Report for ltt.ly

Report created on: Sat, 21 Sep 2024 08:58:47 GMT
Parent
100
NS
91
SOA
100
MX
100
Mail
60
Web
100
Parent
NS Records at Parent Servers
We have successfully fetched domain's NS records from parent name server (pch.ltt.ly.).
Domain NS records:
  • dns.lttnet.net. TTL=86400 [NO GLUE4] [NO GLUE6]
  • dns1.lttnet.net. TTL=86400 [NO GLUE4] [NO GLUE6]
Name Servers Have A Records
OK. Found A records for all name servers.
  • Libya dns.lttnet.net. → 62.240.36.9
  • Libya dns1.lttnet.net. → 62.68.42.9
To reach your name servers via IPv4 an A record is needed for each name server.
Name Servers Have AAAA Records
NOTICE: While reading domain NS records at parent name servers, we found name servers without AAAA records.
  • dns.lttnet.net. → ?
  • dns1.lttnet.net. → ?
To reach your name servers via IPv6 an AAAA record is needed for each name server.
NS
NS Records
Your name servers returned 2 NS records:
  • dns.lttnet.net. TTL=300 [62.240.36.9] [NO GLUE6]
  • dns1.lttnet.net. TTL=300 [62.68.42.9] [NO GLUE6]
All Name Servers Responded
OK. All your name servers responded. We queried domain's records from all of your name servers and we received them successfully.
Glue Check
OK. No differences found. The glue provided by the parent name servers has to match the data provided by the authoritative name servers.
Allow Recursive Queries
OK. Domain name servers are not allowing recursive queries. On all name servers which acts as caching name servers recursive queries should be restricted to local networks. Having open DNS servers can lead to abuses such as cache poisoning and DOS (denial of service) attacks. Cache poisoning attacks allows under certain conditions to redirect legitimate web traffic, email and other traffic to malicious hosts compromising security.
Check Name Servers Count
OK. Domain has 2 name servers. Recommended number, between 2 and 7 name servers (RFC 2182 recommends to have at least 3 authoritative name servers for domains).
Identical NS Records
OK. All your name servers reported identical NS records. Each name server should return identical NS records.
Check for Lame Name servers
OK. No lame name servers found. All of your name servers are configured to be either master or slave for your domain.
Check All IPs are Public
OK. No private IPs found. Name servers using private IPs can't be reached from the Internet causing DNS delays.
Name Servers Have A Records
OK. Found A records for each name servers.
  • Libya dns.lttnet.net. → 62.240.36.9
  • Libya dns1.lttnet.net. → 62.68.42.9
To reach your name servers via IPv4 an A record is needed for each name server.
Name Servers Have AAAA Records
NOTICE: We found name servers without AAAA records.
  • dns.lttnet.net. → ?
  • dns1.lttnet.net. → ?
To reach your name servers via IPv6 an AAAA record is needed for each name server.
Name Servers Have Valid Names
OK. All names are valid. Name server name should be a valid host name, no partial name or IP address.
Check for Stealth Name Servers
OK. No stealth name servers found. All name servers returned by domain name servers should be listed at parent servers.
Check for Missing Name Servers
OK. No missing name servers found. All name servers returned by the parent name servers should have an NS record at your name servers.
No CNAME in NS Records
OK. No CNAMEs found in NS records. RFC 2181, section 10.3 says that host name must map directly to one or more address record (A or AAAA) and must not point to any CNAME records. RFC 1034, section 3.6.2 says if a name appears in the right-hand side of RR (Resource Record) it should not appear in the left-hand name of CNAME RR, thus CNAME records should not be used with NS and MX records. Despite this restrictions, there are many working configuration using CNAME with NS and MX records.
Allow TCP connections
WARNING: Couldn't connect using TCP protocol:
  • tcp4:62.68.42.9
  • tcp4:62.240.36.9
Check your name server's configurations and firewall rules. When response to a DNS query exceeds 512 bytes, TCP is negotiated and used, all name servers should allow TCP connections (port 53).
Name Servers Distributed on Multiple Networks
OK. Name servers are dispersed on 2 different C class networks:
  • 62.240.36.0/24:
    • dns.lttnet.net.
  • 62.68.42.0/24:
    • dns1.lttnet.net.
Name servers should be dispersed (topologically and geographically) across the Internet to avoid risk of single point of failure (RFC 2182).
