DNS tools and resources

Please note that it is your responsibility to check the licensing terms of any software you download.  We have not tried all of these, many of them have simply been added on the suggestion of some of our users, so we can’t make any specific claims about suitability or quality.

We welcome suggestions for additions, or deletions (let us know if something we are linking to is inaccurate), or broken links.  Send any suggestions or corrections to web-request at isc dot org. Tools are sorted into 4 categories:

  1. Diagnostic tools
  2. Provisioning tools
  3. Other tools (performance testing, monitoring)
  4. Useful guides, books and how-to articles

Diagnostic Tools

[/trow]  
Tool Link Description
DIG tool for Apple iOS Free, on iTunes. Created by Ray Bellis of ISC, this tool is a port of the dig tool included with the BIND distribution to the Apple iOS platforms (iPhone and iPad).
ISC DNS Checker Free, on iTunes. Also by Ray Bellis, this is another cli tool, a resolver protocol conformance tester for Apple IOS.

EDNS Compatibility Tester https://ednscomp.isc.org BIND developer Mark Andrews created this site and monitors the on-going scanning of the DNS root, top level domains, and several lists of top Internet domains. Check your own domain or see the historical performance of the domains we monitor.

BIND 9 rndc module for NodeJS

https://www.npmjs.com/package/bind9-rndc

Ray Bellis of ISC published this library for communicating with BIND 9.9 and later versions via the rndc interface.
DNSSEC-test

DNSSEC-test.net

An on-line test tool from Andrew Quarton.
Verisign DNSSEC Debugger http://dnssec-debugger.verisignlabs.com DNSSEC debugger
DNS Looking Glass

dns-lg.com This site maintained by Frederic Cambus enables you to see what people querying your site from different locations (different resolvers) would see.

DNS Traversal checker

http://dns.squish.net IPv4 only, but we find it a very useful tool.

DNS Bajaj

http://allanon.elfhame.net/dnsbajaj-0.9.6.tar.gz. (that link downloads the software immediately). Checks for zone cuts
dnstop – traffic analyzer http://dns.measurement-factory.com/tools/dnstop/ New tool written by Duane Wessels, published by The Measurement Factory. dnstop is a libpcap application that parses either a live capture or tcpdump saved file and displays your dns traffic in table form, showing source, destination, query types, response codes, etc.
Zonemaster https://zonemaster.iis.se Zonemaster, developed by IIS and AFRINIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it).  Zonemaster will save the history from prior scans, useful for troubleshooting problems.
DNS Viz http://dnsviz.net Highly recommended. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
NLNET Labs DRIll http://www.nlnetlabs.nl/projects/ldns/ Drill is a useful debugging/query tool for DNSSEC.
 Passive DNS   

Passive DNS is a tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics.

 

Provisioning Tools

Tool Link Description
Vinyl DNS https://www.vinyldns.io VinylDNS manages millions of DNS records supporting thousands of engineers in production at Comcast. The platform provides fine-grained access controls, auditing of changes, a self-service user interface, secure RESTful API, and integration with infrastructure automation tools like Ansible and Terraform.
DNS Control https://github.com/StackExchange/dnscontrol DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, CloudFlare, and Gandi. It can talk to Microsoft ActiveDirectory and it generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows).
OctoDNS https://github.com/github/octodns  OctoDNS helps manage DNS records across multiple providers, including Dyn (Oracle), and AWS. Records are stored in a git repository.
Denominator https://github.com/Netflix/denominator Denominator from Netflix “is a portable Java library for manipulating DNS clouds. Denominator has pluggable back-ends, including AWS Route53, Neustar Ultra, DynECT, Rackspace Cloud DNS, OpenStack Designate, and a mock for testing.”
GAdmin https://packages.debian.org/sid/gadmin-bind From the Debian package description gadmin-bind is an easy to use GTK+ frontend for ISC BIND. It handles multiple domains and can switch from master to slave domain in three clicks. It can change the domain name for entire domains and subdomains, including domain resources such as MX, A, AAAA, CNAME, and NS.

gadmin-bind can also generate and set up secret keys for rndc, construct a chroot environment, and handle DDNS operations.

SPF Record Validation http://www.kitterman.com/spf/validate.html Web-based tool recommended on BIND-users, . “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”
ZSU http://www.cpan.org/authors/id/A/AZ/AZS/zsu/
From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon.
nsdiff http://dotat.at/prog/nsdiff Posted on BIND-users: “My program nsdiff (http://dotat.at/prog/nsdiff) is useful for copying dynamic zones from from an existing master to a new master without faffing around with `rndc freeze`. On the new master, run  nsdiff -m oldmaster -s localhost myzone | nsupdate -l
and it will axfr the zone from the oldmaster and copy it into the new.” – Tony Finch
NS Lint ftp://ftp.ee.lbl.gov/nslint.tar.gz NS lint is a utility written by Craig Leres of the Lawrence Berkeley National Laboratory, University of California, that checks your BIND zone files for errors.

Other Tools

 
Tool Link Description

DNSdist

 http://dnsdist.org/ Traffic distributor/load balancer written specifically for DNS traffic by Bert Hubert of PowerDNS.   Described in this blog post.

DNSPERF & RESPERF

https://www.akamai.com/us/en/products/network-operator/measurement-tools.jsp These open source tools from Nominum are classic DNS performance testing utilities. DNSPERF is also included in the BIND contribs directory.

Grafana dashboard for BIND 9

https://grafana.com/dashboards/1666

Posted by Christian Calin, ~ 2017.

Prometheus exporter for BIND 9 stats

 https://github.com/digitalocean/bind_exporter Published by Digital Ocean in 2016
The Measurement Factory tools  http://dns.measurement-factory.com/tools/index.html

The  Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdumpand several applications for collecting and displaying DNS statistics; dnstop, DSC (DNS Statistics Collector), and Traffic Gist.

 Net::DNS

    Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.”
 Query-loc

https://github.com/bortzmeyer/query-loc query-loc: a program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks which implement this scheme in the ADDRESSES file. Its official home  is <http://github.com/bortzmeyer/query-loc/>.
Root Canary RootCanary.org On-line tool to see which DNSSEC-signing algorithms your resolver can validate.
 Microsoft ccTLD Registry Security Scan Apply via email to https://www.microsoft.com/en-us/msrc?rtc=1    At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented on a new free service they are offing to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems.  The results are reported privately to the ccTLD requesting the scan.
DNSSEC Zone Key Tool http://www.hznet.de/dns/zkt/ ZKT is a tool to manage keys and signatures for DNSSEC-zones.
GetDNS http://getdnsapi.net At the Spring 2014 DNS-OARC workshop, NLNet Labs introduced their new DNS API, GetDNS.  This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications, such as, for example, DKIM.

How-To Guides

Books

Hard to Classify

Last modified: December 3, 2018 at 10:54 am