DNS Server Test Suite Data Sheet
Test Suite: DNS Server Test Suite
Direction: Server

Domain Name Service (DNS) is a protocol originally intended to translate Internet domain names to Internet Protocol (IP) addresses and vice versa. DNS has evolved to provide many additional types of information related to hosts, networks, and domains. Since the proper functioning of DNS is vital to many Internet application services such as WWW and email, the dependability of DNS implementations must be verified. This test application can be used to test DNS server implementations for security flaws and robustness problems.

Used specifications

Specification | Title | Notes
rfc1035 | Domain Names - Implementation and Specification
rfc1183 | New DNS RR Definitions
rfc1706 | DNS NSAP Resource Records
rfc1712 | DNS Encoding of Geographical Location
rfc1876 | A Means for Expressing Location Information in the Domain Name System
rfc1995 | Incremental Zone Transfer in DNS
rfc1996 | A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
rfc2136 | Dynamic Updates in the Domain Name System (DNS UPDATE)
rfc2163 | Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping (MCGAM)
rfc2230 | Key Exchange Delegation Record for the DNS
rfc2535 | Domain Name System Security Extensions | Anomaly only
rfc2782 | A DNS RR for specifying the location of services (DNS SRV)
rfc2874 | DNS Extensions to Support IPv6 Address Aggregation and Renumbering | Obsolete
rfc2930 | Secret Key Establishment for DNS (TKEY RR)
rfc3123 | A DNS RR Type for Lists of Address Prefixes (APL RR)
rfc3403 | Dynamic Delegation Discovery System (DDDS) Part Three: The Domain Name System (DNS) Database
rfc3596 | DNS Extensions to Support IP Version 6
rfc3986 | Uniform Resource Identifier (URI): Generic Syntax
rfc4025 | A Method for Storing IPsec Keying Material in DNS
rfc4034 | Resource Records for the DNS Security Extensions
rfc4255 | Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints | Anomaly only
rfc4398 | Storing Certificates in the Domain Name System (DNS)
rfc4431 | The DNSSEC Lookaside Validation (DLV) DNS Resource Record | Obsolete (Anomaly only)
rfc4701 | A DNS Resource Record (RR) for Encoding Dynamic Host Configuration Protocol (DHCP) Information (DHCID RR) | Anomaly only
rfc5001 | DNS Name Server Identifier (NSID) Option
rfc5155 | DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
rfc5936 | DNS Zone Transfer Protocol (AXFR)
rfc6376 | DomainKeys Identified Mail (DKIM) Signatures | Anomaly only
rfc6672 | DNAME Redirection in the DNS
rfc6698 | The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA | Anomaly only
rfc6742 | DNS Resource Records for the Identifier-Locator Network Protocol (ILNP)
rfc6891 | Extension Mechanisms for DNS (EDNS(0))
rfc6975 | Signaling Cryptographic Algorithm Understanding in DNS Security Extensions (DNSSEC)
rfc7043 | Resource Records for EUI-48 and EUI-64 Addresses in the DNS
rfc7208 | Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1
rfc7314 | Extension Mechanisms for DNS (EDNS) EXPIRE Option
rfc7344 | Automating DNSSEC Delegation Trust Maintenance | Anomaly only
rfc7477 | Child-to-Parent Synchronization in DNS
rfc7553 | The Uniform Resource Identifier (URI) DNS Resource Record
rfc7828 | The edns-tcp-keepalive EDNS0 Option | Anomaly only
rfc7830 | The EDNS(0) Padding Option
rfc7871 | Client Subnet in DNS Queries
rfc7873 | Domain Name System (DNS) Cookies
rfc7901 | CHAIN Query Requests in DNS
rfc8005 | Host Identity Protocol (HIP) Domain Name System (DNS) Extension | Anomaly only
rfc8145 | Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
rfc8162 | Using Secure DNS to Associate Certificates with Domain Names for S/MIME | Anomaly only
rfc8490 | DNS Stateful Operations
rfc8659 | DNS Certification Authority Authorization (CAA) Resource Record
rfc8764 | Apple's DNS Long-Lived Queries Protocol
rfc8765 | DNS Push Notifications
rfc8777 | DNS Reverse IP Automatic Multicast Tunneling (AMT) Discovery
rfc8914 | Extended DNS Errors
rfc8945 | Secret Key Transaction Authentication for DNS (TSIG)
rfc8976 | Message Digest for DNS Zones | Anomaly only
draft-bellis-dnsop-edns-tags-01 | DNS EDNS Tags
draft-cheshire-edns0-owner-option-01 | EDNS0 OWNER Option
draft-durand-doa-over-dns-03 | DOA over DNS | Anomaly only
draft-eastlake-kitchen-sink-02 | The Kitchen Sink Resource Record
draft-ietf-dnsop-svcb-https-02 | Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs)
draft-ietf-nimrod-dns-01 | DNS Resource Records for Nimrod Routing Architecture
draft-sekar-dns-ul-02 | Dynamic DNS Update Leases
draft-wijngaards-dnsop-trust-history-02 | DNSSEC Trust Anchor History Service
af-dans-0152.000 | ATM Name System V2.0 | Anomaly only
identifying-dns-traffic2 | Umbrella - Identifying DNS traffic (2020) | Anomaly only
ini1999-19 | Deploying DNSSEC Without a Signed Root. Technical Report 1999-19, Information Networking Institute, Carnegie Mellon University, April 2004. | Anomaly only

