Is this DNS security checker free?

Yes, completely free with no signup required. You can check as many domains as you want.

How does the DNS security checker work?

The checker queries Cloudflare's DNS-over-HTTPS (DoH) API to retrieve DNS records for your domain. It runs 8 security tests covering DNSSEC, SPF, DMARC, CAA, nameserver redundancy, SOA configuration, MX records, and dangling CNAME detection. No traffic is sent to your servers — only DNS lookups are performed.

What is DNSSEC and why does it matter?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. Without DNSSEC, attackers can forge DNS responses to redirect users to malicious sites (DNS spoofing). With DNSSEC enabled, resolvers can verify that DNS responses haven't been tampered with.

What is a good DNS security grade?

Grades range from A+ to F across 13 levels. An A+ means all 8 tests pass with maximum scores — DNSSEC enabled, strict SPF and DMARC policies, CAA records set, and good nameserver redundancy. Anything below C indicates missing email authentication or other significant DNS security gaps.

Why are SPF and DMARC important?

SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication) prevent email spoofing. Without them, anyone can send emails pretending to be from your domain — enabling phishing attacks against your customers and partners. Together they tell receiving mail servers how to handle unauthorized emails.

What is a dangling CNAME?

A dangling CNAME is a DNS record that points to a target that no longer exists. Attackers can register the abandoned target and serve their own content on your domain — a vulnerability known as subdomain takeover. The checker detects this by resolving the CNAME target.

FreeDNS Security Checker

Analyze any domain's DNS security configuration and get an instant grade from A+ to F — covering DNSSEC, SPF, DMARC, CAA and more.

8 DNS Security Tests in Seconds

Enter a domain name. Get a full DNS security audit covering authentication, integrity, and resilience.

Instant A+ to F grade
DNSSEC validation check
Email spoofing detection (SPF + DMARC)
Dangling CNAME and subdomain takeover risk

🔒

DNSSEC

Cryptographic DNS authentication

✉

SPF + DMARC

Email authentication policies

📋

CAA Records

Certificate authority restrictions

⚠

Dangling CNAME

Subdomain takeover detection

Stop Email Spoofing Before It Starts

SPF and DMARC are your first line of defense against phishing. This checker tells you exactly where you stand.

SPF record validation and policy strength
DMARC policy check (none/quarantine/reject)
MX record validation
Clear remediation steps for each issue

Example Results

SPF Record +15

DMARC Record +15

DNSSEC -15

CAA Records -10

Full DNS Record Inspection

Beyond security tests, see all your DNS records in one place. A, AAAA, MX, NS, TXT, CAA, SOA, and CNAME records are displayed in a clean, copyable format.

All major DNS record types
TTL values and full record data
One-click copy for sharing
Queried via Cloudflare DoH for accuracy

Raw DNS Records

; A Records
example.com  300  IN  A  93.184.216.34

; MX Records
example.com  3600  IN  MX  10 mail.example.com

; TXT Records
example.com  3600  IN  TXT  v=spf1 -all

DNS Scan: —

Score: 0 / 100

Scan Time: —

Tests Passed: 0 / 0

Test	Score	Reason	Recommendation

What Is DNS Security?

DNS (Domain Name System) translates domain names into IP addresses. DNS security protects this process from manipulation, spoofing, and hijacking. Properly configured DNS records prevent email fraud, certificate mis-issuance, and subdomain takeover attacks. Our tests are based on NIST SP 800-81r3 recommendations and the relevant IETF standards for each protocol.

DNSSEC

+15 / -15

DNSSEC adds cryptographic signatures to DNS records. Resolvers verify signatures to ensure responses haven't been tampered with in transit. Without DNSSEC, attackers can forge DNS replies (cache poisoning) to redirect users to malicious servers. Enable it through your domain registrar and DNS provider.

