NS.tools documentation

This page explains every test that is run on ns.tools. The tests are grouped into 7 sections. ns.tools analyzes your IP or domain with no fewer than 93 tests.

Dns

BIND version is hidden
The Bind version should not be visible otherwise it will be possible to search for potential security vulnerabilities of the version.
Domain has at least 2 DNS servers
In order for the availability rate of DNS servers to be at its highest, it is vital and recommended by the RFC to have at least 2 servers.
All DNS servers are responding
Every DNS server should be reachable and accept public queries.
All servers return success
It's important that all servers returned a "success" code.
Responses are not CNAME or A
The answers should not be a CNAME or A type.
DNS server IPs are different
The IPs of the DNS servers must be different in order to have high availability.
DNS server IPs are in different class C
The class C of each IP must be different so that the servers are not located in the same rack, which would otherwise create a risk of unavailability.
DNS servers are synchronized
The synchronization of the DNS servers must be perfect in order to avoid any DNS resolution error. The servers must therefore give the same answer when asked "what are the DNS servers for the domain?".
SOA are synchronized
The SOA answered by the DNS servers must be identical for every server. The most important information is the master server and the contact email address.
SOA email is valid
An email address must satisfy certain conditions to be valid, according to RFC 5322.
SOA refresh is valid
The refresh value must be between 1200 and 43200.
SOA retry, refresh and expire values are correct
The Retry, Refresh and Expire values must follow this path: retry
DNS servers are not open relay
DNS resolvers that allow queries from all IP addresses and are exposed to the Internet can be attacked and used to conduct Denial of Service (DoS) attacks on behalf of the hacker.
Zone transfer is disabled
An attacker can use a zone transfer containing malicious code or an inappropriate format to crash a DNS server vulnerable to this type of attack, resulting in a DoS that destabilizes the DNS service. It is possible to test this manually with these commands: #host -T axfr or #dig axfr.
Recursive queries are disabled
A DNS server that allows recursive queries is a security risk: it can be used to perform DDoS attacks.
Same MX are returned
It is extremely important that each DNS return the same MX records in order to avoid contacting an SMTP server that no longer exists.
GLUE records are set for NS in domain
If a DNS server is a host within its own domain, glue records must be defined. This avoids circular references.
DNS servers are not CNAME
The CNAME record, other than being required to point to a name instead of an IP, has another important limitation: a CNAME record is not allowed to coexist with any other data.
DNS servers IP are not private
It is strictly forbidden to have private IPs in DNS.
Is the BIND version visible from Nmap?
The Bind version should not be visible otherwise it will be possible to search for potential security vulnerabilities of the version.
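The server-set checks above (at least two servers, distinct IPs and class C, no private IPs, identical NS and SOA answers, SOA refresh range, glue for in-zone NS) can all be computed offline once the answers of each authoritative server have been collected. The following Python is an added example, not ns.tools' own code: the ANSWERS data is constructed, "class C" is read as a /24, and "private" is assumed to mean the RFC 1918 ranges since the page does not define it.

```python
import ipaddress

# Constructed sample: what two authoritative servers for example.test answered
# (fabricated for illustration, not real DNS responses)
ANSWERS = {
    "192.0.2.10": {
        "ns": {"ns1.example.test.", "ns2.example.test."},
        "glue": {"ns1.example.test.": "192.0.2.10", "ns2.example.test.": "198.51.100.10"},
        "soa": {"mname": "ns1.example.test.", "rname": "hostmaster.example.test.",
                "serial": 2024010101, "refresh": 7200, "retry": 1800, "expire": 1209600},
    },
    "198.51.100.10": {
        "ns": {"ns1.example.test.", "ns2.example.test."},
        "glue": {"ns1.example.test.": "192.0.2.10", "ns2.example.test.": "198.51.100.10"},
        "soa": {"mname": "ns1.example.test.", "rname": "hostmaster.example.test.",
                "serial": 2024010101, "refresh": 7200, "retry": 1800, "expire": 1209600},
    },
}

# The page does not say which ranges count as "private"; RFC 1918 is assumed here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_dns_servers(answers, zone="example.test."):
    """Run the server-set checks on {server_ip: {"ns": set, "glue": dict, "soa": dict}}.
    Returns {check_name: bool}; names loosely follow the tests listed above."""
    ips = [ipaddress.ip_address(ip) for ip in answers]
    v4 = [ip for ip in ips if ip.version == 4]
    # "class C" is read here as the /24 that contains each IPv4 address
    class_c = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in v4}
    # NS names inside the zone itself need glue, otherwise resolution is circular
    in_zone = {n for a in answers.values() for n in a["ns"]
               if n.lower().endswith("." + zone.lower())}
    return {
        "at_least_2_servers": len(ips) >= 2,
        "ips_are_different": len(set(ips)) == len(ips),
        "ips_in_different_class_c": len(class_c) == len(v4),
        "no_private_ips": not any(ip in net for ip in v4 for net in PRIVATE_NETS),
        # every server must hand back the same NS set and the same SOA
        "ns_synchronized": len({frozenset(a["ns"]) for a in answers.values()}) == 1,
        "soa_synchronized": len({tuple(sorted(a["soa"].items())) for a in answers.values()}) == 1,
        "soa_refresh_valid": all(1200 <= a["soa"]["refresh"] <= 43200 for a in answers.values()),
        "glue_set_for_in_zone_ns": all(n in a.get("glue", {})
                                       for a in answers.values() for n in in_zone),
    }


if __name__ == "__main__":
    for name, ok in check_dns_servers(ANSWERS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Feeding the function the answers of each server separately (rather than one resolver's cached view) is what makes the synchronization checks meaningful: a lagging secondary shows up as a differing SOA or NS set.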

Mail

MX records are FQDN
MX must be a domain, not an IP.
MX records are not CNAME
According to RFC 1034 and RFC 2181, CNAME records should not be used with NS and MX.
SMTP server number
The domain should have at least 2 SMTP servers according to the RFC.
MX servers are accessible
The SMTP servers listed in the DNS zone must be accessible; otherwise there is a risk that emails may be lost.
MX IPs are different
The IPs of the SMTP servers must be different so that mail can still be delivered if one of them is no longer reachable.
MX IPs are in different class C
The class C of every IP should be different.
MX IPs have reverse
When a sending server makes a connection to the recipient server, the recipient server notes the sending IP address and performs a reverse lookup, called a PTR lookup, named after the type of DNS record used. If the result of the reverse lookup matches the result of a forward DNS Lookup, then it's much more likely that the message is legitimate. If the IP address doesn't match, it's much more likely that the sending address was spoofed and therefore much more likely that it's unwanted and could be considered spam.
HELO command is accepted
According to RFC 2181, the SMTP server should accept the HELO command.
EHLO command is accepted
According to RFC 2181, the SMTP server should accept the EHLO command.
STARTTLS command is accepted
STARTTLS turns an unencrypted connection into a secure connection.
EXPN command is refused
The EXPN command is now considered a security risk, since spammers are able to harvest valid e-mail addresses from each mailing list.
VRFY command is refused
Like the EXPN command, VRFY is used by spammers to verify an address.
MX servers are not open relay
If a server is an open relay, there is a risk that spammers use your server to send illegitimate mail.
MX servers accept abuse@ address
According to RFC 2142, the SMTP server should accept abuse@yourDomain as a recipient.
MX servers accept postmaster@ address
According to RFC 5321, the SMTP server should accept postmaster@yourDomain as a recipient.
Banner returns a 2xx or 4xx code
The banner must return a valid (2xx) or temporary (4xx) code.
Banner returns server name
The banner must contain the name of the server.
SMTP server type is hidden
Displaying the type and version of the server is a risk, because people can find a vulnerability for that specific version and exploit it.
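The SMTP checks above (banner code and name, HELO/EHLO accepted, STARTTLS offered, EXPN/VRFY refused, server type hidden) only look at the reply lines the server sends, so they can be demonstrated on captured text. The Python below is an added example, not ns.tools' own code: the banner and reply lines are constructed, the regex used to spot a leaked version string is a heuristic assumed here, and treating a 252 reply to VRFY as "refused" is an interpretation (RFC 5321 defines 252 as "cannot verify, but will accept the message").

```python
import re

# Constructed SMTP dialogue fragments, as a client would read them
# (fabricated for illustration, not captured from a real server)
BANNER = "220 mx1.example.test ESMTP ready"
EHLO_REPLY = ["250-mx1.example.test", "250-SIZE 35882577", "250-STARTTLS", "250 8BITMIME"]
EXPN_REPLY = "502 5.5.1 Command not implemented"
VRFY_REPLY = "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"


def check_banner(banner, expected_host):
    """Banner must carry a 2xx or 4xx code and name the server."""
    m = re.match(r"^(\d{3})[ -](.*)$", banner)
    if not m:
        return {"code_ok": False, "has_name": False}
    code, text = m.groups()
    return {"code_ok": code[0] in "24", "has_name": expected_host.lower() in text.lower()}


def version_hidden(banner):
    """Heuristic (assumed here): a product token followed by a dotted version number
    such as 'Postfix 3.6.4' or 'Exim/4.94' leaks the server type."""
    return re.search(r"[A-Za-z][\w-]*[ /]v?\d+\.\d+", banner) is None


def check_ehlo(lines):
    """EHLO is accepted when every reply line is 250; STARTTLS must be among the
    keywords advertised on the continuation lines."""
    accepted = bool(lines) and all(l[:3] == "250" for l in lines)
    keywords = {l[4:].split()[0].upper() for l in lines[1:] if l[4:].split()}
    return {"ehlo_accepted": accepted, "starttls_offered": accepted and "STARTTLS" in keywords}


def command_refused(reply):
    """EXPN/VRFY count as refused on a 5xx reply, or on 252 (no address confirmed)."""
    code = reply[:3]
    return code.startswith("5") or code == "252"
```

A 2xx reply to VRFY that echoes the mailbox back is the case the test is meant to catch, since that is what lets a remote party confirm addresses one by one.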
SPF is configured for domain
To avoid identity theft, it is strongly recommended to configure SPF.
SPF record is TXT type
The SPF record type is no longer used: SPF must be published in a TXT record, because many servers do not support the SPF record type. If an SPF-type record exists, it should be the same as the TXT one.
Domain has only 1 SPF record
To avoid issues with SPF, it is strongly recommended to configure only one.
SPF records of type TXT & SPF are the same
The SPF record type has become obsolete; if it is configured, it must be the same as the one present in the TXT record.
SPF version exists
According to the RFC, the SPF version must be specified.
SPF version at first position
SPF has to start with version's tag.
SPF "all" exists
According to the RFC, the mechanism "all" must be specified in the SPF record, unless there is a Redirect tag.
SPF "all" at last position
The mechanism "all" has to be the last tag in the SPF record. Be sure you don't have any duplicate entries in your field.
IPv4 & IPv6 syntaxes are correct in SPF
IPs must be valid, otherwise the SPF will be useless.
SPF has no PTR
PTR has become obsolete in SPF and should not be found in it.
SPF "Redirect" at last position
The mechanism "Redirect" has to be the last tag in the SPF record. Be sure you don't have any duplicate entries in your field.
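The SPF syntax checks above (one record, version first, "all" present and last, "redirect" last, no ptr, valid ip4/ip6 networks, no duplicates) can be applied to the TXT strings of a domain with the following Python. This is an added example, not ns.tools' own code; the SAMPLE_TXT records are constructed.

```python
import ipaddress

# Constructed TXT records at the zone apex (not real DNS data)
SAMPLE_TXT = [
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.test -all",
    "site-verification=placeholder-value",
]


def check_spf(txt_records):
    """Apply the SPF syntax checks listed above to the TXT strings of a domain.
    Returns {check_name: bool}."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    res = {"spf_configured": len(spf) >= 1, "only_one_spf": len(spf) == 1}
    if not spf:
        return res
    terms = spf[0].split()
    res["version_first"] = terms[0].lower() == "v=spf1"
    # drop qualifiers (+ - ~ ?) so that "-all" and "all" compare equal
    names = [t.lstrip("+-~?").lower() for t in terms[1:]]
    has_all = "all" in names
    has_redirect = any(n.startswith("redirect=") for n in names)
    res["all_exists"] = has_all or has_redirect
    res["all_last"] = (not has_all) or names[-1] == "all"
    res["redirect_last"] = (not has_redirect) or names[-1].startswith("redirect=")
    res["no_ptr"] = not any(n == "ptr" or n.startswith("ptr:") for n in names)
    res["no_duplicates"] = len(names) == len(set(names))
    ip_ok = True
    for n in names:
        if n.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(n[4:], strict=False)
                # the address family must match the mechanism name
                ip_ok = ip_ok and (net.version == 4) == n.startswith("ip4:")
            except ValueError:          # unparsable address or prefix
                ip_ok = False
    res["ip_syntax_valid"] = ip_ok
    return res
```

When a record carries both "all" and "redirect=", only one of them can be last; the two page tests then disagree, which is itself a signal that the record should be simplified.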
DMARC is configured for domain
To avoid identity theft, it is strongly recommended to configure DMARC.
Domain has only 1 DMARC record
To avoid issue with DMARC, it is strongly recommended to configure only one.
DMARC validity
If the DMARC is misconfigured there is a risk that the recipient servers will not accept your mails.
DMARC version exists
According to the RFC 7489 section 6.3, the DMARC version is required.
DMARC version at first position
According to the RFC 7489 section 6.3, the DMARC version must be the first tag in the list.
DMARC procedure exists
According to the RFC 7489 section 6.3, the procedure is required.
DMARC "p" field is valid
According to the RFC 7489 section 6.3, the procedure value must be none, quarantine or reject.
DMARC "sp" field is valid
According to the RFC 7489 section 6.3, the subdomain procedure value must be none, quarantine or reject.
DMARC "pct" field is valid
According to the RFC 7489 section 6.3, the percentage's value must be between 0 and 100.
DMARC "adkim" field is valid
According to the RFC 7489 section 6.3, the adkim tag value must be the letter R or S.
DMARC "aspf" field is valid
According to the RFC 7489 section 6.3, the aspf tag value must be the letter R or S.
DMARC "rf" field is valid
According to the RFC 7489 section 6.3, the RF tag's value must be afrf or iodef.
DMARC "ri" field is valid
According to the RFC 7489 section 6.3, the RI tag's value must be an integer.
DMARC "ruf" field is valid
According to the RFC 7489 section 6.3, the RUF tag's value must be a valid email.
DMARC "rua" field is valid
According to the RFC 7489 section 6.3, the RUA tag's value must be a valid email.
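The DMARC tag checks above all operate on the "tag=value; tag=value" string found at _dmarc.yourDomain, so one small parser serves the whole list. The Python below is an added example, not ns.tools' own code. The SAMPLE_DMARC record is constructed; the email regex is a loose shape assumed here, rua/ruf values are accepted with or without the mailto: scheme, and adkim/aspf are compared case-insensitively (RFC 7489 spells them r and s).

```python
import re

# Constructed record as published at _dmarc.example.test (not real DNS data)
SAMPLE_DMARC = ["v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.test; ruf=mailto:dmarc-forensic@example.test"]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # loose email shape, assumed here


def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def _mail_ok(value):
    # rua/ruf hold one or more comma-separated mailto: URIs; the page only
    # asks for "a valid email", so the scheme is stripped before checking
    addrs = [a.strip() for a in value.split(",")]
    addrs = [a[7:] if a.lower().startswith("mailto:") else a for a in addrs]
    return bool(addrs) and all(EMAIL_RE.match(a) for a in addrs)


def check_dmarc(txt_records):
    """Apply the DMARC checks listed above. Optional tags pass when absent."""
    recs = [r for r in txt_records
            if ("v", "DMARC1") in [(k, v.upper()) for k, v in parse_tags(r)]]
    res = {"configured": len(recs) >= 1, "only_one": len(recs) == 1}
    if not recs:
        return res
    tags = parse_tags(recs[0])
    t = dict(tags)

    def opt(tag, ok):            # optional tag: valid if absent or if ok(value)
        return tag not in t or ok(t[tag])

    policies = {"none", "quarantine", "reject"}
    res["version_first"] = tags[0][0] == "v" and tags[0][1].upper() == "DMARC1"
    res["p_exists"] = "p" in t
    res["p_valid"] = t.get("p", "").lower() in policies
    res["sp_valid"] = opt("sp", lambda v: v.lower() in policies)
    res["pct_valid"] = opt("pct", lambda v: v.isdigit() and 0 <= int(v) <= 100)
    res["adkim_valid"] = opt("adkim", lambda v: v.lower() in {"r", "s"})
    res["aspf_valid"] = opt("aspf", lambda v: v.lower() in {"r", "s"})
    res["rf_valid"] = opt("rf", lambda v: all(x in {"afrf", "iodef"} for x in v.lower().split(":")))
    res["ri_valid"] = opt("ri", str.isdigit)
    res["rua_valid"] = opt("rua", _mail_ok)
    res["ruf_valid"] = opt("ruf", _mail_ok)
    return res
```

Note that a record is recognized as DMARC whenever it contains a v=DMARC1 tag, so a record that lists v= second is still found and then fails the "version at first position" check, which is the behaviour the page describes.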
DKIM is configured for domain
It is strongly recommended to configure DKIM.
DKIM version exists
According to the RFC 6376 section 3.6.1, the DKIM version is required.
DKIM Service Type is valid
This tag is optional but, when used, it must be equal to "*" or "email".
DKIM Testing flag is valid
This tag is optional but, when used, it must be equal to "s", "y" or "y:s".
DKIM public key is valid
According to the RFC 6376 section 3.6.1, the public key is required and must be valid.
DKIM public key is secure
The size of the public key must be bigger than 1024 bits.
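The DKIM checks above combine tag validation with a look inside the p= value: the key is a base64-encoded SubjectPublicKeyInfo, so measuring the modulus means walking a few DER elements. The Python below is an added example, not ns.tools' own code. It builds its own sample record with a constructed modulus (a number of the right length, not a real RSA key, since only the bit length matters for the size test) and includes a minimal DER reader that is assumed sufficient for RSA keys only.

```python
import base64


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo -----------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                 # keep the INTEGER positive
    return _der(0x02, raw)


def _der_tlv(buf, pos):
    """Read one element at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def make_rsa_spki(n, e=65537):
    """Encode (n, e) as a SubjectPublicKeyInfo, the format DKIM's p= tag carries."""
    rsa_oid = bytes.fromhex("06092a864886f70d010101")     # OID 1.2.840.113549.1.1.1
    alg = _der(0x30, rsa_oid + b"\x05\x00")                # rsaEncryption, NULL params
    key = _der(0x30, _der_int(n) + _der_int(e))            # RSAPublicKey
    return _der(0x30, alg + _der(0x03, b"\x00" + key))     # BIT STRING, 0 unused bits


def rsa_modulus_bits(spki):
    """Walk the SPKI down to the RSA modulus and return its bit length."""
    tag, body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_tlv(body, 0)                          # skip AlgorithmIdentifier
    tag, bits, _ = _der_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsakey, _ = _der_tlv(bits[1:], 0)                   # drop unused-bits byte
    tag, modulus, _ = _der_tlv(rsakey, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def sample_record(modulus_bits, tags="v=DKIM1; k=rsa; s=email; t=s"):
    """Constructed selector record; the modulus is NOT a real RSA modulus."""
    spki = make_rsa_spki((1 << (modulus_bits - 1)) | 1)
    return tags + "; p=" + base64.b64encode(spki).decode()


SAMPLE_DKIM = sample_record(2048)


def check_dkim(record):
    """Apply the DKIM checks listed above to one selector TXT record."""
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    bits = 0
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):                       # missing or undecodable key
        pass
    return {
        "version_valid": tags.get("v") == "DKIM1",
        "service_type_valid": "s" not in tags or tags["s"] in {"*", "email"},
        "testing_flag_valid": "t" not in tags or tags["t"] in {"s", "y", "y:s"},
        "public_key_valid": bits > 0,
        "public_key_secure": bits > 1024,
    }
```

Splitting each tag on the first "=" only is what keeps the base64 padding in p= intact; splitting on every "=" is a common bug in ad-hoc DKIM parsers.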

Domain

DNS servers are the same in DNS tree and whois
The DNS servers given in the domain whois must be the same as those returned by a DNS resolution request.
Domain is not blacklisted
A domain must not be blacklisted, or it will be penalized in search engine ranking and email deliverability.
Domain is not listed in VirusTotal
VirusTotal analyzes your domain or IP address with 66 antivirus engines.
Domain is not listed in Google Safe Browsing
Google Safe Browsing flags a domain as bad if something suspicious is detected.
Domain has good reputation on Web of Trust
Web of Trust rates thousands of websites and finds threats if they exist.

Ip

Ip is not blacklisted
An IP must not be blacklisted, or it will be penalized in search engine ranking and email deliverability.

Web

Domain has "A" field
The domain must have an A field in order for the website to be accessible.
Domain has "AAAA" field
It is highly recommended to have an IPv6 address for the website.
Host "www" has "A" field
A WWW host is not required for a website, but it's better to have one.
Host "www" has "AAAA" field
If you configure a WWW host for your website, it is recommended to have an IPv6 address.
HTTP port (80) is open
This test verifies the presence of a website for the given IP or domain, then scans port 80. If the domain or IP is pointing to a website, then port 80 must be open so that it can be accessed from a browser. Otherwise port 80 must be closed.
HTTPS port (443) is open
This test verifies the presence of a website for the given IP or domain, then scans port 443. If the domain or IP is pointing to a website, then port 443 must be open so that it can be accessed from a browser. Otherwise port 443 must be closed.
Web server version is hidden
To avoid giving details to malicious people, the version of the server should not be visible.
Web application technology is hidden
To avoid giving details to malicious people, the technology that supports the application should not be visible.
Cookies are secure
Using the "HttpOnly" attribute prevents cookies from being accessed via JavaScript. The Secure flag prevents a cookie from ever being sent over plain HTTP. (RFC 6265 section 8.3)
X-XSS-Protection header is present
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Content Security Policy header is present
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
Content Type Options header is present
The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.
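The web checks above (server version and technology hidden, Secure and HttpOnly on cookies, X-XSS-Protection, Content-Security-Policy and X-Content-Type-Options present) are all decided from the response headers. The Python below is an added example, not ns.tools' own code: the SAMPLE_RESPONSE headers are constructed and deliberately mix passing and failing cases, and treating any dotted number in the Server header as a leaked version is a heuristic assumed here.

```python
import re

# Constructed response headers (fabricated for illustration, not a real capture)
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
X-Powered-By: PHP/7.4.3
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
"""


def parse_headers(raw):
    """Return [(name_lowercase, value)] from a raw status line plus header block."""
    headers = []
    for line in raw.splitlines()[1:]:          # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_flags(set_cookie):
    """Attribute names of one Set-Cookie value, lowercased (the name=value pair is skipped)."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}


def check_web_headers(raw):
    """Apply the web checks listed above. Returns {check_name: bool} plus
    'insecure_cookies', the names of cookies lacking Secure or HttpOnly."""
    hs = parse_headers(raw)
    values = lambda name: [v for n, v in hs if n == name]
    cookies = values("set-cookie")
    weak = [c.split("=", 1)[0] for c in cookies
            if not {"secure", "httponly"} <= cookie_flags(c)]
    return {
        # a dotted number in Server (e.g. nginx/1.18.0) is treated as a leaked version
        "server_version_hidden": not any(re.search(r"\d+\.\d+", v) for v in values("server")),
        "technology_hidden": not values("x-powered-by"),
        "cookies_secure": not weak,
        "insecure_cookies": weak,
        "xss_protection_present": bool(values("x-xss-protection")),
        "csp_present": bool(values("content-security-policy")),
        "nosniff_present": any(v.lower() == "nosniff" for v in values("x-content-type-options")),
    }
```

Matching header names case-insensitively matters in practice: proxies and frameworks emit "set-cookie" and "Set-Cookie" interchangeably, and a checker that compares exact strings will miss half the cookies.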

Whois

Are the DNS servers the same as those of a DNS query?
The DNS servers given in the domain whois must be the same as those returned by a DNS resolution request.