kalilinux.org

15-check dossier · scoreboard above, section details below

Get a pack →

Scanning…

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

resolving dmarc…

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

inspecting web surface…

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.

kalilinux.org

15-check dossier · scoreboard above, section details below

Get a pack →

Multiple findings need attention

Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.

Pass: 8
Warn: 4
Fail: 3

What an auditor would flag first

high
MX
no MX records — domain cannot receive email
SOC 2 CC6.6
high
SPF
no SPF record — phishing risk
SOC 2 CC6.7ISO 27001 A.13.2.1
high
DMARC
no DMARC record — spoofing risk
SOC 2 CC6.7ISO 27001 A.13.2.1

Need this as an artifact your auditor can verify?

Your kalilinux.org scan flagged 3 high and 1 medium and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.

Get a pack →See methodology See a sample$29

Scanning…

15-check summary

DNS recordsA/AAAA records present
MXno MX records — domain cannot receive email
SPFno SPF record — phishing risk
DMARCno DMARC record — spoofing risk
DKIMno DKIM selectors found — likely not configured
TLS certificatecert valid for 149 days
Redirect chainredirects to different domain: kali.org
Security headers1 security header(s) missing
CORSno CORS headers — cross-origin requests blocked by default
Web surfaceHTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
MTA-STSnot applicable: no _mta-sts TXT record
TLS-RPTnot applicable: no TLSRPT record
DNSSECDNSSEC not configured — no DS or DNSKEY records found
WHOISdomain registered until 2026-10-16
Certificate Transparencycheck failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

dns

info

Open standalone →

A/AAAA records present

Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).

A: ttl=10800 217.70.184.55
AAAA: —
NS: ttl=10800 ns-249-c.gandi.net.
ttl=10800 ns-216-b.gandi.net.
ttl=10800 ns-170-a.gandi.net.
SOA: ttl=10800 ns1.gandi.net. hostmaster.gandi.net. 1780531200 10800 3600 604800 10800
CAA: —
TXT: —

fetched 2026-06-04T04:45:32.693Z

dns

info

Open standalone →

resolving…

mx

high

Open standalone →

no MX records — domain cannot receive email

Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).

Recommendations

Add MX records pointing to your mail provider (e.g. MX 10 mail.example.com)
If the domain should not receive email, publish 'v=spf1 -all' to signal no senders

no MX records

mx

info

Open standalone →

resolving mx…

spf

high

Open standalone →

no SPF record — phishing risk

Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).

Recommendations

Publish a TXT record: v=spf1 include:<your-provider> -all
Example for Google Workspace: v=spf1 include:_spf.google.com -all

no SPF record

spf

info

Open standalone →

resolving spf…

dmarc

high

Open standalone →

no DMARC record — spoofing risk

Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).

Recommendations

Publish a DMARC TXT record at _dmarc.<domain>: v=DMARC1; p=none; rua=mailto:dmarc@<domain>
Start with p=none to collect reports, then move to p=quarantine and finally p=reject

no DMARC record

dmarc

info

Open standalone →

resolving dmarc…

dkim

low

Open standalone →

no DKIM selectors found — likely not configured

Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).

Recommendations

Enable DKIM signing in your mail provider and publish the provided TXT record
Common selectors: google._domainkey, selector1._domainkey (Microsoft), mail._domainkey

no DKIM record on probed selectors (default, google, k1, selector1, selector2, mxvault)

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

cert valid for 149 days

Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.

subject cn:: kalilinux.org
issuer:: GandiCert / Gandi SAS
valid:: Apr 16 00:00:00 2026 GMT → Oct 31 23:59:59 2026 GMT
authorized:: yes
sha256:: 16:E0:0B:F6:89:1B:A3:39:09:B4:A6:05:D4:FF:19:56:41:BB:DA:23:54:4F:A1:03:FE:B5:3A:5D:84:ED:B4:0D
sans: kalilinux.org

fetched 2026-06-04T04:45:32.749Z

tls

info

Open standalone →

fetching tls cert…

redirects

medium

Open standalone →

redirects to different domain: kali.org

Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).

Recommendations

Verify this cross-domain redirect is intentional (e.g. domain migration or CDN)
Ensure the destination domain is owned and expected — unintended redirects can leak traffic

final status: 200 · 3 hops

[302] https://kalilinux.org/
[301] https://kali.org/
[200] https://www.kali.org/

fetched 2026-06-04T04:45:33.010Z

redirects

info

Open standalone →

tracing redirects…

headers

low

Open standalone →

1 security header(s) missing

Why it matters: Security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy — defend against XSS, clickjacking, and downgrade attacks. Absent headers map directly to OWASP ASVS V14 findings (ISO 27001 A.8.23).

