3 # Sleuth -- A Simple DNS Checking Tool
5 # (c) 1999--2001 Martin Mares <mj@ucw.cz>
8 # Load configuration file and all modules we need
11 if (-f "/etc/sleuth.conf") {
12 require "/etc/sleuth.conf";
14 require __FILE__ . ".conf";
19 use Net::DNS::Resolver;
23 getopts('vmhp', \%opts) && (@ARGV >= 1 && @ARGV <= 3 || @ARGV == 5) || do {
25 Usage: sleuth [-hmpv] <domain> [<server> [<server-IP> [<secondary> <secondary-ip>]]]
27 -h Produce HTML output
28 -m Produce machine-readable output
29 -p Private network mode (avoid public accessibility checks)
35 $domain = norm_name($ARGV[0]);
36 $mode_submit = @ARGV == 5;
37 $check_ns = defined($ARGV[1]) ? norm_name($ARGV[1]) : "";
38 $check_ns_ip = defined($ARGV[2]) ? $ARGV[2] : "";
39 $our_name = defined($ARGV[3]) ? norm_name($ARGV[3]) : "";
40 $our_ip = defined($ARGV[4]) ? $ARGV[4] : "";
42 $verbose = $opts{"v"};
43 $private = $opts{"p"};
44 if ($opts{"m"}) { $output = \&plain_output; }
45 elsif ($opts{"h"}) { $output = \&html_output; }
46 else { $output = \&fancy_output; }
48 # Initialize reliable resolver using our local nameserver.
50 $rres = new Net::DNS::Resolver;
54 # FIXME: Net::DNS doesn't implement persistent vc's yet
58 # And do the checks...
60 info("Starting zone checks for $domain");
67 check_zone() || msg("noserv", "No zone data available, giving up");
72 foreach my $nsvr (@check_servers) {
73 $nsvr =~ /(.*) = (.*)/;
76 info("Decided to use $check_ns ($check_ns_ip) for zone check");
77 init_resolver($check_ns_ip);
84 $global_okay || msg("noserv", "No name server available for checking");
86 info("Summary: $err_cnt errors, $warn_cnt warnings");
96 $ref = (defined $ref) ? " [RFC$ref]" : "";
97 print "$type $msg$ref\n";
105 my %msg_types = %{{ 'W' => '### Warning: ',
106 'E' => '### Error: ',
107 'F' => '### Fatal error: ',
112 $mmsg = $msg_types{$type};
113 $ref = (defined $ref) ? " [RFC$ref]" : "";
114 print "$mmsg$msg$ref\n";
121 if ($type =~ /[>*]/) {
122 if (!$is_pre) { print "<PRE>"; $is_pre=1; }
123 print " ", ($type eq ">") ? "" : "-> ", $msg;
125 if (!defined $is_pre) { print "<P>"; $is_pre=0; }
126 elsif ($is_pre) { print "</PRE>"; $is_pre=0; }
127 else { print "<BR>"; }
128 if ($type =~ /[WEF]/) {
129 my $map = {'W'=>'Warning', 'E'=>'Error', 'F'=>'Fatal error'};
130 print "<em class=msg$type>### ", ${$map}{$type}, ": $msg", "</em>";
131 } elsif ($type eq "." && $msg =~ /^Summary: /) {
132 if ($msg !~ / 0 errors,/) { $msg =~ s/ (\d+) errors,/ <em class=msgE>$1 errors,<\/em>/; }
133 if ($msg !~ / 0 warnings/) { $msg =~ s/ (\d+) warnings/ <em class=msgW>$1 warnings<\/em>/; }
135 } else { print $msg; }
138 print " [see";
139 foreach my $z (split(/,\s*/, $ref)) {
141 $comma++ && print ",";
142 if ($z =~ /(\d+)\/(.*)/) {
144 $url = eval $rfc_sec_url;
145 } elsif ($z =~ /(\d+)/) {
147 $url = eval $rfc_url;
148 } else { die "Bad RFC reference"; }
149 print " <A HREF=\"$url\">RFC$rfc</A>";
151 print " for details]";
158 my ($id, $msg, $ref) = @_;
159 defined $sev{$id} or die "Internal error: unknown message code <$id>";
160 my $type = $sev{$id};
161 return if $type eq "";
163 if ($type =~ /[.>]/) { @msg_buffer = (); }
164 elsif ($type =~ /[EWF]/ && @msg_buffer) {
165 foreach my $m (@msg_buffer) { &{$output}('*', $m); }
167 } elsif ($type eq '*') { push @msg_buffer, $msg; return; }
