Nameserver Subnet Distribution

What This Check Does

The Nameserver Subnet Distribution check verifies that your domain's active nameserver IPv4 addresses are spread across more than one /24 subnet. If all nameservers reside in the same /24 subnet (e.g., 192.168.1.0/24), a single network issue could take them all offline simultaneously.

DNS Spy examines the IPv4 addresses of each active nameserver and groups them by /24 subnet. If all addresses fall within the same subnet, this check fails.

Why It Matters

Network outages often affect entire subnets or IP ranges. If all your nameservers share the same /24 subnet, a routing issue, DDoS attack, or data center failure targeting that subnet will take down your entire DNS infrastructure. Distributing nameservers across different subnets provides resilience against localized network failures.

NIST SP 800-81, Section 3.3, recommends diversifying nameserver placement to avoid single points of failure. Subnet distribution is a fundamental aspect of this diversification strategy.

NIST SP 800-81 Compliance

Section 3.3 of the NIST Secure DNS Deployment Guide explicitly addresses nameserver architecture and recommends avoiding concentration of nameservers in a single network segment. DNS Spy automates this compliance check, ensuring your nameserver infrastructure meets NIST guidelines for network diversity.

Good vs. Bad Configuration

Bad Configuration

ns1.example.com resolves to 198.51.100.1 and ns2.example.com resolves to 198.51.100.2 — both in the same /24 subnet (198.51.100.0/24). A single network event could disable both nameservers.

Good Configuration

ns1.example.com resolves to 198.51.100.1 and ns2.example.com resolves to 203.0.113.1 — different /24 subnets, providing resilience against subnet-level failures.

How DNS Spy Monitors This

DNS Spy resolves all active nameserver IPv4 addresses and analyzes their subnet distribution. If all addresses fall within a single /24 subnet, an alert is triggered. This check runs continuously, so you are notified if nameserver IP changes inadvertently reduce your subnet diversity.
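The following is an added example, not DNS Spy's own code, showing the subnet-grouping logic described above applied to the bad and good configurations from this page. The nameserver-to-address mappings are constructed inline (in a real run they would come from resolving each NS record's A records); the function and variable names are this example's own assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: hostname -> list of resolved IPv4 addresses.
# These mirror the "Bad" and "Good" configurations described on this page.
BAD_CONFIG = {
    "ns1.example.com": ["198.51.100.1"],
    "ns2.example.com": ["198.51.100.2"],
}
GOOD_CONFIG = {
    "ns1.example.com": ["198.51.100.1"],
    "ns2.example.com": ["203.0.113.1"],
}


def group_by_subnet(nameservers, prefix=24):
    """Group nameserver IPv4 addresses by their /prefix network.

    Returns a dict mapping IPv4Network -> set of hostnames found in it.
    Non-IPv4 addresses are ignored, matching the IPv4-only scope of the check.
    """
    groups = defaultdict(set)
    for host, addrs in nameservers.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.version != 4:
                continue
            # strict=False masks off host bits, e.g. 198.51.100.1/24 -> 198.51.100.0/24
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            groups[net].add(host)
    return dict(groups)


def check_subnet_distribution(nameservers, prefix=24):
    """Return (passed, groups).

    The check fails when every IPv4 address falls in a single /prefix subnet,
    and also when no IPv4 addresses were found at all (nothing to distribute).
    """
    groups = group_by_subnet(nameservers, prefix)
    if not groups:
        return False, groups
    return len(groups) > 1, groups


def report(nameservers):
    """Human-readable summary in the spirit of an alert message."""
    passed, groups = check_subnet_distribution(nameservers)
    lines = ["PASS" if passed else "FAIL: all nameservers share one /24 subnet"]
    for net in sorted(groups, key=lambda n: int(n.network_address)):
        lines.append(f"  {net}: {', '.join(sorted(groups[net]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Bad configuration:")
    print(report(BAD_CONFIG))
    print("Good configuration:")
    print(report(GOOD_CONFIG))
```

A nameserver with several A records is counted in each subnet it appears in, so two hosts that each publish addresses in two different /24s pass the check; to run this against a live zone, replace the constructed dicts with the addresses obtained from resolving each NS record.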