Wednesday, November 14, 2007

Checking Huge Amounts of DNS Zones Easily

Most of the places I've ever worked, where I needed to manage Bind and DNS, it was a few little things at a slow pace. You had your main zone, maybe a few subzones and it all boiled down to a few files to manage in a relatively small setup. I'm talking about the kind of setup that a Sun Ultra5 could eat for lunch. The NIC was almost always the bottleneck.

However, some places (like ISPs and other service providers) will have gigantic amounts of zones that they serve. In those sorts of instances, doing things on the fly doesn't much cut it, unless you can afford to spend the majority of your work life doting over your DNS setup.

One of the main things that you need to worry about, after the initial setup and any time you do a migration or merge DNS zone depots, is making sure you didn't screw the pooch in the process. Thankfully, Bind comes with a few programs to make your life easy.

Given an unlimited amount of zones, you can use the named-checkzone command to verify them all while you surf the web ...or work really really hard ;). Its syntax is simple:

named-checkzone the_zone_name the_zone_filename

And, if you wrap that in a simple loop, iterating over the files in your DNS directory, you'll end up with a simple-to-analyze report in minutes. Consider the following:

#!/bin/ksh

chao=$$
date=`date +%m%d%y`

# Only look at zone files; anything else sitting in /var/named (directories,
# journal files, stray configs) would otherwise be handed to the checker with
# its full path as the zone name.
for x in /var/named/*.db
do
file_name=$x
# Strip the directory and the trailing ".db" to recover the zone name.
zone_name=`echo $x | sed 's/.*\/\(.*\)\.db$/\1/'`
named-checkzone $zone_name $file_name | tee -a confstate.$date.$chao
done


Above, very simply, we've taken every zone file and checked it using Bind's own checker (how much better could that get?). Like most folks who like to keep things simple when they don't have to be complicated, I named my zone files using the convention ZoneName.db. To create the zone_name variable, I use a simple sed command to capture every part of the filename except for the trailing ".db". All of that output gets dumped into the confstate file using tee.
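Here is a fuller version of that loop, written for this post as an added example rather than code from the original: it assumes zone files named ZoneName.db under $ZONE_DIR and a checker command taken from $CHECKZONE (defaulting to named-checkzone), and unlike the tee pipeline above it keeps the checker's own exit status, so the report ends with a pass/fail count and every failing zone is flagged by name.

```shell
#!/bin/bash
# Added example (not from the original post): check every BIND zone file in a
# directory and finish with a pass/fail count instead of a raw tee'd transcript.
# Assumptions: zone files are named ZoneName.db in $ZONE_DIR, and the checker
# is named-checkzone (overridable via $CHECKZONE, e.g. a stub when testing).

ZONE_DIR="${ZONE_DIR:-/var/named}"
CHECKZONE="${CHECKZONE:-named-checkzone}"

# Derive the zone name from a file path: drop the directory and the ".db".
zone_from_file() {
    local base=${1##*/}
    printf '%s\n' "${base%.db}"
}

# Check one zone file, appending the checker's output to the report.
# No tee here, so the function's status is named-checkzone's own status.
check_one() {
    local file=$1 report=$2 zone
    zone=$(zone_from_file "$file")
    "$CHECKZONE" "$zone" "$file" >>"$report" 2>&1
}

# Check every *.db under ZONE_DIR. Prints "ok=N fail=M" on stdout, records each
# failing zone in the report, and returns non-zero if anything failed.
check_all() {
    local report=$1 ok=0 fail=0 f
    for f in "$ZONE_DIR"/*.db; do
        [ -e "$f" ] || continue          # no zone files: the glob stays literal
        if check_one "$f" "$report"; then
            ok=$((ok + 1))
        else
            fail=$((fail + 1))
            printf 'FAIL %s (%s)\n' "$(zone_from_file "$f")" "$f" >>"$report"
        fi
    done
    printf 'ok=%d fail=%d\n' "$ok" "$fail"
    [ "$fail" -eq 0 ]
}

# Report name follows the original post's confstate.<date>.<pid> convention.
main() {
    check_all "confstate.$(date +%m%d%y).$$"
}

# Run only when invoked with --run, so the functions can also be sourced.
case "${1-}" in --run) main ;; esac
```

Run it as `ZONE_DIR=/var/named ./checkzones.sh --run`; a non-zero exit means at least one zone failed, which makes it easy to wire into cron or a migration checklist.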

You can do the same thing with your named.conf (using Bind's named-checkconf), but there's almost no reason to script that. Hopefully you've only got one configuration file and you can check that as simply as typing:

named-checkconf /etc/named.conf

or whatever you named your conf file and wherever it is.

Enjoy your snooze. Hopefully all of your zone files are in compliance :)

, Mike