169 &{$output}($type, $msg, $ref);
170 if ($type eq "E") { $err_cnt++; }
171 elsif ($type eq "W") { $warn_cnt++; }
172 elsif ($type eq "F") { exit 1; }
175 sub info { msg('.', shift @_); }
176 sub rr_echo { my $rr=shift @_; msg('*', $rr->string); }
178 # Our interface to the resolver
184 my $need_aa = shift @_;
185 my $q = $rver->send($name, $type, "IN") or do {
186 msg("reserr", $res->errorstring);
189 my $hdr = $q->header;
190 $hdr->tc && msg("dnserr", "Truncated response received");
191 my $rc = $hdr->rcode;
192 $rc eq "NXDOMAIN" and return undef;
193 $rc eq "NOERROR" or do { msg("reserr", "Unable to resolve $name: $rc"); return undef; };
194 $hdr->ancount || return undef;
195 !$need_aa || $hdr->aa || msg("needaa", "Answer is not authoritative");
202 my $allow_cnames = shift @_;
203 my $check_rev = shift @_;
204 my $need_aa = shift @_;
206 check_name($name) || return ();
207 if ($cache{$name}{$type}) {
208 @answer = @{$cache{$name}{$type}};
210 my $q = try_resolve($res, $name, $type, $need_aa);
212 @answer = $q->answer;
213 $cache{$name}{$type} = \@answer;
217 foreach my $r (@answer) {
219 $r->class ne "IN" and next;
220 if ($r->type eq "A") {
221 # If it's an A record, automatically check it maps back.
222 $check_rev && check_reverse($r->name, $r->address, "");
224 if ($r->type eq "CNAME") {
225 if (!$allow_cnames) { msg("pcname", "DNS records must not point to CNAMEs", "1034/3.6, 1912/2.4, 2181/10.2-3"); }
226 if ($cname_cnt) { msg("rcname", "CNAMEs must not point to CNAMEs", "1034/3.6, 1912/2.4, 2181/10.2-3"); }
229 if ($r->type eq $type || $type eq "ANY") {
230 # We shouldn't check minimum TTL here as we might have got a cached value
231 ($r->ttl > 4*7*86400) && msg("suspttl", "Suspicious TTL value");
233 } elsif ($r->type ne "CNAME") {
234 msg("unxtype", "Expected $type, got " . $r->type);
240 # Normalization and comparison of host names and IP addresses
258 return norm_name($x) eq norm_name($y);
261 # Checks of reverse mapping
265 $addr =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ or fatal("Unable to parse IP address $addr");
266 return "$4.$3.$2.$1.in-addr.arpa.";
272 my $allow_domain = shift @_;
273 my $rn = reverse_name($addr);
277 $did_reverse_check{$addr} && return;
278 $did_reverse_check{$addr} = 1;
279 ($addr =~ /^(192\.168|10|172\.(1[6-9]|2\d|3[01]))\./) && !$private &&
280 msg("privadr", "Private addresses shouldn't occur in public zones", "1918");
281 foreach my $q (resolve("$rn", "PTR", 1, 0)) {
282 my $dname = $q->ptrdname;
283 if (same_name($dname, $name)) { $found_exact++; }
286 foreach my $a (resolve("$dname", "A", 1, 0)) {
287 same_ipa($a->address, $addr) && ($matched = 1);
291 msg("badrev", "$name maps to $dname which doesn't point back", "1912/2.1");
297 if ($maps_back eq "") { msg("norev", "$name ($addr) has no reverse record", "1912/2.1"); }
298 elsif ($name ne $allow_domain && !$warned) {
299 msg("inexrev", "$addr for $name points back to $maps_back", "1912/2.1");
304 # Check of e-mail address
308 $e =~ /@/ && do { msg("soamail", "'\@' in e-mail addresses should be encoded as '.'", "1912/2.2"); return; };
309 $e =~ /^(([^.\\]|\\.)+)\.(.*)$/ || do { msg("soamail", "Invalid e-mail address syntax"); return; };
311 my $host = norm_name($3);
312 $user =~ s/\\(.)/$1/g;
314 # Don't touch! This string is exactly matched by check.cgi!
