42wim / dt

DNS tool - display information about your domain

License: Apache License 2.0

Go 100.00%
dns dnssec information-extraction golang scanning diagnostics

dt's Introduction

dt

DNS tool that displays information about your domain.

Features

  • common records scanning (use -scan)
  • validate DNSSEC chain (use -debug to see more info)
  • change query speed for scanning (default 10 queries per second)
  • diagnostic of your domain (similar to intodns.com, dnsspy.io)
  • For implemented checks see #1

Feedback, issues and PRs are welcome.

Installing

Binaries

Binaries can be found here

Building

Go 1.17+ is required.

go install github.com/42wim/dt@master

You should now have the dt binary in the bin directory:

$ ls ~/go/bin/
dt

Usage

Usage:
        dt [FLAGS] domain

Example:
        dt icann.org
        dt -debug ripe.net
        dt -debug -scan yourdomain.com

Flags:
  -debug
        enable debug
  -json
        output in JSON
  -qps int
        queries per seconds (per nameserver) (default 10)
  -resolver string
        use this resolver for initial domain lookup (default "8.8.8.8")
  -scan
        scan domain for common records
  -showfail
        only show checks that fail or warn

Running

./dt ripe.net
NS                      |IP                     |LOC |ASN        |ISP                                      |rtt          |Serial     |DNSSEC |ValidFrom    |ValidUntil
a3.verisigndns.com.     |69.36.145.33           |US  |ASN 36617  |AGTLD - VeriSign Global Registry Service |6.312503ms   |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2001:502:cbe4::33      |US  |ASN 36622  |IGTLD - VeriSign Global Registry Service |12.844157ms  |1492613104 |valid   |10 hours ago |4 weeks from now
a1.verisigndns.com.     |209.112.113.33         |US  |ASN 36617  |AGTLD - VeriSign Global Registry Service |8.993407ms   |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2001:500:7967::2:33    |US  |ASN 36622  |IGTLD - VeriSign Global Registry Service |12.03051ms   |1492613104 |valid   |10 hours ago |4 weeks from now
a2.verisigndns.com.     |209.112.114.33         |US  |ASN 36619  |CGTLD - VeriSign Global Registry Service |103.03539ms  |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2620:74:19::33         |US  |ASN 36619  |CGTLD - VeriSign Global Registry Service |104.154197ms |1492613104 |valid   |10 hours ago |4 weeks from now
sns-pb.isc.org.         |192.5.4.1              |US  |ASN 3557   |ISC-AS - Internet Systems Consortium, In |5.563089ms   |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2001:500:2e::1         |US  |ASN 3557   |ISC-AS - Internet Systems Consortium, In |11.509454ms  |1492613104 |valid   |10 hours ago |4 weeks from now
sec3.apnic.net.         |202.12.28.140          |AU  |ASN 4777   |APNIC-NSPIXP2-AS Asia Pacific Network In |253.352975ms |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2001:dc0:1:0:4777::140 |AU  |ASN 4777   |APNIC-NSPIXP2-AS Asia Pacific Network In |266.28428ms  |1492613104 |valid   |10 hours ago |4 weeks from now
manus.authdns.ripe.net. |193.0.9.7              |NL  |ASN 197000 |RIPE-NCC-AUTHDNS-AS Reseaux IP Europeens |5.493287ms   |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2001:67c:e0::7         |NL  |ASN 197000 |RIPE-NCC-AUTHDNS-AS Reseaux IP Europeens |11.403502ms  |1492613104 |valid   |10 hours ago |4 weeks from now
tinnie.arin.net.        |199.212.0.53           |US  |ASN 393225 |ARIN-PFS-IAD - ARIN Operations, US       |94.890834ms  |1492613104 |valid   |10 hours ago |4 weeks from now
                        |2001:500:13::c7d4:35   |US  |ASN 53535  |ARIN-PFS-ANYCAST - ARIN Operations, US   |96.854587ms  |1492613104 |valid   |10 hours ago |4 weeks from now
DNSSEC
         OK: DNSKEY validated. Chain validated
NS
         OK  : NS of all nameservers are identical
         OK  : Multiple nameservers found
         OK  : Your nameservers are in different subnets.
         OK  : Nameservers are spread over multiple AS
         OK  : IPv4 and IPv6 nameservers found.
         OK  : All nameservers are authoritative.
         OK  : All nameservers report they are not allowing recursive queries.
         OK  : Your nameservers are also listed as NS at the parent nameservers
         OK  : Your parent nameservers are also listed as NS at your nameservers
         OK  : No CNAMEs found for your NS records
GLUE
         WARN: no glue records found for [2001:500:2e::1 192.5.4.1] in NS of parent net.
         WARN: no glue records found for [2620:74:19::33 2001:500:2e::1 199.212.0.53 2001:502:cbe4::33 2001:dc0:1:0:4777::140 209.112.113.33 69.36.145.33 202.12.28.140 2001:500:7967::2:33 209.112.114.33 192.5.4.1 2001:500:13::c7d4:35] in NS of ripe.net.
SOA
         OK  : SOA of all nameservers are identical
         WARN: Serial is not in the recommended format of YYYYMMDDnn.
         OK  : MNAME manus.authdns.ripe.net. is listed at the parent servers.
         OK  : Your nameservers have public / routable addresses.
MX
         OK  : MX of all nameservers are identical
         OK  : Multiple MX records found
         OK  : Your MX records have public / routable addresses.
         OK  : Your MX records resolve to different ips.
         OK  : No CNAMEs found for your MX records
         OK  : All MX records have reverse PTR records
Web
         OK  : Found a www record
         OK  : Found a root record
         OK  : Didn't find a CNAME for the root record
         OK  : Your www record has a public / routable address.
Spam
         WARN: No DMARC records found. Along with DKIM and SPF, DMARC helps prevent spam from your domain.
         WARN: No SPF records found. Along with DKIM and DMARC, SPF helps prevent spam from your domain.

./dt -debug ripe.net
DEBU[0000] validating ripe.net.
DEBU[0000] Asking NS (69.36.145.33) DNSKEY of ripe.net.
DEBU[0000] Trying validation RRSIG with DNSKEY AwEAAYXio3PIYXe4PqLmPGgemH52ZvUIDSdx+HkyoJW6SKuh82UFguzGh0xlbz5Dm5KenD2GG229/lSmU/+NvYeC+AFFB11dcoGr/5EZfb3kn+T+oaPbDyk6+tOcGJm8zHFVEP6lHi/hee5IbLQlngFpG5sf702/z5z/rQbm4OkuGPIz (flag 256, keytag 35431)
DEBU[0000] Validation failed
DEBU[0000] Trying validation RRSIG with DNSKEY AwEAAdYl56Gx3At/GI42bu2RmeQYWp3Y3WzjzYnM2h9c/twCjNa2bJPeIw2F9q+rOZhPugCn0+8X99XEmmJBvdBzaLTAZ3UsxXD1hKo1gwlpA0UUkJsUcgx51gqREEzEgUOLSB0oIwSopPpVOZRb9nfv2oNV1TvfXvAGmXLY+BnewBY5296Q/sEk8LhlkRAQuR1x25fjwxdyR+d2GC9+bjH+rXU54bOplRtTr7wCXMVV8CRkEaPRAuJpRNtUAX/IqpS3+A07BXPMHbvZAckmT1tuLNh4TG5auxxJ6a2ERj71FH7fbQODKuIWEL8oZgQB6Y3vevAUKAwjqjJsdGHt2oCpqn8= (flag 257, keytag 29740)
DEBU[0000] Validation succeeded
DEBU[0000] RRSIG validated (2017-04-29 11:02:59 +0200 CEST -> 2017-05-29 12:02:59 +0200 CEST)
DEBU[0000] Finding NS of parent: net.
DEBU[0000] Asking parent 192.43.172.30 (net.) DS of ripe.net.
DEBU[0000] parent DS digest: 570004384bf50cf787714ceb9e73de912d48cfc0e5c637785772d84bb50f85ae (keytag 29740)
DEBU[0000] child DS digest 570004384bf50cf787714ceb9e73de912d48cfc0e5c637785772d84bb50f85ae (keytag 29740)
DEBU[0000] ripe.net. validated

DEBU[0000] validating net.
DEBU[0000] Asking NS (192.26.92.30) DNSKEY of net.
DEBU[0000] Trying validation RRSIG with DNSKEY AQOYBnzqWXIEj6mlgXg4LWC0HP2n8eK8XqgHlmJ/69iuIHsa1TrHDG6TcOra/pyeGKwH0nKZhTmXSuUFGh9BCNiwVDuyyb6OBGy2Nte9Kr8NwWg4q+zhSoOf4D+gC9dEzg0yFdwT0DKEvmNPt0K4jbQDS4Yimb+uPKuF6yieWWrPYYCrv8C9KC8JMze2uT6NuWBfsl2fDUoV4l65qMww06D7n+p7RbdwWkAZ0fA63mXVXBZF6kpDtsYD7SUB9jhhfLQE/r85bvg3FaSs5Wi2BaqN06SzGWI1DHu7axthIOeHwg00zxlhTpoYCH0ldoQz+S65zWYi/fRJiyLSBb6JZOvn (flag 257, keytag 35886)
DEBU[0000] Validation succeeded
DEBU[0000] RRSIG validated (2017-04-20 18:33:57 +0200 CEST -> 2017-05-05 18:38:57 +0200 CEST)
DEBU[0000] Finding NS of parent: .
DEBU[0001] Asking parent 192.58.128.30 (.) DS of net.
DEBU[0001] parent DS digest: 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee (keytag 35886)
DEBU[0001] child DS digest 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee (keytag 35886)
DEBU[0001] net. validated

NS                      |IP                     |LOC |ASN        |ISP                                      |rtt          |Serial     |DNSSEC |ValidFrom    |ValidUntil
manus.authdns.ripe.net. |193.0.9.7              |NL  |ASN 197000 |RIPE-NCC-AUTHDNS-AS Reseaux IP Europeens |4.909712ms   |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2001:67c:e0::7         |NL  |ASN 197000 |RIPE-NCC-AUTHDNS-AS Reseaux IP Europeens |11.205698ms  |1493390344 |valid  |12 hours ago |4 weeks from now
sns-pb.isc.org.         |192.5.4.1              |US  |ASN 3557   |ISC-AS - Internet Systems Consortium, In |4.502391ms   |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2001:500:2e::1         |US  |ASN 3557   |ISC-AS - Internet Systems Consortium, In |11.525774ms  |1493390344 |valid  |12 hours ago |4 weeks from now
a3.verisigndns.com.     |69.36.145.33           |US  |ASN 36617  |AGTLD - VeriSign Global Registry Service |5.308344ms   |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2001:502:cbe4::33      |US  |ASN 36623  |HGTLD - VeriSign Global Registry Service |12.050853ms  |1493390344 |valid  |12 hours ago |4 weeks from now
a1.verisigndns.com.     |209.112.113.33         |US  |ASN 26134  |BROAD-RUN-BORDER-AS - VeriSign Infrastru |5.11017ms    |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2001:500:7967::2:33    |US  |ASN 36625  |KGTLD - VeriSign Global Registry Service |12.374661ms  |1493390344 |valid  |12 hours ago |4 weeks from now
a2.verisigndns.com.     |209.112.114.33         |US  |ASN 36619  |CGTLD - VeriSign Global Registry Service |10.563235ms  |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2620:74:19::33         |US  |ASN 36625  |KGTLD - VeriSign Global Registry Service |16.876504ms  |1493390344 |valid  |12 hours ago |4 weeks from now
tinnie.arin.net.        |199.212.0.53           |US  |ASN 393225 |ARIN-PFS-IAD - ARIN Operations, US       |84.877944ms  |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2001:500:13::c7d4:35   |US  |ASN 53535  |ARIN-PFS-ANYCAST - ARIN Operations, US   |83.173795ms  |1493390344 |valid  |12 hours ago |4 weeks from now
sec3.apnic.net.         |202.12.28.140          |AU  |ASN 4777   |APNIC-NSPIXP2-AS Asia Pacific Network In |257.939304ms |1493390344 |valid  |12 hours ago |4 weeks from now
                        |2001:dc0:1:0:4777::140 |AU  |ASN 4777   |APNIC-NSPIXP2-AS Asia Pacific Network In |258.446349ms |1493390344 |valid  |12 hours ago |4 weeks from now
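
The -debug run above validates each zone by comparing the parent's DS digest with the digest derived from the child's DNSKEY (same key tag, same 64-hex-digit SHA-256 value). The following Go program is an added example, not dt's own code: it computes the RFC 4034 key tag and the SHA-256 DS digest for a DNSKEY. The type and function names are assumptions, and the key in main is constructed, not one of the keys shown above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034, section 2.1).
type DNSKEY struct {
	Flags     uint16 // 256 = zone-signing key, 257 = key-signing key (SEP bit)
	Protocol  uint8  // always 3
	Algorithm uint8  // e.g. 8 = RSASHA256
	PublicKey []byte // decoded (not base64) key material
}

// rdata returns the DNSKEY RDATA in wire format.
func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// KeyTag is the checksum from RFC 4034, appendix B (all algorithms except 1).
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, c := range k.rdata() {
		ac += uint32(c) << (8 * uint(1-i%2)) // even offsets are the high byte
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// wireName encodes an owner name as lowercase, length-prefixed labels.
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.ToLower(name), ".") {
		if label != "" {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0) // the root label terminates the name
}

// DSDigest is the SHA-256 (digest type 2) DS digest: SHA-256(owner | RDATA).
func DSDigest(owner string, k DNSKEY) string {
	sum := sha256.Sum256(append(wireName(owner), k.rdata()...))
	return hex.EncodeToString(sum[:])
}

// LinkOK reports whether the parent's DS (key tag, digest) matches the child key.
func LinkOK(owner string, k DNSKEY, tag uint16, digest string) bool {
	return k.KeyTag() == tag && strings.EqualFold(DSDigest(owner, k), digest)
}

func main() {
	k := DNSKEY{257, 3, 8, []byte{1, 2}} // constructed key, not a real one
	fmt.Println(k.KeyTag(), DSDigest("example.net.", k))
}
```

A mismatch between the two digests means the parent delegates to a key the child no longer publishes, which validating resolvers treat as a broken chain.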


dt's Issues

panic in getSelfGlue

Hello,

I'm probably doing something that dt doesn't expect, because with my domain it panics:

% dt omarpolo.com
using 8.8.8.8 as resolver
.
NS |IP |LOC |ASN |ISP |rtt |Serial

NS |IP |Version |DNSSEC |ValidFrom |ValidUntil
...panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
github.com/42wim/dt/check.(*Glue).getSelfGlue(0x1?, {0x7f7ffffd48e3?, 0x4a?})
        github.com/42wim/dt/check/glue.go:152 +0x18f
github.com/42wim/dt/check.(*Glue).CheckSelf(0x6d78d4?, {0x7f7ffffd48e3?, 0xc000129be8?})
        github.com/42wim/dt/check/glue.go:42 +0x25
github.com/42wim/dt/check.(*Glue).CreateReport(0xc0000a4140, {0x7f7ffffd48e3, 0xc})
        github.com/42wim/dt/check/glue.go:79 +0x445
main.execCheckers(0xc000050940, {0x7f7ffffd48e3, 0xc}, {0xc0000a0200, 0x2, 0x2}, 0xc0000b2000)
        github.com/42wim/dt/main.go:107 +0x4d4
main.doDomainReport(0xc000050940?, {0x7f7ffffd48e3, 0xc}, {0xc0000a0100?, 0x2?, 0x43eaa5?}, 0xc0000b2000)
        github.com/42wim/dt/main.go:125 +0x18f
main.main()
        github.com/42wim/dt/main.go:91 +0x218

With some printfs I think that's because it doesn't find the IP address for the nameservers:

g.Ns [{Name:ns1.omarpolo.com. Info:[] IP:[]} {Name:ns2.omarpolo.com. Info:[] IP:[]}]

SOA serial in unixtime should not be a warning

dt issues a warning for any serial number not in YYYYMMDDNN format. As an experienced DNS operator, I disagree with this opinion. The serial number can be in any format that allows the operator to operate the zone effectively. YYYYMMDDNN is just a recommendation, and is mainly for hand-maintained zones that don't change often. For anything else, unixtime, or a simple increment, is more useful, and it should not be flagged as a warning. I think that the check for the format of the serial format should be dropped altogether. Emitting a false warning is misleading.
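
As an added example (not part of the issue above and not dt's code), this Go program classifies an SOA serial by the convention it appears to follow and compares serials with RFC 1982 serial arithmetic, which is the ordering secondaries use to decide on a zone transfer. The function names and the classification heuristic are assumptions; the sample serials are ones that appear in output on this page.

```go
package main

import (
	"fmt"
	"time"
)

// ClassifySerial guesses the convention behind an SOA serial.
// Heuristic written for this example; dt's own check may differ.
func ClassifySerial(serial uint32, now time.Time) string {
	s := fmt.Sprintf("%010d", serial)
	// YYYYMMDDnn: the first eight digits must be a real, non-future date.
	if d, err := time.Parse("20060102", s[:8]); err == nil &&
		d.Year() >= 1990 && !d.After(now.AddDate(0, 0, 1)) {
		return "YYYYMMDDnn"
	}
	// Unix time: seconds since the epoch, at most one day ahead of now.
	if serial >= 1000000000 && int64(serial) <= now.Unix()+86400 {
		return "unixtime"
	}
	return "counter"
}

// SerialNewer reports whether a is newer than b under RFC 1982 serial
// arithmetic. Any format works as long as this holds after each change.
func SerialNewer(a, b uint32) bool {
	return a != b && int32(a-b) > 0
}

func main() {
	now := time.Date(2017, 5, 7, 0, 0, 0, 0, time.UTC) // fixed clock for the demo
	for _, s := range []uint32{1492613104, 2017050606, 42} {
		fmt.Println(s, ClassifySerial(s, now))
	}
	fmt.Println(SerialNewer(1, 4294967295)) // serials wrap at 2^32
}
```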

Feature Request: Output to txt

It would be a great feature to be able to output to a txt file to keep a snapshot of the domain.
I have tried dt -scan example.com > example.com.txt but ended up with the full CLI output of the waiting animation and "waiting for scan":
⠋ �� ��⠙ �� ��⠹ �� ��⠸ �� ��⠼ �� ��⠴ �� ��⠦

debian packaging: resolve fork

Hi,

I'm looking at packaging this tool for Debian. One of the problems I'm facing is that one of your dependencies is a fork of an upstream package (ipisp) without any official releases (ammario/ipisp#16).

Would you consider switching to the official upstream so that we don't have to track two different source packages in Debian? Is there any reason why you need a fork of that code?

Thank you so much for your hard work!

disable rfc1918 fail info

Hi,
Nice app :-)
I use it very often and it is very interesting.
I have a FR because I also use it inside a VPN, so resolution is only using RFC 1918. Your app works well but it displays FAIL in SOA and MX tests while it's normal, so maybe an option would be interesting to remove these fails.

thanks

no nameservers

In using the project I receive the following message for all attempts.
"no nameservers found for "

Is there a setting to point the tool to a particular DNS?

bug: getParentGlue

installed now
go get github.com/42wim/dt

dt yandex.ru
NS             |IP              |LOC |ASN     |ISP        |rtt         |Serial     |DNSSEC   |ValidFrom |ValidUntil
ns2.yandex.ru. |93.158.134.1    |RU  |AS13238 |YANDEX, RU |32.958385ms |2017050606 |disabled |          |
ns2.yandex.ru. |2a02:6b8:0:1::1 |RU  |AS13238 |YANDEX, RU |error       |error      |error    |
ns1.yandex.ru. |213.180.193.1   |RU  |AS13238 |YANDEX, RU |31.533485ms |2017050606 |invalid  |a long while ago |a long while ago
ns1.yandex.ru. |2a02:6b8::1     |RU  |AS13238 |YANDEX, RU |error       |error      |error    |
panic: runtime error: index out of range

goroutine 1 [running]:
main.getParentGlue(0x7ffee887b434, 0x9, 0xd, 0xc4200c39a0, 0x2, 0x2, 0x0)
        /home/f1/media/data/projects/gorepo/src/github.com/42wim/dt/glue.go:93 +0x3f0
main.(*Glue).CheckParent(0xc42005fd30, 0x7ffee887b434, 0x9, 0xc420160240, 0xc420168000, 0x40, 0x0, 0x0, 0x0)
        /home/f1/media/data/projects/gorepo/src/github.com/42wim/dt/glue.go:16 +0x39
main.(*Glue).CreateReport(0xc42005fd30, 0x7ffee887b434, 0x9)
        /home/f1/media/data/projects/gorepo/src/github.com/42wim/dt/glue.go:38 +0xb7
main.main()
        /home/f1/media/data/projects/gorepo/src/github.com/42wim/dt/main.go:239 +0x70f

panic in SOACheck

Hi,
Great app, and I hope to get an update soon with more features ;-)

When I check an internal domain I get a panic in soacheck:

...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x40 pc=0x69e069]

goroutine 1 [running]:
github.com/42wim/dt/check.(*SOACheck).Values(0xc000198460, 0x0, 0x0, 0x0)
/root/go/src/github.com/42wim/dt/check/soa.go:154 +0xe9
github.com/42wim/dt/check.(*SOACheck).CreateReport(0xc000198460, 0x7ffeb60f3697, 0x12, 0x0, 0x0, 0x0, 0x0, 0x0)
/root/go/src/github.com/42wim/dt/check/soa.go:193 +0x13b
main.execCheckers(0xc00004a860, 0x7ffeb60f3697, 0x12, 0xc0000bee00, 0x2, 0x2, 0xc00009cd90)
/root/go/src/github.com/42wim/dt/main.go:107 +0x413
main.doDomainReport(0xc00004a860, 0x7ffeb60f3697, 0x12, 0xc0000bee00, 0x2, 0x2, 0xc00009cd90)
/root/go/src/github.com/42wim/dt/main.go:125 +0x1c0
main.main()
/root/go/src/github.com/42wim/dt/main.go:91 +0x1ea

thanks

Implement checks

Based on farrokhi/dnsdiag#16

base

  • if the domain provided resolves

glue check:

  • exist
  • match

dnssec check:

  • validate DNSKEY
  • validate DNSSEC chain

spam check:

  • spf exists
  • spf is restrictive
  • dmarc exists
  • dmarc policy

NS check:

  • if there are enough NS records
  • have distinct IP addresses
  • and no CNAMEs
  • different subnets
  • different ASNs
  • that all NS records respond to requests
  • that NS servers are not recursive
  • that all NS servers are authoritative
  • that NS records match parent zone
  • no stealth records present
  • that all NS servers respond with the same lists of NS
  • that all NS servers IPs are reachable (e.g. non RFC 1918)

SOA check:

  • present
  • valid (cf RFC 1912 for ranges, including email)
  • MNAME entry is in NS list
  • all fields match across NS servers

MX check:

  • that MX records are present
  • and more than one
  • and point to different IPs
  • no CNAME
  • matching reverse DNS for MX records
  • routable MX records

web check

  • www exists
  • @ exists (and not a CNAME)
  • routable
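
The spam checks in the list above (spf exists, spf is restrictive, dmarc exists, dmarc policy) come down to parsing TXT records. The following Go program is an added example, not dt's implementation: it classifies already-fetched TXT strings by the SPF "all" qualifier and the DMARC p= tag. The function names and status strings are assumptions, and the records in the test inputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

var allQualifier = map[string]string{ // result of the SPF "all" mechanism
	"-all": "fail", "~all": "softfail", "?all": "neutral", "all": "pass", "+all": "pass"}

// SPFStatus classifies a domain's TXT records; only "fail" (-all) is restrictive.
func SPFStatus(txts []string) string {
	var recs [][]string
	for _, t := range txts {
		if f := strings.Fields(strings.ToLower(t)); len(f) > 0 && f[0] == "v=spf1" {
			recs = append(recs, f[1:])
		}
	}
	if len(recs) == 0 {
		return "missing"
	} else if len(recs) > 1 {
		return "multiple" // RFC 7208: more than one SPF record is a permerror
	}
	result := "neutral" // default when there is no "all" and no redirect
	for _, term := range recs[0] {
		if r, ok := allQualifier[term]; ok {
			return r
		}
		if strings.HasPrefix(term, "redirect=") {
			result = "redirect" // only consulted when no "all" is present
		}
	}
	return result
}

// DMARCPolicy returns the p= tag from the TXT records at _dmarc.<domain>;
// "invalid" means a DMARC record exists but has no usable p= tag.
func DMARCPolicy(txts []string) string {
	found, policy := 0, ""
	for _, t := range txts {
		if tags := strings.Split(t, ";"); strings.TrimSpace(tags[0]) == "v=DMARC1" {
			found++
			for _, tag := range tags[1:] {
				kv := strings.SplitN(strings.ToLower(tag), "=", 2)
				if len(kv) == 2 && strings.TrimSpace(kv[0]) == "p" {
					policy = strings.TrimSpace(kv[1])
				}
			}
		}
	}
	if found == 0 {
		return "missing"
	} else if found > 1 {
		return "multiple"
	} else if policy != "none" && policy != "quarantine" && policy != "reject" {
		return "invalid"
	}
	return policy
}

func main() { fmt.Println(SPFStatus([]string{"v=spf1 mx ~all"}), DMARCPolicy(nil)) }
```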
