What DNS checkers should people use?

hi @schoen

I thought that was the whole premise behind this tool that @jsha referenced a couple of times when troubleshooting CAA records

https://unboundtest.com/

The Go Code is provided as well https://github.com/jsha/unboundtest if people need to run it internally

Andrei

I noticed that @jsha happened to announce his tester right at the same time that I was asking this question. Unfortunately, I don’t believe that that tester provides a clear and concise enough summary for very inexperienced users to use it as their first-pass diagnostic tool. The cases that that tester will find are rather subtle and the process of interpreting them is also rather subtle. Since I’m really thinking of advocating using testing tools as a first pass before posting on the forum at all, I think what I would suggest would be a tool that does a lot more interpretation on the user’s behalf.

I think the target audience for @jsha’s tool is relatively sophisticated network administrators who have a good general understanding of DNS (like some of the people on the recent CAA threads!).

yup I get what you mean

I am writing a pre-flights python script that will check a domain and make suggestions for the user based on a domain discovery. (you shared common issue with mean a few months back)

The idea would be that users can run the script and it will have an obfuscate function as well so they can share the output and everyone can standardize troubleshooting

Unfortunately if users aren’t technical enough to understand how DNS works then my feeling is that most of the tools mentioned would be of limited use (in my humble opinion) as they tend to spit out technical results.

Andrei

FWIW, I’ve been meaning to set up this tool for the use of beginner users debugging “it works for me”-style DNS errors, but since the problem that finally spurred me to do it was being debugged by relatively sophisticated admins, that’s who I wound up having in mind when I wrote the verbiage. I would definitely welcome a pull request to make the tool more broadly understandable!

that will be the idea

I am thinking a slight interface redesign as well

maybe a “I am not sure it’s not working button” for those who don’t know.

had a look at your code and it’s pretty straight forward (in a good way)

Andrei

IMHO, the only DNS checker that’s going to make sense for Let’s Encrypt is going to be one that’s maintained by Let’s Encrypt, or by someone who is in close consultation with Let’s Encrypt and able to change in sync with changes Let’s Encrypt makes. Subtle nuances in how Let’s Encrypt handles DNS lookups can clearly have outsized impacts on the results; expecting a third-party checker that doesn’t take into account Let’s Encrypt’s specific circumstances to provide reliable results in the long term seems doomed to failure to me.

For example, let’s look at how CAA has been rolled out. Up to a week ago, CAA SERVFAILs were no big thing – they were ignored. If a DNS checker said “WHOOP! WHOOP! Your CAA records are failing!”, that would have confused people because their certificates were being issued Just Fine. So a Let’s Encrypt-“compatible” DNS checker should have been, at most, mildly dissuading of a CAA SERVFAIL. Then, a week ago, the situation changed, and the reverse is now true – a Let’s Encrypt-“compatible” DNS checker should have been waving the red flag about the same situation. Unless this Let’s Encrypt-“compatible” DNS checker was aware of (and cared enough about) these changes in Let’s Encrypt, they wouldn’t have made the appropriate change at the appropriate moment, and they’d be giving bad advice. This is why I say that any Let’s Encrypt-recommended DNS checker really needs to be built and maintained in very close collaboration with the Let’s Encrypt engineering team, preferably with heads-up of any changes which could conceivably have an impact on DNS.

I’m not sure that a motivated third-party with an inside line on upcoming changes is even enough, though. Take this PowerDNS bug that’s causing a bit of heartburn – it only appears because LE is using a fairly obscure security-oriented configuration option (so-called “0x20 bit”). I’m sure there are a bunch of other things that Let’s Encrypt are doing behind the scenes, for all manner of very good reasons, that nobody outside knows about, and I’d say it’s unlikely that a third-party DNS checker is going to get all of the knobs in exactly the right places without being told exactly how Let’s Encrypt does DNS checking – a level of detail which I doubt is achievable by anything other than access to the infrastructure, or at least the complete configuration management system data to build it. Maybe a third-party could be trusted with all that, but I don’t think there’s too many people who are both (a) sufficiently trustworthy to be given that level of access, and (b) have enough spare time to be able to reverse-engineer the Let’s Encrypt resolution environment and build and maintain such a system – and I can’t imagine such a service gaining enough revenue or donations to be able to pay someone to do all that.

Thus, at the end of the day, I think that if Let’s Encrypt wants a DNS checker that’s anything more than either “one of these seven services might give you a hint” or “this thing over here works sometimes, but gives false (positives|negatives) in this list of cases”, Let’s Encrypt is going to have to build it – or at least fund it (which amounts to essentially the same thing).

3 Likes

Thanks for that analysis, @mpalmer. I think you’re probably right.

I would still love to have something to suggest as an interim measure because, especially for DNSSEC, I have definitely seen third-party testers resolve a significant number of people’s problems. But I’ll have to recognize that it’s kind of a stop-gap.

