Full list of Zone Scan Errors
| ID | Error_id | Code | Severity | Description |
|---|---|---|---|---|
| 561 | 46 | ZONE:FATAL_DELEGATION | critical | No name servers found at child or at parent. No further testing can be performed. |
| 577 | 47 | ADDRESS:PRIVATE_IPV4 | error | A private IP address should normally not be exposed in the public DNS, since it’s not reachable from the Internet. |
| 581 | 48 | ADDRESS:RESERVED_IPV4 | error | Reserved IPv4 addresses should not be used on the public Internet. |
| 548 | 49 | ADDRESS:RESERVED_IPV6 | error | Reserved IPv6 addresses should not be used on the public Internet. |
| 583 | 2 | CONSISTENCY:SOA_DIGEST_DIFFERENT | error | The other fields in the SOA record are not the same among all name servers. This is usually due to misconfiguration. |
| 551 | 4 | DELEGATION:BROKEN_BUT_FUNCTIONAL | error | Not enough nameserver information was found to test the zone, but an IP address lookup succeeded |
| 543 | 6 | DELEGATION:EXTRA_NS_PARENT | error | A name server listed at the parent, but not at the child, was found. This is most likely an administrative error. You should update the parent to match the name servers at the child as soon as possible. |
| 572 | 7 | DELEGATION:GLUE_MISSING_AT_CHILD | error | The IP address of the name server was not found at the child. This is a configuration error and should be corrected as soon as possible. |
| 539 | 8 | DELEGATION:INCONSISTENT_GLUE | error | The address of a name server differed between the child and the parent. This is a configuration error and should be corrected as soon as possible. |
| 532 | 9 | DELEGATION:INZONE_NS_WITHOUT_GLUE | error | Nameserver is listed for zone without address information. |
| 537 | 11 | DELEGATION:NO_COMMON_NS_NAMES | error | The parent lists name servers that the child doesn’t know about; see details in advanced. This configuration could actually work but breaks very easily if one of these zones changes slightly. |
| 559 | 10 | DELEGATION:NOT_FOUND_AT_CHILD | error | No name servers could be found at the child. This usually means that the child is not configured to answer queries about the zone. |
| 534 | 12 | DELEGATION:NS_IS_CNAME | error | Nameserver has a CNAME record, which is forbidden |
| 550 | 13 | DNS:NO_CHILD_NS | error | Failed to find name server records |
| 562 | 14 | DNS:NO_EDNS | error | EDNS is an extension to the DNS protocol. The major change is that the 512-byte size limit of the query/answer packet has been removed, which allows more information to be provided. EDNS is essential for newer protocols and technologies (such as DNSSEC and IPv6) that require larger packet sizes. |
| 552 | 50 | DNS:SOA_SERVFAIL | error | DNS SERVFAIL when querying for SOA |
| 542 | 15 | DNSSEC:DNSKEY_NO_VALID_SIGNATURES | error | No valid signatures for the DNSKEY RRset for the zone were found - make sure the zone is signed with a valid and published key. |
| 533 | 18 | DNSSEC:INCONSISTENT_SECURITY | error | The parent has a secure delegation to the child (indicated by DS RRset at the parent), but the child has no DNSKEY records. This is probably due to a previously signed zone that became unsigned without requesting the parent to remove the secure delegation. |
| 560 | 20 | DNSSEC:NO_SIGNATURES | error | No DNSSEC signatures were found when querying the zone. Perhaps the zone isn’t signed? |
| 576 | 21 | DNSSEC:NO_VALID_DS | error | The zone has published DS records, but none of them work. |
| 541 | 24 | DNSSEC:SOA_NO_VALID_SIGNATURES | error | No valid signatures for the SOA RRset for the zone were found - make sure the zone is signed with a valid and published key. |
| 578 | 52 | HOST:CNAME_FOUND | error | The host name is an alias (CNAME), which is not allowed. Host names must be published with an A or AAAA record. |
| 567 | 53 | HOST:ILLEGAL_NAME | error | The hostname is not syntactically correct according to RFC 952. A common error is to begin the hostname with a non-letter (a-z) or use invalid characters (only a-z, 0-9 and - are allowed). |
| 546 | 51 | HOST:NOT_FOUND | error | No IPv4 or IPv6 address was found for the host name. |
| 570 | 25 | MAIL:ADDRESS_SYNTAX | error | Zone contains an invalid email address. |
| 574 | 26 | MAIL:DOMAIN_NOT_FOUND | error | No mail exchanger was found for the domain. This makes it impossible to deliver email to any recipient within the domain. |
| 544 | 31 | NAMESERVER:HOST_ERROR | error | The specified host name is not a valid host name or the host name points to an invalid IP address, e.g. a private or reserved IP address. |
