We did a quick audit of 1069 delegated domain names found within 13 TLDs under the alternative DNS root OpenNIC. These TLDs are: bbs, chan, cyb, epic, geek, gopher, indy, libre, neo, null, oss, oz, and pirate. (We didn't analyze names directly under dyn, free, o, nor parody.) Our tool is an exhaustive recursive DNS checker / auditing suite with over 105 tests based on IETF/RFC standards, registry policies, government mandates, and vendor best practices, including for IPv6 and DNSSEC.
This analysis identified 58 unique DNS problems or anomalies for the 1069 domain names analyzed. By checking different authoritative nameservers and protocols, this totaled 39588 issues. Of these domain names in the list, 1 domain didn't exist where delegated. This summary highlights some of the interesting problems.
Seven domains did not have working TCP (over IPv4). This included 7 TCP failures via 3 nameservers and 1 TCP timeout.
Two-hundred-fifty domains had a nameserver delegation that didn't have an A address. (Our OpenNIC testing wasn't complete, due to resolving NS records that didn't have records under this alternate root, but this only effected four domains of which two didn't have domains under the new root and one had a NS with an IP of one of the roots resulting in a loop. So most of these failures were for missing names or addresses in standard DNS.)
Three-hundred-fifty-eight domains had nameservers that returned a Recursion Available (RA) flag. This was for 14 nameserver IP addresses. (We didn't check for open resolvers in this run.)
Seventy-seven domains had multiple delegations re-using the same IPv4 address. Seventy-seven domains also had repeated IPv6 nameserver addresses.
One-hundred-five domains only had one working nameserver over IPv4 with UDP. For IPv4/TCP, 103 domains only had one working nameserver. One-hundred-seven domains only had one working nameserver over IPv6 with UDP. For IPv6/TCP, 116 domains only had one working nameserver.
Nine-hundred-thirty-two domains didn't have working IPv6 nameservers that provided an answer for the domain (over UDP). One-hundred-thirteen of the domains did have working DNS over IPv6/UDP.
Fifty-eight domains were served from IPv4 nameservers only in one topological network. For IPv6, 73 domains were served from only one topological network.
For DNSSEC, 11 domains had signatures. Two of these domains were set to expire in less than three days. Two of the domains were set to expire in less than one day. Two of the TLDs were actually DNSSEC expired: parody and epic.
We also saw 52 SERVFAILs in addition to many the issues above which also may cause SERVFAILs. This is only a small snapshot of the thousands of anomalies detected. If you'd like to see a report for your domain name or if you run a TLD, contact us to see how we can help proactively identify and remediate DNS vulnerabilities and misconfigurations and ensure compliance.
Gab
Twitter