DNS Server

Sorry, not available in this language yet

English
日本語
简体中文

AppSec SaaS Platform | Integrated, cloud-based AST solution optimized for development and DevSecOps teams.
AppSec IDE Plug-ins | Secure code as you write it in your IDE
Software Risk Management | Manage application security programs at enterprise scale
DevSecOps Integrations | Integrate AppSec tools into DevOps workflows

Static Analysis (SAST) | Address security and quality defects in code as it's being developed
Software Composition Analysis (SCA) | Secure and manage open source risks in applications and containers
Interactive Analysis (IAST) | Automate web security testing within your DevOps pipelines
Dynamic Analysis (DAST) | Continuous web application security testing in production.
Penetration Testing | Identify business-critical vulnerabilities with on-demand testing expertise.
Protocol Fuzzing | Identify defects and zero-day vulnerabilities in services and protocols

Program Strategy & Planning | Measure, scale, and optimize your AppSec program
Threat & Risk Assessments | Understand and address internal and external security risks
Security Training | Equip development teams with the skills they need to produce more secure software
Implementation & Deployment | Optimize utilization, management and deployment of AppSec tools
Security Testing Services | On-demand AppSec testing resources and expertise

Open Source & Security Audits | Comprehensive technical due diligence services for M&A

AI-generated code | Harness the power of AI coding assistants while managing the risks
API Security Testing | Manage software risks with a holistic API security testing program.
AppSec Consolidation | Simplify your application security program
Application Security Testing | Solutions to address security risks at all stages of the application life cycle.
DevSecOps | Solutions to help shift security left without slowing down your development teams.
Software Supply Chain Security | Solutions to identify and manage software supply chain risks end-to-end.
Manage AppSec Risk | Scale your application security program without increasing complexity or adding friction.
Cloud & Container Security | Optimize your applications for secure deployment and operation in the cloud
Open Source License Compliance | Effective solutions for ensuring open source license compliance
M&A Due Diligence | Identify software risks that could negatively impact the value of acquired IP.
Quality & Security Standards Compliance | Ensure your software complies with the standards critical to customers and regulators

Dev and DevOps Teams | Build secure software while maintaining developer productivity and pipeline velocity.
Security Teams | Align people, processes, and technology to minimize software risk and transform your business.
Legal Teams | Solutions to protect your IP and manage risk.

Financial Services | Protect sensitive customer and financial data from rapidly evolving security threats.
IoT & Embedded | Ensure your embedded and IoT devices are safe, secure, and reliable.
Automotive | Build software security & reliability into the modern connected car.
Telecommunications | Create seamless and safe mobile experiences, from silicon to software.
Aerospace & Defense | Solutions for automating mission-critical development.
Public Sector | Application security for government agencies and their suppliers.
Medical Device | Safeguard medical devices and applications.

DNS Server Test Suite Data Sheet

Test Suite:

DNS Server Test Suite

Direction:

Server

Domain Name Service (DNS) is a protocol originally intended to translate Internet domain names to Internet Protocol (IP) addresses and vice versa. DNS has evolved to provide many additional types of information related to hosts, networks, and domains. Since the proper functioning of DNS is vital to many Internet application services such as WWW and email, the dependability of DNS implementations must be verified. This test application can be used to test DNS server implementations for security flaws and robustness problems.

Used specifications

Specification

Title

Notes

rfc1035

Domain Names - Implementation and Specification

rfc1183

New DNS RR Definitions

rfc1706

DNS NSAP Resource Records

rfc1712

DNS Encoding of Geographical Location

rfc1876

A Means for Expressing Location Information in the Domain Name System

rfc1995

Incremental Zone Transfer in DNS

rfc1996

A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)

rfc2136

Dynamic Updates in the Domain Name System (DNS UPDATE)

rfc2163

Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping (MCGAM)

rfc2230

Key Exchange Delegation Record for the DNS

rfc2535

Domain Name System Security Extensions

Anomaly only

rfc2782

A DNS RR for specifying the location of services (DNS SRV)

rfc2874

DNS Extensions to Support IPv6 Address Aggregation and Renumbering

Obsolete

rfc2930

Secret Key Establishment for DNS (TKEY RR)

rfc3123

A DNS RR Type for Lists of Address Prefixes (APL RR)

rfc3403

Dynamic Delegation Discovery System (DDDS) Part Three: The Domain Name System (DNS) Database

rfc3596

DNS Extensions to Support IP Version 6

rfc3986

Uniform Resource Identifier (URI): Generic Syntax

rfc4025

A Method for Storing IPsec Keying Material in DNS

rfc4034

Resource Records for the DNS Security Extensions

rfc4255

Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints

Anomaly only

rfc4398

Storing Certificates in the Domain Name System (DNS)

rfc4431

The DNSSEC Lookaside Validation (DLV) DNS Resource Record

Obsolete (Anomaly only)

rfc4701

A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR)

