Skip to main content
DNS Tool
Engineer's DNS Intelligence Report
Generated 8 Mar 2026, 04:14 UTC
Duration 7.7s
Version v26.35.17
Integrity a8264e94db6ec37122f5121e34f79aa291babd62edcb34bb0f5b854bae872d2907d0a0473c3b86e18b5b2f6465ad161d9805ef25ebfa9731a1b162a1a3ebfbb2
Subject Domain
dpsg-bodensee.de

Engineer's DNS Intelligence Report

dpsg-bodensee.de
8 Mar 2026, 04:14 UTC · 7.7s ·v26.35.17 · SHA-3-512: a826✱✱✱✱ Verify
Executive Methodology
Recon Mode Snapshot Re-analyze New Domain
Footprint 1 SaaS Service
DNS Security & Trust Posture
Risk Level: Low Risk
5 protocols configured, 4 not configured Domain appears to be in deliberate DMARC deployment phase — quarantine fully enforced with reporting, consider upgrading to reject Why we go beyond letter grades
1 recommendation
Analysis Confidence (ICD 203)
MODERATE 66/100
Resolver agreement is inconsistent for some protocols, limiting confidence. Data currency and system maturity are adequate.
Accuracy 59% Currency 73/100 Maturity verified
Limiting factor: Resolver agreement is low for this scan — some protocols returned inconsistent results across resolvers
Intelligence Currency
Data Currency: Adequate 73/100
ICuAE Details
Currentness Excellent TTL Compliance Excellent Completeness Degraded Source Credibility Excellent TTL Relevance Degraded
DNS data shows some aging or gaps — consider re-scanning for critical decisions
Enterprise Traffic Engineering Detected DNS-based Global Server Load Balancing (GSLB)

This domain uses short TTLs across 3 record types (A record at 30s), consistent with DNS-based traffic management (GSLB). Enterprises operating large anycast networks intentionally use short TTLs to enable rapid failover, geographic steering, and load distribution. This is a deliberate infrastructure choice, not a misconfiguration. RFC 1035 §3.2.1 permits any TTL value the zone administrator selects. The findings below reflect deviation from typical values for reference, not necessarily actionable recommendations for this class of infrastructure.

The following DNS record TTLs deviate from typical values. For domains using DNS-based traffic management, short TTLs are expected and intentional.

Record Type Observed TTL Typical TTL Severity Context
A 30s 1 hour (3600s) high A TTL is below typical — observed 30s, typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-18 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
TXT 4 minutes (240s) 1 hour (3600s) high TXT TTL is below typical — observed 4 minutes (240s), typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-18 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
NS 359 minutes (21540s) 1 day (86400s) medium NS TTL is below typical — observed 359 minutes (21540s), typical value is 1 day (86400s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 86400 seconds per NIST SP 800-53 SI-18 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
MX 5 minutes (300s) 1 hour (3600s) high MX TTL is below typical — observed 5 minutes (300s), typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-18 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
AAAA 30s 1 hour (3600s) high AAAA TTL is below typical — observed 30s, typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-18 relevance guidance. Use the TTL Tuner for profile-specific recommendations.

Big Picture Questions

  • This domain runs short TTLs across multiple record types. Does it operate a global anycast network where DNS-based traffic steering justifies the query volume?
  • Are the short TTLs enabling active failover, geographic routing, or load distribution — or are they leftover from a migration that was never reverted?
  • Enterprise-grade DNS infrastructure (sub-5ms authoritative response times, globally distributed nameservers) absorbs short-TTL query volume. Would your authoritative DNS handle the same load?
Tune TTL for dpsg-bodensee.de
Reference: NIST SP 800-53 SI-7 (Information Integrity) · RFC 8767 (Serve Stale) · RFC 1035 §3.2.1 (TTL semantics) DNS provider detected: Cloudflare — provider-specific RFC compliance notes are shown inline above where applicable.
Primary NS bayan.ns.cloudflare.com
Serial 2397853741
Admin dns.cloudflare.com
Provider Cloudflare
Timer Value RFC 1912 Range
Refresh10000s1,200–43,200s (20 min – 12 hrs)
Retry2400sFraction of Refresh
Expire604800s1,209,600–2,419,200s (14–28 days)
Minimum (Neg. Cache)1800s300–86,400s (5 min – 1 day)
Expire: SOA Expire is 7 days (604800s). RFC 1912 §2.2 recommends 1,209,600–2,419,200 seconds (14–28 days). If the primary nameserver becomes unreachable, secondary nameservers will stop serving this zone after only 7 days (604800s). Cloudflare's anycast architecture reduces the practical risk, but this value departs from the RFC recommendation.
RFC 1912 §2.2

