[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DNS zone file audit tool

On October 29, 2002 08:30 am, the fabulous I. Forbes wrote:

> Particularly I need something that checks that their are still
> upstream NS records pointing to our server for each domain that we
> host. Also I would like to check that our NS records point to valid
> name servers (particularly with secondary nameservers) and that our
> reverse DNS PTR records point to domains with valid A records.
> I am looking for a Debian friendly utility to help with this. I have
> had a look at nslint but it does not seem to do what we need it to
> do.

I wrote a simple perl script that did most of the things you're looking for 
just wrapping around the nslookup command (or perhaps it was host).  My 
checks (from memory) went something like this:

- find nameservers for domain, this involves working right to left through the
  hostname until no NS records are returned, it might look something like

      fraser@shieldaig:~$ host -t NS ca.
      ca                      NS      ns1cira.ca
      ca                      NS      ns2.uunet.ca
      ca                      NS      rs0.netsol.com
      ca                      NS      merle.cira.ca
      ca                      NS      relay.cdnnet.ca
      ca                      NS      clouso.risq.qc.ca
      fraser@shieldaig:~$ host -t NS gc.ca.
      gc.ca                   NS      ns1.drenet.dnd.ca
      gc.ca                   NS      relay.srv.gc.ca
      gc.ca                   NS      relay.cdnnet.ca
      gc.ca                   NS      rusty.srv.gc.ca
      fraser@shieldaig:~$ host -t NS ec.gc.ca.
      ec.gc.ca                NS      castor.cmc.ec.gc.ca
      ec.gc.ca                NS      pollux.cmc.ec.gc.ca
      ec.gc.ca                NS      dowsv01.tor.ec.gc.ca
      ec.gc.ca                NS      dns1.cmc.ec.gc.ca
      ec.gc.ca                NS      dns2.cmc.ec.gc.ca
- at each step along the way confirm that all nameservers contain the same
  zone information and are authoritative

The exact things you want to check should be pretty easy to wrap into a script 
as well.  It's hard to find canned scripts that do everything you want so 
it's usually easier to roll your own.

If you like I can try and track down my script for you.  I've never checked 
for a canned solution to this problem mostly because I wanted to really 
understand and analyse every detail myself ... there might be something out 


Reply to: