These are a few of the tools we use, and a few web sites that document many more tools. At the bottom is a list of books and other information resources. Please note that it is your responsibility to check the licensing terms of any software you download. We welcome suggestions for additions, or deletions (let us know if something we are linking to is inaccurate), or broken links. Send any suggestions or corrections to web-request at isc dot org.
DNS Tools
DNS Traversal checker
IPv4 only, but we find it a very useful tool. http://dns.squish.net
BIND9.net Tools Directory
Jacco Tunnissen’s http://www.bind9.net site has a huge list of related tools and resources
The Measurement Factory tools
The Measurement Factory offers several tools for DNS, including dnsdump, a Perl script like tcpdump, and several applications for collecting and displaying DNS statistics; dnstop, DSC (DNS Statistics Collector), and Traffic Gist.
DNSCheck
DNSCheck is a web site where you can submit a domain name, and the tool will run a number of checks, and report on delegation, consistency, connectivity, and DNSSEC signing. (This is being replaced by a new tool in development, called ZoneMaster)
DNSdist
Traffic distributor/load balancer written specifically for DNS traffic by Bert Hubert of PowerDNS. http://dnsdist.org/. Described in this blog post.
DNSPERF
This open source tool from Nominum is the classic DNS performance testing utility. It is also included in the BIND contribs directory.
DNSstuff
Web-based tools for domain checking, TLD look-up, DNS caching look-up from DNSstuff.com
SPF Record Testing
Web-based tool recommended on BIND-users, http://www.kitterman.com/spf/validate.html. “These tools are meant to help you deploy SPF records for your domain. They use an actual RFC 7208 compliant library (pyspf) for tests and will dynamically test for processing limit errors (no other testers I’m aware of do this).”
Gadmin-bind, GUI for BIND
From the Debian package description “gadmin-bind is an easy to use GTK+ frontend for ISC BIND. It handles multiple domains and can switch from master to slave domain in three clicks. It can change the domain name for entire domains and subdomains, including domain resources such as MX, A, AAAA, CNAME, and NS. gadmin-bind can also generate and set up secret keys for rndc, construct a chroot environment, and handle DDNS operations.”
On-line domain checker. You enter the domain name and IntoDNS performs some checks on the glue, NS records, server health, SOA/TTLS, MX and WWW records.
Kloth.net
Kloth.net has half a dozen or so networking tools, including the ability to find your IP, query WHOIS, DNS lookup, ping, traceroute, or translate/convert an IP V4 address between dotted quad, decimal, hex and binary, do a PTR reverse lookup in the DNS, and search for location information, among others.
Microsoft ccTLD Registry Security Scan
At the DNS-OARC Spring 2014 workshop in Warsaw, Microsoft presented on a new free service they are offing to ccTLDs. Microsoft is offering a scan of ccTLD registry sites for a range of common security vulnerabilities. Since launching this, they have scanned 7 ccTLDs already and found over 130 serious security problems. The results are reported privately to the ccTLD requesting the scan. Apply via email. Read about this program here.
Net::DNS
“Net::DNS is a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script.”
nsdiff
Posted on BIND-users: “My program nsdiff (http://dotat.at/prog/nsdiff) is useful for copying dynamic zones from from an existing master to a new master without faffing around with `rndc freeze`. On the new master, run nsdiff -m oldmaster -s localhost myzone | nsupdate -l
and it will axfr the zone from the oldmaster and copy it into the new.” – Tony Finch
nslint
NS lint is a utility written by Craig Leres of the Lawrence Berkeley National Laboratory, University of California, that checks your BIND zone files for errors. The current version is available via anonymous ftp: ftp://ftp.ee.lbl.gov/nslint.tar.gz
Passive DNS
Passive DNS is a tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics.
Query-loc
query-loc: a program to retrieve and display the location information in the DNS. From Stéphane Bortzmeyer. It uses the algorithms described in RFC 1876 (and RFC 1101 to get the network names). You can find examples of networks wchich implement this scheme in the ADDRESSES file. Its official home is <http://github.com/bortzmeyer/query-loc/>.
ZSU
From the Comprehensive Perl Archive Network, a Zone Serial Update tool by Andras Salamon.
Zonemaster.se
Zonemaster, developed by IIS and AFRINIC, is a web-based zone checker. It will run a number of health checks on a domain, including DNSSEC but also basic checks for accessibility, consistency, delegation and basic security. Zonemaster can also be used to test an undelegated domain (for example, prior to registering it). Zonemaster will save the history from prior scans, useful for troubleshooting problems.
