Name-server restrictions
The Name-server restrictions checker verifies that the authoritative name servers of a zone are properly locked down. For each declared name server it resolves the host name, then runs a set of DNS probes against every returned IPv4 and IPv6 address (IPv6 targets are skipped gracefully when the host has no IPv6 connectivity). The goal is to catch common misconfigurations that leak data or turn a name server into an abuse vector: open zone transfers, open recursion, and unbounded ANY responses.
This checker is service-level: it targets an Origin or NS-only Origin service (abstract.Origin, abstract.NSOnlyOrigin) and is configured from that service’s Checks tab.
What it checks
Each rule emits one finding per probed name-server address, with a stable code.
| Rule | Verifies | Severity on failure |
|---|---|---|
ns_resolution |
Every NS host name declared in the delegation resolves to at least one IP address. | Critical |
ns_axfr_refused |
AXFR zone transfers are refused by every authoritative name server. |
Critical |
ns_ixfr_refused |
IXFR zone transfers are refused by every authoritative name server. |
Warning |
ns_no_recursion |
Authoritative name servers do not advertise recursion (RA bit unset). | Warning |
ns_any_handled |
ANY queries are handled per RFC 8482 (HINFO or a minimal answer rather than the full zone contents). |
Warning |
ns_is_authoritative |
Name servers answer authoritatively (AA bit set) for the zone. | Info |
Why these matter
An open AXFR lets anyone download the entire zone, exposing your internal naming. Open recursion turns your authoritative server into an amplification relay and cache-poisoning target. Unbounded ANY responses are a classic amplification vector that RFC 8482 was written to neutralise.
Options
This checker has no user-tunable options: it runs a fixed set of probes against each resolved name-server address.
In happyDomain
Enable the Name-server restrictions checker from the Checks tab of an Origin service. See /en/pages/checks/ for the full workflow. For the broader health and agreement of those same authoritative servers, see /en/reference/checkers/authoritative-consistency/.