com.blackveilsecurity/dns
com.blackveilsecurity/dnsDNS and email security scanner with 78 MCP tools for SPF, DMARC, DNSSEC, SSL, and brand audits.
Tools · 77
Look up MX records for a domain. Shows mail servers, email provider detection, and validates configuration. Part of the scan_domain audit.
Look up and validate SPF record for a domain. Shows authorized senders, syntax issues, and trust surface. Part of the scan_domain audit.
Look up and validate DMARC record for a domain. Shows policy enforcement, alignment mode, and reporting config. Part of the scan_domain audit.
Look up DKIM records for a domain. Probes common selectors and validates key strength and algorithm. Part of the scan_domain audit.
Check DNSSEC status for a domain. Verifies DNSKEY/DS records and validation chain. Part of the scan_domain audit.
Check SSL/TLS certificate for a domain. Shows issuer, expiry, protocol versions, and HTTPS configuration. Part of the scan_domain audit.
Validate MTA-STS SMTP encryption policy. Part of the scan_domain audit.
Look up NS (nameserver) records for a domain. Shows DNS provider, delegation, and redundancy. Part of the scan_domain audit.
Look up CAA records for a domain. Shows which Certificate Authorities are authorized to issue certificates. Part of the scan_domain audit.
Validate BIMI record and VMC evidence. Part of the scan_domain audit.
Validate TLS-RPT SMTP failure reporting. Part of the scan_domain audit.
Audit HTTP security headers (CSP, COOP, etc.). Part of the scan_domain audit.
Verify DANE/TLSA certificate pinning. Part of the scan_domain audit.
Verify DANE certificate pinning for HTTPS via TLSA records at _443._tcp.{domain}. Part of the scan_domain audit.
Validate HTTPS/SVCB records (RFC 9460) for modern transport capability advertisement. Part of the scan_domain audit.
Detect active typosquat/lookalike domains. Standalone.
Detect SubdoMailing risk by analyzing SPF include chain for takeover-vulnerable domains. Part of the scan_domain audit.
Runs a full DNS and email security audit for a domain, aggregating every scan-included check in parallel: SPF, DKIM, DMARC, DNSSEC, TLS/SSL, MTA-STS, CAA, BIMI, subdomain takeover, and more. Returns a…
Scan up to 10 domains at once. Returns score, grade, and finding counts per domain.
Side-by-side security comparison of 2–5 domains. Shows scores, category gaps, and unique weaknesses.
Compare domain security against a policy baseline.
Find TLD variants with email auth gaps. Standalone.
Audit TXT records for stale entries and SaaS exposure.
Check MX blocklist status and reverse DNS.
Probe SRV records for service footprint.
Audit SOA propagation and sensitive subdomains.
Generate prioritized remediation plan with effort estimates.
Generate corrected SPF record from detected providers.
Generate DMARC record with configurable policy.
Generate DKIM setup instructions and DNS record.
Generate MTA-STS record and policy file.
Get score benchmarks: percentiles, mean, top failures.
Get provider cohort benchmarks and common issues.
Composite email spoofability score (0-100).
Check DNS consistency across 4 public resolvers.
Explain a finding with impact and remediation.
Map third-party service dependencies from DNS records. Correlates SPF, NS, TXT verifications, SRV services, and CAA to show who can send as you, control your DNS, and what services are integrated.
Compare current security posture against a previous baseline. Shows what improved, regressed, or changed.
Re-check a specific control after applying a fix. Confirms whether the finding is resolved.
Generate a phased DMARC enforcement timeline with exact DNS records per phase.
Trace the full SPF include chain for a domain. Recursively resolves all includes, shows lookup count, tree depth, and flags circular includes or exceeding the 10-lookup limit.
Find subdomains of a domain using Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance.
Map scan findings to compliance frameworks: NIST 800-177, PCI DSS 4.0, SOC 2, CIS Controls. Shows pass/fail/partial status per control.
Analyze current DNS posture and enumerate specific attack paths an adversary could exploit, with severity, feasibility, steps, and mitigations.
Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes.
Check MX server IP reputation against 8 DNS-based Real-time Blocklists (Spamhaus ZEN, SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Resolves MX hosts to IPs first.
Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-risk hosting ASNs.
Fetch domain registration data via RDAP (modern WHOIS replacement). Returns registrar, creation/expiration dates, EPP status, registrant info, and domain age.
