DNS Security Analysis

quera.org

Last updated: 3/18/2025, 11:00:39 AM

Security Score

A-

DNS Name Server Configuration

NS Records

PASS

NS records are properly configured.

k.ns.arvancdn.ir.
q.ns.arvancdn.ir.

An NS record (or nameserver record) is a DNS record that contains the name of the authoritative name server within a domain or DNS zone. Without these records, your domain won't work because other servers won't know where to look for information. Every domain must have at least one NS record.

Name Servers IPv4 Support

PASS

Found proper A records for IPv4 connectivity on all name servers:

k.ns.arvancdn.ir. ==> 185.143.232.253
q.ns.arvancdn.ir. ==> 185.143.235.253

A records connect your domain names to IPv4 addresses. Without these records, other systems cannot reach your name servers. Each name server must have an A record to be accessible on the internet.

Name Servers IPv6 Support

FAIL

Name servers lack IPv6 support. This only matters if you need IPv6 access:

k.ns.arvancdn.ir. ==> ?
q.ns.arvancdn.ir. ==> ?

AAAA records enable IPv6 connectivity. This is optional but recommended for future-proofing your domain as more networks move to IPv6.

Recursive Queries

PASS

Name servers are configured to prevent recursive queries, improving security.

185.143.232.253 ==> Recursive search is disabled. flags: 1000010100000000
185.143.235.253 ==> Recursive search is disabled. flags: 1000010100000000

Recursive queries allow DNS servers to look up other domains on behalf of anyone who asks. If enabled, attackers can use your servers for denial of service attacks or cache poisoning. Best practice is to disable recursive queries for external users.

Public IP Usage

PASS

Name servers use public IP addresses as required for internet access.

This check verifies if name servers use public IP addresses. Using private IPs (like 192.168.x.x or 10.x.x.x) will make your servers unreachable from the internet. RFC 1918 defines which IPs are private and shouldn't be used for public services.

Name Server Count

PASS

Number of nameservers is within the recommended range of 2 to 8.

There are 2 name servers.

This verifies the number of name servers hosting your domain. Having too few creates reliability risks, while too many cause synchronization problems. RFC 2182 recommends having at least 2 name servers, with a maximum of 8 for optimal operation.

Zone Transfer

PASS

Zone transfers are disabled, keeping your DNS data secure.

185.143.232.253 ==> Server refused zone transfer
185.143.235.253 ==> Server refused zone transfer

Zone transfers let other servers copy all your DNS records. This should be restricted to prevent attackers from getting a complete map of your network.

DNS Security Extension (DNSSEC)

FAIL

DNSSEC is not enabled. Enabling it would protect against DNS spoofing.

DS Record: No DS record found in parent zone
DNSKEY Record: No DNSKEY records found
RRSIG Records: No RRSIG records found for SOA
DNSSEC is not set up for this domain

DNSSEC adds cryptographic signatures to DNS records. This prevents attackers from forging DNS responses and redirecting traffic. RFC 4033 defines DNSSEC as a security standard for DNS.

TXT Records

PASS

Found TXT records.

google-site-verification=Xh0wQPJEmP5AeO4BS_D1kEQzEu1lZZqxWq31C63bG9I
v=spf1 include:mailgun.org include:zoho.com include:spf.postal.quera.org -all
google-site-verification=KxFlV1Q4x2zBFq_zFRkr2mb4EYmz7vBCv_KAvRfhdfk
zoho-verification=zb83519331.zmverify.zoho.com

TXT records are used to store arbitrary text data associated with a domain. These are often used for domain verification purposes (e.g., for Google Search Console or SPF records) and email authentication (e.g., DKIM or DMARC). Ensuring the correct TXT records are set up for your domain helps improve security and validation of your domain's identity.

Email Server Configuration

Mail Exchange Records (MX)

PASS

Found required MX records for mail delivery:

mx.zoho.com.
mx3.zoho.com.
mx2.zoho.com.

MX records specify which servers handle email for your domain. Without valid MX records, no one can send email to your domain. RFC 5321 requires at least one MX record for email delivery.

Email Servers IPv4 Support

PASS

All mail servers have required A records for IPv4 connectivity:

mx.zoho.com. ==> 204.141.43.44, 204.141.33.44
mx3.zoho.com. ==> 204.141.43.44
mx2.zoho.com. ==> 204.141.33.44

A records are essential for connecting mail servers to IPv4 addresses. Without these records, email delivery will fail, as other servers won’t be able to locate your mail server. Ensure that each mail server listed in your MX records has a corresponding A record to enable proper communication and delivery.

Email Servers IPv6 Support

FAIL

Mail servers lack IPv6 support. This only matters if you need IPv6 access:

mx.zoho.com. ==> ?
mx3.zoho.com. ==> ?
mx2.zoho.com. ==> ?

AAAA records let your mail servers receive email over IPv6. This is optional but helps future-proof your email setup.

Public IP Usage

PASS

Mail servers use public IP addresses as required for email delivery.

This verifies mail servers use public IP addresses. Private IPs prevent external email delivery. RFC 1918 defines which IPs are private and unsuitable for internet mail servers.

Reverse DNS Records

FAIL

Some mail servers have incorrect reverse DNS entries, affecting email delivery.

PTR records provide reverse DNS lookup for mail server IPs. Many email providers reject messages from servers without valid PTR records. RFC 1912 requires PTR records for each mail server IP.

SPF (Sender Policy Framework) Record

PASS

An SPF record is present and properly configured to mitigate email spoofing.

SPF record:
v=spf1 include:mailgun.org include:zoho.com include:spf.postal.quera.org -all

SPF records list authorized email senders for your domain. This prevents others from sending fake emails from your domain. RFC 7208 defines SPF as a standard email authentication method.

Domain Authority Records (SOA)

Start of Authority Record (SOA)

PASS

The SOA record exists and contains the required domain information.

serial: 1740701448
rname: hostmaster.arvancloud.ir.
refresh: 86400
expire: 604800
minimum: 7200
retry: 7200
mname: k.ns.arvancdn.ir.

The SOA record contains core information about your DNS zone. It defines the primary name server, contact email, and update parameters. RFC 1035 requires every DNS zone to have exactly one SOA record.

Domain Administrator Contact

PASS

An administrator contact email exists in the SOA record for zone management.

Contact email for DNS problems is 'hostmaster@arvancloud.ir.' (hostmaster.arvancloud.ir.)

The RNAME field in the SOA record specifies the domain administrator's email. This contact is used for technical issues with your domain. RFC 2142 recommends using the hostmaster@{domain.com} format.

SOA Serial Numbers Match

PASS

Name servers are properly synchronized, with matching serial numbers.

master SOA serial ==> 1740701448
185.143.232.253 ==> 1740701448
185.143.235.253 ==> 1740701448

The serial number tracks DNS zone updates. Different serial numbers indicate servers have inconsistent information. RFC 1912 requires serial numbers to increment with each zone change.