Security
An overview of the security measures in place for Mr.DNS.
Transport Security
All traffic to Mr.DNS is served exclusively over HTTPS with TLS 1.2 or 1.3. HTTP requests are redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enabled.
Content Security Policy
Every page is served with a strict Content Security Policy. Inline scripts use per-request cryptographic nonces, preventing injection of unauthorized scripts. External resources (CDN scripts, fonts) are allowed only from a specific allowlist.
Rate Limiting
All AJAX and API endpoints enforce per-IP rate limits. Requests that exceed the threshold receive an HTTP 429 response. This mitigates abuse and protects the DNS infrastructure we query on your behalf.
Input Validation
All user-supplied input is validated server-side before use. Domain names, IP addresses, port numbers, and record types are checked against strict allowlists. Raw DNS queries are performed using a dedicated DNS library (NetDNS2) with no shell interpolation.
No Sensitive Data Storage
DNS queries, IP addresses you look up, and hostnames you test are not stored in any database. They exist only in memory for the duration of the request. Server access logs are retained for up to 30 days and contain only standard HTTP log fields (requesting IP, URL, status, user agent).
Dependency Management
Server-side dependencies are managed via Composer. We use well-maintained libraries with active security track records: NetDNS2 (DNS resolution), GuzzleHTTP (HTTP requests), and MaxMind GeoIP2 (IP geolocation). Client-side, we use Bootstrap and Font Awesome sourced from trusted CDNs with Subresource Integrity where applicable.
Outbound Requests
Many tools (SSL checker, BIMI checker, MTA-STS checker, HTTP headers) make outbound HTTP or TCP requests on your behalf. These originate from our server's IP address. We validate URLs against HTTPS-only requirements and enforce connection timeouts to prevent server-side request forgery (SSRF) to internal addresses.
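An added example, not Mr.DNS's own code: one way an outbound-URL check of this kind can be written in Python. The function names, the 5-second timeout, the sample hostnames and the rule that every resolved address must be public are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

CONNECT_TIMEOUT_SECONDS = 5  # assumed value, to be passed to the HTTP/TCP client


def resolve_all(host, port):
    """Default resolver: every address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url, resolver=resolve_all):
    """Return (host, port, addresses) for a fetchable URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https:// URLs are accepted")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not accepted")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or 443  # .port itself raises ValueError on a bad port
    addresses = resolver(host, port)
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%", 1)[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4
        # Every resolved address must be public: one internal record is enough
        # to reject, since the client could connect to any of them.
        if not ip.is_global or ip.is_multicast:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    # Connect to these validated addresses rather than resolving the name again,
    # so a changed DNS answer cannot redirect the request afterwards.
    return host, port, addresses


if __name__ == "__main__":
    # Constructed resolver data so the demo runs offline.
    records = {"public.example": ["93.184.216.34"], "meta.example": ["169.254.169.254"]}
    for url in ("https://public.example/", "http://public.example/", "https://meta.example/"):
        try:
            print(url, "->", check_outbound_url(url, lambda h, p: records.get(h, [])))
        except ValueError as err:
            print(url, "-> rejected:", err)
```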
Responsible Disclosure
If you discover a security vulnerability in Mr.DNS, please report it responsibly to info@generatorlabs.com. We ask that you:
- Give us reasonable time to investigate and remediate before public disclosure.
- Avoid accessing, modifying, or deleting data belonging to other users.
- Not perform denial-of-service testing or automated scanning beyond what is needed to demonstrate the issue.
We do not currently operate a paid bug bounty programme, but we will acknowledge and thank researchers who report valid vulnerabilities responsibly.