DNSSEC
Verisign DNSSEC debuggerISOC DNSSEC ResourcesActively maintained resource with videos, how-to’s and deployment data. DNSSEC.NetA comprehensive listing of DNSSEC-related tools is available from DNSSEC.Net. DNSSEC Zone Key ToolZKT is a tool to manage keys and signatures for DNSSEC-zones. More details are available at http://www.hznet.de/dns/zkt/ DNSVizDNSViz provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool. DRILLDrill is a very useful tool from NLNet Labs. It was designed with DNSSEC in mind and is a useful debugging/query tool for DNSSEC. GetDNSAt the Spring 2014 DNS-OARC workshop, NLNet Labs introduced their new DNS API, GetDNS. This API, and the library that implements it, are intended to provide access to DNSSEC validation to higher-level (non-DNS) applications, such as, for example, DKIM. RIPE NCCDNS key management tools for BIND 9 from RIPE NCC DNSSEC validator from cz.NICBrowser plug-in that does DNSSEC validation from your desktop. This is simple to install, simple to use and it gives you feedback right in your browser telling you whether the site you are connected to is DNSSEC signed. Currently supports Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Apple Safari browsers. Download from Mozilla or from cz.NIC. |
DHCP and IPv6
BT Diamond IP IPv6 resources
- Excellent article posted on the Internet Society web site, “IPv6 Address Planning: Guidelines for IPv6 Address Allocation”, by Tim Rooney
- Simple on-line subnet calculator.
- IPv6 Address planner
DHCP Probe
dhcp probe attempts to discover DHCP and BootP servers on a directly-attached Ethernet network. A network administrator can use this tool to locate unauthorized DHCP and BootP servers.
ISC Forge
This is an open source validation environment for fully automated validation of DHCPv4 and DHCPv6 protocols compliance using Python, Lettuce and Scapy. The project is hoted on GitHub.
Kea ‘show leases’ script
Supports Kea 1.0. https://archive.mgm51.com/sources/kea-scripts.html
BIND9.net/dhcp
DHCP Resources page from BIND9.net
How-To Guides
- Secure Domain Name System (DNS) Deployment Guide from the US Department of Commerce, National Institute of Standards and Technology (NIST), September, 2013
- Team Cymru Secure BIND Template, updated August 2012
- DNSSEC Troubleshooting tutorial (using dig), delivered at NANOG52 by Michael Sinatra, Energy Sciences Network (ESNET)
- How to configure your BIND resolvers to lie using Response Policy Zones (RPZ), by Jan-Piet Mens, April 2011
- DNS Best Practices, Network Protection, and Attack Identification, from the Cisco Systems web site, undated but refers to BIND 9.5
- NZOG 2013 DNSSEC Workshop. Joe Abley and Phil Regnauld taught this, and someone helpfully posted several how-tos from the class.
- BIND-users FAQ, by Doug Barton. How to get the most from this resource.
- Unofficial comp.protocols.tcp-ip.domains FAQ.
- Seung-young Kim of OpenBIRD, Inc has written a DNS guide in Korean.
- “Running BIND9 in a chroot cage using NetBSD 1.6.2“, by Tim Roden
- Article on Installing A Bind9 Master/Slave DNS System on Debian (from 2006)
- Article from the GnuDIP project “Having Your Own Domain Name with a Dynamic IP Address”
- Article (in French) from Nicholas Cuissard about issues arising from the conflict between DHCPv4 client-identifier and DHCPv6 DUID.
- “RFC 2317 Delegations for IPv4 Blocks Less Than /24“, by Doug Barton
Books
- Cricket Liu’s classics, DNS and BIND, DNS and BIND Cookbook and DNS and BIND on IPv6 on Amazon.com (Kindle edition)
- Ron Aitchison’s DNS book “ProDNS and BIND” and DNS from Rocket Scientists
- Michael W. Lucas’s DNSSEC Mastery, which was recommended on bind-users.
- The DHCP Handbook, 2nd Edition, by Ralph Droms and Ted Lemon
Hard to Classify
- Rick Lamb’s DNSSEC Deployment Report
- APNIC Chief Scientist Geoff Huston’s presentations on his research, quite a bit of which is on the DNS.
- List of Free Public DNS Servers (possibly useful when troubleshooting your own) from About.com
- DNS-BH Malware domain blocklist. This is an open source list of bad domains you can use, e.g. with RPZ.
- LDAP driver for BIND from the Fedora team. We are working with them to accept this as a contribution, but in the mean time, here it is.
- Council of European Top-Level Domains, note the handy summaries of all of the IETF and ICANN meetings you didn’t manage to attend
- IANA DNS Parameters
