DNS & Domain Security
150 points total
Evaluates the security posture of your domain's DNS configuration — DNSSEC, SPF/DMARC presence at the DNS layer, CAA records, name-server delegation, NS count and network diversity, open resolver behavior on authoritative NS, zone transfer protections, and wildcard exposure.
Checks
| Check | Weight | What it measures |
|---|---|---|
| DNSSEC Validation (`dns_dnssec_validation`) | 20 pts | Verifies that DNSSEC is properly configured with a valid DS → DNSKEY → RRSIG chain. |
| CAA Record Presence (`dns_caa_record_presence`) | 20 pts | Checks for Certificate Authority Authorization records restricting which CAs can issue certificates for your domain. |
| NS Delegation Consistency (`dns_ns_delegation_consistency`) | 15 pts | Compares the NS records at the parent zone with those at the authoritative zone to detect delegation mismatches. |
| NS Resilience (`dns_ns_resilience`) | 15 pts | Evaluates how many authoritative NS hostnames exist and whether they resolve to addresses in more than one /24 subnet — single-NS setups and single-subnet clustering increase outage and hijack risk. |
| Open Resolver on Authoritative NS (`dns_open_resolver`) | 15 pts | Probes authoritative nameservers with an external recursive query; open resolvers can be abused for DNS amplification attacks. |
| Zone Transfer (AXFR) Check (`dns_zone_transfer_axfr_check`) | 15 pts | Attempts an AXFR zone transfer against each authoritative nameserver to detect open transfers. |
| SPF Record Check (`dns_spf_record_check`) | 15 pts | Verifies that an SPF TXT record exists on the root domain. |
| DMARC Record Check (`dns_dmarc_record_check`) | 15 pts | Verifies that a DMARC TXT record exists at `_dmarc.<domain>`. |
| Wildcard Detection (`dns_wildcard_detection`) | 10 pts | Tests whether the domain resolves wildcard queries (`*.domain`), which can mask subdomain takeover risks. |
| MX Record Check (`dns_mx_record_check`) | 10 pts | Checks for the presence of MX records for mail delivery. |
Pass / Warn / Fail Logic
For many checks, earned points follow the verdict: full weight on pass, partial credit on some checks for warn, and none on fail. Where it matters, we spell out the points below.
DNSSEC Validation
Pass if full chain validates; warn if signatures detected but inconclusive; fail if DS record exists without valid signatures or DNSSEC is absent.
CAA Record Presence
Pass if CAA records are published; fail if absent.
NS Delegation Consistency
Pass if parent and authoritative NS sets match; warn/fail on mismatch.
NS Resilience
NS names are read from the zone’s NS records (DNS-over-HTTPS). Up to 8 hostnames are resolved to IPv4; each address is bucketed by /24 (first three octets). Fail if there are no NS records or only a single NS name. Warn if there are two or more NS names but at most one distinct /24 among successfully resolved addresses (that includes multiple NS names that all map into the same /24, or multiple names where resolvers return no IPv4 so subnet count stays ≤1). Pass if there are two or more NS names and more than one distinct /24.
Points (this check)
Simple verdict scoring on this check’s weight (15 points): pass earns 100% (15 pts), warn earns 50% (7.5 pts), fail earns 0%. Category score is still the sum of earned points divided by points possible across checks in this category.
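The NS Resilience rules above (name count, /24 bucketing, the cap of 8 resolved hostnames, and the 100% / 50% / 0% credit) are small enough to show as a worked example. The code below is an added illustration, not RedScore's own implementation: the DNS-over-HTTPS lookups are replaced by a caller-supplied mapping of NS hostname to resolved IPv4 addresses, so the verdict and point logic can be exercised offline on constructed data.

```python
"""Worked example of the NS Resilience verdict and points (added illustration, not RedScore code)."""

MAX_NS_RESOLVED = 8          # the check resolves at most 8 NS hostnames to IPv4
NS_RESILIENCE_WEIGHT = 15.0  # weight of this check in points

# credit per verdict for this check, as stated on the page
VERDICT_CREDIT = {"pass": 1.0, "warn": 0.5, "fail": 0.0}


def slash24(ipv4: str) -> str:
    """Bucket an IPv4 address by its first three octets (its /24)."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ipv4!r}")
    return ".".join(octets[:3]) + ".0/24"


def ns_resilience_verdict(ns_addresses: dict) -> tuple:
    """Return (verdict, distinct_24s) for a zone.

    ns_addresses maps each NS hostname (in zone order) to the list of IPv4
    addresses it resolved to; an empty list means no A record came back.
    """
    ns_names = list(ns_addresses)
    if len(ns_names) < 2:
        # no NS records at all, or a single NS name: single point of failure
        return "fail", 0
    subnets = set()
    for name in ns_names[:MAX_NS_RESOLVED]:
        for addr in ns_addresses[name]:
            subnets.add(slash24(addr))
    # two or more names, but everything sits in one /24 (or nothing resolved)
    if len(subnets) <= 1:
        return "warn", len(subnets)
    return "pass", len(subnets)


def ns_resilience_points(ns_addresses: dict) -> float:
    """Points earned on this check: weight scaled by the verdict's credit."""
    verdict, _ = ns_resilience_verdict(ns_addresses)
    return NS_RESILIENCE_WEIGHT * VERDICT_CREDIT[verdict]


def category_score(earned: dict, weights: dict) -> float:
    """Category score as a percentage: earned points over points possible."""
    return 100.0 * sum(earned.values()) / sum(weights.values())


# Constructed sample zones (documentation-range addresses, not real nameservers).
SINGLE_NS = {"ns1.example.net": ["192.0.2.10"]}
SAME_SUBNET = {"ns1.example.net": ["192.0.2.10"], "ns2.example.net": ["192.0.2.11"]}
DIVERSE = {"ns1.example.net": ["192.0.2.10"], "ns2.example.net": ["198.51.100.20"]}
UNRESOLVED = {"ns1.example.net": [], "ns2.example.net": []}

if __name__ == "__main__":
    for label, zone in [("single NS", SINGLE_NS), ("same /24", SAME_SUBNET),
                        ("diverse", DIVERSE), ("no IPv4", UNRESOLVED)]:
        verdict, n = ns_resilience_verdict(zone)
        print(f"{label:10s} -> {verdict:4s} ({n} distinct /24), {ns_resilience_points(zone)} pts")
```

Note that two NS names whose resolvers return no IPv4 land on warn, not fail: the name count is fine, but the subnet count stays at zero, which is the "≤1 distinct /24" branch described above.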
Open Resolver on Authoritative NS
Pass if no NS answers recursion with RA + answers for an external name; fail if any authoritative NS behaves as an open resolver.
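The "RA + answers for an external name" criterion is a header-level test on the DNS reply, so the check itself is a small piece of wire-format handling. The following is an added example, not RedScore's code: it builds a recursion-desired (RD=1) A query for a name the tested server is not authoritative for, and classifies the reply as open only when the RA bit is set, the RCODE is NOERROR and at least one answer record is present. `probe_nameserver` sends the query over plain UDP/53 using the standard library so an operator can point it at their own authoritative servers; the demo runs offline on a constructed reply header and needs no network. The `example.com` probe name and all packet contents are constructed for the example.

```python
"""Open-resolver verdict on an authoritative NS (added illustration, not RedScore code)."""
import secrets
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080   # DNS header flag bits
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(qname: str, qtype: int = 1) -> tuple:
    """Return (txid, wire_query) for a recursion-desired query (qtype 1 = A)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)   # QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; the sections after it are not needed here."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an}


def classify_response(txid: int, msg: bytes) -> str:
    """'open' if the server recursed and answered; 'refused' / 'closed' otherwise."""
    h = parse_header(msg)
    if h["id"] != txid or not h["qr"]:
        return "invalid"          # not a reply to our query (wrong id, or a query)
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open"             # RA advertised and an answer for an external name
    if h["rcode"] == RCODE_REFUSED:
        return "refused"          # the expected behaviour of an authoritative-only NS
    return "closed"               # no recursion performed (e.g. RA clear, empty answer)


def probe_nameserver(ns_ip: str, qname: str = "example.com", timeout: float = 3.0) -> str:
    """Send the probe to one of your nameservers over UDP/53 and classify its reply."""
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "closed"       # silence is not an open resolver
    return classify_response(txid, reply)


def constructed_reply(txid: int, ra: bool, ancount: int, rcode: int = RCODE_NOERROR) -> bytes:
    """Constructed sample reply header for offline testing (no question/answer bytes)."""
    flags = QR | RD | (RA if ra else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    txid, query = build_query("example.com")
    print("query bytes:", query.hex())
    print("open resolver  ->", classify_response(txid, constructed_reply(txid, True, 1)))
    print("authoritative  ->", classify_response(txid, constructed_reply(txid, False, 0, RCODE_REFUSED)))
```

A zone passes when every authoritative NS comes back as `refused` or `closed`; a single `open` result is the fail condition stated above.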
Zone Transfer (AXFR) Check
Pass if all nameservers refuse AXFR; fail if any allows it.
SPF Record Check
Pass if valid SPF record is present; fail if missing.
DMARC Record Check
Pass if valid DMARC record is present; fail if missing.
Wildcard Detection
Pass if no wildcard resolution; warn if wildcard detected.
MX Record Check
Pass if MX records are returned, or if the domain has no MX at all (common for non-mail domains; a null MX record is still recommended as an explicit declaration). Full detail: Scoring → DNS.
Findings & How to Fix Them
These are the specific findings RedScore may report for this category, along with remediation guidance.
dnssec_broken: Enable and validate DNSSEC at your DNS provider; ensure the DS and RRSIG/DNSKEY chain is consistent.
dnssec_missing: Enable and validate DNSSEC at your DNS provider; ensure the DS and RRSIG/DNSKEY chain is consistent.
dnssec_partial: DNSSEC signatures were detected but full chain validation was inconclusive. Verify the DS → DNSKEY → RRSIG chain with your registrar.