Name Servers Distributed on Multiple ASNs
WARNING: All name servers are located in one Autonomous System:
  • AS21003:
    • dns.lttnet.net.
    • dns1.lttnet.net.
Name servers should be dispersed (topologically and geographically) across the Internet to avoid risk of single point of failure (RFC 2182).
Name Servers Versions
WARNING: Name servers software versions are exposed:
  • 62.240.36.9: "9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.14"
  • 62.68.42.9: "9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16"
Exposing name server's versions may be risky, when a new vulnerability is found your name servers may be automatically exploited by script kiddies until you patch the system. Learn how to hide version.
SOA
Check SOA Record
Domain SOA Record:
  • Primary nameserver: dns.lttnet.net.
  • Hostmaster (e-mail): hostmaster.lttnet.net.
  • Serial: 2024070101
  • Refresh: 10800
  • Retry: 3600
  • Expire: 1209600
  • Minimum TTL: 21600
Name Servers Agreement on Serial Number
OK. All name servers (2) have the same serial number [2024070101]. Having different serials on your name servers may show inconsistencies between name servers configuration (multiple masters), or communication errors (ACL and firewall issues).
SOA Number Format
OK. Serial number format OK [2024070101]. Your serial number is following general convention for serial number YYYYMMDDnn, where YYYY is four-digit year number, MM is the month, DD is the day and nn is the sequence number in case zone file is updated more than once per day.
SOA Mname
OK. Primary name server is dns.lttnet.net. and is listed at the parent name servers. The MNAME field defines the Primary Master name server for the zone, this name server should be found in your NS records.
SOA Rname
OK. Contact email for DNS problems is hostmaster@lttnet.net. (hostmaster.lttnet.net.). RNAME field defines an administrative email for your zone. RFC2142 recommends using hostmaster e-mail for this purpose, but any valid e-mail address can be used.
SOA Refresh
OK. Refresh interval is 10800. Recommended values [1200 .. 43200] (20 min ... 12 hours). Refresh field from SOA record determines how quickly zone changes are propagated from master to slave.
SOA Retry
OK. Retry interval is 3600. Recommended values [120 .. 7200] (2 minutes .. 2 hours). Retry field from SOA record defines how often slave should retry contacting master if connection to master failed during refresh.
SOA Expire
OK. Expire interval is 1209600. Recommended values [604800 .. 1209600] (1 week ... 2 weeks). Expiry defines zone expiration time in seconds after which slave must re-validate zone file, if contacting master fails then slave will stop responding to any queries.
SOA Minimum TTL
OK. Minimum TTL value is 21600. Recommended values [3600 .. 86400] (1 hour ... 1 day). Minimum TTL was redefined in RFC 2308, now it defines the period of time used by slaves to cache negative responses.
MX
MX Records
Your name servers returned 1 MX records. Your MX records sorted by priority (lower numbers have higher priority):
  • 10 ltt-ly.mail.protection.outlook.com. TTL=14400
Identical MX Records
OK. All name servers returned identical MX records.
Mail Servers Have A Records
OK. Found A records for all mail servers.
  • United States ltt-ly.mail.protection.outlook.com. → 52.101.68.15, 52.101.68.5, 52.101.68.3, 52.101.73.26
To reach your mail servers via IPv4 an A record is needed for each mail server.
Mail Servers Have AAAA Records
NOTICE: While reading domain NS records at parent mail servers, we found mail servers without AAAA records.
  • ltt-ly.mail.protection.outlook.com. → ?
To reach your mail servers via IPv6 an AAAA record is needed for each mail server.
Reverse Entries for MX records
OK. All mail servers have reverse DNS entries configured correctly.
Server IP PTR (Reverse) IPs
ltt-ly.mail.protection.outlook.com. 52.101.68.15 mail-db6pr03cu00107.inbound.protection.outlook.com. 52.101.68.15
ltt-ly.mail.protection.outlook.com. 52.101.68.5 mail-du2pr03cu00105.inbound.protection.outlook.com. 52.101.68.5
ltt-ly.mail.protection.outlook.com. 52.101.68.3 mail-db7pr03cu00403.inbound.protection.outlook.com. 52.101.68.3
ltt-ly.mail.protection.outlook.com. 52.101.73.26 mail-as9pr05cu01302.inbound.protection.outlook.com. 52.101.73.26

