NSE:dns-check-zone

 

Let's talk about analyzing DNS zone configuration against best practices. 

Generally if you are running a DNS server you should be monitoring it frequently.  There are so many attacks out there that abuse DNS that this is a technology that should never be left on it's own just because it "works."  Audit your DNS regularly.  

A quick test you can do with NSE is "dns-check-zone"  It will give you some quick info on what areas are not quite up to par.

...The real question you should be asking yourself is this.  

"Who else is checking this?"

I digress.

Below I go through a useful NSE script to check your zones.  I have two examples one that failed a couple tests and one that failed 

A LOT.

Before we go ahead and do this we need to find the name server of a particular domain.

Let's use #nslookup

the image below will give you you some details about using #nslookup

With this information we can feed more specific information into NSE

#nmap -sn -Pn <name of name server> --script dns-check-zone --script-args='dns-check-zone.domain=<domain name in question>'

The two images below are the the same as above.

In the above image the name server did fail the SOA Expire check.  Let us look at another server that failed a lot more

1)"FAIL" -->Missing nameservers reported by your nameservers 

At the registrar for your domain name you need to point your domain name too a specific set of name servers.

When you do this the registrar tells the TLD server(parent).

Your NS records need to match the name servers your domain name is pointed to.

The FAIL means that TLD server is not pointing to all the name servers that exist in your DNS zone.

2)"FAIL"-->SOA Refresh not within recommended range

If we take a look at the first NS it's refresh was set to 28800s this second NS is set to 600s.

Curious.

 

Hope you enjoyed!

 

Reference:

[1] https://nmap.org/nsedoc/scripts/dns-check-zone.html

[2] https://www.youtube.com/watch/UVNmby8rLz4

[3] https://www.cloudns.net/wiki/article/203/