Please note that it is your responsibility to check the licensing terms of any software you download. We have not tried all of these; many of them have simply been added on the suggestion of some of our users, so we can’t make any specific claims about suitability or quality.
We welcome notifications for additions, deletions, or broken links; please let us know if something we are linking to is inaccurate. Send any suggestions or corrections to web-request at isc dot org.
The tools are sorted into four categories:
- Diagnostic tools
- Provisioning tools
- Other tools (performance testing, monitoring)
- Useful guides, books, and how-to articles
- DIG tool for Apple iOS - Free, on the App Store. Created by Ray Bellis of ISC, this tool is a port of the dig tool included with the BIND distribution to the Apple iOS platforms (iPhone and iPad).
- ISC DNS Checker - Free, on the App Store. Also by Ray Bellis, this is a resolver protocol-conformance tester for Apple IOS.
- EDNS Compatibility Tester - BIND developer Mark Andrews created this site and monitors the on-going scanning of the DNS root, top-level domains, and several lists of top Internet domains. Check your own domain or see the historical performance of the domains we monitor.
BIND 9 rndc module for NodeJS - Ray Bellis of ISC published this library for communicating with BIND 9.9 and later versions via the rndc interface.
Verisign DNSSEC Debugger - A DNSSEC debugger.
DNS client - DNS Client is an ASP.NET Core web application hosted on https://dnsclient.net/. It can also be downloaded as a portable web app and run locally on Windows, Linux and MacOS. Supports DoH and DoT.
DNS Looking Glass - This site, maintained by Frederic Cambus, enables you to see what people querying your site from different locations (different resolvers) would see.
DNS Traversal checker - IPv4 only, but we find it a very useful tool.
dnstop - traffic analyzer - Written by Duane Wessels, published by The Measurement Factory. dnstop is a libpcap application that parses either a live capture or tcpdump saved file and displays your DNS traffic in table form, showing source, destination, query types, response codes, etc.
Zonemaster - Zonemaster, developed by IIS and AFNIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it). Zonemaster will save the history from prior scans, useful for troubleshooting problems.
DNS Viz - Highly recommended. DNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
NLNET Labs DRIll - Drill is a useful debugging/query tool for DNSSEC.
Passive DNS - Passive DNS is a tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM), and general digital forensics.
- Vinyl DNS - VinylDNS manages millions of DNS records supporting thousands of engineers in production at Comcast. The platform provides fine-grained access controls, auditing of changes, a self-service user interface, secure RESTful API, and integration with infrastructure automation tools like Ansible and Terraform.
- DNS Controls - DNSControl is a system for maintaining DNS zones. It has two parts: a domain specific language (DSL) for describing DNS zones plus software that processes the DSL and pushes the resulting zones to DNS providers such as Route53, CloudFlare, and Gandi. It can talk to Microsoft ActiveDirectory and it generates the most beautiful BIND zone files ever. It runs anywhere Go runs (Linux, macOS, Windows).
- OctoDNS - OctoDNS helps manage DNS records across multiple providers, including Dyn (Oracle), and AWS. Records are stored in a git repository.
- VIM editor syntax highlighter - This tool was recently updated (September 2020) and re-announced on the bind-users mailing list. From Steve Egbert.
- Denominator - Denominator from Netflix “is a portable Java library for manipulating DNS clouds.” Denominator has pluggable back-ends, including AWS Route53, Neustar Ultra, DynECT, Rackspace Cloud DNS, OpenStack Designate, and a mock for testing.
- GAdmin - From the Debian package description, “gadmin-bind is an easy to use GTK+ frontend for ISC BIND. It handles multiple domains and can switch from [primary] to [secondary] domain in three clicks. It can change the domain name for entire domains and subdomains, including domain resources such as MX, A, AAAA, CNAME, and NS. gadmin-bind can also generate and set up secret keys for rndc, construct a chroot environment, and handle DDNS operations.”
- SPF Record Validation - A web-based tool recommended on BIND-users. “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”
- ZSU - From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon.
