Infrastructure - https://inco.by BeaverCheck Audit

D

CDN & Delivery

Action

No CDN detected

FIX

No CDN detected

A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.

No CDN detected

Consider using a CDN to improve global delivery speed and reduce origin load.

B

DNSSEC

Unsigned (DNSSEC not deployed)

REVIEW

Unsigned (DNSSEC not deployed)

DNSSEC is not deployed

The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).

B

CAA Records

No CAA records (any CA may issue certificates)

REVIEW

No CAA records (any CA may issue certificates)

No CAA records published

Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.

B

Reverse DNS

0/1 IPs match cert SAN

REVIEW

0/1 IPs match cert SAN

PTR for 86.57.162.36 does not match any cert SAN: static.86.57.162.36.grodno.by

Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.

C

IPv6 Readiness

Action

No IPv6 support

REVIEW

No IPv6 support

No IPv6 (AAAA) records found

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

No IPv6 Support

About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B

Crawlability

no robots.txt, no sitemap

REVIEW

no robots.txt, no sitemap

No robots.txt found

robots.txt is optional but recommended. It tells search engine crawlers which pages to index.

No sitemap.xml found

A sitemap helps search engines discover and index your pages more efficiently.

robots.txt is optional but recommended. It tells search engine crawlers which pages to index.

Why this matters

No robots.txt — crawlers fetch /robots.txt and get 404; not breaking but means default crawl behavior with no directives or sitemap reference.

Learn more ▾

A minimal robots.txt with `User-agent: * / Allow: / / Sitemap: https://example.com/sitemap.xml` covers the basics. Without it, crawlers behave fine but lose the sitemap signal and can't be selectively blocked from crawl-traps.

Source: robotstxt.org

A sitemap helps search engines discover and index your pages more efficiently.

Why this matters

No sitemap.xml — Google relies on crawl-graph discovery alone, slowing indexing of deep or fresh URLs.

Learn more ▾

A sitemap accelerates Google's discovery of new and updated content. Most CMSes auto-generate one; static-site frameworks need a build-step plugin. Reference it from robots.txt and submit in Search Console to confirm Google can fetch it.

Source: sitemaps.org / Google Search Central

robots.txt No robots.txt found

No robots.txt found

This is fine for most sites — a missing robots.txt allows all crawling by default.

sitemap.xml No sitemap found

No sitemap found

Adding a sitemap helps search engines discover your pages.

B

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

REVIEW

www/non-www, trailing slash, HTTP→HTTPS

HTTP version does not redirect to HTTPS

Got: HTTP 0 Expected: 301 redirect to HTTPS

www / non-www

https://www.inco.by/

200https://inco.by/

HTTP → HTTPS

http://inco.by/

HTTP version does not redirect to HTTPS

B

HTTP Probe Timing

Total 1019 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

REVIEW

DNS Lookup

97 ms

TCP Connect

62 ms

TLS Handshake

71 ms

Time to First Byte

1.02 s

Total Time

1.02 s

Connection waterfall

DNS Lookup 97 ms TCP Connect 62 ms TLS Handshake 71 ms Server Processing 789 ms Content Transfer 0 ms

B

TLS Certificate Expiry & Recommendations

50 days until leaf cert expires — 3 issues to address

REVIEW

Certificate validity

50

days left

0d 30d 60d 90d+

Recommended actions

Submit your domain to hstspreload.org to be added to the Chrome preload list
Enable DNSSEC on your domain for DNS spoofing protection
Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy

B

Operational Status Page

No status page link detected

REVIEW

No status page link detected

No operational status page link detected

Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.

B

Health Check Endpoint

No conventional health endpoint found

REVIEW

No conventional health endpoint found

Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: connection error, /health: connection error, /healthz: connection error, /ping: connection error, /status: connection error.

A

DNS Records

1 A records, 147 ms lookup

PASS

1 A records, 147 ms lookup

Resolves to 1 IPv4 address(es)

Got: 86.57.162.36

Single A record — no DNS redundancy

Multiple A records provide failover if one server goes down.

No IPv6 (AAAA) records

2 nameserver(s) configured

Got: u1.hoster.by, u2.hoster.by

No MX records — email not configured via DNS

No SPF record found in TXT records

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

DNS resolution time: 147 ms

Got: 147 ms

A	86.57.162.36
AAAA	—
CNAME	—
NS	u1.hoster.by, u2.hoster.by
MX	—
TXT	—
CAA	Lookup not available with standard resolver

Resolved in 147 ms

Multiple A records provide failover if one server goes down.

Why this matters

Single A record means a single point of failure — if that IP goes down, your site is unreachable until DNS TTL expires.

Learn more ▾

Add multiple A records for round-robin failover, or use a managed DNS provider with health-checked failover (Route 53, Cloudflare, NS1). Short TTL (60-300s) lets clients recover faster on outages.

Source: SRE practice / DNS architecture

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

Why this matters

Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.

Learn more ▾

SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.

Source: RFC 7208 (SPF)

A+

Subdomain Takeover

No subdomain takeover risk detected

PASS

No subdomain takeover risk detected

No CNAME record present

A

Multi-Resolver DNS Speed

Mean 94ms across 3 resolvers (spread 79ms)

PASS

Mean 94ms across 3 resolvers (spread 79ms)

Google: 53ms

Got: 53ms via 8.8.8.8:53

Cloudflare: 98ms

Got: 98ms via 1.1.1.1:53

Quad9: 132ms

Got: 132ms via 9.9.9.9:53

A+

Redirect Chain

No redirects — direct access

PASS

No redirects — direct access

Got: https://inco.by

https://inco.by

707 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://inco.by	200	707 ms	HTTP/1.1	openresty

A+

Domain Intelligence

inco.by — via Reliable Software, Ltd, 15 years, 11 months old, hosted on BELPAK-AS - Republican Unitary Telecommunication Enterprise Beltelecom, BY

PASS

inco.by — via Reliable Software, Ltd, 15 years, 11 months old, hosted on BELPAK-AS - Republican Unitary Telecommunication Enterprise Beltelecom, BY

Domain registered until Oct 15, 2027 (1 years, 4 months remaining)

Registrar: Reliable Software, Ltd

Hosting: BELPAK-AS - Republican Unitary Telecommunication Enterprise Beltelecom, BY

Got: AS6697

Domain expiry

496 days

October 15, 2027

SSL certificate

50 days

Issued by Let's Encrypt

Domain age

15 years, 11 months

Registered September 20, 2010

DNSSEC

Status unknown

Protects against DNS spoofing

Hosting

BELPAK-AS - Republican Unitary Telecommunication Enterprise Beltelecom, BY

ASN AS6697

86.57.162.36

Registrar

Reliable Software, Ltd

Lock status unknown 2 NS records

Expiry timeline

Today

+1 year

Domain expiry SSL expiry Danger zone (≤30 days)

Registrar Reliable Software, Ltd

Created September 20, 2010 (15 years, 11 months ago)

Expires October 15, 2027 (1 years, 4 months)

Last Updated August 16, 2025

Name Servers u1.hoster.by, u2.hoster.by

Hosting

IP Address 86.57.162.36

ASN AS6697 (BELPAK-AS - Republican Unitary Telecommunication Enterprise Beltelecom, BY)

Provider BELPAK-AS - Republican Unitary Telecommunication Enterprise Beltelecom, BY

Data source: whois (0.8s)

A+

CDN Cache Observability

1 cache header(s) present

PASS

1 cache header(s) present

CDN cache state observable via 1 header(s)

Got: x-served-by=inco.by