Assess Host Security with cnspec

Scan domains and IP addresses for DNS, TLS, HTTP header, and email security with cnspec

Rely on cnspec to scan domains and IP addresses for TLS certificate health, HTTP header security, DNS configuration, and email authentication. This is useful for verifying that your web-facing infrastructure follows security best practices.

Prerequisites

To scan a host with cnspec, you must have:

Scan a host

To scan a domain or IP address:

cnspec scan host example.com

To scan a specific port:

cnspec scan host example.com --port 8443

cnspec automatically applies all enabled policies that are applicable to the host. Enable any of the following policies to assess your network endpoints:

| Policy | What it checks |
| --- | --- |
| Mondoo TLS/SSL Security | Certificate validity, protocol versions, cipher strength, and PFS support |
| Mondoo HTTP Security | Security headers such as CSP, HSTS, X-Frame-Options, and server disclosure |
| Mondoo DNS Security | DNSSEC, record hygiene, wildcard records, and nameserver redundancy |
| Mondoo Email Security | SPF, DKIM, and DMARC configuration for domains with MX records |

To learn how to enable policies, read Manage Policies.

Open source cnspec users can find these policies in the cnspec GitHub repository and scan with a local copy or directly from a URL using --policy-bundle:

cnspec scan host example.com --policy-bundle mondoo-tls-security.mql.yaml

Or scan directly from the repository URL:

cnspec scan host example.com --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-tls-security.mql.yaml

Query a host interactively

To open an interactive shell for exploring a host:

cnspec shell host example.com

Example queries

This query checks the TLS certificate expiration:

cnspec> tls.certificates[0].expiresIn
tls.certificates[0].expiresIn: 89 days

This query retrieves HTTP security headers:

cnspec> http.header.xFrameOptions
http.header.xFrameOptions: "DENY"

This query checks DNS records:

cnspec> dns.records
dns.records: [
  dns.record type="A" rdata=["93.184.216.34"]
  dns.record type="AAAA" rdata=["2606:2800:220:1:248:1893:25c8:1946"]
]
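
Query results like the TLS and header outputs above can feed a pass/fail gate that fails closed when a result is missing or unreadable. The shell function below is an added example, not part of cnspec or its documentation; it assumes results arrive as `field: value` lines exactly as printed above, and the names `sample_results` and `check_host_results` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the cnspec project): gate on host query results.
# Input on stdin: "field: value" lines in the form the cnspec shell prints.

# Constructed sample, modeled on the outputs shown on this page.
sample_results() {
    printf '%s\n' \
        'tls.certificates[0].expiresIn: 89 days' \
        'http.header.xFrameOptions: "DENY"'
}

# check_host_results MIN_DAYS < results
# Returns 0 only if every certificate line has more than MIN_DAYS left and
# X-Frame-Options is DENY or SAMEORIGIN. Missing or unparsable lines fail.
check_host_results() {
    min_days="$1"; fail=0; seen_cert=0; seen_xfo=0
    while IFS= read -r line; do
        value="${line#*: }"
        case "$line" in
            "tls.certificates[0].expiresIn: "*)
                seen_cert=1
                n="${value%% *}"; unit="${value#* }"; unit="${unit%% *}"
                case "$n" in
                    ''|*[!0-9]*)
                        echo "FAIL: cannot parse expiry '$value'" >&2
                        fail=1; continue ;;
                esac
                case "$unit" in
                    day|days) ;;
                    *) echo "FAIL: unexpected unit in '$value'" >&2
                       fail=1; continue ;;
                esac
                if [ "$n" -le "$min_days" ]; then
                    echo "FAIL: certificate expires in $n days" >&2; fail=1
                fi ;;
            "http.header.xFrameOptions: "*)
                seen_xfo=1
                case "$value" in
                    '"DENY"'|'"SAMEORIGIN"') ;;
                    *) echo "FAIL: X-Frame-Options is $value" >&2; fail=1 ;;
                esac ;;
        esac
    done
    if [ "$fail" -eq 0 ] && [ "$seen_cert" -eq 1 ] && [ "$seen_xfo" -eq 1 ]
    then return 0; fi
    return 1
}

sample_results | check_host_results 30 && echo "sample host passes"
```

The first argument is the minimum number of days a certificate must have left; failure reasons go to stderr so the exit status alone can drive a CI step.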

Exit the cnspec shell

To exit the cnspec shell, either press Ctrl + D or type exit.
