DNS Security Analysis

gymshow.ir

Last updated: 5/1/2025, 12:06:48 PM

Security Score

B-

DNS Name Server Configuration

NS Records

PASS

NS records are properly configured.

ns4.parspack.co.
ns3.parspack.co.
ns2.parspack.co.
ns1.parspack.co.

An NS record (or nameserver record) is a DNS record that contains the name of the authoritative name server within a domain or DNS zone. Without these records, your domain won't work because other servers won't know where to look for information. Every domain must have at least one NS record.

Name Servers IPv4 Support

PASS

Found proper A records for IPv4 connectivity on all name servers:

ns4.parspack.co. ==> 142.202.48.132, 195.248.242.89
ns3.parspack.co. ==> 159.69.192.28
ns2.parspack.co. ==> 185.202.113.178, 185.208.172.38
ns1.parspack.co. ==> 195.248.240.221, 195.248.242.94, 185.208.172.38

A records connect your domain names to IPv4 addresses. Without these records, other systems cannot reach your name servers. Each name server must have an A record to be accessible on the internet.

Name Servers IPv6 Support

FAIL

Name servers lack IPv6 support. This only matters if you need IPv6 access:

ns4.parspack.co. ==> ?
ns3.parspack.co. ==> ?
ns2.parspack.co. ==> ?
ns1.parspack.co. ==> ?

AAAA records enable IPv6 connectivity. This is optional but recommended for future-proofing your domain as more networks move to IPv6.

Recursive Queries

ERROR

Could not complete this test due to connection issues.

142.202.48.132 ==> Timeout exceeded
195.248.242.89 ==> Recursive search is disabled. flags: 1000010100000000
159.69.192.28 ==> Recursive search is disabled. flags: 1000010100000000
185.202.113.178 ==> Recursive search is disabled. flags: 1000010100000000
185.208.172.38 ==> Recursive search is disabled. flags: 1000010100000000
195.248.240.221 ==> Recursive search is disabled. flags: 1000010100000000
195.248.242.94 ==> Recursive search is disabled. flags: 1000010100000000
185.208.172.38 ==> Recursive search is disabled. flags: 1000010100000000

Recursive queries let a DNS server resolve names in other domains on behalf of users. If this feature is enabled for external users, attackers can exploit your server for DDoS attacks or cache poisoning. To increase security, it is recommended to disable recursive queries for external users.

Public IP Usage

PASS

Name servers use public IP addresses as required for internet access.

This check determines whether name servers use public or private IP addresses. If a private IP address (such as 192.168.x.x or 10.x.x.x) is used, the server will not be accessible from the internet. According to RFC 1918, private addresses are not suitable for public services.

Name Server Count

PASS

Number of nameservers is within the recommended range of 2 to 8.

There are 4 name servers.

This check evaluates the number of DNS servers that manage the domain. Too few servers reduce domain stability, while too many may cause synchronization problems. According to RFC 2182, for optimal performance, a domain should have at least 2 and at most 8 name servers.

Zone Transfer

ERROR

Could not complete this test due to connection issues.

142.202.48.132 ==> Request Timeout
195.248.242.89 ==> Server refused zone transfer
159.69.192.28 ==> Server refused zone transfer
185.202.113.178 ==> Server refused zone transfer
185.208.172.38 ==> Request Timeout
195.248.240.221 ==> Request Timeout
195.248.242.94 ==> Request Timeout
185.208.172.38 ==> Server refused zone transfer

A zone transfer allows other servers to copy all of your DNS records. If it is not properly restricted, attackers can extract all your DNS information by performing a zone transfer and misuse it. It's best to enable this feature only for authorized servers.

DNS Security Extension (DNSSEC)

FAIL

DNSSEC is not enabled. Enabling it would protect against DNS spoofing.

DS Record: No DS record found in parent zone
DNSKEY Record: No DNSKEY records found
RRSIG Records: No RRSIG records found for SOA
DNSSEC is not set up for this domain

DNSSEC uses cryptographic signatures to verify the authenticity of DNS data. This feature prevents DNS response forgery and keeps users from being directed to fake websites. According to RFC 4033, DNSSEC is an important security standard for protecting DNS information.

