DNS Infrastructure Scanner
The DNS Infrastructure Scanner sweeps an IP range for live DNS servers and scores each one on capability + security posture. Distinct from DNS Surface Audit — that audits one domain's zone; this surveys a network for live resolvers.
What each resolver is probed for
Per responder, ~12 probes run:
- Liveness via UDP/53 with TCP/53 fallback (catches resolvers behind UDP-blocking firewalls).
- A / AAAA / MX / TXT / NS resolution scoring.
- Optional CAA / DS / DNSKEY / TLSA / SRV / NAPTR for DNSSEC chain inspection.
- DNSSEC AD-bit check.
- EDNS0 support.
- Off-zone open-recursion probe (RA flag).
- CHAOS-class version.bind / hostname.bind disclosure.
- Random-subdomain NXDOMAIN-rewrite check.
- Multi-baseline hijack comparison vs system + 1.1.1.1 + 8.8.8.8 + 9.9.9.9 (resolver disagrees with EVERY baseline at the /16 prefix → hijack finding).
- Reverse DNS (PTR) and ASN/org enrichment via Team Cymru.
Multi-baseline hijack detection
A single-baseline comparison false-positives on every CDN — Google returns different PoP IPs depending on which resolver queries it. We compare each surveyed resolver's answer against four trusted baselines (the system resolver + 1.1.1.1 + 8.8.8.8 + 9.9.9.9) at the /16 prefix. A hijack finding fires only when the resolver's answer is disjoint from EVERY baseline at the /16 — so CDN PoP IPs (which share the first two octets even across geos) don't trigger, but actual rewriting does.
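The /16 disjointness rule above, as an added Python sketch (not the scanner's own code). The function names, the handling of empty answers and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

def prefixes16(answers):
    """Collapse IPv4 A answers to the set of /16 networks they fall in."""
    nets = set()
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip.version == 4:  # the /16 rule on the page is about A answers
            nets.add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return nets

def is_hijack(candidate, baselines):
    """True only if candidate shares no /16 with ANY usable baseline.

    Assumptions of this sketch: a baseline that returned no A records is
    skipped, and with no candidate answer or no usable baseline there is
    nothing to compare, so no finding is raised.
    """
    cand = prefixes16(candidate)
    usable = [p for p in (prefixes16(b) for b in baselines.values()) if p]
    if not cand or not usable:
        return False
    return all(cand.isdisjoint(p) for p in usable)

# Constructed sample answers for one control domain (not real scan data).
BASELINES = {
    "system":  ["10.20.1.5", "10.20.1.6"],
    "1.1.1.1": ["10.20.7.9"],
    "8.8.8.8": ["10.21.3.3"],   # different PoP, different /16
    "9.9.9.9": [],              # no answer: skipped
}
CDN_POP = ["10.21.99.4"]      # differs from system, matches 8.8.8.8 at /16
REWRITTEN = ["192.0.2.66"]    # shares a /16 with no baseline

if __name__ == "__main__":
    single = {"system": BASELINES["system"]}
    print("single baseline, CDN PoP:", is_hijack(CDN_POP, single))
    print("four baselines, CDN PoP: ", is_hijack(CDN_POP, BASELINES))
    print("four baselines, rewrite: ", is_hijack(REWRITTEN, BASELINES))
```

Against the system baseline alone the CDN answer is flagged; with all four baselines only the rewritten answer is.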
Scoring (0–100)
- +10 responded to baseline A query
- +5 per working record type (A / AAAA / MX / TXT / NS), capped at +25
- +10 DNSSEC AD-bit observed
- +10 EDNS0 supported
- +10 no hijack (A answer matches known-good)
- +5 no NXDOMAIN-rewrite
- −30 open recursion (useful but a finding)
- −50 hijack detected
High score = fully functional well-behaved resolver. Low score = either broken or actively suspect. Sort the results table by score to see usable resolvers first; sort by hijack flag to see suspect ones.
Running a survey
- Tools → DNS Infrastructure Scanner.
- CIDR mode: enter 10.0.0.0/24 or a single IP. IP-list mode: paste IPs one per line.
- Control domain (default cloudflare.com). The scanner queries every responder for this domain so the answer comparison is consistent.
- Concurrency (1–512, default 64) and timeout (0.5–10 s, default 2 s).
- Optional extras: CAA / DS / DNSKEY / TLSA / SRV / NAPTR for DNSSEC inspection. Shuffle: randomise scan order.
- Click Run survey.
Scope screening
Ranges > 1024 hosts require an engagement scope assertion covering the CIDR (see Engagements and Hard-refusal policy). A bare /16 sweep without an engagement scope is refused at the API tier with HTTP 451.
Pause / resume / cancel
Long surveys can be paused mid-flight without losing state, resumed later, or cancelled cleanly. In-flight probes finish before the pause takes effect.
CSV export
After completion, click Download CSV to export the full resolver table. One row per discovered resolver with score, flags, RTT, ASN, every record type, version string, and PTR.