Bash Script: Confirm domains in your DNS Bind server are still pointed at your address (haven’t moved to other DNS)

Here’s a quick script I wrote last year which I forgot about until today. I thought I should share it since it works fairly well with some modifications – it could be refined/improved quite a bit; I’m not the best bash/shell scripter. Be prepared to get your hands dirty with mods if you want to use this. Here’s a quick run down & description of what’s going on.

The script’s input is the bind9 file containing all zone entries you want to confirm are pointed to your server, I suggest making a copy – not working with any live configs. The script will run an lookup using `host -t ns` on google’s DNS server to find out what the outside world thinks the domains’ name servers are; I tried `whois` in the past but it was too unreliable due to timeouts & limits on the number of calls per minute. Then it checks the results of that host lookup against the hostnames, all capitalized hostnames, and IP addresses of your DNS servers (3 in my case). If any one of the DNS servers matches than we know the domain is still using our DNS. The other options are 1) it doesn’t find any DNS servers that are ours 2) it finds the phrase ‘not found’ which host returns if the domain is expired or there are no ‘NS’ type records in DNS. The script echos to shell what DNS servers match as it runs, but it only logs the DNS servers that don’t have any matches (so they can be removed by automation or manually later).

With the zone-audit.log output I then can remove the domains that aren’t using our DNS since they’re no longer in use. Please leave feedback in the comments if you think of a good improvement.

Code after the jump or Here

domains=`sed -n 's/^zone\s*\"\([^\"]*\)\"\s* {[^\r]*/\1/p' /root/confirm-dns-zones/named.master`
date > /root/confirm-dns-zones/zone-audit.log
for i in $domains
  echo "Checking $i"
  domain_ns=`host -t ns $i | grep "$i"`
  echo $domain_ns
  if [[ $domain_ns =~ 'NS1.EXAMPLE' || $domain_ns =~ 'ns1.example' || $domain_ns =~ '' ]]; then
    echo "$i contains DNS1 ("
    #echo "DNS1 NOT FOUND"
  if [[ $domain_ns =~ 'NS2.EXAMPLE' || $domain_ns =~ 'ns2.example' || $domain_ns =~ '' ]]; then
    echo "$i contains DNS2 ("
    #echo "DNS2 NOT FOUND"
  if [[ $domain_ns =~ 'NS3.EXAMPLE' || $domain_ns =~ 'ns3.example' || $domain_ns =~ '' ]]; then
    echo "$i contains DNS3 ("
    #echo "DNS3 NOT FOUND"
  if [[ $match_dns1 == FALSE && $match_dns2 == FALSE && $match_dns3 == FALSE ]]; then
   echo "* ERROR: $i - None of our DNS found for this domain using"
   echo $i >> /root/confirm-dns-zones/zone-audit.log
  if [[ $domain_ns =~ 'not found' ]]; then
    echo "* Possible script error or missing DNS / Expired domain"
    echo "* ERROR: $i - Possible script error or missing DNS / Expired domain" >> /root/confirm-dns-zones/zone-audit.log
  echo "----------------"
  sleep 1
Be Sociable, Share!
  • Google Reader
  • HackerNews
  • Reddit
  • email
  • StumbleUpon
  • Delicious
  • Posterous

2 thoughts on “Bash Script: Confirm domains in your DNS Bind server are still pointed at your address (haven’t moved to other DNS)

    • Sure, here’s my 2 formatting styles that I tested with:

      zone “” { type master; file “”; };

      zone “” {
      type master;
      file “”;

      I try to make my matching regexes as loose as possible to match multiple formatting but obviously I may not be able to cover every single possibility. Also note that my zones are segregated in their own file rather than mixed with other bind9 configuration parameters.

Leave a Reply