MadaBurns/bv-mcp

GitHub: MadaBurns/bv-mcp

开源的 DNS 与邮件安全扫描器，通过 MCP 协议为 AI 助手和 IDE 提供 57 项安全检查，零安装即开即用。

Stars: 3 | Forks: 1

# BLACK**V**EIL DNS **了解你的安全态势。** 适用于 Claude、Cursor、VS Code 及任何 MCP 客户端的开源 DNS 和邮件安全扫描器。 [![GitHub stars](https://img.shields.io/github/stars/MadaBurns/bv-mcp?style=flat&logo=github)](https://github.com/MadaBurns/bv-mcp/stargazers) [![npm version](https://img.shields.io/npm/v/blackveil-dns)](https://www.npmjs.com/package/blackveil-dns) [![npm downloads](https://img.shields.io/npm/dm/blackveil-dns)](https://www.npmjs.com/package/blackveil-dns) [![Tests](https://img.shields.io/badge/Tests-630%2B-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions) [![Coverage](https://img.shields.io/badge/Coverage-~95%25-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions) [![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE) [![MCP](https://img.shields.io/badge/MCP-2025--03--26-blue)](https://modelcontextprotocol.io/) [![Cloudflare Workers](https://img.shields.io/badge/Cloudflare%20Workers-F38020?logo=cloudflare&logoColor=white)](https://workers.cloudflare.com/) [![TypeScript](https://img.shields.io/badge/TypeScript-5.5-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org/) ![DNS Security](https://dns-mcp.blackveilsecurity.com/badge/blackveilsecurity.com)

## 30 秒快速体验 **Claude Code** (一条命令): ``` claude mcp add --transport http blackveil-dns https://dns-mcp.blackveilsecurity.com/mcp ``` 然后提问: `scan anthropic.com` **验证端点是否在线:** ``` curl https://dns-mcp.blackveilsecurity.com/health ``` 无需安装。无需 API 密钥。只需一个 URL: ``` Endpoint https://dns-mcp.blackveilsecurity.com/mcp Transport Streamable HTTP · JSON-RPC 2.0 Auth None required ``` ## 功能特性 - **13 个类别共 57 项检查** — SPF、DMARC、DKIM、DNSSEC、SSL/TLS、MTA-STS、NS、CAA、MX、BIMI、TLS-RPT、子域名接管、仿冒域名 - **成熟度分级** — 0-4 阶段分类（从无保护到加固），并提供下一步建议 - **信任面分析** — 检测共享 SaaS 平台 (Google, M365, SendGrid) 并交叉引用 DMARC 执行情况以确定真实风险敞口 - **通俗英语修复建议** — `explain_finding` 将发现转化为任何人都能理解的指导 - **服务商智能识别** — 从 MX、SPF、DKIM 推断入站/出站邮件服务商 - **被动且只读** — 所有检查均使用公共 Cloudflare DNS-over-HTTPS；无需目标授权完整范围和限制详见 [`docs/coverage.md`](docs/coverage.md)。 ``` scan_domain("anthropic.com") ████████████████████████████████████████░░░░░ 85 / 100 Grade: A · Maturity: Intermediate SPF ·········· 80 MTA-STS ····· 85 DMARC ········ 90 NS ·········· 95 DKIM ········· 85 CAA ········· 85 DNSSEC ······· 35 BIMI ········ 95 SSL ········· 100 TLS-RPT ····· 95 MX ·········· 100 2 high · 4 medium · 5 low · 5 info ```

**[立即扫描你的域名 → blackveilsecurity.com](https://blackveilsecurity.com)**

## 工具 ``` 15 MCP tools Email Auth Infrastructure Brand & Threats Meta ──────────── ──────────────── ───────────────── ────────────── check_spf check_dnssec check_bimi scan_domain check_dmarc check_ns check_tlsrpt explain_finding check_dkim check_caa check_lookalikes compare_baseline check_mta_sts check_ssl check_mx + check_subdomain_takeover (internal — runs inside scan_domain) ``` `explain_finding` 接收任何发现并返回：含义、潜在影响、不良后果、具体修复步骤以及相关的 RFC。 **置信度标签:** `deterministic` — 直接协议/记录验证 | `heuristic` — 基于信号推断，可能需要人工验证 | `verified` — 高置信度验证信号 **子域名接管验证:** `potential` — DNS 信号，需要控制权证明 | `verified` — 检测到取消配置指纹 | `not_exploitable` — 无接管信号 ## 客户端配置

