Automated DNS and DNSSEC Analysis and Monitoring

DNS Institute provides detailed DNS and DNSSEC analysis via an automated monitoring system. (This is in addition to our consulting services and DNS system checklist review.) The monitoring can be done frequently or periodically.

It has over 85 tests and queries against the known name servers, including over TCP and over IPv6. (This page only shows a few examples.) The reports provide explanations and bibliographic citations for the test statements, which are based on Internet standards and IETF RFC specifications; NIST, CERT, and US government mandates; and the documented policies and best practices of DNS software.

The automated monitoring checks include query response times; EDNS; RRSIG inception and expiration; cryptographic algorithms; sane SOA record data; routing diversity; approved key lengths; and much more.

We can provide reports and graphs of aggregated results. Depending on your needs we can provide timely or delayed alerts. Contact us about monitoring your DNS as a professional service.

Random Recent DNS Checks

We currently do periodic analysis of thousands of domain names owned by Fortune 500 companies, the US federal government, and the top 100 largest banks (as defined in the S&P Global Bank ranking). The following is an arbitrary snapshot out of hundreds of warnings and failures. Even more critical findings may exist currently, so don't assume these are the key issues. (The checks also generate other interesting diagnostic information.)

  • Toronto-Dominion Bank — tdwealth.us — SOA MINIMUM (negative caching TTL) recommended maximum is 1 hour (Unbound and PowerDNS Recursor default max): WARNING
  • Japan Post Bank Co. Ltd. — japanpost.jp — Working nameservers must be in at least two topologically-separate networks (IPv6): WARNING
  • USAA — usaa.com — RRSIG algorithm RSA/SHA-1 is not recommended: WARNING
  • Nordea Bank AB — nordeabank.ru — There should be at least two working NS delegations: FAIL

Miscellaneous Examples

  • Broadcom — broadcom.com — RRSIG Expiration must not be expired: FAIL
  • United Rentals — unitedrentals.com — Authoritative test query should not return Recursion Available flag (RA): FAIL
  • Centene — centene.com — RRSIG Inception should be within one year: FAIL
  • Tech Data — techdata.com — Nameserver IPv6 should be valid (RFC3056 6to4): FAIL
  • State Street Corp. — spdrumobile.com — Authority Section referral should not be a root referral: FAIL
  • American Financial Group — gaic.com — At least two nameserver delegations are required: FAIL
  • CaixaBank SA — lacaixa.es — The nameserver must respond over TCP (TCP timeout): FAIL
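As an added example (not DNS Institute's own tooling), the following Python script evaluates a constructed set of zone records against several of the rules quoted above: the SOA MINIMUM one-hour limit, the RSA/SHA-1 algorithm warning, the RRSIG expiration and one-year inception windows, and the two-NS requirement. The domain, records and timestamps are made up; a real check would fetch the records from each authoritative server.

```python
from datetime import datetime, timedelta, timezone

# Constructed zone-file style records for a hypothetical domain (not real data).
SAMPLE_RECORDS = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 86400
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG SOA 5 2 3600 20240115000000 20220101000000 12345 example.test. AbCdEf==
"""

ONE_HOUR = 3600                      # recommended SOA MINIMUM ceiling (negative caching TTL)
MAX_INCEPTION_AGE = timedelta(days=365)
NOT_RECOMMENDED_ALGS = {5: "RSA/SHA-1", 7: "RSASHA1-NSEC3-SHA1"}  # DNSSEC algorithm numbers

def parse(text):
    """Return (rrtype, rdata_fields) tuples from zone-file style lines: owner TTL class TYPE rdata..."""
    recs = []
    for line in text.strip().splitlines():
        fields = line.split()
        recs.append((fields[3], fields[4:]))
    return recs

def rrsig_time(stamp):
    """RRSIG presentation format uses YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check(text, now):
    """Evaluate the records and return (message, severity) findings, mirroring the report wording."""
    findings = []
    recs = parse(text)
    if len([r for t, r in recs if t == "NS"]) < 2:
        findings.append(("There should be at least two working NS delegations", "FAIL"))
    for rrtype, rdata in recs:
        if rrtype == "SOA" and int(rdata[6]) > ONE_HOUR:   # SOA rdata: mname rname serial refresh retry expire minimum
            findings.append(("SOA MINIMUM (negative caching TTL) recommended maximum is 1 hour", "WARNING"))
        if rrtype == "RRSIG":   # rdata: type-covered alg labels orig-ttl expiration inception keytag signer sig
            alg, expiration, inception = int(rdata[1]), rrsig_time(rdata[4]), rrsig_time(rdata[5])
            if alg in NOT_RECOMMENDED_ALGS:
                findings.append((f"RRSIG algorithm {NOT_RECOMMENDED_ALGS[alg]} is not recommended", "WARNING"))
            if expiration < now:
                findings.append(("RRSIG Expiration must not be expired", "FAIL"))
            if now - inception > MAX_INCEPTION_AGE:
                findings.append(("RRSIG Inception should be within one year", "FAIL"))
    return findings

if __name__ == "__main__":
    as_of = datetime(2024, 2, 1, tzinfo=timezone.utc)   # constructed "now" for a reproducible run
    for message, severity in check(SAMPLE_RECORDS, as_of):
        print(f"{message}: {severity}")
```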

Feel free to contact us about any of these random examples for bibliographic references, details, and explanations. If this is your company and you want a full report, let us know with your company contact information and a reference to your company relationship, such as LinkedIn or a company webpage (or a TXT record in DNS).