Every DNS server administrator should make sure that the DNS resolver is not open to the Internet.

If BIND is used for DNS, the simplest solution is to disable recursive resolving, for example like this:

options { recursion no; };

Next, answering queries should also be restricted to the internal network, for example like this:

options { allow-query { 192.168.0.0/24; }; };

If an external resolver at a provider is used instead, the provider has to take over these tasks.
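The following is an added example, not part of the original page, of the check an administrator would run after applying the two BIND options above: send a query with the RD (recursion desired) bit set for a name the server is not authoritative for, then look at the RA bit and RCODE in the reply. A server with recursion disabled answers such a query with RA=0 and RCODE REFUSED, while an open resolver answers with RA=1 and NOERROR. The server address, the name example.com and the two hand-built responses are constructed for the demonstration; probe() only makes sense against a server you administer yourself.

```python
import socket
import struct

# Added example (not from the page): detect an open resolver from the reply flags.


def build_query(name, qid=0x1234):
    """Build a standard A query with the RD (recursion desired) bit set."""
    flags = 0x0100  # QR=0, opcode=QUERY, RD=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(msg):
    """Return the 12-byte DNS header as a dict of the fields we care about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "rd": (flags >> 8) & 1,    # recursion desired (copied from the query)
        "ra": (flags >> 7) & 1,    # recursion available
        "rcode": flags & 0xF,      # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(resp):
    """Classify a reply to a recursive query for a non-authoritative name."""
    hdr = parse_header(resp)
    if hdr["qr"] != 1:
        return "not-a-response"
    if hdr["ra"] == 1 and hdr["rcode"] == 0:
        return "open-resolver"        # recursion offered and the answer was resolved
    if hdr["rcode"] == 5:
        return "refused"              # what BIND returns with "recursion no;"
    return "recursion-unavailable" if hdr["ra"] == 0 else "other"


def probe(server, name="example.com", timeout=2.0):
    """Send the query over UDP to a server you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    return classify_response(resp)


# Constructed replies so the classification can be exercised offline.
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR=1 RD=1 RA=1 NOERROR
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR=1 RD=1 RA=0 REFUSED

if __name__ == "__main__":
    print("constructed open-resolver reply:", classify_response(OPEN_RESPONSE))
    print("constructed hardened reply:", classify_response(REFUSED_RESPONSE))
    # probe("192.168.0.1")  # run this against your own server to confirm the config
```

Only the header is inspected, which is enough for this check: the answer section is irrelevant once RA is clear, and a REFUSED reply carries none anyway.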

DNS test coverage

  • Domain Names - Concepts and Facilities - RFC 1034
  • Domain Names - Implementation and Specification - RFC 1035
  • Requirements for Internet Hosts - Application and Support - RFC 1123
  • Incremental Zone Transfer in DNS - RFC 1995
  • A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY) - RFC 1996
  • Clarifications to the DNS Specification - RFC 2181
  • Negative Caching of DNS Queries (DNS NCACHE) - RFC 2308
  • Obsoleting IQUERY - RFC 3425

Extension

  • Extension Mechanisms for DNS (EDNS0) - RFC 2671
  • A DNS RR for specifying the location of services (DNS SRV) - RFC 2782
  • Dynamic Delegation Discovery System (DDDS) Part One: The Comprehensive DDDS - RFC 3401
  • Dynamic Delegation Discovery System (DDDS) Part Two: The Algorithm - RFC 3402
  • Dynamic Delegation Discovery System (DDDS) Part Three: The Domain Name System (DNS) Database - RFC 3403
  • Dynamic Delegation Discovery System (DDDS) Part Four: The Uniform Resource Identifiers (URI) Resolution Application - RFC 3404
  • Dynamic Delegation Discovery System (DDDS) Part Five: URI.ARPA Assignment Procedures - RFC 3405
  • DNS Extensions to Support IP Version 6 - RFC 3596
  • DNS Security Introduction and Requirements - RFC 4033
  • Resource Records for the DNS Security Extensions - RFC 4034
  • Protocol Modifications for the DNS Security Extensions - RFC 4035

DNS Conformance Test Tool - www.tahi.org/dns/

This is a proof-of-concept of a utility to download DNS zone contents even when AXFR is disabled on the server, assuming DNSSEC is used. Optionally it can also verify all digital signature RRs within a zone against the zone key. If you do not know what DNSSEC is, please refer to:

The tool supports both the old DNSSEC according to RFC 2535 (i.e., KEY/SIG) and the latest DNSSEC version according to RFC 4033 (i.e., DNSKEY/RRSIG).

Web-Link: DNSSec-Walker

fpdns is a program that remotely determines DNS server versions. It does this by sending a series of borderline DNS queries whose responses are compared against a table of responses and server versions. False positives or incorrect versions may be reported when trying to identify a set of servers of different implementations residing behind a load-balancing apparatus, when a specific implementation behaves like a forwarder, or when the server sits behind a firewall without stateful inspection or without Application Intelligence.

DNS fingerprinting Tool - Download: DNS-Fingerprint

Methodology

We use a series of "borderline" query-response messages to identify implementations. A series of query-response messages forms a sequence. As mentioned, the responses to "borderline" queries are what this method relies on. To be somewhat efficient, a tree can be constructed which consists of queries (nodes) and responses (branches), where the leaf nodes identify the implementation.

Every path from the root node (initial query) to a leaf node (final query) is a sequence or "strain". The strains are used to distinguish between, and as said, ultimately identify implementations.
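As an added illustration of the tree described above (this is not fpdns's own code or data), the block below encodes a query/response tree with constructed response signatures and placeholder implementation names, walks it against a simulated server, and enumerates every root-to-leaf path as a strain. The query labels q1..q3, the signatures and the impl-A..impl-D labels are all made up for the demonstration; a real table would hold observed responses of real implementations.

```python
# Added example (not from the page): a decision tree of borderline queries.
# Inner nodes carry a query label and a dict of response signature -> child;
# a leaf is a plain string naming the implementation. All values are constructed.
TREE = {
    "query": "q1",
    "branches": {
        "NOERROR,ra=1": {"query": "q2", "branches": {"NOTIMP": "impl-A", "FORMERR": "impl-B"}},
        "REFUSED,ra=0": {"query": "q3", "branches": {"NOERROR": "impl-C", "SERVFAIL": "impl-D"}},
    },
}


def fingerprint(tree, responder):
    """Walk the tree from the root, asking responder(query_label) for the
    response signature at each node and following the matching branch.
    Returns (strain, implementation); implementation is None when some
    response matches no branch, i.e. the implementation is unknown to the tree."""
    node = tree
    strain = []
    while isinstance(node, dict):
        sig = responder(node["query"])
        strain.append((node["query"], sig))
        node = node["branches"].get(sig)
        if node is None:
            return strain, None
    return strain, node


def strains(tree, prefix=()):
    """Enumerate every root-to-leaf path; each path is one strain."""
    if not isinstance(tree, dict):
        return [(prefix, tree)]
    out = []
    for sig, child in tree["branches"].items():
        out.extend(strains(child, prefix + ((tree["query"], sig),)))
    return out


# Constructed simulated servers: how each answers the constructed queries.
SERVERS = {
    "server-x": {"q1": "NOERROR,ra=1", "q2": "FORMERR"},
    "server-y": {"q1": "REFUSED,ra=0", "q3": "SERVFAIL"},
    "server-z": {"q1": "NOERROR,ra=1", "q2": "NXDOMAIN"},  # response the tree never saw
}


def make_responder(table):
    """Turn a response table into a responder; unknown queries time out."""
    return lambda query: table.get(query, "TIMEOUT")


def identify(server_name):
    """Fingerprint one of the simulated servers."""
    return fingerprint(TREE, make_responder(SERVERS[server_name]))


if __name__ == "__main__":
    for name in SERVERS:
        strain, impl = identify(name)
        print(name, "->", impl, "via", strain)
    print(len(strains(TREE)), "strains in the tree")
```

The unknown-branch case matters in practice: the load-balancer and forwarder situations mentioned above produce exactly such mixed or unexpected responses, which is why the tool warns about false positives.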

dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump, but has a number of features tailored to DNS transactions and protocol options.

Some of its features include:

  • Understands both IPv4 and IPv6
  • Captures UDP, TCP, and IP fragments.
  • Collect only queries, responses, or both (-s option)
  • Collect for only certain source/destination addresses (-a -z -A -Z options)
  • Periodically creates new pcap files (-t option)
  • Spawns an upload script after closing a pcap file (-k option)
  • Will start and stop collecting at specific times (-B -E options)
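To show what the -s and -a style selection from the list above amounts to at the packet level, here is an added example that is not dnscap's own code: it classifies a handful of hand-built DNS messages as queries or responses by the QR bit and filters them by the initiator address (the source of a query, the destination of its response). The packets and the 192.168.0.0/24 and 203.0.113.0/24 networks are constructed for the demonstration.

```python
import struct
from ipaddress import ip_address, ip_network

# Added example (not from the page): dnscap-style selection over constructed packets.


def dns_header(qid, flags):
    """Build a 12-byte DNS header with one question and no other sections."""
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)


# Constructed traffic: (source IP, destination IP, DNS payload).
PACKETS = [
    ("192.168.0.10", "192.168.0.1", dns_header(1, 0x0100)),  # internal client query, RD=1
    ("192.168.0.1", "192.168.0.10", dns_header(1, 0x8180)),  # its answer, RA=1, NOERROR
    ("203.0.113.7", "192.168.0.1", dns_header(2, 0x0100)),   # query from outside
    ("192.168.0.1", "203.0.113.7", dns_header(2, 0x8105)),   # REFUSED, as a closed resolver answers
]


def is_response(payload):
    """The QR bit (top bit of the flags word) separates responses from queries."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)


def initiator(pkt):
    """The initiator is the source of a query and the destination of a response."""
    src, dst, payload = pkt
    return dst if is_response(payload) else src


def select(packets, mode="both", initiators=None):
    """Keep packets matching mode ('queries', 'responses' or 'both') and,
    if given, whose initiator lies in one of the listed networks."""
    nets = [ip_network(n) for n in (initiators or [])]
    selected = []
    for pkt in packets:
        resp = is_response(pkt[2])
        if mode == "queries" and resp:
            continue
        if mode == "responses" and not resp:
            continue
        if nets and not any(ip_address(initiator(pkt)) in net for net in nets):
            continue
        selected.append(pkt)
    return selected


if __name__ == "__main__":
    for src, dst, payload in select(PACKETS, "responses", ["203.0.113.0/24"]):
        print("response to external initiator:", src, "->", dst, payload.hex())
```

Keying the filter on the initiator rather than on the raw source address keeps a query and its response together, which is what you want when reviewing who is asking your server to recurse.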
