// SCAN REPORT

Blackveil Dns

51 tools. 8 can modify or destroy data without limits.

8 write tools that can modify data. Rate limits recommended.

Last updated:

8 can modify or destroy data
43 read-only
51 tools total
// TOOL MAP
Read (43) Write / Execute (8) Destructive / Financial (0)
// WHAT CAN GO WRONG

Write operations (generate_dkim_config, generate_dmarc_record, generate_fix_plan) modify state. Without rate limits, an agent can make hundreds of changes in seconds — faster than any human can review or revert.

// RECOMMENDED RULES
Rate limit write operations
generate_dkim_config:
  rules:
    - rate_limit: 30/hour

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
analyze_drift:
  rules:
    - rate_limit: 60/minute

Controls API costs and prevents retry loops from exhausting upstream rate limits.

// ALL 51 BLACKVEIL DNS TOOLS
WRITE 8 tools
Write generate_dkim_config Write generate_dmarc_record Write generate_fix_plan Write generate_mta_sts_policy Write generate_rollout_plan Write generate_spf_record Write map_supply_chain Write resolve_spf_chain
READ 43 tools
Read analyze_drift Read assess_spoofability Read batch_scan Read check_bimi Read check_caa Read check_dane Read check_dane_https Read check_dbl Read check_dkim Read check_dmarc Read check_dnssec Read check_dnssec_chain Read check_fast_flux Read check_http_security Read check_lookalikes Read check_mta_sts Read check_mx Read check_mx_reputation Read check_ns Read check_nsec_walkability Read check_rbl Read check_resolver_consistency Read check_shadow_domains Read check_spf Read check_srv Read check_ssl Read check_subdomailing Read check_svcb_https Read check_tlsrpt Read check_txt_hygiene Read check_zone_hygiene Read compare_baseline Read compare_domains Read cymru_asn Read discover_subdomains Read explain_finding Read get_benchmark Read get_provider_insights Read map_compliance Read rdap_lookup Read scan_domain Read simulate_attack_paths Read validate_fix
// FAQ
How do I prevent bulk modifications through Blackveil Dns? +

The Blackveil Dns server has 8 write tools including generate_dkim_config, generate_dmarc_record, generate_fix_plan. Set rate limits in your policy file -- for example, rate_limit: 10/hour prevents an agent from making more than 10 modifications per hour. Intercept enforces this at the transport layer.

How many tools does the Blackveil Dns MCP server expose? +

51 tools across 2 categories: Read, Write. 43 are read-only. 8 can modify, create, or delete data.

How do I add Intercept to my Blackveil Dns setup? +

One line change. Instead of running the Blackveil Dns server directly, prefix it with Intercept: intercept -c com-blackveilsecurity-dns.yaml -- npx -y @blackveil-dns. Download a pre-built policy from policylayer.com/policies/com-blackveilsecurity-dns and adjust the limits to match your use case.

Let agents act without letting them run wild.

Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.

Currently onboarding teams running MCP in production.
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.

// REQUEST EARLY ACCESS

We're letting people in as fast as we can.

You're in the queue.

We'll be in touch as soon as we can let you in.