DNS Security Vulnerability Assessment
Test for zone transfer leaks, DNS rebinding, wildcard abuse, and DNSSEC gaps
DNS is the attack vector most vulnerability assessments under-test. Open zone transfers expose the full record set in one AXFR request; DNS rebinding bypasses same-origin policies; missing DNSSEC enables cache poisoning; absent CAA records let any CA issue under your brand; wildcard records mask subdomain takeovers. EdgeDNS runs the specialized probes for each of these in a single workflow, with real cryptographic DNSSEC verification rather than presence-only checks. Start free on EdgeDNS — 200 requests/month, no credit card required.
The Challenge
DNS security is frequently neglected in vulnerability assessments — yet five high-impact misconfigurations sit one DNS query away: open zone transfers (AXFR), [DNS rebinding](/guides/dns-rebinding) (same-origin bypass), missing [DNSSEC](/guides/dnssec-cryptographic-verification), absent CAA, and wildcards that mask [subdomain takeover risk](/guides/how-to-detect-subdomain-takeover). Generic vulnerability scanners detect none of these reliably, and manual checks across a portfolio don't scale. Ask your AI: *"Run a full DNS-security audit on acme.com — zone transfer, rebinding, DNSSEC, CAA, wildcards — and rank findings by severity."*
The Solution
Run comprehensive DNS security assessments using EdgeDNS specialized endpoints. The `/v1/dns/zone-hygiene` composite runs nine independent checks in a single call — DNSSEC ([RFC 4034](https://datatracker.ietf.org/doc/rfc4034/)) with cryptographic verification, CAA ([RFC 8659](https://datatracker.ietf.org/doc/rfc8659/)), AXFR ([RFC 5936](https://datatracker.ietf.org/doc/rfc5936/)), NSEC3 ([RFC 9276](https://datatracker.ietf.org/doc/rfc9276/)), open-resolver detection, SOA-field validation against [RIPE-203](https://www.ripe.net/publications/docs/ripe-203/), wildcard, and sensitive-subdomain exposure — and aggregates a weighted hygiene score. For specialized assessments, dedicated endpoints test rotation-based DNS rebinding (real same-origin bypass, not just static private IPs), fast-flux detection that distinguishes botnets from CDNs via ASN diversity ([Holz et al. NDSS](https://www.ndss-symposium.org/wp-content/uploads/2017/09/Measuring-and-Detecting-Fast-Flux-Service-Networks-paper-Thorsten-Holz.pdf)) and double-flux NS-rotation ([MITRE T1568.001](https://attack.mitre.org/techniques/T1568/001/)), wildcard probes for MX/TXT (subdomain takeover risk), and NSEC walking demonstrations.
Endpoints Used
Combine these EdgeDNS endpoints to build this solution.
- `/v1/dns/zone-hygiene` (Zone Hygiene, composite): Single-call DNS health audit aggregating DNSSEC, CAA, AXFR, NSEC3, open-resolver, SOA, and subdomain-exposure checks with a weighted hygiene score
- `/v1/dns/zone-transfer` (Zone Transfer Test): Real AXFR (RFC 5936) attempts with record-type breakdown and provider-keyed remediation snippets (BIND, PowerDNS, NSD, Knot)
- `/v1/dns/nsec-walkability` (NSEC Walkability): RFC 9276 compliance check; demonstrates legacy-NSEC walkability with a sample of enumerated names
- `/v1/dns/rebinding` (DNS Rebinding Check): Multi-query rotation test (the actual rebinding signature) plus per-resolver RFC 6303 filtering visibility; answers "are my users exposed?" depending on which resolver they use
- `/v1/dns/fast-flux` (Fast-Flux Detection): ASN diversity (Holz AS-fraction), CDN allowlist downgrade, residential-PTR detection, and double-flux NS rotation per MITRE T1568.001
- `/v1/dns/wildcard` (Wildcard Detection): A/AAAA/CNAME/MX/TXT wildcards plus subdomain-takeover correlation against 35+ third-party services (GitHub Pages, Vercel, Firebase, Heroku, AWS S3, Azure, Fastly, Netlify, etc.)