Anomaly only

rfc5001

DNS Name Server Identifier (NSID) Option

rfc5155

DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

rfc5936

DNS Zone Transfer Protocol (AXFR)

rfc6376

DomainKeys Identified Mail (DKIM) Signatures

Anomaly only

rfc6672

DNAME Redirection in the DNS

rfc6698

The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA

Anomaly only

rfc6742

DNS Resource Records for the Identifier-Locator Network Protocol (ILNP)

rfc6891

Extension Mechanisms for DNS (EDNS(0))

rfc6975

Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)

rfc7043

Resource Records for EUI-48 and EUI-64 Addresses in the DNS

rfc7208

Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1

rfc7314

Extension Mechanisms for DNS (EDNS) EXPIRE Option

rfc7344

Automating DNSSEC Delegation Trust Maintenance

Anomaly only

rfc7477

Child-to-Parent Synchronization in DNS

rfc7553

The Uniform Resource Identifier (URI) DNS Resource Record

rfc7828

The edns-tcp-keepalive EDNS0 Option

Anomaly only

rfc7830

The EDNS(0) Padding Option

rfc7871

Client Subnet in DNS Queries

rfc7873

Domain Name System (DNS) Cookies

rfc7901

CHAIN Query Requests in DNS

rfc8005

Host Identity Protocol (HIP) Domain Name System (DNS) Extension

Anomaly only

rfc8145

Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)

rfc8162

Using Secure DNS to Associate Certificates with Domain Names for S/MIME

Anomaly only

rfc8490

DNS Stateful Operations

rfc8659

DNS Certification Authority Authorization (CAA) Resource Record

rfc8764

Apple's DNS Long-Lived Queries Protocol

rfc8765

DNS Push Notifications

rfc8777

DNS Reverse IP Automatic Multicast Tunneling (AMT) Discovery

rfc8914

Extended DNS Errors

rfc8945

Secret Key Transaction Authentication for DNS (TSIG)

rfc8976

Message Digest for DNS Zones

Anomaly only

draft-bellis-dnsop-edns-tags-01

DNS EDNS Tags

draft-cheshire-edns0-owner-option-01

EDNS0 OWNER Option

draft-durand-doa-over-dns-03

DOA over DNS

Anomaly only

draft-eastlake-kitchen-sink-02

The Kitchen Sink Resource Record

draft-ietf-dnsop-svcb-https-02

Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)

draft-ietf-nimrod-dns-01

DNS Resource Records for Nimrod Routing Architecture

draft-sekar-dns-ul-02

Dynamic DNS Update Leases

draft-wijngaards-dnsop-trust-history-02

DNSSEC Trust Anchor History Service

af-dans-0152.000

ATM Name System V2.0

Anomaly only

identifying-dns-traffic2

Umbrella - Identifying DNS traffic (2020)

Anomaly only

ini1999-19

Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004.

Anomaly only

Tool-specific information

Tested messages

Specifications

Notes

DNS Query

rfc1035

A standard query.

DNS IQuery

rfc1035

An inverse query (Obsolete).

DNS Status

rfc1035

A server status change message (Anomaly only).

DNS Notify

rfc1996

A notify request.

DNS Update

rfc2136

A dynamic update request.

DSO

rfc8490

DNS Stateful Operations request.

Supported features

Specification

Notes

UDP Transport

rfc1035

DNS over UDP.

TCP Transport

rfc1035

DNS over TCP.

TLS Transport

rfc7858

DNS over TLS (DoT).

TSIG signature

rfc8945

Transaction Signature generation.

TKEY for TSIG

rfc2930

Partial support, including Diffie-Hellman algorithm only.

Unsupported features

Specification

Notes

GSS-TSIG algorithm

rfc3645

Suite doesn't support Generic Security Service Algorithm for Secret Key Transaction.

SIG(0) digest & validation

rfc2931

Suite doesn't support calculating or validation of DNS Request and Transaction Signatures ( SIG(0)s )

SSH key fingerprints

rfc4255

Suite doesn't support generating SSH key fingerprints.

DHCID digest & validation

rfc4701

Suite doesn't support calculating DHCID digest.

ZONEMD digest & validation

rfc8976

Suite doesn't support calculating message digest for DNS zones

DNS message specific timeout parameters

rfc7314, rfc7828, rfc8490

Defensics uses its own timeout mechanism and doesn't care about timeout values sent in DNS parameters.

DNS over DTLS

rfc8094

Suite doesn't support DTLS transport.

DNS over HTTPS

rfc8484

Suite doesn't support HTTPS transport.

DNS over QUIC

draft-huitema-quic-dnsoquic

Suite doesn't support QUIC transport.

Supported SafeGuard checks

Notes

Amplification

Amplification for UDP.

Unexpected Data

Unexpected Data for TCP.

Compressed Signer's name in RRSIG record

Compressed signer in response.

Test tool general features

Fully automated black-box negative testing
Ready-made test cases
Written in Java(tm)
GUI command line remote interface modes
Instrumentation (health-check) capability
Support and maintenance
Comprehensive user documentation
Results reporting and analysis