VS Code / Copilot

`.vscode/mcp.json` ``` { "servers": { "blackveil-dns": { "type": "http", "url": "https://dns-mcp.blackveilsecurity.com/mcp" } } } ```

Claude Code

`.mcp.json` ``` { "mcpServers": { "blackveil-dns": { "type": "http", "url": "https://dns-mcp.blackveilsecurity.com/mcp" } } } ``` 或通过 CLI: ``` claude mcp add --transport http blackveil-dns https://dns-mcp.blackveilsecurity.com/mcp ```

Claude Desktop

**最简单的方法:** 打开 [claude.ai](https://claude.ai) → **Settings → Connectors → Add custom connector** → 粘贴 `https://dns-mcp.blackveilsecurity.com/mcp`。 **配置文件:** 打开 **Settings → Developer → Edit Config** (`claude_desktop_config.json`) 并添加: ``` { "mcpServers": { "blackveil-dns": { "command": "npx", "args": ["mcp-remote", "https://dns-mcp.blackveilsecurity.com/mcp"] } } } ```

Cursor

`.cursor/mcp.json` ``` { "mcpServers": { "blackveil-dns": { "url": "https://dns-mcp.blackveilsecurity.com/mcp" } } } ```

关于托管 MCP 配置，请参阅 `docs/client-setup.md`。 ## CI/CD 使用 [Blackveil DNS GitHub Action](https://github.com/MadaBurns/blackveil-dns-action) 在流水线中强制执行 DNS 安全等级: ``` - uses: MadaBurns/blackveil-dns-action@v1 with: domain: example.com minimum-grade: B ``` 该操作输出 `score`、`grade`、`maturity` 和 `passed` 供后续步骤使用。 ## 监控在 Slack 或 Discord 中获取每周 DNS 安全报告。请参阅 [`examples/slack-discord-webhook/`](examples/slack-discord-webhook/) 获取现成可部署的 Cloudflare Cron Trigger 配方。 ## npm 包当你想从自己的 Node.js 应用、脚本或服务调用扫描器时，请从 npm 安装。如果你是从 VS Code、Claude、Cursor 或其他 MCP 客户端连接，请使用上面的 MCP 端点配置。 ``` npm install blackveil-dns ``` 要求: Node 18+ 或其他具有全局 `fetch`、`URL`、`AbortController` 和 Web Platform APIs 的运行时。

使用示例

``` import { scanDomain, explainFinding, formatScanReport, validateDomain } from 'blackveil-dns'; const candidate = 'example.com'; const validation = validateDomain(candidate); if (!validation.valid) { throw new Error(validation.error); } const result = await scanDomain(candidate); console.log(formatScanReport(result)); const guidance = explainFinding('SPF', 'fail', 'No SPF record found'); console.log(guidance.recommendation); ``` npm 包仅导出可复用的扫描器 API。它不会启动 MCP 服务器或 Cloudflare Worker 入口点。

覆盖范围 — 13 个类别共 57 项检查

完整的 [BLACKVEIL](https://blackveilsecurity.com) 平台在每个类别上提供更深入的分析。 | Category | Checks | MCP (Free) | Platform | |---|---:|---|---| | SPF | 8 | Policy and syntax validation | Include-chain and sender-path analytics | | DMARC | 10 | Policy, pct, reporting, alignment | Subdomain inheritance, reporting quality | | DKIM | 9 | Selector discovery, RSA key strength | Rotation heuristics, key-age drift | | DNSSEC | 6 | AD validation, signed-zone baseline | Chain-of-trust, rollover posture | | SSL/TLS | 8 | Certificate availability, validity | Protocol/cipher depth, renewal risk | | MTA-STS | 5 | TXT policy, policy retrieval | Policy hardening, reporting depth | | NS | 4 | Delegation, diversity, resiliency | Infrastructure concentration | | CAA | 4 | Presence, issuer allowlist | Issuance surface modeling | | MX | 4 | Presence, routing, provider inference | Mail routing posture | | Subdomain Takeover | 2 | Dangling CNAME detection | Expanded asset discovery | | BIMI | 2 | Record presence, logo URL, VMC | Brand indicator compliance | | TLS-RPT | 2 | Record presence, reporting URI | Reporting depth | | Lookalikes | 3 | Typosquat detection, DNS + MX probing | Expanded permutation strategies |

扫描输出 — anthropic.com (真实、未编辑)