All mail servers should have a reverse DNS (PTR) entry for each IP address (RFC 1912). Missing reverse DNS entries will make many mail servers to reject your e-mails or mark them as SPAM.

All IP's reverse DNS entries should resolve back to IP address (IP → PTR → IP). Many mail servers are configured to reject e-mails from IPs with inconsistent reverse DNS configuration.

Check MX Records for Invalid Chars
OK. No invalid characters found. Name field from MX records should be a valid host name.
Check MX Records IPs are Public
OK. No private IPs found. Mail servers using private IPs can't be reached from the Internet causing mail delivery delays.
Check MX Records for Duplicates
OK. No MX records duplicates (same IP addresses) found. Although technically valid, duplicate MX records have no benefits and can cause confusion.
Only Host Names in MX Records
OK. No IPs found in MX records. IP addresses are not allowed in MX records, only host names.
No CNAME in MX Records
OK. No CNAMEs found in MX records. RFC 2181, section 10.3 says that host name must map directly to one or more address record (A or AAAA) and must not point to any CNAME records. RFC 1034, section 3.6.2 says if a name appears in the right-hand side of RR (Resource Record) it should not appear in the left-hand name of CNAME RR, thus CNAME records should not be used with NS and MX records. Despite this restrictions, there are many working configuration using CNAME with NS and MX records.
RBL Check
OK. Mail servers IPs are not blacklisted.
Mail
Connect to Mail Servers
OK. Successfully connected to all mail servers.
  • ltt-ly.mail.protection.outlook.com.:
    220 DU2PEPF00028D03.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Sat, 21 Sep 2024 08:58:49 +0000 [08DCD19144C2A34A]
To receive emails, mail servers should allow TCP connections on port 25.
Mail Greeting
NOTICE: I've found differences between mail server host names and greeting host name. The following mail servers claims to be other hosts (reverse DNS checks may be wrong):
  • ltt-ly.mail.protection.outlook.com.du2pepf00028d03.mail.protection.outlook.com
Accepts Postmaster Address
OK. All mail servers are accepting emails to postmaster@ltt.ly address:
  • ltt-ly.mail.protection.outlook.com.
    >> MAIL FROM: <postmaster@dnscheck.pro>
    << 250 2.1.0 Sender OK
    >> RCPT TO: <postmaster@ltt.ly>
    << 250 2.1.5 Recipient OK
    
RFC 822, RFC 1123 and RFC 2821 requires that all domain's mail servers should accept e-mails to postmaster. To be compliant you can create an alias and forward all postmaster's e-mails to a valid mailbox.
Accepts Abuse Address
OK. All mail servers are accepting emails to abuse@ltt.ly address:
  • ltt-ly.mail.protection.outlook.com.
    >> MAIL FROM: <postmaster@dnscheck.pro>
    << 250 2.1.0 Sender OK
    >> RCPT TO: <abuse@ltt.ly>
    << 250 2.1.5 Recipient OK
    
Check SPF record
OK. Found SPF record:
  • MS=ms74179118
  • v=spf1 include:spf.protection.outlook.com ip4:41.208.70.31 mx a:mail.ltt.ly a:mail2.lttnet.net a:mail1.lttnet.net a:mail8.ltt.ly -all
SPF (Sender Policy Framework) record is designed to prevent e-mail spoofing. Typical SPF record would be:
v=spf1 a mx ~all or v=spf1 a mx include:_spf.google.com ~all if you are using Google Apps.
Identical TXT records
OK. Name servers returned identical TXT records. Only SPF records are compared, all name servers should return identical SPF records.
Check DMARC record
FAIL: Domain doesn't have DMARC record.

The DMARC uses DKIM keys published in the DNS or IP addresses specified in the SPF record to authenticate emails to protect domain from fraudulent emails.

You can specify a policy how to deal with emails which fails authentication. A typical policy would be to reject, this applies to the domain and all its subdomains without an explicit policy. The DMARC policy has precedence over SPF policy. If you are more conservative, you can start with quarantine.

Example DMARC record:
v=DMARC1; p=quarantine
The authenticated emails will be delivered in the Inbox and others in the Spam/Junk folder.
Web
Resolve Domain Name
OK. Domain ltt.ly. resolves to:
  • Libya 62.240.36.51
Domain Name IPs are Public
OK. No private IPs found for ltt.ly.. Web servers using private IPs can't be reached from the Internet.
Resolve WWW
OK. Domain www.ltt.ly. resolves to:
  • Libya 62.240.36.51
WWW IPs are Public
OK. No private IPs found for www.ltt.ly.. Web servers using private IPs can't be reached from the Internet.

Report completed in 2.81 seconds.

Recent reports: dugalic.com dugalic.com veksleracademy.com therenewedmarriage.com portaldedenuncias.pt