lstewart at superb
Mar 20, 2012, 1:53 PM
Post #1 of 4
(158 views)
Permalink
|
|
Looking for advice - Auditing zones on a set of name servers
|
|
Hi Everyone,
I'm looking for some advice here. I'm attempting to clean up a set of name
servers and have a list of domain names that should not actually be hosted
on those name servers. In some cases there are issues where there are
actually no NS records in a domain but it should be hosted on those name
servers. In some cases the name servers just aren't authoritative and the
domain should be removed. The name servers are all djbdns, not that it
matters a whole lot.
I'm wondering if anyone knows of some tools that I can use other than
homegrown ones that are a little more robust in terms of thinking of every
little possible issue for or against a domain than I can think of. Of a
list of domains that I marked for deletion some of them simply had little
problems but should not be deleted (rather just have their NS records
fixed). I also don't' want to pound on someone else's recursive name
servers or even the root name servers trying to audit ours since that's not
very nice. If anything I guess I could spread out the queries if I had the
right tools.
I wrote a quick script that looks up the NS records for a zone, then the A
records for those NS records and checks the resulting IP addresses against
a list of IP addresses that are our name servers. It's not quite doing all
I need it to do since sometimes we are authoritative but there are no NS
records or they are wrong. I'm also not sure beating on google's name
servers is a good idea either so you should fill in your OWN recursive name
servers instead f 8.8.8.8 and 8.8.4.4.
Thanks for reading! :-D
#!/usr/bin/perl
# No warranty or guarantee of fitness for any purpose or use. Do not use
# if you don't know what it does.
#
use strict;
use Net::Nslookup;
die ("Usage: $0 <zone list file>\n") if !$ARGV[0];
# Array of the IP addresses of YOUR name servers
my @goodns = (
"10.10.0.5",
"10.10.1.5",
);
open(F,"<$ARGV[0]") or die("Cannot open file: $ARGV[0]\n");
my @zonelist = <F>;
close(F);
chomp(@zonelist);
#####
# Cycle through each zone to find out if we are authoritative on one of the
IPs listed
# above in @goodns.
#####
foreach my $zone (@zonelist) {
# Sub 8.8.8.8 and 8.8.4.4 for your own recursive name server IP addresses
to
# avoid being rude to google's name servers if you are doing a lot of
lookups.
#
# Find the NS records for the zone
my @pns = nslookup(domain => $zone, type => "NS", server => [ '8.8.8.8',
'8.8.4.4'] );
# Cycle through each NS record and store an IP address for each
my @dns_a_records = ();
foreach my $ns (@pns) {
my $arr = nslookup(domain => $ns, type => "A", server => [ '8.8.8.8',
'8.8.4.4'] );
push(@dns_a_records,$arr);
}
#####
# If @dns_a_records contains stuff that's also in @goodns then it means
# we are probably authoritative in some way.
#####
my %goodns=map{$_ =>1} @goodns;
my %dns_a_records=map{$_=>1} @dns_a_records;
my @isect = grep( $goodns{$_}, @dns_a_records );
if (!@isect) {
@dns_a_records[0] = "NONE" if (!@dns_a_records);
# We are not authoritative - print the zone and ns record information
with a -
print "-:$zone: ".join(",",@pns)."\[".join(",", @dns_a_records)."\]\n";
} else {
# We are authoritative print it with a +
print "+:$zone: ".join(",",@pns)."\[".join(",", @dns_a_records)."\]\n";
}
}
# END
---
Landon Stewart <lstewart [at] superb <mailto"LStewart [at] Superb>>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": www.superb.net
|
