dnsstuff replacement #16

Closed
anarcat opened this issue May 18, 2016 · 3 comments

anarcat commented May 18, 2016

I have been looking at a commandline tool to replace commercial services like dnsstuff.com and intodns.com. The latter seemed to be open about freeing their code at some point, but it seems those efforts are going nowhere:

https://twitter.com/intodns/status/299601458456821760
https://twitter.com/intodns/status/299614785257996292
https://twitter.com/intodns/status/20614487409168384

So learning about dnsdiag, I was hoping it would provide a similar level of functionality - but it doesn't quite do that. So here's my "I want a pony" feature request. I think it would be nice to have a "dnsdiag" commandline binary that would check:

  • if the domain provided resolves
  • for glue records:
    • exist
    • match
  • if NS records are correct:
    • if there are enough NS records (at least 2, RFC2182 section 5 recommends at least 3, RFC1912 section 2.8 recommends no more than 7)
    • have distinct IP addresses and no CNAMEs
    • different subnets
    • different ASNs
    • that all NS records respond to requests
    • that NS servers are not recursive
    • that all NS servers are authoritative
    • that NS records match parent zone
    • no stealth records present
    • that all NS servers respond with the same lists of NS
    • that all NS servers IPs are reachable (e.g. non RFC 1918)
    • that UDP (regular) and TCP (e.g. zone transfers) both work
    • version numbers (hidden, shown, outdated?)
  • that SOA records are correct:
    • present
    • valid (cf RFC 1912 for ranges, including email)
    • MNAME entry is in NS list
    • all fields match across NS servers
  • that mail records are correctly configured:
    • that MX records are present, and more than one, and point to different IPs, no CNAME
    • matching reverse DNS for MX records
    • routable MX records
    • port 25 open
    • SMTP banner
    • RFC5321-compliant SMTP greeting
    • accepts mails from NULL (for DSN etc)
    • accepts mail to postmaster ( RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1)
    • accepts mail to abuse (RFC2142 Section 2)
    • accepts mail to IP (RFC1123 section 5.2.17)
    • not an open relay
  • that web configuration is correct:
    • www exists
    • @ exists (and not a CNAME)
    • routable
    • responds
    • version number (hidden, shown, outdated?)
    • supports SSL

The above list is partly based on the output provided by dnsstuff.com, intodns.com and testdns.com.

Two more series of checks could be done as well:

Would you be open to working on or merging such a tool?
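
A subset of the NS checks from the list above (count, distinct addresses, subnets, RFC 1918, parent match, stealth records), as an added example that is not part of the issue or of dnsdiag's code. It evaluates already-collected answers instead of querying DNS; the function names, the /24 subnet granularity, the reading of "stealth" and the sample data are assumptions.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_ns(parent_ns, child_ns, addrs):
    """Evaluate NS checks on already-collected answers (no network access).
    parent_ns / child_ns: sets of NS names seen at the parent and at the zone;
    addrs: NS name -> list of IPv4 strings. Returns check name -> passed?"""
    ips = [ipaddress.ip_address(a) for ns in sorted(child_ns)
           for a in addrs.get(ns, [])]
    # Assumption: "different subnets" is judged at /24 granularity.
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return {
        "at_least_2_ns": len(child_ns) >= 2,
        "rfc2182_at_least_3": len(child_ns) >= 3,
        "rfc1912_at_most_7": len(child_ns) <= 7,
        "distinct_ips": len(set(ips)) == len(ips),
        "different_subnets": len(nets) >= 2,
        "no_rfc1918": not any(ip in net for ip in ips for net in RFC1918),
        "matches_parent": parent_ns == child_ns,
        # Assumption: "stealth" = served by the zone but absent at the parent.
        "no_stealth_ns": not (child_ns - parent_ns),
    }

def failed(result):
    """Names of the checks that did not pass, sorted."""
    return sorted(name for name, ok in result.items() if not ok)

# Constructed sample data (documentation names and address ranges).
GOOD = dict(
    parent_ns={"ns1.example.net", "ns2.example.net", "ns3.example.net"},
    child_ns={"ns1.example.net", "ns2.example.net", "ns3.example.net"},
    addrs={"ns1.example.net": ["192.0.2.53"],
           "ns2.example.net": ["198.51.100.53"],
           "ns3.example.net": ["203.0.113.53"]},
)
BAD = dict(
    parent_ns={"ns1.example.net", "ns2.example.net"},
    child_ns={"ns1.example.net", "ns2.example.net", "hidden.example.net"},
    addrs={"ns1.example.net": ["192.0.2.53"],
           "ns2.example.net": ["192.0.2.53"],
           "hidden.example.net": ["10.0.0.53"]},
)

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("bad", BAD)):
        print(label, failed(check_ns(**data)) or "all checks pass")
```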

@farrokhi farrokhi self-assigned this May 23, 2016
@farrokhi
Owner

It is actually a unicorn, not a pony :) But I am willing to do this. So, challenge accepted. I will start developing the basic tool based on the clear specification you provided and improve it over time (adding capabilities step by step).

@anarcat
Author

anarcat commented May 24, 2016

On 2016-05-23 09:20:49, Babak Farrokhi wrote:

> It is actually a unicorn, not a pony :) But I am willing to do this. So, challenge accepted. I will start developing the basic tool based on the clear specification you provided and improve it over time (adding capabilities step by step).

I love unicorns even better than ponies anyways. ;)

Unfortunately, I won't be able to test this until June, but thanks for
being so enthusiastic about it!

A.

We must learn to live together as brothers or perish together as fools.
- Martin Luther King, Jr.

@farrokhi farrokhi added this to the v2.0.0 milestone Jun 14, 2016
@42wim 42wim mentioned this issue May 2, 2017
@farrokhi
Owner

farrokhi commented Oct 9, 2017

Now there is a separate tool available which implemented almost all these requirements: https://github.com/42wim/dt

@farrokhi farrokhi closed this as completed Oct 9, 2017