3 # Sleuth -- A Simple DNS Checking Tool
5 # (c) 1999--2001 Martin Mares <mj@ucw.cz>
8 # Load configuration file and all modules we need
11 if (-f "/etc/sleuth.conf") {
12 require "/etc/sleuth.conf";
14 require __FILE__ . ".conf";
19 use Net::DNS::Resolver;
23 getopts('vmhp', \%opts) && (@ARGV >= 1 && @ARGV <= 3 || @ARGV == 5) || do {
25 Usage: sleuth [-hmpv] <domain> [<server> [<server-IP> [<secondary> <secondary-ip>]]]
27 -h Produce HTML output
28 -m Produce machine-readable output
29 -p Private network mode (avoid public accessibility checks)
35 $domain = norm_name($ARGV[0]);
36 $mode_submit = @ARGV == 5;
37 $check_ns = defined($ARGV[1]) ? norm_name($ARGV[1]) : "";
38 $check_ns_ip = defined($ARGV[2]) ? $ARGV[2] : "";
39 $our_name = defined($ARGV[3]) ? norm_name($ARGV[3]) : "";
40 $our_ip = defined($ARGV[4]) ? $ARGV[4] : "";
42 $verbose = $opts{"v"};
43 $private = $opts{"p"};
44 if ($opts{"m"}) { $output = \&plain_output; }
45 elsif ($opts{"h"}) { $output = \&html_output; }
46 else { $output = \&fancy_output; }
48 # Initialize reliable resolver using our local nameserver.
50 $rres = new Net::DNS::Resolver;
54 # FIXME: Net::DNS doesn't implement persistent vc's yet
58 # And do the checks...
60 info("Starting zone checks for $domain");
67 check_zone() || msg("noserv", "No zone data available, giving up");
72 foreach my $nsvr (@check_servers) {
73 $nsvr =~ /(.*) = (.*)/;
76 info("Decided to use $check_ns ($check_ns_ip) for zone check");
77 init_resolver($check_ns_ip);
84 $global_okay || msg("noserv", "No name server available for checking");
86 info("Summary: $err_cnt errors, $warn_cnt warnings");
96 $ref = (defined $ref) ? " [RFC$ref]" : "";
97 print "$type $msg$ref\n";
105 my %msg_types = %{{ 'W' => '### Warning: ',
106 'E' => '### Error: ',
107 'F' => '### Fatal error: ',
112 $mmsg = $msg_types{$type};
113 $ref = (defined $ref) ? " [RFC$ref]" : "";
114 print "$mmsg$msg$ref\n";
121 if ($type =~ /[>*]/) {
122 if (!$is_pre) { print "<PRE>"; $is_pre=1; }
123 print " ", ($type eq ">") ? "" : "-> ", $msg;
125 if (!defined $is_pre) { print "<P>"; $is_pre=0; }
126 elsif ($is_pre) { print "</PRE>"; $is_pre=0; }
127 else { print "<BR>"; }
128 if ($type =~ /[WEF]/) {
129 my $map = {'W'=>'Warning', 'E'=>'Error', 'F'=>'Fatal error'};
130 print "<em class=msg$type>### ", ${$map}{$type}, ": $msg", "</em>";
131 } elsif ($type eq "." && $msg =~ /^Summary: /) {
132 if ($msg !~ / 0 errors,/) { $msg =~ s/ (\d+) errors,/ <em class=msgE>$1 errors,<\/em>/; }
133 if ($msg !~ / 0 warnings/) { $msg =~ s/ (\d+) warnings/ <em class=msgW>$1 warnings<\/em>/; }
135 } else { print $msg; }
138 print " [see";
139 foreach my $z (split(/,\s*/, $ref)) {
141 $comma++ && print ",";
142 if ($z =~ /(\d+)\/(.*)/) {
144 $url = eval $rfc_sec_url;
145 } elsif ($z =~ /(\d+)/) {
147 $url = eval $rfc_url;
148 } else { die "Bad RFC reference"; }
149 print " <A HREF=\"$url\">RFC$rfc</A>";
151 print " for details]";
158 my ($id, $msg, $ref) = @_;
159 defined $sev{$id} or die "Internal error: unknown message code <$id>";
160 my $type = $sev{$id};
161 return if $type eq "";
163 if ($type =~ /[.>]/) { @msg_buffer = (); }
164 elsif ($type =~ /[EWF]/ && @msg_buffer) {
165 foreach my $m (@msg_buffer) { &{$output}('*', $m); }
167 } elsif ($type eq '*') { push @msg_buffer, $msg; return; }
