Home Marketing Design Hosting Support About Contacts

Sample of a Full DNS Report

This is just a sample report generated for amazon.com. It reflects the depth of analysis provided in the full DNS Report available only with the Premium Business Web Site Evaluation. There is a lot of valuable technical information contained in this report and we can help you understand what actions, if any, are required to remedy problems and improve your web site.
Generated at 22:58:33 GMT on 01 Apr 2008.

Category Status Test Name Information
Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

udns1.ultradns.net. [204.69.234.1] [TTL=172800] [US]
udns2.ultradns.net. [204.74.101.1] [TTL=172800] [US]
[These were obtained from g.gtld-servers.net]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
PASS Glue at parent nameservers OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

pdns2.ultradns.net. [204.74.109.1] [TTL=86400]
pdns1.ultradns.net. [204.74.108.1] [TTL=86400]
pdns6.ultradns.co.uk. [204.74.115.1] [TTL=86400]
pdns5.ultradns.info. [204.74.114.1] [TTL=86400]
pdns4.ultradns.org. [199.7.69.1] [TTL=86400]
pdns3.ultradns.org. [199.7.68.1] [TTL=86400]
PASS Open DNS servers OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
FAIL Missing (stealth) nameservers FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNSreport will not query these servers, so you need to be very careful that they are working properly.

pdns2.ultradns.net.
pdns1.ultradns.net.
pdns6.ultradns.co.uk.
pdns5.ultradns.info.
pdns4.ultradns.org.
pdns3.ultradns.org.
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).
FAIL Missing nameservers 2 ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
udns1.ultradns.net.
udns2.ultradns.net.
PASS No CNAMEs for domain OK. There are no CNAMEs for amazon.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS Nameservers on separate class C's OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
INFO Nameservers versions [For security reasons, this test is restricted to customers.]
FAIL Stealth NS record leakage Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [pdns6.ultradns.co.uk.]!
Stealth nameservers are leaked [pdns5.ultradns.info.]!
Stealth nameservers are leaked [pdns4.ultradns.org.]!
Stealth nameservers are leaked [pdns3.ultradns.org.]!
Stealth nameservers are leaked [pdns2.ultradns.net.]!
Stealth nameservers are leaked [pdns1.ultradns.net.]!

This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.
SOA INFO SOA record Your SOA record [TTL=7200] is:

Primary nameserver: udns1.ultradns.net.
Hostmaster E-mail address: hostmaster.amazon.com.
Serial #: 2008040100
Refresh: 28800
Retry: 3600
Expire: 1209600
Default TTL: 3600
PASS NS agreement on SOA Serial # OK. All your nameservers agree that your SOA serial number is 2008040100. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNS Report only checks the NS records listed at the parent servers (not any stealth servers).
PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: udns1.ultradns.net.. That server is listed at the parent servers, which is correct.

PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: hostmaster@amazon.com. (techie note: we have changed the initial '.' to an '@' for display purposes).
PASS SOA Serial Number OK. Your SOA serial number is: 2008040100. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. So this indicates that your DNS was last updated on 01 Apr 2008 (and was revision #0). This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 28800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 1209600 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 3600 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 5 MX records are:

20 smtp-fw-6101.amazon.com. [TTL=7200] IP=72.21.208.25 [TTL=86400] [US]
20 smtp-fw-2102.amazon.com. [TTL=7200] IP=72.21.196.223 [TTL=86400] [US]
10 smtp-fw-2101.amazon.com. [TTL=7200] IP=72.21.196.25 [TTL=86400] [US]
20 smtp-fw-0102.amazon.com. [TTL=7200] IP=207.171.190.55 [TTL=86400] [US]
10 smtp-fw-9101.amazon.com. [TTL=7200] IP=207.171.184.25 [TTL=7200] [US]
PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
PASS Multiple MX records OK. You have multiple MX records. This means that if one is down or unreachable, the other(s) will be able to accept mail for you.
PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here.. The reverse DNS entries are:

