
Keep Your DNS Happy with UltraDNS Health Check

By Michael Smith

It has been 37 years since RFC 1034 and RFC 1035 laid down the concept, format, and protocols of the Domain Name System (DNS). Since then, we have added components, new standards, and considerable advances in capabilities. We use DNS for load balancing, geographic affinity to specific datacenters, integrity controls using the Domain Name System Security Extensions (DNSSEC), and even to validate email servers using SPF. And then to top it all off, many organizations own thousands of domains between marketing campaigns, mergers and acquisitions, country-specific entities, mistyping redirects, and anti-phishing and anti-typosquatting measures. In short, DNS started as a simple service and has gotten increasingly complex over time.

This complexity is why Neustar Security Services (NSS) created a professional services engagement for our customers built around assessing their DNS zones to identify misconfigurations, traffic management nuances, and security vulnerabilities. NSS does this with a combination of automation and staff to give customers an extensive and exhaustive view of their zones. I have sat in on the briefs of these service engagements and was amazed at the level of detail that we provide.

And then we had an idea: why not extend the automation that our services folks are using and make it available to customers as a periodic assessment that they can either get from the UltraDNS portal or have emailed on a recurring basis? We all agreed that this was a great idea and created the UltraDNS Health feature for UltraDNS. Over the past 12 months, we have been taking the data points that the services folks check and including them in the Health Check report. We released UltraDNS Health Check to all our UltraDNS customers earlier this year.

We then extended the idea: why not make a public resource, like Qualys SSL Labs, where anyone can get an assessment of their own domains based on queries of their authoritative DNS servers? Granted, it is a subset of the data points that we check for customers in UltraDNS Health Check because we do not have full access to all the records of the zone. However, we provide this as a free service to anybody who wants it. You can go test your domains today at UltraDNS Health Check.

The public UltraDNS Health Check currently tests a variety of data points, such as:

Nameserver Validations:

  • The delegations (glue records) from the parent zone match the NS records in the zone
  • The nameservers for the zone are available
  • The nameservers for the zone respond to queries for the domain
  • The nameservers for the zone do not announce open recursion

Start of Authority (SOA) Validations:

  • The zone has a SOA record
  • The zone has a SOA REFRESH and it is valid
  • The zone has a SOA RETRY and it is valid
  • The zone has a SOA EXPIRE and it is valid
  • The zone has a SOA MINIMUM and it is valid

Mail Exchange (MX) Records:

  • The zone has Mail Exchange records

Domain Name System Security Extensions (DNSSEC):

  • The zone is signed
  • The DNSSEC signatures are valid
  • The Delegation Signers at the parent zone are valid
  • The zone is signed correctly

The Zone Itself:

  • There is no CNAME at the apex (top) of the domain
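To make four of the checks above concrete (delegation versus zone NS match, SOA presence and timers, MX presence, no CNAME at the apex), here is an added example that is not UltraDNS code. It runs offline over constructed records instead of querying nameservers; the `parse` and `check_zone` helpers and the finding codes are hypothetical, and because the page does not define what makes an SOA timer "valid", the `retry < refresh < expire` rule is an assumption.

```python
# Added example: offline versions of four apex checks from the list above.
# All zone data is constructed (example.test is a reserved test name).
ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
example.test. 3600 IN CNAME www.example.test.
www.example.test. 300 IN A 192.0.2.10
"""
PARENT_NS = {"ns1.example.test.", "ns3.example.test."}  # constructed delegation

def parse(text):
    """Parse 'name ttl IN type rdata...' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records

def check_zone(origin, records, parent_ns):
    """Return {finding_code: detail} for the apex of `origin`; empty means clean."""
    apex = [(rtype, rd) for name, rtype, rd in records if name == origin.lower()]
    rdata = lambda wanted: [rd for rtype, rd in apex if rtype == wanted]
    findings = {}
    # Delegation at the parent must list the same nameservers as the zone's NS set.
    zone_ns = {rd[0].lower() for rd in rdata("NS")}
    parent = {n.lower() for n in parent_ns}
    if zone_ns != parent:
        findings["ns-mismatch"] = sorted(zone_ns ^ parent)
    # Exactly one SOA with numeric serial/refresh/retry/expire/minimum.
    soa = rdata("SOA")
    if len(soa) != 1 or len(soa[0]) != 7 or not all(f.isdigit() for f in soa[0][2:]):
        findings["soa-missing-or-malformed"] = soa
    else:
        refresh, retry, expire = (int(f) for f in soa[0][3:6])
        if not retry < refresh < expire:  # assumed rule, not the product's
            findings["soa-timers"] = (refresh, retry, expire)
    if not rdata("MX"):
        findings["no-mx"] = True
    if rdata("CNAME"):  # a CNAME cannot coexist with the apex SOA and NS records
        findings["apex-cname"] = rdata("CNAME")[0][0]
    return findings

if __name__ == "__main__":
    for code, detail in check_zone("example.test.", parse(ZONE), PARENT_NS).items():
        print(code, detail)
```

The remaining checks in the list (nameserver availability, open recursion, DNSSEC signature and DS validation) need live queries against the authoritative servers and are outside what this offline example covers.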

Make sure your DNS is working at its peak. The public UltraDNS Health Check is free and allows you to assess yourself. This tool is available as one of many free features for UltraDNS. Contact us to learn how UltraDNS can help your business thrive online with peace of mind.

