This story appeared on Network World at http://www.networkworld.com/newsletters/...
DNSstuff, diagnoses DNS, er, stuff
Be ready to head off those ugly DNS problems with DNSstuff
Web Applications Alert by Mark Gibbs, Network World, 08/18/2008
Have you ever had your Web site just drop off the face of the 'Net even though you know the server was running? One of the most common causes is a misconfigured or damaged DNS setup, and if you've ever tried to get seriously under the hood with DNS you'll know just how complicated this can be.
Given how crucial DNS is to keeping your presence visible on the Internet there's an obvious need for sophisticated diagnostic services, and that's the niche that DNSstuff.com fills.
DNSstuff has taken pretty much every DNS tool and diagnostic in existence, rewritten them, and integrated the results into a hosted Web application. The company explained to me that the standard tools were rewritten so they could extract more information from the interrogation and response processes, giving them deeper diagnostic insight.
What prompted me to take a look at DNSstuff was a letter from a Network World reader, Art Grater (Pebble Beach, Calif.), who was interested in what the company had to offer. He used DNSstuff's "check out your own site" feature and was amused to find that when he entered dnsstuff.com as the target, the domain was reported to have two critical errors!
Unfortunately, until you get an account (you can register for a free 21-day trial) you can't see the details. The irony of this meant that I just had to find out what was going on...
I had a discussion with DNSstuff's CTO, Paul Parisi, and he explained that one of the two errors is caused by their diagnostic server being on the same network as their mail server: tested from inside their own network, the mail server appears to be an open relay. He pointed out that, obviously, this isn't the case from the outside.
The other error is apparently in their use of CNAMEs to identify their servers so that the F5 load balancing they use can work. Paul told me that the reason this is shown as an error is that, while it doesn't cause a problem, this technique isn't defined in the relevant RFCs and is therefore, by omission, a potential problem. Paul also told me that they checked the technical issues with one of their advisers (a god of DNS), Cricket Liu, who told them that what they are doing is OK despite its dubious status. This rather underlines just how complex DNS actually is!
DNSstuff offers a broad range of diagnostics. The most useful is their comprehensive DNSreport, which examines and reports on the key attributes and errors of a DNS configuration. You can e-mail the results of this or any other DNSstuff tool to other people; to see the DNSreport results for my domain click here.
DNSstuff's other diagnostics include 55 tools broken into groups. The Standard Tools include DNS timing; spam blacklist checking; whois; advanced traceroute; URL deobfuscator; ping; forward and reverse DNS lookups, etc. The Advanced Tools include reporting on Top Level Domain Lookup; Standardized WHOIS Lookup; SSL Examination; Web Site HTTP Headers; ASN Information; Find Nearby IPs; SPF; MAC Address; ASN WHOIS; NANAS Search; What Is?; and Zone File Dump.
DNSstuff also provides Merchant Tools, which include Merchant Category Code Lookup; Chargeback Reason Code Lookup; Phone Lookup; Area Code and ZIP Lookup; BIN lookup; SSN Data; and Date Info. (Actually, the Phone Lookup is misleading: I entered my office phone and it was correctly geo-located, but identified as a landline even though the number was transferred to Vonage a few years ago.)
Finally, DNSstuff also provides IPv6 Tools and a number of free tools, which you can use without having an account.
DNSstuff also offers access to their Dev Lab tools (tools that are still in development), which currently include VectorTrace, a multipoint traceroute diagnostic; DNS Traversal, which verifies whether all of the Internet's DNS root servers see your DNS data the same way; and a speed test for your connection (with AT&T DSL I currently have a download speed of 312Kbps and an upload speed of 51.4Kbps with a latency of 89 ms. If only Verizon would get FIOS into my area!).
The detailed diagnostic reports are very interesting and can reveal some surprising problems. Below are the sections labeled as errors from a DNSreport on my domain, gibbs.com. My Web site is hosted by EasyCGI, from which I've had very good service, and I'll be referring these issues to their management to see what they have to say and when the problems will get fixed.
You can get access to the DNSreport service on its own only with a 3-day pass for $19.95, while a yearlong subscription to the Professional Tool Set, which includes DNSreport along with all of the other diagnostics and access to advice from DNS experts, is priced at $79 per user (volume discounts are offered).
Access to only the standard tools (which does not include DNSreport, but does include access to DNS experts) is priced at $49 per user per year (again, volume discounts are offered).
DNSstuff also supplies a customizable, continuous automatic reporting service, DNSalerts, that detects and reports on changes in the results of all 55 tests and is priced at $99 per domain per year. RBLalerts, a service that warns you of your domain's inclusion in any of 130 Real Time Blacklists, costs $42 per annum (both services also offer volume discounts).
Finally, DNSstuff offers API access to its services, allowing for integration with third-party applications and services as well as network management systems. This is priced at $600 per year for 2,000 queries per month or $1,020 per year for 4,000 queries per month.
If you are in charge of the service integrity of your Web applications and you want to be ready to head off those ugly DNS problems, I'd advise taking a serious look at making DNSstuff part of your diagnostic toolkit.
Extract from DNSstuff.com DNSreport
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 184.108.40.206 reports that it will do recursive lookups. [test] Server 220.127.116.11 reports that it will do recursive lookups. [test] See this page for info on closing open DNS servers.
FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNSreport will not query these servers, so you need to be very careful that they are working properly.
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).
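The two findings quoted above can be reproduced without a hosted service. The following script is an added example, not DNSstuff's code or anything from the article: it builds a recursion-desired query for a name your server is not authoritative for, decodes the reply header to see whether the server advertises recursion (the RA flag) and whether it actually answered, and then compares the NS set the parent delegates to with the NS set the zone itself publishes, which is exactly the "stealth nameserver" comparison. The replies in the `__main__` block are constructed by hand (addresses in 192.0.2.0/24 are documentation space, and `example.net` is just an off-domain name), so everything runs offline; `probe_server` is the same check against a live server and is an assumption about how you would wire it up, not a DNSstuff API.

```python
"""Added example (not DNSstuff's code): two DNSreport-style checks, offline.
1. Open-recursion test: RD=1 query for an off-domain name, inspect RA/answers.
2. Stealth-nameserver test: NS set at the parent vs NS set in the zone."""
import socket
import struct
from typing import Dict, Iterable, List, Optional

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Single-question A query; rd=True asks the server to recurse for us."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header into flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_recursion(response: bytes) -> str:
    """Classify the reply to an off-domain RD=1 query.
    open-recursive  : RA set and the server actually answered (the ERROR above)
    advertises-only : RA set but no answer (the 'advertises recursion' caveat)
    closed          : RA clear, e.g. REFUSED from an authoritative-only server"""
    h = parse_header(response)
    if not h["ra"]:
        return "closed"
    if h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"
    return "advertises-only"


def build_response(query: bytes, flags: int, answer_ip: Optional[str] = None) -> bytes:
    """Constructed reply for testing: echo the question, optionally add one A RR."""
    ancount = 1 if answer_ip else 0
    header = query[:2] + struct.pack(">HHHHH", flags, 1, ancount, 0, 0)
    body = query[12:]
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + body


def probe_server(server_ip: str, name: str = "example.net.", timeout: float = 3.0) -> str:
    """Assumed wiring for a live check over UDP/53. Run it from OUTSIDE your
    own network: a test from inside can see behaviour the Internet does not,
    as the open-relay anecdote in the article shows."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_recursion(data)


def compare_delegation(parent_ns: Iterable[str], child_ns: Iterable[str]) -> Dict[str, List[str]]:
    """Stealth-nameserver check: names are compared case-insensitively, ignoring the root dot."""
    def norm(names: Iterable[str]):
        return {n.rstrip(".").lower() for n in names}
    parent, child = norm(parent_ns), norm(child_ns)
    return {"stealth": sorted(child - parent),           # in your zone, not at the parent
            "missing_at_child": sorted(parent - child)}  # delegated, but not in your zone


if __name__ == "__main__":
    q = build_query("example.net.")
    # Constructed replies; RCODE 5 is REFUSED
    replies = [("ns-open", build_response(q, FLAG_QR | FLAG_RD | FLAG_RA, "192.0.2.10")),
               ("ns-closed", build_response(q, FLAG_QR | FLAG_RD | 5))]
    for label, reply in replies:
        print(f"{label}: {classify_recursion(reply)}")
    print(compare_delegation(["ns1.example.com", "ns2.example.com"],
                             ["ns1.example.com", "ns2.example.com", "ns3.example.com"]))
```

The classification deliberately separates "advertises-only" from "open-recursive", because the report text notes that a server can set RA without actually recursing; only the second state means anyone can use your authoritative server as a resolver. For the delegation check, feed `compare_delegation` the NS names returned by the parent (the TLD servers) and by your own servers; a non-empty `stealth` list is the FAIL shown above, and a non-empty `missing_at_child` list is the opposite inconsistency, which is worth catching for the same reason.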