
Re: DNS zone file audit tool



On October 29, 2002 08:30 am, the fabulous I. Forbes wrote:

> Particularly I need something that checks that there are still
> upstream NS records pointing to our server for each domain that we
> host. Also I would like to check that our NS records point to valid
> name servers (particularly with secondary nameservers) and that our
> reverse DNS PTR records point to domains with valid A records.
>
> I am looking for a Debian friendly utility to help with this. I have
> had a look at nslint but it does not seem to do what we need it to
> do.

I wrote a simple Perl script that did most of the things you're looking for,
just wrapping around the nslookup command (or perhaps it was host).  My
checks (from memory) went something like this:

- find nameservers for domain, this involves working right to left through the
  hostname until no NS records are returned, it might look something like
  this:

      fraser@shieldaig:~$ host -t NS ca.
      ca                      NS      ns1cira.ca
      ca                      NS      ns2.uunet.ca
      ca                      NS      rs0.netsol.com
      ca                      NS      merle.cira.ca
      ca                      NS      relay.cdnnet.ca
      ca                      NS      clouso.risq.qc.ca
      fraser@shieldaig:~$ host -t NS gc.ca.
      gc.ca                   NS      ns1.drenet.dnd.ca
      gc.ca                   NS      relay.srv.gc.ca
      gc.ca                   NS      relay.cdnnet.ca
      gc.ca                   NS      rusty.srv.gc.ca
      fraser@shieldaig:~$ host -t NS ec.gc.ca.
      ec.gc.ca                NS      castor.cmc.ec.gc.ca
      ec.gc.ca                NS      pollux.cmc.ec.gc.ca
      ec.gc.ca                NS      dowsv01.tor.ec.gc.ca
      ec.gc.ca                NS      dns1.cmc.ec.gc.ca
      ec.gc.ca                NS      dns2.cmc.ec.gc.ca
- at each step along the way confirm that all nameservers contain the same
  zone information and are authoritative

The exact things you want to check should be pretty easy to wrap into a script 
as well.  It's hard to find canned scripts that do everything you want so 
it's usually easier to roll your own.

If you like I can try and track down my script for you.  I've never checked 
for a canned solution to this problem mostly because I wanted to really 
understand and analyse every detail myself ... there might be something out 
there.

Fraser
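
The two checks described in the message above, sketched in Python as an added example; it is not the poster's Perl script. It walks the name right to left with `host -t NS`, then asks each listed nameserver directly and compares the NS sets, which covers the "same zone information" check only as far as NS records and does not test the authoritative flag. The function names, `sample_lookup` and the `example.test` data are assumptions made for illustration.

```python
import re
import subprocess

# Old ("gc.ca NS relay.srv.gc.ca") and new ("gc.ca name server x.") host output.
NS_LINE = re.compile(r"^\S+\s+(?:NS|name server)\s+(\S+?)\.?$")

def parse_ns(output):
    """Return the set of nameserver names found in `host -t NS` output."""
    hits = (NS_LINE.match(line.strip()) for line in output.splitlines())
    return {m.group(1).lower() for m in hits if m}

def host_ns(zone, server=None):
    """Live lookup with host(1); asks `server` directly when one is given."""
    cmd = ["host", "-t", "NS", zone + "."] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def walk(hostname, lookup=host_ns):
    """Work right to left through hostname until no NS records are returned."""
    labels, chain = hostname.rstrip(".").lower().split("."), []
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:])
        servers = parse_ns(lookup(zone))
        if not servers:
            break
        chain.append((zone, servers))
    return chain

def audit(domain, our_server, lookup=host_ns):
    """Return a list of problems found with the delegation of `domain`."""
    domain = domain.rstrip(".").lower()
    chain = walk(domain, lookup)
    if not chain or chain[-1][0] != domain:
        return [f"{domain}: no NS records returned"]
    servers, problems = chain[-1][1], []
    if our_server.lower() not in servers:
        problems.append(f"{domain}: {our_server} is not in the NS set")
    for server in sorted(servers):  # each listed server should agree
        if parse_ns(lookup(domain, server)) != servers:
            problems.append(f"{domain}: {server} returns a different NS set")
    return problems

# Constructed sample answers (all names made up) so the audit runs offline.
BOTH = "example.test NS ns1.example.test\nexample.test NS ns2.example.test"
SAMPLE = {("test", None): "test NS a.nic.test", ("example.test", None): BOTH,
          ("example.test", "ns1.example.test"): BOTH,
          ("example.test", "ns2.example.test"): "example.test NS ns1.example.test"}

def sample_lookup(zone, server=None):
    return SAMPLE.get((zone, server), "")
```

Calling `audit(domain, our_server)` without a `lookup` argument runs the real `host` command; passing `sample_lookup` replays the constructed answers.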