169 &{$output}($type, $msg, $ref);
170 if ($type eq "E") { $err_cnt++; }
171 elsif ($type eq "W") { $warn_cnt++; }
172 elsif ($type eq "F") { exit 1; }
175 sub info { msg('.', shift @_); }
176 sub rr_echo { my $rr=shift @_; msg('*', $rr->string); }
178 # Our interface to the resolver
184 my $need_aa = shift @_;
185 my $q = $rver->send($name, $type, "IN") or do {
186 msg("reserr", $res->errorstring);
189 my $hdr = $q->header;
190 $hdr->tc && msg("dnserr", "Truncated response received");
191 my $rc = $hdr->rcode;
192 $rc eq "NXDOMAIN" and return undef;
193 $rc eq "NOERROR" or do { msg("reserr", "Unable to resolve $name: $rc"); return undef; };
194 $hdr->ancount || return undef;
195 !$need_aa || $hdr->aa || msg("needaa", "Answer is not authoritative");
202 my $allow_cnames = shift @_;
203 my $check_rev = shift @_;
204 my $need_aa = shift @_;
206 check_name($name) || return ();
207 if ($cache{$name}{$type}) {
208 @answer = @{$cache{$name}{$type}};
210 my $q = try_resolve($res, $name, $type, $need_aa);
212 @answer = $q->answer;
213 $cache{$name}{$type} = \@answer;
217 foreach my $r (@answer) {
219 $r->class ne "IN" and next;
220 if ($r->type eq "A") {
221 # If it's an A record, automatically check it maps back.
222 $check_rev && check_reverse($r->name, $r->address, "");
224 if ($r->type eq "CNAME") {
225 if (!$allow_cnames) { msg("pcname", "DNS records must not point to CNAMEs", "1034/3.6, 1912/2.4, 2181/10.2-3"); }
226 if ($cname_cnt) { msg("rcname", "CNAMEs must not point to CNAMEs", "1034/3.6, 1912/2.4, 2181/10.2-3"); }
229 if ($r->type eq $type || $type eq "ANY") {
230 # We shouldn't check minimum TTL here as we might have got a cached value
231 ($r->ttl > 4*7*86400) && msg("suspttl", "Suspicious TTL value");
233 } elsif ($r->type ne "CNAME") {
234 msg("unxtype", "Expected $type, got " . $r->type);
240 # Normalization and comparison of host names and IP addresses
258 return norm_name($x) eq norm_name($y);
261 # Checks of reverse mapping
265 $addr =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ or fatal("Unable to parse IP address $addr");
266 return "$4.$3.$2.$1.in-addr.arpa.";
272 my $allow_domain = shift @_;
273 my $rn = reverse_name($addr);
277 $did_reverse_check{$addr} && return;
278 $did_reverse_check{$addr} = 1;
279 ($addr =~ /^(192\.168|10|172\.(1[6-9]|2\d|3[01]))\./) && !$private &&
280 msg("privadr", "Private addresses shouldn't occur in public zones", "1918");
281 foreach my $q (resolve("$rn", "PTR", 1, 0)) {
282 my $dname = $q->ptrdname;
283 if (same_name($dname, $name)) { $found_exact++; }
286 foreach my $a (resolve("$dname", "A", 1, 0)) {
287 same_ipa($a->address, $addr) && ($matched = 1);
291 msg("badrev", "$name maps to $dname which doesn't point back", "1912/2.1");
297 if ($maps_back eq "") { msg("norev", "$name ($addr) has no reverse record", "1912/2.1"); }
298 elsif ($name ne $allow_domain && !$warned) {
299 msg("inexrev", "$addr for $name points back to $maps_back", "1912/2.1");
304 # Check of e-mail address
308 $e =~ /@/ && do { msg("soamail", "'\@' in e-mail addresses should be encoded as '.'", "1912/2.2"); return; };
309 $e =~ /^(([^.\\]|\\.)+)\.(.*)$/ || do { msg("soamail", "Invalid e-mail address syntax"); return; };
311 my $host = norm_name($3);
312 $user =~ s/\\(.)/$1/g;
