Please note that it is your responsibility to check the licensing terms of any software you download. We have not tried all of these; many of them have simply been added on the suggestion of some of our users, so we can’t make any specific claims about suitability or quality. Some of the information is quite old, but may still be generally useful.
We welcome notifications for additions, deletions, or broken links; please let us know if something we are linking to is inaccurate. Send any suggestions or corrections to web-request at isc dot org.
The tools are sorted into four categories:
- Diagnostic tools
- Provisioning tools
- Testing tools, monitoring
- Miscellaneous other things
- Useful guides, books, and how-to articles
- Zonemaster - Zonemaster, developed by IIS and AFNIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it). Zonemaster will save the history from prior scans, useful for troubleshooting problems.
- DNS Viz - Highly recommended. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
- Verisign DNSSEC Debugger - A DNSSEC debugger.
- DIG tool for Apple iOS - Free, on the App Store. Created by Ray Bellis of ISC, this tool is a port of the dig tool included with the BIND distribution to the Apple iOS platforms (iPhone and iPad).
- dig on the web - an implementation of ISC’s dig tool hosted on a web page.
- dig GUI - another implementation of dig hosted on a web page.
- ISC DNS Checker - Free, on the App Store. Also by Ray Bellis, this is a resolver protocol-conformance tester for Apple IOS.
- EDNS Compatibility Tester - BIND developer Mark Andrews created this site and monitors the on-going scanning of the DNS root, top-level domains, and several lists of top Internet domains. Check your own domain or see the historical performance of the domains we monitor.
- BIND 9 rndc module for NodeJS - Ray Bellis of ISC published this library for communicating with BIND 9.9 and later versions via the rndc interface.
- DNS OARC software tools - multiple tools here, some of which are listed separately below
- dns_parse takes as input a pcap of DNS data and produces a complete, trivially parsable, human readable ASCII version of the same data.
- Capture DNS - A simple program to capture and show DNS queries
- DNS client - DNS Client is an ASP.NET Core web application hosted on https://dnsclient.net/. It can also be downloaded as a portable web app and run locally on Windows, Linux and MacOS. Supports DoH and DoT.
- DNS Looking Glass - This site, maintained by Frederic Cambus, enables you to see what people querying your site from different locations (different resolvers) would see.
- DNS Traversal checker - IPv4 only, but we find it a very useful tool.
- DNS Bajaj - this link downloads the software immediately
- dnstop - traffic analyzer - Written by Duane Wessels, published by The Measurement Factory. dnstop is a libpcap application that parses either a live capture or tcpdump saved file and displays your DNS traffic in table form, showing source, destination, query types, response codes, etc.
- Python listener for dnstap - Stream your BIND query logs via dnstap to this Python listener from Fred Morris
- NLNET Labs Drill - Drill is a useful debugging/query tool for DNSSEC.
- Passive DNS - Passive DNS is a tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM), and general digital forensics.
- Cycle Hunter - Zone checker tool that detects cyclic dependencies in DNS zones. From SIDN.
- Vinyl DNS - VinylDNS manages millions of DNS records supporting thousands of engineers in production at Comcast. The platform provides fine-grained access controls, auditing of changes, a self-service user interface, secure RESTful API, and integration with infrastructure automation tools like Ansible and Terraform.
- DNS Control - DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, CloudFlare, and Gandi. It can talk to Microsoft ActiveDirectory and it generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows).
- OctoDNS - OctoDNS helps manage DNS records across multiple providers, including Dyn (Oracle), and AWS. Records are stored in a git repository.
- VIM editor syntax highlighter - This tool was recently updated (September 2020) and re-announced on the bind-users mailing list. From Steve Egbert.
- Denominator - Denominator from Netflix “is a portable Java library for manipulating DNS clouds.” Denominator has pluggable back-ends, including AWS Route53, Neustar Ultra, DynECT, Rackspace Cloud DNS, OpenStack Designate, and a mock for testing.
- SPF Record Validation - A web-based tool recommended on BIND-users. “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”
- ZSU - From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon.
- nsdiff - Posted on BIND-users: “My program nsdiff is useful for copying dynamic zones from from an existing master to a new master without faffing around with
rndc freeze. On the new master, run nsdiff -m oldmaster -s localhost myzone | nsupdate -l and it will axfr the zone from the oldmaster and copy it into the new.” - Tony Finch
DNS Shotgun - This realistic DNS benchmarking tool supports multiple transport protocols (including encrypted DNS).
DNSPERF & RESPERF - These open source tools from Nominum are classic DNS performance testing utilities. DNSPERF is now being maintained by DNS-OARC.
