dnsspectre — DNS hygiene and subdomain takeover detection. Part of SpectreHub.
- Scans DNS zones for dangling records pointing to deleted resources
- Detects subdomain takeover vectors (CNAME, NS, MX targets)
- Checks for missing CAA records
- Supports Route53, Cloud DNS, Azure DNS, and Cloudflare
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a DNS monitoring service — point-in-time scanner
- Not a penetration testing tool — detects risk, does not exploit
- Not a DNS manager — reports findings, never modifies records
- Not a certificate manager — flags missing CAA, does not issue certs
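
As an added illustration (not dnsspectre's own code, data model, or output), the checks listed above can be sketched over a constructed zone export: CNAME, NS and MX targets that no longer resolve are flagged as dangling, and owner names with no CAA record at or above them within the zone are flagged. The `Record` layout, the `.test` names, and the `resolves` callback standing in for live resolution are assumptions, and treating non-resolution as the only dangling signal is a simplification.

```python
# Added illustration: constructed zone data, not dnsspectre's data model or output.
from typing import Callable, NamedTuple

class Record(NamedTuple):
    name: str
    rtype: str
    value: str

def norm(host: str) -> str:
    return host.rstrip(".").lower()

def target_of(rec: Record) -> str:
    # MX rdata is "<preference> <exchange>"; CNAME and NS rdata is the hostname itself.
    return norm(rec.value.split()[-1])

def covered_by_caa(name: str, apex: str, caa_owners: set) -> bool:
    # RFC 8659 lookup: walk from the name toward the apex until a CAA RRset is found.
    labels = norm(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in caa_owners:
            return True
        if candidate == norm(apex):
            return False
    return False

def audit(apex: str, records: list, resolves: Callable[[str], bool]) -> list:
    findings = []
    for rec in records:
        if rec.rtype in ("CNAME", "NS", "MX") and not resolves(target_of(rec)):
            findings.append((f"dangling-{rec.rtype.lower()}", norm(rec.name), target_of(rec)))
    caa_owners = {norm(r.name) for r in records if r.rtype == "CAA"}
    for owner in sorted({norm(r.name) for r in records}):
        if not covered_by_caa(owner, apex, caa_owners):
            findings.append(("missing-caa", owner, ""))
    return findings

# Constructed sample zone (.test names) and a stand-in for live resolution of targets.
ZONE = [
    Record("example.test.", "NS", "ns1.dns-host.test."),
    Record("example.test.", "NS", "ns2.retired-dns.test."),
    Record("example.test.", "MX", "10 mail.mail-host.test."),
    Record("www.example.test.", "CNAME", "app.cdn-host.test."),
    Record("shop.example.test.", "CNAME", "old-store.paas-host.test."),
    Record("promo.example.test.", "CAA", '0 issue "ca.test"'),
]
LIVE = {"ns1.dns-host.test", "mail.mail-host.test", "app.cdn-host.test"}

if __name__ == "__main__":
    for finding in audit("example.test.", ZONE, lambda host: host in LIVE):
        print(finding)
```
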
```
brew tap ppiankov/tap
brew install dnsspectre
```

```
git clone https://github.com/ppiankov/dnsspectre.git
cd dnsspectre
make build
```

```
dnsspectre scan --provider route53 --format json
```

| Command | Description |
|---|---|
| `dnsspectre scan` | Scan DNS zones for dangling records and takeover risk |
| `dnsspectre init` | Generate config file and provider credentials |
| `dnsspectre version` | Print version |

dnsspectre feeds DNS hygiene findings into SpectreHub for unified visibility across your infrastructure.

```
spectrehub collect --tool dnsspectre
```

dnsspectre operates in read-only mode. It inspects and reports — never modifies, deletes, or alters your DNS records.

| Document | Contents |
|---|---|
| CLI Reference | Full command reference, flags, and configuration |
MIT — see LICENSE.
Built by Obsta Labs