https://bridgeslab.sph.umich.edu

Infrastructure

17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
Score: 82 · Grade: B · Fix: 3 · Review: 9 · Pass: 5 · Info: 0
Probed from Sao Paulo, Brazil
200 OK
Checks: 17 (5 PASS, 9 REVIEW, 3 FIX)
D
Multi-Resolver DNS Speed
Action
Mean 626ms across 3 resolvers (spread 1221ms)
FIX
Info::
Cloudflare: 2ms
Got: 2ms via 1.1.1.1:53
Info::
Google: 653ms
Got: 653ms via 8.8.8.8:53
Info::
Quad9: 1223ms
Got: 1223ms via 9.9.9.9:53
Info::
High latency spread between resolvers: 1221ms (min 2ms / max 1223ms)
Wide gap between the fastest and slowest public resolver suggests a geographic anycast issue or an authoritative-server cache problem. Users in different regions will see materially different DNS times.
F
HTTP Probe Timing
Action
Total 4232 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
FIX
DNS Lookup (time to resolve the domain name to an IP address): 634 ms
TCP Connect (time to establish a TCP connection to the server): 146 ms
TLS Handshake (time to complete the HTTPS encryption handshake): 150 ms
Time to First Byte (how long the server takes to respond with the first byte of data): 4.09 s
Total Time (total request time from DNS lookup through full response): 4.23 s

Connection waterfall

DNS Lookup 634 ms | TCP Connect 146 ms | TLS Handshake 150 ms | Server Processing 3.16 s | Content Transfer 146 ms
D
CDN & Delivery
Action
No CDN detected
FIX
Warning::
No CDN detected
A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.

Consider using a CDN to improve global delivery speed and reduce origin load.

C
DNS Records
Action
1 A record, 656 ms lookup
REVIEW
Info::
Resolves to 1 IPv4 address(es)
Got: 141.211.28.127
Info::
Single A record — no DNS redundancy
Multiple A records provide failover if one server goes down.
Info::
No IPv6 (AAAA) records
Warning::
CNAME record at zone apex
A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.
Got: bridgeslab2.miserver.it.umich.edu
Info::
No NS records found
Info::
No MX records — email not configured via DNS
Info::
No SPF record found in TXT records
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Warning::
DNS resolution is slow (656 ms)
Slow DNS adds latency to every page load. Consider a faster DNS provider.
Got: 656 ms
A: 141.211.28.127
AAAA: (none listed)
CNAME: bridgeslab2.miserver.it.umich.edu
NS: (none listed)
MX: (none listed)
TXT: (none listed)
CAA: Lookup not available with standard resolver
Resolved in 656 ms

Multiple A records provide failover if one server goes down.

Why this matters

Single A record means a single point of failure — if that IP goes down, your site is unreachable until DNS TTL expires.

Learn more

Add multiple A records for round-robin failover, or use a managed DNS provider with health-checked failover (Route 53, Cloudflare, NS1). Short TTL (60-300s) lets clients recover faster on outages.

Source: SRE practice / DNS architecture

A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.

Why this matters

CNAME at the apex (example.com) breaks every other apex record (MX, TXT, NS) — DNS-protocol violation per RFC 1034.

Learn more

RFC 1034 forbids CNAME alongside other records at the same name. Some DNS providers offer ALIAS / ANAME / flattened-CNAME records that work around this — use those instead. Otherwise apex-level CNAME breaks email (no MX), domain ownership verification (no TXT), and more.

Source: RFC 1034

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

Why this matters

Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.

Learn more

SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.

Source: RFC 7208 (SPF)

Slow DNS adds latency to every page load. Consider a faster DNS provider.

Why this matters

DNS resolution is slow — anycast DNS providers (Cloudflare, Route 53) typically resolve <50ms globally.

