
DNS Security Audit — Zone Snapshot & Auth Posture

Full DNS zone snapshot for security audit — SPF, DMARC, mail, nameserver, and address records

How to Use This Tool

  1. Enter the apex domain or delegated hostname to audit.
  2. The tool validates and normalizes the public DNS name.
  3. lookupAllDnsRecords queries A, AAAA, MX, TXT, NS, CNAME, and other returned types.
  4. Results include records grouped by type, summary flags, and queriedAt ISO timestamp.
  5. emailAuth block exposes SPF and DMARC TXT strings when published.
  6. Export JSON for compliance evidence or schedule via dns-history API.

About This Tool

DNS security audits verify that a zone publishes correct authentication records, sane nameserver delegation, and expected mail routing before incidents or compliance reviews. The VSPIC DNS security audit calls the dns-history action with lookupAllDnsRecords for the domain you enter. It returns structured records, a byType grouping, summary flags for SPF and DMARC, nameservers, ipv4 and ipv6 arrays, mailServers, a queriedAt ISO timestamp, and a note that year-over-year archives require saved snapshots or external passive DNS.

Treat each run as an audit sample: review summary.hasSpf and summary.hasDmarc, validate nameserver delegation against approved providers, confirm MX targets match expected mail infrastructure, and export JSON for change-management evidence. This page is not a hosted monitoring SaaS — it documents authoritative public DNS right now for security review workflows.

Common use cases

  • View all DNS records of a domain after migration
  • Confirm DNS records after domain changes
  • Test for DNS leaks when using a VPN
  • Debug email delivery with MX and TXT records

Why use VSPIC?

  • Full multi-record DNS security snapshot in one click.
  • SPF and DMARC presence flagged in summary for quick audit triage.
  • Nameserver and mail routing visible for delegation review.
  • queriedAt timestamp for audit evidence and incident timelines.
  • Structured JSON suitable for diff scripts and ticketing systems.
  • Free with no account — complements paid DNS monitoring.

DNS security audit scope

DNS is the control plane for mail authentication, domain verification, and traffic routing. A security audit captures whether SPF and DMARC exist, whether nameservers match approved providers, whether MX records point at expected mail hosts, and whether unexpected A or CNAME records suggest hijack or shadow IT.

This audit uses live public DNS — not credentialed registrar access. Pair with whois-lookup for registration metadata and dns-hijacking-detector when delegation anomalies appear.

SPF and DMARC in audit context

The summary.hasSpf and summary.hasDmarc booleans flag authentication record presence. The emailAuth block includes the raw TXT strings for reviewer inspection. Missing DMARC on mail-sending domains is a common audit finding; receivers treat unsigned mail with elevated suspicion.

Follow with spf-dkim-dmarc-checker when you need alignment and syntax validation beyond presence flags.

Nameserver delegation review

The nameservers array shows the current NS delegation. Unexpected NS hosts, especially recently changed NS pointing at free DNS providers, warrant hijack investigation. Compare against the last known good export from change management.

NS mismatch between apex and child zones may indicate partial delegation errors blocking mail or web.

MX and mail routing audit

summary.mailServers lists MX targets with priorities. The audit confirms that mail routes through approved gateways, not attacker-controlled hosts introduced during zone compromise. An unexpected single MX pointing to an unknown hostname is a high-severity finding.

Pair with email-deliverability-checker for full MX, SPF, DKIM, and DMARC validation depth.

Address records and shadow infrastructure

summary.ipv4 and summary.ipv6 reveal web hosting targets. Unexpected A records pointing at bulletproof hosting or foreign ranges during audit may indicate compromise. cnameTarget shows CDN or alias chains.

Cross-reference ipv4 values with malware-ip-checker when addresses appear on threat feeds.

Building audit history without passive DNS fees

Schedule weekly API calls with action dns-history and your domain parameter. Store JSON in Git, S3, or your CMDB. Diff tools highlight added MX hosts, removed SPF, or NS drift. That pipeline is genuine DNS security history for zones you control.

queriedAt stamps each audit sample for SOC2 and ISO evidence.

Relationship to domain-dns-audit and dns-monitoring-tool

All three pages call dns-history and receive an identical backend response shape. DNS security audit emphasizes security review language: SPF, DMARC, NS, and MX posture. DNS monitoring tool emphasizes scheduled drift detection. Pick the page matching your workflow; the API action is the same.

Cross-link dns-hijacking-detector when NS or A records change unexpectedly between audits.

TXT record sensitivity in audits

Snapshots copy SPF, DKIM, DMARC, and domain verification TXT into exports. Treat audit files as reconnaissance-sensitive if they consolidate authentication posture for high-value brands.

Rotate verification tokens if exports leak from shared drives.

API action dns-history

GET /ip-tools/api/extended?action=dns-history&domain=example.com. Parse records, byType, summary, emailAuth, queriedAt, and note from JSON. Automate post-change audits in CI.

Fail pipelines when summary.hasSpf flips false on production mail domains.
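
The diff-and-gate step described here and under "Building audit history without passive DNS fees", as an added example that is not VSPIC's own code. Both snapshots are constructed; placing nameservers under summary, the exchange/priority shape of each mailServers entry, and the fail/warn severity split are assumptions.

```python
import json

# Constructed sample snapshots. Field names follow the page (summary.hasSpf,
# summary.hasDmarc, summary.mailServers, summary.ipv4, queriedAt). Assumed:
# nameservers sits under summary; MX entries look like {"exchange", "priority"}.
BASELINE = json.loads("""{
  "queriedAt": "2024-05-01T06:00:00Z",
  "summary": {"hasSpf": true, "hasDmarc": true,
    "nameservers": ["ns1.dns-provider.example", "ns2.dns-provider.example"],
    "mailServers": [{"exchange": "mx1.mail.example", "priority": 10}],
    "ipv4": ["192.0.2.10"]}}""")
CURRENT = json.loads("""{
  "queriedAt": "2024-05-08T06:00:00Z",
  "summary": {"hasSpf": false, "hasDmarc": true,
    "nameservers": ["ns1.dns-provider.example", "ns1.other-dns.example"],
    "mailServers": [{"exchange": "mx1.mail.example", "priority": 10},
                    {"exchange": "mx.unknown-host.example", "priority": 5}],
    "ipv4": ["192.0.2.10"]}}""")

def _names(summary, key):
    """Set of lowercase names (MX entries reduced to their exchange host)."""
    items = summary.get(key) or []
    return {(i.get("exchange", "") if isinstance(i, dict) else str(i)).rstrip(".").lower()
            for i in items}

def diff_snapshots(old, new):
    """Return (severity, message) findings for drift between two snapshots."""
    o, n = old.get("summary", {}), new.get("summary", {})
    findings = []
    for flag, label in (("hasSpf", "SPF"), ("hasDmarc", "DMARC")):
        if o.get(flag) and not n.get(flag):
            findings.append(("fail", f"{label} record no longer published"))
    for key, label, sev in (("nameservers", "NS", "fail"), ("mailServers", "MX", "fail"),
                            ("ipv4", "A", "warn"), ("ipv6", "AAAA", "warn")):
        before, after = _names(o, key), _names(n, key)
        for name in sorted(after - before):
            findings.append((sev, f"{label} added: {name}"))
        for name in sorted(before - after):
            findings.append(("warn", f"{label} removed: {name}"))
    return findings

def should_fail(findings):
    """CI gate: any 'fail' finding blocks the pipeline."""
    return any(sev == "fail" for sev, _ in findings)

if __name__ == "__main__":
    results = diff_snapshots(BASELINE, CURRENT)
    print("\n".join(f"[{s}] {m}" for s, m in results))
    raise SystemExit(1 if should_fail(results) else 0)
```

In a scheduled job, replace the embedded snapshots with the last stored export and the fresh API response, and attach both queriedAt values to the ticket.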

Important notes & limitations

  • Does not retrieve DNS changes from previous years automatically.
  • Reflects one public resolver path — split-horizon internal DNS may differ.
  • Not a zone transfer (AXFR) — hidden unpublished records may be absent.
  • Does not validate SPF syntax depth or DMARC enforcement policy strength.
  • TXT exports may contain verification tokens — treat files as sensitive.

Frequently Asked Questions

Yes. VSPIC offers this DNS security audit at no cost with no account required. Results load in real time.

We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.

Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.

No. It captures current public DNS at query time. Save repeated snapshots yourself for historical audit trails.

It flags SPF presence in summary and emailAuth. Use spf-record-checker for full syntax and lookup validation.

DNS security audit returns full zone snapshot via dns-history. Email DNS health check focuses on mail authentication validation depth.

ISO timestamp of the audit snapshot. Attach to security review tickets and compliance evidence.

Yes. Call the extended API with action dns-history and your domain. Schedule weekly jobs and diff JSON exports.

dns-history with the domain parameter.
