
Threat intelligence analysis docs

Name servers

Check the name servers' configuration.

NS records

Type: Info

Recursively query name servers, starting from the root zone, until the authoritative servers are reached, to retrieve the domain's NS records.

Sample output:
  NS records successfully fetched from the parent name server: <Name server>.
  Unable to fetch the domain's NS records. The last checked server: <Name server>.

Field     | Sample output  | What it means?
NS server | ns2.google.com | Name server's domain name
IPv4      | 216.239.34.10  | Name server's IPv4 address
IPv6      | ?              | Name server's IPv6 address
TTL       | 172800         | NS record's Time to Live (TTL) in seconds

SOA record

Type: Info

Start of Authority (SOA) is a significant part of a zone file in the Domain Name System. It contains important management information about the zone, especially regarding zone transfers. The SOA record is specified in RFC 1035.

Field               | Sample output        | What it means?
Primary name server | ns4.google.com       | Primary master for this zone. It defines the server to which dynamic updates should be sent and to which no NOTIFY messages should be sent.
Hostmaster (e-mail) | dns-admin.google.com | Email address of the party responsible for this zone. The @ is replaced with a dot ("."), and dots before the @ are escaped as "\.", e.g. "john\.doe.example.com" for the email address "john.doe@example.com".
Serial              | 169873387            | Increased at every change. Common naming scheme: YYYYMMDDVV. Hints at when the zone was last updated.
Refresh             | 900                  | Interval in seconds after which secondary name servers should request the serial number from the primary one to detect zone changes. RIPE's recommended value for small and stable zones is 86400 (24 hours).
Retry               | 900                  | Interval in seconds after which secondary name servers should retry requesting the serial number from the master if it does not respond. It must be less than Refresh. RIPE NCC recommends 7200 (2 hours) for small and stable zones.
Expire              | 1800                 | Interval in seconds after which secondary name servers should stop answering requests for this zone if the master does not respond. This value must be greater than the sum of Refresh and Retry. RIPE NCC's recommendation for small and stable zones is 3600000 (1000 hours).
Minimum TTL         | 60                   | Time to Live for negative caching. RIPE's recommended value for small and stable zones is 172800 (2 days). Originally this field was the minimum TTL for all resource records of the zone and was applied to records with no explicit TTL; that meaning was deprecated by RFC 2308.
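As an added example (not the platform's own code), the following Python parses a presentation-format SOA record into the fields of the table above, decodes the RNAME mailbox encoding described for the Hostmaster field, and reads a YYYYMMDDnn serial as a date hint. The sample record line is constructed to mirror the table's sample values; it is not a real capture.

```python
from datetime import date
from typing import NamedTuple, Optional

# Constructed sample in the presentation format that `dig SOA` prints; the
# values mirror the sample table, but this line is not a real capture.
SAMPLE_SOA = ("google.com. 60 IN SOA ns4.google.com. dns-admin.google.com. "
              "169873387 900 900 1800 60")


class SOA(NamedTuple):
    mname: str      # primary master name server
    rname: str      # hostmaster mailbox in DNS-name form
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int    # negative-caching TTL (RFC 2308)


def parse_soa(line: str) -> SOA:
    """Parse '<owner> <ttl> <class> SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum>'."""
    fields = line.split()
    if "SOA" not in fields:
        raise ValueError("not an SOA record")
    rdata = fields[fields.index("SOA") + 1:]
    if len(rdata) != 7:
        raise ValueError(f"expected 7 SOA RDATA fields, got {len(rdata)}")
    return SOA(rdata[0], rdata[1], *(int(v) for v in rdata[2:]))


def rname_to_email(rname: str) -> str:
    """Decode RNAME into a mailbox: the first unescaped dot becomes '@', an escaped '\\.' becomes '.'."""
    name = rname.rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped character: keep it literally
            local.append(name[i + 1])
            i += 2
        elif ch == ".":                        # first unescaped dot: the local part ends here
            return "".join(local) + "@" + name[i + 1:]
        else:
            local.append(ch)
            i += 1
    return "".join(local)                      # no dot at all: RNAME carried no domain part


def serial_to_date(serial: int) -> Optional[date]:
    """Interpret a YYYYMMDDnn serial as a date hint; None if it does not follow that convention."""
    digits = str(serial)
    if len(digits) != 10:
        return None
    try:
        return date(int(digits[0:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:                         # e.g. month 13 or day 32
        return None


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print("hostmaster:", rname_to_email(soa.rname))
    print("serial date hint:", serial_to_date(soa.serial))
```

The sample serial 169873387 has nine digits, so `serial_to_date` returns None for it, which is exactly the "does not follow the convention" case the serial-number check reports.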

Configuration check

Type: Analysis

Check the NS records and the corresponding name servers' configuration.

Glue check

Check the glue on the parent and authoritative name servers.

Glue is an IP address returned in the additional section of a DNS response. Glue records are needed when a domain's name servers are configured with a hostname that is a subdomain of the domain itself.

The glue provided by the parent and authoritative name servers should match.

Glue can be IPv4 or IPv6. At least IPv4 glue should be provided.

Tag     | What it means?
Skipped | Glue is not required.
OK      | Glue is required and provided. Glue returned by the authoritative name servers matches the one provided by the parent name servers.
Failed  | Glue is required, but not provided. No IPv4/IPv6 glue found on the authoritative or parent name servers: <list of name servers with missing glue>.

Allow recursive queries

Check if recursive queries are allowed.

Running an 'open' name server is a security risk, since it answers recursive queries from both inside and outside the network. The name server should not set the RA (recursion available) flag.

Tag    | What it means?
OK     | Name servers don't allow recursive queries.
Failed | The listed name servers allow recursive queries: <Name servers list>.

Identical NS records

Check if NS records returned by different name servers are identical.

Tag    | What it means?
OK     | All name servers returned identical NS records.
Failed | NS records are different on different name servers.

LAME name servers

Check if all name servers provide an A record for the domain name.

A name server that gives a non-authoritative answer is called lame. Every domain must have at least 2 name servers that hold the zone data and return authoritative answers for it; otherwise it is a lame delegation (RFC 1912, section 2.8).

Tag    | What it means?
OK     | All name servers provide an A record for the domain.
Failed | Found name servers which don't provide an A record for the domain.
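The "Allow recursive queries" and "LAME name servers" checks above both come down to header flags in the response a name server returns: RA set means recursion is offered, AA clear means the answer is not authoritative (the definition of lame given above). As an added example that is not the platform's code, this Python decodes the 12-byte DNS header (RFC 1035 section 4.1.1) and classifies constructed responses; the `build_header` helper and the three sample messages are constructed for the demonstration and are not captures from any real server.

```python
import struct
from typing import Dict

# Header flag bits (RFC 1035 section 4.1.1), numbered from the most significant bit
QR = 1 << 15   # response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired (copied from the query)
RA = 1 << 7    # recursion available


def parse_header(message: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(message) < 12:
        raise ValueError("a DNS message needs at least a 12-byte header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", message[:12])
    return {
        "ID": msg_id,
        "QR": (flags >> 15) & 1,
        "OPCODE": (flags >> 11) & 0xF,
        "AA": (flags >> 10) & 1,
        "TC": (flags >> 9) & 1,
        "RD": (flags >> 8) & 1,
        "RA": (flags >> 7) & 1,
        "RCODE": flags & 0xF,
        "QDCOUNT": qdcount,
        "ANCOUNT": ancount,
        "NSCOUNT": nscount,
        "ARCOUNT": arcount,
    }


def classify_response(message: bytes) -> Dict[str, bool]:
    """Map the header flags to the two findings: 'authoritative' (AA set) and
    'recursion_available' (RA set). An NS answering for its own zone without AA
    is lame; an NS that sets RA offers recursion to whoever asks."""
    h = parse_header(message)
    if h["QR"] != 1:
        raise ValueError("not a response")
    return {"authoritative": h["AA"] == 1, "recursion_available": h["RA"] == 1}


def build_header(flags: int, ancount: int = 0, msg_id: int = 0x1234) -> bytes:
    """Constructed 12-byte header (one question, no trailing sections) for the demonstration."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, ancount, 0, 0)


# Constructed responses, not captures from any real server
AUTHORITATIVE_CLOSED = build_header(QR | AA | RD, ancount=1)  # what an NS should return: OK / OK
OPEN_RESOLVER = build_header(QR | RD | RA, ancount=1)          # recursion offered, not authoritative
LAME = build_header(QR | RD, ancount=0)                        # no recursion, but no authority either

if __name__ == "__main__":
    for label, msg in [("authoritative", AUTHORITATIVE_CLOSED), ("open", OPEN_RESOLVER), ("lame", LAME)]:
        print(label, classify_response(msg))
```

Checking the flags on a response for the zone apex (an A query as in the check above) is how a defender verifies their own delegation: every listed server should come back with AA set and RA clear.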

Valid domain names

Check if all name servers' domain names are valid.

Tag    | What it means?
OK     | All name servers have valid domain names.
Failed | Name servers with invalid domain names found: <List>.

Stealth name servers

Compare the NS records provided by the authoritative and parent name servers.

Stealth name servers (or hidden name servers) are present on the authoritative name servers, but not at the parent (root) level.

Tag    | What it means?
OK     | All name servers listed by the parent name servers are listed by the authoritative ones as well.
Failed | Found name servers which are listed by the authoritative servers, but not by the parent ones: <List>.

Missing name servers

Check if any NS records are missing on the authoritative name servers.

Tag    | What it means?
OK     | All name servers are listed by the authoritative name servers.
Failed | Found name servers which are not listed by the authoritative name servers: <List>.

No CNAME in NS records

Check that no CNAME is used in NS records.

RFC 2181: a host name must map directly to one or more address records (A or AAAA) and must not point to any CNAME records.

RFC 1034: if a name appears on the right-hand side of an RR (Resource Record), it should not be the left-hand (owner) name of a CNAME record.

Despite this restriction, there are many working configurations using CNAME with NS records.

Tag    | What it means?
OK     | No NS records with CNAME found.
Failed | NS records with CNAME found: <List>.
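The delegation checks in this section (glue, identical NS records, valid domain names, stealth and missing name servers, CNAME in NS records) all compare the NS set the parent hands out with the NS sets the authoritative servers return. As an added example that is not the platform's code, this Python runs those comparisons over a constructed delegation: the parent/child NS sets, glue, and CNAME map are made up for the demonstration, with one authoritative server omitting an NS and an extra stealth server present only on the child side.

```python
import re
from typing import Dict, Set

ZONE = "example.com."

# Constructed delegation data, not a real capture.
# NS set the parent (.com) servers hand out, and the glue they attach to it.
PARENT_NS: Set[str] = {"ns1.example.net.", "ns2.example.net.", "ns1.example.com."}
PARENT_GLUE: Dict[str, Set[str]] = {"ns1.example.com.": {"192.0.2.53"}}
# NS set each authoritative server returns for the zone apex (ns2 omits ns1.example.com.).
CHILD_NS: Dict[str, Set[str]] = {
    "ns1.example.net.": {"ns1.example.net.", "ns2.example.net.", "ns1.example.com.", "ns3.hidden.example."},
    "ns2.example.net.": {"ns1.example.net.", "ns2.example.net.", "ns3.hidden.example."},
}
# A/AAAA records the authoritative servers hold for in-zone NS names.
CHILD_GLUE: Dict[str, Set[str]] = {"ns1.example.com.": {"192.0.2.53"}}
# Names that resolve through a CNAME (constructed).
CNAME_OF: Dict[str, str] = {"ns3.hidden.example.": "real3.example.net."}

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """RFC 1123 host-name syntax: letter/digit/hyphen labels of 1-63 chars, no leading/trailing hyphen."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def needs_glue(ns: str, zone: str) -> bool:
    """Glue is required only when the NS name lies inside the delegated zone."""
    return ns == zone or ns.endswith("." + zone)


def check_glue(zone: str, ns_names: Set[str], parent_glue: Dict[str, Set[str]],
               child_glue: Dict[str, Set[str]]) -> Dict[str, str]:
    """Tag each NS name Skipped / OK / Failed as in the glue-check table."""
    result = {}
    for ns in sorted(ns_names):
        if not needs_glue(ns, zone):
            result[ns] = "Skipped"
        elif not parent_glue.get(ns) or not child_glue.get(ns):
            result[ns] = "Failed"          # required but absent on at least one side
        elif parent_glue[ns] != child_glue[ns]:
            result[ns] = "Failed"          # present on both sides, but they disagree
        else:
            result[ns] = "OK"
    return result


def run_delegation_checks(zone=ZONE, parent_ns=PARENT_NS, child_ns=CHILD_NS,
                          parent_glue=PARENT_GLUE, child_glue=CHILD_GLUE, cname_of=CNAME_OF) -> dict:
    answers = list(child_ns.values())
    child_union = set().union(*answers)
    child_common = set.intersection(*answers)
    every_ns = parent_ns | child_union
    return {
        "identical": len({frozenset(a) for a in answers}) == 1,
        "stealth": child_union - parent_ns,      # on authoritative servers, not at the parent
        "missing": parent_ns - child_common,     # at the parent, but not on every authoritative server
        "glue": check_glue(zone, every_ns, parent_glue, child_glue),
        "invalid_names": sorted(ns for ns in every_ns if not valid_hostname(ns)),
        "ns_with_cname": sorted(ns for ns in every_ns if ns in cname_of),
    }


if __name__ == "__main__":
    for check, outcome in run_delegation_checks().items():
        print(f"{check}: {outcome}")
```

With the constructed data, the run reports non-identical NS sets, ns3.hidden.example. as stealth, ns1.example.com. as missing from one authoritative server, matching glue for the in-zone name, and one NS name that is a CNAME.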

Name servers respond

Type: Analysis

Name servers have A record

Check if an A record is set for all the name servers. This is needed for the name server to be reachable via IPv4.

Tag    | What it means?
OK     | All name servers have an A record.
Failed | Name servers with no A record found: <List>.

Name servers have AAAA record

Check if an AAAA record is set for all the name servers. This is needed for the name server to be reachable via IPv6.

Tag     | What it means?
OK      | All name servers have an AAAA record.
Warning | Name servers with no AAAA record found: <List>.

All name servers responded

Check if all the name servers responded.

Tag    | Sample output
OK     | All name servers responded.
Failed | No response from the listed name servers: <List>.

All IPs are public

Name servers should have public IPs to be reachable over the Internet.

Tag    | What it means?
OK     | All name servers' IPs are public.
Failed | Name servers with private IPs found: <List>.

TCP connections allowed

Check if all the name servers are reachable via a TCP connection (port 53).

Tag    | What it means?
OK     | All name servers allow TCP connections.
Failed | Name servers not allowing TCP connections found: <List>.

Configuration meets best practices

Type: Analysis

Name servers count

Check if there are between 2 and 7 name servers.

RFC 2182 recommends having at least 3 authoritative name servers.

Tag     | Sample output
OK      | Domain has 3 name servers.
Warning | Domain has 1 name server. Recommended to be between 2 and 7.
Warning | Domain has 9 name servers. Recommended to be between 2 and 7.

Distributed over multiple networks

Check if the name servers' IPv4 addresses are distributed over different /24 networks.

The point of having several name servers is to spread them over different geographical locations, so that if one fails the others keep working. Although it is very common practice to run both name servers on the same host or subnet, that provides no fault tolerance.

Tag     | Sample output
OK      | Name servers are distributed over different networks.
Warning | Some name servers are located in the same network.

Distributed over multiple ASNs

Check if the name servers' IPv4 addresses are distributed over multiple ASNs.

RFC 2182: name servers should be dispersed (topologically and geographically) across the Internet to avoid a single point of failure.

Tag     | Sample output
OK      | Name servers are distributed over multiple ASNs.
Warning | Some name servers are located in a single ASN.
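The three "best practices" checks above (name server count, /24 distribution, ASN distribution) and the earlier "All IPs are public" check can all be computed from one NS-to-address table once an ASN lookup is available. As an added example that is not the platform's code, this Python does that over constructed data: the NS names, addresses and the `ASN_OF` mapping are made up for the demonstration (documentation-range addresses stand in for public ones, which is why the public/private test uses an explicit list of non-routable ranges rather than `ipaddress.is_global`, which would reject the documentation ranges too).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed NS -> IPv4 and IPv4 -> ASN data, not a real capture. Documentation-range
# addresses (RFC 5737) stand in for public ones here.
NS_ADDRESSES: Dict[str, str] = {
    "ns1.example.net.": "203.0.113.10",
    "ns2.example.net.": "203.0.113.20",   # same /24 and same ASN as ns1
    "ns3.example.org.": "198.51.100.5",
    "ns4.example.org.": "10.0.0.53",      # RFC 1918 address: unreachable from the Internet
}
ASN_OF: Dict[str, Optional[int]] = {
    "203.0.113.10": 64496, "203.0.113.20": 64496, "198.51.100.5": 64497, "10.0.0.53": None,
}

# Ranges that can never be reached from the public Internet (RFC 1918, loopback,
# link-local, shared address space, "this" network).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def check_count(n: int) -> Tuple[str, str]:
    """Tag the name server count as in the table above: 2..7 is OK, anything else a Warning."""
    if 2 <= n <= 7:
        return "OK", f"Domain has {n} name servers."
    return "Warning", f"Domain has {n} name server{'s' if n != 1 else ''}. Recommended to be between 2 and 7."


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def shared_groups(keyed: Dict[str, object]) -> Dict[object, List[str]]:
    """Group NS names by a key (network or ASN); keep only keys shared by more than one server."""
    groups: Dict[object, List[str]] = {}
    for ns, key in keyed.items():
        groups.setdefault(key, []).append(ns)
    return {k: v for k, v in groups.items() if len(v) > 1}


def run_best_practice_checks(ns_addresses=NS_ADDRESSES, asn_of=ASN_OF) -> dict:
    by_net = {ns: str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ns, ip in ns_addresses.items()}
    by_asn = {ns: asn_of.get(ip) for ns, ip in ns_addresses.items() if asn_of.get(ip) is not None}
    return {
        "count": check_count(len(ns_addresses)),
        "same_network": shared_groups(by_net),   # non-empty -> "Some name servers are in the same network"
        "same_asn": shared_groups(by_asn),       # non-empty -> "Some name servers are in a single ASN"
        "private_ips": sorted(ns for ns, ip in ns_addresses.items() if not is_public(ip)),
    }


if __name__ == "__main__":
    for check, outcome in run_best_practice_checks().items():
        print(f"{check}: {outcome}")
```

For a real run, `ASN_OF` would be filled from whatever origin-AS source you already use; the grouping logic does not change.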

Versions are hidden

Check that the name servers' software versions are not publicly exposed.

Tag     | What it means?
OK      | All the name servers' versions are hidden.
Warning | Version is exposed for the listed name servers: <List>.

SOA record configuration check

Type: Analysis

Check SOA record against recommendations for DNS SOA values and RFC 1912.

Name servers agreement on serial number

Check if all the name servers have the same serial number.

Different serial numbers may indicate inconsistencies between the name servers' configuration (multiple masters) or communication errors (ACL and firewall issues).

SOA records returned by the name servers should be identical.

Tag    | Sample output
OK     | All name servers have the same serial number: <Value>.
Failed | Some name servers have different serial numbers: <List>.

Serial number format

Check if the serial number format meets the general convention.

The recommended format is YYYYMMDDnn, where YYYY is the four-digit year, MM the month, DD the day and nn a sequence number for zones updated more than once per day.

Tag     | What it means?
OK      | The serial number format meets the general convention.
Warning | Although the serial number is valid, it does not follow the general convention.

MNAME

Check if the zone's primary master name server is listed on the parent name servers.

The DNS specification explicitly states that the primary master server should be named in MNAME.

Tag    | Sample output
OK     | Primary master name server <Name server> is listed on the parent name servers.
Failed | Primary master name server is not listed on the parent name servers.

RNAME

Check if the zone's administrative email is set.

The DNS specification explicitly states that RNAME publishes the email address of a person or role account responsible for this zone.

RFC 2142 recommends using the hostmaster mailbox for this purpose.

Tag    | What it means?
OK     | Zone's administrative contact email is <Email>.
Failed | Zone's administrative contact email is not set.

Refresh

Check if the value is within the recommended range [1200 .. 43200] (20 minutes .. 12 hours).

The Refresh field defines how quickly zone changes are propagated from master to slave.

Tag     | What it means?
OK      | The value is within the recommended range.
Warning | The refresh interval is <Value>. Recommended range is [1200 .. 43200].

Retry

Check if the value is within the recommended range [120 .. 7200] (2 minutes .. 2 hours).

The Retry field defines how often the slave should retry contacting the master if the connection failed during a refresh.

Tag     | What it means?
OK      | The value is within the recommended range.
Warning | The retry interval is <Value>. Recommended range is [120 .. 7200].

Expire

Check if the value is within the recommended range [604800 .. 1209600] (1 week .. 2 weeks).

The Expire field defines the zone expiration time in seconds, after which the slave must re-validate the zone file; if contacting the master keeps failing, the slave stops responding to any queries for the zone.

Tag     | What it means?
OK      | The value is within the recommended range.
Warning | The expire interval is <Value>. Recommended range is [604800 .. 1209600].

Minimum TTL

Check if the value is within the recommended range [3600 .. 86400] (1 hour .. 1 day).

Minimum TTL was redefined in RFC 2308; it now defines the period of time used by slaves to cache negative responses.

Tag     | What it means?
OK      | The value is within the recommended range.
Warning | The minimum TTL is <Value>. Recommended range is [3600 .. 86400].
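The four timer checks (Refresh, Retry, Expire, Minimum TTL) are range tests, and the SOA field descriptions earlier on this page add two relations between them: Retry must be less than Refresh, and Expire must be greater than Refresh + Retry. As an added example that is not the platform's code, this Python applies the recommended ranges listed above together with those two relations and tags each result OK / Warning / Failed in the style of the tables; running it on the sample SOA values from the field table (900 / 900 / 1800 / 60) shows every finding the page's own sample would trigger.

```python
from typing import Dict, Tuple

# Recommended ranges in seconds, as listed in the checks above
RANGES: Dict[str, Tuple[int, int]] = {
    "refresh": (1200, 43200),     # 20 minutes .. 12 hours
    "retry": (120, 7200),         # 2 minutes .. 2 hours
    "expire": (604800, 1209600),  # 1 week .. 2 weeks
    "minimum": (3600, 86400),     # 1 hour .. 1 day
}


def check_soa_timers(refresh: int, retry: int, expire: int, minimum: int) -> Dict[str, Tuple[str, str]]:
    """Return a (tag, message) per timer, plus the two relational constraints between timers."""
    values = {"refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}
    results: Dict[str, Tuple[str, str]] = {}
    for name, value in values.items():
        lo, hi = RANGES[name]
        if lo <= value <= hi:
            results[name] = ("OK", "The value is within the recommended range.")
        else:
            results[name] = ("Warning", f"The {name} interval is {value}. Recommended range is [{lo} .. {hi}].")
    # Retry must be shorter than Refresh, otherwise a slave would retry later than its next refresh.
    results["retry_lt_refresh"] = (
        ("OK", "Retry is less than Refresh.") if retry < refresh
        else ("Failed", f"Retry ({retry}) must be less than Refresh ({refresh})."))
    # Expire must exceed Refresh + Retry, otherwise the zone can expire before one retry cycle completes.
    results["expire_gt_refresh_plus_retry"] = (
        ("OK", "Expire exceeds Refresh + Retry.") if expire > refresh + retry
        else ("Failed", f"Expire ({expire}) must be greater than Refresh + Retry ({refresh + retry})."))
    return results


def overall_tag(results: Dict[str, Tuple[str, str]]) -> str:
    """Worst tag wins: Failed over Warning over OK."""
    tags = {tag for tag, _ in results.values()}
    return "Failed" if "Failed" in tags else "Warning" if "Warning" in tags else "OK"


if __name__ == "__main__":
    sample = check_soa_timers(900, 900, 1800, 60)   # values from the SOA field table above
    for name, (tag, message) in sample.items():
        print(f"{tag:8s} {name}: {message}")
    print("overall:", overall_tag(sample))
```

The sample values fail both relational constraints (Retry equals Refresh, and Expire equals their sum), which the per-field range checks alone would not report.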