Hi malware fighters,
A DNS-server with a wrong configuration could mean a serious security risk.
But checking manually to establish whether your server meets all demands, is not an easy task to perform.
Fortunately there are tools like DNSKnife and ZoneCheck that for the greater part perform this analysis
automattically. DNSKnife is an online tool to check on a server's DNS-setup:
http://www.dnsknife.com/The tool will check whether your nameservers are know to the parent servers, whether nameservers can be reached, whether they are authoritative for your domain, whether there are more nameservers etc. etc.
DNSKnife also warns against a couple of security risks or misconfigurations like an open DNS relay,
an illegit value for EXPIRE or MINIMUM TTL, or just one single MX-server.
These warnings should be taken “cum granis salis”: DNSKnife sees a domain without MX-record as illegit,
while not everyone is in need of an MX-domain.
Another handy dandy checktool is ZoneCheck, you could try out online
http://www.zonecheck.fr/ or use it like a commandline program inside your favourite Linux-distribution.
This program even links to the right RFC's for info about failing tests.
ZoneCheck also has a batch mode and can generate reports per host or will launch warnings per type.
With the following command you can read out domains from stdin,
and ZoneCheck will show how many tests there are still to go
and generates a short report:
zonecheck -v c -1 -B – polonus
