Querying the health of your domain and DNS

Sunday, November 30th, 2008 at 5:42 pm | 3,799 views | trackback url
Tags:

I run a lot of domains for clients, Open Source projects and my own pet projects… and keeping them all registered, updated and proper zone files for forward and reverse DNS can be complicated. I run my own DNS, and would never trust a third-party to do it again. I used to use a third-party to manage my DNS, but their web-based system was clunky and wasn’t as fast as I needed it to be.

But checking the quality of your DNS records is another matter entirely. For example, there’s a huge difference between writing HTML, and writing valid HTML. This is why HTML validation exists.

Likewise, there is also a need for “DNS validation”. Enter DNS health and checking tools.

Previously, I used a free service called “DNS Report” from DNS Stuff, and it worked great… but decided to go non-free, and requires subscription to get to the same report data that they used to provide gratis. Seems that whenever someone feels they can charge for something, they do.

I’ve been seeking out another alternative, something free and full-featured. There are quite a few, and some are shady… but here’s the list I’ve found, along with my personal review of their “quality”:

CheckDNS

http://www.checkdns.net/

This is a no-frills DNS checking service. It basically gives you a quick rundown of your domain through the root servers, your local nameservers, the version correlation (making sure the serial in your zone file matches), your webserver and your mail server.

Pros: It just works, plain-jane simple. I wish it had more detail like the ability to check reverse DNS, traceroute, check route status, rate the speed to resolve DNS queries and so on.

Cons: No suggestions for resolving anything marked as an issue or conflict. If you know DNS inside and out, the errors are obvious, but if you don’t… it can be cryptic. For example, my mailserver is greylisting all incoming connections, so it will return a 421 response instead of the expected 250 response. Their incoming probe looks like the following to my DNS server:

Nov 30 15:53:15 neptune sm-mta[11904]: mAUKrEPP011904: Milter: from=, reject=421 4.3.2 graylisted - please try again later

intoDNS

http://www.intodns.com/

Pros: Simple and fast. The results it returns are very similar and almost identical to the ones provided by DNSReport. Here is one example against one of my most heavily-hit domains; plkr.org.

Cons: No real details on how to fix the issues it reports. It may report that your SOA refresh is not correct, but lacks any recommendations on how to fix it (i.e. increase/decrease the timeout, etc.)

ZoneCheck

http://www.zonecheck.fr/

Pros: Fast, clean and tests a lot of various bits about your DNS: SOA, coherence, serial, illegal characters, ip-to-ns matching and so on. Very thorough.

Cons: While it is powerful, the resulting report isn’t exactly the most user-friendly, and the initial interface is… well, clunky as well.

Here’s a sample of the output from one of my domains:

     Testing: misused '@' characters in SOA contact name (IP=72.36.135.42)
     Testing: illegal characters in SOA contact name (IP=72.36.135.42)
     Testing: serial number of the form YYYYMMDDnn (IP=72.36.135.42)
     Testing: SOA 'expire' between 1W and 6W (IP=72.36.135.42)
     Testing: SOA 'minimum' between 3M and 1W (IP=72.36.135.42)
     Testing: SOA 'refresh' between 1H and 2D (IP=72.36.135.42)
     Testing: SOA 'retry' between 15M and 1D (IP=72.36.135.42)
     Testing: SOA 'retry' lower than 'refresh' (IP=72.36.135.42)
     Testing: SOA 'expire' at least 7 times 'refresh' (IP=72.36.135.42)
     Testing: SOA master is not an alias (IP=72.36.135.42)
     Testing: behaviour against AAAA query (IP=67.126.192.9)
     Testing: coherence between SOA and ANY records (IP=72.36.135.42)
     Testing: SOA record present (IP=67.126.192.9)
     Testing: SOA authoritative answer (IP=67.126.192.9)
     Testing: coherence of serial number with primary nameserver (IP=72.36.135.42)
     Testing: coherence of administrative contact with primary nameserver (IP=72.36.135.42)
     Testing: coherence of master with primary nameserver (IP=72.36.135.42)
     Testing: coherence of SOA with primary nameserver (IP=72.36.135.42)
     Testing: NS record present (IP=72.36.135.42)
     Testing: NS authoritative answer (IP=72.36.135.42)
     Testing: given primary nameserver is primary (IP=67.126.192.9)