314 info("Hostmaster e-mail address is $e");
315 if (my @mx = resolve($host, "MX", 1, 0)) {
316 foreach my $r (@mx) {
317 resolve($r->exchange, "A", 0, 1) or msg("soammxa", "No A record for MX " . $r->exchange);
319 } elsif (resolve($host, "A", 1, 0)) {
320 msg("soaamx", "MX records should be used for mail routing");
322 msg("soammx", "No MX record for $host");
326 # Check of name syntax
331 if ($n !~ /[^0-9.]/) {
332 if ($n =~ /^(\d+\.){3}\d+$/) { msg("ipaname", "IP address found instead of name", "1912/2.1"); }
333 else { msg("alldig", "All-digit names are not allowed", "1912/2.1"); }
336 if ($n =~ /^(.*)\.in-addr\.arpa$/i) {
338 if ($m !~ /^(\d+-\d+|\d+)(\/\d+)?(\.(\d+-\d+|\d+)(\/\d+)?)*$/) {
339 msg("badrn", "Invalid name of reverse domain $n", "1035/3.5"); return 0;
340 } elsif ($m =~ /(^|\.|-|\/)0[0-9]/) {
341 msg("badrn", "Reverse names should not contain leading zeros", "1035/3.5"); return 0;
345 foreach my $q (split(/\./, $n)) {
347 msg("badname", "Name $n has empty components", "1912/2.1"); return 0;
348 } elsif ($q !~ /^[0-9a-zA-Z_-]*$/) {
349 msg("badname", "Name $n contains invalid characters", "1912/2.1"); return 0;
355 # Generic checks of nameserver configuration
357 sub check_ns_sanity {
358 # Check whether the nameserver is able to resolve its own address forth and back.
360 info("Checking whether $check_ns knows an A record for its own name");
362 foreach $r (resolve($check_ns, "A", 0, 0)) {
363 if (same_ipa($check_ns_ip, $r->address)) { $ns_a++; }
365 $ns_a || msg("selfa", "no matching A record found");
367 info("Checking whether $check_ns is able to reverse-map its own IP address");
368 check_reverse($check_ns, $check_ns_ip, "");
370 # General nameserver functionality checks
373 info("Checking connectivity with other nameservers");
374 foreach $name (@test_hosts) {
375 resolve($name, "A", 1, 1) or
376 msg("recchk", "$check_ns is unable to resolve $name (maybe it's non-recursive)");
380 info("Checking mapping of localhost");
382 if (@lh = resolve("localhost", "A", 1, 0, 1)) {
383 (@lh != 1 || !same_ipa($lh[0]->address, "127.0.0.1")) &&
384 msg("badloc", "Invalid resource records for localhost at $check_ns", "1912/4.1");
385 } else { msg("nolocal", "$check_ns is unable to resolve localhost", "1912/4.1"); }
386 resolve("1.0.0.127.in-addr.arpa", "PTR", 1, 0, 1) or msg("revloc", "Reverse mapping of 127.0.0.1 at $check_ns doesn't work", "1912/4.1");
392 sub check_zone_name {
393 info("Checking zone name");
395 if ($domain =~ /^(.*)\.in-addr\.arpa$/) {
397 if ($rev =~ /(^|\.)(\d+(\.\d+){2})$/) {
398 $rev_net = join('.', reverse split (/\./, $2)) . '.';
399 info("Switched to reverse zone check mode for network $rev_net");
401 msg("unkrevz", "Switched to reverse mode, but unable to find network number in zone name", "1035/3.5");
407 # Checks done for zone submission
410 # Test for bogus and forbidden names
412 ($domain =~ /(^|\.)([^.]+)\.([^.]+)$/) || msg("rtoplev", "Registration of top-level domains not supported");
415 try_resolve($rres, $l1, "SOA") || msg("utoplev", "Top level domain $l1 doesn't exist");
416 if (length($l2) <= 4 && ($q = try_resolve($rres, $l2, "SOA"))) {
418 msg("xtoplev", "Second-level domains must not use names of top-level domains");
421 # Test whether our NS is not already authoritative.
