Threat intelligence analysis docs
Name servers
Check name servers configuration.
NS records
Query name servers iteratively, starting from the root zone and following each referral, until an authoritative server for the domain is reached, and retrieve the domain's NS records from it.
Tag | What it means? |
---|---|
OK | NS records successfully fetched from the parent name server: <Name server>. |
Failed | Unable to fetch the domain's NS records. Last server checked: <Name server>. |
Field | Sample output | What it means? |
---|---|---|
NS server | ns2.google.com | Name server's domain name |
IPv4 | 216.239.34.10 | Name server's IPv4 address |
IPv6 | ? | Name server's IPv6 address |
TTL | 172800 | NS record's Time to Live (TTL) in seconds |
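The walk described above, as an added example that is not part of the original page or the platform's own code: it starts at a root server, follows referrals down the delegation chain and stops at the first server that answers authoritatively, recording the parent server that handed out the final referral (the server named in the OK tag) or the last server reached (the server named in the Failed tag). The "network" is an in-memory referral table; every server name, zone and address in it is constructed for illustration.

```python
# Added example (not from the original page): simulates the iterative walk the
# NS-records check performs, from the root down to the domain's authoritative
# servers. Every server name, zone and address below is constructed.

EXAMPLE_NS = [("ns1.example.com.", "198.51.100.1"),
              ("ns2.example.com.", "203.0.113.1")]

# server name -> {zone it can refer to or serve: [(ns name, address), ...]}
REFERRALS = {
    "a.root-servers.example.": {"com.": [("a.gtld.example.", "192.0.2.10")]},
    "a.gtld.example.": {"example.com.": EXAMPLE_NS},
    "ns1.example.com.": {"example.com.": EXAMPLE_NS},
    "ns2.example.com.": {"example.com.": EXAMPLE_NS},
}
# Servers that hold the zone itself and therefore answer with the AA flag set.
AUTHORITATIVE = {"ns1.example.com.", "ns2.example.com."}


def closest_zone(server, qname):
    """Longest zone known to `server` that encloses qname, or None."""
    best = None
    for zone in REFERRALS.get(server, {}):
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def simulated_query(server, qname):
    """Stand-in for a real NS query. Returns ('auth', ns_list),
    ('referral', zone, ns_list) or ('fail',) when the server knows nothing relevant."""
    zone = closest_zone(server, qname)
    if zone is None:
        return ("fail",)
    ns_list = REFERRALS[server][zone]
    if server in AUTHORITATIVE:
        return ("auth", ns_list)
    return ("referral", zone, ns_list)


def find_ns_records(qname, start="a.root-servers.example.", max_hops=8):
    """Follow referrals from `start` until a server answers authoritatively for qname."""
    server, parent, path = start, None, []
    for _ in range(max_hops):
        path.append(server)
        reply = simulated_query(server, qname)
        if reply[0] == "auth":
            return {"status": "OK", "ns": reply[1], "parent_server": parent, "path": path}
        if reply[0] == "referral":
            # A real checker tries every referred server; this walk follows the first.
            parent, server = server, reply[2][0][0]
            continue
        break  # no referral and no authoritative answer: delegation is broken here
    return {"status": "Failed", "ns": None, "last_server": server, "path": path}
```

`find_ns_records("example.com.")` reaches ns1.example.com. via a.gtld.example., so the OK result names the gTLD server as the parent; `find_ns_records("example.net.")` fails at the root, which is then reported as the last server checked.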
SOA record
Start of Authority (SOA) is a required part of every zone in the domain name system. It carries the zone's management parameters, in particular those that govern zone transfers between the primary and secondary servers. The SOA record is specified in RFC 1035.
Field | Sample output | What it means? |
---|---|---|
Primary name server | ns4.google.com | Primary master for this zone (SOA MNAME). Dynamic updates are sent to this server, and it is excluded from the set of servers that receive NOTIFY messages, since it is the source of the zone. |
Hostmaster (e-mail) | dns-admin.google.com | Email address of the party responsible for this zone. The "@" is replaced with a dot ("."). Dots before the "@" are escaped as "\.". E.g., "john\.doe.example.com" for the email address "john.doe@example.com". |
Serial | 169873387 | Incremented at every zone change; secondaries compare it with their copy to detect updates. Common convention: YYYYMMDDnn, which also hints when the zone was last updated. |
Refresh | 900 | Interval in seconds after which secondary name servers poll the primary's serial number to detect zone changes. A common recommendation for small and stable zones is 43200 (12 hours). |
Retry | 900 | Interval in seconds after which secondary name servers retry the serial-number query if the primary did not respond. It must be less than Refresh. RIPE NCC recommends 7200 (2 hours) for small and stable zones. |
Expire | 1800 | Interval in seconds after which secondary name servers stop answering queries for this zone if the primary has not responded. This value must be bigger than the sum of Refresh and Retry. The recommended setting is 2-4 weeks (1209600 - 2419200). |
Minimum TTL | 60 | Time to Live for negative caching (how long resolvers cache NXDOMAIN/NODATA answers for this zone). RIPE's recommended value for small and stable zones is 172800 (2 days). Originally this field was the minimum TTL for all resource records in the zone, applied to any record without an explicit TTL; RFC 2308 redefined it as the negative-caching TTL. |
Configuration check
Check NS records and the corresponding Name Server's configurations.
Glue check
Check glue on the parent and authoritative name servers.
Glue is an address (A/AAAA) record carried in the additional section of a referral response. Glue is needed when a domain's name servers have hostnames inside the domain itself (in-bailiwick name servers): without it a resolver would have to contact the domain's name servers to learn the addresses of those very name servers.
The glue provided by the parent and authoritative name servers should match.
Glue can be IPv4 or IPv6. At least IPv4 glue should be provided.
Tag | What it means? |
---|---|
Skipped | Glue is not required. |
OK | Glue is required and provided. Glue returned by the authoritative name servers matches the one provided by the parent name servers. |
Failed | Glue is required, but not provided. No IPv4/IPv6 glue found on the authoritative or parent name servers: <list of name servers with missing glue>. |
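One way to implement this check, as an added example (not the platform's own code): decide which delegated name servers are in-bailiwick and therefore require glue, then compare the glue in the parent's referral against the addresses the child zone publishes. The delegation data below is constructed; a real checker would take the parent data from the referral's additional section and the child data from A/AAAA queries to the authoritative servers.

```python
import ipaddress

# Added example (not from the original page). Constructed data: what the parent
# (.com) servers return in their referral for example.com, and what the child's
# own authoritative servers publish for the same names.
ZONE = "example.com."
PARENT_NS = {"ns1.example.com.", "ns2.example.com.", "ns.other.example."}
PARENT_GLUE = {  # additional section of the parent's referral
    "ns1.example.com.": {"192.0.2.1"},
    "ns2.example.com.": {"192.0.2.2", "2001:db8::2"},
}
CHILD_ADDR = {  # A/AAAA records served by the child zone's authoritative servers
    "ns1.example.com.": {"192.0.2.1"},
    "ns2.example.com.": {"192.0.2.9", "2001:db8::2"},  # IPv4 differs from parent glue
    "ns.other.example.": {"198.51.100.7"},
}


def needs_glue(ns_name, zone):
    """Glue is required only for in-bailiwick name servers (names at or below the zone)."""
    return ns_name == zone or ns_name.endswith("." + zone)


def glue_check(zone, parent_ns, parent_glue, child_addr):
    """Return {'status': Skipped|OK|Failed, 'problems': [...]} for one delegation."""
    required = sorted(ns for ns in parent_ns if needs_glue(ns, zone))
    if not required:
        return {"status": "Skipped", "problems": []}
    problems = []
    for ns in required:
        at_parent = parent_glue.get(ns, set())
        at_child = child_addr.get(ns, set())
        if not at_parent and not at_child:
            problems.append(f"{ns}: no glue at parent or child")
            continue
        # At least IPv4 glue must be present at the parent.
        if not any(ipaddress.ip_address(a).version == 4 for a in at_parent):
            problems.append(f"{ns}: no IPv4 glue at parent")
        # Parent glue and child addresses must agree, otherwise resolvers see
        # different addresses depending on which data they cached.
        if at_parent != at_child:
            problems.append(f"{ns}: glue mismatch parent={sorted(at_parent)} "
                            f"child={sorted(at_child)}")
    return {"status": "Failed" if problems else "OK", "problems": problems}
```

With the constructed data the out-of-bailiwick server ns.other.example. is ignored, ns1 passes, and ns2 is reported because its IPv4 glue at the parent differs from the A record the child serves.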
Allow recursive queries
Check if recursive queries are allowed.
Running an authoritative name server as an "open" resolver is a security risk: it answers recursive queries from both inside and outside the network, which exposes its cache to poisoning and lets it be abused in reflection/amplification attacks. An authoritative-only server should not offer recursion, so its responses should not carry the RA (recursion available) flag.
Tag | What it means? |
---|---|
OK | Name servers don't allow recursive queries. |
Failed | The listed name servers allow recursive queries: <Name servers list>. |
Identical NS records
Check if NS records returned by different name servers are identical.
Tag | What it means? |
---|---|
OK | All name servers returned identical NS records. |
Failed | NS records are different on different name servers. |
LAME name servers
Check if all name servers answer authoritatively for the domain's A record.
A name server that is delegated a zone but answers non-authoritatively for it (AA flag not set) is called lame, and the delegation to it is a lame delegation (RFC 1912 section 2.8). Every domain must have at least two name servers that return authoritative answers for the zone.
Tag | What it means? |
---|---|
OK | All name servers provide A record for the domain. |
Failed | Found name servers which don't provide A record for the domain. |
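The two flag-based checks above ("Allow recursive queries" and "LAME name servers") both come down to reading the DNS header, so here is one added example (not the platform's own code) that builds a query on the wire, parses the response header and applies both checks. The responses it is run against are constructed in memory; `probe()` shows the same query against a live server and assumes the caller supplies a server address and query name.

```python
import socket
import struct

# Added example (not from the original page). Header flag bits from RFC 1035.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, qclass=1, txid=0x1234, rd=True):
    """One-question query; RD set means 'please recurse for me'."""
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_response(query, aa, ra, ip, rcode=0):
    """Constructed reply for tests: echoes the question and adds one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | rcode | (AA if aa else 0) | (RA if ra else 0)
    question = query[12:]
    # 0xC00C is a compression pointer back to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) \
        + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}


def recursion_check(response):
    """'Allow recursive queries': an authoritative-only server must not advertise RA."""
    return "Failed" if parse_header(response)["ra"] else "OK"


def lame_check(response):
    """'LAME name servers': the delegated server must answer with AA and NOERROR."""
    h = parse_header(response)
    return "OK" if h["aa"] and h["rcode"] == 0 else "Failed"


def probe(server_ip, name, qtype=1, timeout=3.0):
    """Send one UDP query to a live server; returns the raw response or None."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == q[:2] else None  # ignore mismatched transaction IDs
```

For the recursion check, query a name the server is not authoritative for (a name in an unrelated zone) and inspect RA; an authoritative-only server normally answers with RA clear and no answer (often REFUSED). For the lame check, query the domain's own apex A record at each delegated server and require AA with NOERROR.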
Valid domain names
Check if all name server's domain names are valid.
Tag | What it means? |
---|---|
OK | All name servers have valid domain names. |
Failed | Name servers with invalid domain names found: <List>. |
Stealth name servers
Compare the NS records provided by the authoritative and parent name servers.
Stealth (hidden) name servers are listed in the NS records served by the domain's authoritative name servers, but not in the delegation at the parent (root or TLD) level.
Tag | What it means? |
---|---|
OK | All name servers listed by the authoritative name servers are listed by the parent name servers as well. |
Failed | Found name servers which are listed by the authoritative servers, but not by the parent ones: <List>. |
Missing name servers
Check if name servers present in the parent's delegation are missing from the NS records served by the authoritative name servers.
Tag | What it means? |
---|---|
OK | All name servers listed by the parent are also listed by the authoritative name servers. |
Failed | Found name servers which are listed by the parent, but not by the authoritative name servers: <List>. |
No CNAME in NS records
Check that no NS record points to a CNAME.
RFC 2181 (section 10.3): the name used as the value of an NS record must be a host name that maps directly to one or more address records (A or AAAA) and must not be an alias (CNAME).
RFC 1034 (section 3.6.2): domain names that appear as the data of a resource record, such as the target of an NS record, should point at the canonical name and not at an alias.
Despite this restriction, many deployed configurations use a CNAME as an NS target and still resolve, because most resolvers follow the alias; they remain non-compliant and may fail with stricter resolvers.
Tag | What it means? |
---|---|
OK | No NS records with CNAME found. |
Failed | NS records with CNAME found: <List>. |
Name servers respond
Name servers have A record
Check if A record is set for all the name servers. This is needed to make the name server reachable via IPv4.
Tag | What it means? |
---|---|
OK | All name servers have A record. |
Failed | Name servers with no A record found: <List>. |
Name servers have AAAA record
Check if AAAA record is set for all the name servers. This is needed to make the name server reachable via IPv6.
Tag | What it means? |
---|---|
OK | All name servers have AAAA record. |
Warning | Name servers with no AAAA record found: <List>. |
All name servers responded
Check if all the name servers responded.
Tag | What it means? |
---|---|
OK | All name servers responded. |
Failed | No response from the listed name servers: <List>. |
All IPs are public
Name servers should have public IPs to be reachable over the Internet.
Tag | What it means? |
---|---|
OK | All name server's IPs are public. |
Failed | Name servers with private IPs found: <List>. |
TCP connections allowed
Check if all the name servers are reachable over TCP on port 53. TCP is needed for zone transfers and for any response too large for UDP (the server sets the TC flag and the client retries over TCP), so blocking it breaks resolution of large answers.
Tag | What it means? |
---|---|
OK | All name servers allow TCP connections. |
Failed | Name servers not allowing TCP connections found: <List>. |
Configuration meets best practices
Name servers count
Check that the domain has between 2 and 7 name servers.
RFC 2182 recommends at least three authoritative name servers for most zones.
Tag | Sample output |
---|---|
OK | Domain has 3 name servers. |
Warning | Domain has 1 name server. Recommended to be between 2 and 7. |
Warning | Domain has 9 name servers. Recommended to be between 2 and 7. |
Distributed over multiple networks
Check if the name servers' IPv4 addresses are distributed over different /24 networks.
Redundant name servers only provide fault tolerance if they do not share a failure domain: the point of having several is that if one fails the others keep answering. Running all name servers on the same host or subnet is common practice, but a single host, link or network outage then takes every server down at once, so they should be spread over different networks and, ideally, different geographic locations.
Tag | What it means? |
---|---|
OK | Name servers are distributed over different networks. |
Warning | Some name servers are located in the same network. |
Distributed over multiple ASNs
Check if the name servers' IPv4 addresses are announced from multiple autonomous systems (ASNs).
RFC 2182: name servers should be dispersed (topologically and geographically) across the Internet to avoid a single point of failure; servers within a single AS share that network's routing and outages.
Tag | What it means? |
---|---|
OK | Name servers are distributed over multiple ASNs. |
Warning | Some name servers are located on a single ASN. |
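The three address-based checks in this group ("All IPs are public", "Distributed over multiple networks" and "Distributed over multiple ASNs") share the same input, so here is one added example (not the platform's own code) implementing all three over a constructed name server set. The prefix-to-ASN table is an assumption standing in for a BGP or whois lookup.

```python
import ipaddress
from collections import defaultdict

# Added example (not from the original page). Addresses and the prefix-to-ASN
# table are constructed; a real checker resolves the NS names and looks the
# prefixes up in routing data.
NAME_SERVERS = {
    "ns1.example.com.": "192.0.2.10",
    "ns2.example.com.": "192.0.2.20",      # same /24 as ns1
    "ns3.example.com.": "198.51.100.5",
    "ns4.example.com.": "10.0.0.53",       # RFC 1918, unreachable from the Internet
}
ASN_OF_PREFIX = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64497}

# Ranges that cannot be reached from the public Internet. Listed explicitly rather
# than using ipaddress.is_global, which would also reject the documentation ranges
# (192.0.2.0/24, 198.51.100.0/24) used as sample data above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE if net.version == addr.version)


def public_ip_check(servers):
    """'All IPs are public': list name servers whose address is not routable."""
    private = [ns for ns, ip in sorted(servers.items()) if not is_public(ip)]
    return ("Failed" if private else "OK", private)


def network_diversity_check(servers, prefixlen=24):
    """'Distributed over multiple networks': group IPv4 servers by /24."""
    groups = defaultdict(list)
    for ns, ip in sorted(servers.items()):
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            groups[str(net)].append(ns)
    shared = any(len(members) > 1 for members in groups.values())
    return ("Warning" if shared else "OK", dict(groups))


def asn_for(ip):
    """Longest-prefix-free lookup in the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in ASN_OF_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


def asn_diversity_check(servers):
    """'Distributed over multiple ASNs': Warning unless at least two ASNs are seen."""
    groups = defaultdict(list)
    for ns, ip in sorted(servers.items()):
        groups[asn_for(ip)].append(ns)
    known = [asn for asn in groups if asn is not None]
    return ("OK" if len(known) > 1 else "Warning", dict(groups))
```

On the constructed set, ns4 fails the public-IP check, ns1 and ns2 share 192.0.2.0/24 and therefore trigger the network warning, and the ASN check passes only because ns3 sits in a second AS.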
Versions are hidden
Check that the name servers' software versions are not publicly disclosed (for example via a CHAOS-class TXT query for version.bind). An exposed version string lets an attacker match the server against known vulnerabilities without further probing.
Tag | What it means? |
---|---|
OK | All the name servers' versions are hidden. |
Warning | Version is exposed for the listed name servers: <List>. |
SOA record configuration check
Check SOA record against RFC 1912.
Name servers agreement on serial number
Check if all the name servers report the same serial number.
Different serial numbers may indicate inconsistent configuration (for example several primaries for the same zone) or communication problems between primary and secondaries (ACL or firewall rules blocking NOTIFY or zone transfers).
The SOA records returned by all name servers should be identical.
Tag | What it means? |
---|---|
OK | All name servers have the same serial number: <Value>. |
Failed | Some name servers have different serial numbers: <List>. |
Serial number format
Check if the serial number format meets general convention.
The recommended format is YYYYMMDDnn, where YYYY is a four-digit year number, MM is the month, DD is the day and nn is the sequence number in case the zone file is updated more frequently than once per day.
Tag | What it means? |
---|---|
OK | The serial number format meets the general convention. |
Warning | Although the serial number is valid, it's not following the general convention. |
RNAME
Check if the zone's administrative email (SOA RNAME) is set.
The DNS specification (RFC 1035) defines RNAME as the mailbox of the person or role account responsible for this zone.
RFC 2142 recommends a hostmaster mailbox for this purpose.
Tag | What it means? |
---|---|
OK | Zone's administrative contact email is <Email>. |
Failed | Zone's administrative contact email is not set. |
Refresh
Check if the value is within the recommended range [1200 .. 43200] (20 minutes .. 12 hours).
The Refresh field defines how often secondary servers poll the primary for a new serial number, and therefore how quickly zone changes propagate from primary to secondaries.
Tag | What it means? |
---|---|
OK | The value is within the recommended range. |
Warning | The refresh interval is <Value>. Recommended range is [1200 .. 43200]. |
Retry
Check if the value is within the recommended range [600 .. 3600] (10 minutes .. 1 hour).
The Retry field defines how long a secondary waits before contacting the primary again after a failed refresh attempt.
Tag | What it means? |
---|---|
OK | The value is within the recommended range. |
Warning | The retry interval is <Value>. Recommended range is [600 .. 3600]. |
Expire
Check if the value is within the recommended range [1209600 .. 2419200] (2 weeks .. 4 weeks).
The Expire field defines, in seconds, how long a secondary keeps serving the zone without being able to reach the primary; once this time has passed without a successful refresh, the secondary stops answering queries for the zone.
Tag | What it means? |
---|---|
OK | The value is within the recommended range. |
Warning | The expire interval is <Value>. Recommended range is [1209600 .. 2419200]. |
Minimum TTL
Check if the value is within the recommended range [3600 .. 86400] (1 hour .. 1 day).
Minimum TTL was redefined in RFC 2308: it now sets how long resolvers cache negative responses (NXDOMAIN and NODATA) for names in this zone.
Tag | What it means? |
---|---|
OK | The value is within the recommended range. |
Warning | The minimum TTL is <Value>. Recommended range is [3600 .. 86400]. |
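The SOA checks described under "SOA record configuration check" (serial agreement, serial format, RNAME, and the Refresh/Retry/Expire/Minimum TTL ranges), together with the ordering constraints stated in the SOA record table above (Retry below Refresh, Expire above Refresh plus Retry), as one added example that is not the platform's own code. The ranges are the ones this page states; the SOA values are constructed, and the RNAME decoder handles the "\." escaping described in the SOA table.

```python
import datetime

# Added example (not from the original page). Recommended ranges in seconds,
# as stated in the check descriptions on this page.
RANGES = {
    "refresh": (1200, 43200),
    "retry": (600, 3600),
    "expire": (1209600, 2419200),
    "minimum": (3600, 86400),
}


def rname_to_email(rname):
    """SOA RNAME -> mailbox: the first unescaped dot becomes '@', '\\.' becomes '.'."""
    out, i, seen_at = [], 0, False
    name = rname.rstrip(".")
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name) and name[i + 1] == ".":
            out.append(".")      # escaped dot inside the local part
            i += 2
            continue
        if c == "." and not seen_at:
            out.append("@")      # first real dot separates mailbox from domain
            seen_at = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def serial_format_ok(serial):
    """YYYYMMDDnn: ten digits whose first eight form a valid calendar date."""
    s = str(serial)
    if len(s) != 10 or not s.isdigit():
        return False
    try:
        datetime.date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def check_soa(soa):
    """Return a list of (tag, message) findings for one SOA record (RFC 1035 field names)."""
    findings = []
    if not soa.get("rname"):
        findings.append(("Failed", "zone's administrative contact email is not set"))
    if not serial_format_ok(soa["serial"]):
        findings.append(("Warning", f"serial {soa['serial']} does not follow YYYYMMDDnn"))
    for field, (lo, hi) in RANGES.items():
        if not lo <= soa[field] <= hi:
            findings.append(("Warning", f"{field} is {soa[field]}, recommended range is [{lo} .. {hi}]"))
    # Ordering constraints from the SOA record table on this page.
    if not soa["retry"] < soa["refresh"]:
        findings.append(("Failed", "retry must be less than refresh"))
    if not soa["expire"] > soa["refresh"] + soa["retry"]:
        findings.append(("Failed", "expire must exceed refresh + retry"))
    return findings


def serial_agreement(serials):
    """serials: {name server: serial it reports}. OK only if every server agrees."""
    if len(set(serials.values())) == 1:
        return ("OK", next(iter(serials.values())))
    return ("Failed", dict(sorted(serials.items())))


# Constructed SOA that satisfies every check on this page.
GOOD_SOA = {"mname": "ns1.example.com.", "rname": "hostmaster.example.com.",
            "serial": 2024050101, "refresh": 7200, "retry": 3600,
            "expire": 1209600, "minimum": 3600}
```

Run against the sample values shown in the SOA table above (refresh 900, retry 900, expire 1800, minimum 60, nine-digit serial), `check_soa` reports four range/format warnings plus the two ordering failures, since Retry is not below Refresh and Expire does not exceed their sum.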