Staging server. Your account won't work here. Build: dev@Dec/20-16:26
Hardenize has joined Red Sift! Find out more in our blog post.

Blog

Welcome to the Hardenize blog. This is where we will document our journey as we make the Internet a more secure place and have some fun and excitement along the way.

13 Oct
2021

Introducing DNS Inspection

by Ivan Ristić

It's our great pleasure to announce that we have added support for DNS inspection to Hardenize. This new functionality is now available in beta as part of our public report and for all our customers. In our first release we've focused on the inspection of DNS zone configuration and delegation, the parts that are necessary to provide highly available and consistent name resolution.

DNS is everywhere; it's one of several core technologies that power the Internet. Although it appears relatively simple at the surface, the simplicity of DNS is deceiving and there are great complexities hiding underneath. To understand DNS, one may need to read hundreds of RFCs and thousands of pages of documentation.

Our first release focuses on inspection of DNS zone configuration and the involved nameservers. The recursive nature of DNS lookups and the hierarchical organisation make it difficult to troubleshoot configuration and understand why the results are as they are. A single incorrectly configured nameserver can introduce breakage that's difficult to understand and troubleshoot. This is an ideal problem to solve with automation.

In short, we currently focus on verifying the configuration of authoritative name servers, in spirit similar to IANA's technical requirements.

  • Minimum number of name servers
  • Valid hostnames
  • Name server reachability
  • Answer authoritatively
  • Consistency between glue and authoritative data
  • Consistency between delegation and zone
  • Consistency between authoritative name servers
  • No prohibited networks
  • No open recursive name service
  • IPv4 and IPv6 connectivity checks
  • Reverse name configuration
  • Server software version and payload size checks

As this is our first release of a big chunk of new functionality, in the following period we will focus on monitoring its operation and tweaking our recommendations in response to real-life situations. After that we're planning to further expand our coverage with a variety of further recommendations and checks, as well as add comprehensive DNSSEC inspection.