315 info("Hostmaster e-mail address is $e");
316 if (my @mx = resolve($host, "MX", 1, 0)) {
317 foreach my $r (@mx) {
318 resolve($r->exchange, "A", 0, 1) or msg("soammxa", "No A record for MX " . $r->exchange);
320 } elsif (resolve($host, "A", 1, 0)) {
321 msg("soaamx", "MX records should be used for mail routing");
323 msg("soammx", "No MX record for $host");
327 # Check of name syntax
332 if ($n !~ /[^0-9.]/) {
333 if ($n =~ /^(\d+\.){3}\d+$/) { msg("ipaname", "IP address found instead of name", "1912/2.1"); }
334 else { msg("alldig", "All-digit names are not allowed", "1912/2.1"); }
337 if ($n =~ /^(.*)\.in-addr\.arpa$/i) {
339 if ($m !~ /^(\d+-\d+|\d+)(\/\d+)?(\.(\d+-\d+|\d+)(\/\d+)?)*$/) {
340 msg("badrn", "Invalid name of reverse domain $n", "1035/3.5"); return 0;
341 } elsif ($m =~ /(^|\.|-|\/)0[0-9]/) {
342 msg("badrn", "Reverse names should not contain leading zeros", "1035/3.5"); return 0;
346 foreach my $q (split(/\./, $n)) {
348 msg("badname", "Name $n has empty components", "1912/2.1"); return 0;
349 } elsif ($q !~ /^[0-9a-zA-Z_-]*$/) {
350 msg("badname", "Name $n contains invalid characters", "1912/2.1"); return 0;
356 # Generic checks of nameserver configuration
358 sub check_ns_sanity {
359 # Check whether the nameserver is able to resolve its own address forth and back.
361 info("Checking whether $check_ns knows an A record for its own name");
363 foreach $r (resolve($check_ns, "A", 0, 0)) {
364 if (same_ipa($check_ns_ip, $r->address)) { $ns_a++; }
366 $ns_a || msg("selfa", "no matching A record found");
368 info("Checking whether $check_ns is able to reverse-map its own IP address");
369 check_reverse($check_ns, $check_ns_ip, "");
371 # General nameserver functionality checks
374 info("Checking connectivity with other nameservers");
375 foreach $name (@test_hosts) {
376 resolve($name, "A", 1, 1) or
377 msg("recchk", "$check_ns is unable to resolve $name (maybe it's non-recursive)");
381 info("Checking mapping of localhost");
383 if (@lh = resolve("localhost", "A", 1, 0, 1)) {
384 (@lh != 1 || !same_ipa($lh[0]->address, "127.0.0.1")) &&
385 msg("badloc", "Invalid resource records for localhost at $check_ns", "1912/4.1");
386 } else { msg("nolocal", "$check_ns is unable to resolve localhost", "1912/4.1"); }
387 resolve("1.0.0.127.in-addr.arpa", "PTR", 1, 0, 1) or msg("revloc", "Reverse mapping of 127.0.0.1 at $check_ns doesn't work", "1912/4.1");
393 sub check_zone_name {
394 info("Checking zone name");
396 if ($domain =~ /^(.*)\.in-addr\.arpa$/) {
398 if ($rev =~ /(^|\.)(\d+(\.\d+){2})$/) {
399 $rev_net = join('.', reverse split (/\./, $2)) . '.';
400 info("Switched to reverse zone check mode for network $rev_net");
402 msg("unkrevz", "Switched to reverse mode, but unable to find network number in zone name", "1035/3.5");
408 # Checks done for zone submission
411 # Test for bogus and forbidden names
413 ($domain =~ /(^|\.)([^.]+)\.([^.]+)$/) || msg("rtoplev", "Registration of top-level domains not supported");
416 try_resolve($rres, $l1, "SOA") || msg("utoplev", "Top level domain $l1 doesn't exist");
417 if (length($l2) <= 4 && ($q = try_resolve($rres, $l2, "SOA"))) {
419 msg("xtoplev", "Second-level domains must not use names of top-level domains");
422 # Test whether our NS is not already authoritative.
