public-l AT list.denic.de

Subject: Public DENIC mailinglist

List archive

Re: [DENICpublic-l] Denic-NS-Check

From: Florian Weimer <Weimer AT CERT.Uni-Stuttgart.DE>
To: "Frank Loewe" <loewe AT dotcom-service.net>
Cc: <public-l AT denic.de>
Subject: Re: [DENICpublic-l] Denic-NS-Check
Date: Tue, 17 Jun 2003 15:31:15 +0200

"Frank Loewe" <loewe AT dotcom-service.net> writes:

> Mal eine Frage an die Programmier Profis.
>
> Wie lässt sich der DENIC NS Check auf einer normalen Unix/Linux Kiste
> per Script machen?

Meines Wissens sind die Prüfungen, die das DENIC durchführt, nicht
sauber dokumentiert.

Wenn die Regeln bekannt sind, kann man sicherlich auch Sachen wie den
SOA-Check nachimplementieren. Subnetz-Regeln und AS-Verteilung kann
man z.B. so prüfen (vorsicht, das BGP-DNS-Gateway ist nur temporär
in Betrieb!).

# NS distribution check.
# WARNING: ASN lookup will work only temporarily.

use warnings;
use strict;

use Socket;
use Net::DNS;

my $res = Net::DNS::Resolver->new;

my $Domain = shift;
my $query = $res->search($Domain, 'NS') or die;

my $AS_Suffix = ".ipv4.asn.beta.bgpdns.enyo.de";
sub asn ($) {
my $IP = shift;
my @Components = split /\./, $IP;

my ($name,$aliases,$addrtype,$length,@addrs)
= gethostbyname (join (".", reverse (@Components)) . $AS_Suffix);
return 0 unless defined $addrtype;
return 0 unless $addrtype == AF_INET;
return 0 unless $length == 4;
return 0 unless @addrs > 0;

my ($d1, $d2, $ASN) = unpack "CCn", $addrs[0];
return $ASN;
}

my %Servers = ();
my %Subnets24 = ();
my %ASNs = ();

foreach my $ns ($query->answer) {
my $dname = $ns->nsdname;
unless (exists $Servers{$dname}) {
$Servers{$dname} = {};
}
$query = $res->search($dname, 'A') or die;
foreach my $a ($query->answer) {
my $addr = $a->address;
my $asn = asn ($addr);
$Servers{$dname}->{$addr} = $asn;
$ASNs{$asn}++;
$addr =~ s/\.[^.]+$//;
$Subnets24{$addr}++;
}
}

print "Domain: $Domain\n";
foreach my $ns (sort keys %Servers) {
print "Server: $ns\n";
foreach my $addr (sort keys %{$Servers{$ns}}) {
my $asn = $Servers{$ns}->{$addr};
if ($asn) {
print " Address: $addr (AS $asn)\n";
$ASNs{$asn}++;
} else {
print " Address: $addr\n";
}
}
}

print "\nDifferent /24s: " . (+ keys %Subnets24) . "\n";
print "Different ASNs: " . (+ keys %ASNs) . "\n";

--
Florian Weimer Weimer AT CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898

[DENICpublic-l] Denic-NS-Check, Frank Loewe, 06/17/2003
- Re: [DENICpublic-l] Denic-NS-Check, Klaus Engelbertz, 06/17/2003
  - AW: [DENICpublic-l] Denic-NS-Check, Frank Loewe, 06/17/2003
    - Re: AW: [DENICpublic-l] Denic-NS-Check, Alexander Hadj Hassine, 06/17/2003
      - Re: AW: [DENICpublic-l] Denic-NS-Check, orange8++, 06/17/2003
        
        Re: [DENICpublic-l] Denic-NS-Check, Dennis Koegel, 06/17/2003
        
        Re: AW: [DENICpublic-l] Denic-NS-Check, Klaus Engelbertz, 06/17/2003
        
        Re: AW: [DENICpublic-l] Denic-NS-Check, Andreas Mallek, 06/17/2003
      - Message not available
        
        Re: AW: [DENICpublic-l] Denic-NS-Check, Andreas Mallek, 06/17/2003
    - Re: AW: [DENICpublic-l] Denic-NS-Check, Michael Tabel, 06/17/2003
- Re: [DENICpublic-l] Denic-NS-Check, Florian Weimer, 06/17/2003
- Re: [DENICpublic-l] Denic-NS-Check, Andreas Mallek, 06/17/2003
  - AW: [DENICpublic-l] Denic-NS-Check, Frank Loewe, 06/17/2003
    - Re: AW: [DENICpublic-l] Denic-NS-Check, Andreas Mallek, 06/17/2003
      - AW: AW: [DENICpublic-l] Denic-NS-Check, Frank Loewe, 06/17/2003
        
        Re: AW: AW: [DENICpublic-l] Denic-NS-Check, Andreas Mallek, 06/17/2003
        
        AW: AW: AW: [DENICpublic-l] Denic-NS-Check, Frank Loewe, 06/17/2003
        
        Re: AW: AW: AW: [DENICpublic-l] Denic-NS-Check, Andreas Mallek, 06/17/2003
        Re: AW: AW: AW: [DENICpublic-l] Denic-NS-Check, Gert Doering, Netmaster, 06/17/2003
    - Re: AW: [DENICpublic-l] Denic-NS-Check, Torsten Mueller, 06/18/2003