| 553 | 35 | NAMESERVER:NO_TCP | error | The name server failed to answer queries sent over TCP. This is probably due to the name server not being correctly set up or due to misconfigured filtering in a firewall. It is a rather common misconception that DNS does not need TCP unless they provide zone transfers - perhaps the name server administrator is not aware that TCP usually is a requirement. |
| 580 | 36 | NAMESERVER:NO_UDP | error | The name server failed to answer queries sent over UDP. This is probably due to the name server not being correctly set up or due to misconfigured filtering in a firewall. |
| 569 | 32 | NAMESERVER:NOT_AUTH | error | The name server does not answer authoritatively to queries for the tested domain. This is probably due to misconfiguration where the name server is not set up to serve the tested domain. |
| 563 | 41 | SOA:MULTIPLE_SOA | error | Multiple SOA records found when querying the name servers. This is a serious error and definitely due to misconfiguration. |
| 556 | 42 | SOA:NOT_FOUND | error | No SOA record was found when querying the name server. This is most probably due to misconfiguration at the name server - a zone must have a SOA record. |
| 575 | 43 | SOA:RNAME_SYNTAX | error | The email address specified in SOA RNAME is specified incorrectly. A common error is to use @ in the address field - an address like hostmaster@example.com must be specified as hostmaster.example.com. |
| 535 | 16 | DNSSEC:DS_KEYREF_INVALID | info | The DS RRset must refer to a valid DNSKEY at the child, or the chain of trust between the parent and the child will be broken and validating resolvers will not be able to validate answers from the child. |
| 579 | 5 | DELEGATION:EXTRA_NS_CHILD | notice | A name server listed at the child, but not at the parent, was found. This is most likely a configuration error, but there are sometimes reasons for setting up a zone this way. |
| 573 | 17 | DNSSEC:DS_TO_NONSEP | notice | The DS RRset refers to a DNSKEY at the child, but the key is not marked as a secure entry point. |
| 565 | 27 | MAIL:HOST_ERROR | notice | The hostname for the mail exchanger is invalid. A common error is to point the mail exchanger to an alias (CNAME) or directly to an IP address. |
| 566 | 29 | MX:RECORDS_NOT_FOUND | notice | No MX records found for zone |
| 568 | 30 | NAMESERVER:AXFR_OPEN | notice | This name server accepts zone transfer requests from any party. |
| 547 | 40 | SOA:MNAME_STEALTH | notice | The name server listed as the SOA MNAME is not listed as a name server. |
| 555 | 1 | CONSISTENCY:MULTIPLE_NS_SETS | warning | The listed nameservers for the domain don’t all report the same set of nameservers |
| 531 | 3 | CONSISTENCY:SOA_SERIAL_DIFFERENT | warning | The SOA serial is not the same on all name servers. This is usually due to misconfiguration, but can sometimes be the result of slow zone propagation to secondary name servers. |
| 536 | 19 | DNSSEC:MISSING_DS | warning | The child seems to use DNSSEC, but the parent has no secure delegation. The chain of trust between the parent and the child is broken and validating resolvers will not be able to validate answers from the child. |
| 571 | 22 | DNSSEC:RRSIG_EXPIRED | warning | Expired signatures will be ignored by validating resolvers. |
| 538 | 23 | DNSSEC:RRSIG_FAILS_VERIFY | warning | DNSSEC signature fails to validate the RR set. |
| 549 | 28 | MX:HOST_ERROR | warning | Hostname is invalid |
| 545 | 33 | NAMESERVER:NOT_AUTH_TCP | warning | Nameserver is not authoritative over TCP. |
| 554 | 34 | NAMESERVER:NOT_AUTH_UDP | warning | Nameserver is not authoritative over UDP. |
| 557 | 37 | NAMESERVER:RECURSIVE | warning | The name server answers recursive queries for 3rd parties (such as DNSCheck). By making a recursive query to a name server that provides recursion, an attacker can cause a name server to look up and cache information contained in zones under their control. Thus the victim name server is made to query the attacker’s malicious name servers, resulting in the victim caching and serving bogus data. |
| 558 | 38 | SOA:MNAME_ERROR | warning | The SOA MNAME is not a valid host name. |
| 564 | 39 | SOA:MNAME_NOT_AUTH | warning | The name server listed as the original or primary source of data for this zone does not answer authoritatively. This is probably due to misconfiguration; perhaps the SOA MNAME is not set up as a name server for the zone. |
| 582 | 44 | SOA:RNAME_UNDELIVERABLE | warning | DNSCheck failed to deliver email to the email address listed as the one responsible for the zone. |
| 540 | 45 | SOA:SERIAL_IS_ZERO | warning | The serial number in the SOA record should not be zero. |