Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jvns/dns-doctor
Last synced: 21 days ago
- Host: GitHub
- URL: https://github.com/jvns/dns-doctor
- Owner: jvns
- License: mit
- Created: 2023-08-31T13:45:47.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2023-09-10T07:45:53.000Z (about 1 year ago)
- Last Synced: 2024-04-15T03:01:31.685Z (7 months ago)
- Language: Go
- Size: 85.9 KB
- Stars: 44
- Watchers: 2
- Forks: 2
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## dns doctor
**PROTOTYPE, PRETTY CRAPPY, PROBABLY HAS ONE MILLION BUGS**
You give it a domain name where something is wrong, and it runs a bunch of checks to try to figure out the reason.
**Usage**: `dns-doctor your-domain.com`
You can install it with `go install github.com/jvns/dns-doctor@latest`
## How it works
It basically just runs `dig +trace` and `dig +norecurse` on your domain, parses
the output, and tries to diagnose some problems. You'll need to have `dig`
installed.
## example output
```
$ ./dns-doctor cnameroot.com
FAILURE: cname-root
Details: CNAME at root points to 'examplecat.com.'
$ ./dns-doctor asdfasdf.jvns.ca
FAILURE: no-record
Details: No record found, using nameserver 'ns-2-b.gandi.net'
$ ./dns-doctor bad-ip.ring269.messwithdns.com
FAILURE: no-http
Details: Failed to connect to 203.0.113.0:80
$ ./dns-doctor example.com
All checks passed!
```
## List of checks
### **`no-record`**
Checks to see if your authoritative nameserver actually just doesn't have a record set.
#### How it's implemented
1. Look up the record with the authoritative nameserver (the equivalent of `dig +trace some.domain.com`)
2. If there's no matching record, fail this check
#### How to fix it
DNS Doctor will give you the domain name of the nameservers where your record is set. That should give you a clue about where to fix it.
### **`cache-mismatch`**
Checks to see if your local resolver has an old cached version.
#### How it's implemented
1. Look up the record with the authoritative nameserver (the equivalent of `dig +trace some.domain.com`)
2. Look up the record with the local resolver (the equivalent of `dig +norecurse some.domain.com`)
3. If the record the local resolver returns is outdated (if it's not), fail this check
#### How to fix it:
You just gotta wait! `DNS Doctor` will tell you how long you have to wait. It
figures that out by looking at the TTL (time to live) of the cached record.
### **`negative-cache`**
This is a variant of `cache-mismatch` that checks specifically for negative caching (a cached "this domain does not exist" response).
#### How it's implemented:
1. Look up the domain name with the authoritative nameserver
2. If there's no result, return success
3. Otherwise, look up the domain with the local resolver using `+norecurse` (equivalent of `dig +norecurse some.domain.com`)
4. If we get an empty NOERROR result, fail the check
#### How to fix it:
You just gotta wait! `DNS Doctor` will tell you approximately how long you have to wait. It
figures that out by looking at the TTL (time to live) on the domain's SOA record.
### **`bad-cname`**
Checks if your domain's CNAME doesn't resolve to anything.
#### How it's implemented:
1. Look up the domain name with the local resolver (equivalent of `dig some.domain.com`)
2. Check if it returns a CNAME record. If there's no CNAME record, return success
3. If there is a CNAME record, run `dig +trace cname.otherdomain.com`
4. If `dig +trace` reports no record for `cname.otherdomain.com`, fail the check
#### How to fix it:
You might have made a typo in your CNAME record.
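An added example (not dns-doctor's own code) of the comparison behind the `cache-mismatch` and `negative-cache` checks described earlier: it parses `dig` answer lines from the authoritative lookup and from the `+norecurse` lookup, and reports the cached record's remaining TTL as the time to wait. The names `parseRecords` and `diagnose` and the sample records are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const ( // constructed dig output (reserved test names and addresses), not a real capture
	authOut  = "example.test.\t300\tIN\tA\t192.0.2.10\n"
	staleOut = ";; ANSWER SECTION:\nexample.test.\t1742\tIN\tA\t192.0.2.99\n"
	negOut   = ";; AUTHORITY SECTION:\nexample.test.\t873\tIN\tSOA\tns1.example.test. admin.example.test. 1 7200 900 1209600 3600\n"
)

// parseRecords maps record data to TTL for "name TTL IN type data" lines (name "" matches any owner).
func parseRecords(out, name, rtype string) map[string]int {
	recs := map[string]int{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[2] != "IN" || f[3] != rtype || (name != "" && !strings.EqualFold(f[0], name)) {
			continue // dig comment lines (";; ...") and other record types end up here
		}
		if ttl, err := strconv.Atoi(f[1]); err == nil {
			recs[strings.Join(f[4:], " ")] = ttl
		}
	}
	return recs
}

// diagnose returns the failing check ("" if none) and the seconds left on the cached entry.
func diagnose(authOut, cachedOut, name, rtype string) (string, int) {
	auth, cached := parseRecords(authOut, name, rtype), parseRecords(cachedOut, name, rtype)
	check, wait := "cache-mismatch", 0
	if len(cached) == 0 { // empty answer: a cached negative response carries the zone's SOA
		check, cached = "negative-cache", parseRecords(cachedOut, "", "SOA")
	}
	for data, ttl := range cached {
		if _, ok := auth[data]; !ok && ttl > wait {
			wait = ttl // cached data the authoritative server does not serve
		}
	}
	if len(auth) == 0 || wait == 0 {
		return "", 0 // no authoritative record, or nothing stale in the cache
	}
	return check, wait
}

func main() {
	fmt.Println(diagnose(authOut, staleOut, "example.test.", "A"))
	fmt.Println(diagnose(authOut, negOut, "example.test.", "A"))
}
```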
### **`cname-cache-mismatch`**
1. Look up the domain name with the local resolver (equivalent of `dig some.domain.com`)
2. Check if it returns a CNAME record. If there's no CNAME record, return success
3. Run the `cache-mismatch` check on the CNAME record
### **`cname-root`**
#### How `cname-root` is implemented:
1. Check if the domain has a CNAME record
2. If it does, and if it's not a subdomain (`blah.example.com` is ok, `example.com` is not), fail the check
#### How to fix `cname-root`:
This isn't **necessarily** a problem -- your site might work just fine! (todo: explain)
### **`no-http`**
Only runs if you requested an A record check. This is a heuristic to see if you
might have made a typo in the IP address.
#### How `no-http` is implemented:
1. Look up the domain with the authoritative nameserver (the equivalent of `dig +trace some.domain.com`)
2. Try to connect to each resulting IP address on port 80 and port 443
3. If we get a "connection refused" error or if it times out, fail the check
#### How to fix this
If your server isn't an HTTP server, you can ignore this one. Otherwise there's likely an issue with the configuration of your HTTP server.
### **`old-nameserver`**
This checks for whether your nameservers changed recently, and if they're
cached with your local resolver.
TODO: not implemented, not sure how to implement this.
#### How to fix `old-nameserver`:
You just gotta wait! Typically you'll have to wait up to 1-2 days after you
made the changes. DNS Doctor will tell you the TTL (in days) for the total
waiting time.