A new NSE script in nmap 6.25 checks a DNS zone's configuration against best practices. I’ll show you how it works!
First, you will need nmap 6.25 (or later) installed: http://nmap.org/download.html
With nmap 6.25 installed, run the command below against a DNS server. In this example, I am checking the configuration of the zone google.com from Google’s public DNS server (22.214.171.124).
The NSE script to use is called: dns-check-zone
dns-check-zone
http://nmap.org/nsedoc/scripts/dns-check-zone.html
Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.
$ nmap -sn -Pn 126.96.36.199 --script dns-check-zone --script-args='dns-check-zone.domain=google.com'

Starting Nmap 6.25 ( http://nmap.org ) at 2012-12-03 08:10 EST
Nmap scan report for google-public-dns-a.google.com (188.8.131.52)
Host is up.

Host script results:
| dns-check-zone:
| DNS check results for domain: google.com
|   NS
|     PASS - Recursive queries
|       None of the servers allow recursive queries.
|     PASS - Multiple name servers
|       Server has 4 name servers
|     PASS - DNS name server IPs are public
|       All DNS IPs were public
|     PASS - DNS server response
|       All servers respond to DNS queries
|     PASS - Missing nameservers reported by parent
|       All DNS servers match
|     PASS - Missing nameservers reported by your nameservers
|       All DNS servers match
|   SOA
|     PASS - SOA REFRESH
|       SOA REFRESH was within recommended range (7200s)
|     PASS - SOA RETRY
|       SOA RETRY was within recommended range (1800s)
|     PASS - SOA EXPIRE
|       SOA EXPIRE was within recommended range (1209600s)
|     PASS - SOA MNAME entry check
|       SOA MNAME record is listed as DNS server
|     PASS - Zone serial numbers
|       Zone serials match
|   MX
|     PASS - Reverse MX A records
|_      All MX records have PTR records

Nmap done: 1 IP address (1 host up) scanned in 4.05 seconds
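If you run this check on a schedule, you will want only the tests that did not pass. The Python below is an added example, not part of the original post or of nmap: it parses the category / "STATUS - test" / detail layout shown above. The function names, the example.test zone and the FAIL entry in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout shown above; the FAIL entry and its
# detail text are invented for illustration, not real scan output.
SAMPLE = """\
Host script results:
| dns-check-zone:
| DNS check results for domain: example.test
|   NS
|     FAIL - Recursive queries
|       The following servers allow recursive queries: 192.0.2.53
|   SOA
|     PASS - SOA REFRESH
|       SOA REFRESH was within recommended range (7200s)
|   MX
|     PASS - Reverse MX A records
|_      All MX records have PTR records
"""

SCRIPT_RE = re.compile(r"^([a-z0-9-]+):")     # "dns-check-zone:" header
TEST_RE = re.compile(r"^([A-Z]+) - (.+)$")    # "PASS - SOA REFRESH"
CATEGORY_RE = re.compile(r"^[A-Z]{2,10}$")    # "NS", "SOA", "MX"

def parse_check_zone(text):
    """Return one dict per test: category, status, test, detail."""
    results, category, in_script = [], None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_").strip()
        hdr = SCRIPT_RE.match(line)
        if not raw.startswith("|") or hdr:
            # Outside script output, or the start of some script's block.
            in_script = bool(hdr) and hdr.group(1) == "dns-check-zone"
            continue
        if not in_script or not line or line.startswith("DNS check results"):
            continue
        m = TEST_RE.match(line)
        if m:
            results.append({"category": category, "status": m.group(1),
                            "test": m.group(2), "detail": ""})
        elif CATEGORY_RE.match(line):
            category = line
        elif results:  # free text after a test line is its explanation
            results[-1]["detail"] = (results[-1]["detail"] + " " + line).strip()
    return results

def failures(text):
    """Tests whose status is anything other than PASS."""
    return [r for r in parse_check_zone(text) if r["status"] != "PASS"]

if __name__ == "__main__":
    print(failures(SAMPLE))
```

Feed it the saved normal output of the nmap command above and alert when `failures()` returns a non-empty list.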