423 info("Checking for zone duplicity for $domain");
424 init_resolver($our_ip);
426 $q = try_resolve($res, $domain, "SOA");
427 ($q && $q->header->aa) && msg("alknown", "$domain already known at $our_name");
429 # Test whether the NS is authoritative for the zone.
431 init_resolver($check_ns_ip);
432 info("Checking for authoritative data for $domain");
434 $q = try_resolve($res, $domain, "SOA");
435 $q || msg("snauth", "SOA record for $domain not found");
436 $q->header->aa || msg("snauth", "$check_ns is not authoritative for $domain");
439 # Check number of name servers and whether we are one of them.
441 info("Checking list of nameservers");
442 @q = resolve($domain, "NS", 0, 1) or msg("missns", "No NS records for $domain found");
443 @q >= 2 || msg("twons", "Each domain should have at least 2 nameservers", "1912/2.8");
444 if (defined($our_name)) {
447 same_name($r->nsdname, $our_name) && ($found_us = 1);
449 $found_us || msg("nosecns", "$our_name is not listed in NS records of $domain");
453 # Zone transfer and check
457 info("Fetching zone data for $domain");
458 if (!(@zone = $res->axfr($domain))) {
459 msg("axfer", "Zone transfer failed");
463 info("Parsing zone data");
466 $records{norm_name($r->name)}{$rcnt++} = $r;
469 info("Checking consistency of zone records");
472 foreach $name (sort { ($a eq $domain) ? -1 : ($b eq $domain) ? 1 : ($a cmp $b) } keys %records) {
475 foreach $z (keys %{$records{$name}}) {
476 $r = $records{$name}{$z};
477 my $txt = $r->string;
479 defined $seen{$txt} && msg("duprec", "Duplicate record");
482 ($r->ttl < 3600 || $r->ttl > 4*7*86400) && msg("suspttl", "Suspicious TTL value");
484 $name =~ /(^|\.)$domain$/ || msg("outzone", "Out-of-zone record");
487 # Wildcard SRV's are a useful thing
488 } elsif ($t eq "A" || $t eq "CNAME") {
489 msg("wildac", "Wildcard A and CNAME records are likely to be very confusing", "1912/2.7");
491 msg("wild", "Wildcard names are generally considered bad practice", "1912/2.7");
495 ($name =~ /^(0|[1-9]\d*)\.$domain$/ && ($num = $1) < 256) ||
496 ($name eq $domain && $t ne "CNAME" && $t ne "PTR") ||
497 msg("badrevn", "Reverse zones should contain only numeric names");
498 if ($t =~ /^(MX|WKS)$/) {
499 msg("badrevr", "Illegal record in reverse zone");
500 } elsif ($t eq "A") {
501 msg("arev", "A records in reverse zones are valid, but considered bad practice", "1912/2.3");
505 msg("ptrfwd", "PTR records in forward zones are valid, but considered bad practice");
510 $d = norm_name($r->cname);
511 # a.b.c -> a.b.c is wrong
512 if (same_name($d, $name)) { msg("reccn", "Recursive CNAME", "1034/3.6"); }
514 # a.b.c -> x.a.b.c and a.b.c -> b.c are probably wrong as well, but not forbidden
515 if ($name =~ /(^|\.)$d/i || $d =~ /(^|\.)$name/) {
516 msg("suspcn", "Possibly incorrect overlapping CNAME");
518 if (!resolve($d, "ANY", 0, 1)) {
