Find the DNS Posture Issues Other Scanners Miss
DNS Surface Audit goes beyond record enumeration. It probes for browser-side rebinding susceptibility, wildcard pollution that breaks subdomain enumeration, internal RFC1918 IP addresses leaked into your public zone, open recursion on authoritative nameservers, version disclosure via CHAOS-class queries, and split-horizon leaks via EDNS0 Client-Subnet. These six finding classes directly change how the rest of the pentest runs against the same target.
Six checks: rebinding susceptibility · wildcard DNS · internal IP leakage · open recursion · NS version disclosure · split-horizon. 2 free runs/day.
How It Works
From target input to actionable findings in three straightforward steps.
Enter a Domain
Supply the apex domain (example.com). The audit resolves authoritative nameservers, queries them directly, and runs six independent posture checks against each.
Six Posture Checks Run in Parallel
Rebinding susceptibility (TTL + answer rotation), wildcard DNS, internal-IP leakage in any record type, off-zone open recursion, CHAOS version.bind disclosure, EDNS0 Client-Subnet split-horizon leak. Each check produces a structured finding with severity and evidence.
Downstream Pentest Auto-Consumes the Flags
When you launch a web or API pentest against the same domain, the audit results pre-populate the scanner. SSRF rebinding-payload mode activates if rebinding is practical; the SSRF target corpus inherits every leaked internal IP; the subdomain enumerator filters wildcard noise; cache-poisoning escalates from passive to active when an open resolver is present.
Key Capabilities
Purpose-built scanning backed by real penetration testing expertise.
Rebinding Susceptibility Detection
Combined TTL analysis and back-to-back resolution diffs catch DNS setups where browser-side rebinding attacks become practical against authenticated users of your own application.
Wildcard DNS Discovery
Three high-entropy random-label probes detect *.<zone> wildcards so the subdomain enumerator can filter the noise and produce a real attack-surface inventory.
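A sketch of the random-label wildcard check and the filtering step it enables, added here as an illustration and not Pentestas code. The `resolve` callback, `fake_resolve`, and the sample zone data are constructed assumptions so the example runs offline.

```python
import secrets

def detect_wildcard(zone, resolve, probes=3):
    """Resolve random labels under zone; return the wildcard answer set (empty if none).

    resolve(name) is a caller-supplied function returning a set of rdata strings,
    or an empty set for NXDOMAIN / NODATA.
    """
    answers = [resolve(f"{secrets.token_hex(12)}.{zone}") for _ in range(probes)]
    if not all(answers):
        return set()                  # some random label did not resolve: no wildcard
    return set().union(*answers)      # union also covers round-robin wildcard answers

def filter_candidates(zone, names, resolve):
    """Return (wildcard_answers, {name: answers}) keeping only non-wildcard hits."""
    wildcard = detect_wildcard(zone, resolve)
    real = {}
    for name in names:
        answers = resolve(name)
        if answers and not answers <= wildcard:
            real[name] = answers
    return wildcard, real

# Constructed stand-in for a resolver: two real hosts plus a *.example.com wildcard.
ZONE_DATA = {"www.example.com": {"198.51.100.10"},
             "api.example.com": {"198.51.100.20"}}
WILDCARD_RDATA = {"203.0.113.99"}

def fake_resolve(name):
    if name in ZONE_DATA:
        return ZONE_DATA[name]
    return WILDCARD_RDATA if name.endswith(".example.com") else set()

if __name__ == "__main__":
    guesses = ["www.example.com", "api.example.com",
               "staging.example.com", "dev.example.com"]
    wildcard, real = filter_candidates("example.com", guesses, fake_resolve)
    print("wildcard answers:", wildcard)
    print("real hosts:", real)
```

A host that deliberately shares the wildcard's address is filtered out as well, so names you know exist should be checked against the zone data rather than by answer comparison alone.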
Internal IP Leakage Hunt
Scans every A / AAAA / CNAME / TXT record plus NS glue for RFC1918 / loopback / link-local addresses leaked into the public zone — each becomes a priority SSRF target.
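To run the same kind of check over your own zone export, the following added example (not Pentestas code) flags RFC1918, loopback and link-local addresses in A, AAAA, CNAME and TXT rdata. The record tuples are constructed sample data, and treating IPv6 ULA (fc00::/7) as private is an assumption beyond what the page lists.

```python
import ipaddress
import re

# RFC 1918 ranges named on the page; IPv6 ULA fc00::/7 is an added assumption.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

def classify(ip):
    """Return 'loopback', 'link-local' or 'private'; None for anything else."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip.version == n.version and ip in n for n in PRIVATE_NETS):
        return "private"

def candidates(rtype, rdata):
    """Yield each parseable IP literal in one record's rdata."""
    if rtype in ("A", "AAAA"):
        tokens = [rdata]
    else:  # TXT, CNAME, glue names: IPv4 anywhere, plus SPF-style ip6: tokens
        tokens = IPV4_RE.findall(rdata)
        tokens += [t[4:].split("/")[0] for t in rdata.replace('"', " ").split()
                   if t.lower().startswith("ip6:")]
    for tok in tokens:
        try:
            yield ipaddress.ip_address(tok)
        except ValueError:
            pass  # looked like an address (e.g. 999.1.1.1) but is not one

def find_internal_leaks(records):
    """records: (owner, rtype, rdata) tuples -> sorted (owner, rtype, ip, kind)."""
    hits = {(owner, rtype, str(ip), classify(ip))
            for owner, rtype, rdata in records for ip in candidates(rtype, rdata)}
    return sorted(h for h in hits if h[3])

# Constructed sample records under example.com (not taken from a real zone).
SAMPLE = [
    ("www.example.com", "A", "93.184.216.34"),
    ("vpn.example.com", "A", "10.20.30.40"),
    ("dev.example.com", "AAAA", "fe80::1"),
    ("example.com", "TXT", '"v=spf1 ip4:192.168.5.0/24 ip6:fd00::25 ip4:203.0.113.7 -all"'),
    ("old.example.com", "CNAME", "127.0.0.1.legacy.example.com."),
    ("ns1.example.com", "A", "172.32.0.1"),  # just outside 172.16.0.0/12
]

if __name__ == "__main__":
    for finding in find_internal_leaks(SAMPLE):
        print(finding)
```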
Open-Recursion Detection on Authoritative NS
Probes each authoritative nameserver with an off-zone recursive query — open resolvers are weaponisable for cache poisoning and amplification. Confirmed via the RA flag.
NS Version Disclosure (CHAOS)
Sends version.bind and hostname.bind queries against each NS. Disclosed BIND / NSD / PowerDNS / Knot builds feed into the platform CVE retro-match workflow.
Split-Horizon Leak via EDNS0 Client-Subnet
Forges an EDNS0 Client-Subnet option declaring an RFC1918 source and compares the response against the public answer; non-overlapping private answers indicate the internal view is reachable from the public internet.
Common Use Cases
Why Use Pentestas
Security tools built by penetration testers, not just developers.
Enterprise-Grade Accuracy
Our scanning engine is built on the same methodologies our penetration testers use in manual engagements, tuned to minimize false positives and surface genuine risk.
Fast, Actionable Results
Get findings in minutes rather than days. Every result includes severity ratings, technical evidence, and clear remediation steps your team can act on immediately.
Continuous Monitoring
Schedule recurring scans from the Pentestas platform to catch regressions before they reach production. Stay ahead of new CVEs and configuration drift.
Privacy First
Your scan data is encrypted at rest and in transit. You own your data, with full control over retention and export.
Detailed Reporting
Export findings as PDF, CSV, or JSON. Feed results directly into your SIEM, ticketing system, or CI/CD pipeline through our REST API.
Instant Setup
Run scans directly from your browser. Enter a target, click scan, and receive results. Ready in under a minute.
Start scanning with DNS Surface Audit today
Create a free account and run your first scan in under a minute. Full platform access during your 14-day trial.
Frequently Asked Questions
Why is this different from a normal DNS lookup tool?
Does it modify my DNS in any way?
How does the audit help with subdomain enumeration?
What happens if I run this then launch a pentest against the same domain?