This is a sample only of what I hope the page can do.
| Category | Status | Test Name | Information |
|---|---|---|---|
| Parent | PASS | Missing Direct Parent check | OK. Your direct parent zone exists, which is good. Some domains (usually third- or fourth-level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion. |
| Parent | INFO | NS records at parent servers | Your NS records at the parent servers are: ns1.domain.com. [0.0.0.0] [TTL=172800] [US]; ns2.domain.com. [0.0.0.0] [TTL=172800] [US]. [These were obtained from d.gtld-servers.net] |
| Parent | PASS | Parent nameservers have your nameservers listed | OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there. |
| Parent | PASS | Glue at parent nameservers | OK. The parent servers have glue for your nameservers. That means they send out the IP addresses of your nameservers, as well as their host names. |
| Parent | PASS | DNS servers have A records | OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records. |
| NS | INFO | NS records at your nameservers | Your NS records at your nameservers are: ns2.domain.com. [0.0.0.0] [TTL=86400]; ns1.domain.com. [0.0.0.0] [TTL=86400] |
| NS | PASS | Open DNS servers | OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chance of cache poisoning, can degrade the performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers). |
| NS | PASS | Mismatched glue | OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers. |
| NS | PASS | No NS A records at nameservers | OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records. |
| NS | PASS | All nameservers report identical NS records | OK. The NS records at all your nameservers are identical. |
| NS | PASS | All nameservers respond | OK. All of your nameservers listed at the parent nameservers responded. |
| NS | PASS | Nameserver name validity | OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names). |
| NS | PASS | Number of nameservers | OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7. |
| NS | PASS | Lame nameservers | OK. All the nameservers listed at the parent servers answer authoritatively for your domain. |
| NS | PASS | Missing (stealth) nameservers | OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers. |
| NS | PASS | Missing nameservers 2 | OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers. |
| NS | PASS | No CNAMEs for domain | OK. There are no CNAMEs for domain.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present. |
| NS | PASS | No NSs with CNAMEs | OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present. |
| NS | PASS | Nameservers on separate class C's | OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location. |
| NS | PASS | All NS IPs public | OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays. |
| NS | WARN | TCP Allowed | WARNING: One or more of your DNS servers does not accept TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems. The problem servers are: 0.0.0.0: Error [Connection refused (10061)]; 0.0.0.0: Error [Connection refused (10061)]. |
| NS | WARN | Single Point of Failure | WARNING: Although you have at least 2 NS records, they may both point to the same server (one of our two tests shows them being the same, the other does not), which would result in a single point of failure. You are required to have at least 2 nameservers per RFC 1035 section 2.2. |
| NS | INFO | Nameservers versions | [For security reasons, this test is limited to members] |
| NS | PASS | Stealth NS record leakage | Your DNS servers do not leak any stealth NS records (if any) in non-NS requests. |
| SOA | INFO | SOA record | Your SOA record [TTL=86400] is: Primary nameserver: ns2.domain.com.; Hostmaster E-mail address: hostmaster.domain.com.; Serial #: 149041129; Refresh: 7200; Retry: 3600; Expire: 604800; Default TTL: 3600 |
| SOA | FAIL | NS agreement on SOA Serial # | ERROR: Your nameservers disagree as to which version of your DNS is the latest (149041107 versus 149041129). This is OK if you have just made a change recently, and your secondary DNS servers haven't yet received the new information from the master. I will continue the report, assuming that 149041129 is the correct serial #. The serial numbers reported by each DNS server are: 0.0.0.0: 149041107; 0.0.0.0: 149041129 |
| SOA | PASS | SOA MNAME Check | OK. Your SOA (Start of Authority) record states that your master (primary) name server is: ns2.domain.com. That server is listed at the parent servers, which is correct. |
| SOA | PASS | SOA RNAME Check | OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: hostmaster@domain.com. (techie note: we have changed the initial '.' to an '@' for display purposes). |
| SOA | WARN | SOA Serial Number | WARNING: Your SOA serial number is: 149041129. That is OK, but the recommended format (per RFC1912 2.2) is YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2006, you would use 2006050203. This number must be incremented every time you make a DNS change. |
| SOA | PASS | SOA REFRESH value | OK. Your SOA REFRESH interval is: 7200 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 and 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates. |
| SOA | PASS | SOA RETRY value | OK. Your SOA RETRY interval is: 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed. |
| SOA | PASS | SOA EXPIRE value | OK. Your SOA EXPIRE time is: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver. |
| SOA | PASS | SOA MINIMUM TTL value | OK. Your SOA MINIMUM TTL is: 3600 seconds. This seems normal (about 3600 to 86400 seconds, or 1-24 hours, is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but is now used for negative caching. |
| MX | INFO | MX Record | Your 2 MX records are: 10 mail.domain.com. [TTL=86400] IP=0.0.0.0 [TTL=86400] [US]; 20 mx2.domain.com. [TTL=86400] IP=0.0.0.0 [TTL=86400] [US] |
| MX | PASS | Low port test | OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not. |
| MX | PASS | Invalid characters | OK. All of your MX records appear to use valid hostnames, without any invalid characters. |
| MX | PASS | All MX IPs public | OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail. |
| MX | PASS | MX records are not CNAMEs | OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it. |
| MX | PASS | MX A lookups have no CNAMEs | OK. There appear to be no CNAMEs returned for A record lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3). |
| MX | PASS | MX is host name, not IP | OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records). |
| MX | PASS | Multiple MX records | OK. You have multiple MX records. This means that if one is down or unreachable, the other(s) will be able to accept mail for you. |
| MX | PASS | Differing MX-A records | OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records). |
| MX | PASS | Duplicate MX records | OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources. |
| MX | PASS | Reverse DNS entries for MX records | OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are: 0.0.0.0.in-addr.arpa x3.domain.com. [TTL=3553]; 0.0.0.0.in-addr.arpa x4.domain.com. [TTL=3553] |
| Mail | PASS | Connect to mail servers | OK: I was able to connect to all of your mailservers. |
| Mail | WARN | Mail server host name in greeting | WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record. mx2.domain.com claims to be host danglass.com [but that host is at 208.106.182.96 (may be cached), not 208.106.181.96]. |
| Mail | PASS | Acceptance of NULL <> sender | OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts). |
| Mail | PASS | Acceptance of postmaster address | OK: All of your mailservers accept mail to postmaster@domain.com (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1). |
| Mail | PASS | Acceptance of abuse address | OK: All of your mailservers accept mail to abuse@domain.com. |
| Mail | INFO | Acceptance of domain literals | WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required (RFC1123 5.2.17) to accept mail to domain literals for any of their IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem). mail.domain.com's postmaster@[208.106.182.96] response: >>> RCPT TO:<postmaster@[208.106.182.96]> <<< 550 relaying blocked, read new mail, add 74.53.59.133 to forwarding or enable smtp authentication in yo; mx2.domain.com's postmaster@[208.106.181.96] response: >>> RCPT TO:<postmaster@[208.106.181.96]> <<< 550 No such user (danglass) Cached lookup |
| Mail | PASS | Open relay test | OK: All of your mailservers appear to be closed to relaying. This is not a thorough check; you can get a thorough one here. mail.domain.com OK: 550 relaying blocked, read new mail, add 74.53.59.133 to forwarding or enable smtp authentication in yo; mx2.domain.com OK: 550 relaying blocked, read new mail, add 74.53.59.133 to forwarding or enable smtp authentication in yo |
| Mail | PASS | SPF record | You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is: "v=spf1 mx a:208.106.182.96 mx:208.106.181.96 ~all" [TTL=86400] |