51 tools from the Blackveil Dns MCP Server, categorised by risk level.
View the Blackveil Dns policy →analyze_drift Compare current security posture against a previous baseline. Shows what improved, regressed, or changed. assess_spoofability Composite email spoofability score (0-100). batch_scan Scan up to 10 domains at once. Returns score, grade, and finding counts per domain. check_bimi Validate BIMI record and VMC evidence. check_caa Look up CAA records for a domain. Shows which Certificate Authorities are authorized to issue certificates. check_dane Verify DANE/TLSA certificate pinning. check_dane_https Verify DANE certificate pinning for HTTPS via TLSA records at _443._tcp.{domain}. check_dbl Check domain reputation against DNS-based Domain Block Lists (Spamhaus DBL, URIBL, SURBL). Returns listing status with decoded return codes. check_dkim Look up DKIM records for a domain. Probes common selectors and validates key strength and algorithm. check_dmarc Look up and validate DMARC record for a domain. Shows policy enforcement, alignment mode, and reporting config. check_dnssec Check DNSSEC status for a domain. Verifies DNSKEY/DS records and validation chain. check_dnssec_chain Walk the DNSSEC chain of trust from root to target domain. Reports DS/DNSKEY records, algorithm usage, and linkage status at each zone level. check_fast_flux Detect fast-flux DNS behavior by performing multiple rounds of A/AAAA queries with delays. Compares IP answer sets and TTLs across rounds to identi... check_http_security Audit HTTP security headers (CSP, COOP, etc.). check_lookalikes Detect active typosquat/lookalike domains. Standalone. check_mta_sts Validate MTA-STS SMTP encryption policy. check_mx Look up MX records for a domain. Shows mail servers, email provider detection, and validates configuration. check_mx_reputation Check MX blocklist status and reverse DNS. check_ns Look up NS (nameserver) records for a domain. Shows DNS provider, delegation, and redundancy. check_nsec_walkability Assess zone walkability risk by analyzing NSEC3PARAM configuration. Detects plain NSEC zones, weak NSEC3 parameters, and opt-out flags. check_rbl Check MX server IP reputation against 8 DNS-based Real-time Blocklists (Spamhaus ZEN, SpamCop, UCEProtect, Mailspike, Barracuda, PSBL, SORBS). Reso... check_resolver_consistency Check DNS consistency across 4 public resolvers. check_shadow_domains Find TLD variants with email auth gaps. Standalone. check_spf Look up and validate SPF record for a domain. Shows authorized senders, syntax issues, and trust surface. check_srv Probe SRV records for service footprint. check_ssl Check SSL/TLS certificate for a domain. Shows issuer, expiry, protocol versions, and HTTPS configuration. check_subdomailing Detect SubdoMailing risk by analyzing SPF include chain for takeover-vulnerable domains. check_svcb_https Validate HTTPS/SVCB records (RFC 9460) for modern transport capability advertisement. check_tlsrpt Validate TLS-RPT SMTP failure reporting. check_txt_hygiene Audit TXT records for stale entries and SaaS exposure. check_zone_hygiene Audit SOA propagation and sensitive subdomains. compare_baseline Compare domain security against a policy baseline. compare_domains Side-by-side security comparison of 2–5 domains. Shows scores, category gaps, and unique weaknesses. cymru_asn Map domain IPs to Autonomous System Numbers via Team Cymru DNS. Returns ASN, prefix, country, registry, and organization for each IP. Flags high-ri... discover_subdomains Find subdomains of a domain using Certificate Transparency logs. Reveals shadow IT, forgotten services, and unauthorized certificate issuance. explain_finding Explain a finding with impact and remediation. get_benchmark Get score benchmarks: percentiles, mean, top failures. get_provider_insights Get provider cohort benchmarks and common issues. map_compliance Map scan findings to compliance frameworks: NIST 800-177, PCI DSS 4.0, SOC 2, CIS Controls. Shows pass/fail/partial status per control. rdap_lookup Fetch domain registration data via RDAP (modern WHOIS replacement). Returns registrar, creation/expiration dates, EPP status, registrant info, and ... scan_domain Look up any domain to get a full DNS and email security audit. Use this whenever a user mentions a domain name, asks to check/scan/lookup/analyze a... simulate_attack_paths Analyze current DNS posture and enumerate specific attack paths an adversary could exploit, with severity, feasibility, steps, and mitigations. validate_fix Re-check a specific control after applying a fix. Confirms whether the finding is resolved. generate_dkim_config Generate DKIM setup instructions and DNS record. generate_dmarc_record Generate DMARC record with configurable policy. generate_fix_plan Generate prioritized remediation plan with effort estimates. generate_mta_sts_policy Generate MTA-STS record and policy file. generate_rollout_plan Generate a phased DMARC enforcement timeline with exact DNS records per phase. generate_spf_record Generate corrected SPF record from detected providers. map_supply_chain Map third-party service dependencies from DNS records. Correlates SPF, NS, TXT verifications, SRV services, and CAA to show who can send as you, co... resolve_spf_chain Trace the full SPF include chain for a domain. Recursively resolves all includes, shows lookup count, tree depth, and flags circular includes or ex... The Blackveil Dns MCP server exposes 51 tools across 2 categories: Read, Write.
Use Intercept, the open-source MCP proxy. Write YAML rules for each tool — rate limits, argument validation, or deny rules — then run Intercept in front of the Blackveil Dns server.
Blackveil Dns tools are categorised as Read (43), Write (8). Each category has a recommended default policy.
Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.