DNS Report for helenflavelfoundation.info
Generated by www.DNSreport.com at 09:00:40 GMT on 06 Jun 2007.
|Parent ||PASS||Missing Direct Parent check||OK.
Your direct parent zone exists, which is good. Some domains (usually
third or fourth level domains, such as example.co.us) do not have a
direct parent zone ('co.us' in this example), which is legal but can
|INFO||NS records at parent servers||Your NS records at the parent servers are:|
ns4.serversaustralia.com.au. [184.108.40.206 (NO GLUE)] [AU] [These were obtained from c9.info.afilias-nst.info]
ns3.serversaustralia.com.au. [220.127.116.11 (NO GLUE)] [AU]
|PASS||Parent nameservers have your nameservers listed||OK.
When someone uses DNS to look up your domain, the first step (if it
doesn't already know about your domain) is to go to the parent servers.
If you aren't listed there, you can't be found. But you are listed
|WARN||Glue at parent nameservers||WARNING.
The parent servers (I checked with c9.info.afilias-nst.info.) are not
providing glue for all your nameservers. This means that they are
supplying the NS records (host.example.com), but not supplying the A
records (192.0.2.53), which can cause slightly slower connections, and
may cause incompatibilities with some non-RFC-compliant programs. This
is perfectly acceptable behavior per the RFCs. This will usually occur
if your DNS servers are not in the same TLD as your domain (for
example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.|
|PASS||DNS servers have A records||OK.
All your DNS servers either have A records at the zone parent servers,
or do not need them (if the DNS servers are on other TLDs). A records
are required for your hostnames to ensure that other DNS servers can
reach your DNS servers. Note that there will be problems if your DNS
servers do not have these same A records.|
|NS ||INFO||NS records at your nameservers||Your NS records at your nameservers are:|
|PASS||Open DNS servers||OK.
Your DNS servers do not announce that they are open DNS servers.
Although there is a slight chance that they really are open DNS
servers, this is very unlikely. Open DNS servers increase the chances
of cache poisoning, can degrade performance of your DNS, and can
cause your DNS servers to be used in an attack (so it is good that your
DNS servers do not appear to be open DNS servers).
The DNS report did not detect any discrepancies between the glue
provided by the parent servers and that provided by your authoritative
|PASS||No NS A records at nameservers||OK.
Your nameservers do include corresponding A records when asked for your
NS records. This ensures that your DNS servers know the A records
corresponding to all your NS records.|
|PASS||All nameservers report identical NS records||OK. The NS records at all your nameservers are identical. |
|PASS||All nameservers respond||OK. All of your nameservers listed at the parent nameservers responded.|
|PASS||Nameserver name validity||OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).|
|PASS||Number of nameservers||OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.|
|PASS||Lame nameservers||OK. All the nameservers listed at the parent servers answer authoritatively for your domain.|
|FAIL||Missing (stealth) nameservers||FAIL:
You have one or more missing (stealth) nameservers. The following
nameserver(s) are listed (at your nameservers) as nameservers for your
domain, but are not listed at the parent nameservers (therefore, they
may or may not get used, depending on whether your DNS servers return
them in the authority section for other requests, per RFC2181
5.4.1). You need to make sure that these stealth nameservers are
working; if they are not responding, you may have serious problems! The
DNS Report will not query these servers, so you need to be very careful
that they are working properly.|
ns2.jumba.net.au.
This is listed
as an ERROR because there are some cases where nasty problems can occur
(if the TTLs vary from the NS records at the root servers and the NS
records point to your own domain, for example).
|FAIL||Missing nameservers 2||ERROR:
One or more of the nameservers listed at the parent servers are not
listed as NS records at your nameservers. The problem NS records are:|
|PASS||No CNAMEs for domain||OK. There are no CNAMEs for helenflavelfoundation.info. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.|
|PASS||No NSs with CNAMEs||OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.|
|WARN||Nameservers on separate class C's||WARNING:
We cannot test to see if your nameservers are all on the same Class C
(technically, /24) range, because the root servers are not sending
glue. We plan to add such a test later, but today you will have to
manually check to make sure that they are on separate Class C ranges.
Your nameservers should be at geographically dispersed locations. You
should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.|
|PASS||All NS IPs public||OK.
