dns-violations / dnsflagday

DNS flag day
https://dnsflagday.net/

Testing multiple domains #29

Closed frnkblk closed 5 years ago

frnkblk commented 5 years ago

I'd like to test all my customers' and partners' domains -- is there an online tool that I can use to dump a long list and have them tested?

pspacek commented 5 years ago

Yes, we have a tool for this: https://gitlab.labs.nic.cz/knot/edns-zone-scanner/

Input has the form of a zone file, so you can create a "fake root" zone with the delegations you want to test. Example:

.           18000   IN  SOA . . 0 0 0 0 0
.           18000   IN  NS  l.root-servers.net.
example.com.        18000   IN  NS  a.iana-servers.net.
example.com.        18000   IN  NS  b.iana-servers.net.
example.net.        18000   IN  NS  a.iana-servers.net.
example.net.        18000   IN  NS  b.iana-servers.net.

You have to list NS records for each delegation you want to test in the zone file. It is a bit inconvenient, but it makes the test much more reliable and gets around a bunch of problems with unreliable NS queries.

Documentation is here: https://gitlab.labs.nic.cz/knot/edns-zone-scanner/tree/master/doc

Let me know if you encounter any problems using the tool, preferably using https://gitlab.labs.nic.cz/knot/edns-zone-scanner/issues . Have fun!

frnkblk commented 5 years ago

Sorry, I should have been more clear -- we don't host most of these customers' zones, but we want to test them as a courtesy.

pspacek commented 5 years ago

If you want, you can use this procedure on any zone - the only thing needed is to find out the NS records for them. You can just use whatever is produced by dig zone NS + the header listed in my previous comment.

The procedure using dig assumes you want to test child-side NS records. Obtaining parent-side NS records is more complicated.

Unfortunately there is no simple answer or recommendation on how to obtain NS records, because it depends on what you want to test, and de-synchronized NS records between parent and child zones make things complicated.
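The procedure described in the two comments above (fake-root header plus one NS record per delegation, with child-side NS names taken from dig) written out as a small shell script. This is an added example, not code from the edns-zone-scanner project; it assumes dig is installed, uses dig +short instead of the full dig answer section, and reuses the header's TTL of 18000 for every generated record.

```shell
# Added example (not the edns-zone-scanner project's code): build the
# "fake root" zone for edns-zone-scanner from a list of domains.
# Assumes dig (bind9-dnsutils) is available and reachable resolvers.

# Header of the fake root zone, as listed in the comment above.
zone_header() {
    printf '%s\n' \
        '.           18000   IN  SOA . . 0 0 0 0 0' \
        '.           18000   IN  NS  l.root-servers.net.'
}

# Turn "<zone> <nameserver>..." lines (one per domain) into NS records.
# Names are normalised to a trailing dot so the scanner sees FQDNs,
# and the header's TTL (18000) is reused for every delegation.
delegation_records() {
    while read -r zone nss; do
        [ -n "$zone" ] || continue
        case "$zone" in *.) ;; *) zone="$zone." ;; esac
        for ns in $nss; do
            case "$ns" in *.) ;; *) ns="$ns." ;; esac
            printf '%s\t18000\tIN\tNS\t%s\n' "$zone" "$ns"
        done
    done
}

# Query the child-side NS records for each domain in file "$1"
# (one domain per line) and print "<domain> <ns...>" lines.
# dig +short prints ";; ..." diagnostics on failure; those are dropped,
# and a domain with no NS answer (not a zone apex, or a timeout) is skipped.
lookup_ns() {
    while read -r domain; do
        [ -n "$domain" ] || continue
        nss=$(dig +short "$domain" NS | grep -v '^;' | tr '\n' ' ')
        [ -n "$nss" ] || { echo "no NS answer for $domain, skipping" >&2; continue; }
        printf '%s %s\n' "$domain" "$nss"
    done < "$1"
}

# Usage: build_fake_root domains.txt > fake-root.zone
build_fake_root() {
    zone_header
    lookup_ns "$1" | delegation_records
}
```

Parent-side NS records, as the comment notes, are not what dig returns here; to test those you would have to query the parent zone's servers instead and feed the result into delegation_records yourself.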

frnkblk commented 5 years ago

Thanks. What about a form on the dnsflagday site where we can submit a bunch of domains to get tested and we are shown or emailed the results?

pspacek commented 5 years ago

I can see your ask, but we do not have the resources to do that ourselves. If anyone has the capacity to provide such a service, I will happily add a link to it.