Interpret DNS signals
This guide shows you how to read a domain’s DNS details and use them as one more signal when you judge a finding.
Before you start
Section titled “Before you start”You need an account with a brand that has domain findings, or a domain to look at in the demo. No DNS expertise is required.
- Open Domain Monitoring for the brand and select the domain you want to look at.
- Open the domain, then open the DNS tab. nebty has already collected the domain’s DNS records and certificate information here, so you do not have to look them up yourself.
- Read through the records. Note anything that stands out, for example mail-related records or a recently issued certificate.
- Weigh what you see alongside the Risk Score, not instead of it. Two patterns are worth treating as corroborating signals:
- Active mail records on a look-alike domain suggest it is set up to send or receive email, which raises the stakes if the domain is later used for phishing.
- A freshly issued certificate on a name that mimics your brand suggests someone is actively maintaining the site, rather than sitting on an abandoned registration.
What happens next
Section titled “What happens next”DNS details describe how a domain is set up, not who is behind it or what it will be used for. A domain with no active mail records is not automatically safe, and one with a fresh certificate is not automatically malicious on that basis alone. Treat these details as extra context for your triage decision, alongside the Risk Score and the AI Verdict, not as a verdict by themselves.
Related: Domain Monitoring.
Open a domain detail in the demo(opens the public demo with sample data)