Network Security

Discover, Score, and Audit Every DNS Server in an IP Range

Find every host in a CIDR running a DNS service, score each one for capability and security posture, and flag the dangerous ones — hijacking resolvers, open recursors abusable for amplification DDoS, NXDOMAIN-rewriters that lie about negative answers. Multi-baseline hijack detection compares each resolver's answer against four trusted reference resolvers (system + 1.1.1.1 + 8.8.8.8 + 9.9.9.9) at the /16 prefix, defeating CDN-geo-steering false positives. ASN and org names come from Team Cymru's IP-to-ASN DNS service — no API keys, no setup, instant enrichment on every responder.

Probes every IP in the range for DNS service; scores capability + security; flags hijacked / open-recursor / NXDOMAIN-rewriting resolvers. Multi-baseline hijack check vs 1.1.1.1 / 8.8.8.8 / 9.9.9.9. ASN via Team Cymru. 2 free runs/day.

How It Works

From target input to actionable findings in three straightforward steps.

01. Supply a CIDR or IP List

Enter a CIDR (e.g. 10.0.0.0/24), a single IP, or paste a list. Engagement-scoped ranges larger than 1024 hosts are validated against the declared scope before any probe goes out.

02. Each Host Gets 12 Probes

Liveness via UDP/53 with TCP/53 fallback, A/AAAA/MX/TXT/NS resolution scoring, DNSSEC AD-bit check, EDNS0 support, off-zone open-recursion probe, CHAOS version.bind disclosure, random-subdomain NXDOMAIN rewrite check, multi-baseline hijack comparison, plus optional CAA/DS/DNSKEY/TLSA/SRV/NAPTR for DNSSEC chain inspection.

03. Score and Filter Results

Each resolver gets a 0–100 score based on capability + security posture. Filter by hijacked / open-recursor / DNSSEC / NXDOMAIN-rewriting. Sort by score, IP, ASN, or RTT. Export the full result set to CSV for SIEM ingestion or SOC handoff.

Key Capabilities

Purpose-built scanning backed by real penetration testing expertise.

Multi-Baseline Hijack Detection

Compares each resolver answer against four trusted baselines (system + 1.1.1.1 + 8.8.8.8 + 9.9.9.9). Hijack only fires when the surveyed answer is disjoint from EVERY baseline at the /16 prefix — defeats CDN geo-steering false-positives.

Open-Resolver Hunting

Probes each host with an off-zone recursive query checking the RA flag. Open resolvers are weaponisable for reflection / amplification DDoS and downstream cache poisoning.

NXDOMAIN Rewrite Detection

High-entropy random-subdomain probes catch ISP NXDOMAIN redirection, captive-portal interception, and transparent DNS hijacks where the resolver lies about negative answers.
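The open-recursion and NXDOMAIN-rewrite checks described above both come down to reading the header of the resolver's response. The following is an added Python example, not the scanner's own code; the function names, the constructed sample responses, and the stricter open-recursor test (RA plus a successful answer, rather than RA alone) are assumptions.

```python
import secrets
import struct

QR, RA, AD, RCODE = 0x8000, 0x0080, 0x0020, 0x000F  # bits of the header flags word
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5

def random_probe_name(zone):
    """High-entropy label that should not exist under zone (assumes no wildcard)."""
    return f"{secrets.token_hex(16)}.{zone}"

def parse_header(msg):
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "ra": bool(flags & RA), "ad": bool(flags & AD),
            "rcode": flags & RCODE, "ancount": an}

def is_open_recursor(resp):
    """resp answers an off-zone query sent with RD=1 from outside the resolver's network."""
    h = parse_header(resp)
    # A resolver may advertise RA yet answer REFUSED to clients outside its ACL,
    # so require a successful answer as well as the RA flag.
    return h["qr"] and h["ra"] and h["rcode"] == NOERROR and h["ancount"] > 0

def rewrites_nxdomain(resp):
    """resp answers a random_probe_name() query; an honest resolver says NXDOMAIN."""
    h = parse_header(resp)
    return h["qr"] and h["rcode"] == NOERROR and h["ancount"] > 0

def sample(flags, ancount):
    """Constructed header-only response (a real one also carries question and answers)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

SAMPLES = {  # constructed responses
    "recursed": sample(0x8180, 1),  # QR RD RA, NOERROR, one answer
    "refused":  sample(0x8185, 0),  # QR RD RA, REFUSED
    "nxdomain": sample(0x8183, 0),  # QR RD RA, NXDOMAIN
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, is_open_recursor(resp), rewrites_nxdomain(resp))
```

The same "recursed" header means an open recursor when it answers an off-zone query and a rewritten negative answer when it answers a random-subdomain query, so each verdict depends on which probe the response belongs to.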

CHAOS Version Disclosure

Sends version.bind, hostname.bind, and version.server CHAOS-class lookups to enumerate disclosed BIND / NSD / PowerDNS / Knot builds, and feeds the disclosed versions into the platform CVE retro-match workflow.

ASN / Org Enrichment via Team Cymru

Each responder gets ASN, org name, and country annotated via Team Cymru's free DNS-based IP-to-ASN service. LRU-cached so a /24 sweep that finds 30 resolvers in three AS networks makes ~6 unique lookups.
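How the Team Cymru lookups and the cache interact, as an added Python example that is not the scanner's own code. The query names and TXT field layout follow Team Cymru's DNS interface; the `Enricher` class, the injected `txt_lookup` callable, the unbounded prefix cache (simpler than an LRU), and all sample data are assumptions.

```python
import ipaddress

def origin_qname(ip):
    """IPv4 only: 192.0.2.10 -> 10.2.0.192.origin.asn.cymru.com"""
    return ".".join(reversed(ip.split("."))) + ".origin.asn.cymru.com"

def parse_origin(txt):
    """Parse 'ASN | BGP prefix | CC | registry | allocated' from the TXT answer."""
    asn, prefix, cc = [f.strip() for f in txt.split("|")][:3]
    # A multi-origin prefix lists several ASNs separated by spaces; keep the first.
    return int(asn.split()[0]), ipaddress.ip_network(prefix), cc

class Enricher:
    def __init__(self, txt_lookup):
        self.txt_lookup = txt_lookup  # hypothetical callable: qname -> TXT string
        self.prefixes, self.names, self.lookups = {}, {}, 0

    def _txt(self, qname):
        self.lookups += 1
        return self.txt_lookup(qname)

    def enrich(self, ip):
        addr = ipaddress.ip_address(ip)
        hit = next((v for net, v in self.prefixes.items() if addr in net), None)
        if hit is None:  # no cached prefix covers this IP: one origin lookup
            asn, net, cc = parse_origin(self._txt(origin_qname(ip)))
            hit = self.prefixes[net] = (asn, cc)
        asn, cc = hit
        if asn not in self.names:  # one AS-name lookup per ASN
            self.names[asn] = self._txt(f"AS{asn}.asn.cymru.com").split("|")[-1].strip()
        return {"ip": ip, "asn": asn, "org": self.names[asn], "country": cc}

# Constructed stand-in for the DNS service: documentation ranges, private-use ASNs.
FAKE_ORIGINS = {"192.0.2": 64512, "198.51.100": 64513, "203.0.113": 64514}

def fake_txt_lookup(qname):
    if qname.startswith("AS"):
        asn = qname[2:].split(".")[0]
        return f"{asn} | ZZ | arin | 2020-01-01 | EXAMPLE-NET-{asn}, ZZ"
    net24 = ".".join(reversed(qname.split(".")[:4])).rsplit(".", 1)[0]
    return f"{FAKE_ORIGINS[net24]} | {net24}.0/24 | ZZ | arin | 2020-01-01"

def demo():
    e = Enricher(fake_txt_lookup)
    rows = [e.enrich(f"{net}.{host}") for net in FAKE_ORIGINS for host in range(1, 11)]
    return rows, e.lookups

if __name__ == "__main__":
    rows, lookups = demo()
    print(len(rows), "responders enriched with", lookups, "TXT lookups")
```

The cache returns the first covering prefix it holds, so a more specific announcement inside an already cached prefix would be attributed to the covering prefix's ASN.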

UDP/53 with TCP/53 Fallback

When a host refuses or drops UDP, the scanner retries over TCP/53 automatically and tags the resolver as TCP-only, which catches resolvers behind UDP-blocking firewalls.

Pause / Resume / Cancel

Long-running surveys can be paused mid-flight without losing state, resumed later, or cancelled cleanly. Worker-side polling means in-flight probes finish before the pause takes effect.

Live Log Panel and Real-Time Progress

Per-IP probe events stream into a live log while the survey runs; progress counters update every 32 IPs probed. CSV export at completion.

Common Use Cases

Internal network pentests — find every DNS server alive in 10.0.0.0/24 and identify shadow resolvers stood up by individual teams
External recon on customer-owned IP blocks — identify open recursors and forgotten staging resolvers still answering recursive queries
DNS-hijack hunting — query every resolver in a range for a control domain and flag those returning answers disjoint from trusted baselines
Asset enrichment chain — feed leaked internal IPs from DNS Surface Audit back into the infrastructure scanner to confirm they're live and characterise the services they expose
Cloud / VPC audits — sweep allocated CIDRs to confirm no DNS service was stood up outside the central authoritative pair

Why Use Pentestas

Security tools built by penetration testers, not just developers.

Enterprise-Grade Accuracy

Our scanning engine is built on the same methodologies our penetration testers use in manual engagements, tuned to minimize false positives and surface genuine risk.

Fast, Actionable Results

Get findings in minutes rather than days. Every result includes severity ratings, technical evidence, and clear remediation steps your team can act on immediately.

Continuous Monitoring

Schedule recurring scans from the Pentestas platform to catch regressions before they reach production. Stay ahead of new CVEs and configuration drift.

Privacy First

Your scan data is encrypted at rest and in transit. You own your data, with full control over retention and export.

Detailed Reporting

Export findings as PDF, CSV, or JSON. Feed results directly into your SIEM, ticketing system, or CI/CD pipeline through our REST API.

Instant Setup

Run scans directly from your browser. Enter a target, click scan, and receive results. Ready in under a minute.

Frequently Asked Questions

Does this work on internal networks?
Yes. Deploy the Pentestas agent inside your network perimeter and the scanner runs against private CIDRs through the agent's tunnel — same probes, same scoring, no inbound exposure.
How does multi-baseline hijack detection work?
We resolve the control domain through your system resolver plus three public baselines (1.1.1.1, 8.8.8.8, 9.9.9.9). For each surveyed resolver, we compare its answer against every baseline at the /16 prefix. A hijack finding fires only when the resolver disagrees with all four baselines — CDN geo-steering returns different PoP IPs but always at the same /16, so it doesn't false-positive.
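The comparison rule described in this answer and under Multi-Baseline Hijack Detection, as an added Python example that is not the scanner's own code. The function names, the verdict labels, the treatment of an unreachable baseline as skipped rather than disagreeing, and all sample addresses are assumptions.

```python
import ipaddress

def prefix16(ip):
    """Return the /16 network that contains an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def classify(surveyed, baselines):
    """Compare one resolver's A records against every trusted baseline.

    surveyed:  IPv4 answers from the resolver under test
    baselines: {baseline name: IPv4 answers for the same control domain}
    Returns (verdict, names of the baselines that share a /16 with the answer).
    """
    # Assumption: a baseline that timed out or returned nothing is skipped,
    # not counted as a disagreement.
    usable = {name: ips for name, ips in baselines.items() if ips}
    if not surveyed or not usable:
        return "inconclusive", []
    seen = {prefix16(ip) for ip in surveyed}
    agree = sorted(name for name, ips in usable.items()
                   if seen & {prefix16(ip) for ip in ips})
    # Hijack only when the answer is disjoint from EVERY usable baseline.
    return ("consistent" if agree else "hijack-suspect"), agree

# Constructed data (198.18.0.0/15 is reserved for benchmarking, RFC 2544).
BASELINES = {
    "system":  ["198.18.10.5"],
    "1.1.1.1": ["198.18.10.6"],
    "8.8.8.8": ["198.18.77.1"],   # another PoP in the same /16
    "9.9.9.9": [],                # baseline did not answer
}
SURVEY = {
    "10.0.0.53": ["198.18.200.9"],  # different PoP, same /16: geo-steering
    "10.0.0.54": ["198.19.0.1"],    # disjoint from every baseline
    "10.0.0.55": [],                # no answer to compare
}

def survey(results, baselines):
    """Verdict per surveyed resolver."""
    return {resolver: classify(ips, baselines)[0] for resolver, ips in results.items()}

if __name__ == "__main__":
    for resolver, verdict in survey(SURVEY, BASELINES).items():
        print(resolver, verdict)
```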
Will the scan trigger IDS / IPS alerts?
Each host gets ~12 DNS queries spaced across UDP and TCP. The shape is well below the volumetric threshold of any modern IDS. Stealth-mode engagements can dial concurrency to 1 and timeout to 5s for a near-passive profile.
What does the 0-100 score mean?
The score combines DNS capability (which record types the resolver supports), security posture (DNSSEC validation, EDNS0), and trust (no hijack vs trusted baselines, no NXDOMAIN rewriting), with strong penalties for open recursion (-30) and hijack (-50). A high score means a reliable upstream resolver. A low score means the resolver is either broken or actively suspect.
How does this differ from a port scanner that includes port 53?
A port scanner tells you 53 is open. This tool tells you what the DNS server is, how it answers, whether it's lying, whether it leaks internal data, whether it would amplify a DDoS, and how it compares to a known-good resolver. The output is a scored, ranked resolver inventory — not a port table.