dns-auditor

Check your DNS records for a variety of potential issues.

Checks

• CAA: Checks that extant CAA records are valid. If specified by policy, requires issue and iodef fields to be present.
• CNAME: Checks that CNAME records point to names that have resolvable A records.
• Mail: Checks that MX records point to names that have resolvable A records. Partially validates DMARC records, if present. If specified by policy, requires domains with MX records to have SPF and DMARC records.
• rDNS: Checks that reverse DNS for the IPs that A/AAAA records point to resolve to the same domain.

Supported DNS Hosts

DigitalOcean

Create a new API token in the DigitalOcean control panel: https://cloud.digitalocean.com/account/api/tokens

Note that a read-only token is sufficient.

Porkbun

Create a new API key and secret here: https://porkbun.com/account/api

Note that you must enable API access for each domain individually. See Porkbun's API docs.

Name.com

Create a new API token in Name.com Account Settings: https://www.name.com/account/settings/api

Configuration

Credentials

Credentials for supported DNS hosts are accepted via environment variables, listed below. dns-auditor will attempt to read these from the .env file in the working directory, if it exists. See .env.sample for an example.

DigitalOcean

• DIGITALOCEAN_TOKEN: your DigitalOcean API token

Porkbun

• PORKBUN_API_KEY: your Porkbun API key
• PORKBUN_SECRET_KEY: your Porkbun API secret key

Name.com

• NAMECOM_USERNAME: your Name.com username
• NAMECOM_API_TOKEN: your Name.com API token

Policies

Certain checks can be customized with a policy file. See policy.ini.sample for an example. Pass this file to dns-auditor with the --policy option.

CAA

• RequireIssue: If true, requires that the domain has a CAA record with an issue or issuewild field.
• RequireIodef: If true, requires that the domain has a CAA record with an iodef field.
• IodefAllowlist: Comma-separated list of allowed iodef addresses (email addresses or URLs). If specified, CAA iodef records must contain values from this allowlist. Leave empty or omit to allow any valid iodef address.

Mail

• RequireSPF: If true, requires that any domain that has MX records also has an SPF record.
• RequireDMARC: If true, requires that any domain that has MX records also has a DMARC record.

rDNS

• FailOnMissingPTR: If true, a missing PTR record will cause the check to fail.

Usage

CLI Options

• --domain: Domain to audit. If not given, all domains in the account will be audited. Optional.
• --host: Hosting service for your DNS records. One of: do (DigitalOcean), pb (Porkbun), nc (Name.com).
• --policy: Path to a .ini policy file. Optional.
• --verbose: Print each check that is run regardless of its result. Optional.

Non-Docker

Clone the repository and run make dev/bootstrap, which will create a virtualenv for you:

git clone https://github.com/cdzombak/dns-auditor.git
cd dns-auditor
make dev/bootstrap

Then, activate the virtualenv and run main.py:

. venv/bin/activate
./main.py --host pb --domain dzombak.com

Alternatively, run main.py via the venv's Python interpreter directly:

./venv/bin/python ./main.py --host pb --domain dzombak.com

Docker

Pre-built Docker images are available on Docker Hub. To run it:

docker run --rm -e PORKBUN_API_KEY='pk1_aaaa0000' -e PORKBUN_SECRET_KEY='sk1_0000aaaa' cdzombak/dns-auditor --host pb --domain dzombak.com

Remember that:

• You will need to provide environment variables to the container for your DNS host credentials
• Any policy file you want to use must be mounted into the container

License

GPL 3.0; see LICENSE in this repository.

Author

Chris Dzombak (dzombak.com; GitHub @cdzombak)

See Also

• DigitalOcean to Porkbun DNS Migrator
• DigitalOcean to Name.com DNS Migrator
• Name.com to DigitalOcean DNS Migrator
• DigitalOcean Dynamic DNS tool