DNS domains and servers testing
Slavko Gajin, slavko.gajin@rcub.bg.ac.rs
AMRES – Academic Network of Serbia
RCUB – Belgrade University Computer Center
ETF – Faculty of Electrical Engineering
TF-NOC, 11.10.2011

Motivation
- DNS – the first and still the basic infrastructural network service
- Must be always up and running
- Multi-redundant
- DNS is “boring” for netadmins compared to other, newer services
- Usually works well, at least nobody complains…
- Do ALL our servers work well, or work at all?
- DIG can give all the answers… but it is highly difficult to cross-check and analyze a lot of textual data

Solution
- DNS testing tools: DNS Squish, DNS Sleuth, DNS Stuff, DNSgoodies
- ICmyNet.DNS: automatically tests all DNS servers involved in resolution for a specified domain, including all servers on all parent domains
- Free online service (beta) – live.icmynet.com/icmynet-dns

ICmyNet.DNS Checks
- More than 35 different checks at domain and server level
- Reported levels:
  - Notification – information about normal conditions
  - Warning – minor errors, non-compliant with the standards and recommendations
  - Error – serious but not critical errors; the service is still working
  - Critical – critical errors which cause service misbehavior or interruption

Warnings
SOA syntax and parameters
- SOA record has invalid syntax: primary nameserver name is invalid.
- Refresh interval is not in the recommended range (1200 - 43200s).
- Retry interval is not in the recommended range (900 - 7200s).
- Expire time is not in the recommended range (1209600 - 2678400s).
- Minimum TTL is not in the recommended range (3600 - 10800s).
CNAME, A record, PTR record
- DNS/Mail server server-name has CNAME record.
- server-name server does not have an A record on the primary server.
- There is no PTR record for name server name.
- Reverse name reverse-name for server server-name has CNAME record.
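The SOA and CNAME/A warnings above are simple to reproduce from the textual output the slides say is hard to cross-check by hand. The following is an added example, not code from the slides or from ICmyNet.DNS: it parses the one-line output of `dig +short SOA zone`, applies the recommended ranges listed above, and checks a server name for the CNAME/missing-A conditions. The dig output and the record set are constructed sample data; names and functions are this example's own.

```python
"""Added example: SOA parameter and CNAME/A checks in the wording of the slides.
Input is the single line printed by `dig +short SOA zone`:
    mname rname serial refresh retry expire minimum
"""
import re
from typing import Dict, List

# Recommended ranges in seconds, as stated on the slide.
SOA_RANGES = {
    "refresh": (1200, 43200),
    "retry": (900, 7200),
    "expire": (1209600, 2678400),
    "minimum": (3600, 10800),
}

# Hostname label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Syntax check for the SOA primary nameserver (mname) field."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_soa(dig_short: str) -> Dict[str, object]:
    """Split a `dig +short SOA` line into named SOA fields."""
    fields = dig_short.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    return {"mname": fields[0], "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}


def check_soa(soa: Dict[str, object]) -> List[str]:
    """Return the SOA warnings from the slide that apply to this record."""
    warnings: List[str] = []
    if not valid_hostname(str(soa["mname"])):
        warnings.append("SOA record has invalid syntax: primary nameserver name is invalid.")
    labels = {"refresh": "Refresh interval", "retry": "Retry interval",
              "expire": "Expire time", "minimum": "Minimum TTL"}
    for key, (lo, hi) in SOA_RANGES.items():
        if not lo <= int(soa[key]) <= hi:
            warnings.append("%s is not in the recommended range (%d - %ds)."
                            % (labels[key], lo, hi))
    return warnings


def check_server_records(server: str,
                         records: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """CNAME / missing-A warnings for a name server or mail server name, given the
    RRsets seen on the primary as name -> {rrtype: [rdata, ...]} (constructed format)."""
    rrsets = records.get(server, {})
    out: List[str] = []
    if rrsets.get("CNAME"):
        out.append("DNS/Mail server %s has CNAME record." % server)
    if not rrsets.get("A"):
        out.append("%s server does not have an A record on the primary server." % server)
    return out


# Constructed sample: retry too short, expire too long.
SAMPLE_DIG_OUTPUT = "ns1.example.org. hostmaster.example.org. 2011101101 3600 600 4000000 3600"

# Constructed sample RRsets as seen on the primary.
SAMPLE_RECORDS = {
    "ns1.example.org.": {"A": ["198.51.101.1"]},
    "mail.example.org.": {"CNAME": ["host.example.org."]},
}

if __name__ == "__main__":
    for msg in check_soa(parse_soa(SAMPLE_DIG_OUTPUT)):
        print("WARNING:", msg)
    for msg in check_server_records("mail.example.org.", SAMPLE_RECORDS):
        print("WARNING:", msg)
```

To run it against a live zone, feed `dig +short SOA zone @server` output to `parse_soa`; comparing the result across every authoritative server is what catches the unsynchronized-SOA case shown later in the deck.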
Mail servers
- Mail servers mail server 1 and mail server 2 … and mail server N have the same IP address.
AS, subnets, public address
- All DNS servers are in the same AS.
- All DNS servers are in the same subnet.
- All DNS servers have the same C class.
- Mail server does not have a public IP address.
NS
- NS records of the primary server do not match the list of authoritative servers.

Errors
Public zone transfer – security risk
- Server supports public zone transfer for domain domain.
Recursion
- Server supports recursion for domain domain.
No mail servers
- No mail servers found.
A record
- server-name server does not have an A record on the primary server.
- A Records for servers name1, name2, … , nameN have the same IP address.
- There is no A Record on the primary DNS server for mail server mail-server.
- Server does not have a public IP address.
Consistency with the parent servers
- Server server-name is authoritative and parents are referring to it but it is not defined on the primary server (Stealth server).
SOA
- Unable to determine primary DNS server.
NS TTL
- Time to live (TTL) differs from the primary server.

Critical errors
UDP/TCP response
- Server did not respond over the UDP protocol.
- Server did not respond over the TCP protocol.
SOA
- SOA version number is different from the primary server.
Authority
- Server is not authoritative for domain domain.
Consistency with the parent servers
- There is no A Record (Glue Record) for server name at the parent zone.
- Server server-name is not authoritative but parents are referring to it.
- Server server-name is authoritative but parents are not referring to it (Stealth server).
- A Records from parents and zone for server name do not match.
Mail server
- MX record has invalid syntax.
- A Record for mail server differs from the A Record of the server-domain domain's primary server.
Loop
- number loop(s) found.
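The placement checks (same AS, same subnet, same class C, duplicate and non-public addresses) are all decidable from the address list alone once the origin AS of each server is known. The following is an added example, not part of the slides or of ICmyNet.DNS: it runs those checks over constructed name-server and mail-server address sets. The AS numbers are supplied as input (looking them up via whois or a routing table is outside the example), the routed subnet prefix length is assumed to be known, and all names and addresses are constructed sample values.

```python
"""Added example: AS / subnet / class C / duplicate / public-address checks
from the Warnings and Errors slides, over constructed sample data."""
import ipaddress
from typing import Dict, List, Optional


def check_dns_server_placement(ns_addrs: Dict[str, str],
                               ns_asn: Optional[Dict[str, int]] = None,
                               subnet_prefix: int = 24) -> List[str]:
    """ns_addrs: server name -> IP address.
    ns_asn: server name -> origin AS (assumed supplied by the caller).
    subnet_prefix: prefix length of the site's routed subnet (assumed known);
    the class C check is always a /24."""
    messages: List[str] = []
    if len(ns_addrs) < 2:
        return messages  # redundancy checks need at least two servers
    ips = [ipaddress.ip_address(a) for a in ns_addrs.values()]
    if ns_asn is not None and len({ns_asn[name] for name in ns_addrs}) == 1:
        messages.append("All DNS servers are in the same AS.")
    subnets = {ipaddress.ip_network("%s/%d" % (ip, subnet_prefix), strict=False) for ip in ips}
    if len(subnets) == 1:
        messages.append("All DNS servers are in the same subnet.")
    class_c = {ipaddress.ip_network("%s/24" % ip, strict=False) for ip in ips}
    if len(class_c) == 1:
        messages.append("All DNS servers have the same C class.")
    for name, ip in zip(ns_addrs, ips):
        # Caveat: ipaddress treats RFC 5737 documentation ranges (192.0.2.0/24 etc.)
        # as not globally reachable, so do not use them as "public" test values.
        if not ip.is_global:
            messages.append("Server %s does not have a public IP address." % name)
    return messages


def check_mail_servers(mx_addrs: Dict[str, str]) -> List[str]:
    """mx_addrs: mail server name -> IP address. Reports non-public addresses
    and groups of mail servers sharing one address."""
    messages: List[str] = []
    by_ip: Dict[str, List[str]] = {}
    for name, addr in mx_addrs.items():
        by_ip.setdefault(addr, []).append(name)
        if not ipaddress.ip_address(addr).is_global:
            messages.append("Mail server %s does not have a public IP address." % name)
    for addr, names in by_ip.items():
        if len(names) > 1:
            messages.append("Mail servers %s have the same IP address."
                            % " and ".join(sorted(names)))
    return messages


# Constructed samples (AS numbers from the RFC 5398 documentation range).
SAMPLE_NS = {"ns1.example.org": "198.51.101.1", "ns2.example.org": "198.51.101.2"}
SAMPLE_NS_ASN = {"ns1.example.org": 64496, "ns2.example.org": 64496}
SAMPLE_MX = {"mx1.example.org": "198.51.101.10",
             "mx2.example.org": "198.51.101.10",
             "mx3.example.org": "192.168.1.25"}

if __name__ == "__main__":
    for msg in check_dns_server_placement(SAMPLE_NS, SAMPLE_NS_ASN):
        print("WARNING:", msg)
    for msg in check_mail_servers(SAMPLE_MX):
        print("WARNING:", msg)
```

The subnet check takes a prefix length because the actual routed subnet is not visible in DNS data; with the default /24 it coincides with the class C check, which is why a real deployment would feed it the site's addressing plan.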
Example slides (screenshots, not transcribed): Healthy domain; Stealth servers; Unsynchronized SOA; Server is not responding; Non-authoritative server; Loops

What next?
- Receive and analyze the feedback
- Clean up some bugs
- Improve functionality – new tests

New research
- PhD project – DNS testing portal
  - Testing as many domains as possible
  - Report warnings/errors/critical errors to DNS admins
  - Portal for DNS admins: change settings, schedule tests, specify reporting, opt out of the reporting
- Goals
  - Spread awareness about DNS problems before they appear
  - Initiate a wide DNS clean-up
- Target group – NREN members
  - Support the project by providing a list of domains of NREN members

Questions
slavko.gajin@rcub.bg.ac.rs
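The Critical errors slide and the example slides (stealth servers, unsynchronized SOA, server not responding, non-authoritative server) all come down to comparing three views of one zone: the parent's delegation with its glue, the NS set and SOA serial on the primary, and what each server actually answered. The following is an added example, not the tool's own code: it takes those three views as constructed input (the probing itself, i.e. the UDP/TCP SOA queries, is assumed to have been done already) and emits the slide's classifications per server, including both kinds of stealth server, lame delegation, glue mismatches and SOA version (serial) drift. All names, addresses and serials are constructed sample values.

```python
"""Added example: per-server classification of a zone against its delegation,
in the wording of the Errors / Critical errors slides. Loop detection is not covered."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServerAnswer:
    """What a probe of one server returned (constructed input, not a live query)."""
    responded_udp: bool
    responded_tcp: bool
    authoritative: bool = False   # AA flag on the SOA answer
    serial: Optional[int] = None  # SOA version number the server serves


@dataclass
class ZoneView:
    domain: str
    parent_ns: Dict[str, Optional[str]]   # delegation NS name -> glue A (None if no glue)
    primary_ns: Dict[str, Optional[str]]  # NS set on the primary -> A record in the zone
    primary_serial: int                   # SOA serial on the primary
    answers: Dict[str, ServerAnswer]      # server name -> probe result


def classify(zone: ZoneView) -> Dict[str, List[str]]:
    """Return {'error': [...], 'critical': [...]} for every server named by either
    the parent delegation or the primary's NS set."""
    out: Dict[str, List[str]] = {"error": [], "critical": []}
    for s in sorted(set(zone.parent_ns) | set(zone.primary_ns)):
        in_parent, in_zone = s in zone.parent_ns, s in zone.primary_ns
        ans = zone.answers.get(s)
        if ans is None or not ans.responded_udp:
            out["critical"].append("Server %s did not respond over the UDP protocol." % s)
        if ans is None or not ans.responded_tcp:
            out["critical"].append("Server %s did not respond over the TCP protocol." % s)
        if ans is None:
            continue  # nothing more can be said about a silent server
        if not ans.authoritative:
            out["critical"].append("Server %s is not authoritative for domain %s." % (s, zone.domain))
            if in_parent:  # lame delegation
                out["critical"].append("Server %s is not authoritative but parents are referring to it." % s)
        else:
            if in_parent and not in_zone:
                out["error"].append("Server %s is authoritative and parents are referring to it "
                                    "but it is not defined on the primary server (Stealth server)." % s)
            if in_zone and not in_parent:
                out["critical"].append("Server %s is authoritative but parents are not referring to it "
                                       "(Stealth server)." % s)
            if ans.serial != zone.primary_serial:
                out["critical"].append("SOA version number on %s is different from the primary server." % s)
        # Glue is only required for in-bailiwick names (inside the delegated domain).
        if in_parent and s.endswith("." + zone.domain):
            glue = zone.parent_ns[s]
            if glue is None:
                out["critical"].append("There is no A Record (Glue Record) for server %s at the parent zone." % s)
            elif in_zone and zone.primary_ns[s] != glue:
                out["critical"].append("A Records from parents and zone for server %s do not match." % s)
    return out


# Constructed sample zone exercising one case per check.
SAMPLE_ZONE = ZoneView(
    domain="example.org",
    parent_ns={"ns1.example.org": "198.51.101.1",
               "ns2.example.org": "198.51.101.2",
               "ns3.other-net.example": None,       # out of bailiwick, no glue needed
               "ns5.example.org": "198.51.101.5"},
    primary_ns={"ns1.example.org": "198.51.101.1",
                "ns2.example.org": "198.51.101.9",   # zone A differs from glue
                "ns4.example.org": "198.51.101.4"},  # not delegated by the parent
    primary_serial=2011101101,
    answers={
        "ns1.example.org": ServerAnswer(True, True, True, 2011101101),
        "ns2.example.org": ServerAnswer(True, False, True, 2011100901),  # no TCP, stale serial
        "ns3.other-net.example": ServerAnswer(True, True, False, None),  # lame
        "ns4.example.org": ServerAnswer(True, True, True, 2011101101),   # stealth, critical
        "ns5.example.org": ServerAnswer(True, True, True, 2011101101),   # stealth, error
    },
)

if __name__ == "__main__":
    for level, msgs in classify(SAMPLE_ZONE).items():
        for msg in msgs:
            print("%s: %s" % (level.upper(), msg))
```

In practice the `answers` table is what a scanner fills in by sending the same SOA query over UDP and TCP to every server from both lists; everything else in the classification is a pure comparison, which is what makes these checks cheap to run across many domains as the portal plan above proposes.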