424 info("Checking for zone duplicity for $domain");
425 init_resolver($our_ip);
427 $q = try_resolve($res, $domain, "SOA");
428 ($q && $q->header->aa) && msg("alknown", "$domain already known at $our_name");
430 # Test whether the NS is authoritative for the zone.
432 init_resolver($check_ns_ip);
433 info("Checking for authoritative data for $domain");
435 $q = try_resolve($res, $domain, "SOA");
436 $q || msg("snauth", "SOA record for $domain not found");
437 $q->header->aa || msg("snauth", "$check_ns is not authoritative for $domain");
440 # Check number of name servers and whether we are one of them.
442 info("Checking list of nameservers");
443 @q = resolve($domain, "NS", 0, 1) or msg("missns", "No NS records for $domain found");
444 @q >= 2 || msg("twons", "Each domain should have at least 2 nameservers", "1912/2.8");
445 if (defined($our_name)) {
448 same_name($r->nsdname, $our_name) && ($found_us = 1);
450 $found_us || msg("nosecns", "$our_name is not listed in NS records of $domain");
454 # Zone transfer and check
458 info("Fetching zone data for $domain");
459 if (!(@zone = $res->axfr($domain))) {
460 msg("axfer", "Zone transfer failed");
464 info("Parsing zone data");
467 $records{norm_name($r->name)}{$rcnt++} = $r;
470 info("Checking consistency of zone records");
473 foreach $name (sort { ($a eq $domain) ? -1 : ($b eq $domain) ? 1 : ($a cmp $b) } keys %records) {
476 foreach $z (keys %{$records{$name}}) {
477 $r = $records{$name}{$z};
478 my $txt = $r->string;
480 defined $seen{$txt} && msg("duprec", "Duplicate record");
483 ($r->ttl < 3600 || $r->ttl > 4*7*86400) && msg("suspttl", "Suspicious TTL value");
485 $name =~ /(^|\.)$domain$/ || msg("outzone", "Out-of-zone record");
488 # Wildcard SRV's are a useful thing
489 } elsif ($t eq "A" || $t eq "CNAME") {
490 msg("wildac", "Wildcard A and CNAME records are likely to be very confusing", "1912/2.7");
492 msg("wild", "Wildcard names are generally considered bad practice", "1912/2.7");
496 ($name =~ /^(0|[1-9]\d*)\.$domain$/ && ($num = $1) < 256) ||
497 ($name eq $domain && $t ne "CNAME" && $t ne "PTR") ||
498 msg("badrevn", "Reverse zones should contain only numeric names");
499 if ($t =~ /^(MX|WKS)$/) {
500 msg("badrevr", "Illegal record in reverse zone");
501 } elsif ($t eq "A") {
502 msg("arev", "A records in reverse zones are valid, but considered bad practice", "1912/2.3");
506 msg("ptrfwd", "PTR records in forward zones are valid, but considered bad practice");
511 $d = norm_name($r->cname);
512 # a.b.c -> a.b.c is wrong
513 if (same_name($d, $name)) { msg("reccn", "Recursive CNAME", "1034/3.6"); }
515 # a.b.c -> x.a.b.c and a.b.c -> b.c are probably wrong as well, but not forbidden
516 if ($name =~ /(^|\.)$d/i || $d =~ /(^|\.)$name/) {
517 msg("suspcn", "Possibly incorrect overlapping CNAME");
519 if (!resolve($d, "ANY", 0, 1)) {
