DNS Health Report
Company: Example, Inc.
Grade: B (Good)
Scan Date: October 05, 2017
Description: The DNS Health report is generated from 40+ control items collected from online services such as IntoDNS, Robtex, Netcraft and HackerTarget. Because DNS resolution is recursive and most queries are answered by intermediate resolvers rather than by your own servers, an attacker's reconnaissance leaves almost no footprint in the authoritative servers' logs; misconfigurations therefore have to be found by actively checking the published data, which is what these controls do.
This report category has a 6% weight in the total scan score.

DNS Control List Overview

Number of finding(s) per status:

#        Asset         Passed   Info   Warning   Failed
204045   example.com   34       11     8         1

DNS Control List for example.com (54 controls)

example.com DNS Map
Category Finding Status

NS Tests

DNS Name Servers are on Different Subnets High

RFC 2182 section 3.1 states that name servers should be placed in geographically and topologically dispersed locations so that no single failure takes all of them offline.
Name servers are on the same subnet: 192.168.16.x
When all name servers share one subnet, a single routing, link or firewall fault in that subnet disables every one of them at once, and the domain stops resolving as soon as resolver caches expire.
Failed

DNS DNSSEC Record Medium

DNSSEC adds digital signatures to zone data so that validating resolvers can detect forged or altered responses (for example cache poisoning). Major institutions and government agencies have been moving to DNSSEC; for more information see RFC 4033 (architecture) and RFC 4641 (operational practices, since superseded by RFC 6781).
No DNSSEC records found.
Warning

DNS Your Nameservers Glue Records Low

This is not a serious error, but it can cost resolvers an extra A lookup, which adds latency to the first connection to your site. See the 'DNS NS Records from Your Nameservers' section. Note that your name servers are named under state.example.org, a different zone from example.com, so your own servers cannot normally supply glue for them; in that layout this warning is expected.
Your (local) name servers are not sending out glue (A records in the additional section) for the name servers.
Warning

DNS Whois Registry Lock

Your Whois record does not show these EPP status codes:
serverTransferProhibited
serverUpdateProhibited
serverDeleteProhibited

Mitigation

The server* status codes are set by the registry, not the registrar, and together they constitute a registry lock: transfer, update and delete requests are rejected at the registry even if the registrar account is compromised. Ask your registrar whether a registry lock service is available for the domain and enable it; these codes cannot be "corrected" by editing the Whois data.
Warning

DNS Whois Registrar Lock

Your Whois record does not show these EPP status codes:
clientUpdateProhibited
clientDeleteProhibited
clientTransferProhibited

Mitigation

The client* status codes are set by the registrar (usually offered as "domain lock" or "transfer lock" in the registrar's control panel). Enable the lock so that transfer, update and delete requests are refused until it is explicitly removed; this is the first line of defence against domain hijacking.
Warning

DNS NS Records from Your Nameservers

NS records returned by your own (local) name servers:
lion.state.example.org [192.168.16.131] [NO GLUE] [TTL=86400]
puma.state.example.org [192.168.16.99] [NO GLUE] [TTL=86400]
This information was kindly provided by lion.state.example.org
Passed

DNS Same Glue Record

If the glue records differ, look at the name servers causing the differences and also check the 'DNS NS Records from Your Nameservers', 'DNS Parent Servers NS Record Lists', 'DNS Local Parent Mismatch' and 'Stealth Nameservers' sections.
The glue records from the parent and from your (local) name servers are the same.
Info

DNS A Records of Nameservers

Check out the 'DNS NS Records from Your Nameservers' section.
Your name servers (as listed by the local server) have A records.
Passed

DNS Domain A Record

Check the domain's A records.
A records found for example.com:
10.241.205.31
192.168.32.19
Passed

DNS Name of Nameservers are Valid

A name server name must be a valid host name, not a partial name or an IP address.
All names are valid.
Passed

DNS Check All Nameservers Respond

All name servers respond to DNS requests.
Passed

DNS Same NS Records at Each Local Nameserver

Name servers that do not respond to DNS requests are not evaluated in this section; see the 'DNS Check All Nameservers Respond' section.
All your local name servers return identical NS records for your domain.
Passed

DNS No Servers Responding

At least one name server responded.
Passed

DNS Local Parent Mismatch

Local NS lists match parent NS lists:
lion.state.example.org reported by both parent and local
puma.state.example.org reported by both parent and local
Passed

DNS At Least Two Servers

RFC 1034 requires every zone to be available on at least two name servers, and RFC 2182 section 5 recommends three, with at least one well removed from the others. Two name servers satisfy the minimum.
At least two name servers were found.
Passed

DNS All Servers Authoritative

RFC 1034 describes what name servers are and defines what authority means. Name servers that do not respond to DNS requests are not evaluated in this section; see the 'DNS Check All Nameservers Respond' section.
All of the name servers answer authoritatively for the zone.
Passed

DNS Domain CNAME Record

RFC 2181 section 10.3 says that the host name used in an NS or MX record must map directly to one or more address records and must not be an alias (CNAME). RFC 1034 section 3.6.2 says that a name appearing on the right-hand side of a resource record should be the canonical name rather than an alias, so CNAMEs should not be used as NS or MX targets. Despite these restrictions, many working configurations use CNAMEs with NS and MX records.
No CNAME records are present for example.com.
Passed

DNS Nameservers CNAME Record

RFC 2181 section 10.3 says that the host name used in an NS or MX record must map directly to one or more address records and must not be an alias (CNAME). RFC 1034 section 3.6.2 says that a name appearing on the right-hand side of a resource record should be the canonical name rather than an alias, so CNAMEs should not be used as NS or MX targets. Despite these restrictions, many working configurations use CNAMEs with NS and MX records.
No CNAME records are present for nameservers
Passed

DNS Name Servers Have Public IP Addresses

This issue can commonly occur if you have internal DNS name servers with Private IP Addresses that your employees use and those Private IP Addresses are accidentally published in your zone file.
Name Servers have Public IP Addresses
Passed

DNS Open Recursive Name Server

A name server that answers recursive queries for names outside its own zones acts as a public resolver: anyone on the Internet can use it, it can be abused as a reflector in amplification attacks, and its cache becomes a target for poisoning. Authoritative servers should refuse recursion, or restrict it to internal clients.
No open recursive name server detected.
Passed

DNS Nameserver Allow TCP Connections

A response that does not fit in a UDP message (classically 512 bytes, larger with EDNS(0)) is returned truncated and the client retries over TCP, and zone transfers run over TCP only, so every name server must accept TCP connections on port 53 (RFC 7766 makes TCP support mandatory). Name servers that do not respond to DNS requests are not evaluated in this section; see the 'DNS Check All Nameservers Respond' section.
All name servers accept TCP connections.
Info

DNS Stealth NS Records

Every name server returned by the domain's own name servers should also be listed at the parent servers; a server missing from the parent list is a 'stealth' server that only some resolvers will ever find.
No stealth NS records.
Passed

DNS Zone Transfer

An open zone transfer (AXFR) lets an attacker download the complete zone, i.e. every host name and record of the domain, with a single query, so it is treated as a serious exposure. AXFR should be restricted to the addresses of your secondary servers and, ideally, authenticated with TSIG.
No open zone transfer.
Passed
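The two controls above ('DNS Open Recursive Name Server' and 'DNS Zone Transfer') are simple to reproduce by hand. The following Python script is an added example, not NormShield's own code or output: it builds DNS queries on the wire with the standard library only, decides from the response header and first answer record whether a server recursed for an out-of-zone name (RD=1 query, RA set, AA clear, NOERROR, non-empty answer) and whether an AXFR was accepted (NOERROR with an SOA as the first answer). The function names, the probe name example.net and the sample responses at the bottom are this example's own constructions; the sample bytes are hand-built so the classification runs offline, while probe_recursion() and probe_axfr() perform the live checks against a server you name.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name: str) -> bytes:
    # 'example.com' -> 07 'example' 03 'com' 00 (uncompressed wire-format name)
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: str, rd: bool, txid: int = 0x1234) -> bytes:
    """12-byte header plus one question; RD=1 asks the server to recurse for us."""
    flags = 0x0100 if rd else 0x0000                       # bit 8 = RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)

def parse_header(msg: bytes) -> dict:
    """Decode the header flags and section counts of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
            "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                          # 2-byte pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def first_answer_type(msg: bytes):
    """RR type of the first record in the answer section, or None if it is empty."""
    h = parse_header(msg)
    if h["ancount"] == 0:
        return None
    off = 12
    for _ in range(h["qdcount"]):                          # question: name + type + class
        off = skip_name(msg, off) + 4
    off = skip_name(msg, off)                              # owner name of the first answer
    return struct.unpack("!H", msg[off:off + 2])[0]

def is_open_recursive(resp: bytes) -> bool:
    """Response to an RD=1 query for a name OUTSIDE the server's zones: a
    non-authoritative NOERROR answer with RA set means it resolved it for us."""
    h = parse_header(resp)
    return (h["ra"] == 1 and h["aa"] == 0 and h["rcode"] == RCODE_NOERROR
            and h["ancount"] > 0)

def axfr_allowed(resp: bytes) -> bool:
    """An accepted AXFR starts with the zone's SOA; REFUSED or an empty answer
    means the transfer was denied."""
    h = parse_header(resp)
    return h["rcode"] == RCODE_NOERROR and first_answer_type(resp) == QTYPE["SOA"]

def probe_recursion(ns_ip: str, probe_name: str = "example.net", timeout: float = 3.0) -> bool:
    """Live check over UDP against a real server (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(probe_name, "A", rd=True), (ns_ip, 53))
        return is_open_recursive(s.recv(4096))

def probe_axfr(ns_ip: str, zone: str, timeout: float = 5.0) -> bool:
    """Live check: AXFR is TCP-only and uses a 2-byte length prefix (RFC 1035 4.2.2)."""
    q = build_query(zone, "AXFR", rd=False)
    with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", s.recv(2))[0]
        return axfr_allowed(s.recv(length))

def fake_response(query: bytes, flags: int, answer: bytes = b"", ancount: int = 0) -> bytes:
    """Constructed test data only: echo the question back under chosen header flags."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:] + answer

# Constructed sample responses (hand-built, not captured from any real server).
_REC_Q = build_query("example.net", "A", rd=True)
_A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
OPEN_RESOLVER_RESPONSE = fake_response(_REC_Q, 0x8180, _A_RR, 1)    # QR RD RA, NOERROR
REFUSED_RESPONSE = fake_response(_REC_Q, 0x8105)                      # QR RD, REFUSED

_AXFR_Q = build_query("example.com", "AXFR", rd=False)
_SOA_RDATA = (encode_name("lion.state.example.org") + encode_name("dns-admin.state.example.org")
              + struct.pack("!IIIII", 521320179, 3600, 300, 432000, 60))
_SOA_RR = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 86400, len(_SOA_RDATA)) + _SOA_RDATA
AXFR_OPEN_RESPONSE = fake_response(_AXFR_Q, 0x8400, _SOA_RR, 1)       # QR AA, NOERROR
AXFR_REFUSED_RESPONSE = fake_response(_AXFR_Q, 0x8005)                 # QR, REFUSED
```

Run probe_recursion("192.0.2.1") or probe_axfr("192.0.2.1", "example.com") with the address of one of your own name servers to repeat the checks live; for a correctly configured authoritative server both return False. The recursion test deliberately asks for a name the server is not authoritative for, because an authoritative answer for its own zone says nothing about recursion, and it treats REFUSED or a bare referral as "closed".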

DNS Server Supports to Query . Zone

A query for the root zone ('.') returned an empty result from the name servers. A server that answers such queries with a large referral (the root NS set and its addresses) can be used as a reflector in DNS amplification attacks, so an empty answer is the desired behaviour.
Passed

DNS Domain Name Record Owner Mail

The domain was not registered with a company e-mail address.

Mitigation

The registrant and administrative contacts in the Whois record should use a mailbox controlled by the organisation, so that renewal, transfer and verification notices reach the organisation rather than an individual.
Warning

DNS Registrar Company Overall Score

Registrar Company: (not identified)    Score: --
Info

DNS NameServers Open Ports Control

No open ports found on the name servers.
Info

SOA Tests

DNS SOA Expire Value

This value determines how long a secondary server may keep serving the zone after it loses contact with the primary before the data is no longer considered authoritative. If it is too low, the secondaries stop answering authoritatively too soon during a primary outage; if it is too high, a secondary cut off from the primary by a network problem (e.g. a firewall rule) keeps answering with stale data for a long time, which makes the fault hard to diagnose.
SOA Expire value is out of the recommended range (604800 - 1209600 seconds, i.e. 1 - 2 weeks): 432000 (5 days)

Mitigation

See RFC 1912 section 2.2.
Warning

DNS SOA Minimum TTL(NXDOMAIN) Value

This field originally served as the default TTL for records without an explicit TTL; since RFC 2308 it sets the negative-caching TTL, i.e. how long a resolver may cache an NXDOMAIN or NODATA answer for the zone. RFC 2308 suggests 1 - 3 hours. A very low value such as 60 seconds means resolvers re-ask for non-existent names every minute, which raises the query load on the authoritative servers.
SOA Minimum TTL value is out of the recommended range (3600 - 86400 seconds): 60

Mitigation

See RFC 2308.
Warning

DNS SOA Record

Start of Authority (SOA) record
Primary Nameserver: lion.state.example.org
Hostmaster (e-mail): dns-admin.state.example.org. (SOA RNAME form of dns-admin@state.example.org; the first dot stands for '@')
Serial: 521320179
Refresh: 3600 (1 hour)
Retry: 300 (5 minutes)
Expire: 432000 (5 days)
Minimum TTL: 60 (1 minute)
Passed

DNS SOA Serial Numbers Match

Name servers that do not respond to DNS requests are not evaluated in this section; see the 'DNS Check All Nameservers Respond' section. Matching serials show that the secondaries hold the same version of the zone as the primary.
All name servers return the same SOA serial number:
521320179
Passed

DNS Primary Server Listed At Parent

Primary Name Server Listed At Parent : lion.state.example.org
Passed

DNS SOA Serial Number Format

SOA serial number 521320179 does not follow the YYYYmmddnn date convention (RFC 1912 section 2.2). This is informational: any serial that increases with every zone change is valid, but a date-based serial makes it easy to see when the zone was last modified.
Info

DNS SOA Refresh Value

SOA Refresh value is within the recommended range (20 minutes to 12 hours, i.e. 1200 - 43200 seconds): 3600
Passed

DNS SOA Retry Value

SOA Retry value is within the recommended range (120 - 7200 seconds): 300
Passed
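The SOA controls above (Expire, Minimum TTL, Serial Number Format, Refresh and Retry) all reduce to comparing the fields of one SOA record against fixed ranges. The following Python script is an added example, not NormShield's code: it encodes the ranges exactly as the report states them, decodes the RNAME mailbox, checks the YYYYmmddnn serial convention by actually parsing the date part, and runs everything over the SOA values from this report. The dataclass, the function names and the two cross-field sanity rules in sanity_checks() are this example's own additions, not rules taken from the report.

```python
from dataclasses import dataclass
from datetime import datetime

# Recommended ranges in seconds, exactly as the report states them
# (RFC 1912 section 2.2 for the timers, RFC 2308 for the negative-cache TTL).
RECOMMENDED = {
    "refresh": (1200, 43200),       # 20 minutes to 12 hours
    "retry": (120, 7200),
    "expire": (604800, 1209600),    # 1 to 2 weeks
    "minimum": (3600, 86400),       # negative-caching TTL
}


@dataclass
class SOA:
    mname: str       # primary name server
    rname: str       # hostmaster mailbox in RNAME form
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def rname_to_email(rname: str) -> str:
    """SOA RNAME encodes the mailbox with the first '.' standing in for '@'."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def serial_is_date_format(serial: int) -> bool:
    """YYYYmmddnn convention: ten digits whose first eight form a real date."""
    digits = str(serial)
    if len(digits) != 10:
        return False
    try:
        datetime.strptime(digits[:8], "%Y%m%d")
    except ValueError:
        return False
    return True


def check_timers(soa: SOA) -> dict:
    """Map each timer to (value, 'ok' | 'out of range') against RECOMMENDED."""
    results = {}
    for field, (low, high) in RECOMMENDED.items():
        value = getattr(soa, field)
        results[field] = (value, "ok" if low <= value <= high else "out of range")
    return results


def sanity_checks(soa: SOA) -> list:
    """Cross-field rules (this example's own, not from the report): a retry
    interval longer than refresh is pointless, and a zone whose expire timer is
    shorter than refresh is discarded by secondaries before they even re-poll."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry should be shorter than refresh")
    if soa.expire <= soa.refresh:
        problems.append("expire should be much longer than refresh")
    return problems


# The SOA values shown in the report.
REPORT_SOA = SOA("lion.state.example.org", "dns-admin.state.example.org.",
                 521320179, 3600, 300, 432000, 60)


def report_findings(soa: SOA = REPORT_SOA) -> list:
    """Human-readable findings in the report's own style."""
    findings = [f"SOA {field} value {value} is {status}"
                for field, (value, status) in check_timers(soa).items()]
    if not serial_is_date_format(soa.serial):
        findings.append(f"serial {soa.serial} is not in YYYYmmddnn format (Info)")
    findings.extend(sanity_checks(soa))
    findings.append(f"hostmaster: {rname_to_email(soa.rname)}")
    return findings
```

Running report_findings() reproduces the report's verdicts: expire (432000) and minimum (60) are flagged as out of range, refresh and retry pass, and the nine-digit serial fails the date-format check. Note that the date check rejects serials such as 2017139901 (month 13) rather than only counting digits.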

MX Tests

DNS Number of MX Records

A single MX record is a single point of failure: if that server is down for longer than sending servers are willing to keep retrying, incoming mail bounces and is lost. Consider adding a second MX host with a lower priority.
Only one MX record was found at your name servers.
Warning

DNS MX Records

Your MX records:
10 smtp1.state.example.org. [159.121.86.220]
Passed

DNS All Nameservers MX Records

Name servers that do not respond to DNS requests are not evaluated in this section; see the 'DNS Check All Nameservers Respond' section.
All name servers return the same MX records. The MX set must be identical on every name server; if it differs, some senders will deliver to the wrong host or fail to deliver at all.
Passed

DNS All MX Records Name Validity

All names are valid. MX name should be a valid host name, no partial name or IP address.
Passed

DNS MX Records Have Public IP Addresses

A private IP address should normally not be exposed in the mail servers, since it's not reachable from the Internet.
No private IPs found.
Passed

DNS MX CNAME Record

RFC 2181 section 10.3 says that the host name used in an NS or MX record must map directly to one or more address records and must not be an alias (CNAME). RFC 1034 section 3.6.2 says that a name appearing on the right-hand side of a resource record should be the canonical name rather than an alias, so CNAMEs should not be used as NS or MX targets. Despite these restrictions, many working configurations use CNAMEs with NS (and MX) records.
Querying your MX records did not return a CNAME record.
Passed

DNS Duplicate MX A Records

No duplicate IP addresses found for your MX record
Info

DNS Reverse MX A Records (PTR)

Every mail server should have a reverse DNS (PTR) entry for each of its IP addresses (RFC 1912), and the name that PTR returns should resolve back to the same address (IP -> PTR -> IP, "forward-confirmed reverse DNS"). Many receiving mail servers reject, or mark as spam, mail from IPs with missing or inconsistent reverse DNS.
All your MX IP addresses have reverse DNS entries:
159.121.86.220 -> smtp1.state.example.org
Passed

Parent Servers Tests

DNS Parent Servers NS Record Lists

Nameserver records returned by the parent server
lion.state.example.org [192.168.16.131] [NO GLUE] [TTL=86400]
puma.state.example.org [192.168.16.99] [NO GLUE] [TTL=86400]
This information was kindly provided by b.gov-servers.net
Info

DNS NS Records Listed Parent Servers

This is a must if you want to be found as anyone that doesn't know your DNS servers will first ask the parent nameservers.
The parent server b.gov-servers.net has your nameservers listed. 
Passed

DNS Parent Servers Sent Glue

Parent servers are only expected to send glue when the name servers are named within the delegated domain itself; otherwise their addresses are found by a normal lookup. See the 'DNS NS Records Listed Parent Servers' section.
The TLD of your name servers (example.org) differs from that of your domain (gov), so the parent server b.gov-servers.net is not required to send glue for the name servers.
Passed

DNS A Records of Nameservers(From the parent server)

Check out the 'DNS NS Records Listed Parent Servers' section.
All name servers (as listed by the parent server) have A records.
Passed

WWW Tests

DNS WWW Records

WWW record found: www.example.com -> or-prd-moss.example-gl.com. (CNAME) -> 63.241.205.31
Passed

DNS WWW IPs are Public

WWW A records have Public IP Addresses
Passed

DNS WWW CNAME Record

You have a CNAME record for www.example.com. The response to the CNAME lookup also carries the A record of the target, so clients need no second lookup, which is good.
Passed

Other Tests

DNS HINFO Record

An HINFO record describes the hardware and operating system of a host. Publishing it hands attackers reconnaissance data for free, so its absence is the desired result.
HINFO record not found
Info

DNS NSEC Record

NSEC record not found (expected: NSEC records exist only in DNSSEC-signed zones, and no DNSSEC records were found for this zone; see the 'DNS DNSSEC Record' control above)
Info

DNS TXT Record

TXT record found
"v=spf1 a:mail1.state.example.org a:mail2.state.example.org a:mail3.state.example.org a:mail4.state.example.org a:mail5.state.example.org ip4:198.177.17.224/30 -all"
"MS=ms13446976"
Info
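The first TXT record above is the domain's SPF policy, and the report only notes that it exists. Two things a practitioner checks next are the terminal 'all' qualifier (here -all, a hard fail for unlisted senders) and the RFC 7208 section 4.6.4 limit of ten DNS-lookup terms, beyond which receivers return permerror and the policy silently stops protecting the domain. The following Python script is an added example, not NormShield's code: it parses the record from the report into directives and applies both checks; the function names and the extra sample records in the tests are this example's own.

```python
import re

# The SPF record from the report's 'DNS TXT Record' control.
SPF_RECORD = ("v=spf1 a:mail1.state.example.org a:mail2.state.example.org "
              "a:mail3.state.example.org a:mail4.state.example.org "
              "a:mail5.state.example.org ip4:198.177.17.224/30 -all")

LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}   # each costs a DNS query
LOOKUP_MODIFIERS = {"redirect"}
QUALIFIER_MEANING = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10                                              # RFC 7208 section 4.6.4

# qualifier, name, then ':' or '/' for a mechanism argument or '=' for a modifier
_TERM = re.compile(r"([+\-~?]?)([A-Za-z][A-Za-z0-9]*)(?:([:=/])(.*))?")


def parse_spf(record: str) -> list:
    """Split a v=spf1 string into (qualifier, name, separator, argument) tuples.
    Returns [] for a TXT record that is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    parsed = []
    for term in terms[1:]:
        m = _TERM.fullmatch(term)
        if not m:
            raise ValueError(f"unparsable SPF term: {term!r}")
        qual, name, sep, arg = m.groups()
        parsed.append((qual or "+", name.lower(), sep or "", arg or ""))
    return parsed


def count_dns_lookups(directives: list) -> int:
    """Terms that force a DNS query while the record is evaluated; more than
    MAX_LOOKUPS makes receivers return permerror."""
    return sum(1 for _q, name, sep, _a in directives
               if (name in LOOKUP_MECHANISMS and sep != "=")
               or (name in LOOKUP_MODIFIERS and sep == "="))


def terminal_policy(directives: list) -> str:
    """Result for a sender that matches nothing: the qualifier on 'all', or
    neutral if the record has no 'all' term."""
    for qual, name, _s, _a in directives:
        if name == "all":
            return QUALIFIER_MEANING[qual]
    return "neutral"


def assess(record: str) -> dict:
    """Apply both checks and return findings in the style of the report."""
    directives = parse_spf(record)
    lookups = count_dns_lookups(directives)
    policy = terminal_policy(directives)
    findings = []
    if not directives:
        findings.append("not an SPF record")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS} (permerror)")
    if directives and policy != "fail":
        findings.append(f"record ends with '{policy}': spoofed mail is not rejected outright")
    return {"lookups": lookups, "policy": policy, "findings": findings}
```

For the record in this report assess() counts five lookup terms (the five a: mechanisms; ip4 costs none) and a terminal policy of fail, so it raises no finding. The lookup counter treats a/24 and mx the same as a:host and mx:host, and counts redirect= but not other modifiers such as exp=, which is the RFC 7208 accounting.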

DNS SRV Record

SRV records found:
_sip._tls.example.com               -> sip.example.com. port 443
_sipfederationtls._tcp.example.com  -> sip.example.com. port 0
Info
