Use nmap to check DNS configuration best practices

By | 2012/12/03

A new NSE script in nmap 6.25 checks a DNS zone's configuration against best practices. I'll show you how it works!

First, you will need nmap 6.25 (or later) installed:

Now, with nmap 6.25 installed, run the command below against a DNS server. In this example, I am checking the configuration of the zone from Google's public DNS server (

The NSE script to use is called: dns-check-zone

  Checks DNS zone configuration against best practices, including RFC 1912.
  The configuration checks are divided into categories which each have a number
  of different tests.

$ nmap -sn -Pn --script dns-check-zone --script-args=''

Starting Nmap 6.25 ( ) at 2012-12-03 08:10 EST
Nmap scan report for (
Host is up.

Host script results:
| dns-check-zone: 
| DNS check results for domain:
|   NS
|     PASS - Recursive queries
|       None of the servers allow recursive queries.
|     PASS - Multiple name servers
|       Server has 4 name servers
|     PASS - DNS name server IPs are public
|       All DNS IPs were public
|     PASS - DNS server response
|       All servers respond to DNS queries
|     PASS - Missing nameservers reported by parent
|       All DNS servers match
|     PASS - Missing nameservers reported by your nameservers
|       All DNS servers match
|   SOA
|       SOA REFRESH was within recommended range (7200s)
|       SOA RETRY was within recommended range (1800s)
|       SOA EXPIRE was within recommended range (1209600s)
|     PASS - SOA MNAME entry check
|       SOA MNAME record is listed as DNS server
|     PASS - Zone serial numbers
|       Zone serials match
|   MX
|     PASS - Reverse MX A records
|_      All MX records have PTR records

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds
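To make the categories in the output above concrete, here is an added example (not part of the original post and not the nmap script's own code) that models the NS, SOA and MX checks over constructed zone data, entirely offline. The timer ranges are assumptions for this example: RFC 1912 suggests 2-4 weeks for EXPIRE and gives only guidance for REFRESH and RETRY, and the exact limits the nmap script applies are not reproduced here. The "public IP" test only excludes RFC 1918, loopback and link-local space, so the 203.0.113.0/24 documentation addresses in the sample count as public; the zone name `example.test.` and all server names, serials and PTR entries are constructed.

```python
"""Offline model of the checks dns-check-zone reports (NS, SOA, MX categories),
run over constructed data. Thresholds are assumptions for this example."""
import ipaddress
from dataclasses import dataclass

# Assumed ranges (RFC 1912: 2-4 weeks for EXPIRE; guidance only for the rest).
REFRESH_RANGE = (1200, 43200)       # 20 minutes .. 12 hours
RETRY_RANGE = (180, 7200)           # 3 minutes .. 2 hours
EXPIRE_RANGE = (1209600, 2419200)   # 2 .. 4 weeks

# Only RFC 1918, loopback and link-local count as non-public here, so the
# 203.0.113.0/24 documentation addresses used below are treated as public.
# (ipaddress.ip_address(...).is_global would reject them.)
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Soa:
    mname: str
    serial: int
    refresh: int
    retry: int
    expire: int


@dataclass(frozen=True)
class ServerView:
    """What one authoritative server answers for the zone (constructed)."""
    name: str
    ip: str
    ns_set: frozenset       # NS names this server returns for the zone
    soa: Soa
    allows_recursion: bool  # RA flag observed on its replies


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def in_range(value, bounds):
    return bounds[0] <= value <= bounds[1]


def audit_zone(parent_ns, views, mx_ips, ptr_table):
    """Return {check name: (passed, detail)} for the NS, SOA and MX categories."""
    r = {}
    # NS category
    recursive = [v.name for v in views if v.allows_recursion]
    r["Recursive queries"] = (not recursive, "recursive: " + ", ".join(recursive))
    r["Multiple name servers"] = (len(views) >= 2, f"{len(views)} name servers")
    non_public = [v.name for v in views if not is_public(v.ip)]
    r["DNS name server IPs are public"] = (not non_public,
                                           "non-public: " + ", ".join(non_public))
    parent = frozenset(parent_ns)                     # delegation at the parent
    child = frozenset().union(*(v.ns_set for v in views))  # NS set the zone itself serves
    r["Missing nameservers reported by parent"] = (
        child <= parent, "parent lacks: " + ", ".join(sorted(child - parent)))
    r["Missing nameservers reported by your nameservers"] = (
        parent <= child, "child lacks: " + ", ".join(sorted(parent - child)))
    # SOA category (timers taken from the first server's answer)
    soa = views[0].soa
    r["SOA REFRESH"] = (in_range(soa.refresh, REFRESH_RANGE), f"{soa.refresh}s")
    r["SOA RETRY"] = (in_range(soa.retry, RETRY_RANGE), f"{soa.retry}s")
    r["SOA EXPIRE"] = (in_range(soa.expire, EXPIRE_RANGE), f"{soa.expire}s")
    r["SOA MNAME entry check"] = (soa.mname in child, f"MNAME {soa.mname}")
    serials = {v.soa.serial for v in views}
    r["Zone serial numbers"] = (len(serials) == 1,
                                "serials: " + ", ".join(str(s) for s in sorted(serials)))
    # MX category: every MX address must have a PTR record
    no_ptr = [ip for ip in mx_ips if ip not in ptr_table]
    r["Reverse MX A records"] = (not no_ptr, "MX without PTR: " + ", ".join(no_ptr))
    return r


def failures(results):
    """Names of the checks that did not pass, sorted for stable comparison."""
    return sorted(name for name, (ok, _) in results.items() if not ok)


# Constructed sample: a healthy 4-server delegation mirroring the PASS output above.
GOOD_SOA = Soa("ns1.example.test.", 2012120301, 7200, 1800, 1209600)
GOOD_NS = frozenset(f"ns{i}.example.test." for i in range(1, 5))
GOOD_VIEWS = [ServerView(f"ns{i}.example.test.", f"203.0.113.{i}", GOOD_NS, GOOD_SOA, False)
              for i in range(1, 5)]
GOOD_MX = ["203.0.113.25"]
GOOD_PTR = {"203.0.113.25": "mail.example.test."}

if __name__ == "__main__":
    for name, (ok, detail) in audit_zone(GOOD_NS, GOOD_VIEWS, GOOD_MX, GOOD_PTR).items():
        print(f"{'PASS' if ok else 'FAIL'} - {name}: {detail}")
```

The two delegation checks are set comparisons in opposite directions: names the zone's own servers list but the parent does not are "missing at the parent", and names the parent delegates to but the zone does not list are "missing at your nameservers"; the serial check simply requires every server to agree, which is what a lagging or broken secondary would break first.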