TXT Record

PASS

TXT records have been published.

google-site-verification=Bv31i0boT8bPjwJdDKIUJSlYyB9nFoqlh8oEm-9Ync4
v=spf1 a:mailgw-g.getway.biz mx a:mailgw.getway.biz a:mailgw2.getway.biz ip4:171.22.26.8 -all

TXT records in DNS are used to store arbitrary text information related to a domain. These records are typically used for domain ownership verification purposes (such as Google Search Console or SPF records) and email authentication (such as DKIM or DMARC). Ensuring that your domain's TXT records are set up correctly helps improve security and validates your domain's identity. TXT records can also be used to store miscellaneous information like security policies or ownership proof for various services.

Email Server Configuration

Mail Exchange Records (MX)

PASS

Found required MX records for mail delivery:

mail.gymshow.ir.

This record specifies which servers are responsible for receiving emails for your domain. Without an MX record, receiving email for the domain is not possible. According to RFC 5321, each domain must have at least one valid MX record.

Email Servers IPv4 Support

PASS

All mail servers have required A records for IPv4 connectivity:

mail.gymshow.ir. ==> 146.19.212.135

An A record specifies the IPv4 address of the email server. Without it, other servers cannot connect to your email server via IPv4, which may cause problems with sending and receiving email. Each server defined in the MX record should have at least one A record.

Email Servers IPv6 Support

FAIL

Mail servers lack IPv6 support. This only matters if you need IPv6 access:

mail.gymshow.ir. ==> ?

AAAA records let your mail servers receive email over IPv6. This is optional but helps future-proof your email setup.

Public IP Usage

PASS

Mail servers use public IP addresses, which is essential for correct email delivery.

This verifies mail servers use public IP addresses. Private IPs prevent external email delivery. RFC 1918 defines which IPs are private and unsuitable for internet mail servers.

Reverse DNS Records

FAIL

Some or all mail servers have misconfigured reverse DNS entries, which may impact email delivery.

mail.gymshow.ir. ==> 146.19.212.135 ==> ? ==> ?

PTR records provide reverse DNS lookup for mail server IPs. Many email providers reject messages from servers without valid PTR records. RFC 1912 requires PTR records for each mail server IP.

SPF (Sender Policy Framework) Record

FAIL

The SPF record is missing or misconfigured, making your domain vulnerable to email spoofing.

SPF record missing

SPF records list authorized email senders for your domain. This prevents others from sending fake emails from your domain. RFC 7208 defines SPF as a standard email authentication method.

Domain Authority Records (SOA)

Start of Authority Record (SOA)

PASS

The SOA record is set up and contains the information needed for domain management, server synchronization, and DNS update control.

serial: 202502162
rname: postmaster\@gymshow.ir.
refresh: 10800
expire: 604800
minimum: 3600
retry: 7200
mname: ns1.parspack.co.

The SOA record contains core information about your DNS zone. It defines the primary name server, contact email, and update parameters. RFC 1035 requires every DNS zone to have exactly one SOA record.

Domain Administrator Contact

PASS

The administrator email is set in the SOA record, which is essential for zone management and receiving important notifications.

Contact email for DNS problems is 'postmaster\@gymshow@ir.' (postmaster\@gymshow.ir.)

The RNAME field in the SOA record specifies the domain administrator's email. This contact is used for technical issues with your domain. RFC 2142 recommends using the hostmaster@{domain.com} format.

SOA Serial Numbers Match

ERROR

Could not complete this test due to connection issues.

master SOA serial ==> 202502162
142.202.48.132 ==> Timeout exceeded
195.248.242.89 ==> 202502162
159.69.192.28 ==> 202502162
185.202.113.178 ==> 202502162
185.208.172.38 ==> 202502162
195.248.240.221 ==> 202502162
195.248.242.94 ==> 202502162
185.208.172.38 ==> 202502162

The serial number tracks DNS zone updates. Different serial numbers indicate servers have inconsistent information. RFC 1912 requires serial numbers to increment with each zone change.