And the results from that:

Test results
  ---- warning ----
   w: Reverse for the nameserver IP address doesn't match
     * ns.plkr.org./72.36.135.42
     * ns2.plkr.org./67.126.192.9

   w: [TEST delegated domain is not an open relay]: Mail error (Unexpected closing of connection)
     * generic

   w: [TEST can deliver email to 'postmaster']: Mail error (Unexpected closing of connection)
     * generic

   w: [TEST domain of the hostmaster email is not an open relay]: Mail error (Unexpected closing of connection)
     * generic

  ---- fatal ----

   f: [TEST can deliver email to hostmaster]: Mail error (Unexpected closing of connection)
     * generic

Final status

   FAILURE (and 5 warning(s))

Network Tools

http://network-tools.com/

Pros: You get what you get. Just information, in a raw, unstructured way.

Cons: Clunky, inconsistent GUI, information returned is returned haphazardly, in a very unstructured and unintuitive way.

iptools

http://www.iptools.com/

Pros: Lots of tools to check the health of your domain, dns, dns records, IP, routing and so on.

Cons: Bad colors and an unstructured user experience.

The UI could use a bit of work and the blue and white is a bit painful on the eyes, but you get what you get. They’re basically using OSS and other tools under the hood to make this work (dig, in at least one case). This could leave them subject to some interesting exploits.

DNS Tools from Domain Tools

http://dns-tools.domaintools.com/

Pros: It is what it is, another plain-jane DNS query service. It allows you to ping, traceroute and report on the zone records for the domain you enter.

Cons: Too basic, not very useful above and beyond what I can do on my own from my own server.

This one, like some of the others, just wraps common OSS tools to query DNS records, and presents them in an unstructured, “raw” format. No attempts to make any suggestions or recommendations to any issues that are reported.

Free DNS Report

http://www.dnscolos.com/dnsreport.php

This looks suspiciously-similar to DNS Report’s older UI. Some have suggested that this is a scam site, harvesting domains for parking or hijacking by poisoning the DNS of misconfigured domains. Mine domains are fine and secured, so I don’t mind testing them through this.

Pros: They actually do provide some basic recommendations to help resolve issues that are reported.

Cons: Not enough detail or depth on the DNS, zone, MX or domain itself. It is about 1/4 of what dnsreport was.

You Get Signal

http://www.yougetsignal.com/

Pros: Positive marks for the most-unique and humorous domain name. You can do ping, visual traceroute, reverse domain lookups, port-forwarding tester and so on. Not as full-featured as some of the others, but the information provided is somewhat structured in nature.

Cons: They made some good attempts at structure and visual appeal. They could use a bit more polish and more tools to round out the “suite” they provide, but it is what it is. The interface does “overlap” in places, tucking the output underneath other bits of the HTML and the maps, but you can select the text in your browser and paste it elsewhere to read it if you want.

Conclusions

While a lot of the tools make attempts to provide what you need to make sure your domains, MX, IP, routing and so on is correct, none of them really match what dnsreport used to provide for free. If I had to choose one out of the list above, I would choose intoDNS for First Place and CheckDNS for a close Second Place.

Ultimately, I may just write my own to do this, and make it spiffy. That’s the worst part about being in “First Place” (as dnsreport was): It’s easy to see where you missed the market, and open up a field for competition to dive in and take it from you.

I did something similar for my SEO keyword analysis tool. I was so frustrated with the inferior, broken alternatives out there… that I just wrote my own. Free, gratis, go play and have fun. It works for me and that’s why I wrote it.

Last Modified: Sunday, November 30th, 2008 @ 17:42

2 Responses to “Querying the health of your domain and DNS”

  1. Don’t forget http://www.ultratools.com – Neustar has a free Domain Health Report you can run, plus free IP tools, too.

  2. Anything that says “free” and requires me to create an account or provide an email address, contact information or other demographic/identifying information, is not free. I tried to use this, but it won’t work without that requirement. Yuck.


Leave a Reply

You must be logged in to post a comment.

Bad Behavior has blocked 491 access attempts in the last 7 days.