NSE:dns-check-zone
Let's talk about analyzing DNS zone configuration against best practices.
Generally, if you are running a DNS server you should be monitoring it frequently. There are so many attacks out there that abuse DNS that this is a technology that should never be left on its own just because it "works." Audit your DNS regularly.
A quick test you can do with NSE is "dns-check-zone". It will give you some quick info on which areas are not quite up to par.
...The real question you should be asking yourself is this.
"Who else is checking this?"
I digress.
Below I go through a useful NSE script to check your zones. I have two examples: one that failed a couple of tests and one that failed A LOT.
Before we go ahead and do this we need to find the name server of a particular domain.
Let's use #nslookup
The image below will give you some details about using #nslookup
At the registrar for your domain name you need to point your domain name to a specific set of name servers.
When you do this the registrar tells the TLD server (the parent).
Your NS records need to match the name servers your domain name is pointed to.
This FAIL means that the TLD server is not pointing to all the name servers that exist in your DNS zone.
2) "FAIL" --> SOA Refresh not within recommended range
If we take a look at the first NS, its refresh was set to 28800s; this second NS is set to 600s.
Curious.
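As an added example (not the post's own code and not the Nmap script itself), here is a small Python model of the two checks discussed above, plus a consistency check on the SOA across name servers, run against constructed data that mirrors the passing and failing zones. The live script is run against the name server you found with nslookup, e.g. `nmap -sn -Pn ns1.example.com --script dns-check-zone --script-args dns-check-zone.domain=example.com` (per the nsedoc reference); the refresh window of 20 minutes to 12 hours, the zone names and the SOA values are assumptions made for this example.

```python
# Added example: offline model of three zone checks in the PASS/FAIL style of
# dns-check-zone. Not the script's code; inputs below are constructed.
from dataclasses import dataclass

# Assumption: recommended SOA refresh window of 20 minutes to 12 hours.
# The post's 28800 s passes and 600 s fails under this window.
REFRESH_MIN = 20 * 60        # 1200 s
REFRESH_MAX = 12 * 60 * 60   # 43200 s


@dataclass
class SoaRecord:
    """The SOA fields used here, as reported by one authoritative server."""
    serial: int
    refresh: int


def _normalize(names):
    """Compare host names case-insensitively and ignore the trailing dot."""
    return {n.lower().rstrip(".") for n in names}


def check_parent_delegation(parent_ns, zone_ns):
    """Delegation check: the NS set the TLD (parent) hands out must match the
    NS records inside the zone itself. Live equivalents of the two inputs:
    `nslookup -type=NS example.com a.gtld-servers.net` (parent view) and
    `nslookup -type=NS example.com ns1.example.com` (zone view)."""
    parent, zone = _normalize(parent_ns), _normalize(zone_ns)
    missing_at_parent = sorted(zone - parent)  # in the zone, parent does not refer to it
    missing_in_zone = sorted(parent - zone)    # parent refers to it, zone does not list it
    status = "PASS" if not missing_at_parent and not missing_in_zone else "FAIL"
    return status, missing_at_parent, missing_in_zone


def check_soa_refresh(soa_by_server):
    """Per-server check that the SOA refresh lies inside the recommended window."""
    return {
        server: "PASS" if REFRESH_MIN <= soa.refresh <= REFRESH_MAX else "FAIL"
        for server, soa in soa_by_server.items()
    }


def check_soa_consistency(soa_by_server):
    """All authoritative servers should serve the same SOA (serial and timers).
    Differing values usually mean a secondary is stale or was configured by
    hand, which is what two different refresh values hint at."""
    distinct = {(soa.serial, soa.refresh) for soa in soa_by_server.values()}
    return "PASS" if len(distinct) == 1 else "FAIL"


def audit_zone(domain, parent_ns, zone_ns, soa_by_server):
    """Return (fail_count, report_lines) for one zone."""
    lines = [f"DNS check results for domain: {domain}"]
    status, missing_at_parent, missing_in_zone = check_parent_delegation(parent_ns, zone_ns)
    lines.append(f"{status} - Parent delegation matches zone NS records")
    for name in missing_at_parent:
        lines.append(f"  parent does not refer to {name}")
    for name in missing_in_zone:
        lines.append(f"  zone does not list {name}")
    for server, st in check_soa_refresh(soa_by_server).items():
        lines.append(f"{st} - SOA refresh within {REFRESH_MIN}-{REFRESH_MAX} s on "
                     f"{server} ({soa_by_server[server].refresh} s)")
    lines.append(f"{check_soa_consistency(soa_by_server)} - SOA consistent across name servers")
    fail_count = sum(1 for line in lines if line.startswith("FAIL"))
    return fail_count, lines


# Constructed sample data (not real zones) mirroring the post's two examples.
GOOD_ZONE = dict(
    domain="example.com",
    parent_ns=["ns1.example.com.", "ns2.example.com."],
    zone_ns=["NS1.example.com", "ns2.example.com"],
    soa_by_server={"ns1.example.com": SoaRecord(2024010101, 28800),
                   "ns2.example.com": SoaRecord(2024010101, 28800)},
)
BAD_ZONE = dict(
    domain="example.net",
    parent_ns=["ns1.example.net."],                    # parent only refers to ns1
    zone_ns=["ns1.example.net", "ns2.example.net"],    # zone lists both
    soa_by_server={"ns1.example.net": SoaRecord(2024010101, 28800),
                   "ns2.example.net": SoaRecord(2023120501, 600)},  # stale, 600 s
)

if __name__ == "__main__":
    for zone in (GOOD_ZONE, BAD_ZONE):
        fails, report = audit_zone(**zone)
        print("\n".join(report))
        print(f"-> {fails} failed check(s)\n")
```

The failing zone trips all three checks: the parent does not refer to ns2, ns2's refresh of 600 s is below the window, and ns2 serves a different SOA than ns1, which is the kind of drift behind the "Curious." above.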
Hope you enjoyed!
Reference:
[1] https://nmap.org/nsedoc/scripts/dns-check-zone.html