- `/v1/dns/dnssec` (DNSSEC Validation): Cryptographic verification per RFC 4034 (DS digest match, RRSIG signature verification with RSA-SHA256/512, ECDSA P-256/P-384, Ed25519)
- `/v1/dns/caa` (CAA Records): CAA policy plus Certificate Transparency cross-reference; detects mis-issuance by CAs not in the allowlist
Results You Can Achieve
One call, nine independent DNS checks
The zone-hygiene composite endpoint runs DNSSEC, CAA, AXFR, NSEC3, open-resolver, SOA-field validation, wildcard, sensitive-subdomain, and nameserver-redundancy checks in parallel and returns a weighted hygiene score (0–100) plus a letter grade. Replaces the workflow of orchestrating seven separate endpoints.
Real cryptographic DNSSEC verification
Computes DS digests and verifies RRSIG signatures locally with Web Crypto — detecting the most common DNSSEC misconfiguration (KSK rolled, DS not updated at registrar) with a concrete remediation message.
Fast-flux detection that distinguishes botnets from CDNs
ASN diversity (Holz AS-fraction), known-CDN allowlist, residential-PTR signature, and double-flux NS rotation. Eliminates the false positives that plague naive fast-flux tooling.
Open-resolver detection on every nameserver
Catches NSes accidentally configured as open recursive resolvers — a top-five misconfiguration that turns customer infrastructure into reflection-amplification weapons.
Code Example
DNS security vulnerability scan
```javascript
async function dnsSecurityScan(domain) {
  const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };
  const base = 'https://api.edgedns.dev/v1/dns';
  // URL-encode the domain instead of interpolating raw input into the query string.
  const q = encodeURIComponent(domain);
  // The five checks are independent, so issue them concurrently.
  const [zoneTransfer, rebinding, wildcard, dnssec, caa] = await Promise.all([
    fetch(`${base}/zone-transfer?domain=${q}`, { headers }),
    fetch(`${base}/rebinding?domain=${q}`, { headers }),
    fetch(`${base}/wildcard?domain=${q}`, { headers }),
    fetch(`${base}/dnssec?domain=${q}`, { headers }),
    fetch(`${base}/caa?domain=${q}`, { headers }),
  ].map(p => p.then(r => {
    // Fail on auth, quota or server errors rather than reading fields off an error body.
    if (!r.ok) throw new Error(`EdgeDNS returned HTTP ${r.status} for ${r.url}`);
    return r.json();
  })));
  const findings = [];
  // AXFR open to anyone: the whole zone is readable in one request.
  if (zoneTransfer.data.is_vulnerable) {
    findings.push({
      severity: 'critical',
      finding: 'Zone transfer allowed - full DNS zone exposed',
      remediation: 'Restrict AXFR to authorized secondary nameservers only'
    });
  }
  // Rotation-based rebinding: the name flips between public and internal addresses.
  if (rebinding.data.is_vulnerable) {
    findings.push({
      severity: 'high',
      finding: 'DNS rebinding vulnerability detected',
      remediation: 'Implement DNS pinning and validate Host headers'
    });
  }
  // A wildcard answers for every unclaimed name, so dangling records are harder to spot.
  if (wildcard.data.has_wildcard) {
    findings.push({
      severity: 'medium',
      finding: 'Wildcard DNS record detected - may mask subdomain takeover',
      remediation: 'Review wildcard necessity and monitor subdomain claims'
    });
  }
  if (!dnssec.data.has_dnssec) {
    findings.push({
      severity: 'medium',
      finding: 'DNSSEC not enabled - vulnerable to cache poisoning',
      remediation: 'Enable DNSSEC signing at your DNS provider'
    });
  }
  // No CAA RRset means any CA may issue for the domain.
  if (!caa.data.records || caa.data.records.length === 0) {
    findings.push({
      severity: 'low',
      finding: 'No CAA records - any CA can issue certificates',
      remediation: 'Add CAA records to restrict certificate issuance'
    });
  }
  // Overall level: 'critical' if any critical finding exists, otherwise 'moderate'.
  return { domain, findings, riskLevel: findings.some(f => f.severity === 'critical') ? 'critical' : 'moderate' };
}
```
Learn More
Explore industry standards and best practices related to this use case.
- NIST SP 800-81-2: Secure DNS Deployment Guide: NIST's comprehensive guide for secure DNS deployment covering DNSSEC, zone transfers, and best practices
- RFC 4033 - DNS Security Introduction (DNSSEC): IETF specification introducing the DNS Security Extensions and their threat model
- OWASP Web Security Testing Guide: Comprehensive web security testing methodology including DNS-related vulnerability testing
Ready to build DNS Security Vulnerability Assessment?
Get started with 200 free API requests per month. No credit card required.