All of your NS records appear to use public IPs. If there were any
private IPs, they would not be reachable, causing DNS delays.|
All your DNS servers allow TCP connections. Although rarely used, TCP
connections are occasionally used instead of UDP connections. When
firewalls block the TCP DNS connections, it can cause hard-to-diagnose
|WARN||Single Point of Failure||WARNING:
Although you have at least 2 NS records, there is a chance that they
may both point to the same server (one of our two tests shows them
being different, the other is unsure; it appears that there are one or
more firewall(s) that intercept and alter DNS packets (some versions of
Linux reportedly have a built-in firewall that does this, too)), which
would result in a single point of failure. You are required to have at
least 2 nameservers per RFC 1035 section 2.2.|
|INFO||Nameservers versions||[For security reasons, this test is limited to members]|
|FAIL||Stealth NS record leakage||Your DNS servers leak stealth information in non-NS requests:|
Stealth nameservers are leaked [ns2.jumba.net.au.]!
Stealth nameservers are leaked [ns1.jumba.net.au.]!
can cause some serious problems (especially if there is a TTL
discrepancy). If you must have stealth NS records (NS records listed at
the authoritative DNS servers, but not the parent DNS servers), you
should make sure that your DNS server does not leak the stealth NS
records in response to other queries.
|SOA ||INFO||SOA record||Your SOA record [TTL=14400] is:|
Primary nameserver: ns1.jumba.net.au.
Hostmaster E-mail address: admin.serversaustralia.com.au.
Serial #: 2007052000
Default TTL: 14400
|PASS||NS agreement on SOA serial #||OK.
All your nameservers agree that your SOA serial number is 2007052000.
That means that all your nameservers are using the same data (unless
you have different sets of data with the same serial number, which
would be very bad)! Note that the DNS Report only checks the NS records
listed at the parent servers (not any stealth servers).|
|WARN||SOA MNAME Check||WARNING: Your SOA (Start of Authority) record states that your master (primary) name server is: ns1.jumba.net.au..
However, that server is not listed at the parent servers as one of your
NS records! This is legal, but you should be sure that you know what
you are doing.
|PASS||SOA RNAME Check||OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: firstname.lastname@example.org. (techie note: we have changed the initial '.' to an '@' for display purposes).
|PASS||SOA Serial Number||OK. Your SOA serial number is: 2007052000.
This appears to be in the recommended format of YYYYMMDDnn, where 'nn'
is the revision. So this indicates that your DNS was last updated on 20
May 2007 (and was revision #0). This number must be incremented every time you make a DNS change.|
|PASS||SOA REFRESH value||OK. Your SOA REFRESH interval is: 14400 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912
2.2 recommends a value between 1200 and 43200 seconds (20 minutes to 12
hours)). This value determines how often secondary/slave nameservers
check with the master for updates.|
|PASS||SOA RETRY value||OK. Your SOA RETRY interval is: 7200 seconds.
This seems normal (about 120-7200 seconds is good). The retry value is
the amount of time your secondary/slave nameservers will wait to
contact the master nameserver again if the last attempt failed.|
|PASS||SOA EXPIRE value||OK. Your SOA EXPIRE time: 1600000 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912
suggests 2-4 weeks. This is how long a secondary/slave nameserver will
wait before considering its DNS data stale if it can't reach the
|PASS||SOA MINIMUM TTL value||OK. Your SOA MINIMUM TTL is: 14400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308
suggests a value of 1-3 hours. This value used to determine the default
(technically, minimum) TTL (time-to-live) for DNS entries, but now is
used for negative caching.|
|MX ||INFO||MX Record||Your 1 MX record is:|
0 helenflavelfoundation.info. [TTL=1001] IP=18.104.22.168 [TTL=1001] [AU]
|PASS||Low port test||OK.
Our local DNS server that uses a low port number can get your MX
record. Some DNS servers are behind firewalls that block low port
numbers. This does not guarantee that your DNS server does not block
low ports (this specific lookup must be cached), but is a good
indication that it does not.|
|PASS||Invalid characters||OK. All of your MX records appear to use valid hostnames, without any invalid characters.|
|PASS||All MX IPs public||OK.
All of your MX records appear to use public IPs. If there were any
private IPs, they would not be reachable, causing slight mail delays,
extra resource usage, and possibly bounced mail.|
|PASS||MX records are not CNAMEs||OK.
Looking up your MX record did not just return a CNAME. If an MX record
query returns a CNAME, extra processing is required, and some mail
servers may not be able to handle it.|
|PASS||MX A lookups have no CNAMEs||OK.
There appear to be no CNAMEs returned for A records lookups from your
MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).|
|PASS||MX is host name, not IP||OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).|
|INFO||Multiple MX records||NOTE:
You only have 1 MX record. If your primary mail server is down or
unreachable, there is a chance that mail may have troubles reaching
you. In the past, mailservers would usually re-try E-mail for up to 48
hours. But many now only re-try for a couple of hours. If your primary
mailserver is very reliable (or can be fixed quickly if it goes down),
having just one mailserver may be acceptable.|
|PASS||Differing MX-A records||OK.
