Pentestas / help

DNS Surface Audit

The DNS Surface Audit goes beyond record enumeration. It probes the target's DNS posture for six finding classes that directly change how the rest of the pentest runs against the same target.

The six checks

  1. Rebinding susceptibility — does the authoritative NS return short TTLs (≤ 30 s) and/or rotate IPs across queries? If so, browser-side DNS-rebinding attacks become practical against authenticated users. Severity LOW (short TTL alone) or MEDIUM (rotation confirmed).
  2. Wildcard DNS — does the zone answer *.<domain> with a non-NXDOMAIN response? Wildcard records pollute subdomain enumeration. Severity INFO (the finding matters for downstream filtering, not standalone).
  3. Internal IP leakage — does any record reference an RFC1918 / loopback / link-local address? Internal IPs leaked into public DNS are high-value SSRF targets. Severity MEDIUM.
  4. Open recursion on authoritative NS — does the customer's NS answer recursive queries for off-zone names with the RA flag? Open resolvers are weaponisable for cache poisoning and amplification DDoS. Severity HIGH.
  5. NS version disclosure — do CHAOS-class version.bind / hostname.bind queries return a real version string? The disclosed version feeds the CVE retro-match workflow. Severity LOW.
  6. Split-horizon via EDNS0 Client-Subnet — the NS returns a different (private) answer when the query carries an RFC1918 ECS option. The internal view leaks publicly. Severity HIGH.

Downstream pentest integration

The audit's findings auto-apply to the next web/API scan against the same domain:

  • Rebinding susceptible + scan target accepts URL input → SSRF detector activates its rebinding payload corpus.
  • Internal IP leakage → each leaked IP joins the SSRF target list.
  • Wildcard DNS → subdomain enumerator filters wildcard answers from results.
  • Open recursion → cache-poisoning probes escalate from passive to active mode.
  • NS version disclosed → versions feed the CVE retro-match against the disclosed build.

No re-configuration required on the scan side. The pentest automatically consumes the audit's downstream_flags when it dispatches.
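As an added illustration, not Pentestas code, here is the classification step behind the six checks and the downstream flags, written in Python against constructed observations. The observation keys and the flag names are assumptions, since the page does not document its internal format; the severities and the flag-to-finding mapping follow the two lists above.

```python
import ipaddress

REBINDING_TTL_MAX = 30  # seconds; the page's "short TTL" threshold
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Finding class -> scan-side flag name (names assumed; the help page does not list them).
DOWNSTREAM = {"rebinding": "ssrf_rebinding_corpus", "internal_ip_leak": "ssrf_extra_targets",
              "wildcard": "filter_wildcard_answers", "open_recursion": "active_cache_poison_probes",
              "version_disclosure": "cve_retro_match"}

def is_internal(ip: str) -> bool:
    """RFC1918, loopback or link-local address referenced by a public record."""
    addr = ipaddress.ip_address(ip)
    # Explicit RFC1918 ranges: ipaddress.is_private would also flag TEST-NET ranges.
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in RFC1918)

def classify(obs: dict) -> dict:
    """Map one audit's observations to the six finding classes and their severities."""
    findings = {}
    rotates = len({frozenset(s) for s in obs["answer_sets"]}) > 1  # IPs change across queries
    short_ttl = any(t <= REBINDING_TTL_MAX for t in obs["ttls"])
    if rotates:
        findings["rebinding"] = "MEDIUM"   # rotation confirmed
    elif short_ttl:
        findings["rebinding"] = "LOW"      # short TTL alone
    if obs["wildcard_answered"]:
        findings["wildcard"] = "INFO"      # only matters for downstream filtering
    leaked = sorted({ip for ip in obs["record_ips"] if is_internal(ip)})
    if leaked:
        findings["internal_ip_leak"] = "MEDIUM"
    if obs["ra_on_offzone_query"]:
        findings["open_recursion"] = "HIGH"
    if obs.get("version_bind"):
        findings["version_disclosure"] = "LOW"
    if set(obs["ecs_private_answer"]) != set(obs["default_answer"]):
        findings["split_horizon_ecs"] = "HIGH"  # internal view leaks publicly
    flags = sorted(DOWNSTREAM[f] for f in findings if f in DOWNSTREAM)
    return {"findings": findings, "leaked_ips": leaked, "downstream_flags": flags}

# Constructed observations for a fictional zone, as the probing stage might record them.
SAMPLE = {
    "ttls": [20, 20, 300],
    "answer_sets": [["203.0.113.10"], ["203.0.113.10"]],  # stable: no rotation
    "wildcard_answered": True,
    "record_ips": ["203.0.113.10", "10.0.5.20", "fe80::1", "198.51.100.7"],
    "ra_on_offzone_query": False,
    "version_bind": "9.16.1",
    "default_answer": ["203.0.113.10"],
    "ecs_private_answer": ["10.0.5.20"],  # different answer when ECS carries an RFC1918 subnet
}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The rebinding flag is only acted on when the scan target accepts URL input; that condition lives on the scan side, so the classifier emits the flag unconditionally.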

Running an audit

  1. Tools → DNS Surface Audit.
  2. Enter a domain (apex — example.com, not https://example.com).
  3. Click Run audit. Audit takes 5–30 seconds.

Results are persisted; the next web/API scan against the same domain automatically consumes the flags. The Audit dashboard shows every audit you've run, with the downstream_flags that will auto-apply visible as chips.

Rate limits

Unauthenticated (marketing-site preview): 2 audits per day per IP. Authenticated tenant: per-plan limits — see Plans and limits.