Industry-Leading DNS Auditing

The DNS Institute enables domain owners and DNS professionals to monitor and check conformance and vulnerabilities of their DNS infrastructure, through scheduled protocol tests, vulnerability tests, alerts, news, and statistics with complete reporting. Our DNS auditing solutions enable organizations to proactively identify and remediate DNS misconfigurations and vulnerabilities, measure and manage risk, and ensure accuracy and compliance with no to little additional software or infrastructure costs.

The DNS Institute is a consulting and documentation service covering the Domain Name System and its security. Our offerings include: automated DNS monitoring, DNS server and client configuration reviews, custom DNS development, DNS server installations, DNS server conformance and regression testing, DNS zone data auditing, DNS vulnerability testing, server penetration testing, DNSSEC deployments, DNS performance evaluations, DNS installation and management instruction, DNS documentation, and more.

Contact us for a demo or free evaluation.

Recent Research

• DNSSEC Report 2020-10 for Top 100 Banking Institutions
  Only 4.7% of the domains owned by the largest banks were DNSSEC signed.
• TLD Delegation and Nameserver Failures (2020-09)
  An analysis of 1508 top-level domain names found many interesting and even critical problems in at least 20 TLDs, including DNSSEC failures.
• DNS Nameserver Counts for Top Million Websites (2020-08)
  The most popular NS nameserver domain name was cloudflare.com.
• DNS Mistakes (Part 2): Lots of Typos
  More mistakes often caused by typos, copy-and-paste issues, or misunderstandings for what is allowed in DNS.
• DNS Mistakes (Part 1): Missing or Added Trailing Dots
  Technical mistakes caused with a missing trailing dot in zone files and for a trailing period appended when not meant to.
• Potential Email Compromise via Dangling DNS MX
  While the Dangling MX concept is already known, our paper also describes a novel vulnerability and research approach where the Dangling MX or other DNS target is an existing registered domain, but available for purchase or unknown third-party use.
• IPv6 Report 2020-06 for US Government and Military Domains
  651 (50%) US government domains had at least one IPv6 problem and 19% completely failed for IPv6.
• DNS Lame Delegations Report 2019-11
  Various examples of invalid or broken nameservers as listed in NS records.
• DNS over IPv6 Report 2019-10 for Fortune 500 (US) Companies
  56% of the Fortune 500 companies have a domain that doesn't work via IPv6.
• DNSSEC Report 2019-09 for Top 100 Banking Institutions
  Only 18 out of the largest 100 banking institutions had signed domains. And only 68 domains out of 1518 domains (4.4%) were DNSSEC signed.
• Query Times Report 2019-08 for Top 100 Banking Institutions
  The three fastest banks in this study were: Lloyds Banking Group PLC, Canadian Imperial Bank of Commerce, and Bank of New York Mellon Corp.

Random Recent DNS Checks

• Japan Post Bank Co. Ltd. — japanpost.jp — Working nameservers must be in at least two topologically-separate networks (IPv6): WARNING
• USAA — usaa.com — RRSIG algorithm RSA/SHA-1 is not recommended : WARNING
• Nordea Bank AB — nordeabank.ru — There should be at least two working NS delegations : FAIL