Independent RFC compliance assessment for Cloudflare. Each finding cites the specific RFC section and reports what the engineering community consensus is. We report honestly — if a provider deviates from standards, we explain what they did differently and what the RFCs actually say.

SOA Expire below RFC 1912 recommendation RFC 1912 §2.2

Cloudflare sets SOA Expire to 604,800 seconds (7 days). RFC 1912 §2.2 recommends 1,209,600–2,419,200 seconds (14–28 days). This means secondary nameservers stop serving the zone sooner if the primary becomes unreachable. Cloudflare's position is that their anycast architecture makes traditional zone transfer semantics less relevant. SOA timers are not editable on Free, Pro, or Business plans.

Below RFC recommendation
Proxied record TTLs fixed at 300s RFC 2181 §5.2

Cloudflare overrides the zone administrator's TTL to 300 seconds for all proxied (orange-cloud) records. RFC 2181 §5.2 requires TTL uniformity within an RRset but does not mandate a specific value. As the authoritative server, Cloudflare is technically within its rights, but the administrator loses TTL control. This can affect ACME DNS-01 challenges and automation workflows that depend on rapid propagation.

Technically compliant, but overrides administrator intent
Non-standard SOA serial format RFC 1912 §2.2

RFC 1912 recommends YYYYMMDDNN format for SOA serial numbers (e.g., 2026022501). Cloudflare uses a proprietary serial number format that does not encode the date. RFC 1035 only requires the serial to increment on changes, so this is compliant with the mandatory standard but breaks the convention relied on by monitoring tools.

Compliant with RFC 1035, deviates from RFC 1912 convention
Negative cache TTL delays new records RFC 2308 §5

Cloudflare's SOA MINIMUM (negative cache TTL) is 1,800–3,600 seconds (30–60 minutes). This controls how long resolvers cache NXDOMAIN responses. Newly created DNS records — including ACME DNS-01 challenge TXT records for Let's Encrypt — may be invisible for up to 1 hour even after creation. This causes certificate issuance failures for automation tools like cert-manager and Traefik. Workaround: pre-create placeholder records before they're needed. This is RFC-compliant but aggressive compared to the 300–900 seconds common at other providers.

RFC-compliant, but causes real-world automation failures
Historical RFC 2181 §5.2 violation: TTL mismatch in CNAME RRsets RFC 2181 §5.2

In February 2022, Cloudflare's resolver (1.1.1.1) returned CNAME responses with mismatched TTLs within the same RRset — including cases where one TTL was zero and another was non-zero. RFC 2181 §5.2 explicitly states: 'the TTLs of all RRs in an RRSet must be the same.' systemd-resolved (used by Arch Linux, Ubuntu, Fedora, and most modern Linux distributions) correctly rejected these responses per the RFC, causing widespread DNS resolution failures. Cloudflare acknowledged the issue and it appears to have been fixed, but it demonstrated that Cloudflare's DNS infrastructure can deviate from RFC requirements in ways that break compliant resolver implementations.

