Skip to content
Back to search
100
MCP live v3.3.3 streamable-http

com.blackveilsecurity/dns

com.blackveilsecurity/dns

DNS and email security scanner with 78 MCP tools for SPF, DMARC, DNSSEC, SSL, and brand audits.

Uptime
30.6%
36 probes
Response
746ms
last probe
Tools
77
callable

Tools · 77

check_mx

Look up MX records for a domain. Shows mail servers, email provider detection, and validates configuration. Part of the scan_domain audit.

check_spf

Look up and validate SPF record for a domain. Shows authorized senders, syntax issues, and trust surface. Part of the scan_domain audit.

check_dmarc

Look up and validate DMARC record for a domain. Shows policy enforcement, alignment mode, and reporting config. Part of the scan_domain audit.

check_dkim

Look up DKIM records for a domain. Probes common selectors and validates key strength and algorithm. Part of the scan_domain audit.

check_dnssec

Check DNSSEC status for a domain. Verifies DNSKEY/DS records and validation chain. Part of the scan_domain audit.

check_ssl

Check SSL/TLS certificate for a domain. Shows issuer, expiry, protocol versions, and HTTPS configuration. Part of the scan_domain audit.

check_mta_sts

Validate MTA-STS SMTP encryption policy. Part of the scan_domain audit.

check_ns

Look up NS (nameserver) records for a domain. Shows DNS provider, delegation, and redundancy. Part of the scan_domain audit.

check_caa

Look up CAA records for a domain. Shows which Certificate Authorities are authorized to issue certificates. Part of the scan_domain audit.

check_bimi

Validate BIMI record and VMC evidence. Part of the scan_domain audit.

check_tlsrpt

Validate TLS-RPT SMTP failure reporting. Part of the scan_domain audit.

check_http_security

Audit HTTP security headers (CSP, COOP, etc.). Part of the scan_domain audit.

check_dane

Verify DANE/TLSA certificate pinning. Part of the scan_domain audit.

check_dane_https

Verify DANE certificate pinning for HTTPS via TLSA records at _443._tcp.{domain}. Part of the scan_domain audit.

check_svcb_https

Validate HTTPS/SVCB records (RFC 9460) for modern transport capability advertisement. Part of the scan_domain audit.

check_lookalikes

Detect active typosquat/lookalike domains. Standalone.

check_subdomailing

Detect SubdoMailing risk by analyzing SPF include chain for takeover-vulnerable domains. Part of the scan_domain audit.

scan_domain

Runs a full DNS and email security audit for a domain, aggregating every scan-included check in parallel: SPF, DKIM, DMARC, DNSSEC, TLS/SSL, MTA-STS, CAA, BIMI, subdomain takeover, and more. Returns a…

batch_scan

Scan up to 10 domains at once. Returns score, grade, and finding counts per domain.

compare_domains

Side-by-side security comparison of 2–5 domains. Shows scores, category gaps, and unique weaknesses.

compare_baseline

Compare domain security against a policy baseline.

check_shadow_domains

Find TLD variants with email auth gaps. Standalone.

check_txt_hygiene

Audit TXT records for stale entries and SaaS exposure.

check_mx_reputation

Check MX blocklist status and reverse DNS.

check_srv

Probe SRV records for service footprint.

check_zone_hygiene

Audit SOA propagation and sensitive subdomains.

generate_fix_plan

Generate prioritized remediation plan with effort estimates.

generate_spf_record

Generate corrected SPF record from detected providers.

generate_dmarc_record

Generate DMARC record with configurable policy.

generate_dkim_config

Generate DKIM setup instructions and DNS record.

generate_mta_sts_policy

Generate MTA-STS record and policy file.

get_benchmark

Get score benchmarks: percentiles, mean, top failures.

get_provider_insights

Get provider cohort benchmarks and common issues.

assess_spoofability

Composite email spoofability score (0-100).

check_resolver_consistency

Check DNS consistency across 4 public resolvers.

explain_finding

Explain a finding with impact and remediation.

map_supply_chain

Map third-party service dependencies from DNS records. Correlates SPF, NS, TXT verifications, SRV services, and CAA to show who can send as you, control your DNS, and what services are integrated.

analyze_drift

Compare current security posture against a previous baseline. Shows what improved, regressed, or changed.

validate_fix

Re-check a specific control after applying a fix. Confirms whether the finding is resolved.

generate_rollout_plan

Generate a phased DMARC enforcement timeline with exact DNS records per phase.

resolve_spf_chain

Trace the full SPF include chain for a domain. Recursively resolves all includes, shows lookup count, tree depth, and flags circular includes or exceeding the 10-lookup limit.

discover_subdomains

Find subdomains of a domain using Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance.

map_compliance

Map scan findings to compliance frameworks: NIST 800-177, PCI DSS 4.0, SOC 2, CIS Controls. Shows pass/fail/partial status per control.

simulate_attack_paths

Analyze current DNS posture and enumerate specific attack paths an adversary could exploit, with severity, feasibility, steps, and mitigations.

check_dbl

Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes.

check_rbl

Check MX server IP reputation against 8 DNS-based Real-time Blocklists (Spamhaus ZEN, SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Resolves MX hosts to IPs first.

cymru_asn

Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-risk hosting ASNs.

rdap_lookup

Fetch domain registration data via RDAP (modern WHOIS replacement). Returns registrar, creation/expiration dates, EPP status, registrant info, and domain age.

check_realtime_threat_feed

Check a domain against BlackVeil real-time threat intelligence (curated intel-gateway feed). Distinct from DNSBL checks. Operator-deploy only; degrades to info when unprovisioned.

check_nsec_walkability

Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags.

