Checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests.
dns-check-zone.domain: the DNS zone to check
nmap -sn -Pn ns1.example.com --script dns-check-zone --script-args='dns-check-zone.domain=example.com'
| dns-check-zone:
| DNS check results for domain: example.com
|   SOA
|     PASS - SOA REFRESH
|       SOA REFRESH was within recommended range (7200s)
|     PASS - SOA RETRY
|       SOA RETRY was within recommended range (3600s)
|     PASS - SOA EXPIRE
|       SOA EXPIRE was within recommended range (1209600s)
|     FAIL - SOA MNAME entry check
|       SOA MNAME record is NOT listed as DNS server
|     PASS - Zone serial numbers
|       Zone serials match
|   MX
|     ERROR - Reverse MX A records
|       Failed to retrieve list of mail servers
|   NS
|     PASS - Recursive queries
|       None of the servers allow recursive queries.
|     PASS - Multiple name servers
|       Server has 2 name servers
|     PASS - DNS name server IPs are public
|       All DNS IPs were public
|     PASS - DNS server response
|       All servers respond to DNS queries
|     PASS - Missing nameservers reported by parent
|       All DNS servers match
|     PASS - Missing nameservers reported by your nameservers
|_      All DNS servers match
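One way to triage this output in an audit script (an added example, not part of Nmap or the original page): a small Python parser that groups the results by category and returns only the FAIL and ERROR entries. The sample text is a shortened copy of the output above, the function names are hypothetical, and it assumes one detail line per test, as in that output.

```python
import re

# Constructed sample: a shortened copy of the script output shown above.
SAMPLE = """\
| dns-check-zone:
| DNS check results for domain: example.com
|   SOA
|     PASS - SOA REFRESH
|       SOA REFRESH was within recommended range (7200s)
|     FAIL - SOA MNAME entry check
|       SOA MNAME record is NOT listed as DNS server
|   MX
|     ERROR - Reverse MX A records
|       Failed to retrieve list of mail servers
|   NS
|     PASS - Missing nameservers reported by your nameservers
|_      All DNS servers match
"""

RESULT = re.compile(r"^(PASS|FAIL|ERROR)\s+-\s+(.+)$")
DOMAIN = re.compile(r"^DNS check results for domain:\s*(\S+)$")

def parse_check_zone(text):
    """Return (domain, results); each result has category, status, test, detail."""
    domain, category, results = None, None, []
    for raw in text.splitlines():
        # Drop Nmap's "|" / "|_" gutter and the indentation after it.
        line = re.sub(r"^\|_?", "", raw).strip()
        if not line or line == "dns-check-zone:":
            continue
        if (m := DOMAIN.match(line)):
            domain = m.group(1)
        elif (m := RESULT.match(line)):
            results.append({"category": category, "status": m.group(1),
                            "test": m.group(2), "detail": ""})
        elif results and results[-1]["category"] == category and not results[-1]["detail"]:
            # Assumption: the first line after a result is its single detail line.
            results[-1]["detail"] = line
        else:
            # Any other line opens a new category (SOA, MX, NS, ...).
            category = line
    return domain, results

def findings(text):
    """Results that need attention: every test that did not PASS."""
    return [r for r in parse_check_zone(text)[1] if r["status"] != "PASS"]

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f'{f["status"]:5} {f["category"]:3} {f["test"]}: {f["detail"]}')
```

An ERROR entry means the test could not be completed, so it is reported alongside FAIL rather than treated as a pass.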
Author: Patrik Karlsson
License: Same as Nmap--See https://nmap.org/book/man-legal.html