Secure Domains and IP Addresses with cnspec

Scan domains and IP addresses for DNS, TLS, HTTP header, and email security with cnspec.

Scan your internet-facing hosts to find security risks before they become incidents. cnspec evaluates TLS certificates, HTTP security headers, DNS configuration, and email authentication for any domain or IP address, letting you verify that your public-facing infrastructure follows security best practices.

Prerequisites

To scan a host with cnspec, you must have:

Scan a host

Scan a domain or IP address:

cnspec scan host example.com

Scan a specific port:

cnspec scan host example.com --port 8443

cnspec automatically applies all enabled policies that are applicable to the host. Enable any of these policies to assess your network endpoints:

Policy | What it checks
Mondoo TLS/SSL Security | Certificate validity, protocol versions, cipher strength, and PFS support
Mondoo HTTP Security | Security headers such as CSP, HSTS, X-Frame-Options, and server disclosure
Mondoo DNS Security | DNSSEC, record hygiene, wildcard records, and nameserver redundancy
Mondoo Email Security | SPF, DKIM, and DMARC configuration for domains with MX records

To learn how to enable policies, read Manage Policies.

Open source cnspec users can find these policies in the cnspec GitHub repository and scan with a local copy or directly from a URL using --policy-bundle:

cnspec scan host example.com --policy-bundle mondoo-tls-security.mql.yaml

Or scan directly from the repository URL:

cnspec scan host example.com --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-tls-security.mql.yaml
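
To run the cnspec scan host and --port forms shown above across a list of targets, a wrapper like the following can be used. It is an added example, not part of the cnspec documentation or project; the function names, the one-target-per-line host or host:port inventory format, and the DRY_RUN variable are assumptions, and it accepts hostnames and IPv4 addresses only.

```shell
# Added example: batch wrapper around the `cnspec scan host` commands shown above.
# Assumed inventory format: one target per line, "host" or "host:port"; "#" starts a comment.

# Print the cnspec command for one inventory entry; return 1 if the entry is malformed.
build_scan_cmd() {
  local entry="$1" host="${1%%:*}" port=""
  # Letters, digits, dots and hyphens only; a leading "-" would be read as an option.
  case $host in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
  if [ "$host" != "$entry" ]; then
    port="${entry#*:}"
    # Port must be 1-65535: digits only, no leading zero, at most five digits.
    case $port in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -le 65535 ] || return 1
    printf 'cnspec scan host %s --port %s\n' "$host" "$port"
  else
    printf 'cnspec scan host %s\n' "$host"
  fi
}

# Read targets from stdin. With DRY_RUN=1 the commands are printed, not executed.
# Returns 1 if any entry was rejected or any scan command exited non-zero.
scan_inventory() {
  local line cmd rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    if ! cmd=$(build_scan_cmd "$line"); then
      echo "skipping malformed target: $line" >&2
      rc=1
      continue
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      # $cmd contains only validated characters, so word splitting is safe here.
      $cmd </dev/null || rc=1
    fi
  done
  return "$rc"
}

# Constructed sample inventory, dry run (prints commands without calling cnspec).
DRY_RUN=1 scan_inventory <<'EOF' || true
# public endpoints
example.com
example.com:8443
-oops.example.com
example.com:99999
EOF
```

For a real run, save the two functions to a file, source it, and call scan_inventory < targets.txt without DRY_RUN set.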

Explore and test checks interactively

Open a cnspec shell to query a host:

cnspec shell host example.com

Check TLS certificate expiration

cnspec> tls.certificates[0].expiresIn
tls.certificates[0].expiresIn: 89 days

Retrieve HTTP security headers

cnspec> http.header.xFrameOptions
http.header.xFrameOptions: "DENY"

Check DNS records

cnspec> dns.records
dns.records: [
  dns.record type="A" rdata=["93.184.216.34"]
  dns.record type="AAAA" rdata=["2606:2800:220:1:248:1893:25c8:1946"]
]

To exit the cnspec shell, press Ctrl + D or type exit.

Continuously scan with Mondoo Platform

Go beyond one-off scans. Use Mondoo Platform to continuously monitor your domains and IP addresses. To learn more, read Secure a Domain or IP Address.