- nsdiff - Posted on BIND-users: “My program nsdiff is useful for copying dynamic zones from from an existing master to a new master without faffing around with
rndc freeze. On the new master, run nsdiff -m oldmaster -s localhost myzone | nsupdate -l and it will axfr the zone from the oldmaster and copy it into the new.” - Tony Finch
- DNS dist - Described in this blog post.
- DNSPERF & RESPERF - These open source tools from Nominum are classic DNS performance testing utilities. DNSPERF is now being maintained by DNS-OARC.
- Munin BIND9 Stats plug-in - Check out the other stuff in Shumon Huques Github repo while you’re there
- Grafana dashboard for BIND 9 - Posted by Christian Calin, ~2017.
- Prometheus exporter for BIND 9 - Published by Digital Ocean in 2016.
- Flamethrower - functional test tool for DNS by @NS1
- aDNS masterfile - from Tony Finch, queries the contents of a DNS zone file
- DROOL - replay PCAPS, from DNS-OARC
- zmap/zdns - cli tool for high speed dns lookups
- The DNS Measurement Factory tools - The Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdump, and several applications for collecting and displaying DNS statistics; dnstop, DSC (DNS Statistics Collector), and Traffic Gist.
- Net DNS - Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.
- Query-loc - A program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks which implement this scheme in the ADDRESSES file.
- Root Canary - An online tool to see which DNSSEC-signing algorithms your resolver can validate.
- Microsoft ccTLD Registry Security Scan - apply via email - At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented a new free service they are offering to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems. The results are reported privately to the ccTLD requesting the scan.
- DNSSEC Zone Key Tool - ZKT is a tool to manage keys and signatures for DNSSEC-zones.
- GetDNS - At the Spring 2014 DNS-OARC workshop, NLNet Labs introduced their new DNS API, GetDNS. This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications, such as, for example, DKIM.
- Secure Domain Name System (DNS) Deployment Guide from the US Department of Commerce, National Institute of Standards and Technology (NIST), September, 2013.
- Team Cymru Secure BIND Template, updated August 2012.
- DNSSEC Troubleshooting tutorial (using dig), delivered at NANOG52 by Michael Sinatra, Energy Sciences Network (ESNET).
- How to configure your BIND resolvers to lie using Response Policy Zones (RPZ), by Jan-Piet Mens, April 2011.
- Installing BIND on Windows
- DNS Best Practices, Network Protection, and Attack Identification, from the Cisco Systems website, undated but refers to BIND 9.5.
- NZOG 2013 DNSSEC Workshop, taught by Joe Abley and Phil Regnauld; someone helpfully posted several how-tos from the class.
- BIND-users FAQ, by Doug Barton. How to get the most from this resource.
- Unofficial comp.protocols.tcp-ip.domains FAQ.
- “Running BIND9 in a chroot cage using NetBSD 1.6.2”, by Tim Roden.
- Article from the GnuDIP project “Having Your Own Domain Name with a Dynamic IP Address.”
- Article (in French) from Nicholas Cuissard about issues arising from the conflict between DHCPv4 client-identifier and DHCPv6 DUID.
“RFC 2317 Delegations for IPv4 Blocks Less Than /24,” by Doug Barton.
Michael W. Lucas’s DNSSEC Mastery, which was recommended on bind-users.
The DHCP Handbook, 2nd Edition, by Ralph Droms and Ted Lemon.
ISOC State of DNSSEC Deployment report (2016).
APNIC Chief Scientist Geoff Huston’s presentations on his research, quite a bit of which is on the DNS.
List of Free Public DNS Servers (possibly useful when troubleshooting your own) from Lifewire.com.
DNS-BH Malware domain blocklist. This is an open source list of bad domains you can use, e.g. with RPZ.
Council of European Top-Level Domains, note the handy summaries of all of the IETF and ICANN meetings you didn’t manage to attend.
ISOC DNSSEC Resources. Actively maintained resource with videos, how-to’s and deployment data.
A comprehensive listing of DNSSEC-related tools is available from DNSSEC.Net.