Respdiff - This tool allows the tester to compare responses from two different resolver implementations or versions.
dnsjit - Tool for capturing, parsing and replaying DNS traffic.
pktvisor - “An observability agent for analyzing high volume, information dense network data streams and extracting actionable insights directly from the edge.”
Logeater - this tool from Carsten Strotmann aggregates BIND9 logs for easier analysis
Grafana dashboard for BIND 9 - Posted by Christian Calin, ~2017.
Prometheus exporter for BIND 9 - Published by Digital Ocean in 2016.
DNSWitness - includes 2 tools, DNSdelve, an active measurement framework which uses a list of domains (for instance all the subdomains of a TLD) and can query them for various things such as the presence of SPF records, the IP addresses of the name servers, etc. Also DNSmezzo, a passive measurement tool. Located in front of a name server (recursive or authoritative), it parses the data and put them in a SQL DBMS for easier analysis.
Munin BIND9 Stats plug-in - Check out the other stuff in Shumon Huques Github repo while you’re there
Flamethrower - functional test tool for DNS by @NS1
DROOL - replay PCAPS, from DNS-OARC
zmap/zdns - cli tool for high speed dns lookups
The DNS Measurement Factory tools - The Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdump, and several applications for collecting and displaying DNS statistics; dnstop, DSC (DNS Statistics Collector), and Traffic Gist.
Net DNS - Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.
Query-loc - A program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks which implement this scheme in the ADDRESSES file.
Root Canary - An online tool to see which DNSSEC-signing algorithms your resolver can validate.
Microsoft ccTLD Registry Security Scan - apply via email - At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented a new free service they are offering to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems. The results are reported privately to the ccTLD requesting the scan.
DNSSEC Zone Key Tool - ZKT is a tool to manage keys and signatures for DNSSEC-zones.
GetDNS - At the Spring 2014 DNS-OARC workshop, NLNet Labs introduced their new DNS API, GetDNS. This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications, such as, for example, DKIM.
- hello-dns A significant experimental DNS implementation aimed at teaching the basic requirements of the protocol. See blogs at PowerDNS and RIPE Labs for an overview.
- DRINK An experimental authoritative DNS server intended for dynamic answers (answers depending, for instance, on the client). It is just for fun and it does not pretend to replace existing programs. But you may want to read its source code, or use its online demo, at dyn.bortzmeyer.fr.
- DNS Root Visualizer A hosted tool that displays the DNS root systems on a world map. Developed by Ray Bellis of ISC.
- Secure Domain Name System (DNS) Deployment Guide from the US Department of Commerce, National Institute of Standards and Technology (NIST), (several versions, check the dates)). Note that there is a new Secure Technical Implementation Guideline (STIG) checklist tool, search for BIND 9 (the ‘BIND DNS’ checklist appears to be older).
- Team Cymru Secure BIND Template, updated August 2012.
- DNSSEC Troubleshooting tutorial (using dig), delivered at NANOG52 by Michael Sinatra, Energy Sciences Network (ESNET).
- How to configure your BIND resolvers to lie using Response Policy Zones (RPZ), by Jan-Piet Mens, April 2011.
- NZOG 2013 DNSSEC Workshop, taught by Joe Abley and Phil Regnauld; someone helpfully posted several how-tos from the class.
- BIND-users FAQ, by Doug Barton. How to get the most from this resource.
- Unofficial comp.protocols.tcp-ip.domains FAQ.
- “Running BIND9 in a chroot cage using NetBSD 1.6.2”, by Tim Roden.
- Article from the GnuDIP project “Having Your Own Domain Name with a Dynamic IP Address.”
- Article (in French) from Nicholas Cuissard about issues arising from the conflict between DHCPv4 client-identifier and DHCPv6 DUID.
- “RFC 2317 Delegations for IPv4 Blocks Less Than /24,” by Doug Barton.
- Cricket Liu’s classics, DNS and BIND Cookbook and DNS and BIND on IPv6 on Amazon.com (Kindle edition).
- Ron Aitchison’s DNS book “ProDNS and BIND” and DNS for Rocket Scientists.
- Michael W. Lucas’s DNSSEC Mastery, which was recommended on bind-users.
- The DHCP Handbook, 2nd Edition, by Ralph Droms and Ted Lemon.
- ISOC DNSSEC Deployment Statistics.
- APNIC Chief Scientist Geoff Huston’s presentations on his research, quite a bit of which is on the DNS.
- List of Free Public DNS Servers (possibly useful when troubleshooting your own) from Lifewire.com.
- Council of European Top-Level Domains, note the handy summaries of all of the IETF and ICANN meetings you didn’t manage to attend.
- ISOC DNSSEC Resources. Actively maintained resource with videos, how-to’s and deployment data.
- A comprehensive listing of DNSSEC-related tools is available from DNSSEC.Net.
- IANA DNS Parameters.