Here’s a quick script I wrote last year which I forgot about until today. I thought I should share it since it works fairly well with some modifications – it could be refined/improved quite a bit; I’m not the best bash/shell scripter. Be prepared to get your hands dirty with mods if you want to use this. Here’s a quick run down & description of what’s going on.
The script’s input is the bind9 file containing all zone entries you want to confirm are pointed to your server, I suggest making a copy – not working with any live configs. The script will run an lookup using `host -t ns
` on google’s DNS server to find out what the outside world thinks the domains’ name servers are; I tried `whois
` in the past but it was too unreliable due to timeouts & limits on the number of calls per minute. Then it checks the results of that host lookup against the hostnames, all capitalized hostnames, and IP addresses of your DNS servers (3 in my case). If any one of the DNS servers matches than we know the domain is still using our DNS. The other options are 1) it doesn’t find any DNS servers that are ours 2) it finds the phrase ‘not found’ which host returns if the domain is expired or there are no ‘NS’ type records in DNS. The script echos to shell what DNS servers match as it runs, but it only logs the DNS servers that don’t have any matches (so they can be removed by automation or manually later).
With the zone-audit.log output I then can remove the domains that aren’t using our DNS since they’re no longer in use. Please leave feedback in the comments if you think of a good improvement.
Code after the jump or Here
#!/bin/bash # domains=`sed -n 's/^zone\s*\"\([^\"]*\)\"\s* {[^\r]*/\1/p' /root/confirm-dns-zones/named.master` date > /root/confirm-dns-zones/zone-audit.log for i in $domains do echo "Checking $i" domain_ns=`host -t ns $i 8.8.8.8 | grep "$i"` echo $domain_ns if [[ $domain_ns =~ 'NS1.EXAMPLE' || $domain_ns =~ 'ns1.example' || $domain_ns =~ '4.3.2.1' ]]; then echo "$i contains DNS1 (4.3.2.1)" match_dns1=TRUE else #echo "DNS1 NOT FOUND" match_dns1=FALSE fi; if [[ $domain_ns =~ 'NS2.EXAMPLE' || $domain_ns =~ 'ns2.example' || $domain_ns =~ '4.3.2.2' ]]; then echo "$i contains DNS2 (4.3.2.2)" match_dns2=TRUE else #echo "DNS2 NOT FOUND" match_dns2=FALSE fi; if [[ $domain_ns =~ 'NS3.EXAMPLE' || $domain_ns =~ 'ns3.example' || $domain_ns =~ '4.3.2.3' ]]; then echo "$i contains DNS3 (4.3.2.3)" match_dns3=TRUE else #echo "DNS3 NOT FOUND" match_dns3=FALSE fi; if [[ $match_dns1 == FALSE && $match_dns2 == FALSE && $match_dns3 == FALSE ]]; then echo "* ERROR: $i - None of our DNS found for this domain using 8.8.8.8" echo $i >> /root/confirm-dns-zones/zone-audit.log fi; if [[ $domain_ns =~ 'not found' ]]; then echo "* Possible script error or missing DNS / Expired domain" echo "* ERROR: $i - Possible script error or missing DNS / Expired domain" >> /root/confirm-dns-zones/zone-audit.log fi echo echo "----------------" echo sleep 1 done |
Can you provide an example of a zone so I can more easily see what sed is doing ? thanks.
Sure, here’s my 2 formatting styles that I tested with:
zone “companyabc.com” { type master; file “bind.companyabc.com”; };
zone “businessxyz.com” {
type master;
file “bind.businessxyz.com”;
};
I try to make my matching regexes as loose as possible to match multiple formatting but obviously I may not be able to cover every single possibility. Also note that my zones are segregated in their own file rather than mixed with other bind9 configuration parameters.