Enter DNS configuration signals
Formula used
Risk score is the weighted sum of signals, clamped to 0–100.
Score = Σ(weightᵢ × conditionᵢ)
Score = min(100, max(0, Score))
Score = min(100, max(0, Score))
- Open AXFR adds 35 points.
- No transfer policy adds 20 points; weak adds 10.
- No ACL adds 10; no TSIG adds 10.
- Internet exposure +5; recursion +5; no monitoring +5.
- Unknown/outdated patch +5; no rate limiting +3; no DNSSEC +2.
- More nameservers add up to +3 for drift risk.
How to use this calculator
- Enter the zone and authoritative server count.
- Select what you know about transfer controls and monitoring.
- Run external AXFR tests to confirm exposure when possible.
- Click Calculate Risk and review reasons and actions.
- Download CSV/PDF to share with your security team.
Tip: Treat “Unknown” selections as operational risk until verified.
Example data table
Illustrative inputs and computed score| Zone | NS | Policy | Open AXFR | ACL | TSIG | Exposure | Recursion | Monitoring | Patch | RRL | DNSSEC | Score | Level |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| example.com | 4 | weak | unknown | no | no | internet | yes | no | unknown | no | no | 57 | High |
Example row shows how “unknown” and missing controls elevate risk.