DNSArmor is an open-source DNS security auditing tool that performs a comprehensive security review of any domain's DNS configuration — in a single command. It covers DNSSEC, email authentication, zone security, reputation checks, and more, with clear findings, evidence, and actionable fix recommendations.
| Module | What it audits |
|---|---|
| 🔐 DNSSEC | Chain-of-trust validation, DS records, key algorithms (RSA vs ECDSA), RRSIG signature expiry |
| 📧 Email Security | SPF (syntax, -all enforcement, lookup count), DKIM (key presence and size), DMARC (p=reject), MTA-STS, TLSRPT |
| 🔄 Zone Transfer | AXFR exposure across all nameservers |
| 🕵️ DNS Rebinding | A/AAAA records resolving to private/loopback/link-local IPs |
| 📡 Subdomain Takeover | Dangling CNAMEs pointing to 13+ cloud services (GitHub Pages, S3, Heroku, Netlify, etc.) |
| 🌍 Nameserver Security | NS count, registrar diversity, open resolver detection, authoritative flag (AA) validation |
| ⏱️ TTL Analysis | Dangerously low or excessively high TTLs on A, MX, NS, CNAME, and TXT records |
| 📋 CAA Records | Certificate Authority Authorization — issue, issuewild, iodef tags |
| 🔍 Blocklist Check | IP and domain reputation across 13 DNS-based blocklists (Spamhaus, SURBL, URIBL, and more) |
Every finding includes:
- Severity — Critical / High / Medium / Low / Info / Pass
- Evidence — the exact DNS record or response that triggered the finding
- Fix — a plain-English recommendation
- Provider tips — optional guidance tailored to Cloudflare, Route 53, GoDaddy, or Azure DNS
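As an added illustration of what the Email Security module checks (SPF `-all` enforcement and DNS lookup count, DMARC `p=reject`), here is a stand-alone Python sketch that is not DNSArmor's own code. It runs offline on constructed TXT strings and returns findings in the same severity / evidence / fix shape the tool reports; the RFC 7208 lookup limit of 10 is the one rule it enforces beyond what the table states.

```python
import re

# Constructed sample TXT records (not real DNS answers): the domain's SPF
# record and the record published at _dmarc.<domain>.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:mailgun.org a mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Terms that each cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def count_spf_lookups(spf):
    """Count lookup-costing terms (ip4/ip6/all are free)."""
    count = 0
    for term in spf.split()[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            count += 1
    return count

def audit_spf(spf):
    """Return (severity, title, evidence, fix) tuples for one SPF record."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return [("High", "SPF record missing or malformed", spf or "<none>",
                 "Publish a TXT record that starts with v=spf1")]
    findings = []
    last = spf.split()[-1].lower()
    if last == "-all":
        findings.append(("Pass", "SPF enforces -all", spf, "No change needed"))
    elif last == "~all":
        findings.append(("Medium", "SPF ends in ~all (softfail)", spf,
                         "Switch to -all once every legitimate sender is listed"))
    else:
        findings.append(("High", "SPF does not end in -all", spf, "Terminate the record with -all"))
    lookups = count_spf_lookups(spf)
    if lookups > 10:
        findings.append(("High", f"SPF needs {lookups} DNS lookups (limit 10)",
                         spf, "Flatten includes or drop unused mechanisms"))
    return findings

def audit_dmarc(dmarc):
    """Return one (severity, title, evidence, fix) tuple for a DMARC record."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ("High", "DMARC record missing", dmarc or "<none>",
                "Publish v=DMARC1; p=reject at _dmarc.<domain>")
    tags = dict(t.strip().split("=", 1) for t in dmarc.split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    if policy == "reject":
        return ("Pass", "DMARC policy is p=reject", dmarc, "No change needed")
    severity = "Medium" if policy == "quarantine" else "High"
    return (severity, f"DMARC policy is p={policy or 'none'}", dmarc, "Move to p=reject")
```

Running `audit_spf(SAMPLE_SPF)` and `audit_dmarc(SAMPLE_DMARC)` reproduces the two most common email findings: a softfail SPF (Medium) and a monitoring-only DMARC policy (High).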
Install from source:

```bash
git clone https://github.com/SecPod-OpenSource/dnsarmor.git
cd dnsarmor
pip install -e .
```

Or install into a virtual environment:

```bash
git clone https://github.com/SecPod-OpenSource/dnsarmor.git
cd dnsarmor
python -m venv venv
# Windows:
venv\Scripts\activate
# macOS / Linux:
source venv/bin/activate
pip install -e .
```

Usage:

```bash
# Full security audit
dnsarmor scan example.com

# Quick scan — email, DNSSEC, and subdomain takeover only
dnsarmor quick example.com

# Specific modules
dnsarmor scan example.com --modules email,dnssec,caa

# Generate an HTML report
dnsarmor scan example.com --format html -o report.html

# JSON output for scripting or CI
dnsarmor scan example.com --format json -o results.json

# Include common subdomain takeover checks
dnsarmor scan example.com --subdomains

# Show only high and critical findings
dnsarmor scan example.com --severity high

# Provider-specific fix tips (cloudflare / route53 / godaddy / azure / generic)
dnsarmor scan example.com --provider cloudflare
```

Commands:

| Command | Description |
|---|---|
| `dnsarmor scan <domain>` | Full security audit |
| `dnsarmor quick <domain>` | Quick critical checks only |
| `dnsarmor modules` | List available modules |
| `dnsarmor --version` | Show version |
| `dnsarmor --help` | Show help |
| Option | Short | Description |
|---|---|---|
| `--modules` | `-m` | Comma-separated module list (e.g. `email,dnssec`) |
| `--format` | `-f` | Output format: `terminal` (default), `json`, or `html` |
| `--output` | `-o` | Write output to a file |
| `--severity` | `-s` | Minimum severity to display: `info` / `low` / `medium` / `high` / `critical` |
| `--provider` | `-p` | DNS provider for tailored fix tips |
| `--subdomains` | | Check common subdomains for takeover vulnerabilities |
| `--timeout` | `-t` | DNS query timeout in seconds (default: 5) |
| `--workers` | `-w` | Parallel worker threads (default: 10) |
| `--resolver` | | Custom DNS resolver IP (default: 8.8.8.8 / 1.1.1.1) |
Output formats (`--format`):
- Terminal (default): Rich-formatted panels with colour-coded severity, evidence, and fix recommendations grouped by module.
- HTML: Self-contained HTML file with a summary dashboard, per-module sections, collapsible finding cards, and monospace evidence blocks. Open in any browser.
- JSON: Machine-readable output with all findings, evidence, grade, and scan metadata — suitable for CI pipelines or custom dashboards.
Python API:

```python
from dnsarmor.orchestrator import ScanOrchestrator

orchestrator = ScanOrchestrator("example.com")
result = orchestrator.run()

print(f"Grade: {result.grade}")
for finding in result.findings:
    print(f"[{finding.severity.value}] {finding.title}")
    if finding.evidence:
        print(f"  Evidence: {finding.evidence}")
    print(f"  Fix: {finding.recommendation}")
```

Development:

```bash
# Install dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# Run with coverage
pytest tests/ -v --cov=dnsarmor --cov-report=term-missing
```

Planned features:
- `tldextract` integration for accurate compound-TLD handling (.co.uk, .com.au, etc.)
- TLSA / DANE record validation
- MTA-STS policy file fetch and validation (currently checks the DNS signal only)
- WHOIS domain expiry check
- Certificate Transparency (CT) log monitoring
- CI/CD integration mode — configurable exit codes by severity
- Markdown output format (for GitHub Issues and PR comments)
- JSON Lines streaming output for large-scale bulk scanning
- Publish to PyPI (`pip install dnsarmor`)
- Periodic monitoring mode (scheduled rescans with diff output)
Contributions are welcome. Please open an issue first to discuss proposed changes, then submit a pull request.
```bash
# Install dev tools
pip install -e ".[dev]"

# Lint and format
ruff check dnsarmor/
black dnsarmor/
```

Licensed under the Apache License 2.0 — see LICENSE for full terms.