Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.DTLS Certificate Expiry & RecommendationsAction2 days until leaf cert expires — 4 issues to addressFIX
Certificate validity
Recommended actions
- Renew certificate — 2 days remaining
- Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
DCDN & DeliveryActionNo CDN detectedFIX
Consider using a CDN to improve global delivery speed and reduce origin load.
BDNS Records16 A records, 31 ms lookupREVIEW
| A | 151.242.228.62, 154.85.94.15, 154.85.94.14, 151.242.228.54, 151.242.228.56, 151.242.228.85, 154.85.94.13, 154.85.94.18, 151.242.228.61, 154.85.94.11, 151.242.228.60, 151.242.228.58, 154.85.94.16, 154.85.94.12, 151.242.228.59, 154.85.94.17 |
| AAAA | 2407:2440:e00f::14, 2407:2440:e00f::17, 2407:2440:e00f::13, 2407:2440:e00f::11, 2407:2440:e00f::16, 2407:2440:e00f::15, 2407:2440:e00f::18, 2407:2440:e00f::12 |
| CNAME | www.gov.cn.bsgslb.cn |
| NS | — |
| MX | — |
| TXT | — |
| CAA | Lookup not available with standard resolver |
A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.
CNAME at the apex (example.com) breaks every other apex record (MX, TXT, NS) — DNS-protocol violation per RFC 1034.
Learn more ▾ ▴
RFC 1034 forbids CNAME alongside other records at the same name. Some DNS providers offer ALIAS / ANAME / flattened-CNAME records that work around this — use those instead. Otherwise apex-level CNAME breaks email (no MX), domain ownership verification (no TXT), and more.
Source: RFC 1034
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.
Learn more ▾ ▴
SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.
Source: RFC 7208 (SPF)
A+Redirect ChainNo redirects — direct accessPASS
https://www.gov.cn
74 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://www.gov.cn | 200 | 74 ms | HTTP/1.1 |
A+IPv6 ReadinessIPv6 reachable (25 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 100 URLsPASS
User-agent: *
Allow: /1
Sitemap:http://www.gov.cn/baidu.xml
Sitemap:http://www.gov.cn/google.xml
Sitemap:http://www.gov.cn/bing.xml
Sitemap:http://www.gov.cn/sogou.xml
Disallow:/2016gov/
Disallow:/2016shuju/
Disallow:/2016guoqing/
Disallow:/2016zhengce/
Disallow:/2016hudong/
Disallow:/2016fuwu/
Disallow:/2016xinwen/
Disallow:/premier/
Disallow:/2016guowuyuan/
Disallow:/2016public/
Disallow:/2016ducha/
Disallow:/guowuyuan/yangjing/
Disallow:/guowuyuan/yj.htm
Disallow:/c16629/gwyld_yj.htm
Disallow:/guowuyuan/yj_hy.htm
Disallow:/guoqing/2013-03/16/content_2583121.htm
Disallow:/guowuyuan/2015-12/24/content_5027563.htm
Disallow:/zhuanti/2014-04/02/content_2823336.htm
Disallow:/zmyw201202b/
Disallow:/zmyw201212c/
Disallow:/ldhd/wjb/tp.htm
Disallow:/guowuyuan/zl_gallery03.htm
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
HTTP → HTTPS
Consistent
A+Domain Intelligencewww.gov.cn — via 北京国旭网络科技有限公司, 27 years, 9 months oldPASS
427 days
September 14, 2027
2 days
Issued by China Financial Certification Authority
27 years, 9 months
Registered December 4, 1998
Status unknown
Protects against DNS spoofing
Unknown
2407:2440:e00f::16
北京国旭网络科技有限公司
Expiry timeline
Recommended actions
- Renew the TLS certificate or verify auto-renewal is working
Domain cannot be transferred without explicit unlock from the registrar. This protects against unauthorized transfers.
Registrar lock (clientTransferProhibited et al.) prevents unauthorized domain transfers — strongest defense against domain hijacking.
Source: ICANN / domain-security best practice