# blackveil-dns

BLACKVEIL DNS

## Quick Start

```bash
# Connect this server (installs CLI if needed)
npx -y @smithery/cli@latest mcp add MadaBurns/bv-mcp

# Browse available tools
npx -y @smithery/cli@latest tool list MadaBurns/bv-mcp

# Get full schema for a tool
npx -y @smithery/cli@latest tool get MadaBurns/bv-mcp check_mx

# Call a tool
npx -y @smithery/cli@latest tool call MadaBurns/bv-mcp check_mx '{}'
```

## Direct MCP Connection

Endpoint: `https://bv-mcp--madaburns.run.tools`

**Optional config:**
- `apiKey` (query) — Optional API key for higher rate limits. Leave blank for free tier (50 req/min).

## Tools (41)

- `check_mx` — Validate MX records and detect the email provider.
- `check_spf` — Validate SPF syntax, policy, and trust surface.
- `check_dmarc` — Validate DMARC policy, alignment, and reporting.
- `check_dkim` — Probe DKIM selectors and validate key strength.
- `check_dnssec` — Verify DNSSEC validation and DNSKEY/DS records.
- `check_ssl` — Verify SSL/TLS certificate and HTTPS config.
- `check_mta_sts` — Validate MTA-STS SMTP encryption policy.
- `check_ns` — Analyze NS delegation and provider diversity.
- `check_caa` — Check authorized Certificate Authorities via CAA.
- `check_bimi` — Validate BIMI record and VMC evidence.
- `check_tlsrpt` — Validate TLS-RPT SMTP failure reporting.
- `check_http_security` — Audit HTTP security headers (CSP, COOP, etc.).
- `check_dane` — Verify DANE/TLSA certificate pinning.
- `check_dane_https` — Verify DANE certificate pinning for HTTPS via TLSA records at `_443._tcp.{domain}`.
- `check_svcb_https` — Validate HTTPS/SVCB records (RFC 9460) for modern transport capability advertisement.
- `check_lookalikes` — Detect active typosquat/lookalike domains. Standalone.
- `scan_domain` — Full DNS and email security audit. Score, grade, maturity, findings. Start here.
- `compare_baseline` — Compare domain security against a policy baseline.
- `check_shadow_domains` — Find TLD variants with email auth gaps. Standalone.
- `check_txt_hygiene` — Audit TXT records for stale entries and SaaS exposure.
- `check_mx_reputation` — Check MX blocklist status and reverse DNS.
- `check_srv` — Probe SRV records for service footprint.
- `check_zone_hygiene` — Audit SOA propagation and sensitive subdomains.
- `generate_fix_plan` — Generate prioritized remediation plan with effort estimates.
- `generate_spf_record` — Generate corrected SPF record from detected providers.
- `generate_dmarc_record` — Generate DMARC record with configurable policy.
- `generate_dkim_config` — Generate DKIM setup instructions and DNS record.
- `generate_mta_sts_policy` — Generate MTA-STS record and policy file.
- `get_benchmark` — Get score benchmarks: percentiles, mean, top failures.
- `get_provider_insights` — Get provider cohort benchmarks and common issues.
- `assess_spoofability` — Composite email spoofability score (0-100).
- `check_resolver_consistency` — Check DNS consistency across 4 public resolvers.
- `explain_finding` — Explain a finding with impact and remediation.
- `map_supply_chain` — Map third-party service dependencies from DNS records. Correlates SPF, NS, TXT verifications, SRV services, and CAA to …
- `analyze_drift` — Compare current security posture against a previous baseline. Shows what improved, regressed, or changed.
- `validate_fix` — Re-check a specific control after applying a fix. Confirms whether the finding is resolved.
- `generate_rollout_plan` — Generate a phased DMARC enforcement timeline with exact DNS records per phase.
- `resolve_spf_chain` — Recursively resolve the full SPF include chain. Shows lookup count, tree depth, and flags issues like circular includes…
- `discover_subdomains` — Discover subdomains via Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certific…
- `map_compliance` — Map scan findings to compliance frameworks: NIST 800-177, PCI DSS 4.0, SOC 2, CIS Controls. Shows pass/fail/partial sta…
- `simulate_attack_paths` — Analyze current DNS posture and enumerate specific attack paths an adversary could exploit, with severity, feasibility,…

```bash
# Get full input/output schema for a tool
npx -y @smithery/cli@latest tool get MadaBurns/bv-mcp <tool-name>
```

## Resources

- `dns-security://guides/security-checks` — Overview of all DNS/email security checks performed by Blackveil DNS, including SPF, DMARC, DKIM, DNSSEC, SSL/TLS, MTA-…
- `dns-security://guides/scoring` — How DNS/email security scores and grades are calculated, including category weights and severity penalties.
- `dns-security://guides/record-types` — List of DNS record types queried by this server and their purpose in security analysis.
- `dns-security://guides/agent-workflows` — Recommended tool usage patterns and decision trees for common DNS security tasks.
- `dns-security://guides/intelligence` — How benchmark and provider cohort features work, privacy guarantees, and data freshness.
- `dns-security://guides/remediation` — Step-by-step DNS record fix patterns for each check category, using generate_* tools.

## Prompts (7)

- `full-security-audit` (domain) — DNS & email security audit with remediation
- `email-auth-check` (domain) — Email auth posture: SPF, DMARC, DKIM, MTA-STS
- `policy-compliance-check` (domain, minimum_grade) — Check domain against security policy baseline
- `remediation-workflow` (domain) — Scan, plan fixes, generate DNS records
- `email-hardening-guide` (domain) — Email hardening plan with DNS record generation
- `provider-benchmark` (domain) — Benchmark domain against email provider cohort
- `attack-surface-assessment` (domain) — Spoofability, lookalikes, shadow domain analysis