I did not detect differing IPs for your MX records (this would happen
if your DNS servers return different IPs than the DNS servers that are
authoritative for the hostname in your MX records).|
|PASS||Duplicate MX records||OK.
You do not have any duplicate MX records (pointing to the same IP).
Although technically valid, duplicate MX records can cause a lot of
confusion, and waste resources.|
|PASS||Reverse DNS entries for MX records||OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912
2.1 says you should have a reverse DNS for all your mail servers. It is
strongly urged that you have them, as many mailservers will not accept
mail from mailservers with no reverse DNS entry. Note that this
information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are:|
22.214.171.124.in-addr.arpa 36-110-14-210.serversaustralia.com.au. [TTL=86400]
|Mail ||PASS||Connect to mail servers||OK: I was able to connect to all of your mailservers.|
|WARN||Mail server host name in greeting||WARNING:
One or more of your mailservers is claiming to be a host other than
what it really is (the SMTP greeting should be a 3-digit code, followed
by a space or a dash, then the host name). If your mailserver sends out
E-mail using this domain in its EHLO or HELO, your E-mail might get
blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821
4.3.1). Note that the hostname given in the SMTP greeting should have
an A record pointing back to the same server. Note that this one test
may use a cached DNS record.|
helenflavelfoundation.info claims to be host
zeus.serversaustralia.com.au [but that host is at 126.96.36.199 (may be
cached), not 188.8.131.52].
|PASS||Acceptance of NULL <> sender||OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).|
|PASS||Acceptance of postmaster address||OK: All of your mailservers accept mail to email@example.com (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).|
|PASS||Acceptance of abuse address||OK: All of your mailservers accept mail to firstname.lastname@example.org.|
|INFO||Acceptance of domain literals||WARNING:
One or more of your mailservers does not accept mail in the domain
literal format (email@example.com). Mailservers are technically required (RFC1123
5.2.17) to accept mail to domain literals for any of their IP addresses.
Not accepting domain literals can make it more difficult to test your
mailserver, and can prevent you from receiving E-mail from people
reporting problems with your mailserver. However, it is unlikely that
any problems will occur if the domain literals are not accepted
(mailservers at many common large domains have this problem).|
helenflavelfoundation.info's firstname.lastname@example.org response:
>>> RCPT TO:<email@example.com>
<<< 501 <firstname.lastname@example.org>: domain literals not allowed
|PASS||Open relay test||OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.|
helenflavelfoundation.info OK: 550-(test.DNSreport.com) [184.108.40.206] is currently not permitted to relay
550-through this server. Perhaps you have not logged into the pop/imap server
550-in the last 30 minutes or do not have SMTP Authentication turned on in your
550 email client.
domain does not have an SPF record. This means that spammers can easily
send out E-mail that looks like it came from your domain, which can
make your domain look bad (if the recipient thinks you really sent it),
and can cost you money (when people complain to you, rather than the
spammer). You may want to add an SPF record
ASAP, as 01 Oct 2004 was the target date for domains to have SPF
records in place (Hotmail, for example, started checking SPF records on
01 Oct 2004). |
|WWW ||INFO||WWW Record||Your www.helenflavelfoundation.info A record is:|
www.helenflavelfoundation.info. CNAME helenflavelfoundation.info. [TTL=1001]
helenflavelfoundation.info. A 220.127.116.11 [TTL=1001] [AU]
|PASS||All WWW IPs public||OK.
All of your WWW IPs appear to be public IPs. If there were any private
IPs, they would not be reachable, causing problems reaching your web
You do have a CNAME record for www.helenflavelfoundation.info, which
can cause some confusion. However, this is legal. Your CNAME entry also
returns the A record for the CNAME entry, which is good -- otherwise,
it would require an extra DNS lookup, which slightly delays the initial
access to the website and uses extra bandwidth. Note that if the CNAME
points to another CNAME, it will likely cause problems.|
|INFO||Domain A Lookup||Your helenflavelfoundation.info A record is:|
helenflavelfoundation.info. A 18.104.22.168 [TTL=1001]
- Rows with a FAIL indicate a problem that in most cases really should be fixed.
- Rows with a WARN indicate a possible minor problem, which often is not worth pursuing.
- Note that all information is accessed in real-time (except where noted), so this is the freshest information about your domain.
- Note that automated usage is not tolerated; please only view the DNS report directly with your web browser.