``` BLACKVEIL DNS anthropic.com ───────────────────────────────────────────────────────────────────── CATEGORY SCORE STATUS KEY FINDINGS ───────────────────────────────────────────────────────────────────── SPF 80/100 PASS Soft fail (~all), Google shared DMARC 90/100 PASS p=reject, relaxed alignment DKIM 85/100 PASS google selector, 2048-bit RSA DNSSEC 35/100 FAIL Not enabled — no DNSKEY/DS SSL/TLS 100/100 PASS HTTPS + HSTS configured MTA-STS 85/100 PASS No MTA-STS/TLS-RPT records NS 95/100 PASS Cloudflare anycast CAA 85/100 PASS No CAA records published MX 100/100 PASS 5 MX records, Google Workspace BIMI 95/100 PASS Eligible but not published TLS-RPT 95/100 PASS No TLS-RPT record ───────────────────────────────────────────────────────────────────── ████████████████████████████████████████░░░░░ 85 / 100 Grade: A ``` ### 发现结果 ``` SEVERITY FINDING CATEGORY ───────────────────────────────────────────────────────────────────────────── HIGH DNSSEC not validated — AD flag not set DNSSEC HIGH No DNSKEY records found DNSSEC MEDIUM No DS records — chain of trust broken DNSSEC MEDIUM No MTA-STS or TLS-RPT records MTA-STS MEDIUM No CAA records — any CA can issue certs CAA MEDIUM DKIM RSA key below recommended (2048 < 4096) DKIM LOW SPF soft fail (~all) — consider -all SPF LOW Relaxed DKIM alignment (adkim=r) DMARC LOW Relaxed SPF alignment (aspf=r) DMARC LOW Low nameserver diversity (all Cloudflare) NS LOW No BIMI record — eligible with p=reject BIMI LOW No TLS-RPT record TLSRPT INFO SPF delegates to shared platform: Google Workspace SPF INFO DMARC properly configured (p=reject, sp=reject) DMARC INFO MX records found (5 records) MX INFO Inbound provider: Google Workspace MX INFO HTTPS + HSTS properly configured SSL ``` **这意味着什么。** Anthropic 拥有强大的邮件身份验证 —— DMARC 设置为 `reject`，SPF 和 DKIM 均存在，邮件由 Google Workspace 处理。由于 DMARC 执行力度强，指向 Google 的共享平台 SPF 委托保持为信息性，而不会被标记为风险。主要差距在于 DNSSEC (DNS 响应未经过加密签名) 以及 CAA、MTA-STS 和 BIMI 方面的加固机会。对任何结果运行 `explain_finding` 获取通俗英语修复建议。

协议

| Method | Path | Purpose | |---|---|---| | `POST` | `/mcp` | JSON-RPC 2.0 tool/protocol requests | | `GET` | `/mcp` | SSE stream for server notifications | | `DELETE` | `/mcp` | Session termination | | `GET` | `/health` | Health probe | 支持的方法: `initialize`, `ping`, `tools/list`, `tools/call`, `resources/list`, `resources/read`。 Prompt 方法 (`prompts/list`, `prompts/get`) 返回 `-32601 Method not found`。

