DNS & Infrastructure Module
Module ID: dns_infra | Type: Conditional (opt-in) | Profiles: full, security
The DNS & Infrastructure module checks DNSSEC, CAA records, SSL certificate expiry and chain validity, CDN use, HTTP/2 and IPv6 support, and nameserver redundancy. These are infrastructure-level checks that go beyond what HTML analysis can reveal.
What It Checks
| Check | What It Looks For |
|---|---|
| DNSSEC | Domain has DNSSEC signatures |
| CAA records | Certificate Authority Authorisation records limiting who can issue certs |
| SSL certificate expiry | Days until certificate expires |
| SSL certificate chain | Valid chain of trust |
| CDN detection | Whether the site is served via a CDN (Cloudflare, Fastly, AWS CloudFront, etc.) |
| HTTP/2 support | Server supports HTTP/2 protocol |
| IPv6 support | AAAA DNS records present |
| Nameserver redundancy | Multiple nameservers configured |
Scoring Breakdown
| Criterion | Deduction | Condition |
|---|---|---|
| No DNSSEC | -15 | Domain lacks DNSSEC signatures |
| No CAA records | -10 | No CAA records restricting cert issuance |
| SSL expiring soon | -15 | Certificate expires within 14 days |
| SSL expired | -25 | Certificate has already expired |
| No CDN detected | -5 | Site served directly from origin |
| No HTTP/2 | -10 | Server only supports HTTP/1.1 |
| No IPv6 | -5 | No AAAA records |
| Single nameserver | -5 | Only one nameserver configured |
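
The CAA and certificate-expiry criteria from the table, applied to already-collected data, as an added example (not the module's own code). The function names and sample values are hypothetical. Treating exactly 14 days as "expiring soon" is an assumption, and so is the RFC 8659 climb to parent domains, since this page does not say how the module looks up CAA records.

```python
from datetime import datetime, timezone

# Deductions copied from the scoring table above.
DEDUCTIONS = {"no_caa": 10, "ssl_expiring": 15, "ssl_expired": 25}
EXPIRY_WARNING_DAYS = 14  # assumption: the 14-day boundary is inclusive


def relevant_caa(fqdn, caa_by_name):
    """Return (owner, records) of the CAA set that applies to fqdn.

    RFC 8659 has the CA climb from the name towards the root and use the
    first non-empty CAA set, so a host is covered by its parent's records.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = caa_by_name.get(owner)
        if records:
            return owner, records
    return None, []


def score_certificate_checks(fqdn, caa_by_name, not_after, now):
    """Return (deduction_total, findings) for the CAA and expiry criteria."""
    findings = []
    _owner, records = relevant_caa(fqdn, caa_by_name)
    if not records:
        findings.append(("no_caa", "no CAA records on the name or any parent"))
    days_left = (not_after - now).days
    if not_after <= now:
        findings.append(("ssl_expired", f"expired on {not_after:%Y-%m-%d}"))
    elif days_left <= EXPIRY_WARNING_DAYS:
        findings.append(("ssl_expiring", f"expires in {days_left} days"))
    return sum(DEDUCTIONS[key] for key, _ in findings), findings


# Constructed sample data standing in for live DNS and TLS lookups.
SAMPLE_CAA = {"example.com": [(0, "issue", "letsencrypt.org")]}
NOW = datetime(2026, 4, 14, tzinfo=timezone.utc)
NOT_AFTER = datetime(2026, 4, 17, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(score_certificate_checks("www.example.com", SAMPLE_CAA, NOT_AFTER, NOW))
    print(score_certificate_checks("www.example.org", {}, NOT_AFTER, NOW))
```

A check that queries only the exact hostname would report "No CAA records" for www.example.com here, even though the record set on example.com restricts issuance for it.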
Auto-Detection
This module is opt-in only. It does not auto-detect from HTML signals because it requires DNS lookups and network probes. Include it via:
- The full or security profile
- Explicit module selection: --modules dns_infra
- Asking: "Include DNS checks in the audit"
Example Findings
P0 CRITICAL: SSL certificate expires in 3 days
The SSL certificate for example.com expires on 2026-04-17. Users will
see browser warnings and be unable to access the site securely.
Fix: Renew the SSL certificate immediately. If using Let's Encrypt,
check that auto-renewal is working: certbot renew --dry-run
Effort: Low
P1 HIGH: No CAA records
Without CAA records, any Certificate Authority can issue certificates
for your domain. This increases the attack surface for certificate
mis-issuance.
Fix: Add CAA DNS records: 0 issue "letsencrypt.org"
(replace with your CA).
Effort: Low
Notes
This module requires network access for DNS lookups and SSL probing. When running in offline mode, all checks are skipped and the module reports that infrastructure checks require live network access.