Audit the consistency of zone files on DNS servers
Phil Mayers
p.mayers at imperial.ac.uk
Sat Mar 15 13:14:39 UTC 2014
On 15/03/2014 10:09, Maren S. Leizaola wrote:
> Can someone provide an answer that does not refer to zone transfers?
Your original email said:
> What I want to be able to detect are serial number errors, where a
> zone has been updated but the serial number has not changed
Then you said:
> I am paranoid and I don't think zone transfers are a good method. I
> want something that looks at the file, intelligently looks at each
> record and sends the right types of queries to all the DNS servers.
>
> We are never sure how bug free bind is. As I am using other DNS
> servers I am not sure how reliably they interact with Bind... So
> trust I nothing until it has been proven to work time and time
> again....
To be blunt, I think you are being unreasonable - sort of a "radical
skeptic" - about the software.
If you distrust the XFR bit of your DNS servers, why trust *any* of it?
How do you know the DNS server isn't answering with garbage when it
should be answering NODATA/NXDOMAIN? Or answering with correct values to
you, but garbage 0.01% of the time to everyone else?
You don't know that, and you can never know that, so proceeding on this
basis is futile.
Do you have grounds to *reasonably doubt* the functioning of your DNS
software?
Anyway - in an attempt to be "helpful", even though I think it's a silly
thing to do, here's a suggestion which queries every record in a zone
versus a master file:
https://github.com/joemiller/dns_compare
You could also canonicalise the zone file with "trusted" (ha ha)
software then transfer it over a "trusted" protocol (ha ha), "freeze"
the zone at the slaves having "trusted" that they will write to disk
correctly, then use diff.
None of these solves the NODATA/NXDOMAIN or low-rate error problem, but
they are, in principle, unsolvable.
Good luck - I doubt you'll find what you want though! ;o)
Cheers,
Phil
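As an added example (not code from this post, and not the dns_compare tool linked above), the following Python sketch does what Phil describes: parse the master file into canonical RRsets, ask every server for each RRset, and report where the answers differ. It also flags the specific case the original question was about, a server whose content has drifted from the master while its SOA serial still agrees. The zone file, the server list and the query function are all constructed in memory; `make_query` stands in for a real lookup, which in practice you would do with a DNS library such as dnspython.

```python
"""Audit RRsets in a master zone file against what each DNS server answers.
Added example; the zone data and per-server answers below are constructed."""
from collections import defaultdict

# Constructed master file: one record per line, $ORIGIN, '@' and relative owners only.
MASTER_ZONE = """\
$ORIGIN example.test.
@    3600 IN SOA ns1.example.test. hostmaster.example.test. 2014031501 7200 900 1209600 3600
@    3600 IN NS  ns1.example.test.
@    3600 IN NS  ns2.example.test.
ns1  3600 IN A   192.0.2.1
ns2  3600 IN A   192.0.2.2
www  3600 IN A   192.0.2.10
www  3600 IN A   192.0.2.11
mail 3600 IN MX  10 mx.example.test.
"""


def normalise_rdata(rdata):
    """Canonical comparison form: collapse whitespace, lowercase names."""
    return " ".join(rdata.split()).lower()


def parse_zone(text):
    """Return {(owner, rtype): frozenset(rdata)} for a minimal master file."""
    origin = ""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner = owner.lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"               # make relative owner absolute
        rrsets[(owner, rtype.upper())].add(normalise_rdata(rdata))
    return {k: frozenset(v) for k, v in rrsets.items()}


def soa_serial(rrset):
    """Serial is the third rdata field of an SOA record."""
    return next(iter(rrset)).split()[2]


def audit(master, servers, query):
    """Query every master RRset on every server; return (server, owner, rtype, problem)."""
    findings = []
    for (owner, rtype), expected in sorted(master.items()):
        for server in servers:
            answer = frozenset(normalise_rdata(r) for r in query(server, owner, rtype))
            if answer == expected:
                continue
            if not answer:
                problem = "no answer (NODATA/NXDOMAIN) but master has records"
            elif rtype == "SOA":
                problem = f"SOA differs: master serial {soa_serial(expected)} vs server {soa_serial(answer)}"
            else:
                problem = f"missing {sorted(expected - answer)} extra {sorted(answer - expected)}"
            findings.append((server, owner, rtype, problem))
    return findings


def silent_drift(findings):
    """Servers whose data differs from the master while their SOA still matches:
    the 'zone changed but the serial was not bumped' case."""
    data_bad = {f[0] for f in findings if f[2] != "SOA"}
    soa_bad = {f[0] for f in findings if f[2] == "SOA"}
    return sorted(data_bad - soa_bad)


def make_query(views):
    """Hypothetical stand-in for a real resolver call; views maps server -> RRsets."""
    def query(server, owner, rtype):
        return views[server].get((owner, rtype), frozenset())
    return query


def demo():
    """Constructed scenario: ns1 is in sync, ns2 drifted without a serial bump,
    ns3 is simply lagging (old serial and old data)."""
    master = parse_zone(MASTER_ZONE)
    ns2 = dict(master)
    ns2[("www.example.test.", "A")] = frozenset({"192.0.2.10"})
    ns3 = dict(ns2)
    ns3[("example.test.", "SOA")] = frozenset({
        "ns1.example.test. hostmaster.example.test. 2014031401 7200 900 1209600 3600"})
    views = {"ns1": master, "ns2": ns2, "ns3": ns3}
    return audit(master, ["ns1", "ns2", "ns3"], make_query(views))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
    print("silent drift on:", silent_drift(demo()))
```

Note what this does and does not catch: it verifies every record the master file says should exist, but, as Phil points out, it cannot prove a server never answers wrongly for names not in the file, nor catch an error that only occurs a fraction of the time; querying repeatedly narrows the second gap without closing it.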