Free Tools and Resources

For DNS and DHCP system administrators

These are a few of the tools we use, and a few web sites that document many more tools. At the bottom is a list of books and other information resources.  Please note that it is your responsibility to check the licensing terms of any software you download.  We have not tried all of these, many of them have simply been added on the suggestion of some of our users, so we can’t make any specific claims about suitability or quality.

We welcome suggestions for additions, or deletions (let us know if something we are linking to is inaccurate), or broken links.  Send any suggestions or corrections to web-request at isc dot org.


DNS Tools

DIG tool for Apple iOS

Created by Ray Bellis of ISC, this tool is a port of the dig tool included with the BIND distribution to the Apple iOS platforms (iPhone and iPad). Free, on iTunes.

Resolver protocol conformance tester for Apple IOS

Also by Ray Bellis of ISC, this is a cli app for IOS. Free, on iTunes.

On-line EDNS Compatibility Check tool

BIND developer Mark Andrews created this site and monitors the on-going scanning of the DNS root, top level domains, and several lists of top Internet domains. Check your own domain or see the historical performance of the domains we monitor.

BIND 9 rndc module for NodeJS

Ray Bellis of ISC published this library for communicating with BIND 9.9 and later versions via the rndc interface.

DNS Looking Glass

This site maintained by Frederic Cambus enables you to see what people querying your site from different locations (different resolvers) would see.

Managing DNS records at multiple providers

Octodns and dnscontrol These two open source tools (both on github) help you manage DNS records across multiple providers (including standard BIND zone files).

DNS Traversal checker

IPv4 only, but we find it a very useful tool.

DNS Bajaj – checks for zone cuts

The software for this hosted tool can be found at (that link downloads the software immediately). Tools Directory

Jacco Tunnissen’s site has a huge list of related tools and resources

The Measurement Factory tools

The  Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdumpand several applications for collecting and displaying DNS statistics; dnstop, DSC (DNS Statistics Collector), and Traffic Gist.

DNS Top – dns traffic analyzer

New tool written by Duane Wessels, published by The Measurement Factory. dnstop is a libpcap application that parses either a live capture or tcpdump saved file and displays your dns traffic in table form, showing source, destination, query types, response codes, etc.


Traffic distributor/load balancer written specifically for DNS traffic by Bert Hubert of PowerDNS. Described in this blog post.


These open source tools from Nominum are classic DNS performance testing utilities. DNSPERF is also included in the BIND contribs directory.


Web-based tools for domain checking, TLD look-up, DNS caching look-up from

SPF Record Testing

Web-based tool recommended on BIND-users, “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”

Gadmin-bind, GUI for BIND

From the Debian package description gadmin-bind is an easy to use GTK+ frontend for ISC BIND. It handles multiple domains and can switch from master to slave domain in three clicks. It can change the domain name for entire domains and subdomains, including domain resources such as MX, A, AAAA, CNAME, and NS.  gadmin-bind can also generate and set up secret keys for rndc, construct a chroot environment, and handle DDNS operations.”

Grafana dashboard for BIND 9

Posted by Christian Calin, ~ 2017.


On-line domain checker. You enter the domain name and IntoDNS performs some checks on the glue, NS records, server health, SOA/TTLS, MX and WWW records. has half a dozen or so networking tools, including the ability to find your IP, query WHOIS, DNS lookup, ping, traceroute, or translate/convert an IP V4 address between dotted quad, decimal, hex and binary, do a PTR reverse lookup in the DNS, and search for location information, among others.

Microsoft ccTLD Registry Security Scan

At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented on a new free service they are offing to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems.  The results are reported privately to the ccTLD requesting the scan. Apply via email. Read about this program here.


Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.”


Posted on BIND-users: “My program nsdiff ( is useful for copying dynamic zones from from an existing master to a new master without faffing around with `rndc freeze`. On the new master, run  nsdiff -m oldmaster -s localhost myzone | nsupdate -l
and it will axfr the zone from the oldmaster and copy it into the new.” – Tony Finch


NS lint is a utility written by Craig Leres of the Lawrence Berkeley National Laboratory, University of California, that checks your BIND zone files for errors.  The current version is available via anonymous ftp:

Passive DNS on github

Passive DNS is a tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics.

Prometheus exporter for BIND 9 stats

Published by Digital Ocean in 2016


query-loc: a program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks which implement this scheme in the ADDRESSES file. Its official home  is <>.


From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon.

Zonemaster, developed by IIS and AFRINIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it).  Zonemaster will save the history from prior scans, useful for troubleshooting problems.



On-line tool to see which DNSSEC-signing algorithms your resolver can validate.

An on-line test tool from Andrew Quarton.

Verisign DNSSEC debugger


Actively maintained resource with videos, how-to’s and deployment data.


A comprehensive listing of DNSSEC-related tools is available from DNSSEC.Net.

DNSSEC Zone Key Tool

ZKT is a tool to manage keys and signatures for DNSSEC-zones. More details are available at


Highly recommended. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.


Drill is a very useful tool from NLNet Labs. It was designed with DNSSEC in mind and is a useful debugging/query tool for DNSSEC.


At the Spring 2014 DNS-OARC workshop, NLNet Labs introduced their new DNS API, GetDNS.  This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications, such as, for example, DKIM.

DNSSEC validator from cz.NIC

Browser plug-in that does DNSSEC validation from your desktop. This is simple to install, simple to use and it gives you feedback right in your browser telling you whether the site you are connected to is DNSSEC signed.  Currently supports Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Apple Safari browsers. Download from Mozilla or from cz.NIC.


DHCP and IPv6

DHCPlb – Load Balancer

Engineers at Facebook wrote this dhcpv4/v6 load balancer to use with Kea dhcp server as an anycasted DHCP service.

Glass – ISC DHCP GUI Monitoring and Alerting

Written by Chris Miles in NodeJS, this new application supports DHCPv4 only (at the moment). MIT licensed. On Github.

Kea ‘Run Script’ Hook

This generic hook will call an external script at any/all of the hook points supported by Kea. Written by Baptiste Jonglez.

ISC DHCP Lease Analysis

Tool for shared network and pool range usage analysis, designed for high performance with a lot of leases. Written in C by Sami Kerola. On Sourceforge.

ISC DHCP Lease Filter

This Python library provides a filter on top of python-isc-dhcp-leases. Martijn Braam.

ISC DHCP SNMP pool tracker

dhcpd-snmp is an extension for the Net-SNMP agent and the ISC DHCP server. It allows you to monitor and track the address usage of your dynamic IP address pools through SNMP. On Github.

BT Diamond IP IPv6 resources

DHCP Probe

dhcp probe attempts to discover DHCP and BootP servers on a directly-attached Ethernet network. A network administrator can use this tool to locate unauthorized DHCP and BootP servers.

ISC Forge

This is an open source validation environment for fully automated validation of  DHCPv4 and  DHCPv6 protocols compliance using Python, Lettuce and Scapy.  The project is hoted on GitHub.

Kea Exporter

Exports Kea metrics in the Prometheus Exposition Format.

Kea ‘show leases’ script

Supports Kea 1.1.

DHCP Resources page from

How-To Guides


Hard to Classify

Last modified: August 7, 2018 at 4:46 pm