# dns MCP server

DNS & email security scanner — tools for SPF, DMARC, DKIM, DNSSEC, SSL, and more.

## Links
- Registry page: https://www.getdrio.com/mcp/com-blackveilsecurity-dns
- Repository: https://github.com/MadaBurns/bv-mcp

## Install
- Command: `npx -y blackveil-dns`
- Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- Auth: Not captured

## Setup notes
- Package: npm blackveil-dns v2.9.2
- Environment variable: BV_API_KEY (secret)
- Remote endpoint: https://dns-mcp.blackveilsecurity.com/mcp

## Tools
- check_mx - Look up MX records for a domain. Shows mail servers, email provider detection, and validates configuration. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_spf - Look up and validate SPF record for a domain. Shows authorized senders, syntax issues, and trust surface. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dmarc - Look up and validate DMARC record for a domain. Shows policy enforcement, alignment mode, and reporting config. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dkim - Look up DKIM records for a domain. Probes common selectors and validates key strength and algorithm. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dnssec - Check DNSSEC status for a domain. Verifies DNSKEY/DS records and validation chain. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_ssl - Check SSL/TLS certificate for a domain. Shows issuer, expiry, protocol versions, and HTTPS configuration. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_mta_sts - Validate MTA-STS SMTP encryption policy. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_ns - Look up NS (nameserver) records for a domain. Shows DNS provider, delegation, and redundancy. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_caa - Look up CAA records for a domain. Shows which Certificate Authorities are authorized to issue certificates. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_bimi - Validate BIMI record and VMC evidence. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_tlsrpt - Validate TLS-RPT SMTP failure reporting. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_http_security - Audit HTTP security headers (CSP, COOP, etc.). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dane - Verify DANE/TLSA certificate pinning. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dane_https - Verify DANE certificate pinning for HTTPS via TLSA records at _443._tcp.{domain}. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_svcb_https - Validate HTTPS/SVCB records (RFC 9460) for modern transport capability advertisement. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_lookalikes - Detect active typosquat/lookalike domains. Standalone. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_subdomailing - Detect SubdoMailing risk by analyzing SPF include chain for takeover-vulnerable domains. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- scan_domain - Look up any domain to get a full DNS and email security audit. Use this whenever a user mentions a domain name, asks to check/scan/lookup/analyze a domain, or wants to know about a domain's security posture. Returns score, grade, maturity stage, and prioritized findings. Start here for any domain-related question. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- batch_scan - Scan up to 10 domains at once. Returns score, grade, and finding counts per domain. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- compare_domains - Side-by-side security comparison of 2–5 domains. Shows scores, category gaps, and unique weaknesses. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- compare_baseline - Compare domain security against a policy baseline. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_shadow_domains - Find TLD variants with email auth gaps. Standalone. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_txt_hygiene - Audit TXT records for stale entries and SaaS exposure. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_mx_reputation - Check MX blocklist status and reverse DNS. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_srv - Probe SRV records for service footprint. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_zone_hygiene - Audit SOA propagation and sensitive subdomains. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate_fix_plan - Generate prioritized remediation plan with effort estimates. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate_spf_record - Generate corrected SPF record from detected providers. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate_dmarc_record - Generate DMARC record with configurable policy. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate_dkim_config - Generate DKIM setup instructions and DNS record. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate_mta_sts_policy - Generate MTA-STS record and policy file. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- get_benchmark - Get score benchmarks: percentiles, mean, top failures. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- get_provider_insights - Get provider cohort benchmarks and common issues. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- assess_spoofability - Composite email spoofability score (0-100). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_resolver_consistency - Check DNS consistency across 4 public resolvers. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- explain_finding - Explain a finding with impact and remediation. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- map_supply_chain - Map third-party service dependencies from DNS records. Correlates SPF, NS, TXT verifications, SRV services, and CAA to show who can send as you, control your DNS, and what services are integrated. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- analyze_drift - Compare current security posture against a previous baseline. Shows what improved, regressed, or changed. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- validate_fix - Re-check a specific control after applying a fix. Confirms whether the finding is resolved. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- generate_rollout_plan - Generate a phased DMARC enforcement timeline with exact DNS records per phase. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- resolve_spf_chain - Trace the full SPF include chain for a domain. Recursively resolves all includes, shows lookup count and tree depth, and flags circular includes or chains that exceed the 10-lookup limit. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_subdomains - Find subdomains of a domain using Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- map_compliance - Map scan findings to compliance frameworks: NIST 800-177, PCI DSS 4.0, SOC 2, CIS Controls. Shows pass/fail/partial status per control. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- simulate_attack_paths - Analyze current DNS posture and enumerate specific attack paths an adversary could exploit, with severity, feasibility, steps, and mitigations. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dbl - Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_rbl - Check MX server IP reputation against 8 DNS-based Real-time Blocklists (Spamhaus ZEN, SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Resolves MX hosts to IPs first. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- cymru_asn - Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-risk hosting ASNs. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- rdap_lookup - Fetch domain registration data via RDAP (modern WHOIS replacement). Returns registrar, creation/expiration dates, EPP status, registrant info, and domain age. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_nsec_walkability - Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_dnssec_chain - Walk the DNSSEC chain of trust from root to target domain. Reports DS/DNSKEY records, algorithm usage, and linkage status at each zone level. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_fast_flux - Detect fast-flux DNS behavior by performing multiple rounds of A/AAAA queries with delays. Compares IP answer sets and TTLs across rounds to identify rotating infrastructure. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_authoritative_dns_infra - Check authoritative DNS infrastructure posture for a hostname. Uses BV_INFRA_PROBE when available for raw DNS, routing, RPKI, and vantage-point evidence. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- check_root_server_set - Check the DNS root server set against official root hints, root glue, delegation, serial, and DNSKEY cross-root evidence. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- discover_brand_domains - Find a brand's hidden domain portfolio with standard or deep discovery by aggregating certificate, DNS, mail-policy, redirect, TXT verification, MX platform, and candidate-seeding signals. Returns ranked candidate domains with provenance and combined-confidence scoring. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_single - Run a full brand audit on a single target with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Discovers brand-related domains, looks up registrar + registrant for each candidate, and classifies each into consolidated, real registrar-sprawl shadowIt, authorized vendor dependency, indeterminate, or impersonation relationships. Gated tier-wide by monthly BRAND_AUDIT_QUOTAS (free/agent=0, developer=50, partner=200, enterprise=500, owner=unlimited). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_batch_start - Enqueue an async brand audit across up to 50 target domains with optional standard/deep discovery depth, brand aliases, and caller-supplied candidate domains. Returns { auditId, queuedAt, targetCount, etaSeconds } immediately; poll with brand_audit_status and fetch results with brand_audit_get_report once complete. Each target consumes 1 unit of the monthly BRAND_AUDIT_QUOTAS budget. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_status - Poll the status of an enqueued brand audit. Returns audit-level status (queued | running | completed | failed), progress 'N/M', and per-target statuses. Owner-scoped — auditIds owned by other principals surface as notFound. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_get_report - Fetch the result JSON for a completed brand audit. With `target` set, returns the per-target CheckResult; without, returns the audit-level aggregate. Returns notReady when polling against an in-flight audit. Phase 3 will add R2 signed-URL PDF retrieval; this v2.19.0 version returns inline JSON only. Endpoint: https://dns-mcp.blackveilsecurity.com/mcp
- brand_audit_watch - Register, list, or delete recurring brand-audit watches. Watches run on a daily/weekly/monthly cadence via the scheduled cron tick — each run enqueues a fresh brand_audit_batch_start and (when configured) POSTs a diff webhook on classification drift. Owner-scoped; per-principal cap of 20 active watches. Phase 4 (v2.21.0+). Endpoint: https://dns-mcp.blackveilsecurity.com/mcp

