Skip to content

Interpret DNS signals

This guide shows you how to read a domain’s DNS details and use them as one more signal when you judge a finding.

You need an account with a brand that has domain findings, or a domain to look at in the demo. No DNS expertise is required.

  1. Open Domain Monitoring for the brand and select the domain you want to look at.
  2. Open the domain, then open the DNS tab. nebty has already collected the domain’s DNS records and certificate information here, so you do not have to look them up yourself.
  3. Read through the records. Note anything that stands out, for example mail-related records or a recently issued certificate.
  4. Weigh what you see alongside the Risk Score, not instead of it. Two patterns are worth treating as corroborating signals:
    • Active mail records on a look-alike domain suggest it is set up to send or receive email, which raises the stakes if the domain is later used for phishing.
    • A freshly issued certificate on a name that mimics your brand suggests someone is actively maintaining the site, rather than sitting on an abandoned registration.

DNS details describe how a domain is set up, not who is behind it or what it will be used for. A domain with no active mail records is not automatically safe, and one with a fresh certificate is not automatically malicious on that basis alone. Treat these details as extra context for your triage decision, alongside the Risk Score and the AI Verdict, not as a verdict by themselves.

Related: Domain Monitoring.

Open a domain detail in the demo(opens the public demo with sample data)