docs: add checker reference pages and update homepage feature list
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Add individual reference pages for all domain health checkers (EN/FR), update the homepage feature descriptions in both languages to highlight monitoring, notifications, and domain availability checks.
parent c372f8409a
commit 5ccdd8892f
74 changed files with 3518 additions and 12 deletions
36
content/reference/checkers/ns-restrictions.en.md
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
date: 2026-06-11T09:00:00+02:00
|
||||
author: nemunaire
|
||||
title: Name-server restrictions
|
||||
description: "Probes every authoritative name server of a zone to confirm it is properly locked down: zone transfers refused, no open recursion, and RFC 8482 handling of ANY."
|
||||
weight: 90
|
||||
---
|
||||
|
||||
The **Name-server restrictions** checker verifies that the authoritative name servers of a zone are properly locked down. For each declared name server it resolves the host name, then runs a set of DNS probes against every returned IPv4 and IPv6 address (IPv6 targets are skipped gracefully when the host has no IPv6 connectivity). The goal is to catch common misconfigurations that leak data or turn a name server into an abuse vector: open zone transfers, open recursion, and unbounded `ANY` responses.
|
||||
|
||||
This checker is **service-level**: it targets an *Origin* or *NS-only Origin* service (`abstract.Origin`, `abstract.NSOnlyOrigin`) and is configured from that service's **Checks** tab.
|
||||
|
||||
## What it checks
|
||||
|
||||
Each rule emits one finding per probed name-server address, with a stable `code`.
|
||||
|
||||
| Rule | Verifies | Severity on failure |
|
||||
|---|---|---|
|
||||
| `ns_resolution` | Every NS host name declared in the delegation resolves to at least one IP address. | Critical |
|
||||
| `ns_axfr_refused` | `AXFR` zone transfers are refused by every authoritative name server. | Critical |
|
||||
| `ns_ixfr_refused` | `IXFR` zone transfers are refused by every authoritative name server. | Warning |
|
||||
| `ns_no_recursion` | Authoritative name servers do not advertise recursion (RA bit unset). | Warning |
|
||||
| `ns_any_handled` | `ANY` queries are handled per RFC 8482 (HINFO or a minimal answer rather than the full zone contents). | Warning |
|
||||
| `ns_is_authoritative` | Name servers answer authoritatively (AA bit set) for the zone. | Info |
|
||||
|
||||
{{% notice style="info" title="Why these matter" %}}
|
||||
An open `AXFR` lets anyone download the entire zone, exposing your internal naming. Open recursion turns your authoritative server into an amplification relay and cache-poisoning target. Unbounded `ANY` responses are a classic amplification vector that RFC 8482 was written to neutralise.
|
||||
{{% /notice %}}
|
||||
|
||||
## Options
|
||||
|
||||
This checker has no user-tunable options: it runs a fixed set of probes against each resolved name-server address.
|
||||
|
||||
## In happyDomain
|
||||
|
||||
Enable the Name-server restrictions checker from the **Checks** tab of an Origin service. See {{< relref "/pages/checks" >}} for the full workflow. For the broader health and agreement of those same authoritative servers, see {{< relref "/reference/checkers/authoritative-consistency" >}}.
|
||||
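Review bot: In the `ns_no_recursion` row of the rules table, the rule is worded as "do not advertise recursion (RA bit unset)", while the front-matter description and the "Why these matter" notice both speak of "open recursion". The page should say which it is: if the probe only reads the RA flag in the response, state that limitation in the row so a pass is not read as more than it is; if it also sends a recursive query for an out-of-zone name, say so. Two smaller points in the same section: "Each rule emits one finding per probed name-server address" does not fit `ns_resolution`, which fails exactly when a host name yields no address to probe, so say what that finding is keyed on (presumably the NS host name); and the notice explains AXFR, recursion and ANY but gives no reason why `ns_ixfr_refused` is a Warning when `ns_axfr_refused` is Critical, which deserves one sentence.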