Tool-specific information

Tested messages | Specifications | Notes
DNS Query | rfc1035 | A standard query.
DNS IQuery | rfc1035 | An inverse query (Obsolete).
DNS Status | rfc1035 | A server status change message (Anomaly only).
DNS Notify | rfc1996 | A notify request.
DNS Update | rfc2136 | A dynamic update request.
DSO | rfc8490 | DNS Stateful Operations request.

Supported features | Specification | Notes
UDP Transport | rfc1035 | DNS over UDP.
TCP Transport | rfc1035 | DNS over TCP.
TLS Transport | rfc7858 | DNS over TLS (DoT).
TSIG signature | rfc8945 | Transaction Signature generation.
TKEY for TSIG | rfc2930 | Partial support (Diffie-Hellman algorithm only).

Unsupported features | Specification | Notes
GSS-TSIG algorithm | rfc3645 | Suite doesn't support the Generic Security Service Algorithm for Secret Key Transaction Authentication.
SIG(0) digest & validation | rfc2931 | Suite doesn't support calculating or validating DNS Request and Transaction Signatures (SIG(0)).
SSH key fingerprints | rfc4255 | Suite doesn't support generating SSH key fingerprints.
DHCID digest & validation | rfc4701 | Suite doesn't support calculating the DHCID digest.
ZONEMD digest & validation | rfc8976 | Suite doesn't support calculating the message digest for DNS zones.
DNS message specific timeout parameters | rfc7314, rfc7828, rfc8490 | Defensics uses its own timeout mechanism and ignores the timeout values carried in DNS parameters.
DNS over DTLS | rfc8094 | Suite doesn't support DTLS transport.
DNS over HTTPS | rfc8484 | Suite doesn't support HTTPS transport.
DNS over QUIC | draft-huitema-quic-dnsoquic | Suite doesn't support QUIC transport.

Supported SafeGuard checks | Notes
Amplification | Amplification for UDP.
Unexpected Data | Unexpected Data for TCP.
Compressed Signer's name in RRSIG record | Compressed signer in response.

Test tool general features
  • Fully automated black-box negative testing
  • Ready-made test cases
  • Written in Java(tm)
  • GUI, command-line and remote-interface modes
  • Instrumentation (health-check) capability
  • Support and maintenance
  • Comprehensive user documentation
  • Results reporting and analysis