NIS 2 21.2.g
Cybersecurity hygiene
UnveilScan findings mapped to this control
The scanner emits 18 distinct findings on this control. Click "Scan a domain" below to see which of them currently apply to your site, with copy-paste remediation snippets (nginx, Apache, DNS BIND, web-server config).
dns.anomaly.mx_change
⏱ 15 min
DNS — Anomaly.mx change
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
dns.glue_ghost_ns
⏱ 15 min
DNS — Glue ghost ns
Risk if ignored: Delegation points at a hostname without A/AAAA. Small latency penalty today, takeover vector if the ghost name becomes registrable.
operational
dns.glue_ns_mismatch
⏱ 30 min
DNS — Glue ns mismatch
Risk if ignored: Resolvers may hit dead or unauthorised NS, causing intermittent outages or — worst case — hijack via stale delegation.
security operational
Also maps to 1 other control
dns.hosting_asn_bulletproof
⏱ 15 min
DNS — Hosting asn bulletproof
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
dns.ip_on_abuse_list
⏱ 15 min
DNS — Ip on abuse list
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
dns.ip_on_reputation_list
⏱ 1h
DNS — Ip on reputation list
Risk if ignored: Emails bounce, sessions get captcha-locked, partners' security tools flag traffic from your IP.
operational reputational
Also maps to 2 other controls
dns.open_resolver
⏱ 1h
DNS — Open resolver
Risk if ignored: Your server gets weaponised for DNS-amplification DDoS attacks against third parties, leading to hosting-provider sanctions and IP reputation damage.
security operational reputational
Also maps to 2 other controls
dns.threat_otx_pulses
⏱ 15 min
DNS — Threat otx pulses
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 2 other controls
email.dkim_revoked
⏱ 15 min
EMAIL — Dkim revoked
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.dmarc_adkim_relaxed
⏱ 15 min
EMAIL — Dmarc adkim relaxed
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.dmarc_aspf_relaxed
⏱ 15 min
EMAIL — Dmarc aspf relaxed
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.dmarc_missing
⏱ 30 min
EMAIL — Dmarc missing
Risk if ignored: No enforcement of SPF/DKIM alignment — perfect conditions for spoofed invoices and executive-impersonation fraud.
security legal financial
Also maps to 1 other control
email.dmarc_none
⏱ 15 min
EMAIL — Dmarc none
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.dmarc_pct_partial
⏱ 15 min
EMAIL — Dmarc pct partial
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.spf_all_permissive
⏱ 15 min
EMAIL — Spf all permissive
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.spf_missing
⏱ 30 min
EMAIL — Spf missing
Risk if ignored: Anyone can send mail from your domain — invoicing fraud, credential phishing against your own customers.
security legal reputational
Also maps to 1 other control
email.spf_too_many_lookups
⏱ 15 min
EMAIL — Spf too many lookups
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational
Also maps to 1 other control
email.spf_weak
⏱ 15 min
EMAIL — Spf weak
Risk if ignored: Low impact, mostly a maturity signal. Fix when you next touch this area.
operational