Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "dns-mcp": {
      "args": [
        "run",
        "--rm",
        "-i",
        "--dns",
        "9.9.9.9",
        "dns-mcp",
        "python",
        "server.py"
      ],
      "command": "docker"
    }
  }
}
```
Real-time DNS security analysis for AI assistants via MCP. Gives your assistant the ability to investigate domains the way a practitioner would — DNSSEC chain validation, email authentication posture, and registration intelligence — without leaving your chat session.
No known CVEs.
Checked pre-commit against OSV.dev.
| Name | URI | Description |
|---|---|---|
| `output_guide` | `dns-mcp://output-guide` | Field-by-field reference: DNSSEC chain status values, DS vs DNSKEY parent/child relationship, FCrDNS fields, DANE status, RBL listed/clean/error semantics, detect_hijacking passed convention |
| `rbl_reference` | `dns-mcp://rbl-reference` | Return code tables for all 8 RBLs including Spamhaus quota codes |
| `test_zones` | `dns-mcp://test-zones` | Live NSEC/NSEC3 test zones on deflationhollow.net with parameters and risk levels |

| Name | Description |
|---|---|
| `email_security_audit` | Domain email security audit: SPF, DKIM, DMARC, MTA-STS, BIMI — graded A through F with prioritized recommendations |
| `dnssec_chain_audit` | Full DNSSEC chain-of-trust audit from the IANA root trust anchor down to the target domain |
| `soc_email_forensics` | Forensic phishing analysis of a raw email (.eml or pasted headers) — returns TRUSTABLE / SUSPICIOUS / PHISHING / FURTHER ANALYSIS REQUIRED |
| `nist_800_81r3_audit` | Domain security posture audit aligned with NIST SP 800-81r3 — covers delegation integrity, DNSSEC, CAA, email authentication, reputation, and resolver integrity |
Built by a cybersecurity professional for SOC investigation workflows. Not a toy — the same queries you would run at the command line, accessible through any MCP-compatible assistant in real time.
dns-mcp is a Streamable HTTP MCP server with OAuth via Pocket ID. Tool implementations are thin wrappers around the dns_tool Python library, which owns all DNS logic. The server itself is ~430 lines of code: auth bootstrap, tool registration, and prompt loading.
```
Claude.ai / Claude Code / any MCP client
        │
        │  Streamable HTTP + OAuth bearer (JWT)
        ▼
Caddy reverse proxy (TLS, DNS-01 / Let's Encrypt)
        │
        ▼
dns-mcp container (FastMCP, OAuth verifier)
        │
        ▼
dns_tool library (DoH client, validators, parsers)
        │
        ▼
doh.lab.deflationhollow.net (Unbound DoH resolver, optional)
```

Three benefits over the previous stdio-only architecture:
whoami.

dns_tool is published independently and reusable. The same code powers a CLI, this MCP server, and (eventually) a REST API.

The old stdio architecture lives at server.py.legacy for porting reference. The remote branch (mcp-shim Go bridge) is deprecated.

dns-mcp 2.0.0 currently exposes 19 tools. Ten additional tools from the 1.x stdio architecture are pending port into dns_tool — see Open work.

| Tool | Description |
|---|---|
| `ping` | Server uptime, current timestamp, dns_tool version + commit hash |
| `whoami` | Authenticated user identity from JWT claims |

| Tool | Description |
|---|---|
| `dns_query` | Standard DNS lookup over DoH — 20 record types (A, AAAA, MX, TXT, NS, SOA, CNAME, PTR, SRV, CAA, DNSKEY, DS, RRSIG, NSEC, NSEC3, TLSA, SSHFP, HTTPS, SVCB, NAPTR) |
| `dnssec_validate` | Full DNSSEC chain walk from IANA root trust anchor down to target. Real cryptographic validation at every zone cut. Returns structured verdict + per-zone findings + event transcript |
| `nsec_info` | NSEC / NSEC3 denial-of-existence analysis — zone walkability assessment, NSEC3 hash parameters, opt-out detection |

| Tool | Description |
|---|---|
| `check_spf` | SPF record parsing with recursive include resolution (RFC 7208 10-lookup limit) |
| `check_dmarc` | DMARC policy retrieval with organizational domain fallback |
| `check_dkim` | DKIM public key record verification for a selector + domain pair |
| `enumerate_dkim_selectors` | Probe a domain for DKIM keys at well-known selector names; returns the selectors that resolve |
| `check_dane` | DANE TLSA records for all MX hosts of a domain |
| `check_tlsa` | Standalone TLSA record lookup at `_<port>._<proto>.<host>` |

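The `check_spf` row above refers to the RFC 7208 limit of 10 DNS-querying terms per SPF evaluation. The following is an added example, not code from dns-mcp or dns_tool, showing how nested `include` and `redirect` terms push a policy over that limit; the function names and the zone data are assumptions made for illustration.

```python
# Added example (not dns_tool code); CONSTRUCTED_ZONE is made-up data standing in for TXT lookups.
SPF_LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4

CONSTRUCTED_ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mail.test include:_spf.crm.test ~all",
    "_spf.mail.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.test -all",
    "_spf.relay.test": "v=spf1 a:out1.relay.test a:out2.relay.test -all",
    "_spf.crm.test": "v=spf1 exists:%{i}.allow.crm.test redirect=_spf.bulk.test",
    "_spf.bulk.test": "v=spf1 mx ptr include:_spf.mail.test -all",
    "loop.test": "v=spf1 include:loop.test -all",
}


def parse_term(term):
    """Split one SPF term into (name, target), dropping qualifier and CIDR suffix."""
    term = term.lstrip("+-~?")
    sep = "=" if term.lower().startswith("redirect=") else ":"
    name, _, target = term.partition(sep)
    return name.split("/", 1)[0].lower(), target.split("/", 1)[0]


def count_spf_lookups(domain, zone, path=()):
    """Worst-case count of lookup-causing terms, following include/redirect."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            total += count_spf_lookups(target, zone, path + (domain,))
    return total


def spf_verdict(domain, zone):
    """Over 10 lookups is a permerror; a loop would exceed the limit, so it is one too."""
    try:
        count = count_spf_lookups(domain, zone)
    except ValueError:
        return ("permerror", None)
    return ("permerror" if count > SPF_LOOKUP_LIMIT else "ok", count)


print(spf_verdict("example.test", CONSTRUCTED_ZONE))
```

The top-level record has only four lookup-causing terms of its own, but the nested records bring the worst-case total to 15, which a receiver must treat as a permerror.
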
| Tool | Description |
|---|---|
| `check_rbl` | IP reputation against 8 DNS-based RBLs (Spamhaus ZEN, SpamCop, UCEProtect L1/L2, Mailspike, PSBL, Barracuda, SORBS) |
| `check_dbl` | Domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL) |
| `cymru_asn` | ASN lookup via Team Cymru DNS service — BGP prefix, org, country |
| `check_fast_flux` | Fast-flux detection — repeated A/AAAA queries to identify rotating IPs and short TTLs |
| `detect_hijacki |