Was a documented RFC violation — appears resolved
This assessment is based on RFC specifications, provider documentation, and documented incidents from DNS engineering communities. DNS Tool does not have a commercial relationship with any provider listed.
Email Spoofing
Protected
Brand Impersonation
Not Setup
DNS Tampering
Protected
Certificate Control
Open
Recommended
Upgrade DMARC policy from quarantine to reject (p=reject) for maximum spoofing protection
Configured
SPF, DMARC (quarantine, 100%), DKIM, TLS-RPT, DNSSEC
Not Configured
MTA-STS, BIMI, DANE, CAA
Priority Actions Achievable posture: Secure
Medium Upgrade DMARC to Reject

Your DMARC policy is set to quarantine. Upgrade to p=reject for maximum protection — reject instructs receivers to discard spoofed mail entirely rather than quarantining it.

A reject policy provides the strongest protection against domain spoofing.
TypeTXT
Host_dmarc.dpsg-bodensee.de (update existing DMARC record)
Valuev=DMARC1; p=reject; rua=mailto:dmarc-reports@dpsg-bodensee.de
RFC 7489 §6.3
Low Add CAA Records

CAA records specify which Certificate Authorities may issue certificates for your domain, reducing the risk of unauthorized certificate issuance.

CAA constrains which CAs can issue certificates for this domain.
TypeCAA
Hostdpsg-bodensee.de (root of domain — adjust CA to match your provider)
Value0 issue "letsencrypt.org"
RFC 8659
Low Deploy MTA-STS

MTA-STS enforces TLS encryption for inbound mail delivery, preventing downgrade attacks on your mail transport.

MTA-STS tells sending servers to require TLS when delivering mail to your domain.
TypeTXT
Host_mta-sts.dpsg-bodensee.de (MTA-STS policy record)
Valuev=STSv1; id=dpsg-bodensee.de
RFC 8461
Registrar (NS INFERENCE) INFERRED LIVE
Cloudflare Registrar
Inferred from NS records
Email Service Provider
Unknown
Moderately Protected
Web Hosting
Unknown
Where website is hosted
DNS Hosting OBSERVED
Cloudflare
Where DNS records are edited
Email Security Methodology Can this domain be impersonated by email? Unlikely SPF and DMARC quarantine policy enforced

SPF Record RFC 7208 §4 Verified

Does this domain declare who may send email on its behalf? Yes
Success ~all 3/10 lookups

SPF valid with industry-standard soft fail (~all), 3/10 lookups

v=spf1 mx a ip4:116.203.27.89 ip6:2a01:4f8:1c1c:a09a::1 include:_spf.webhosting.systems ~all
RFC 7208 Conformant — This SPF record conforms to the syntax and semantics defined in RFC 7208 §4.
RFC Failure Mode: Unlike DMARC (where unknown tags are silently ignored per RFC 7489 §6.3), SPF with unrecognized mechanisms produces a PermError per RFC 7208 §4.6 — the record fails loudly rather than silently.
Related CVEs: CVE-2024-7208 (multi-tenant domain spoofing), CVE-2024-7209 (shared SPF exploitation), CVE-2023-51764 (SMTP smuggling bypasses SPF)
~all is the industry standard. Google, Apple, and most providers default to soft fail. CISA (BOD 18-01) and RFC 7489 confirm that DMARC policy — not SPF alone — is the primary enforcement control. Using ~all allows DKIM to be evaluated before a DMARC decision is made. This domain uses ~all + DMARC quarantine — good protection. Moving to p=reject would achieve the strongest stance.

DMARC Policy RFC 7489 §6.3 Verified

Are spoofed emails rejected or quarantined? Quarantined, not rejected
Success p=quarantine

