Infrastructure - https://virginia.gov BeaverCheck Audit

D

CDN & Delivery

Action

No CDN detected

FIX

No CDN detected

A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.

No CDN detected

Consider using a CDN to improve global delivery speed and reduce origin load.

B

DNS Records

3 A records, 421 ms lookup

REVIEW

3 A records, 421 ms lookup

Resolves to 3 IPv4 address(es)

Got: 34.236.48.185, 44.214.226.246, 54.209.110.106

No IPv6 (AAAA) records

CNAME record at zone apex

A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.

Got: vitavirginiagov-lb02-production.terminalfour.net

No NS records found

No MX records — email not configured via DNS

CAA records not checked

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

No SPF record found in TXT records

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

DNS resolution is slow (421 ms)

Slow DNS adds latency to every page load. Consider a faster DNS provider.

Got: 421 ms

A	34.236.48.185, 44.214.226.246, 54.209.110.106
AAAA	—
CNAME	vitavirginiagov-lb02-production.terminalfour.net
NS	—
MX	—
TXT	—
CAA	Lookup not available with standard resolver

Resolved in 421 ms

A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.

Why this matters

CNAME at the apex (example.com) breaks every other apex record (MX, TXT, NS) — DNS-protocol violation per RFC 1034.

Learn more ▾

RFC 1034 forbids CNAME alongside other records at the same name. Some DNS providers offer ALIAS / ANAME / flattened-CNAME records that work around this — use those instead. Otherwise apex-level CNAME breaks email (no MX), domain ownership verification (no TXT), and more.

Source: RFC 1034

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

Why this matters

Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.

Learn more ▾

SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.

Source: RFC 7208 (SPF)

Slow DNS adds latency to every page load. Consider a faster DNS provider.

Why this matters

DNS resolution is slow — anycast DNS providers (Cloudflare, Route 53) typically resolve <50ms globally.

Source: DNS performance benchmarks

C

IPv6 Readiness

Action

No IPv6 support

REVIEW

No IPv6 support

No IPv6 (AAAA) records found

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

No IPv6 Support

About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B

HTTP Probe Timing

Total 1109 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

REVIEW

DNS Lookup

313 ms

TCP Connect

239 ms

TLS Handshake

241 ms

Time to First Byte

1.11 s

Total Time

1.11 s

Connection waterfall

DNS Lookup 313 ms TCP Connect 239 ms TLS Handshake 241 ms Server Processing 317 ms Content Transfer 1 ms

B

TLS Certificate Expiry & Recommendations

145 days until leaf cert expires — 2 issues to address

REVIEW

Certificate validity

145

days left

0d 30d 60d 90d+

Recommended actions

Submit your domain to hstspreload.org to be added to the Chrome preload list
Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy

A+

Redirect Chain

No redirects — direct access

PASS

No redirects — direct access

Got: https://www.virginia.gov

https://www.virginia.gov

781 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://www.virginia.gov	200	781 ms	HTTP/1.1	Apache

A+

Crawlability

robots.txt present, sitemap with 237 URLs

PASS

robots.txt present, sitemap with 237 URLs

robots.txt is present

Got: 387 bytes

sitemap.xml is present

sitemap.xml is valid XML

sitemap.xml contains 237 entries

robots.txt references sitemap

robots.txt 200 OK

Size 387 B Sitemaps referenced 1 User-agents * Blocking No — crawling allowed

User-agent: *

Disallow: /site-config

Disallow: /_sidebar

Disallow: /_accordion

Disallow: /testing

Disallow: /archive

Disallow: /demo

Disallow: /trash

Disallow: /sidebar

Disallow: /accordion

Disallow: /modules

Disallow: /_*



User-agent: *
Disallow: /search
Disallow: /404
Disallow: /home-features
Disallow: /agencies/*/services
Sitemap: https://www.virginia.gov/sitemap.xml

sitemap.xml 200 OK

Type URL Set URLs 237 entries Valid XML Yes

Sample URLs:

A+

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

HTTP correctly 301-redirects to HTTPS

www / non-www

200https://www.virginia.gov/

https://virginia.gov/

HTTP → HTTPS

301http://www.virginia.gov/ → https://www.virginia.gov/

Consistent

A+

Domain Intelligence

virginia.gov — via get.gov, 25 years, 7 months old, hosted on RFC2270-UUNET-CUSTOMER - Verizon Business, US

PASS

virginia.gov — via get.gov, 25 years, 7 months old, hosted on RFC2270-UUNET-CUSTOMER - Verizon Business, US

Domain registered until Aug 22, 2026 (4 months remaining)

DNSSEC is enabled

Registrar: get.gov

Registrar lock is NOT enabled

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Hosting: RFC2270-UUNET-CUSTOMER - Verizon Business, US

Got: AS7046

Domain expiry

68 days

August 22, 2026

SSL certificate

145 days

Issued by DigiCert Inc

Domain age

25 years, 7 months

Registered January 4, 2001

DNSSEC

Enabled

Protects against DNS spoofing

Hosting

RFC2270-UUNET-CUSTOMER - Verizon Business, US

ASN AS7046

166.67.201.76

Registrar

get.gov

Unlocked 4 NS records

Expiry timeline

Today

+1 year

Domain expiry SSL expiry Danger zone (≤30 days)

Recommended actions

Renew the domain or enable auto-renewal to prevent accidental expiry
Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers

Registrar get.gov

Created January 4, 2001 (25 years, 7 months ago)

Expires August 22, 2026 (4 months)

Last Updated February 18, 2026

Name Servers cnsa.vita.virginia.gov, cnsb.vita.virginia.gov, snsa.vita.virginia.gov, snsb.vita.virginia.gov

DNSSEC Enabled

Registrant REDACTED FOR PRIVACY

Hosting

IP Address 166.67.201.76

ASN AS7046 (RFC2270-UUNET-CUSTOMER - Verizon Business, US)

Provider RFC2270-UUNET-CUSTOMER - Verizon Business, US

Data source: rdap (0.9s)

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more ▾

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice