It has been 37 years since RFC 1034 and RFC 1035 laid down the concept, format, and protocols of the Domain Name System (DNS). Since then, we have added components, new standards, and considerable advances in capabilities. We use DNS for load balancing, geographic affinity to specific datacenters, integrity controls using the Domain Name System Security Extensions (DNSSEC), and even to validate email servers using SPF. And then to top it all off, many organizations own thousands of domains between marketing campaigns, mergers and acquisitions, country-specific entities, mistyping redirects, and anti-phishing and anti-typosquatting measures. In short, DNS started as a simple service and has gotten increasingly complex over time.
This complexity is why Neustar Security Services created a professional services engagement for our customers built around assessing their DNS zones to identify misconfigurations, traffic management nuances, and security vulnerabilities. NSS does this with a combination of automation and staff to give customers an extensive and exhaustive view of their zones. I have sat in on the briefs of these service engagements and was amazed at the level of detail that we provide.
And then we had an idea: why not extend the automation that our services folks are using and make it available to customers in a periodic assessment that they can either get from the UltraDNS portal or have emailed on a recurring basis? We all agreed that this was a great idea and created the UltraDNS Health feature for UltraDNS. Over the past 12 months, we have been taking the data points that the services folks check and including them in the Health Check report. We released UltraDNS Health Check to all our UltraDNS customers earlier this year.
We then extended the idea: why not make a public resource, like the Qualys SSL Labs, where anyone can get an assessment of their own domains based on queries of their authoritative DNS servers? Granted, it is a subset of the data points that we check for customers in UltraDNS Health Check because we do not have full access to all the records of the zone. However, we provide this as a free service to anybody who wants it. You can go test your domains today at UltraDNS Health Check.
We test for a variety of data points on the public UltraDNS Health Check today such as:
- The delegations (glue records) from the parent zone match the NS records in the zone
- The nameservers for the zone are available
- The nameservers for the zone respond to queries for the domain
- The nameservers for the zone do not announce open recursion
Start of Authority (SOA) Validations:
- The zone has a SOA record
- The zone has a SOA REFRESH and it is valid
- The zone has a SOA RETRY and it is valid
- The zone has a SOA EXPIRE and it is valid
- The zone has a SOA MINIMUM and it is valid
Mail Exchange (MX) Records:
- The zone has Mail Exchange records
Domain Name System Security Extensions (DNSSEC):
- The zone is signed
- The DNSSEC signatures are valid
- The Delegation Signers at the parent zone are valid
- The zone is signed correctly
The Zone Itself:
- There is no CNAME at the apex (top) of the domain
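An offline sketch of a few of the checks listed above (delegation match, SOA timers, MX presence, no CNAME at the apex), added here as an example and not UltraDNS Health Check's own code. The zone name, records, finding codes and SOA validity rules are assumptions; checks that need live queries (nameserver availability, open recursion, DNSSEC validation) are left out.

```python
from collections import defaultdict

# Constructed sample zone (hypothetical names); each record is (owner, type, rdata).
ZONE = "example.test."
PARENT_NS = ["ns1.example.test.", "ns2.example.test."]   # delegation at the parent
BAD_RECORDS = [
    # SOA numbers: SERIAL REFRESH RETRY EXPIRE MINIMUM; RETRY exceeds REFRESH here
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2024010101 7200 10800 1209600 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns3.example.test."),          # not delegated by the parent
    ("example.test.", "CNAME", "www.example.test."),       # CNAME at the apex
    ("www.example.test.", "A", "192.0.2.10"),
]
GOOD_RECORDS = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2024010101 7200 3600 1209600 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("example.test.", "NS", "ns2.example.test."),
    ("example.test.", "MX", "10 mail.example.test."),
]

def lint_zone(zone, records, parent_ns):
    """Return sorted finding codes for the apex of `zone` (assumed rules, see comments)."""
    apex = defaultdict(list)
    for owner, rtype, rdata in records:
        if owner.lower() == zone.lower():
            apex[rtype.upper()].append(rdata)
    findings = set()
    # Parent delegation must list the same nameservers as the zone's own NS set.
    if {n.lower() for n in parent_ns} != {n.lower() for n in apex["NS"]}:
        findings.add("NS_MISMATCH")
    if len(apex["SOA"]) != 1:
        findings.add("SOA_MISSING")
    else:
        # Skip MNAME and RNAME, then read the five numeric fields.
        _serial, refresh, retry, expire, minimum = map(int, apex["SOA"][0].split()[2:7])
        # Assumed validity rules: timers are positive and RETRY < REFRESH < EXPIRE.
        if refresh <= 0: findings.add("SOA_REFRESH_INVALID")
        if retry <= 0 or retry >= refresh: findings.add("SOA_RETRY_INVALID")
        if expire <= refresh: findings.add("SOA_EXPIRE_INVALID")
        if minimum <= 0: findings.add("SOA_MINIMUM_INVALID")
    if not apex["MX"]:
        findings.add("NO_MX")
    # A CNAME cannot coexist with the SOA and NS records every apex must have.
    if apex["CNAME"]:
        findings.add("CNAME_AT_APEX")
    return sorted(findings)

if __name__ == "__main__":
    print("bad :", lint_zone(ZONE, BAD_RECORDS, PARENT_NS))
    print("good:", lint_zone(ZONE, GOOD_RECORDS, PARENT_NS))
```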
Make sure your DNS is working at its peak. The public UltraDNS Health Check is free and allows you to assess yourself. This tool is available as one of many free features for UltraDNS. Contact us to learn how UltraDNS can help your business thrive online with peace of mind.