DNS Tools

Useful, free, hosted or open source tools

These are a few of the DNS-related tools, websites, and books we have heard of. Please visit our ISC DHCP tools and Kea/IPv6 tools pages if those are relevant to your needs.

Please note that it is your responsibility to check the licensing terms of any software you download. We have not tried all of these; many of them have simply been added on the suggestion of some of our users, so we can’t make any specific claims about suitability or quality. Some of the information is quite old, but may still be generally useful.

We welcome notifications for additions, deletions, or broken links; please let us know if something we are linking to is inaccurate. Send any suggestions or corrections to web-request at isc dot org.

The tools are sorted into four categories:

  1. Diagnostic tools
  2. Provisioning tools
  3. Testing tools, monitoring
  4. Miscellaneous other things
  5. Useful guides, books, and how-to articles

1. Diagnostic tools

  • Zonemaster - Zonemaster, developed by IIS and AFNIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it). Zonemaster will save the history from prior scans, useful for troubleshooting problems.
  • DNS Viz - Highly recommended. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
  • Verisign DNSSEC Debugger - A DNSSEC debugger.
  • DIG tool for Apple iOS - Free, on the App Store. Created by Ray Bellis of ISC, this tool is a port of the dig tool included with the BIND distribution to the Apple iOS platforms (iPhone and iPad). Sadly this is no longer maintained, and is based on BIND 9.14.2, before we implemented DoH and DoT, so these features are not supported.
  • dig on the web - an implementation of ISC’s dig tool hosted on a web page.
  • dig GUI - another implementation of dig hosted on a web page. No idea who operates this.
  • ISC DNS Checker - Free, on the App Store. Also by Ray Bellis, this is a resolver protocol-conformance tester for Apple iOS. This is not actively maintained.
  • EDNS Compatibility Tester - BIND developer Mark Andrews created this site and monitors the ongoing scanning of the DNS root, top-level domains, and several lists of top Internet domains. Check your own domain or see the historical performance of the domains we monitor.
  • BIND 9 rndc module for NodeJS - Ray Bellis of ISC published this library for communicating with BIND 9.9 and later versions via the rndc interface.
  • DNS OARC software tools - multiple tools here, some of which are listed separately below
  • dns_parse takes as input a pcap of DNS data and produces a complete, trivially parsable, human readable ASCII version of the same data. Last updated in 2016.
  • Capture DNS - A simple program to capture and show DNS queries
  • DNS client - DNS Client is an ASP.NET Core web application hosted on https://dnsclient.net/. It can also be downloaded as a portable web app and run locally on Windows, Linux and macOS. Supports DoH and DoT.
  • DNS Looking Glass - This site, maintained by Frederic Cambus, enables you to see what people querying your site from different locations (different resolvers) would see. This tool is updated to issue queries via DNS over HTTP.
  • DNS Traversal checker - IPv4 only, but we find it a very useful tool.
  • dnstop - traffic analyzer - Written by Duane Wessels, published by The Measurement Factory. dnstop is a libpcap application that parses either a live capture or tcpdump saved file and displays your DNS traffic in table form, showing source, destination, query types, response codes, etc.
  • Shodoflo - Python listener for dnstap - Stream your BIND query logs via dnstap to this Python listener from Fred Morris.
  • NLnet Labs Drill - Drill is a useful debugging/query tool for DNSSEC.
  • Passive DNS - Passive DNS is a tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM), and general digital forensics.
  • Cycle Hunter - Zone checker tool that detects cyclic dependencies in DNS zones. From SIDN.