架构

``` MCP Client │ │ POST /mcp (JSON-RPC 2.0) │ ┌───▼──────────────────────┐ │ Cloudflare Worker │ │ │ │ Hono ─► Origin check │ │ ─► Auth │ │ ─► Rate limiting │ │ ─► Session mgmt │ └───┬──────────────────────┘ │ ┌───▼──────────────────────┐ │ Tool Handlers │ │ 14 checks in parallel │ └───┬──────────────────────┘ │ ┌───▼──────────────────────┐ │ Cloudflare DoH │ │ DNS-over-HTTPS │ └──────────────────────────┘ ``` - 输入清理和域名验证 - 可选 bearer-token 认证 - 按 IP 限速 (KV + 内存回退) - `check_lookalikes` 限制为每个 IP 每天 10 次，缓存 60 分钟 - 扫描结果缓存 (KV + 内存回退) - 结构化 JSON 日志实现细节见 `CLAUDE.md`。

安全性

完整详情见 `docs/security-and-observability.md`。 - 域名输入在执行前经过验证和清理 - 拒绝 IP 字面量 (标准和替代数字形式) - SSRF 防护阻止不安全/私有目标 - 错误响应经过清理 —— 仅显示已知验证错误 - DNS 通过 Cloudflare DoH，可选二次确认 - 速率限制: `tools/call` 每 IP `50/min` 和 `300/hr` - 控制面流量: 每 IP `60/min` 和 `600/hr` - 全局每日上限: 每天 `500,000` 次未认证工具调用 (成本上限) - 会话创建: 每 IP `60/min` **自然语言便利:** `tools/call` 支持 `scan` 作为 `scan_domain` 的别名。在聊天客户端中，说 `scan example.com`。原始 JSON-RPC 期望 `params.name` 为 `scan` 或 `scan_domain`。

服务商检测

`check_mx` 和 `scan_domain` 推断托管邮件服务商。 - **入站** — MX 主机匹配 - **出站** — SPF include/redirect 信号 + DKIM 选择器提示 - 元数据: `detectionType`, `providers`, `providerConfidence` (0.0-1.0), `signatureSource`, `signatureVersion` - 回退顺序: 运行时源 -> 陈旧缓存 -> 内置签名可选配置: | Variable | Purpose | |---|---| | `PROVIDER_SIGNATURES_URL` | Runtime provider-signature JSON source | | `PROVIDER_SIGNATURES_SHA256` | Required pinned digest | | `PROVIDER_SIGNATURES_ALLOWED_HOSTS` | Hostname allowlist |

## 开发 ``` git clone https://github.com/MadaBurns/bv-mcp.git cd bv-mcp npm install npm run dev # localhost:8787/mcp ``` ``` npm test # 630+ tests, ~95% coverage npm run typecheck ```

私有部署

``` cp wrangler.private.example.jsonc .dev/wrangler.deploy.jsonc # 替换 .dev/wrangler.deploy.jsonc 中的 KV namespace IDs 和 analytics dataset npm run deploy:private ``` 提交的 [wrangler.jsonc](wrangler.jsonc) 对开源使用保持通用。真实的 KV ID、会话存储和 Analytics Engine 数据集名称应仅存在于被忽略的 `.dev/wrangler.deploy.jsonc` 文件中。

手动请求示例和失败模式见 `docs/troubleshooting.md`。 ## 文档 | Document | Path | |---|---| | Client setup | `docs/client-setup.md` | | Security & observability | `docs/security-and-observability.md` | | Scoring | `docs/scoring.md` | | Coverage & limitations | `docs/coverage.md` | | Troubleshooting | `docs/troubleshooting.md` | | Style guide | `docs/style-guide.md` | ## 为什么做这个大多数 DNS 和邮件安全工具是付费仪表板或需要本地设置的 CLI 脚本。这两种方式都不适合在 AI 助手中进行对话时检查域名。一个端点 URL。无需安装。无需 API 密钥。将任何 MCP 客户端指向 `https://dns-mcp.blackveilsecurity.com/mcp`，了解你的安全态势。

由 [**BLACKVEIL**](https://blackveilsecurity.com) 构建和维护 —— 新西兰拥有的网络安全咨询公司。 Featured in [SecurityBrief](https://securitybrief.co.nz/story/exclusive-how-cybersecurity-startup-blackveil-is-targetting-ai-driven-threats) · [NZ Herald](https://www.nzherald.co.nz/video/herald-now/ryan-bridge-today/cybersecurity-medimap-hack/OMLGW3OMXOVSSJ3RLFXPMAVGKE/) · [Modern Cyber](https://www.youtube.com/watch?v=W4aJHpfB5rY) 需要持续监控？[BLACKVEIL](https://blackveilsecurity.com) 提供实时告警和 Buck AI 来帮助你修复此扫描器发现的问题。 MIT License

标签：API安全, Claude, Cursor, CVE检测, DKIM, DMARC, DNSSEC, DNS安全, DNS枚举, Email Security, GitHub, GraphQL安全矩阵, JSON-RPC, JSON输出, MCP, Serverless, SPF, SSL/TLS, TypeScript, VS Code, 域名安全, 子域名接管, 安全扫描器, 安全插件, 开源, 程序员工具, 网络安全工具, 自动化攻击, 邮件安全, 配置审计, 零安装