Verifying Domains

Overview

After adding a domain to your project, you must verify ownership using a DNS TXT record. This verification proves you control the domain and authorizes Pensar to perform security testing.

The verification dialog opens automatically after creating a domain, showing your unique TXT record and verification instructions.

Why Domain Verification?

Domain verification is a critical security measure that:

  • Proves Ownership: Ensures you control the domain before testing begins
  • Prevents Abuse: Protects others from unauthorized security testing
  • Legal Protection: Provides evidence of authorization for penetration testing
  • Compliance: Demonstrates due diligence for security assessments

Verification Process

When you create a domain, a verification dialog automatically opens with your unique DNS TXT record.

1. View Your TXT Record

The verification dialog displays:

  • Your unique verification record (format: pensar=<token>)
  • A copy button for easy copying
  • Instructions for adding the record
  • A verify button to check verification status

2. Copy the Record

Click the Copy icon next to the TXT record to copy it to your clipboard. This ensures you don’t make any typos when adding it to your DNS.

3. Add to Your DNS Provider

Log in to your DNS provider and add a new TXT record:

  • Type: TXT
  • Host/Name: _pensar.<your-domain> (or just _pensar for some providers)
  • Value: Paste the copied record (format: pensar=<token>)
  • TTL: 3600 seconds (or your provider’s default)

4. Wait for DNS Propagation

DNS changes take time to propagate globally:

  • Fast providers (Cloudflare, Vercel): 1-5 minutes
  • Most providers: 10-30 minutes
  • Maximum: Up to 48 hours (rare)

5. Click Verify

Return to the Pensar Console and click the Verify button in the dialog. This triggers a DNS lookup to check for your TXT record.

6. Successful Verification

When verification succeeds:

  • You’ll see: “Domain verified successfully”
  • The dialog closes automatically
  • Blackbox reconnaissance is automatically queued
  • Your domain is ready for penetration testing

DNS TXT Record Format

Your verification TXT record follows this specific format:

Record Type: TXT
Host: _pensar.<your-domain>
Value: pensar=<unique-verification-token>
TTL: 3600

Examples by Domain Type

Domain: app.example.com

Host: _pensar.app.example.com
Value: pensar=a1b2c3d4e5f6...
TTL: 3600

Some DNS providers want just the subdomain part:

Host: _pensar.app
Value: pensar=a1b2c3d4e5f6...
TTL: 3600

DNS Provider Guides

Step-by-step instructions for popular DNS providers:

Adding TXT Record in Cloudflare:

  1. Log in to your Cloudflare dashboard
  2. Select the domain you’re verifying
  3. Click DNS in the sidebar, then Records
  4. Click Add record
  5. Configure the record:
    • Type: TXT
    • Name: _pensar (Cloudflare automatically appends your domain)
    • Content: Paste your full record value (e.g., pensar=abc123...)
    • TTL: Auto (or 3600)
    • Proxy status: DNS only (gray cloud)
  6. Click Save
  7. Wait 1-5 minutes for propagation
  8. Return to Pensar Console and click Verify

Cloudflare typically propagates DNS changes within 1-2 minutes, making it one of the fastest providers for verification.

Adding TXT Record in Route 53:

  1. Open the Route 53 console
  2. Click Hosted zones in the sidebar
  3. Select the hosted zone for your domain
  4. Click Create record
  5. Configure the record:
    • Record name: _pensar.example.com. (include the trailing dot)
    • Record type: TXT
    • Value: "pensar=<token>" (enclose in double quotes)
    • TTL (seconds): 300 or 3600
    • Routing policy: Simple routing
  6. Click Create records
  7. Wait 5-10 minutes for propagation
  8. Return to Pensar Console and click Verify

Route 53 requires:

  • TXT values enclosed in double quotes
  • Record names ending with a trailing dot
  • Format: "pensar=token" not pensar=token

Adding TXT Record in Google Cloud DNS:

  1. Open the Cloud DNS console
  2. Click on your DNS zone
  3. Click Add record set at the top
  4. Configure the record:
    • DNS name: _pensar.example.com. (include trailing dot)
    • Resource record type: TXT
    • TTL: 3600 seconds
    • TXT data: pensar=<token> (no quotes needed)
  5. Click Create
  6. Wait 5-10 minutes for propagation
  7. Return to Pensar Console and click Verify

Google Cloud DNS requires the trailing dot in the DNS name but doesn’t require quotes around the value.

Adding TXT Record in GoDaddy:

  1. Log in to your GoDaddy account
  2. Navigate to My Products > All Products and Services
  3. Find your domain and click DNS
  4. Scroll to the Records section
  5. Click Add and select TXT
  6. Configure the record:
    • Name: _pensar (subdomain part only, GoDaddy adds the domain automatically)
    • Value: Paste your full record value
    • TTL: 3600 seconds (or 1 hour)
  7. Click Save
  8. Wait 10-30 minutes for propagation (GoDaddy can be slower)
  9. Return to Pensar Console and click Verify

GoDaddy DNS propagation can take 10-30 minutes or longer. If verification fails, wait a bit longer and try again.

Adding TXT Record in Namecheap:

  1. Log in to your Namecheap account
  2. Navigate to Domain List
  3. Click Manage next to your domain
  4. Go to the Advanced DNS tab
  5. Click Add New Record in the Host Records section
  6. Configure the record:
    • Type: TXT Record
    • Host: _pensar (subdomain part only)
    • Value: Paste your full record value
    • TTL: Automatic (or select a specific value)
  7. Click the checkmark to save
  8. Wait 10-30 minutes for propagation
  9. Return to Pensar Console and click Verify

Adding TXT Record in DigitalOcean:

  1. Log in to your DigitalOcean account
  2. Navigate to Networking > Domains
  3. Click on your domain
  4. Scroll to the Add a record section
  5. Configure the record:
    • Type: TXT
    • Hostname: _pensar (subdomain part)
    • Value: Paste your full record value
    • TTL (seconds): 3600
  6. Click Create Record
  7. Wait 5-10 minutes for propagation
  8. Return to Pensar Console and click Verify

Adding TXT Record in Vercel:

  1. Log in to your Vercel dashboard
  2. Navigate to your project
  3. Go to Settings > Domains
  4. Click on your domain
  5. Scroll to DNS Records
  6. Click Add and select TXT
  7. Configure the record:
    • Name: _pensar
    • Value: Paste your full record value
    • TTL: Default (automatic)
  8. Click Save
  9. Wait 1-5 minutes for propagation (Vercel is very fast)
  10. Return to Pensar Console and click Verify

Adding TXT Record in Netlify:

  1. Log in to your Netlify dashboard
  2. Navigate to Domains
  3. Select your domain
  4. Click DNS settings
  5. Scroll to DNS records
  6. Click Add new record
  7. Configure the record:
    • Record type: TXT
    • Name: _pensar
    • Value: Paste your full record value
    • TTL: 3600
  8. Click Save
  9. Wait 5-10 minutes for propagation
  10. Return to Pensar Console and click Verify

Checking DNS Propagation

Before clicking verify, you can check if your TXT record has propagated:

Online DNS Checker Tools

Command Line Tools

You can also check from your terminal:

Using dig (Linux/Mac):

# Check for TXT record
dig _pensar.example.com TXT

# Show only the answer
dig +short _pensar.example.com TXT

# Query a specific DNS server (Google's DNS)
dig @8.8.8.8 _pensar.example.com TXT

Expected output:

_pensar.example.com. 3600 IN TXT "pensar=abc123xyz789..."

Troubleshooting Verification

If verification fails, follow these troubleshooting steps:

Problem: The DNS lookup can’t find your TXT record.

Solutions:

  1. Wait longer: DNS propagation can take 10-30 minutes (sometimes longer)
  2. Check the record exists: Log back into your DNS provider and verify the record is saved
  3. Check the host name: Ensure you used _pensar as the subdomain prefix
  4. Verify the format: Make sure the host is _pensar.example.com or just _pensar
  5. Check DNS propagation: Use online tools to see if the record is visible globally

If your DNS provider’s interface shows the record but verification fails, it usually means the record hasn’t propagated yet. Wait 5-10 more minutes and try again.

Problem: The record exists but doesn’t match the expected format.

Common mistakes:

  • ❌ Missing _pensar prefix in the host name
  • ❌ Missing pensar= in the value (just the token)
  • ❌ Extra quotes added when they shouldn’t be
  • ❌ Spaces or line breaks in the value
  • ❌ Wrong subdomain (e.g., _verify instead of _pensar)

Correct format:

Host: _pensar.example.com (or _pensar)
Value: pensar=abc123xyz789...

Action: Delete the record and re-add it, carefully copying the value from the Pensar verification dialog using the Copy button.

Problem: Different DNS providers have different formatting requirements.

Provider-specific tips:

Route 53 (AWS):

  • Requires double quotes: "pensar=token"
  • Requires trailing dot: _pensar.example.com.

Google Cloud DNS:

  • Requires trailing dot: _pensar.example.com.
  • No quotes needed

Cloudflare:

  • Just use _pensar as the name
  • No trailing dot needed
  • No quotes needed

GoDaddy/Namecheap:

  • Use just _pensar (they append the domain automatically)
  • No quotes needed

Check your provider’s documentation for TXT record formatting requirements.

Problem: Your domain already has other TXT records and there may be conflicts.

Solution:

  • Multiple TXT records for the same host are allowed
  • DNS returns all TXT records for a host
  • The Pensar verification looks specifically for the pensar= prefix
  • Having other TXT records (like SPF, DKIM, etc.) won’t interfere

If you have issues:

  • Ensure your new record is actually saved and visible
  • Check that the pensar= value is correct
  • Try querying the DNS to see all TXT records returned

Problem: It’s been over 30 minutes and the record still isn’t visible.

Possible causes:

  1. DNS provider is slow: Some providers take longer (GoDaddy, some regional providers)
  2. Caching: Your local DNS may be caching old results
  3. DNS not saved: The record might not have been saved properly

Actions to take:

  1. Clear your local DNS cache:
    • Mac: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
    • Windows: ipconfig /flushdns
    • Linux: sudo resolvectl flush-caches (older systemd releases: sudo systemd-resolve --flush-caches)
  2. Check from a different network or device
  3. Use an online DNS checker to see global propagation
  4. Verify the record is actually saved in your DNS provider’s interface
  5. If it’s been over 2 hours, contact your DNS provider’s support

Common error messages and solutions:

“TXT record not found”

  • The DNS query couldn’t find any TXT record at _pensar.yourdomain.com
  • Solution: Check the record exists and wait for propagation

“Invalid TXT record format”

  • The record was found but doesn’t match pensar=<token>
  • Solution: Check the value starts with pensar=

“Verification token mismatch”

  • A pensar TXT record was found but the token doesn’t match
  • Solution: Ensure you’re adding the correct record for this specific domain
  • You may have copied an old token - get the current one from the verification dialog

“DNS query failed”

  • Temporary DNS resolution issue
  • Solution: Wait a minute and try again
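
The pre-check from Checking DNS Propagation combined with the error messages above, as an added shell example (not Pensar's code): it reads `dig +short` TXT answers and reports the result those descriptions imply. The function names, the token values and the mapping to the console's messages are assumptions drawn from this page.

```sh
#!/bin/sh
# Added example, not Pensar's code. Function names and tokens are hypothetical.
# classify_pensar_txt TOKEN reads TXT answers on stdin, one per line, in the
# form `dig +short _pensar.<domain> TXT` prints them, and reports which of the
# results listed above the console would be expected to show (an assumption).
classify_pensar_txt() {
    cpt_expected=$1
    cpt_any=0
    cpt_prefixed=0
    while IFS= read -r cpt_line || [ -n "$cpt_line" ]; do
        # dig wraps each TXT string in double quotes and splits long values
        # into several quoted chunks; join the chunks, drop the outer quotes.
        cpt_value=$(printf '%s' "$cpt_line" |
            sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        [ -n "$cpt_value" ] || continue
        cpt_any=1
        case $cpt_value in
            "pensar=$cpt_expected") echo "verified"; return 0 ;;
            pensar=*) cpt_prefixed=1 ;;   # a Pensar record with another token
        esac                              # anything else: SPF, bare token, ...
    done
    if [ "$cpt_any" -eq 0 ]; then
        echo "TXT record not found"
    elif [ "$cpt_prefixed" -eq 1 ]; then
        echo "Verification token mismatch"
    else
        echo "Invalid TXT record format"
    fi
    return 1
}

# Live use (needs network and dig): ask two public resolvers, because one of
# them may still be serving a cached "no such record" answer.
check_pensar_domain() {
    for cpd_resolver in 8.8.8.8 1.1.1.1; do
        printf '%s: ' "$cpd_resolver"
        dig +short "@$cpd_resolver" "_pensar.$1" TXT |
            classify_pensar_txt "$2" || true
    done
}

# Constructed sample answers: an SPF record beside a stale Pensar token.
printf '%s\n' '"v=spf1 -all"' '"pensar=0ldt0ken"' |
    classify_pensar_txt "a1b2c3d4" || true
```

`classify_pensar_txt` exits with status 0 only on an exact `pensar=<token>` match, so it can gate a script that waits for propagation before you click Verify.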

Re-Verifying Domains

You can re-verify a domain at any time:

1. Open Domain Menu

In the Domains list, click the menu (⋮) next to the unverified domain.

2. Click Verify

Select Verify from the dropdown menu.

3. Verification Dialog Opens

The verification dialog opens showing the same TXT record value. The token remains the same for each domain.

4. Check DNS Record

Verify the TXT record is still in your DNS (it should be if you added it earlier).

5. Click Verify

Click the Verify button to retry verification.

The verification token for a domain doesn’t change, so you only need to add the DNS TXT record once. You can verify multiple times using the same record.

After Successful Verification

Once your domain is verified:

1. Automatic Reconnaissance

Pensar automatically queues blackbox reconnaissance to discover your attack surface.

2. Status Updates

In the Domains list:

  • Verified column shows a green checkmark ✓
  • Last Analyzed shows when reconnaissance started
  • An animated radar icon appears while reconnaissance is running

3. Endpoint Discovery

The reconnaissance process discovers:

  • API endpoints
  • Web pages and routes
  • Entry points and input vectors
  • Authentication mechanisms

4. Ready for Testing

Once reconnaissance completes, your domain is ready for penetration testing. You can:

  • View discovered endpoints
  • Review pentest objectives
  • Manually trigger pentests
  • Enable automatic testing schedules

Best Practices

Recommendation: Keep your verification TXT record in your DNS permanently.

Why:

  • No security risk - the token is public and only proves ownership
  • Allows easy re-verification if needed
  • Doesn’t interfere with other DNS records
  • Takes up minimal DNS resources
  • Makes future verification instant

When to remove:

  • You permanently stop using Pensar
  • You delete the domain from your project
  • Your organization requires cleanup of unused records

Recommendation: Verify and test staging/development domains before production.

Benefits:

  • Familiarize yourself with the process
  • Ensure verification works smoothly
  • Test the security testing process in a safe environment
  • Validate that test credentials work
  • Confirm penetration testing doesn’t disrupt services

Recommendation: Keep a record of all DNS TXT records you add for services.

Why:

  • Know what each record is for
  • Makes cleanup easier later
  • Helps when troubleshooting DNS issues
  • Useful for team knowledge sharing
  • Required for some compliance frameworks

What to document:

  • Service name (Pensar)
  • Purpose (Domain verification)
  • Record host (_pensar.example.com)
  • Date added
  • Who added it

Recommendation: Check DNS propagation before clicking Verify in Pensar.

How:

  • Use online DNS checker tools
  • Run command-line queries
  • Check from multiple locations
  • Wait until you see the record globally

Benefits:

  • Avoid failed verification attempts
  • Know the record is working before testing
  • Understand propagation time for your DNS provider
  • Catch formatting errors early

Security Considerations

The DNS TXT record verification token is public information and is safe to share. It only proves domain ownership and cannot be used to access your systems or data.

Is the Verification Token Secret?

No. The verification token:

  • ✅ Proves you can add DNS records to the domain
  • ✅ Is publicly queryable by anyone via DNS lookup
  • ✅ Only authorizes Pensar to test that specific domain
  • ❌ Does NOT provide access to your application
  • ❌ Does NOT contain sensitive information
  • ❌ Cannot be used to compromise security

Can Someone Use My Token?

No. Even if someone copies your verification token:

  • They can’t add it to their DNS for your domain (they don’t control your DNS)
  • They can’t use it to verify their own domain (tokens are domain-specific)
  • They can’t gain access to your Pensar project
  • They can’t trigger tests on your domain without Pensar project access

Removing Verification Records

You can safely remove TXT records if:

  • You’re no longer using Pensar
  • You’ve deleted the domain from your project
  • You need to clean up DNS records

To remove:

  1. Log in to your DNS provider
  2. Find the TXT record with host _pensar.yourdomain.com
  3. Delete the record
  4. Wait for DNS propagation (changes take effect in 5-30 minutes)

If you remove the verification record, you’ll need to add it back if you ever want to re-verify the domain in the future. However, the token value remains the same.