DMARC policy quarantine (100%) - good protection

v=DMARC1; p=quarantine; pct=100; rua=mailto:12dac9ea@in.mailhardener.com,mailto:03af6dca53504976946492d985899d4d@dmarc-reports.cloudflare.net,mailto:beudyx7j@rua.dmarceye.com; ruf=mailto:12dac9ea@in.mailhardener.com,mailto:03af6dca53504976946492d985899d4d@dmarc-reports.cloudflare.net; ri=86400; aspf=r; adkim=r; fo=1
Alignment: SPF relaxed DKIM relaxed
No np= tag (DMARCbis) — non-existent subdomains inherit p= policy but adding np=reject provides explicit protection against subdomain spoofing
Forensic reporting (ruf) is configured, but most major providers do not send forensic reports. RFC 7489 §7.3 warns that forensic reports can expose PII (full message headers or bodies). Google, Microsoft, and Yahoo do not honour ruf= requests. The DMARCbis draft (draft-ietf-dmarc-dmarcbis) has formally removed ruf= from the specification. Consider removing this tag to simplify your record. RFC 7489 §7.3 — Forensic Reports
Advanced cryptographic posture detected. Domain appears to be in deliberate DMARC deployment phase — quarantine fully enforced with reporting, consider upgrading to reject
RFC 7489 Present — DMARC record published per RFC 7489 §6.3.
Monitoring Posture Note: Quarantine sequesters authentication failures while preserving full DMARC forensic telemetry (RFC 7489 §7). Some organizations maintain quarantine rather than reject as a deliberate monitoring strategy — failed messages are processed and reported but sequestered from the inbox. See NIST SP 800-177 Rev. 1 for enforcement tradeoffs.
DMARCbis (Pending): draft-ietf-dmarc-dmarcbis will elevate DMARC to Standards Track, obsolete RFC 7489, replace pct= with t= (testing flag), add np= (non-existent subdomain policy), and mandate DNS tree walk for policy discovery instead of the Public Suffix List.
Related CVEs: CVE-2024-49040 (Exchange sender spoofing), CVE-2024-7208 (multi-tenant DMARC bypass)

DKIM Records RFC 6376 §3.6 Verified

Are outbound emails cryptographically signed? Yes — verified
Found 2048-bit

Found DKIM for 3 selector(s) with strong keys (2048-bit)

key1._domainkey 2048-bit Adequate
v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3iZ3AlDj02zi0d54fFD7GNgDjlhLlBlRFP1B2/By6dwp4WRbCvY0cudVUZFJSH3oVrPucK159IYwSR98EvyXM3Gc63LeQl3XK7+B5GgLnP+DBHWDxIJBxaFGLzURpykCbXDuJ8QaS+AknhWnNP5f7KIwroevQO8+banQljw8isXO52Nv+HPeBQN63+pJC3vfDQeiipBoMLlAsRG5R73AddT1RDlL2EKm1MREqTEkZ/tBh6VIGPzxOCr/jKWsqeY5/saNqkplI1B2UeoPmrVUo2PE7uEfB8OLBYurjAVhDisTI+0zOssGousQdjxqs2/qMUhA9gR3EwnAHqY7ZhFP/wIDAQAB
key2._domainkey 2048-bit Adequate
v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmFTQ2W4oTdiCzU6HLIVO101ba5RhC3+5GMq7sxuO8AbHyKaFriIDaiQg1X+GGF711KF3s67t8QyVvMgiDpO5GpJjW1UG4Wgk92D0uiIoSVjZzfVDp6GVeNj5UCFzTISU8NupArEaYjQNcmjZ9Ln+kqszw42mUYey2J5DVBccoRXEl2Fum51cNdL0AHhDC/XTZsWUEKCs8HV3rLjV7G3f4+F7pb8UnAwkQrRRSWkBDzrAXHq2u7ojFmLmM0k4JT09TSthjuRQHwK9GZIb7z56N4TOYWjdgxPnSLXT9EAzOwRr/hiL0E6N0alwIDIMR1FpjYC5jrHkckU0fL3e7tV4IQIDAQAB
mail._domainkey 2048-bit Adequate
v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWMPfTKdQEeexkUjP1aniw0nd8W3EijveXheRt3K7gKBsyCKhLuJaGh3+KuK3svn3KDHIgGGah+hLWC5G50gGezLLzaIxHLP5SV49K8hrfl69VufAnfY7L1YtWcNdsr/+xzqUV5G36KtfmvjgVO0xTZLLFKp0OYphzNPYsLw04SwIDAQAB
RFC 6376 Conformant — DKIM keys and signatures conform to RFC 6376 §3.6 (Internet Standard).
Known Vulnerabilities: DKIM l= tag body length vulnerability (attacker appends unsigned content to signed mail), weak key exploitation (keys below 1024-bit are cryptographically breakable per RFC 6376 §3.3.3), DKIM replay attacks (re-sending legitimately signed messages at scale)