521 msg("dangcnr", "Unable to resolve CNAME destination (probably due to classless delegation)");
522 } else { msg("dangcn", "Unable to resolve CNAME destination"); }
525 } else { $seen_other++; }
526 if (same_name($name, "localhost.$domain")) {
527 if ($t eq "A" && same_ipa($r->address, "127.0.0.1")) { $seen_localhost++; next; }
528 else { msg("badloc", "Invalid localhost record"); }
531 check_reverse($name, $r->address, $domain);
532 } elsif ($t eq "NS") {
534 resolve($dest, "A", 0, 1) || msg("missa", "Nameserver $dest doesn't have any valid A records");
535 } elsif ($t =~ /^(MD|MF|MB|MG|MR)$/) {
536 msg("obsrec", "MD/MF/MB/MG/MR records are obsolete and should not be used");
537 } elsif ($t eq "SOA") {
538 (same_name($name, $domain)) || do {
539 msg("supsoa", "Superfluous SOA record");
542 resolve($r->mname, "A", 0, 1) || msg("soaorg", "No A record for zone origin");
543 check_email($r->rname);
544 ($r->expire < 2*7*86400 || $r->expire > 4*7*86400) &&
545 msg("suspexp", "Expire time should be between 2 and 4 weeks", "1912/2.2");
546 ($r->minimum < 3600) && msg("suspmtl", "Suspicious minimum TTL", "2308/4");
547 } elsif ($t eq "WKS") {
548 msg("wks", "WKS record is obsolete and should not be used", "1912/2.6.1");
549 } elsif ($t eq "PTR") {
550 if (@dd = resolve($r->ptrdname, "A", 0, 0)) {
551 if (defined $rev_net) {
554 (same_ipa($rr->address, $rev_net . $num)) && ($found=1);
556 $found || msg("ptrbada", "No corresponding A record found", "1912/2.4");
558 } else { msg("ptrnoa", "PTR doesn't point to an A record", "1912/2.4"); }
559 } elsif ($t eq "MX") {
560 ($r->preference >= 0 && $r->preference < 65536) || msg("mxpref", "Invalid MX preference", "1035/3.3.9");
561 $dest = $r->exchange;
562 resolve($dest, "A", 0, 1) || msg("missa", "Mail exchanger $dest doesn't have any valid A records", "1035/3.3.9");
563 } elsif ($t eq "SRV") {
564 ($name =~ /^(\*|_[0-9a-zA-Z]+)\.(\*|_[a-zA-Z]+)\./) || msg("srvnam", "Invalid service name", "2782");
565 ($r->priority >= 0 && $r->priority < 65536) || msg("srvpar", "Invalid SRV preference", "2782");
566 ($r->weight >= 0 && $r->weight < 65536) || msg("srvpar", "Invalid SRV weight", "2872");
567 ($r->port >= 0 && $r->port < 65536) || msg("srvpar", "Invalid SRV port number", "2872");
568 $r->target eq "" || $r->target eq "." || resolve($r->target, "A", 0, 1) ||
569 msg("srvdest", "Service provider has no valid A record");
572 if ($seen_cname > 1) {
573 msg("cnclash", "Multiple CNAMEs for one name", "1912/2.4");
574 } elsif ($seen_cname && $seen_other) {
575 msg("cnclash", "CNAME is not allowed to coexist with any other data", "1912/2.4");
581 # Initialize resolver library, but point it to the nameserver given
585 $res = new Net::DNS::Resolver;
586 $res->nameservers($name);
591 # FIXME: Net::DNS doesn't implement persistent vc's yet
596 # Basic zone checks -- existence, matching SOA versions and lame delegations
597 # returns @check_servers