check_dnssec_chain

Walk the DNSSEC chain of trust from root to target domain. Reports DS/DNSKEY records, algorithm usage, and linkage status at each zone level.

check_fast_flux

Detect fast-flux DNS behavior by performing multiple rounds of A/AAAA queries with delays. Compares IP answer sets and TTLs across rounds to identify rotating infrastructure.

check_subdomain_takeover

Sweep an explicit subdomain list (or a built-in 15-name list of common labels) for dangling CNAMEs and provider-deprovisioned takeover fingerprints. Pair with discover_subdomains for full-inventory co…

check_authoritative_dns_infra

Check authoritative DNS infrastructure posture for a hostname. Uses BV_INFRA_PROBE when available for raw DNS, routing, RPKI, and vantage-point evidence.

check_root_server_set

Check the DNS root server set against official root hints, root glue, delegation, serial, and DNSKEY cross-root evidence.

discover_brand_domains

Find a brand's hidden domain portfolio with standard or deep discovery by aggregating certificate, DNS, mail-policy, redirect, TXT verification, MX platform, and candidate-seeding signals. Returns ran…

brand_audit_single

Run a full brand audit on a single target with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Discovers brand-related domains, looks up registrar + regis…

brand_audit_batch_start

Enqueue an async brand audit across up to 50 target domains with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Returns { auditId, queuedAt, targetCount,…

brand_audit_status

Poll the status of an enqueued brand audit. Returns audit-level status (queued | running | completed | failed), progress 'N/M', and per-target statuses. Owner-scoped — auditIds owned by other principa…

brand_audit_get_report

Fetch the result JSON for a completed brand audit. With `target` set, returns the per-target CheckResult; without, returns the audit-level aggregate. Returns notReady when polling an in-flight audit. …

list_brand_audit_watches

Returns the caller's recurring brand-audit watches: watchId, domain, interval, webhook presence, last-run time, and active state. Owner-scoped. Read-only.

register_brand_audit_watch

Creates a recurring brand-audit watch for a domain on a daily/weekly/monthly cadence. Each run enqueues a fresh brand_audit_batch_start and (when a webhook is configured) POSTs a diff webhook on class…

delete_brand_audit_watch

Permanently removes a recurring brand-audit watch by watchId. Owner-scoped — a watchId owned by another principal surfaces as notFound. Returns confirmation of deletion.

scan_buckets_start

Start an async cloud-bucket discovery scan for a target domain. Operator-deploy only; degrades to info when unprovisioned. Returns a scanId immediately — poll progress with scan_buckets_status and ret…

scan_buckets_status

Poll the status of a cloud-bucket discovery scan by scanId. Operator-deploy only; degrades to info when unprovisioned. Returns scan status (running | completed | failed) and progress metadata.

scan_buckets_findings

Retrieve findings from a completed cloud-bucket discovery scan. Operator-deploy only; degrades to info when unprovisioned. Optionally scoped to a specific scanId; omit to retrieve the most recent find…

osint_investigate_domain_start

Start an async OSINT investigation for a domain. Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status and retrieve r…

osint_investigate_infrastructure_start

Start an async deep-infrastructure OSINT investigation for a query (domain, IP, or org). Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with o…

osint_investigate_supply_chain_start

Start an async supply-chain OSINT investigation for a query. Operator-deploy only; degrades to info when unprovisioned. Returns an investigationId immediately — poll with osint_investigation_status.

osint_investigate_username_start

Start an async OSINT investigation for a username (cross-platform presence, breach correlation). Owner/enterprise tier only — people-centric OSINT is restricted to prevent misuse. Returns an investiga…

osint_investigate_email_start

Start an async OSINT investigation for an email address (breach exposure, account correlation). Owner/enterprise tier only — people-centric OSINT is restricted to prevent misuse. Returns an investigat…

osint_investigation_status

Poll the status of an OSINT investigation by investigationId. Operator-deploy only; degrades to info when unprovisioned. Returns current status (running | completed | failed) and progress metadata.

osint_investigation_report

Retrieve the final report of a completed OSINT investigation by investigationId. Operator-deploy only; degrades to info when unprovisioned or not yet complete.

query_signins

Query Microsoft Entra sign-in logs for a tenant. Optionally filter by user principal name, failure status, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when …

query_ual

Query the Microsoft 365 Unified Audit Log for a tenant. Optionally filter by operation type, user, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when absent.

get_ca_policies

Retrieve Conditional Access policies for a Microsoft Entra tenant. Requires m365Proxy service binding; returns { unprovisioned: true } when absent.

assess_coverage

Assess Conditional Access coverage gaps for a Microsoft Entra tenant — identifies users and apps not protected by any enforced policy. Requires m365Proxy service binding; returns { unprovisioned: true…

Similar MCP servers embedding-nearest

DNS MCP Server
Real-time DNS security analysis — DNSSEC, email auth, and RDAP. Built for SOC investigations.
0 tools
basicsec-mcp
Model Context Protocol server for DNS and email security scanning using basicsec
0 tools
mclose/dns-mcp
Real-time DNS security analysis via MCP. DNSSEC validation, email posture and domain intelligence.
0 tools
MCPAmpel - MCP Security Scanner
Scan installed MCP servers for security vulnerabilities with 16 detection engines.
0 tools
com.cognivators/mcp-safeguard
MCP server security scanner: detects prompt injection, credential leaks, SSRF, tool poisoning.
0 tools
mcpampel
MCP security scanner plugin - scan your installed MCP servers with 16 engines
0 tools

How to use

Add to your Claude Desktop / Cursor / Cline MCP config:

{
  "mcpServers": {
    "com.blackveilsecurity/dns": {
      "url": "https://dns-mcp.blackveilsecurity.com/mcp",
      "transport": "streamable-http"
    }
  }
}