MTA-STS RFC 8461 §3 Verified

Can attackers downgrade SMTP to intercept mail? Not prevented
Warning TESTING Policy Verified

MTA-STS in testing mode - TLS failures reported but not enforced

v=STSv1; id=20250628T0108Z;
Policy Details:
  • Mode: testing
  • Max Age: 7 days (604800 seconds)
  • MX Patterns: mxe8db.netcup.net

MTA-STS policy enforcement is evaluated in Mail Transport Security below.

TLS-RPT RFC 8460 §3 Verified

Will failures in TLS delivery be reported? Yes — reports configured
Success

TLS-RPT configured - receiving TLS delivery reports

v=TLSRPTv1; rua=mailto:12dac9ea@in.mailhardener.com

DMARC External Reporting Authorization RFC 7489 §7.1

Are external report receivers authorized? Yes — all authorized
Success

All 3 external reporting domains properly authorized

External Domain Authorization Auth Record
in.mailhardener.com Authorized v=DMARC1;
dmarc-reports.cloudflare.net Authorized v=DMARC1;
rua.dmarceye.com Authorized v=DMARC1
DANE / TLSA Verified Recon Methodology Can mail servers establish identity without a public CA? No
RFC 7672 §3 RFC 6698 §2 Not Configured

No DANE/TLSA records found (checked 2 MX hosts)

DANE (RFC 7672) binds TLS certificates to DNSSEC-signed DNS records, protecting email transport against man-in-the-middle attacks and rogue CAs. It is the primary transport security standard — MTA-STS (RFC 8461) was created as the alternative for domains that cannot deploy DNSSEC. Over 1 million domains use DANE globally, including Microsoft Exchange Online, Proton Mail, and Fastmail. Best practice: deploy both for defense in depth.
Email Transport Security

Two mechanisms protect email in transit. DANE is the primary standard; MTA-STS is the alternative for domains that cannot deploy DNSSEC:

  • DNSSEC + DANE (RFC 7672) — Cryptographic chain of trust from DNS root to mail server certificate. Eliminates reliance on certificate authorities. No trust-on-first-use weakness. Requires DNSSEC.
  • MTA-STS (RFC 8461) — HTTPS-based policy requiring TLS for mail delivery. Works without DNSSEC but relies on CA trust and is vulnerable on first use (§10). Created for domains where “deploying DNSSEC is undesirable or impractical” (§2).
This domain has neither DANE nor MTA-STS. Mail transport relies on opportunistic TLS without policy enforcement, leaving it vulnerable to downgrade attacks. Deploy DANE (RFC 7672) with DNSSEC for the strongest protection, or MTA-STS (RFC 8461) if DNSSEC is not feasible.

Industry trend: Microsoft Exchange Online enforces inbound DANE with DNSSEC (GA October 2024), and providers like Proton Mail and Fastmail also support DANE. Google Workspace does not support DANE and relies on MTA-STS. Both mechanisms coexist because DANE is backward-compatible — senders skip the check if the domain isn't DNSSEC-signed (RFC 7672 §1.3).

Brand Security Can this brand be convincingly faked? Likely DMARC quarantine flags but does not reject spoofed mail (RFC 7489 §6.3) — no BIMI or CAA (RFC 8659) reinforcement leaves brand impersonation largely unaddressed

BIMI BIMI Spec Verified Warning

Is the brand identity verified and displayed in inboxes? No

No valid BIMI record found

CAA RFC 8659 §4 Verified