
dnswalk

dnswalk is a DNS auditing and debugging tool that performs comprehensive zone data analysis. It validates DNS configuration for internal consistency, checks for missing or misconfigured records, identifies common DNS errors, and tests zone transfer capabilities. dnswalk is essential for DNS administrators, security auditors, and penetration testers who need to verify DNS infrastructure integrity and identify potential security issues.

The tool performs zone transfer attempts (AXFR) and validates SOA records, NS records, A/AAAA records, MX records, CNAME records, and other DNS record types.

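# Debian/Ubuntu: install dnswalk from the distribution package
sudo apt-get update
sudo apt-get install dnswalk
# dig and nslookup, used by the later examples, come from the BIND client
# utilities. On Debian/Ubuntu that package is dnsutils; bind-tools is the name
# other distributions use and is not installable through apt-get.
sudo apt-get install dnsutils

# Or build from source
# NOTE(review): confirm this URL is the project's official repository, check
# out a reviewed release tag or commit rather than the default branch, and read
# the Makefile before running the install step as root.
git clone https://github.com/DNS-OARC/dnswalk
cd dnswalk
make
sudo make install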
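# Confirm the tool is installed and reachable on PATH.
# NOTE(review): the dnswalk(1) man page lists only -a -d -F -f -i -l -m -r, so
# -h and -v will most likely just print the usage line; verify on your version.
dnswalk -h
dnswalk -v
# command -v is the portable way to locate a command; `which` is an external
# tool whose output and exit status differ between systems.
command -v dnswalk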
| Command | Description |
| --- | --- |
| dnswalk example.com | Audit example.com DNS configuration |
| dnswalk -r example.com | Recursive walk of zone and subdomains |
| dnswalk -a example.com | Check all record types |
| dnswalk -l example.com | List all records found |
# Simple zone walk
# NOTE(review): the dnswalk(1) man page requires the zone name to end with a
# dot (example.com.); confirm whether your build accepts the form shown here.
dnswalk example.com

# Verbose output
# NOTE(review): -v is not in the man page's option list; -d is the documented
# switch for debugging/status output. Verify before relying on -v or -vv.
dnswalk -v example.com

# Very verbose with detailed diagnostics
dnswalk -vv example.com
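# Try zone transfer (AXFR) - requires zone transfer permission
# NOTE(review): -t and the @server argument are not in the dnswalk(1) man page;
# dnswalk appears to transfer the zone from its listed nameservers as part of a
# normal run. Verify both against your installed version.
dnswalk -t example.com

# Zone transfer from specific nameserver
dnswalk -t @ns1.example.com example.com

# Check against all nameservers
# Read one nameserver per line instead of looping over an unquoted command
# substitution, so a name in the DNS answer is never word-split or glob-expanded
# by the shell.
dig example.com NS +short | while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  printf 'Testing %s...\n' "$ns"
  dnswalk -t "@$ns" example.com
done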
# Walk zone and all subdomains
# -r extends the audit from the named zone into the sub-zones beneath it.
dnswalk -r example.com

# Audit with record listing
# NOTE(review): the dnswalk(1) man page documents -l as lame-delegation
# checking rather than a record listing; confirm what it prints on your version.
dnswalk -r -l example.com

# Verbose recursive audit
# NOTE(review): -v is not in the man page's option list (-d is the documented
# debug switch); verify.
dnswalk -r -v example.com
# Each command below runs a full audit and keeps only the lines that mention
# one topic. The filters match free text, so they are only as good as the
# wording of dnswalk's messages: run the audit once unfiltered and adjust the
# patterns to the messages your version actually prints.
# NOTE(review): dnswalk messages presumably carry a severity prefix such as
# WARN:/FAIL:/BAD:; filtering on that prefix may be more reliable. Confirm.

# Audit for missing SOA records
dnswalk example.com | grep -i "soa"

# Check for missing NS records
dnswalk example.com | grep -i "ns record"

# Find missing A records for nameservers
dnswalk example.com | grep -i "a record"
# Look for CNAME errors
dnswalk example.com | grep -i "cname"

# Find MX record issues
dnswalk example.com | grep -i "mx"

# Check for DNS glue records
dnswalk example.com | grep -i "glue"
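# Full consistency audit
# NOTE(review): the dnswalk(1) man page documents -a as "warn about duplicate
# A records", not "check everything"; confirm on your version.
dnswalk -a example.com

# Check reverse zones
# Reverse zone names list the network octets in reverse order, so the zone for
# 10.0.0.0/24 is 0.0.10.in-addr.arpa. This also matches the PTR name used below.
dnswalk -r 0.0.10.in-addr.arpa

# Validate PTR records
# 1.0.0.10.in-addr.arpa is the PTR owner name for the host 10.0.0.1.
# NOTE(review): dnswalk audits zones; for a single address,
# `dig -x 10.0.0.1 +short` is the direct check.
dnswalk 1.0.0.10.in-addr.arpa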
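| Option | Usage | Description |
| --- | --- | --- |
| -a | dnswalk -a example.com | Check all record types (default) |
| -r | dnswalk -r example.com | Recursively walk subdomains |
| -l | dnswalk -l example.com | List all records found |
| -t | dnswalk -t example.com | Attempt zone transfer |
| -v | dnswalk -vv example.com | Verbose output (stack up for more) |
| -x | dnswalk -x example.com | Exclude specific types |

Confirm each flag against `man dnswalk` on your system before relying on it; the man page's option list (-a -d -F -f -i -l -m -r) does not match this table in several places.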
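# Test zone transfer capability
# NOTE(review): -t is not in the dnswalk(1) man page's option list; verify.
dnswalk -t example.com

# AXFR via dig
dig @ns1.example.com example.com AXFR

# AXFR from all nameservers
# Nameserver names come from a DNS answer, so read them line by line and quote
# them; the original unquoted $ns was subject to word splitting and globbing.
dig example.com NS +short | while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  echo "[*] Testing $ns"
  dig "@$ns" example.com AXFR | head -20
done
# Test incremental transfer
# IXFR=0 asks for every change since serial 0; servers commonly answer such a
# request with a full transfer.
dig @ns1.example.com example.com IXFR=0

# Compare with full transfer
# Both files hold a complete copy of the zone when the transfer succeeds, so
# store them somewhere access-controlled and delete them when done.
dig @ns1.example.com example.com AXFR > full.txt
dig @ns1.example.com example.com IXFR=0 > incremental.txt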
# Get SOA record
dig example.com SOA

# Validate SOA serial consistency
# Ask each authoritative server directly and compare the serial number in the
# answers. A server reporting a different serial is serving a different copy
# of the zone from the others.
dig @ns1.example.com example.com SOA
dig @ns2.example.com example.com SOA
dig @ns3.example.com example.com SOA

# Parse SOA with dnswalk
# The match is case-sensitive and only finds lines that spell SOA in capitals.
dnswalk example.com | grep "SOA"
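# List all nameservers
dig example.com NS +short

# Verify NS records are resolvable
# Read the names line by line so they are never word-split, and look up both
# address families: a nameserver that only has an AAAA record would otherwise
# look unresolvable.
dig example.com NS +short | while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  echo "Checking $ns..."
  dig "$ns" A +short
  dig "$ns" AAAA +short
done

# dnswalk NS audit
dnswalk example.com | grep "NS"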
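# Get MX records
dig example.com MX

# Verify MX targets are resolvable
# +short prints "<preference> <target>", so the target is the second field.
dig example.com MX +short | awk '{print $2}' | while IFS= read -r mx; do
  # Skip blank lines and the null MX target "." (RFC 7505), which declares
  # that the domain accepts no mail and has nothing to resolve.
  if [ -z "$mx" ] || [ "$mx" = "." ]; then
    continue
  fi
  echo "Testing $mx..."
  dig "$mx" A +short
  dig "$mx" AAAA +short
done

# dnswalk MX validation
dnswalk example.com | grep "MX"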
# Check for CNAME problems
dnswalk example.com | grep -i "cname"

# Manual CNAME validation
# Query the alias itself, then the address it should finally resolve to.
dig mail.example.com CNAME
dig mail.example.com A

# Verify CNAME doesn't conflict with other records
# A name that owns a CNAME must not own other record types. The zone apex
# always carries SOA and NS records, so a CNAME answer for example.com itself
# indicates a broken zone.
dig example.com A
dig example.com CNAME
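# Comprehensive zone audit
# Writes two reports into the current directory.
# NOTE(review): -v and the "list records" meaning of -l are not in the
# dnswalk(1) man page (-d is debug, -l is lame-delegation checking); verify.
echo "[*] Starting DNS audit of example.com"
dnswalk -v example.com > audit_verbose.txt
dnswalk -l example.com > audit_records.txt

# Analyze results
echo "[*] Checking for errors..."
# -E with | is portable; the \| alternation in a basic regex is a GNU extension.
grep -iE 'error|warning|missing' audit_verbose.txt

echo "[*] Record count by type..."
# NOTE(review): assumes each record line starts with a letter and carries the
# record type in the third column; check against the real report layout.
grep '^[a-zA-Z]' audit_records.txt | awk '{print $3}' | sort | uniq -c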
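# Test all nameservers for zone transfer
# dig's exit status is not a reliable signal here: a refused AXFR commonly
# still exits 0 and just prints "; Transfer failed.", which made the original
# check report every server as exposed. Decide from the answer instead: a
# completed transfer contains resource records, while a refusal contains only
# comment lines starting with ';'.
dig example.com NS +short | while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  echo "[*] Testing zone transfer from $ns..."
  # Query once and reuse the output rather than transferring the zone twice.
  axfr_output=$(dig "@$ns" example.com AXFR +time=5 +tries=1 2>/dev/null)
  # Count lines that are neither comments nor blank, i.e. actual records.
  record_count=$(printf '%s\n' "$axfr_output" | grep -cv -e '^;' -e '^[[:space:]]*$')
  if [ "$record_count" -gt 0 ]; then
    echo "[!] VULNERABLE: Zone transfer allowed from $ns"
    printf '%s\n' "$axfr_output" | head -20
  else
    # Also reached when the server is unreachable or times out, so "blocked"
    # here means "no records were returned".
    echo "[-] Zone transfer blocked from $ns"
  fi
done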
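# Verify consistency across all nameservers
echo "[*] Checking SOA serial consistency..."
dig example.com NS +short | while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  # The serial is the third field of the +short SOA answer.
  serial=$(dig "@$ns" example.com SOA +short | awk '{print $3}')
  # Make a missing answer visible instead of printing an empty serial.
  echo "$ns: ${serial:-no answer}"
done

# Find discrepancies
echo "[*] Checking NS record consistency..."
# Compare only the record data, sorted. Full dig output embeds the server
# address, query time and timestamp, so diffing it reports a difference on
# every run even when both servers return the same NS set.
dig @ns1.example.com example.com NS +short | sort > ns1.txt
dig @ns2.example.com example.com NS +short | sort > ns2.txt
diff ns1.txt ns2.txt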
# Audit subdomains recursively
# The report is an inventory of the zone's names; keep it with the same care
# as the zone data itself.
dnswalk -r example.com > subdomain_audit.txt

# Extract subdomains with issues
# \| alternation in a basic regex is a GNU grep extension.
grep -i "error\|warning" subdomain_audit.txt

# List all discovered subdomains
# NOTE(review): assumes name lines start with a letter and carry the name in
# the first column; check against the real report layout.
grep "^[a-zA-Z]" subdomain_audit.txt | awk '{print $1}' | sort -u
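# Direct SOA query
# 8.8.8.8 is a public recursive resolver, so this shows the cached view that
# outside clients see, not necessarily what the authoritative servers hold.
dig example.com SOA @8.8.8.8

# Query authoritative nameserver directly
ns=$(dig example.com NS +short | head -1)
# An empty result would turn the argument into a bare "@"; stop with a clear
# message instead of sending a malformed query.
if [ -n "$ns" ]; then
  dig example.com SOA "@$ns"
else
  echo "No NS records returned for example.com" >&2
fi

# Check zone file directly
# (if you have server access)
sudo named-checkzone example.com /etc/bind/zones/db.example.com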
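# Test individual nameserver
nslookup example.com ns1.example.com

# Check nameserver connectivity
# Bound the probe count: without -c, ping on Linux runs until interrupted and
# blocks any script that includes it. A failed ping only shows that ICMP is
# filtered or the host is down; it says nothing about the DNS service.
ping -c 4 ns1.example.com

# Verify nameserver is running DNS
# This tests TCP port 53 only. Ordinary queries use UDP, which the dig command
# below exercises.
nc -zv ns1.example.com 53

# Query specific nameserver
dig @ns1.example.com example.com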
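# Verify zone transfer is intentionally restricted
# This is actually a security best practice

# Check ACL on authoritative nameserver
# (requires server access)
# NOTE(review): only finds allow-transfer within 10 lines of the zone
# statement in this one file; a global allow-transfer in the options block
# would not show up here.
sudo grep -A 10 "zone \"example.com\"" /etc/bind/named.conf.local | grep "allow-transfer"

# Document security posture
echo "Zone transfer restrictions:"
dig example.com NS +short | while IFS= read -r ns; do
  [ -n "$ns" ] || continue
  # dig commonly exits 0 even when the transfer is refused, so testing $? marks
  # every server as allowing transfers. Count returned records instead:
  # a refusal yields only ';' comment lines.
  record_count=$(dig "@$ns" example.com AXFR +time=5 +tries=1 2>/dev/null |
    grep -cv -e '^;' -e '^[[:space:]]*$')
  if [ "$record_count" -gt 0 ]; then
    echo "$ns: ALLOWS transfer"
  else
    # Also printed when the server did not answer at all.
    echo "$ns: BLOCKS transfer (secure)"
  fi
done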
# Use dig for query validation
# Many servers answer ANY with a minimal response (RFC 8482), so an empty or
# partial answer here does not mean the other record types are absent; query
# each type explicitly when the result matters.
dig example.com ANY

# Use nslookup for interactive queries
nslookup example.com

# Use named-checkzone for zone file validation
# Checks the zone file on disk, so it needs access to the server's files.
sudo named-checkzone example.com /etc/bind/zones/db.example.com
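#!/bin/bash
# Automated daily audit
# The interpreter line must be the first line of the file to take effect.
DATE=$(date +%Y-%m-%d)
DOMAIN="example.com"
REPORT="dns_audit_$DATE.txt"

# NOTE(review): -v is not in the dnswalk(1) man page's option list; verify.
dnswalk -v "$DOMAIN" > "$REPORT"

# Email if errors found
# Alert on an empty report too: that means the audit itself did not run, which
# would otherwise pass silently. The match is case-insensitive so capitalised
# severities are not missed.
# NOTE(review): dnswalk appears to end its output with a summary line that
# contains the words "warnings" and "errors" even when the counts are zero,
# which would make this fire every day; confirm, and match the per-message
# severity prefixes instead if so.
if [ ! -s "$REPORT" ] || grep -qiE 'error|warning' "$REPORT"; then
  mail -s "DNS Audit Alert: $DOMAIN" admin@example.com < "$REPORT"
fi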
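#!/bin/bash
# Monitor DNS consistency
# Compares the current dnswalk output with the previous run and mails an alert
# when they differ.
DOMAIN="example.com"

# Keep the baseline in a private per-user directory. Fixed file names in the
# world-writable /tmp can be pre-created, replaced or symlinked by any local
# user, which would let them redirect these writes or plant a baseline that
# hides a change.
STATE_DIR="${HOME:?HOME must be set}/.dnswalk-monitor"
umask 077
mkdir -p -- "$STATE_DIR" || exit 1
CURRENT="$STATE_DIR/dns_current.txt"
PREVIOUS="$STATE_DIR/dns_previous.txt"

dnswalk "$DOMAIN" > "$CURRENT"

# An empty result means the audit failed to run; do not let it overwrite a
# good baseline.
if [ ! -s "$CURRENT" ]; then
  echo "dnswalk produced no output for $DOMAIN; baseline left unchanged" >&2
  exit 1
fi

# On the first run there is nothing to compare against, so only seed the
# baseline instead of sending an alert.
if [ -f "$PREVIOUS" ] && ! diff -- "$PREVIOUS" "$CURRENT" > /dev/null; then
  echo "DNS configuration changed!" | mail -s "DNS Alert" admin@example.com
fi

cp -- "$CURRENT" "$PREVIOUS"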
  • Run dnswalk regularly to catch configuration drift
  • Test zone transfers as part of security audits
  • Validate DNS across all authoritative nameservers
  • Document expected DNS configuration and compare to audit results
  • Restrict zone transfers to trusted secondaries only
  • Keep SOA serial numbers synchronized across nameservers
  • Monitor for unexpected CNAME, MX, or NS record changes
  • Validate reverse DNS (PTR) records for mail and services