LinuxCommandLibrary

dnswalk

Debug and verify DNS zone data

TLDR

Debug a DNS pathway for a Fully Qualified Domain Name (FQDN)
$ dnswalk [domain].

Process sub-domains [r]ecursively
$ dnswalk -r [domain].

Only perform a dnswalk if the zone has been [m]odified since the last run
$ dnswalk -m [domain].

Print [d]ebugging and status information to stderr instead of stdout
$ dnswalk -d [domain].

Suppress the check for [i]nvalid characters in the domain name
$ dnswalk -i [domain].

Enable duplicate A record warnings
$ dnswalk -a [domain].

Enable "[F]ascist checking" to compare the A record PTR name with the forward name and report mismatches
$ dnswalk -F [domain].

Enable "[l]ame delegation" checking to test whether each listed nameserver returns authoritative answers
$ dnswalk -l [domain].

SYNOPSIS

dnswalk [-a] [-c checkname] [-d domain] [-f configfile] [-h] [-s] [-w] fqdn

PARAMETERS

-a
    Also check A records (PTR checks implied)

-c checkname
    Check CNAME chain resolution for checkname

-d domain
    Specify domain to check (overrides FQDN arg)

-f configfile
    Use alternate config file

-h
    Display help and exit

-s
    Slave mode: perform zone transfer only

-w
    Enable wildcard record checks

DESCRIPTION

dnswalk is a Perl-based tool designed to audit and validate DNS zones by recursively walking through the namespace starting from a given domain. It identifies common issues such as missing glue records, CNAME loops, wildcard problems, invalid MX records, and delegation errors. The tool performs zone transfers (AXFR) from authoritative nameservers and checks consistency across NS records.

Primarily used by DNS administrators to ensure zone integrity and security, it reports anomalies in a human-readable format, highlighting potential vulnerabilities like lame delegations or subdomain mismatches. While effective for basic validation, it focuses on IPv4 and lacks native DNSSEC support.

Usage involves specifying a fully qualified domain name (FQDN), and it supports slave mode for automated checks. Output includes warnings for problems like non-responsive NS servers or mismatched SOA records, aiding in proactive maintenance.
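To make the consistency checks described above concrete, here is an added example (not dnswalk's own Perl code) that re-implements three of them, missing glue for an in-zone NS, CNAME loops and the -F style A/PTR comparison, over a small constructed zone held in memory so it runs offline; the zone contents, the reverse map and the message wording are assumptions for illustration.

```python
from typing import Dict, List

# Constructed zone data (not a real zone): owner name -> list of (type, rdata).
# Every name is a FQDN with the trailing dot, as dnswalk expects on the command line.
ZONE: Dict[str, List[tuple]] = {
    "example.com.": [("NS", "ns1.example.com."), ("NS", "ns2.example.com.")],
    "ns1.example.com.": [("A", "192.0.2.1")],
    # ns2.example.com. is an in-zone NS with no A record: missing glue
    "www.example.com.": [("CNAME", "web.example.com.")],
    "web.example.com.": [("CNAME", "www.example.com.")],  # points back: loop
    "mail.example.com.": [("A", "192.0.2.25")],
}
# Constructed reverse data: address -> PTR target, what -F compares with the forward name.
REVERSE = {"192.0.2.1": "ns1.example.com.", "192.0.2.25": "mx.example.net."}


def rdata(name: str, rrtype: str) -> List[str]:
    """Return the rdata of all records of rrtype owned by name (empty if none)."""
    return [d for t, d in ZONE.get(name, []) if t == rrtype]

def check_glue(apex: str) -> List[str]:
    """An NS inside the zone with no A record cannot be served as glue."""
    return [f"PROBLEM: NS {ns} has no A record" for ns in rdata(apex, "NS")
            if ns.endswith("." + apex) and not rdata(ns, "A")]

def check_cname_loops() -> List[str]:
    """Follow each CNAME chain; revisiting a name means the chain never resolves."""
    problems = []
    for name in ZONE:
        seen, cur = set(), name
        while rdata(cur, "CNAME"):          # stop once cur is not a CNAME
            if cur in seen:
                problems.append(f"LOOP: CNAME chain loops at {name}")
                break
            seen.add(cur)
            cur = rdata(cur, "CNAME")[0]
    return problems

def check_ptr(reverse: Dict[str, str]) -> List[str]:
    """The -F style check: the PTR for each A record must name the forward owner."""
    return [f"WARN: {name} A {addr} has PTR {reverse.get(addr)}"
            for name, rrs in ZONE.items() for t, addr in rrs
            if t == "A" and reverse.get(addr) != name]

def audit(apex: str) -> List[str]:
    """Run the three checks over the zone and return all findings."""
    return check_glue(apex) + check_cname_loops() + check_ptr(REVERSE)
```

Running audit("example.com.") on the constructed zone yields one missing-glue problem, two loop reports (one per name in the www/web cycle) and one PTR mismatch warning.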

CAVEATS

Outdated tool; slow on large zones, limited IPv6/DNSSEC support, requires zone transfer access (may be blocked), not actively maintained.

OUTPUT EXAMPLE

Reports issues as lines such as "PROBLEM: NS example.com has no A record" or "LOOP: CNAME chain loops".

INSTALLATION

Install via apt install dnswalk (Debian) or install from the source on SourceForge.

HISTORY

Developed by David Ranch in the late 1990s as a Perl script for DNS troubleshooting. Widely used in early 2000s for zone audits but largely superseded by modern tools like dnsviz or Zonemaster.

SEE ALSO

dig(1), host(1), nslookup(1), named-checkzone(8)