Since @jsha’s new site uses the same resolver codebase as Let’s Encrypt, I think it would be an clear choice as a future basis for a tool that does more analysis for people. :slight_smile:

Yes, @jsha’s tool is definitely the sort of thing that’s a step in the right direction. It’s not at that “point everyone at it, support requests drop by 50%” stage (yet?), but insofar as it gives more “right” answers than anything else is likely to, it’s very valuable to that subset of the community that’s able to interpret the results.

The dnsviz code is at https://github.com/dnsviz/dnsviz

Nothing should prevent LE from running their own instance with CAA enabled by default.

Not on topic of the question asked, but I saw you asking what could be used instead of dig on Windows… .well… dig :stuck_out_tongue:

[ DSKTP\Orion ] - D:\Dev\DNS\BIND9.11.0-P3.x64 > dig google.com type257

; <<>> DiG 9.11.0-P3 <<>> google.com type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27053
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN CAA

;; ANSWER SECTION:
google.com. 86400 IN CAA 0 issue "symantec.com"
google.com. 86400 IN CAA 0 issue “pki.goog”

;; Query time: 15 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Tue Jul 25 03:11:59 W. Europe Daylight Time 2017
;; MSG SIZE rcvd: 97

1 Like

Whoops! Should have been more specific. I know it exists for Windows, but appeared that you needed to install Bind. Am I to interpret that it’s included in the download without install? Or at worst, after a simple install (no Cygwin or anything.) Never tried putting Bind on Windows.

@mpalmer

That was an argument I made earlier on. Almost every DNS tool is fairly technical in nature so it’s hard to make it user friendly without educating the user first.

I don’t believe that you will ever see a 50% reduction in people writing help posts. i have seen cases where 3 people wrote the about the same problem one after the other.

CAA records are now more important as CAs will be required to check them from September 2017. As they were optional in the past I think its more a matter of DNS server writers ironing out the kinks. This is no different when IPV6 first started appearing and network vendors had to patch code.

I think it happens that CAs will feel the majority of the brunt as they are the main consumers of this record type.

Andrei

This is for the DNS and SSL. This is a great tool and a must for all users of your product.

I thought I might share this with you guys.

Sharing is caring.

https://www.ssllabs.com/ssltest/index.html

Download this tool below

https://www.nartac.com/Products/IISCrypto

Single click to secure your website using best practices
Create custom templates that can be saved and run on multiple servers
Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
Enable TLS 1.1 and 1.2
Enable forward secrecy
Reorder cipher suites
Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
Site scanner to test your configuration
Command line version

Finally, to answer you specifically regarding DNS .

https://mxtoolbox.com/SuperTool.aspx
https://www.dnssec-tools.org/
https://mxtoolbox.com

I use SimpleDNS.com for 10 years shes stable and you can do wonders with DNS.

Have Fun hope this helps.

Mike

You are correct… it can be fetched from the portable binary zipped x86 or x64 release.
All the small utilities are there, which can come in handy for when working on Windows (this horrible laptop from work) :
dig, mdig, arpaname, delv, the dnssec- & nsec-utilities etc.

Next to these binaries there’s actually also a setup of the BIND-server itself included, but I always assumed up til now, that was more like an inside joke. Right ? Yeh has to be :slight_smile:

1 Like

I see people making horrible mistakes with mx, cname, aaaa additions they make : I have to agree that this output - altho nice! - will completely overwhelm the people targeted. This will leave them with more questions than answers, or completely freeze them in fear :slight_smile:

1 Like

Thank you for the url ! :slight_smile: Nice for in the web-based toolbelt :slight_smile:

One idea might be to have a form letter reply where we say that we won’t proceed with answering the question unless the user either shares the domain name or pastes the result of some kind of diagnostic tool that did check the DNS setup. (These results could redact the domain name but might say “Yes, the DNS settings are OK for Let’s Encrypt issuance” or “No, the DNS settings have a problem that would prevent Let’s Encrypt issuance”.)

4 Likes

You’re providing a free (and valuable) service, and then providing free support for that service.

My opinion is that users asking for help should be required, at minimum, to complete a diagnostics tool that would start with entering the domain name. If any DNS issues can be automatically detected, the user should be directed to a very simple guide on correcting that issue. I might even consider requiring a minimum wait time for posting after completion.

In summary, you folks are providing so much for free, don’t hesitate to say “no” every once in a while :slight_smile:

2 Likes

I’ve always been in favour of a method like this and still like it most. “Forcing” the users gently gets them support but not before support gets the information needed. One could chose form of delivery, once is decided which output support wants, since it is/can be sensitive data… pdf to certain mailbox which is accessible to support comes to mind. Users generally like that, even not knowing how many people are “in support” :slight_smile:

Why post tools that are nothing to do with DNS on a discussion about DNS tools

They are great tools but Windows users are a minority for let’s encrypt and ssllabs is well known about. In fact certbot points you to ssllabs as a way of checking your configurations after obtaining certificates

not trying to be a downer but curious

Andrei