Using DNSLint

If our little lecture has convinced you of the importance of maintaining correct delegation, you’ll be eager to learn how to use DNSLint to ensure that you don’t join the ranks of the miscreants.

The first step is to use nslookup to look up your zone’s NS records on a name server for your parent zone and make sure they’re correct. Here’s how we’d check the fx.movie.edu NS records on one of the movie.edu name servers:

C:\> nslookup -type=ns fx.movie.edu. terminator.movie.edu.

If everything’s okay with the NS records, we’ll simply see the NS records in the output:

fx.movie.edu     nameserver  = bladerunner.fx.movie.edu
fx.movie.edu     nameserver  = outland.fx.movie.edu

This tells us that all the NS records delegating fx.movie.edu from terminator.movie.edu are correct.

Next, we’ll use DNSLint’s “lame delegation check” mode to query each of the name servers in the NS records for the fx.movie.edu zone’s SOA record. This will also check whether the response was authoritative:

C:\> dnslint /d fx.movie.edu. /s 192.249.253.2

We have to use the /s switch to tell DNSLint the IP address of one of the authoritative name servers for fx.movie.edu. Normally it would get this from whois, but whois doesn’t contain information about zones as far down in the namespace as fx.movie.edu.

This command produces HTML output that tells us the status of the fx.movie.edu name servers. Here’s the text equivalent of that output (which you get by using DNSLint’s /t switch):

DNSLint Report System Date: Sat Jul 05 ...
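The check described above (ask each listed name server for the zone's SOA record and see whether the reply is authoritative) comes down to reading the AA bit in the DNS response header. The following is an added illustration in Python, not DNSLint's own code and not from the book; the non-recursive query, the server names other than bladerunner.fx.movie.edu, and all reply bytes are constructed assumptions so that it runs offline.

```python
import struct

SOA, IN = 6, 1  # QTYPE SOA, QCLASS IN (RFC 1035)

def build_soa_query(zone: str, txid: int) -> bytes:
    """SOA query with RD=0 (assumption): the server must answer from its own data."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", SOA, IN)

def classify(response: bytes, txid: int) -> str:
    """Classify one server's reply to the SOA query, using the header only."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:       # wrong ID, or QR bit clear
        return "malformed"
    rcode = flags & 0x000F
    if rcode != 0:                              # e.g. 2 = SERVFAIL, 5 = REFUSED
        return f"error rcode={rcode}"
    if flags & 0x0400 and ancount > 0:          # AA bit set and an answer present
        return "authoritative"
    return "lame"                               # replied, but not with authority

def fake_reply(query: bytes, flags: int, ancount: int) -> bytes:
    """Constructed reply: echoes the query's ID and question; RR bodies omitted."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]

def check_delegation(zone: str, servers: dict, txid: int = 0x1234) -> dict:
    """servers maps a name to a callable that returns that server's reply bytes."""
    query = build_soa_query(zone, txid)
    return {name: classify(reply(query), txid) for name, reply in servers.items()}

# Constructed sample replies (hypothetical servers except the first name).
SAMPLE = {
    "bladerunner.fx.movie.edu": lambda q: fake_reply(q, 0x8400, 1),  # QR+AA, 1 answer
    "lame.example":             lambda q: fake_reply(q, 0x8000, 0),  # QR only, no answer
    "refused.example":          lambda q: fake_reply(q, 0x8005, 0),  # QR, rcode REFUSED
}

if __name__ == "__main__":
    for name, verdict in check_delegation("fx.movie.edu.", SAMPLE).items():
        print(f"{name:26} {verdict}")
```
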
