Implement checks #1

Closed
34 tasks done
42wim opened this issue May 2, 2017 · 1 comment

42wim commented May 2, 2017

Based on farrokhi/dnsdiag#16

base

  • if the domain provided resolves

glue check:

  • exist
  • match

dnssec check:

  • validate DNSKEY
  • validate DNSSEC chain

spam check:

  • spf exists
  • spf is restrictive
  • dmarc exists
  • dmarc policy

NS check:

  • if there are enough NS records
  • have distinct IP addresses
  • and no CNAMEs
  • different subnets
  • different ASNs
  • that all NS records respond to requests
  • that NS servers are not recursive
  • that all NS servers are authoritative
  • that NS records match parent zone
  • no stealth records present
  • that all NS servers respond with the same lists of NS
  • that all NS servers IPs are reachable (e.g. non RFC 1918)

SOA check:

  • present
  • valid (cf RFC 1912 for ranges, including email)
  • MNAME entry is in NS list
  • all fields match across NS servers

MX check:

  • that MX records are present
  • and more than one
  • and point to different IPs
  • no CNAME
  • matching reverse DNS for MX records
  • routable MX records

web check:

  • www exists
  • @ exists (and not a CNAME)
  • routable
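
An added example, not part of the issue or the project's code: one way the four "spam check" items above could be evaluated offline over TXT record strings. The function names, the constructed sample records, and the reading of "restrictive" as an SPF record whose `all` mechanism carries the `-` qualifier are assumptions.

```python
# Added example: evaluates the "spam check" items over TXT record strings.
# Inputs are the TXT strings at the zone apex and at _dmarc.<domain>.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict, keys lowercased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(apex_txt):
    """Return (exists, restrictive) for the TXT records at the zone apex."""
    spf = [r for r in apex_txt
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) != 1:  # RFC 7208: several SPF records evaluate to permerror
        return (len(spf) > 0, False)
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            # Assumption: only a hard fail ("-all") counts as restrictive.
            return (True, term.startswith("-"))
    return (True, False)  # no "all": neutral default or redirect= elsewhere

def check_dmarc(dmarc_txt):
    """Return (exists, policy) for the TXT records at _dmarc.<domain>."""
    recs = [t for t in map(parse_tags, dmarc_txt)
            if next(iter(t), None) == "v" and t["v"] == "DMARC1"]
    if len(recs) != 1:  # RFC 7489: zero or several records, no policy applies
        return (len(recs) > 0, None)
    policy = recs[0].get("p", "").lower()
    return (True, policy if policy in ("none", "quarantine", "reject") else None)

def spam_check(apex_txt, dmarc_txt):
    spf_exists, spf_restrictive = check_spf(apex_txt)
    dmarc_exists, policy = check_dmarc(dmarc_txt)
    return {"spf exists": spf_exists, "spf is restrictive": spf_restrictive,
            "dmarc exists": dmarc_exists, "dmarc policy": policy}

# Constructed sample records (documentation address space and example domains).
SAMPLE_APEX = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
               "some-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for name, result in spam_check(SAMPLE_APEX, SAMPLE_DMARC).items():
        print(f"{name}: {result}")
```

On the sample, both records exist but neither is enforcing: the SPF record ends in a soft fail and the DMARC policy is `none`.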

42wim commented May 4, 2017

Possible future checks

MX connection check

  • port 25 open
  • SMTP banner
  • RFC5321-compliant SMTP greeting
  • accepts mails from NULL (for DSN etc)
  • accepts mail to postmaster (RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1)
  • accepts mail to abuse (RFC2142 Section 2)
  • accepts mail to IP (RFC1123 section 5.2.17)
  • not an open relay

Web connection check

  • responds
  • version number (hidden, shown, outdated?)
  • supports SSL

DNS connection check

  • that UDP (regular) and TCP (e.g. zone transfers) both work
  • version numbers (hidden, shown, outdated?)

42wim closed this as completed Nov 7, 2021