Zone Hygiene

GET /v1/dns/zone-hygiene

Single-call DNS health audit that fans out to nine independent checks and aggregates them into a weighted score. In one request: nameserver redundancy (RFC 1034), SOA-serial consistency across resolvers, SOA-field validation against RIPE-203 bounds (refresh/retry/expire/minimum), wildcard detection, exposure of sensitive subdomains (admin., vpn., kibana., jenkins., etc.), open-resolver detection on every NS, DNSSEC posture (cryptographic verification of the RRSIG/DNSKEY chain per RFC 4034 and RFC 4035, including NSEC3 parameter compliance with RFC 9276; see /v1/dns/dnssec), CAA presence (RFC 8659), and zone-transfer / AXFR exposure (RFC 5936). Each check contributes to a weighted 0–100 hygiene score and a letter grade (A–F).

What It Does

Enumerates the authoritative nameservers, then runs nine checks in parallel:

1. NS redundancy (RFC 1034).
2. SOA-serial consistency: the SOA is fetched through multiple resolvers, and any serial drift means replication between primary and secondaries is failing silently. A mismatch seen through recursive resolvers can also be cache age rather than replication lag, so confirm against the authoritative NSes directly before treating it as a replication fault.
3. SOA-field validation per RIPE-203 (refresh ≥ 24h, retry ≥ 2h, expire ≥ 14d, minimum ≤ 24h).
4. Wildcard probe at the apex.
5. Sensitive-subdomain probe, filtered against the wildcard's IPs so a catch-all wildcard does not produce false positives.
6. Open-resolver test: sends `dig +rd @<ns> a.root-servers.net` to each NS and flags any that return a recursive (non-authoritative) answer for a name it does not serve. Such an NS is usable as a reflection-amplification source.
7. DNSSEC analysis with cryptographic verification.
8. CAA cross-reference.
9. Zone-transfer (AXFR) check.

Returns a `composite` block with the cross-endpoint signals, a `checks[]` array (one entry per check area with check, passed, severity_max and finding_count), a weighted `hygiene_score` (0–100), and a letter `hygiene_grade`.
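Checks 2 and 3 above, written out as an added example (this is not the endpoint's own implementation). The bounds are the ones this page states for RIPE-203 (refresh ≥ 24h, retry ≥ 2h, expire ≥ 14d, minimum ≤ 24h), the output mirrors the `soa_consistency`, `soa_field_validation` and `soa_drift_detected` response fields, and the per-resolver SOA answers are constructed sample data rather than live lookups. A resolver that errored is recorded but excluded from the drift comparison, so one unreachable resolver does not masquerade as replication lag.

```python
"""SOA-serial consistency and SOA-field validation (added example, not the API's code).

Bounds are the page's stated RIPE-203 bounds; resolver answers below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

HOUR = 3600
DAY = 86400

# (recommended_min, recommended_max) in seconds; None means unbounded on that side.
SOA_BOUNDS = {
    "refresh": (24 * HOUR, None),
    "retry": (2 * HOUR, None),
    "expire": (14 * DAY, None),
    "minimum": (None, 24 * HOUR),
}


@dataclass
class SoaAnswer:
    """What one resolver returned for the apex SOA (error set if the query failed)."""
    resolver: str
    serial: Optional[int]
    primary_ns: str = ""
    rname: str = ""
    refresh: Optional[int] = None
    retry: Optional[int] = None
    expire: Optional[int] = None
    minimum: Optional[int] = None
    error: Optional[str] = None


def validate_soa_fields(soa: SoaAnswer):
    """One entry per timer field, in the shape of the soa_field_validation response field."""
    results = []
    for field, (lo, hi) in SOA_BOUNDS.items():
        value = getattr(soa, field)
        if value is None:
            status = "unknown"          # no SOA data (query failed), nothing to judge
        elif lo is not None and value < lo:
            status = "too_low"
        elif hi is not None and value > hi:
            status = "too_high"
        else:
            status = "ok"
        results.append({"field": field, "value": value, "recommended_min": lo,
                        "recommended_max": hi, "status": status})
    return results


def check_soa_consistency(answers):
    """Compare the SOA serial seen through each resolver.

    Resolvers that errored are kept in the per-resolver map (so the report shows
    them) but do not contribute a serial, so they cannot trigger false drift.
    """
    per_resolver = {}
    serials = set()
    for a in answers:
        per_resolver[a.resolver] = {
            "serial": a.serial, "primary_ns": a.primary_ns, "rname": a.rname,
            "refresh": a.refresh, "retry": a.retry, "expire": a.expire,
            "minimum": a.minimum, "error": a.error,
        }
        if a.error is None and a.serial is not None:
            serials.add(a.serial)
    return {
        "soa_consistency": {**per_resolver, "unique_serials": sorted(serials)},
        "soa_drift_detected": len(serials) > 1,
    }


# Constructed sample: the secondary reached via 9.9.9.9 still serves yesterday's serial,
# and a fourth resolver timed out. Timers are deliberately below the page's bounds.
SAMPLE_ANSWERS = [
    SoaAnswer("1.1.1.1", 2024031502, "ns1.example.com.", "hostmaster.example.com.",
              refresh=7200, retry=900, expire=1209600, minimum=300),
    SoaAnswer("8.8.8.8", 2024031502, "ns1.example.com.", "hostmaster.example.com.",
              refresh=7200, retry=900, expire=1209600, minimum=300),
    SoaAnswer("9.9.9.9", 2024031501, "ns1.example.com.", "hostmaster.example.com.",
              refresh=7200, retry=900, expire=1209600, minimum=300),
    SoaAnswer("203.0.113.53", None, error="timeout"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(check_soa_consistency(SAMPLE_ANSWERS), indent=2))
    print(json.dumps(validate_soa_fields(SAMPLE_ANSWERS[0]), indent=2))
```

Drift is reported on the set of distinct serials, not on ordering: serials wrap under RFC 1982 arithmetic, so "which one is behind" is a separate question from "do they disagree".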

Why It's Useful

The natural top-of-funnel question, "audit my DNS in one call", should not require knowing about and orchestrating seven separate endpoints. Competitors lead with this exact shape (intoDNS, nslookup.io DNS Health's 39 checks, dnsviz). The composite turns "audit your DNS" from a workflow into a single API call with a single score. The open-resolver check alone catches one of the most common high-impact misconfigurations (an authoritative NS that also recurses for arbitrary clients turns the customer's own nameservers into reflection-amplification sources), and most DNS-health tools don't test it. SOA-field validation against RIPE-203 catches replication problems before they cause an outage.

Use Cases

DNS Administrator

Single-call DNS health audit

Replace seven separate API calls (dnssec, caa, zone-transfer, nsec-walkability, ns, mx, sensitive-subdomain enumeration) with one composite request. The endpoint fans out to nine independent checks in parallel, aggregates a weighted hygiene score (0–100), and returns a letter grade (A–F) alongside per-area pass/fail summaries in `checks[]`.

The natural top-of-funnel question — "audit my DNS in one call" — finally has a one-call answer.

Platform / SRE

CI / pre-deploy gate

Block deploys (or fail a pre-flight job) when the hygiene score drops below a threshold. A grade regression from A to C between two runs almost always indicates a real configuration change (an expired RRSIG, an NS rebuilt with recursion left enabled, a leaked sensitive subdomain) and is caught before users see the impact.

Catches DNS regressions inside the deploy pipeline rather than via a customer support ticket two days later.
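An added example of the pre-deploy gate described above (not the endpoint's own tooling). It evaluates a zone-hygiene response in the shape of the Response Fields table: a score below threshold, any failed hard-fail check area, or a grade regression against the previous run fails the job, and the newly failing check areas are named so the failure is actionable. The two response documents are constructed samples, not output captured from the API; the choice of `open_resolver` and `zone_transfer` as hard-fail areas is this example's policy, not something the page prescribes.

```python
"""Pre-deploy gate over a zone-hygiene response (added example, not the API's tooling).

Usage: gate.py current.json [previous.json]; exits 1 when the gate fails.
The sample reports below are constructed for the example.
"""
import json
import sys

GRADE_ORDER = "FDCBA"  # index grows with quality, so 'A' outranks 'C'
SCORE_TO_GRADE = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))  # thresholds from this page

# Example policy: these areas block a deploy regardless of the aggregate score,
# because an open recursor or an open AXFR is exploitable on its own.
HARD_FAIL_CHECKS = frozenset({"open_resolver", "zone_transfer"})


def grade_for(score):
    """Letter grade from the documented thresholds (F below 60)."""
    for floor, letter in SCORE_TO_GRADE:
        if score >= floor:
            return letter
    return "F"


def failed_checks(report):
    return {c["check"] for c in report["checks"] if not c["passed"]}


def diff_checks(previous, current):
    """(newly failing, newly passing) check areas between two runs."""
    before, after = failed_checks(previous), failed_checks(current)
    return sorted(after - before), sorted(before - after)


def evaluate_gate(report, previous=None, min_score=80, hard_fail=HARD_FAIL_CHECKS):
    """Return (ok, reasons). Every reason is collected, not just the first one hit."""
    reasons = []
    score, grade = report["hygiene_score"], report["hygiene_grade"]
    if grade != grade_for(score):  # self-inconsistent response: do not trust it
        reasons.append(f"grade {grade} does not match score {score}")
    if score < min_score:
        reasons.append(f"hygiene_score {score} is below threshold {min_score}")
    for name in sorted(failed_checks(report) & hard_fail):
        reasons.append(f"hard-fail check area {name} did not pass")
    if previous is not None:
        prev_grade = previous["hygiene_grade"]
        if GRADE_ORDER.index(grade) < GRADE_ORDER.index(prev_grade):
            newly_failing, _ = diff_checks(previous, report)
            reasons.append(f"grade regressed from {prev_grade} to {grade}; "
                           f"newly failing: {newly_failing}")
    return (not reasons, reasons)


def _check(name, passed, severity_max="info", finding_count=0):
    return {"check": name, "passed": passed, "severity_max": severity_max,
            "finding_count": finding_count}


AREAS = ["nameserver_redundancy", "soa_drift", "soa_fields", "wildcard",
         "sensitive_subdomains", "open_resolver", "dnssec", "caa", "zone_transfer"]

# Constructed: yesterday's clean run.
PREVIOUS_RUN = {"domain": "example.com", "hygiene_score": 100, "hygiene_grade": "A",
                "checks": [_check(a, True) for a in AREAS]}

# Constructed: today's run after one NS was rebuilt with recursion left enabled.
# One critical finding costs 30 points under the documented weighting: 70, grade C.
CURRENT_RUN = {"domain": "example.com", "hygiene_score": 70, "hygiene_grade": "C",
               "checks": [_check(a, a != "open_resolver",
                                 "critical" if a == "open_resolver" else "info",
                                 1 if a == "open_resolver" else 0) for a in AREAS]}


def main(argv):
    with open(argv[1]) as f:
        current = json.load(f)
    previous = None
    if len(argv) > 2:
        with open(argv[2]) as f:
            previous = json.load(f)
    ok, reasons = evaluate_gate(current, previous)
    for r in reasons:
        print("GATE:", r)
    return 0 if ok else 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    print(evaluate_gate(CURRENT_RUN, PREVIOUS_RUN))  # run the constructed sample
```

Store each run's JSON as a build artifact; the previous artifact is what gives the regression check its baseline, and the `findings` and `recommendations` arrays in the same document tell the on-call engineer what actually changed.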

Network Security Engineer

Open-resolver and SOA-drift detection

The composite probes each authoritative NS for open-recursion behavior (an NS that also recurses for arbitrary clients can be used as a reflection-amplification source) and queries the SOA through multiple resolvers to detect serial drift between primary and secondary nameservers. Both are silent failure modes that don't surface in normal DNS queries: the zone keeps resolving while a secondary serves stale data or an NS absorbs reflection traffic. A serial mismatch seen through recursive resolvers can also be cache age rather than replication lag, so confirm against the authoritative NSes directly before paging someone.

Surfaces two classes of high-impact misconfiguration that most DNS tooling skips entirely.
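The open-recursion probe this use case describes, as an added example (not the endpoint's own code). Using only the standard library it builds the same kind of query as `dig +rd @<ns> a.root-servers.net` and classifies the reply from its header flags: an authoritative-only server should answer REFUSED for a name it does not serve, while NOERROR with AA=0 and a populated answer section means the server looked the name up on behalf of an arbitrary client. The two reply byte strings are constructed for the example, not captured from a real server; `probe()` sends the real query over UDP and is the only part that needs network access.

```python
"""Open-recursion probe of an authoritative nameserver (added example, not the API's code).

The reply byte strings below are constructed; probe() performs the live UDP query.
"""
import socket
import struct

QID = 0x1234


def build_query(qname, qid=QID, rd=True):
    """Wire-format A/IN query. RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_reply(reply, qid=QID):
    """Classify a reply to an RD=1 query for a name this server is not authoritative for."""
    if len(reply) < 12:
        return {"status": "malformed", "is_open_resolver": False}
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid:
        return {"status": "id_mismatch", "is_open_resolver": False}
    qr = bool(flags & 0x8000)       # must be a response
    aa = bool(flags & 0x0400)       # authoritative answer
    ra = bool(flags & 0x0080)       # server advertises recursion
    rcode = flags & 0x000F
    if not qr:
        return {"status": "malformed", "is_open_resolver": False}
    # Non-authoritative data for a foreign name: the server recursed (or served its
    # cache) for an unauthenticated client. That is the reflection-amplification case.
    is_open = rcode == 0 and ancount > 0 and not aa
    if is_open:
        status = "open_resolver"
    elif rcode == 5:
        status = "refused"          # REFUSED: the expected authoritative-only behaviour
    else:
        status = "closed"           # e.g. NOERROR with an empty answer, or SERVFAIL
    return {"status": status, "is_open_resolver": is_open, "aa": aa, "ra": ra,
            "rcode": rcode, "ancount": ancount}


def probe(ns_ip, qname="a.root-servers.net", timeout=3.0):
    """Send the probe over UDP (network access; not exercised by the samples below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (ns_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"status": "timeout", "is_open_resolver": False}
    return classify_reply(data)


# Constructed replies to build_query("a.root-servers.net"): the question section is
# echoed back; the open case adds one A record (compression pointer 0xc00c to the
# question name, 198.41.0.4 being a.root-servers.net's published IPv4 address).
_QUESTION = build_query("a.root-servers.net")[12:]
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([198, 41, 0, 4])
# flags 0x8180: QR=1 RD=1 RA=1, AA=0, NOERROR; ANCOUNT=1 -> the server recursed for us.
OPEN_REPLY = struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER
# flags 0x8105: QR=1 RD=1, RA=0, RCODE=5 (REFUSED) -> authoritative-only behaviour.
REFUSED_REPLY = struct.pack("!HHHHHH", QID, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for name, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        print(name, classify_reply(reply))
```

The decision is made on AA and the answer count, not on the RA bit alone: some servers advertise RA while still refusing, and a cache-serving server can hand out non-authoritative data with RA clear, which is just as usable by an attacker.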

Compliance Officer

Compliance evidence collection

Run on a schedule against the entire domain portfolio. The composite produces dated, structured audit evidence covering DNSSEC posture (with cryptographic verification), CAA plus Certificate Transparency cross-reference, AXFR exposure, NSEC3 RFC 9276 compliance, and SOA-field validation against RIPE-203: the major DNS-security controls auditors expect to see documented.

A single dated JSON snapshot per domain replaces a manual evidence-collection workflow that typically takes hours per scope.

Parameters

Name    Type    Required  Description
domain  string  Required  The zone apex to audit (e.g., example.com). Example: example.com

Response Fields

Field                    Type     Description
domain                   string   The audited zone
nameservers              array    Authoritative nameservers
soa_consistency          object   Per-resolver SOA: serial, primary_ns, rname, refresh, retry, expire, minimum, error. Plus an aggregate `unique_serials` array.
soa_field_validation     array    Per-field SOA validation against RIPE-203 bounds: { field, value, recommended_min, recommended_max, status }, where status is "ok", "too_low", "too_high", or "unknown"
soa_drift_detected       boolean  Whether more than one SOA serial was observed across resolvers
wildcard_detected        boolean  True when the apex has a wildcard DNS record. Sensitive-subdomain results are filtered to those whose IPs differ from the wildcard's, so genuine subdomains still surface. For a CNAME-based wildcard there are no IPs to filter on; the limitations array records that skip path.
wildcard_ips             array    IPs returned by the wildcard probe; empty for CNAME-based wildcards
exposed_subdomains       array    Sensitive subdomain names that resolve publicly with non-wildcard IPs. Each entry: name, ips[], record_type, cname_target.
exposed_count            number   Count of exposed sensitive subdomains
open_resolver_check      array    Per-NS open-resolver result: nameserver, ip, is_open_resolver, status. An open recursor is a reflection-amplification vector; recursion should be disabled on authoritative servers.
open_resolvers_detected  number   Number of NSes acting as open recursive resolvers
checks                   array    Per-area check summary: { check, passed, severity_max, finding_count }. Areas: nameserver_redundancy, soa_drift, soa_fields, wildcard, sensitive_subdomains, open_resolver, dnssec, caa, zone_transfer.
composite                object   Cross-endpoint signals: { dnssec_status, has_caa, caa_unauthorized_ct_issuers[], zone_transfer_vulnerable, nsec3_compliant }
hygiene_score            number   Weighted 0–100 score; points are deducted per finding by severity (critical=30, high=18, medium=8, low=3). Drives the letter grade.
hygiene_grade            string   Letter grade derived from hygiene_score: A (≥90), B (≥80), C (≥70), D (≥60), F (<60)
findings                 array    Human-readable findings with severity (critical | high | medium | low | info)
recommendations          array    Concrete remediation steps
limitations              array    Caveats about the analysis (e.g., the CNAME-wildcard skip path)

Code Examples

cURL
# -G sends the --data-urlencode field as a GET query string; a bare -d would turn the request into a POST
curl -G "https://api.edgedns.dev/v1/dns/zone-hygiene" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "domain=example.com"
JavaScript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/zone-hygiene?domain=' + encodeURIComponent('example.com'),
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);

if (!response.ok) {
  // fail loudly on 4xx/5xx instead of treating an error body as a report
  throw new Error(`zone-hygiene request failed: ${response.status}`);
}

const data = await response.json();
console.log(data);
Python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/zone-hygiene',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={'domain': 'example.com'},
    timeout=30,
)
response.raise_for_status()  # fail loudly on 4xx/5xx instead of parsing an error body

data = response.json()
print(data)