599 sub check_zone_basics {
602 # In case check_ns is given, use it for initial checks, else use our local nameserver
603 if ($check_ns ne "") {
604 if ($check_ns_ip eq "") {
605 info("Resolving name-server address");
607 my @ips = resolve($check_ns, "A", 0, 0) or msg("nonsa", "$check_ns has no A record");
608 $check_ns_ip = $ips[0]->address;
610 $prefer_origin = $check_ns;
611 @check_servers = ( "$check_ns = $check_ns_ip" );
612 init_resolver($check_ns_ip);
613 $rres = $res; # This one will be the reference
619 info("Checking existence of zone");
620 resolve($domain, "CNAME", 1, 0) && msg("zcname", "$domain is a CNAME");
621 my @soa = resolve($domain, "SOA", 0, 0) or msg("znexist", "$domain doesn't exist");
622 my $real_origin = norm_name($soa[0]->mname);
623 defined $prefer_origin || ($prefer_origin = $real_origin);
625 info("Checking NS records");
626 my @ns = resolve($domain, "NS", 0, 0) or msg("missns", "$domain has no NS records");
627 (@ns >= 2) || msg("twons", "Each domain should have at least 2 nameservers", "1912/2.8");
628 @ns = map { norm_name($_->nsdname) } @ns;
629 my $nsnames = join(':', sort { $a cmp $b } @ns);
631 foreach $r (@ns) { $nshash{$r} = 1; }
632 if (!defined $nshash{$real_origin}) { msg("ornotns", "Origin server $real_origin not listed in NS records"); }
633 delete $nshash{$prefer_origin};
635 unshift @ns, $prefer_origin;
637 info("Checking nameserver authority and synchronization");
642 if (!(@nips = resolve($n, "A", 0, 1))) {
643 msg("missa", "Nameserver $n doesn't have any valid A records");
646 my $nip = $nips[0]->address;
647 info("Probing name server $n ($nip)");
650 my $q = try_resolve($res, $domain, "SOA");
652 $q && $q->header->aa || do { msg("lamer", "Lame delegation of $domain to $n", "1912/2.8"); next; };
653 my @ss = resolve($domain, "SOA", 0, 0);
654 if (!@ss) { msg("lamer", "Lame delegation of $domain to $n", "1912/2.8"); next; }
657 if ($check_ns eq "") { push @check_servers, "$n = $nip"; }
659 my $delta = $psoa->serial - $ss->serial;
660 ($delta >= 0x80000000) && ($delta -= 0x80000000);
661 ($delta <= -0x80000000) && ($delta += 0x80000000);
662 if ($delta > 0) { msg("oodsec", "$n has out of date data for $domain"); }
663 elsif ($delta < 0) { msg("oodsec", "$n has newer data for $domain than zone origin"); }
664 if ($psoa->mname ne $ss->mname ||
665 $psoa->rname ne $ss->rname ||
666 $psoa->refresh != $ss->refresh ||
667 $psoa->retry != $ss->retry ||
668 $psoa->expire != $ss->expire ||
669 $psoa->minimum != $ss->minimum) {
670 msg("oodsoa", "$n lists different SOA parameters than zone origin");
672 } else { $psoa = $ss; }
674 my $nsb = join(':', sort { $a cmp $b } map { $_->nsdname } resolve($domain, "NS", 0, 0));
675 same_name($nsnames,$nsb) || msg("diffns", "Different set of NS records reported ($nsb)");
677 # info("Continuing zone checks on " . join("/", @check_servers));