dnswalk
Debug and verify DNS zone data
TLDR
Transfer and check a whole zone for consistency (the domain name must be given with a trailing dot, e.g. example.com.)
Process sub-domains [r]ecursively
Only perform a dnswalk if the zone has been [m]odified since the last run
Print [d]ebugging and status information to stderr instead of stdout
Suppress the check for [i]nvalid characters in the domain name
Enable warnings about duplicate [a]ddress records (the same IP appearing under more than one name)
Enable "[F]ascist checking" to compare the A record PTR name with the forward name and report mismatches
Enable "[l]ame delegation" to test whether the listed host is returning authoritative answers
SYNOPSIS
dnswalk [-r] [-a] [-d] [-m] [-F] [-i] [-l] domain.
The domain must end with a trailing dot; dnswalk refuses names without it.
PARAMETERS
-r
Recursively descend into sub-domains of the specified domain: every delegation found in the zone is itself transferred and walked. Use with caution on large zones, as this multiplies the zone transfers and query traffic.
-a
Turn on warnings about duplicate A records, i.e. the same IP address appearing under more than one name. This is legal, so it is off by default, but it often points at stale or copy-pasted data.
-d
Print debugging and status information to stderr, so that the report on stdout can be redirected to a file or a script without the progress noise.
-m
Perform the checks only if the zone has been modified since the previous run, judged against the copy of the zone that dnswalk saved last time. Intended for periodic runs from cron.
-F
Perform "fascist" checking: for every A record, look up the PTR record of each address and report a failure when the PTR name differs from the forward name. Expect noise from hosts that are deliberately known under several names.
-i
Suppress the check for invalid characters in domain names. Use it for zones that intentionally carry names outside the classic hostname character set (for example underscores in service records).
-l
Perform "lame delegation" checking: for every NS record, query the listed nameserver directly and report it if it does not return authoritative answers for the zone.
DESCRIPTION
dnswalk is a DNS database debugger written in Perl on top of the Net::DNS module. It performs a zone transfer (AXFR) of the specified domain and then checks the transferred data in numerous ways for internal consistency and accuracy: A records whose addresses have no or mismatching PTR records, CNAME chains that loop, MX and NS records that point at CNAMEs or at names without an address record, names containing invalid characters, delegations to nameservers that do not answer authoritatively, and, with -a, the same address used under several names. It is meant for the administrators of a zone, to catch the errors that produce unreachable mail exchangers, broken delegations and unresolvable hosts before users do, and it can be run by hand or from cron and scripts as a periodic integrity check.
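The checks listed above are easy to misread as something dnswalk does with individual queries, so here is an added example, not dnswalk's own (Perl) code, that reimplements the core of them in Python over a constructed in-memory zone: PTR presence, "fascist" forward/reverse mismatch, CNAME loops, and MX/NS targets that are CNAMEs or lack an A record. The zone and reverse data are made up for the example; real dnswalk gets the zone from an AXFR and queries DNS for targets outside it.

```python
"""Added example: dnswalk-style consistency checks over an in-memory zone.
Not code from dnswalk; the ZONE and PTR data below are constructed."""
from collections import defaultdict

# Constructed forward zone as (owner, type, rdata) tuples. Trailing dots mark FQDNs.
ZONE = [
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),          # no A record in zone
    ("example.com.", "MX", "mail.example.com."),
    ("example.com.", "MX", "mx-alias.example.com."),     # MX pointing at a CNAME
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("mail.example.com.", "A", "192.0.2.10"),
    ("mx-alias.example.com.", "CNAME", "mail.example.com."),
    ("www.example.com.", "A", "192.0.2.20"),             # no PTR at all
    ("loop-a.example.com.", "CNAME", "loop-b.example.com."),
    ("loop-b.example.com.", "CNAME", "loop-a.example.com."),  # CNAME loop
]

# Constructed reverse data: address -> PTR target.
PTR = {
    "192.0.2.1": "ns1.example.com.",
    "192.0.2.10": "smtp.example.com.",   # deliberate forward/reverse mismatch
}


def index(zone):
    """Group rdata by (owner, type) so lookups are O(1)."""
    idx = defaultdict(list)
    for owner, rtype, rdata in zone:
        idx[(owner, rtype)].append(rdata)
    return idx


def resolve_cname(idx, name, limit=8):
    """Follow CNAMEs from name; return (final_name, looped)."""
    seen = []
    while (name, "CNAME") in idx:
        if name in seen or len(seen) >= limit:
            return name, True
        seen.append(name)
        name = idx[(name, "CNAME")][0]
    return name, False


def check_zone(zone, ptr, fascist=False):
    """Return (level, message) findings using dnswalk's WARN/FAIL/BAD vocabulary."""
    idx = index(zone)
    findings = []
    for owner, rtype, rdata in zone:
        if rtype == "A":
            name = ptr.get(rdata)
            if name is None:
                findings.append(("WARN", f"{owner} A {rdata}: no PTR record"))
            elif fascist and name != owner:      # the -F check
                findings.append(("FAIL", f"{owner} A {rdata}: PTR is {name}, forward name differs"))
        elif rtype == "CNAME":
            _, looped = resolve_cname(idx, owner)
            if looped:
                findings.append(("BAD", f"{owner}: CNAME loop"))
        elif rtype in ("MX", "NS"):
            if (rdata, "CNAME") in idx:
                findings.append(("BAD", f"{owner} {rtype} {rdata}: points to a CNAME"))
            elif (rdata, "A") not in idx:
                findings.append(("WARN", f"{owner} {rtype} {rdata}: no A record in zone"))
    return findings


def summarize(findings):
    """Count findings per level, like dnswalk's closing summary line."""
    counts = {"WARN": 0, "FAIL": 0, "BAD": 0}
    for level, _ in findings:
        counts[level] += 1
    return counts


if __name__ == "__main__":
    result = check_zone(ZONE, PTR, fascist=True)
    for level, msg in result:
        print(f"{level}: {msg}")
    print(summarize(result))
```

Without the fascist flag the mismatching PTR for mail.example.com. is silent, exactly as with dnswalk: a missing PTR is a warning by default, a wrong one is only reported under -F.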
CAVEATS
dnswalk works from a zone transfer (AXFR), and most authoritative servers restrict AXFR to their secondaries for good reason: a zone that transfers to anyone hands an attacker a complete host inventory. Run dnswalk from a host that the zone's nameservers allow to transfer (typically a secondary or an administrator's machine in the ACL), and confirm that first with an AXFR query from dig against each listed nameserver; if every server refuses, dnswalk reports the transfer failure and has nothing to check. Walking a large zone, and especially walking it with -r, generates many queries and reverse lookups, so do not point it at zones you do not operate. Some reported problems are intentional (multiple names on one address, PTR records that deliberately name a different host, underscores in service names), so read the output with knowledge of the zone rather than treating every line as a defect.
ZONE TRANSFER DEPENDENCY
dnswalk has no query-by-query fallback: it needs a zone transfer from at least one of the zone's nameservers to obtain the record set it checks. It tries the listed nameservers in turn and, if every one refuses AXFR, records a failure for that zone and moves on. The per-record checks (PTR lookups, lame delegation tests, out-of-zone MX and NS targets) are ordinary queries and work against any resolver, but only once the zone itself has been transferred.
ERROR CATEGORIZATION
Each finding is printed on its own line prefixed with its severity: WARN: for things that are probably wrong but legal (an address with no PTR record, an MX target with no address record in the zone), FAIL: for checks that came back with the wrong answer (a PTR that does not match the forward name under -F, a nameserver that is not authoritative under -l), and BAD: for data that is broken outright (CNAME loops, MX or NS records pointing at a CNAME, invalid characters in a name). The run ends with a one-line count of failures, warnings and errors, which makes the output easy to grep in scripts: filter on the prefix to decide what to alert on, and compare your own counts with the closing line to be sure the parse is complete.
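For the scripted use mentioned above, here is an added example (not part of dnswalk) that turns a dnswalk report into an exit status, with the prefix-to-count mapping (FAIL: to failures, WARN: to warnings, BAD: to errors) and the exact shape of the closing line taken as assumptions about dnswalk 2.0.x output that should be checked against the installed version. The sample report is constructed; run_dnswalk() invokes the real tool when given a domain on the command line.

```python
"""Added example: parse a dnswalk report and derive an exit status.
Not dnswalk's own code; SAMPLE is constructed, and the WARN/FAIL/BAD
prefixes and summary-line format are assumed from dnswalk 2.0.x."""
import re
import subprocess
import sys

LINE_RE = re.compile(r"^(WARN|FAIL|BAD): (?P<msg>.*)$")
# Assumed closing line: "<failures> failures, <warnings> warnings, <errors> errors."
SUMMARY_RE = re.compile(r"^(\d+) failures, (\d+) warnings, (\d+) errors\.$")

# Constructed sample report for offline use.
SAMPLE = """\
Checking example.com.
Getting zone transfer of example.com. from ns1.example.com...done.
SOA=ns1.example.com   contact=hostmaster.example.com
WARN: www.example.com. A 192.0.2.20: no PTR record
BAD: mx-alias.example.com. MX points to a CNAME
FAIL: mail.example.com. A 192.0.2.10: PTR record is smtp.example.com.
1 failures, 1 warnings, 1 errors.
"""


def parse_report(text):
    """Bucket prefixed lines by severity; return (findings, summary tuple or None)."""
    findings = {"WARN": [], "FAIL": [], "BAD": []}
    summary = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings[m.group(1)].append(m.group("msg"))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = tuple(int(x) for x in m.groups())
    return findings, summary


def consistent(findings, summary):
    """Cross-check our counts against dnswalk's closing line (assumed order:
    failures=FAIL, warnings=WARN, errors=BAD). A missing line means the run
    was cut short or the format differs, so treat it as inconsistent."""
    if summary is None:
        return False
    ours = (len(findings["FAIL"]), len(findings["WARN"]), len(findings["BAD"]))
    return ours == summary


def exit_status(findings, fail_on_warn=False):
    """2 for FAIL or BAD lines, 1 for warnings when they are fatal, else 0."""
    if findings["FAIL"] or findings["BAD"]:
        return 2
    if fail_on_warn and findings["WARN"]:
        return 1
    return 0


def run_dnswalk(domain, opts=("-F", "-l")):
    """Run the real tool; dnswalk insists on a trailing dot, so add one."""
    if not domain.endswith("."):
        domain += "."
    proc = subprocess.run(["dnswalk", *opts, domain],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    report = run_dnswalk(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    found, summary = parse_report(report)
    if not consistent(found, summary):
        print("report truncated or format not recognised", file=sys.stderr)
        sys.exit(3)
    for level in ("BAD", "FAIL", "WARN"):
        for msg in found[level]:
            print(f"{level}: {msg}")
    sys.exit(exit_status(found))
```

Exit code 3 for an unparseable report is deliberate: a monitoring job that silently passes because dnswalk never got a zone transfer is worse than one that fails loudly.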
HISTORY
dnswalk was written by David Barr and was widely used among DNS administrators through the 1990s, when hand-maintained zone files made the kinds of inconsistency it detects common. Later versions are built on the Net::DNS Perl module, and development stopped after the 2.0 series. The tool still does what it was written for: a one-shot audit of a zone you are allowed to transfer, before deployment or on a schedule, against the same errors that were breaking mail and delegations when it was written.