Recommendations

Add response header — Content-Security-Policy: default-src 'self' (tune per app)

final url: https://www.kali.org/

security headers

strict-transport-security: max-age=2592000
content-security-policy: —
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: same-origin
permissions-policy: interest-cohort=()

other headers

cache-control: max-age=600
cf-cache-status: DYNAMIC
cf-ray: a06449e89d45e5c9-IAD
connection: keep-alive
content-encoding: gzip
content-type: text/html; charset=utf-8
date: Thu, 04 Jun 2026 04:45:33 GMT
expect-ct: max-age=86400, enforce
expires: Thu, 04 Jun 2026 04:55:32 UTC
last-modified: Mon, 01 Jun 2026 15:30:00 GMT
server: cloudflare
transfer-encoding: chunked
vary: Origin
x-request-id: 01KT8F6VCNCT09ZH9ETMX5W775
x-xss-protection: 1; mode=block

fetched 2026-06-04T04:45:33.003Z

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

no CORS headers — cross-origin requests blocked by default

Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).

origin: https://domainposture.com
method: GET
preflight status: 302

access-control-* headers

access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —

no access-control-* headers returned — site does not advertise CORS to this origin

fetched 2026-06-04T04:45:32.821Z

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)

Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).

robots.txt

present

## All robots
User-agent: *

## Allow everything...
Disallow:

## ...expect for archived pages (kali-docs/kali-tools)
Disallow: /docs/development/leveraging-the-kali-bot/
Disallow: /docs/virtualization/import-premade-virtualbox-legacy/
Disallow: /docs/virtualization/install-vmware-guest-tools-legacy/
Disallow: /docs/virtualization/install-virtualbox-guest-additions-legacy/
Disallow: /docs/installation/mini-iso/
Disallow: /docs/nethunter/dojo-kali-linux-on-android/
Disallow: /docs/arm/efikamx/
Disallow: /docs/arm/imx-6ull-evk/
Disallow: /docs/arm/nanopi2/
Disallow: /docs/arm/raspberry-pi-with-luks-full-disk-encryption/
Disallow: /docs/arm/ss808-mk808/
Disallow: /tools/mfterm/
Disallow: /tools/libfreefare/
Disallow: /tools/libnfc/
Disallow: /tools/mfcuk/
Disallow: /tools/mfoc/
Disallow: /tools/sickle-tool/
Disallow: /tools/spectools/
Disallow: /tools/curlftpfs/
Disallow: /tools/outguess/
Disallow: /tools/de4dot/
Disallow: /docs/wsl/mesa-21/
Disallow: /docs/arm/gemini-pda/
Disallow: /docs/introduction/kali-linux-default-passwords/
Disallow: /docs/policy/kali-linux-root-user-policy/
Disallow: /docs/general-use/kali-domains/
Disallow: /docs/nethunter/nethunter-mitmf/
Disallow: /docs/nethunter/nethunter-mana-wireless/
Disallow: /docs/development/public-packaging/
Disallow: /docs/arm/galaxy-note-10.1/
Disallow: /tools/freerdp2/
Disallow: /tools/backdoor-factory/
Disallow: /tools/winexe/
Disallow: /tools/zenmap-kbx/
Disallow: /tools/abootimg/
Disallow: /tools/android-sdk/
Disallow: /tools/bluez-firmware/
Disallow: /tools/fake-hwclock/
Disallow: /tools/faraday-client/
Disallow: /tools/firmware-sof/
Disallow: /tools/initramfs-tools/
Disallow: /tools/ipv6-toolkit/
Disallow: /tools/king-phisher/
Disallow: /tools/netkit-ftp/
Disallow: /tools/netkit-telnet/
Disallow: /tools/netkit-tftp/
Disallow: /tools/p7zip/
Disallow: /tools/pev/
Disallow: /tools/plecost/
Disallow: /tools/radare2-cutter/
Disallow: /tools/rtlsdr-scanner/
Disallow: /tools/smali/
Disallow: /tools/u-boot/
Disallow: /tools/usbutils/
Disallow: /tools/xprobe/
Disallow: /tools/zd1211-firmware/


## Point out where sitemap is
Sitemap: https://www.kali.org/sitemap.xml

sitemap.xml

present — 608 url(s)

head

title: Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution
description: —

social

og:site_name: Kali Linux
og:title: Kali Linux | Penetration Testing and Ethical Hacking Linux Distribution
og:description: Home of Kali Linux, an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments.
og:locale: en_US
og:image: https://www.kali.org/images/kali-logo.svg
og:url: https://www.kali.org/

fetched 2026-06-04T04:45:33.043Z

web-surface

info

Open standalone →

inspecting web surface…

dnssec

low

Open standalone →

DNSSEC not configured — no DS or DNSKEY records found

Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).

Recommendations

Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar

enabled: no
DS records: —
DNSKEY records: —

fetched 2026-06-04T04:45:32.645Z

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

not applicable: no _mta-sts TXT record

Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).

no _mta-sts TXT record

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

not applicable: no TLSRPT record

Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).

no TLSRPT record

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

domain registered until 2026-10-16

Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).

registrar: Gandi SAS
created: 2011-10-16T20:56:04Z
expires: 2026-10-16T20:56:04Z
statuses: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

fetched 2026-06-04T04:45:32.942Z

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).

crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.