Fields A and AAAA
- Master server
- 300 (5 minutes)
- iHl3fA ==@ ovh.net
- 86400 (1 day)
- 3600 (1 hour)
- 3600000 (1 month)
- 300 (5 minutes)
The BIND version is hidden
The BIND version should not be visible, because a malicious person could look up the security flaws specific to the version found.
The domain has at least 2 DNS servers
To obtain very high availability, the RFC strongly recommends having at least 2 DNS servers.
All DNS servers respond
All DNS servers must be accessible and accept a public request.
All servers return a success
It is important that all servers return a success code.
The answers are not CNAME or A
The response should not be of the CNAME or A type.
The IP addresses of the DNS servers are different
The IP addresses of the DNS servers must be different, so that the availability rate is as high as possible.
The IP addresses of the DNS servers are of a different class C
The class C network of each IP must be different, so that the servers do not share the same network and the same risk of unavailability.
The SOAs are synchronized
The SOA answered by the DNS servers must be the same for each server. The most important information is the master server, the contact's email address and the serial number.
The email in the SOA is valid.
An email address must meet certain conditions to be valid, in accordance with RFC 5322.
The update value in SOA is valid
The update (refresh) value must be between 1200 and 43200.
The value of retry, update and expire is correct
The Retry value must be less than the Update (refresh) value, which in turn must be less than the Expire value (retry < update < expire).
The DNS servers are not Open Relay
DNS resolvers that allow requests from all IP addresses and are exposed to the Internet can be attacked and used to carry out denial of service (DoS) attacks by malicious people.
Zone transfer is not enabled
An attacker can send a zone transfer containing malicious code or a malformed format that crashes a DNS server vulnerable to this type of attack, resulting in a DoS that destabilizes DNS services. A permitted zone transfer also lets anyone retrieve all the information in the DNS zone. The test can be done with the command: #host -T axfr or #dig axfr.
Recursive queries are disabled.
Having a DNS server that allows recursive queries is a security risk: it can be used to carry out a DDoS attack.
The IP addresses of the DNS servers are not private
It is strictly forbidden to have private IP addresses in your DNS.
The same MX records are returned.
It is extremely important that each DNS server returns the same MX records, to avoid contacting an SMTP server that no longer exists.
DNS servers are synchronized
The synchronization of the DNS servers must be perfect to avoid any problem of DNS resolution. Therefore, the servers must give the same answer when they are asked "what are the domain's DNS servers?".
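The SOA rules above (valid contact email, update/refresh between 1200 and 43200, retry < update < expire) and the synchronization checks (same master server, contact and serial on every server) can be applied offline to the SOA records each server returned. The following is an added example and not code from the report or from the tool that produced it; the server names, SOA values and the email pattern are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Soa:
    mname: str    # master (primary) server
    rname: str    # contact in DNS form, e.g. hostmaster.example.net.
    serial: int
    refresh: int  # the report calls this value "update"
    retry: int
    expire: int

def rname_to_email(rname: str) -> str:
    """Convert the SOA RNAME (first label = local part) to the email address it encodes."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

# Assumption: a practical subset of RFC 5322 addresses, not the full grammar
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def check_soa_values(soa: Soa) -> list[str]:
    """Checklist rules: 1200 <= refresh <= 43200, retry < refresh < expire, valid contact."""
    problems = []
    if not 1200 <= soa.refresh <= 43200:
        problems.append(f"refresh {soa.refresh} is outside 1200..43200")
    if not soa.retry < soa.refresh < soa.expire:
        problems.append(f"need retry < refresh < expire, got {soa.retry}, {soa.refresh}, {soa.expire}")
    if not EMAIL_RE.fullmatch(rname_to_email(soa.rname)):
        problems.append(f"contact {rname_to_email(soa.rname)} is not a valid email address")
    return problems

def check_soa_sync(answers: dict[str, Soa]) -> list[str]:
    """Master server, contact and serial must be identical on every server (first server is the reference)."""
    problems = []
    servers = sorted(answers)
    reference = answers[servers[0]]
    for server in servers[1:]:
        for field in ("mname", "rname", "serial"):
            got, want = getattr(answers[server], field), getattr(reference, field)
            if got != want:
                problems.append(f"{server}: {field} differs ({got} vs {want})")
    return problems

# Constructed sample answers: ns2 still serves the previous serial (replication lag).
ANSWERS = {
    "ns1.example.net": Soa("ns1.example.net.", "hostmaster.example.net.", 2024010102, 7200, 3600, 1209600),
    "ns2.example.net": Soa("ns1.example.net.", "hostmaster.example.net.", 2024010101, 7200, 3600, 1209600),
}
# Constructed bad SOA: refresh below 1200 and retry larger than refresh.
BAD_SOA = Soa("ns1.example.net.", "hostmaster.example.net.", 1, 600, 3600, 1209600)
```

Running `check_soa_values(BAD_SOA)` reports the two value problems, and `check_soa_sync(ANSWERS)` reports the serial mismatch on ns2.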