Check a domain against BlackVeil real-time threat intelligence (curated intel-gateway feed). Distinct from DNSBL checks. Operator-deploy only; degrades to info when unprovisioned.
Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags.
Walk the DNSSEC chain of trust from root to target domain. Reports DS/DNSKEY records, algorithm usage, and linkage status at each zone level.
Detect fast-flux DNS behavior by performing multiple rounds of A/AAAA queries with delays. Compares IP answer sets and TTLs across rounds to identify rotating infrastructure.
Sweep an explicit subdomain list (or a built-in 15-name list of common labels) for dangling CNAMEs and provider-deprovisioned takeover fingerprints. Pair with discover_subdomains for full-inventory co…
Check authoritative DNS infrastructure posture for a hostname. Uses BV_INFRA_PROBE when available for raw DNS, routing, RPKI, and vantage-point evidence.
Check the DNS root server set against official root hints, root glue, delegation, serial, and DNSKEY cross-root evidence.
Find a brand's hidden domain portfolio with standard or deep discovery by aggregating certificate, DNS, mail-policy, redirect, TXT verification, MX platform, and candidate-seeding signals. Returns ran…
Run a full brand audit on a single target with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Discovers brand-related domains, looks up registrar + regis…
Enqueue an async brand audit across up to 50 target domains with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Returns { auditId, queuedAt, targetCount,…
Poll the status of an enqueued brand audit. Returns audit-level status (queued | running | completed | failed), progress 'N/M', and per-target statuses. Owner-scoped — auditIds owned by other principa…
Fetch the result JSON for a completed brand audit. With `target` set, returns the per-target CheckResult; without, returns the audit-level aggregate. Returns notReady when polling an in-flight audit. …
Returns the caller's recurring brand-audit watches: watchId, domain, interval, webhook presence, last-run time, and active state. Owner-scoped. Read-only.
Creates a recurring brand-audit watch for a domain on a daily/weekly/monthly cadence. Each run enqueues a fresh brand_audit_batch_start and (when a webhook is configured) POSTs a diff webhook on class…
Permanently removes a recurring brand-audit watch by watchId. Owner-scoped — a watchId owned by another principal surfaces as notFound. Returns confirmation of deletion.
Start an async cloud-bucket discovery scan for a target domain. Operator-deploy only; degrades to info when unprovisioned. Returns a scanId immediately — poll progress with scan_buckets_status and ret…
Poll the status of a cloud-bucket discovery scan by scanId. Operator-deploy only; degrades to info when unprovisioned. Returns scan status (running | completed | failed) and progress metadata.
Retrieve findings from a completed cloud-bucket discovery scan. Operator-deploy only; degrades to info when unprovisioned. Optionally scoped to a specific scanId; omit to retrieve the most recent find…
Start an async OSINT investigation for a domain. Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status and retrieve r…
Start an async deep-infrastructure OSINT investigation for a query (domain, IP, or org). Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with o…
Start an async supply-chain OSINT investigation for a query. Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status.
Start an async OSINT investigation for a username (cross-platform presence, breach correlation). Owner/enterprise tier only — people-centric OSINT is restricted to prevent misuse. Returns an investiga…
Start an async OSINT investigation for an email address (breach exposure, account correlation). Owner/enterprise tier only — people-centric OSINT is restricted to prevent misuse. Returns an investigat…
Poll the status of an OSINT investigation by investigationId. Operator-deploy only; degrades to info when unprovisioned. Returns current status (running | completed | failed) and progress metadata.
Retrieve the final report of a completed OSINT investigation by investigationId. Operator-deploy only; degrades to info when unprovisioned or not yet complete.
Query Microsoft Entra sign-in logs for a tenant. Optionally filter by user principal name, failure status, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when …
Query the Microsoft 365 Unified Audit Log for a tenant. Optionally filter by operation type, user, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when absent.
Retrieve Conditional Access policies for a Microsoft Entra tenant. Requires m365Proxy service binding; returns { unprovisioned: true } when absent.
Assess Conditional Access coverage gaps for a Microsoft Entra tenant — identifies users and apps not protected by any enforced policy. Requires m365Proxy service binding; returns { unprovisioned: true…
Similar MCP servers embedding-nearest
How to use
Add to your Claude Desktop / Cursor / Cline MCP config:
{
"mcpServers": {
"com.blackveilsecurity/dns": {
"url": "https://dns-mcp.blackveilsecurity.com/mcp",
"transport": "streamable-http"
}
}
}