Re: DNS zone file audit tool
On Thursday 31 October 2002 09:37, Emile van Bergen wrote:
> Have you also looked at djbdns' dnstrace tool?

there is also dlint, dnswalk and dnstracer.

there are some online zone checkers:

http://zonecheck.ipsec.se/
http://www.ripe.net/cgi-bin/nph-dc.cgi
http://www.dnsstuff.com/
http://www.dnsreport.com/tools/dnsreport.ch?domain=domain.org

and if you are listed here http://www.cymru.com/DNS/lame.html then you are lame. :)

-- 
"We should not be trying to use technical solutions to solve a social problem."
[Thomas R. Stephenson ("about SPAM" - Pegasus list 16.12.1999)]
Re: DNS zone file audit tool
Hi,

On Wed, Oct 30, 2002 at 09:34:48PM -0500, Fraser Campbell wrote:
> On October 29, 2002 08:30 am, the fabulous I. Forbes wrote:
>
> > Particularly I need something that checks that there are still
> > upstream NS records pointing to our server for each domain that we
> > host. Also I would like to check that our NS records point to valid
> > name servers (particularly with secondary nameservers) and that our
> > reverse DNS PTR records point to domains with valid A records.
> >
> > I am looking for a Debian friendly utility to help with this. I have
> > had a look at nslint but it does not seem to do what we need it to
> > do.
>
> I wrote a simple perl script that did most of the things you're looking for
> just wrapping around the nslookup command (or perhaps it was host). My
> checks (from memory) went something like this:

[SNIP]

> If you like I can try and track down my script for you. I've never checked
> for a canned solution to this problem mostly because I wanted to really
> understand and analyse every detail myself ... there might be something out
> there.

Have you also looked at djbdns' dnstrace tool? It "searches for all DNS servers that can affect the resolution of records of type t under the domain name fqdn, starting from the root server r. You can list more than one root server.", and follows all possible paths.

See http://cr.yp.to/djbdns/debugging.html

Cheers,

Emile.

-- 
E-Advies / Emile van Bergen | [EMAIL PROTECTED]
tel. +31 (0)70 3906153 | http://www.e-advies.info
Re: DNS zone file audit tool
On October 29, 2002 08:30 am, the fabulous I. Forbes wrote:

> Particularly I need something that checks that there are still
> upstream NS records pointing to our server for each domain that we
> host. Also I would like to check that our NS records point to valid
> name servers (particularly with secondary nameservers) and that our
> reverse DNS PTR records point to domains with valid A records.
>
> I am looking for a Debian friendly utility to help with this. I have
> had a look at nslint but it does not seem to do what we need it to
> do.

I wrote a simple perl script that did most of the things you're looking for just wrapping around the nslookup command (or perhaps it was host). My checks (from memory) went something like this:

- find nameservers for domain, this involves working right to left through the hostname until no NS records are returned, it might look something like this:

    fraser@shieldaig:~$ host -t NS ca.
    ca        NS  ns1cira.ca
    ca        NS  ns2.uunet.ca
    ca        NS  rs0.netsol.com
    ca        NS  merle.cira.ca
    ca        NS  relay.cdnnet.ca
    ca        NS  clouso.risq.qc.ca
    fraser@shieldaig:~$ host -t NS gc.ca.
    gc.ca     NS  ns1.drenet.dnd.ca
    gc.ca     NS  relay.srv.gc.ca
    gc.ca     NS  relay.cdnnet.ca
    gc.ca     NS  rusty.srv.gc.ca
    fraser@shieldaig:~$ host -t NS ec.gc.ca.
    ec.gc.ca  NS  castor.cmc.ec.gc.ca
    ec.gc.ca  NS  pollux.cmc.ec.gc.ca
    ec.gc.ca  NS  dowsv01.tor.ec.gc.ca
    ec.gc.ca  NS  dns1.cmc.ec.gc.ca
    ec.gc.ca  NS  dns2.cmc.ec.gc.ca

- at each step along the way confirm that all nameservers contain the same zone information and are authoritative

The exact things you want to check should be pretty easy to wrap into a script as well. It's hard to find canned scripts that do everything you want so it's usually easier to roll your own.

If you like I can try and track down my script for you. I've never checked for a canned solution to this problem mostly because I wanted to really understand and analyse every detail myself ... there might be something out there.

Fraser
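The checks discussed in this thread (the right-to-left NS walk, upstream delegation, nameserver agreement, and PTR targets with valid A records), sketched as an added example that is not part of any poster's message or script. The `RECORDS` table, the `"parent"` server label, and the functions `lookup`, `zone_cut`, `audit_zone` and `audit_ptr` are all hypothetical, and the PTR check additionally assumes the A record should map back to the same address.

```python
# Added example over constructed data: RECORDS maps (server asked, name, type) to
# answers; "parent" stands for the upstream servers. Names/addresses are made up.
RECORDS = {
    ("parent", "test", "NS"): {"a.nic.test"},
    ("parent", "example.test", "NS"): {"ns1.example.test", "ns2.example.test"},
    ("parent", "stale.test", "NS"): {"ns.other.test"},
    ("ns1.example.test", "example.test", "NS"): {"ns1.example.test", "ns2.example.test"},
    ("ns2.example.test", "example.test", "NS"): {"ns1.example.test"},  # stale secondary
    ("parent", "ns1.example.test", "A"): {"192.0.2.1"},
    ("parent", "ns.other.test", "A"): {"192.0.2.53"},
    ("parent", "1.2.0.192.in-addr.arpa", "PTR"): {"ns1.example.test"},
    ("parent", "9.2.0.192.in-addr.arpa", "PTR"): {"gone.example.test"},
}

def lookup(server, name, rtype):
    """Hypothetical resolver hook; swap in a real DNS query in production."""
    return RECORDS.get((server, name.rstrip("."), rtype), set())

def zone_cut(fqdn):
    """Walk the name right to left until no NS records are returned."""
    labels, cut = fqdn.rstrip(".").split("."), None
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:])
        if not lookup("parent", name, "NS"):
            break
        cut = name
    return cut

def audit_zone(zone, our_ns):
    """Return findings for one hosted zone; an empty list means clean."""
    findings = []
    delegated = lookup("parent", zone, "NS")
    if our_ns not in delegated:
        findings.append(f"{zone}: upstream NS no longer lists {our_ns}")
    for ns in sorted(delegated):
        if not lookup("parent", ns, "A"):
            findings.append(f"{zone}: NS {ns} has no A record")
        served = lookup(ns, zone, "NS")
        if not served:
            findings.append(f"{zone}: {ns} does not answer for the zone (lame)")
        elif served != delegated:
            findings.append(f"{zone}: {ns} serves a different NS set")
    return findings

def audit_ptr(ip):
    """A PTR target must have an A record that maps back to the same address."""
    rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    return [f"{ip}: PTR {t} has no matching A record" for t in
            sorted(lookup("parent", rev, "PTR")) if ip not in lookup("parent", t, "A")]
```
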
DNS zone file audit tool
Hello All

I am looking for a means to audit our DNS zone files.

Particularly I need something that checks that there are still upstream NS records pointing to our server for each domain that we host. Also I would like to check that our NS records point to valid name servers (particularly with secondary nameservers) and that our reverse DNS PTR records point to domains with valid A records.

I am looking for a Debian friendly utility to help with this. I have had a look at nslint but it does not seem to do what we need it to do.

Any other suggestions?

Thanks

Ian

Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa