Please note that it is your responsibility to check the licensing terms of any software you download. We have not tried all of these; many of them have simply been added on the suggestion of some of our users, so we can’t make any specific claims about suitability or quality.
We welcome suggestions for additions, or deletions (let us know if something we are linking to is inaccurate), or broken links. Send any suggestions or corrections to web-request at isc dot org. Tools are sorted into 4 categories:
- Diagnostic tools
- Provisioning tools
- Other tools (performance testing, monitoring)
- Useful guides, books and how-to articles
|DIG tool for Apple iOS||Free, on iTunes.||Created by Ray Bellis of ISC, this tool is a port of the dig tool included with the BIND distribution to the Apple iOS platforms (iPhone and iPad).|
|ISC DNS Checker||Free, on iTunes.||Also by Ray Bellis, this is another CLI tool, a resolver protocol conformance tester for Apple iOS.|
|EDNS Compatibility Tester||https://ednscomp.isc.org||BIND developer Mark Andrews created this site and monitors the on-going scanning of the DNS root, top level domains, and several lists of top Internet domains. Check your own domain or see the historical performance of the domains we monitor.|
|Ray Bellis of ISC published this library for communicating with BIND 9.9 and later versions via the rndc interface.|
|DNSSEC-test||An on-line test tool from Andrew Quarton.|
|Verisign DNSSEC Debugger||http://dnssec-debugger.verisignlabs.com||DNSSEC debugger|
|DNS Looking Glass||dns-lg.com||This site maintained by Frederic Cambus enables you to see what people querying your site from different locations (different resolvers) would see.|
|http://dns.squish.net||IPv4 only, but we find it a very useful tool.|
|http://allanon.elfhame.net/dnsbajaj-0.9.6.tar.gz (that link downloads the software immediately)||Checks for zone cuts|
|dnstop – traffic analyzer||http://dns.measurement-factory.com/tools/dnstop/||New tool written by Duane Wessels, published by The Measurement Factory. dnstop is a libpcap application that parses either a live capture or a tcpdump saved file and displays your DNS traffic in table form, showing source, destination, query types, response codes, etc.|
|Zonemaster||https://zonemaster.iis.se||Zonemaster, developed by IIS and AFRINIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it). Zonemaster will save the history from prior scans, useful for troubleshooting problems.|
|DNS Viz||http://dnsviz.net||Highly recommended. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.|
|NLnet Labs Drill||http://www.nlnetlabs.nl/projects/ldns/||Drill is a useful debugging/query tool for DNSSEC.|
Passive DNS is a tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM) and general digital forensics.
|Vinyl DNS||https://www.vinyldns.io||VinylDNS manages millions of DNS records supporting thousands of engineers in production at Comcast. The platform provides fine-grained access controls, auditing of changes, a self-service user interface, secure RESTful API, and integration with infrastructure automation tools like Ansible and Terraform.|
|DNS Control||https://github.com/StackExchange/dnscontrol||DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, CloudFlare, and Gandi. It can talk to Microsoft ActiveDirectory and it generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows).|
|OctoDNS||https://github.com/github/octodns||OctoDNS helps manage DNS records across multiple providers, including Dyn (Oracle), and AWS. Records are stored in a git repository.|
|Denominator||https://github.com/Netflix/denominator||Denominator from Netflix “is a portable Java library for manipulating DNS clouds. Denominator has pluggable back-ends, including AWS Route53, Neustar Ultra, DynECT, Rackspace Cloud DNS, OpenStack Designate, and a mock for testing.”|
|GAdmin||https://packages.debian.org/sid/gadmin-bind||From the Debian package description “gadmin-bind is an easy to use GTK+ frontend for ISC BIND. It handles multiple domains and can switch from master to slave domain in three clicks. It can change the domain name for entire domains and subdomains, including domain resources such as MX, A, AAAA, CNAME, and NS.
gadmin-bind can also generate and set up secret keys for rndc, construct a chroot environment, and handle DDNS operations.”|
|SPF Record Validation||http://www.kitterman.com/spf/validate.html||Web-based tool recommended on BIND-users. “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”|
||From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon.|
|nsdiff||http://dotat.at/prog/nsdiff||Posted on BIND-users: “My program nsdiff (http://dotat.at/prog/nsdiff) is useful for copying dynamic zones from an existing master to a new master without faffing around with `rndc freeze`. On the new master, run `nsdiff -m oldmaster -s localhost myzone | nsupdate -l` and it will axfr the zone from the oldmaster and copy it into the new.” – Tony Finch|
|NS Lint||ftp://ftp.ee.lbl.gov/nslint.tar.gz||NS lint is a utility written by Craig Leres of the Lawrence Berkeley National Laboratory, University of California, that checks your BIND zone files for errors.|
|http://dnsdist.org/||Traffic distributor/load balancer written specifically for DNS traffic by Bert Hubert of PowerDNS. Described in this blog post.|
|https://github.com/DNS-OARC/dnsperf||These open source tools from Nominum are classic DNS performance testing utilities. DNSPERF is now being maintained by DNS-OARC.|
Grafana dashboard for BIND 9
Posted by Christian Calin, ~ 2017.
|https://github.com/digitalocean/bind_exporter||Published by Digital Ocean in 2016|
|The Measurement Factory tools||http://dns.measurement-factory.com/tools/index.html||The Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdump, and several applications for collecting and displaying DNS statistics: dnstop, DSC (DNS Statistics Collector), and Traffic Gist.|
|Net::DNS||“Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.”|
|Query-loc||https://github.com/bortzmeyer/query-loc||query-loc: a program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks which implement this scheme in the ADDRESSES file. Its official home is <http://github.com/bortzmeyer/query-loc/>.|
|Root Canary||RootCanary.org||On-line tool to see which DNSSEC-signing algorithms your resolver can validate.|
|Microsoft ccTLD Registry Security Scan||Apply via email to https://www.microsoft.com/en-us/msrc?rtc=1||At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented on a new free service they are offering to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems. The results are reported privately to the ccTLD requesting the scan.|
|DNSSEC Zone Key Tool||http://www.hznet.de/dns/zkt/||ZKT is a tool to manage keys and signatures for DNSSEC-zones.|
|GetDNS||http://getdnsapi.net||At the Spring 2014 DNS-OARC workshop, NLnet Labs introduced their new DNS API, GetDNS. This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications, such as, for example, DKIM.|
- Secure Domain Name System (DNS) Deployment Guide from the US Department of Commerce, National Institute of Standards and Technology (NIST), September, 2013
- Team Cymru Secure BIND Template, updated August 2012
- DNSSEC Troubleshooting tutorial (using dig), delivered at NANOG52 by Michael Sinatra, Energy Sciences Network (ESNET)
- How to configure your BIND resolvers to lie using Response Policy Zones (RPZ), by Jan-Piet Mens, April 2011
- DNS Best Practices, Network Protection, and Attack Identification, from the Cisco Systems web site, undated but refers to BIND 9.5
- NZOG 2013 DNSSEC Workshop. Joe Abley and Phil Regnauld taught this, and someone helpfully posted several how-tos from the class.
- BIND-users FAQ, by Doug Barton. How to get the most from this resource.
- Unofficial comp.protocols.tcp-ip.domains FAQ.
- Seung-young Kim of OpenBIRD, Inc has written a DNS guide in Korean.
- “Running BIND9 in a chroot cage using NetBSD 1.6.2”, by Tim Roden
- Article on Installing A Bind9 Master/Slave DNS System on Debian (from 2006)
- Article from the GnuDIP project “Having Your Own Domain Name with a Dynamic IP Address”
- Article (in French) from Nicholas Cuissard about issues arising from the conflict between DHCPv4 client-identifier and DHCPv6 DUID.
- “RFC 2317 Delegations for IPv4 Blocks Less Than /24”, by Doug Barton
- Cricket Liu’s classics, DNS and BIND, DNS and BIND Cookbook and DNS and BIND on IPv6 on Amazon.com (Kindle edition)
- Ron Aitchison’s DNS book “ProDNS and BIND” and DNS from Rocket Scientists
- Michael W. Lucas’s DNSSEC Mastery, which was recommended on bind-users.
- The DHCP Handbook, 2nd Edition, by Ralph Droms and Ted Lemon
Hard to Classify
- ISOC State of DNSSEC Deployment report (2016)
- APNIC Chief Scientist Geoff Huston’s presentations on his research, quite a bit of which is on the DNS.
- List of Free Public DNS Servers (possibly useful when troubleshooting your own) from About.com
- DNS-BH Malware domain blocklist. This is an open source list of bad domains you can use, e.g. with RPZ.
- Council of European Top-Level Domains, note the handy summaries of all of the IETF and ICANN meetings you didn’t manage to attend
- ISOC DNSSEC Resources. Actively maintained resource with videos, how-tos and deployment data
- DNSSEC.Net. A comprehensive listing of DNSSEC-related tools.
- IANA DNS Parameters