Engineer's DNS Intelligence Report
TLP:AMBER
Limited disclosure — recipients may share within their organization only
Engineer's DNS Intelligence Report
spitalmciuc.ro
Footprint
DNS Security & Trust Posture
Risk Level:
High Risk
2 protocols configured, 7 not configured
Why we go beyond letter grades
Resolver agreement is inconsistent for some protocols, limiting confidence. Data currency and system maturity are adequate.
Accuracy 65%
Currency 74/100
Maturity verified
Limiting factor: Resolver agreement is low for this scan — some protocols returned inconsistent results across resolvers
Currentness Excellent
TTL Compliance Excellent
Completeness Degraded
Source Credibility Excellent
TTL Relevance Degraded
ICuAE Details
The following DNS record TTLs deviate from recommended values. Incorrect TTLs can cause caching issues, slow propagation, or unnecessary DNS traffic.
| Record Type | Observed TTL | Typical TTL | Severity | Context |
|---|---|---|---|---|
| NS | 20945s |
1 day (86400s) |
medium | NS TTL is below typical — observed 20945s, typical value is 1 day (86400s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 86400 seconds per NIST SP 800-53 SI-18 relevance guidance. Use the TTL Tuner for profile-specific recommendations. |
| SOA | 20945s |
1 hour (3600s) |
high | SOA TTL is above typical — observed 20945s, typical value is 1 hour (3600s). Long TTLs reduce DNS query volume but slow propagation when records change. Consider 3600 seconds for a balance of performance and flexibility per NIST SP 800-53 SI-18 relevance guidance. |
| MX | 4 hours (14400s) |
1 hour (3600s) |
medium | MX TTL is above typical — observed 4 hours (14400s), typical value is 1 hour (3600s). Long TTLs reduce DNS query volume but slow propagation when records change. Consider 3600 seconds for a balance of performance and flexibility per NIST SP 800-53 SI-18 relevance guidance. |
| A | 4 hours (14400s) |
1 hour (3600s) |
medium | A TTL is above typical — observed 4 hours (14400s), typical value is 1 hour (3600s). Long TTLs reduce DNS query volume but slow propagation when records change. Consider 3600 seconds for a balance of performance and flexibility per NIST SP 800-53 SI-18 relevance guidance. |
| TXT | 13745s |
1 hour (3600s) |
medium | TXT TTL is above typical — observed 13745s, typical value is 1 hour (3600s). Long TTLs reduce DNS query volume but slow propagation when records change. Consider 3600 seconds for a balance of performance and flexibility per NIST SP 800-53 SI-18 relevance guidance. |
Big Picture Questions
- How often do you actually change this record? If it hasn’t changed in months, a short TTL is generating unnecessary DNS queries without any benefit.
- Are you preparing for a migration or IP change? Short TTLs make sense temporarily — but should be raised back to 1 hour (3600s) once the change is complete.
- Every DNS lookup adds 20–150ms of latency. With a 60s TTL, returning visitors trigger a fresh lookup every minute. With 3600s, they get cached responses for an hour — faster page loads, no extra infrastructure needed.
- Google runs A records at ~30s because they operate a global anycast network and need to steer traffic dynamically. For a typical website without that infrastructure, copying those TTLs increases query volume with zero upside.
Primary NS
alfa.hostx.ro
Serial
2026012201
Admin
office.creative-designs.ro
Provider
Unknown
| Timer | Value | RFC 1912 Range |
|---|---|---|
| Refresh | 3600s | 1,200–43,200s (20 min – 12 hrs) |
| Retry | 1800s | Fraction of Refresh |
| Expire | 1209600s | 1,209,600–2,419,200s (14–28 days) |
| Minimum (Neg. Cache) | 86400s | 300–86,400s (5 min – 1 day) |
All SOA timer values are within RFC 1912 recommended ranges.
Suggested Scanner Configuration
High Confidence
Based on 20 historical scans of this domain
| Parameter | Current | Suggested | Severity | Rationale |
|---|---|---|---|---|
| timeout_seconds | 5s |
8s |
low | Average scan duration is 30.3s, suggesting DNS responses are slow for this domain. Increasing timeout from 5s to 8s prevents premature resolution failures. RFC 8767 |
Email Spoofing
Partial
Brand Impersonation
Not Setup
DNS Tampering
Unsigned
Certificate Control
Open
Recommended
Publish a DMARC record starting with p=none and rua reporting
Configured
SPF (hard fail), DKIM
Not Configured
DMARC, MTA-STS, TLS-RPT, BIMI, DANE, DNSSEC, CAA
Priority Actions
5 total
Achievable posture: Moderate Risk
Critical
Publish DMARC Record
Add a DMARC record to protect your domain against email spoofing and receive authentication reports.
DMARC tells receivers how to handle mail that fails SPF/DKIM checks.
| Field | Value |
|---|---|
| Type | TXT |
| Host | _dmarc.spitalmciuc.ro (DMARC policy record) |
| Value | v=DMARC1; p=none; rua=mailto:dmarc-reports@spitalmciuc.ro |
Medium
Enable DNSSEC
DNSSEC is not enabled for this domain. DNSSEC provides cryptographic authentication of DNS responses, preventing cache poisoning and DNS spoofing attacks.
Low
Add CAA Records
CAA records specify which Certificate Authorities may issue certificates for your domain, reducing the risk of unauthorized certificate issuance.