Source: DNS performance benchmarks

B
DNSSEC
Unsigned (DNSSEC not deployed)
REVIEW
Info::
DNSSEC is not deployed
The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).
B
CAA Records
No CAA records (any CA may issue certificates)
REVIEW
Info::
No CAA records published
Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. CAs have been required by the CA/Browser Forum Baseline Requirements to check CAA before issuance since 2017; the default of 'any CA' is widely supported but leaves a broader attack surface for issuance fraud.
B
Reverse DNS
0/1 IPs match cert SAN
REVIEW
Info::
PTR for 141.211.28.127 does not match any cert SAN: bridgeslab2.miserver.it.umich.edu
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
C
IPv6 Readiness
Action
No IPv6 support
REVIEW
Info::
No IPv6 (AAAA) records found
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No IPv6 Support
About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B
TLS Certificate Expiry & Recommendations
143 days until leaf cert expires — 3 issues to address
REVIEW

Certificate validity

143 days left

Recommended actions

  • Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
B
CDN Cache Observability
No CDN cache-status headers in the response
REVIEW
Info::
Without an X-Cache / CF-Cache-Status / X-Vercel-Cache / Age header, you can't tell from outside whether a request hit the cache or went to origin. Operationally important: enables debugging stale-content reports and verifying cache rules. Most managed CDN platforms emit at least one of these by default; absence often means the platform's diagnostic headers are stripped at an upstream proxy.
B
Operational Status Page
No status page link detected
REVIEW
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
B
Health Check Endpoint
No conventional health endpoint found
REVIEW
Info::
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
A+
Subdomain Takeover
No subdomain takeover risk detected
PASS
Info::
CNAME does not point at a known takeover-able service
A+
Redirect Chain
No redirects — direct access
PASS
Info::
Got: https://bridgeslab.sph.umich.edu

https://bridgeslab.sph.umich.edu

3852 ms · HTTP/1.1 FINAL

# | URL | Status | Time | Protocol | Server
1 | https://bridgeslab.sph.umich.edu | 200 | 3852 ms | HTTP/1.1 | gunicorn
A+
Crawlability
robots.txt present, sitemap with 7 URLs
PASS
Info::
robots.txt is present
Got: 437 bytes
Info::
sitemap.xml is present
Info::
sitemap.xml is valid XML
Info::
sitemap.xml contains 7 entries
Info::
Sitemap index with 7 child sitemaps
Info::
robots.txt references sitemap
robots.txt 200 OK
Size: 437 B
Sitemaps referenced: 2
User-agents: CCBot, anthropic-ai, Claude-Web, Bytespider, Bytedance, GPTBot
Blocking: No — crawling allowed
User-agent: GPTBot
Crawl-delay: 10

User-agent: CCBot
Crawl-delay: 10

User-agent: anthropic-ai
Crawl-delay: 10

User-agent: Claude-Web
Crawl-delay: 10

#To block Bytespider from crawling:
User-agent: Bytespider
Disallow: /

#To block Bytedance from crawling:
User-agent: Bytedance
Disallow: /

Sitemap: http://bridgeslab.sph.umich.edu/sitemap.xml
Sitemap: http://bridgeslab.sph.umich.edu/protocols/sitemap-index-bridgeslabproto-mw_.xml

A+
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
PASS
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

https://www.bridgeslab.sph.umich.edu/
200 https://bridgeslab.sph.umich.edu/

HTTP → HTTPS

301 http://bridgeslab.sph.umich.edu/ → https://bridgeslab.sph.umich.edu/

Consistent

A+
Domain Intelligence
umich.edu — 41 years, 2 months old
PASS
Info::
Domain registered until Jul 31, 2027 (1 year, 2 months remaining)
Domain expiry: 442 days (July 31, 2027)
SSL certificate: 143 days (issued by Internet2)
Domain age: 41 years, 2 months (registered October 7, 1985)
DNSSEC: status unknown (protects against DNS spoofing)
Hosting: unknown (2a06:98c1:58::25)
Registrar: unknown; lock status unknown; 4 NS records
[Expiry timeline: today to +1 year, marking domain expiry, SSL expiry, and the danger zone (≤30 days)]
Registrar
Created: October 7, 1985 (41 years, 2 months ago)
Expires: July 31, 2027 (1 year, 2 months)
Last Updated: February 11, 2026
Name Servers: dns1.itd.umich.edu, dns2.itd.umich.edu, dns4.umich.org, dns3.umich.org
Registrant: University of Michigan -- ITD
Hosting
IP Address: 2a06:98c1:58::25
Data source: whois (0.9s)
All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.
