Network Testing

Online tools for testing network settings for HTTP and mail servers

Network Layer

• Qualys SSL Labs for testing SSL/TLS settings
• DNS Checker for testing DNS settings from various locations, i.e. DNS propagation
• Rebex SSH Check for testing SSH server settings
• IPv6 Tester for testing IPv6 settings. Both for your local network as well as for servers

HTTP Settings

• Mozilla Observatory scans HTTP settings and includes third-party tests
• Security Headers for testing HTTP security headers such as CSP, HSTS, etc.
• CSP Evaluator for testing a sites CSP policy

Mail Settings

• Mail-tester for testing mail settings such as SPF, DKIM, DMARC
  • Sender Policy Framework (SPF) - tells the world what hosts or ip’s are allowed to send email for your domain
  • Domain Keys Identified Mail (DKIM) - method of email authentication that cryptographically verifies if an email is sent by trusted servers and untampered. Basically, when a server sends an email for your domain, it will calculate an encrypted hash of the email contents using a private key (that only trusted servers know) and add it to the email headers as a DKIM signature. The receiving server will verify the email contents by looking up the corresponding public key in your domain’s DNS records, decrypting the encrypted hash, and calculating a new hash based on the email contents it received to see if the decrypted hash matches the new hash.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) - tells receiving email servers what to do if they receive mails that fail SPF or DKIM. Basically, there are three actions for receiving servers to take if BOTH SPF and DKIM checks fail: none, quarantine, and reject.
• Sikker på nettet (same testing engine as Internet.nl) - testing of email settings as well as DNSSEC, etc.

DNS Settings

• Verisign Labs - DNS Tools a collection a DNS tools
  • DNSSEC Debugger
  • DNS Visualizer - visualizing DNS security
• The Root Canary Project - DNS Resolver algorithm test
• Internet Society - DNSSEC Tools list of tools for testing DNSSEC
  • DANE - DNS-based Authentication of Named Entities - DNS records which tell other mail servers that a mail server supports TLS encryption and what certificate to expect when connecting to the sending server (only secure if DNSSEC it enabled) (Internet Society - DANE)
  • DANE vs. MTA-STS ProtonMail Security Update -> DANE and MTA-STS – thwarting active attackers. MTA-STS is HSTS for email. The sending mail server looks up and caches an MTA-STS policy, which tells it that the receiving mail server supports encryption (not effective for domains with limited mail traffic)
• DK Hostmaster -> DNSSEC
• How to test and validate DNSSEC using dig

Databreaches

• Have I been pwned? check if an email address or domain has been in a data breach