520 msg("dangcnr", "Unable to resolve CNAME destination (probably due to classless delegation)");
521 } else { msg("dangcn", "Unable to resolve CNAME destination"); }
524 } else { $seen_other++; }
525 if (same_name($name, "localhost.$domain")) {
526 if ($t eq "A" && same_ipa($r->address, "127.0.0.1")) { $seen_localhost++; next; }
527 else { msg("badloc", "Invalid localhost record"); }
530 check_reverse($name, $r->address, $domain);
531 } elsif ($t eq "NS") {
533 resolve($dest, "A", 0, 1) || msg("missa", "Nameserver $dest doesn't have any valid A records");
534 } elsif ($t =~ /^(MD|MF|MB|MG|MR)$/) {
535 msg("obsrec", "MD/MF/MB/MG/MR records are obsolete and should not be used");
536 } elsif ($t eq "SOA") {
537 (same_name($name, $domain)) || do {
538 msg("supsoa", "Superfluous SOA record");
541 resolve($r->mname, "A", 0, 1) || msg("soaorg", "No A record for zone origin");
542 check_email($r->rname);
543 ($r->expire < 2*7*86400 || $r->expire > 4*7*86400) &&
544 msg("suspexp", "Expire time should be between 2 and 4 weeks", "1912/2.2");
545 ($r->minimum < 3600) && msg("suspmtl", "Suspicious minimum TTL", "2308/4");
546 } elsif ($t eq "WKS") {
547 msg("wks", "WKS record is obsolete and should not be used", "1912/2.6.1");
548 } elsif ($t eq "PTR") {
549 if (@dd = resolve($r->ptrdname, "A", 0, 0)) {
550 if (defined $rev_net) {
553 (same_ipa($rr->address, $rev_net . $num)) && ($found=1);
555 $found || msg("ptrbada", "No corresponding A record found", "1912/2.4");
557 } else { msg("ptrnoa", "PTR doesn't point to an A record", "1912/2.4"); }
558 } elsif ($t eq "MX") {
559 ($r->preference >= 0 && $r->preference < 65536) || msg("mxpref", "Invalid MX preference", "1035/3.3.9");
560 $dest = $r->exchange;
561 resolve($dest, "A", 0, 1) || msg("missa", "Mail exchanger $dest doesn't have any valid A records", "1035/3.3.9");
562 } elsif ($t eq "SRV") {
563 ($name =~ /^(\*|_[0-9a-zA-Z]+)\.(\*|_[a-zA-Z]+)\./) || msg("srvnam", "Invalid service name", "2782");
564 ($r->priority >= 0 && $r->priority < 65536) || msg("srvpar", "Invalid SRV preference", "2782");
565 ($r->weight >= 0 && $r->weight < 65536) || msg("srvpar", "Invalid SRV weight", "2872");
566 ($r->port >= 0 && $r->port < 65536) || msg("srvpar", "Invalid SRV port number", "2872");
567 $r->target eq "" || $r->target eq "." || resolve($r->target, "A", 0, 1) ||
568 msg("srvdest", "Service provider has no valid A record");
571 if ($seen_cname > 1) {
572 msg("cnclash", "Multiple CNAMEs for one name", "1912/2.4");
573 } elsif ($seen_cname && $seen_other) {
574 msg("cnclash", "CNAME is not allowed to coexist with any other data", "1912/2.4");
580 # Initialize resolver library, but point it to the nameserver given
584 $res = new Net::DNS::Resolver;
585 $res->nameservers($name);
590 # FIXME: Net::DNS doesn't implement persistent vc's yet
595 # Basic zone checks -- existence, matching SOA versions and lame delegations
596 # returns @check_servers