2. Provisioning tools

  • Vinyl DNS - VinylDNS manages millions of DNS records supporting thousands of engineers in production at Comcast. The platform provides fine-grained access controls, auditing of changes, a self-service user interface, secure RESTful API, and integration with infrastructure automation tools like Ansible and Terraform.
  • DNS Control - DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, CloudFlare, and Gandi. It can talk to Microsoft ActiveDirectory and it generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows).
  • OctoDNS - OctoDNS helps manage DNS records across multiple providers, including Dyn (Oracle), and AWS. Records are stored in a git repository.
  • VIM editor syntax highlighter - This tool was recently updated (September 2020) and re-announced on the bind-users mailing list. From Steve Egbert.
  • Send notify - This Python script allows you to specify the SOA serial in the NOTIFY message as well.
  • Perl script to send notify
  • Denominator - Denominator from Netflix “is a portable Java library for manipulating DNS clouds.” Denominator has pluggable back-ends, including AWS Route53, Neustar Ultra, DynECT, Rackspace Cloud DNS, OpenStack Designate, and a mock for testing. It appears this has not been updated since 2016.
  • SPF Record Validation - A web-based tool recommended on BIND-users. “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”
  • ZSU - From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon. This tool appears to be abandoned, but it may still be useful.
  • nsdiff - Posted on BIND-users: “My program nsdiff is useful for copying dynamic zones from an existing master to a new master without faffing around with rndc freeze. On the new master, run nsdiff -m oldmaster -s localhost myzone | nsupdate -l and it will axfr the zone from the oldmaster and copy it into the new.” - Tony Finch

3. Other tools (Testing, performance measurement, monitoring)

  • DNS Shotgun - This realistic DNS benchmarking tool supports multiple transport protocols (including encrypted DNS).

  • DNS dist - Described in this blog post.

  • DNSPERF & RESPERF - These open source tools from Nominum are classic DNS performance testing utilities. DNSPERF is now being maintained by DNS-OARC.

  • Respdiff - This tool allows the tester to compare responses from two different resolver implementations or versions. Not recommended for resolver performance testing.

  • dnsjit - Tool for capturing, parsing and replaying DNS traffic.

  • pktvisor - “An observability agent for analyzing high volume, information dense network data streams and extracting actionable insights directly from the edge.”

  • Logeater - This tool from Carsten Strotmann aggregates BIND 9 logs for easier analysis.

  • Stork agent - Prometheus exporter for BIND 9. See the Stork documentation at ReadTheDocs, specifically the agent installation section. Pre-built packages (look for isc-stork-agent) are on Cloudsmith.

  • Grafana dashboard for BIND 9 - Posted by Christian Calin, ~2017.

  • Prometheus exporter for BIND 9 - Published by Digital Ocean in 2016.

  • DNSWitness - Includes 2 tools: DNSdelve, an active measurement framework which uses a list of domains (for instance all the subdomains of a TLD) and can query them for various things such as the presence of SPF records, the IP addresses of the name servers, etc.; and DNSmezzo, a passive measurement tool. Located in front of a name server (recursive or authoritative), it parses the data and puts them in a SQL DBMS for easier analysis.

  • Munin BIND9 Stats plug-in - Check out the other stuff in Shumon Huque’s GitHub repo while you’re there.

  • Flamethrower - functional test tool for DNS by @NS1

  • DROOL - replay PCAPS, from DNS-OARC

  • zmap/zdns - CLI tool for high-speed DNS lookups

  • The DNS Measurement Factory tools - The Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdump, and several applications for collecting and displaying DNS statistics: dnstop, DSC (DNS Statistics Collector), and Traffic Gist.

  • Net DNS - Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.

  • Query-loc - A program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks which implement this scheme in the ADDRESSES file.

  • Root Canary - An online tool to see which DNSSEC-signing algorithms your resolver can validate.

  • Microsoft ccTLD Registry Security Scan - apply via email - At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented a new free service they are offering to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems. The results are reported privately to the ccTLD requesting the scan.

  • DNSSEC Zone Key Tool - ZKT is a tool to manage keys and signatures for DNSSEC-zones.

  • GetDNS - At the Spring 2014 DNS-OARC workshop, NLnet Labs introduced their new DNS API, GetDNS. This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications such as DKIM.

4. Miscellaneous other interesting things

  • hello-dns - A significant experimental DNS implementation aimed at teaching the basic requirements of the protocol. See blogs at PowerDNS and RIPE Labs for an overview.
  • DRINK - An experimental authoritative DNS server intended for dynamic answers (answers depending, for instance, on the client). It is just for fun and it does not pretend to replace existing programs. But you may want to read its source code, or use its online demo, at dyn.bortzmeyer.fr.
  • DNS Root Visualizer - A hosted tool that displays the DNS root systems on a world map. Developed by Ray Bellis of ISC.

5. Useful guides, books, and how-to articles