## Resources
- dns-security://guides/security-checks - Overview of all DNS/email security checks performed by Blackveil DNS, including SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-STS, NS, CAA, MX, and Subdomain Takeover. MIME type: text/markdown
- dns-security://guides/scoring - How DNS/email security scores and grades are calculated, including category weights and severity penalties. MIME type: text/markdown
- dns-security://guides/record-types - List of DNS record types queried by this server and their purpose in security analysis. MIME type: text/markdown
- dns-security://guides/agent-workflows - Recommended tool usage patterns and decision trees for common DNS security tasks. MIME type: text/markdown
- dns-security://guides/intelligence - How benchmark and provider cohort features work, privacy guarantees, and data freshness. MIME type: text/markdown
- dns-security://guides/remediation - Step-by-step DNS record fix patterns for each check category, using generate_* tools. MIME type: text/markdown

## Prompts
- full-security-audit - DNS & email security audit with remediation. Arguments: domain
- email-auth-check - Email auth posture: SPF, DMARC, DKIM, MTA-STS. Arguments: domain
- policy-compliance-check - Check domain against security policy baseline. Arguments: domain, minimum_grade
- remediation-workflow - Scan, plan fixes, generate DNS records. Arguments: domain
- email-hardening-guide - Email hardening plan with DNS record generation. Arguments: domain
- provider-benchmark - Benchmark domain against email provider cohort. Arguments: domain
- attack-surface-assessment - Spoofability, lookalikes, shadow domain analysis. Arguments: domain

## Metadata
- Owner: com.blackveilsecurity
- Version: 2.9.2
- Runtime: npm
- Transports: STDIO, HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: Apr 21, 2026
- Source: https://registry.modelcontextprotocol.io