Reference: RFC 4033, 4034, 4035 · NIST SP 800-81r3 §4

SPF

SPF Record

+15 / -15

Sender Policy Framework (SPF) is a TXT record that lists which servers are allowed to send email for your domain. Receiving mail servers check this record to decide whether to accept, reject, or flag incoming mail. Use "-all" (hard fail) for strict enforcement or "~all" (soft fail) during rollout.

Reference: RFC 7208

DMARC Record

+15 / -15

DMARC builds on SPF and DKIM to tell receiving servers what to do with unauthorized emails (none, quarantine, or reject). It also enables aggregate reporting so you can monitor who is sending email from your domain. Start with p=none for monitoring, then move to p=quarantine or p=reject.

Reference: RFC 7489

CAA

CAA Records

+10 / -10

Certificate Authority Authorization (CAA) records specify which CAs are allowed to issue TLS certificates for your domain. Without CAA records, any CA can issue a certificate, increasing the risk of unauthorized certificate issuance. Add records like: 0 issue "letsencrypt.org"

Reference: RFC 8659

Nameserver Redundancy

+10 / -5

Multiple nameservers across different providers protect against single points of failure. If one nameserver or provider experiences an outage, others continue serving DNS queries. Best practice is to have at least 2 nameservers from different networks or providers.

Reference: RFC 2182 · NIST SP 800-81r3 §5

SOA

SOA Configuration

+5 / -5

The Start of Authority record defines zone-level settings including refresh intervals, retry timing, expiration, and negative caching TTL. Misconfigured SOA values can cause slow propagation, excessive queries, or stale records. Follow RFC 1912 recommended values for reliable zone transfers.

Reference: RFC 1035, RFC 1912

MX Records

+10 / -10

Mail Exchanger records direct email to your mail servers. Multiple MX records with different priorities provide failover if the primary server is unavailable. Domains that don't send or receive email should still set a null MX record to explicitly signal this.

Reference: RFC 5321, RFC 7505 (Null MX)

Dangling CNAME

+10 / -25

A dangling CNAME points to a hostname that no longer resolves. If the target was a cloud service (S3, Azure, Heroku), an attacker can claim it and serve content on your domain. This enables phishing, cookie theft, and reputation damage. Regularly audit CNAME records and remove any pointing to decommissioned services.

Reference: RFC 1034 §3.6 · Hardenize: Dangling DNS Detection

Scoring Methodology

The score starts at 100 and is adjusted by modifiers from each of the 8 DNS security tests. Positive modifiers reward good configuration; negative modifiers penalize missing or weak settings. The final score maps to a 13-grade scale from A+ to F. Test selection and weights are based on NIST SP 800-81r3 deployment recommendations and the relevant IETF RFCs for each protocol. Scoring approach inspired by internet.nl, the open-source internet standards compliance test suite.

Test	Pass	Fail	Weight
DNSSEC	+15	-15	High
SPF Record	+15	-15	High
DMARC Record	+15	-15	High
CAA Records	+10	-10	Medium
MX Records	+10	-10	Medium
Nameserver Redundancy	+10	-5	Medium
SOA Configuration	+5	-5	Low
Dangling CNAME	+10	-25	Critical

Standards & References

Each test in this checker maps to one or more published standards. We follow the security recommendations from NIST and validate against the IETF specifications that define each protocol.

NIST SP 800-81r3 — Secure DNS Deployment Guide (2025)

DNSSEC RFC 4033, 4034, 4035 — DNS Security Extensions

SPF RFC 7208 — Sender Policy Framework

DMARC RFC 7489 — DMARC

CAA RFC 8659 — CA Authorization Records

MX RFC 5321, RFC 7505 — SMTP & Null MX

SOA RFC 1035, RFC 1912 — DNS Operations

Scoring Inspired by internet.nl (open source)

Check Your HTTP Security Headers Too

DNS is one layer. HTTP security headers protect against XSS, clickjacking, and protocol downgrade attacks. Run both checks for a complete picture of your web security posture.

Check Security Headers