CI integration).
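The "Raw DNS access" decision above is about controlling the wire format directly: header flags such as RD, the query class, and the EDNS0 OPT record are all fixed by the caller rather than by a resolver library. The block below is an added example written for this page, not the project's src/utils/dns-client.ts (which uses dns-packet); it hand-encodes a query in RFC 1035 wire format with only Uint8Array and DataView, optionally appends an OPT record (RFC 6891) carrying the DO bit so that a DNSKEY query returns its RRSIGs, and parses the result back, following name-compression pointers. The 1232-byte UDP payload size and the transaction ids in the sample are assumptions; labels are assumed to be ASCII.

```typescript
// Added example (not dns-security-mcp's dns-client.ts): encode and decode a
// DNS query in RFC 1035 wire format using only Uint8Array/DataView.

export const RR_TYPE = { A: 1, TXT: 16, OPT: 41, DNSKEY: 48 };
export const RR_CLASS = { IN: 1, CH: 3 };

export interface QueryOptions {
  id: number;          // 16-bit transaction id; a real client draws it from a CSPRNG
  type: number;
  qclass?: number;     // defaults to IN; CH is what a version.bind hiding check needs
  rd?: boolean;        // Recursion Desired; defaults to true, RD=0 asks only for cached data
  dnssecOk?: boolean;  // append an OPT RR with the DO bit so RRSIGs are returned
}

// Labels are assumed to be ASCII (IDNs must be converted to A-labels first).
export function encodeName(name: string): number[] {
  const out: number[] = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    if (label.length === 0) continue;
    if (label.length > 63) throw new Error("label longer than 63 octets: " + label);
    out.push(label.length);
    for (let i = 0; i < label.length; i++) out.push(label.charCodeAt(i) & 0xff);
  }
  out.push(0); // root terminator
  return out;
}

export function buildQuery(name: string, opts: QueryOptions): Uint8Array {
  const flags = opts.rd === false ? 0x0000 : 0x0100; // QR=0, OPCODE=QUERY, RD is bit 8
  const qclass = opts.qclass === undefined ? RR_CLASS.IN : opts.qclass;
  const arcount = opts.dnssecOk ? 1 : 0;
  const bytes: number[] = [
    (opts.id >> 8) & 0xff, opts.id & 0xff,
    (flags >> 8) & 0xff, flags & 0xff,
    0, 1,        // QDCOUNT
    0, 0,        // ANCOUNT
    0, 0,        // NSCOUNT
    0, arcount,  // ARCOUNT
  ];
  for (const b of encodeName(name)) bytes.push(b);
  bytes.push((opts.type >> 8) & 0xff, opts.type & 0xff, (qclass >> 8) & 0xff, qclass & 0xff);
  if (opts.dnssecOk) {
    // OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size (1232),
    // TTL=ext-rcode|version|flags with DO=0x8000, RDLENGTH=0
    bytes.push(0, 0x00, 0x29, 0x04, 0xd0, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00);
  }
  return new Uint8Array(bytes);
}

// Decodes a possibly compressed name (RFC 1035 §4.1.4); returns it and the offset after it.
export function decodeName(buf: Uint8Array, offset: number): { name: string; next: number } {
  const labels: string[] = [];
  let pos = offset;
  let next = -1;
  for (let hops = 0; hops < 128; hops++) {
    if (pos >= buf.length) throw new Error("truncated name");
    const len = buf[pos];
    if (len === 0) { pos++; break; }
    if ((len & 0xc0) === 0xc0) {          // pointer: follow it, resume after the 2-byte pointer
      if (next === -1) next = pos + 2;
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      continue;
    }
    let label = "";
    for (let i = 0; i < len; i++) label += String.fromCharCode(buf[pos + 1 + i]);
    labels.push(label);
    pos += 1 + len;
  }
  return { name: labels.join("."), next: next === -1 ? pos : next };
}

export interface ParsedQuery {
  id: number; qr: boolean; opcode: number; rd: boolean; qdcount: number; arcount: number;
  qname: string; qtype: number; qclass: number; dnssecOk: boolean;
}

export function parseQuery(buf: Uint8Array): ParsedQuery {
  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const flags = dv.getUint16(2);
  const qdcount = dv.getUint16(4);
  const arcount = dv.getUint16(10);
  const q = decodeName(buf, 12);
  const qtype = dv.getUint16(q.next);
  const qclass = dv.getUint16(q.next + 2);
  let dnssecOk = false;
  let pos = q.next + 4;
  for (let i = 0; i < arcount; i++) {   // walk the additional section looking for OPT
    const rr = decodeName(buf, pos);
    const type = dv.getUint16(rr.next);
    const ttl = dv.getUint32(rr.next + 4);
    const rdlen = dv.getUint16(rr.next + 8);
    if (type === RR_TYPE.OPT) dnssecOk = (ttl & 0x8000) !== 0;
    pos = rr.next + 10 + rdlen;
  }
  return {
    id: dv.getUint16(0), qr: (flags & 0x8000) !== 0, opcode: (flags >> 11) & 0x0f,
    rd: (flags & 0x0100) !== 0, qdcount, arcount, qname: q.name, qtype, qclass, dnssecOk,
  };
}

console.log(parseQuery(buildQuery("example.com", { id: 0x1234, type: RR_TYPE.DNSKEY, dnssecOk: true })));
```

Sending the bytes is a dgram socket call; the point of the example is the layout. A DNSKEY query with DO set comes out at exactly 40 bytes (12 header, 17 question, 11 OPT), and the same builder produces a non-recursive (RD=0) or CHAOS-class (qclass=3) query by changing two fields, which is precisely what a resolver API that only exposes record types cannot do.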


Part of the MCP Security Suite

| Project | Domain | Tools |
|---|---|---|
| hackbrowser-mcp | Browser-based security testing | 39 tools |
| cloud-audit-mcp | Cloud security (AWS/Azure/GCP) | 38 tools |
| github-security-mcp | GitHub security posture | 39 tools |
| cve-mcp | Vulnerability intelligence | 23 tools |
| osint-mcp-server | OSINT & reconnaissance | 37 tools |
| darknet-mcp-server | Dark web & threat intelligence | 66 tools |
| dns-security-mcp | DNS security intelligence | 103 tools |


Contributing

Contributions are welcome. See CONTRIBUTING.md for guidelines.

