Compare & Troubleshoot DNS Servers: dnseval

The third tool out of the DNSDiag toolkit from Babak is dnseval. “dnseval is a bulk ping utility that sends an arbitrary DNS query to a given list of DNS servers. This script is meant for comparing response times of multiple DNS servers at once”. It not only lists the response times but also further information from the DNS responses, such as the TTL and the header flags. This makes it really useful for comparing and troubleshooting different DNS forwarders, as well as for checking how the responses of your own authoritative DNS servers look to others.

This blogpost is part of a series about DNSSEC. Refer to this list for all articles.

First of all, I want to thank Babak for implementing so many of the feature requests I sent him (more than ten!). Also note his two other tools, dnsping and dnstraceroute, which I covered in other blog posts.

./dnseval with own server list

When called without any options dnseval displays a short info page:

Note the -f <file> option, which reads the list of servers dnseval should query from a file. I always use my own list with the following entries, each with both IPv6 and legacy IP addresses:

  • the DNS forwarders from my ISP (Deutsche Telekom)
  • common public servers (Google Public DNS, OpenDNS)
  • my own internal recursive DNS servers (BIND, Unbound)
  • some other router/firewall/CPE DNS forwarders (Palo Alto DNS Proxy, FRITZ!Box)
  • own authoritative DNS servers (BIND).

With this big list I can check many different DNS problems as shown below:

A Picture is worth a Thousand Words

Have a look at the following sample output from dnseval and all the information you can gather from it. (If you are not familiar with the DNS header flags, have a look here.) I queried the FQDN fg.weberdns.de, which is hosted on my own authoritative DNS servers. That is, I can check whether all of these DNS servers are able to reach my own authoritative ones:

You can see the following:

  • every server was reachable (0 % lost) and answered (QR = query response flag)
  • the OpenDNS servers were faster than the Google Public DNS servers
  • the TTL seems to be correct on all servers (3600 seconds are configured), and the query was not yet in the cache of any of them because the TTLs had just started decreasing from 3600
  • some servers are validating DNSSEC (AD = authentic data flag), namely the Google Public DNS servers as well as my own recursive ones
  • my own authoritative servers are correctly answering with the AA = authoritative answer flag set, while they have no RA = recursion available flag, which is correct, too

Perfect! It seems that I have neither a problem on my own authoritative servers nor on any recursive ones.

Time Matters: TTL

From the DDoS attacks against Dyn we have learned that the TTL should not be too short. But what happens if the TTL is really high, e.g., 30 days = 2592000 seconds? Let’s have a look at the DNS forwarders. I am querying ttl-long.weberdns.de:

In fact only one reply delivered/cached the correct TTL, namely the one from the Unbound server. All other servers have capped the TTL, e.g., my ISP and Google to 1 day and OpenDNS to 7 days.

Short TTL values such as 60 seconds seem to be okay:


Caching Issues

With dnseval version 1.6 the -v option displays the actual DNS response. This can be used to compare the answers when you are searching for caching problems. (Though these are no real “problems” but simply a consequence of the TTLs. If you want to change some DNS names, consider using short TTLs for that period.)

In the following example I queried test.weberdns.de, which has the legacy IP address 192.2.0.1. (Don’t be confused by the many DNSSEC RRSIGs.) All DNS resolvers as well as my authoritative DNS servers (the ones with the AA flag) return the correct IP address:

Now I change the IP address to 198.51.100.42. Due to the correct caching of all DNS resolvers, only the authoritative DNS server replied with the updated IP address. (Of course the RRSIG record changed, too.)


Validating DNSSEC

As already mentioned, not all public DNS servers are validating DNSSEC. Google does, but OpenDNS and my ISP don’t. When querying sigfail.verteiltesysteme.net, an FQDN whose DNSSEC signature is deliberately invalid, no server should return an answer. But these do:

That’s it for now. Did I miss some interesting test cases? Please write a comment if so.

Featured image: “Werkzeug” by Andreas Issleib is licensed under CC BY-NC-ND 2.0.

One thought on “Compare & Troubleshoot DNS Servers: dnseval”

  1. There is a similar tool with fancy graphics and the ability to benchmark the DNS servers with a list of predefined domain names to resolve – it was able to use the browsing history or to use top sites from Alexa. It also has an option to include regional open DNS servers in the comparison: http://www.howtogeek.com/howto/16372/find-a-faster-dns-server-with-namebench/
    The project doesn’t seem alive today: https://github.com/google/namebench/tree/master
    But the older 1.5 branch was working fine some time ago: https://github.com/google/namebench/tree/1.5
