Tests description
From DNSdoctor
Connectivity
ICMP answer
- name
- icmp
- severity
- warning (it is more of a diagnostic aid)
- description
- Send an ICMP echo request to the nameserver and wait for the echo reply.
- possible cause
- The whole host is down or not reachable. Beware that it could also be an overly strict firewall blocking ICMP echo requests.
- how to reproduce
ping ${hostip}
UDP connectivity
- name
- udp
- severity
- fatal
- reference
- IETF RFC1035 (p.32 4.2. Transport)
- The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.
- description
- Ask for the ANY record of the tested zone using UDP datagrams; whatever the answer is, the test is successful if the server answers within 8 seconds to one of the 25 queries sent over a period of 5 seconds.
- possible cause
- A server not responding generally means that the DNS daemon has not been started. It happens a lot with IPv6, because people add AAAA records for their nameservers but forget to start the service or do not have IPv6 connectivity.
- how to reproduce
dig @${hostip} ${domainname}
TCP connectivity
- name
- tcp
- severity
- fatal
- reference
- IETF RFC1035 (p.32 4.2. Transport)
- The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.
- description
- Ask for the ANY record of the tested zone through a TCP connection; whatever the answer is, the test is successful as long as the server answers.
- possible cause
- Typical errors are "Connection refused", "Connection reset" or "Timeout". This is generally due to a misconfigured firewall disallowing connections on TCP port 53, or in some rare cases to a DNS daemon that does not listen on TCP.
- how to reproduce
dig @${hostip} ${domainname} +vc
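The UDP and TCP tests above differ only in transport, so here is an added Python example (not DNSdoctor's own code) that implements both as the page describes them: the 25 UDP queries spread over 5 seconds with an 8-second answer deadline, and the same ANY query over TCP with the 2-byte length prefix required by RFC 1035 4.2.2. The `hostip` and `zone` parameters stand in for the page's ${hostip} and ${domainname}; the fixed transaction IDs are for readability only.

```python
import select
import socket
import struct
import time


def encode_name(name):
    """Length-prefixed labels ending with the root label (RFC 1035 3.1)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(txid, zone, qtype=255):
    """12-byte header (RD set, one question) plus the question; type 255 is ANY, class 1 is IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, 1)


def is_reply_to(txid, data):
    """Any message with our ID and QR=1 counts; RCODE is ignored, as the page's tests accept any answer."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def udp_connectivity(hostip, zone, tries=25, spread=5.0, wait=8.0):
    """Spread `tries` UDP queries over `spread` seconds; succeed on any reply within `wait` seconds."""
    txid, query = 0x1234, build_query(0x1234, zone)  # fixed ID for readability only
    family = socket.getaddrinfo(hostip, 53, proto=socket.IPPROTO_UDP)[0][0]  # v4 or v6
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        deadline = time.monotonic() + wait
        for i in range(tries):
            sock.sendto(query, (hostip, 53))
            # listen until the next send slot, or until the deadline after the last send
            until = deadline if i == tries - 1 else min(deadline, time.monotonic() + spread / tries)
            while (left := until - time.monotonic()) > 0:
                if select.select([sock], [], [], left)[0] and is_reply_to(txid, sock.recvfrom(4096)[0]):
                    return True
    return False


def tcp_connectivity(hostip, zone, wait=8.0):
    """Same query over TCP, each message prefixed by its 2-byte length (RFC 1035 4.2.2)."""
    txid, query = 0x5678, build_query(0x5678, zone)
    try:
        with socket.create_connection((hostip, 53), timeout=wait) as sock:
            sock.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", sock.recv(2))[0]
            return is_reply_to(txid, sock.recv(length))
    except (OSError, struct.error):  # refused, reset, timeout, or a truncated length prefix
        return False
```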
Root servers
Root-servers list present
- name
- root_servers
- how to reproduce
dig @${hostip} . ns
Root-servers list identical to ICANN
- name
- root_servers_ns_vs_icann
- possible cause
- The DNS server contains an outdated list of root-servers that needs to be updated. Another possibility is that you have explicitly chosen to use an alternative root.
- how to reproduce
- Compare the answer sections of these two outputs
dig @${hostip} . ns
dig @m.root-servers.net . ns
Root-servers addresses identical to ICANN
- name
- root_servers_ip_vs_icann
- possible cause
- The DNS server contains an outdated list of root-servers that needs to be updated. Another possibility is that you have explicitly chosen to use an alternative root.
- how to reproduce
SOA (Start Of Authority)
SOA record present
SOA authoritative answer
Misuse of '@' character in contact name
Illegal characters in contact name
Illegal characters in master name
Serial number of the form YYYYMMDDnn
'expire' field is between min and max
Coherence between SOA and ANY records
Coherence of the serial number between the nameservers
Excessive drift of serial with the primary nameservers
- name
- soa_drift_serial
- severity
- fatal
- description
- Compare the serial number of the primary nameserver with the serial numbers of the secondary nameservers; the difference should not exceed the specified threshold. Two thresholds are available: the first (soa:serial:drift_ymd) is used when the serial uses the YYYYMMDDnn format, the second (soa:serial:drift) otherwise.
- possible cause
- The secondary nameservers no longer synchronise; this is generally due to an obsolete master in the configuration of the secondary nameserver (i.e. someone forgot to notify the secondaries of the change).
- how to reproduce
- Compare the results of the following commands and look for the serial number in each
dig @ns1 ${domainname} soa ; dig @ns2 ${domainname} soa
NS records
NS records present
NS authoritative answer
NS name has a valid domain/hostname syntax
NS is not an alias
Coherence between NS and ANY records
NS can be resolved
MX records
MX record present
MX authoritative answer
MX syntax is valid for a hostname
MX is not an alias
Absence of wildcard MX
Coherence between MX and ANY records
Loopback
Loopback delegation
Loopback is resolvable
Can deliver email to 'postmaster'
Can deliver email to hostmaster