CAA constrains which CAs can issue certificates for this domain.
| Field | Value |
|---|---|
| Type | CAA |
| Host | spitalmciuc.ro (root of domain — adjust CA to match your provider) |
| Value | 0 issue "letsencrypt.org" |
Low
Add TLS-RPT Reporting
TLS-RPT (TLS Reporting) sends you reports about TLS connection failures when other servers try to deliver mail to your domain.
TLS-RPT sends you reports about TLS connection failures to your mail servers.
| Field | Value |
|---|---|
| Type | TXT |
| Host | _smtp._tls.spitalmciuc.ro (SMTP TLS reporting record) |
| Value | v=TLSRPTv1; rua=mailto:tls-reports@spitalmciuc.ro |
Low
Deploy MTA-STS
MTA-STS enforces TLS encryption for inbound mail delivery, preventing downgrade attacks on your mail transport.
MTA-STS tells sending servers to require TLS when delivering mail to your domain.
| Field | Value |
|---|---|
| Type | TXT |
| Host | _mta-sts.spitalmciuc.ro (MTA-STS policy record) |
| Value | v=STSv1; id=spitalmciuc.ro |
Registrar (RDAP)
LIVE
Unknown
Where domain was purchased
Email Service Provider
Unknown
Limited Protection
Web Hosting
Unknown
Where website is hosted
DNS Hosting
Unknown
Where DNS records are edited
Email Security Methodology Can this domain be impersonated by email? Likely SPF alone cannot prevent spoofing
SPF Record RFC 7208 §4 Consistent
Does this domain declare who may send email on its behalf?
Yes
Success
-all
1/10 lookups
SPF valid with strict enforcement (-all), 1/10 lookups
v=spf1 ip4:89.38.241.67 ip4:89.38.241.66 mx ip4:141.138.139.222 -all
RFC 7489: -all may cause rejection before DMARC evaluation, preventing DKIM from being checked
RFC 7208 Conformant — This SPF record conforms to the syntax and semantics defined in RFC 7208 §4.
RFC Failure Mode: Unlike DMARC (where unknown tags are silently ignored per RFC 7489 §6.3), SPF with unrecognized mechanisms produces a PermError per RFC 7208 §4.6 — the record fails loudly rather than silently.
Related CVEs:
CVE-2024-7208 (multi-tenant domain spoofing),
CVE-2024-7209 (shared SPF exploitation),
CVE-2023-51764 (SMTP smuggling bypasses SPF)
SPF hard fail (-all): compliance-strong, but can short-circuit DMARC.
RFC 7489 notes that -all can cause some receivers to reject mail during the SMTP transaction — before DKIM is checked and before DMARC can evaluate the result. A message that would pass DMARC via DKIM alignment may be rejected prematurely. For most domains, ~all + DMARC p=reject is the strongest compatible posture — it allows every authentication method (SPF, DKIM, DMARC) to be fully evaluated before a decision is made.
DMARC Policy RFC 7489 §6.3 Consistent
Are spoofed emails rejected or quarantined?
No policy published
Warning
No DMARC record found
RFC Stance: RFC 7489 is classified as Informational (not Standards Track). DMARC is a widely adopted industry practice but is not an IETF-mandated standard.
Operational Security: Without DMARC, receiving mail servers have no policy for handling SPF/DKIM failures. Spoofed messages may be delivered to recipients.
DMARCbis (Pending): draft-ietf-dmarc-dmarcbis will elevate DMARC to Standards Track, obsolete RFC 7489, replace
pct= with t= (testing flag), add np= (non-existent subdomain policy), and mandate DNS tree walk for policy discovery instead of the Public Suffix List.Related CVEs:
CVE-2024-49040 (Exchange sender spoofing),
CVE-2024-7208 (multi-tenant DMARC bypass)
DKIM Records RFC 6376 §3.6 Consistent
Are outbound emails cryptographically signed?
Yes — verified
Found
2048-bit
Found DKIM for 1 selector(s) with strong keys (2048-bit)
default._domainkey
2048-bit
Adequate
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsfuaeJb745niBbxGk8gJA9ihhcBBBznTQ/tzRp8eovr9n2s6GjY4eBhtKSpE+gBBLQuYq8Drw8SQ3LhUbLyDbKw0aeMeib/xxtr5ZPn4ewQdajMAmu1Ry9IV4xRIrj7uIMiQoGMvLXkN6oseSOTAqyJKstcNCSeLQgukQU5/tUWKpPI1ufhJ0qZV8hXB47Mnq0Pc6qE3hIJf0HHau4EMEiiZmzf40bLRxdeolESYsGnZf9iF3/C7EMJpVp6C3I6Mdh8DOyzk6dB1THfktDK5LpXHwyzjYzIDQG+u34bt0E4ENzaAp0Bu1VXr0QLRYzwKv8fw8oCCii0ahsD35Ygy0wIDAQAB;
RFC 6376 Conformant — DKIM keys and signatures conform to RFC 6376 §3.6 (Internet Standard).
Known Vulnerabilities:
DKIM
l= tag body length vulnerability (attacker appends unsigned content to signed mail),
weak key exploitation (keys below 1024-bit are cryptographically breakable per RFC 6376 §3.3.3),
DKIM replay attacks (re-sending legitimately signed messages at scale)