Score every domain against essential DNS safeguards quickly. Tune weights, accept partials, track improvements easily. Turn results into actions that harden your name servers.
Each control is assigned a weight and a status factor: Pass = 1.0, Partial = 0.5, Fail = 0.0.
Base Compliance (%) = ( Σ(weight × factor) ÷ Σ(weight) ) × 100
Final Compliance subtracts penalty points from flagged high-risk findings and a small incident penalty from the past 90 days, then clamps the result between 0 and 100.
| Sample domain | Highlights | Compliance | Risk |
|---|---|---|---|
| alpha.example | DNSSEC, DMARC enforcement, restricted transfers, strong monitoring | 93.5% | 6.5 |
| beta.example | SPF/DKIM partial, missing CAA, incidents reported | 76.0% | 24.0 |
| gamma.example | No DNSSEC, open resolver flagged, transfers unrestricted | 52.0% | 48.0 |
Numbers are illustrative and depend on your chosen weights.
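The scoring formula above, worked through as an added example (not the calculator's own code). The control names, weights and penalty sizes are assumptions chosen for illustration; only the Pass/Partial/Fail factors, the subtraction of penalties and the 0 to 100 clamp come from the page. It goes one step further than the formula by ranking the non-passing controls by the base points each would recover.

```python
# Added example. Weights, control names and penalty sizes are assumptions;
# only the Pass/Partial/Fail factors and the formula come from the page.
FACTORS = {"pass": 1.0, "partial": 0.5, "fail": 0.0}

def _validated(controls):
    """Check (name, weight, status) tuples and return them with the total weight."""
    for name, weight, status in controls:
        if weight < 0 or status.lower() not in FACTORS:
            raise ValueError(f"bad weight or status for control: {name}")
    total = sum(weight for _, weight, _ in controls)
    if total <= 0:
        raise ValueError("total weight must be positive")
    return controls, total

def base_compliance(controls):
    """Base Compliance (%) = sum(weight x factor) / sum(weight) x 100."""
    controls, total = _validated(controls)
    earned = sum(w * FACTORS[s.lower()] for _, w, s in controls)
    return 100.0 * earned / total

def final_compliance(controls, high_risk_points=(), incidents_90d=0,
                     points_per_incident=1.0):
    """Subtract high-risk and 90-day incident penalties, then clamp to 0..100."""
    penalty = sum(high_risk_points) + incidents_90d * points_per_incident
    return max(0.0, min(100.0, base_compliance(controls) - penalty))

def remediation_order(controls):
    """Base points each failing or partial control would recover, largest first."""
    controls, total = _validated(controls)
    gaps = [(n, 100.0 * w * (1.0 - FACTORS[s.lower()]) / total)
            for n, w, s in controls]
    return sorted((g for g in gaps if g[1] > 0), key=lambda g: -g[1])

# Constructed sample assessment for a hypothetical domain.
SAMPLE = [
    ("DNSSEC signing", 10, "fail"),
    ("Recursion disabled", 10, "pass"),
    ("Zone transfers restricted", 8, "partial"),
    ("DMARC enforcement", 8, "partial"),
    ("SPF and DKIM", 6, "pass"),
    ("CAA records", 4, "fail"),
    ("Change monitoring", 4, "pass"),
]

if __name__ == "__main__":
    print(f"base  = {base_compliance(SAMPLE):.1f}%")
    print(f"final = {final_compliance(SAMPLE, [10.0], incidents_90d=2):.1f}%")
    for name, points in remediation_order(SAMPLE):
        print(f"  +{points:.1f}  {name}")
```
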
DNS policy compliance starts with a clear inventory of zones, registrars, authoritative providers, and any delegated subdomains. Record which teams own each record set, which services depend on low TTL changes, and which hosts send email. Include split-horizon or internal zones, third-party SaaS delegations, and registrar protections such as transfer locks. This calculator helps translate that inventory into measurable controls, so policy requirements are applied consistently across production and nonproduction environments.
Not every DNS safeguard carries the same impact. Weighted scoring lets you emphasize controls that reduce the largest blast radius, such as restricting recursion, protecting transfer paths, or enforcing authentication records. Pass, Partial, and Fail map to fixed factors, producing a transparent base percentage. Adjusting weights creates an auditable rationale for why some gaps matter more than others, and supports benchmarking across teams. Penalties capture urgent exposure that deserves immediate prioritization.
SPF, DKIM, and DMARC operate as a chain: SPF authorizes senders, DKIM provides message integrity, and DMARC aligns identifiers while publishing an enforcement policy. A "none" DMARC policy may help collect reports, but it does not stop spoofing. Strong alignment, monitored aggregate reports, and sensible key rotation improve deliverability while reducing impersonation risk. Ensure subdomains follow policy, avoid excessive SPF lookups, and validate DKIM selectors in every sending system.
Authoritative name servers should answer authoritatively, not recursively. Disabling recursion blocks abuse as an open resolver and reduces amplification exposure. Zone transfers should be limited to approved secondaries using allow lists and authenticated channels. DNSSEC adds integrity for records in transit, CAA constrains certificate issuance, and PTR alignment supports mail reputation when relevant. Where transfers are required, use TSIG, review ACLs regularly, and keep secondary endpoints hardened.
Controls are only durable when operations reinforce them. Monitoring should alert on record changes, NXDOMAIN rates, latency spikes, and transfer attempts. MFA and change approvals on the DNS platform reduce takeover risk, while backups support recovery. Incident history adds a small confidence penalty. Exporting to CSV or PDF simplifies reviews and audit evidence for teams. Re-run assessments after migrations and quarterly to prove continuous control.
Partial means the control is implemented but not fully enforced, documented, or consistently applied. It receives half credit, helping you reflect progress while still highlighting the remaining work.
Start with your policy or audit requirements, then raise weights for controls that prevent broad abuse, like recursion hardening and transfer restriction. Keep totals realistic, and document your rationale for repeatable scoring.
No. It is a scoring and prioritization tool. Use evidence from DNS queries, provider dashboards, and change tickets to decide Pass, Partial, or Fail, then track improvements over time.
Public recursion can be abused for DNS amplification and data leakage. It also increases operational load and attack surface. Because exposure is immediate, the calculator subtracts penalty points even if other controls are strong.
Many teams target 75% as a minimum baseline and 90% for mature posture. Use thresholds that match your risk appetite, regulatory expectations, and the criticality of the domain or service.
Reassess after major DNS changes, provider migrations, or incidents. For stable environments, a quarterly review supports audit evidence and catches drift in records, access controls, and monitoring.