25.208.21.72.in-addr.arpa smtp-fw-6101.amazon.com. [TTL=3]
223.196.21.72.in-addr.arpa smtp-fw-2102.amazon.com. [TTL=65843]
25.196.21.72.in-addr.arpa smtp-fw-2101.amazon.com. [TTL=65843]
55.190.171.207.in-addr.arpa smtp-fw-0102.amazon.com. [TTL=3]
25.184.171.207.in-addr.arpa smtp-fw-9101.amazon.com. [TTL=5650]
Mail FAIL Connect to mail servers ERROR: I could not complete a connection to one or more of your mailservers:
smtp-fw-9101.amazon.com: Timed out [Last data sent: [Did not connect]]
PASS Mail server host name in greeting OK: All of your mailservers have their host name in the greeting:

smtp-fw-6101.amazon.com:<br />    220 smtp-fw-6101.amazon.com ESMTP <br />smtp-fw-2101.amazon.com:<br />    220 smtp-fw-2101.amazon.com ESMTP <br />smtp-fw-0102.amazon.com:<br />    220 smtp-fw-0102.amazon.com ESMTP <br />smtp-fw-2102.amazon.com:<br />    220 smtp-fw-2102.amazon.com ESMTP <br />
PASS Acceptance of NULL <> sender OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
PASS Acceptance of postmaster address OK: All of your mailservers accept mail to postmaster@amazon.com (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).
PASS Acceptance of abuse address OK: All of your mailservers accept mail to abuse@amazon.com.
INFO Acceptance of domain literals WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

smtp-fw-6101.amazon.com's postmaster@[72.21.208.25] response:<br /> >>> RCPT TO:<postmaster@[72.21.208.25]><br /> <<< 550 #5.1.0 Address rejected. <br /> smtp-fw-2101.amazon.com's postmaster@[72.21.196.25] response:<br /> >>> RCPT TO:<postmaster@[72.21.196.25]><br /> <<< 550 #5.1.0 Address rejected. <br /> smtp-fw-0102.amazon.com's postmaster@[207.171.190.55] response:<br /> >>> RCPT TO:<postmaster@[207.171.190.55]><br /> <<< 550 #5.1.0 Address rejected. <br /> smtp-fw-2102.amazon.com's postmaster@[72.21.196.223] response:<br /> >>> RCPT TO:<postmaster@[72.21.196.223]><br /> <<< 550 #5.1.0 Address rejected. <br />
PASS Open relay test OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a more thorough one here.

smtp-fw-6101.amazon.com OK: 550 #5.1.0 Address rejected. <br />smtp-fw-2101.amazon.com OK: 550 #5.1.0 Address rejected. <br />smtp-fw-0102.amazon.com OK: 550 #5.1.0 Address rejected. <br />smtp-fw-2102.amazon.com OK: 550 #5.1.0 Address rejected. <br />
PASS SPF record You have an SPF record. This is very good, as it will help prevent spammers from abusing your domain. Your SPF record (I don't check to see if it is well designed!) is:
"v=spf1 ip4:207.171.160.0/19 ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.197.0/24 ip4:72.21.196.0/24 ip4:72.21.208.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28 ip4:194.7.41.152/28 ~all" [TTL=7200]
WWW INFO WWW Record You have one or more A records for www.amazon.com. I can't test further, however, since www.amazon.com is in its own zone.
Legend:
  • Rows with a FAIL indicate a problem that in most cases really should be fixed.
  • Rows with a WARN indicate a possible minor problem, which often is not worth pursuing.
  • Note that all information is accessed in real-time (except where noted), so this is the freshest information about your domain.

 

Free Web Site Evaluation
Basic Web Site Elements
If your business doesn't have a great web site with reliable hosting and a solidly branded domain name with email...it should.
more...
Better Communications
Build better communications with your customers and prospects. Gather input and share information effectively and efficiently.
Web Site Analytics
Take the next step. Help customers find you, add more functionality to your site or just expand on the information that's there already.