598 sub check_zone_basics {
601 # In case check_ns is given, use it for initial checks, else use our local nameserver
602 if ($check_ns ne "") {
603 if ($check_ns_ip eq "") {
604 info("Resolving name-server address");
606 my @ips = resolve($check_ns, "A", 0, 0) or msg("nonsa", "$check_ns has no A record");
607 $check_ns_ip = $ips[0]->address;
609 $prefer_origin = $check_ns;
610 @check_servers = ( "$check_ns = $check_ns_ip" );
611 init_resolver($check_ns_ip);
612 $rres = $res; # This one will be the reference
618 info("Checking existence of zone");
619 resolve($domain, "CNAME", 1, 0) && msg("zcname", "$domain is a CNAME");
620 my @soa = resolve($domain, "SOA", 0, 0) or msg("znexist", "$domain doesn't exist");
621 my $real_origin = norm_name($soa[0]->mname);
622 defined $prefer_origin || ($prefer_origin = $real_origin);
624 info("Checking NS records");
625 my @ns = resolve($domain, "NS", 0, 0) or msg("missns", "$domain has no NS records");
626 (@ns >= 2) || msg("twons", "Each domain should have at least 2 nameservers", "1912/2.8");
627 @ns = map { norm_name($_->nsdname) } @ns;
628 my $nsnames = join(':', sort { $a cmp $b } @ns);
630 foreach $r (@ns) { $nshash{$r} = 1; }
631 if (!defined $nshash{$real_origin}) { msg("ornotns", "Origin server $real_origin not listed in NS records"); }
632 delete $nshash{$prefer_origin};
634 unshift @ns, $prefer_origin;
636 info("Checking nameserver authority and synchronization");
641 if (!(@nips = resolve($n, "A", 0, 1))) {
642 msg("missa", "Nameserver $n doesn't have any valid A records");
645 my $nip = $nips[0]->address;
646 info("Probing name server $n ($nip)");
649 my $q = try_resolve($res, $domain, "SOA");
651 $q && $q->header->aa || do { msg("lamer", "Lame delegation of $domain to $n", "1912/2.8"); next; };
652 my @ss = resolve($domain, "SOA", 0, 0);
653 if (!@ss) { msg("lamer", "Lame delegation of $domain to $n", "1912/2.8"); next; }
656 if ($check_ns eq "") { push @check_servers, "$n = $nip"; }
658 my $delta = $psoa->serial - $ss->serial;
659 ($delta >= 0x80000000) && ($delta -= 0x80000000);
660 ($delta <= -0x80000000) && ($delta += 0x80000000);
661 if ($delta > 0) { msg("oodsec", "$n has out of date data for $domain"); }
662 elsif ($delta < 0) { msg("oodsec", "$n has newer data for $domain than zone origin"); }
663 if ($psoa->mname ne $ss->mname ||
664 $psoa->rname ne $ss->rname ||
665 $psoa->refresh != $ss->refresh ||
666 $psoa->retry != $ss->retry ||
667 $psoa->expire != $ss->expire ||
668 $psoa->minimum != $ss->minimum) {
669 msg("oodsoa", "$n lists different SOA parameters than zone origin");
671 } else { $psoa = $ss; }
673 my $nsb = join(':', sort { $a cmp $b } map { $_->nsdname } resolve($domain, "NS", 0, 0));
674 same_name($nsnames,$nsb) || msg("diffns", "Different set of NS records reported ($nsb)");
676 # info("Continuing zone checks on " . join("/", @check_servers));