DNS auditing script

For some time (going back to before Sympl forked) there’s been a problem checking what DNS is actually public, versus what Sympl thinks it should have.

I’ve spent some time and built a script which you can run against a domain, and it will check the domain health in general (nameservers are consistent), then iterate through the current DNS templates in /srv/example.com/config/dns/*.txt and compare their contents against public results.

It’s very early, and may well have some interesting bugs, but it do have a go and see what you think.

The script itself is available here, and part of the the sympl-scripts repository.

As an example…

root@sympl:~# ./sympl-dns-audit sympl.host
Detecting authoritative DNS servers... ok
  Nameserver 1: ns1.mythic-beasts.com
  Nameserver 2: ns2.mythic-beasts.com

Checking authoritative servers are in-sync... ok, will use 'ns1.mythic-beasts.com' for queries

ok	sympl.host	A
ok	ftp.sympl.host	A
ok	www.sympl.host	A
ok	mail.sympl.host	A
ok	mx.sympl.host	A
ok	sympl.host	AAAA	2a00:1098:88::3:1
ok	ftp.sympl.host	AAAA	2a00:1098:88::3:1
ok	www.sympl.host	AAAA	2a00:1098:88::3:1
ok	mail.sympl.host	AAAA	2a00:1098:88::3:1
ok	mx.sympl.host	AAAA	2a00:1098:88::3:1
ok	sympl.host	MX	mx.sympl.host.

warn	sympl.host	TXT
	expected		"v=spf1 +a +mx -all"
	got			"v=spf1 a mx ip6:2a00:1098:88::3:2 a:sympl.host -all"

ok	default._domainkey.sympl.host	TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5d846+Kwm/+Wo5k8Y1SyV2uFHZaGETpPLeFcTV5vu9cVoP2OFnOFVVtAPQ1J8MLSVpH0mJX27sw2RGGImFWvlIVFmhX4bhk3rIwEUBuL4+jwEmk5LjIpwdZtzUVxJzJfCsE/rEdXTPohmOJI6DxDaVciVPF1UBTGFbFsUJV9tJ3FCsbbi+lGmZBtMJn9NNlfcM2uPHY2urwUKiKNi/UrrBP0fHwOlVjLGOyG1ugxbC1jsS37cpRQ8kxLoIVxJ/un4cZo3tWDqkytLDXM11DSrF/TWbS3ENCsuxHvOMuuin+AJFN3P1KIiGrGynH3f6tOEgTcS3MQ0CNPP/HuJuP+QIDAQAB"
ok	_dmarc.sympl.host	TXT	"v=DMARC1; p=quarantine; sp=none"

Give it a go and let me know how it works.