Appendix C: Tools and Resources
DNS tools organized by use case: query/debugging, monitoring, security, email auth, portfolio management, IaC, and reference books.
Organized by what you're trying to do.
Query and Debugging
dig
The standard. Available on every Linux/macOS system, available for Windows. If you learn one DNS tool, learn this one.
# Basic A record lookup
dig example.com A
# Query a specific nameserver
dig @8.8.8.8 example.com A
# Trace the full resolution chain
dig +trace example.com A
# Short output only
dig +short example.com A
# Request all record types (many servers return only a minimal answer to ANY, per RFC 8482)
dig example.com ANY
# Reverse DNS lookup
dig -x 203.0.113.10
# Check MX records
dig example.com MX
# Check SOA
dig example.com SOA
drill
Part of the ldns toolkit. Cleaner output than dig for some use cases, better at DNSSEC-specific queries. drill -D follows the DNSSEC chain.
# DNSSEC-aware lookup
drill -D example.com A
doggo
Modern, human-readable output. Color-coded, table format, JSON output option. Doesn't replace dig for scripting but is much easier to read interactively.
doggo example.com A @8.8.8.8
dnsviz.net
Visual DNSSEC analysis. Submit a domain and get a graphical representation of the DNSSEC chain of trust, highlighting any validation errors. Essential when debugging DNSSEC issues — the visualization shows you exactly where the chain breaks.
MXToolbox SuperTool
Web-based multi-check tool. Useful for quick one-off checks: MX lookup, blacklist check, DMARC check, SPF record validation. The email-specific checks are particularly good.
https://mxtoolbox.com/SuperTool.aspx
IntoDNS
Quick zone health check: authoritative server configuration, SOA consistency, glue records, common configuration errors. Good starting point for auditing a zone you're not familiar with.
https://intodns.com
dnschecker.org
Checks DNS propagation from multiple geographic locations simultaneously. Useful for confirming that a record change has propagated globally (or hasn't).
https://dnschecker.org
whois / rdap.org
whois domain.com on the command line for registrar and registration data. https://rdap.org for structured RDAP queries (the modern WHOIS replacement).
Monitoring
Prometheus + dns_exporter or coredns metrics
For infrastructure-level DNS monitoring. CoreDNS exposes Prometheus metrics natively. dns_exporter is a standalone exporter for querying authoritative nameservers and recording response times and RCODE rates.
- CoreDNS metrics: available at :9153/metrics by default
- dns_exporter: https://github.com/miekg/dns (includes example configurations)
Datadog DNS monitoring
Commercial monitoring with DNS synthetic tests, resolution latency from multiple global locations, and NXDOMAIN/SERVFAIL alerting. The DNS integration is part of the broader Datadog infrastructure monitoring.
https://www.datadoghq.com
Catchpoint
Enterprise-grade synthetic monitoring with DNS-specific tests. Particularly good for multi-location resolution timing and authoritative server health checks. Used by large enterprises and DNS providers themselves.
https://www.catchpoint.com
Uptime Robot
Lower-cost monitoring option. Supports DNS monitoring (checks that a record resolves to a specific value). Not as granular as Catchpoint but sufficient for small-to-mid setups.
https://uptimerobot.com
crt.sh
Certificate Transparency log search. Find all TLS certificates issued for a domain or subdomain pattern. Useful for detecting unexpected certificate issuance (which can signal subdomain takeover or phishing infrastructure).
https://crt.sh
Security and Threat Intelligence
DNSDB (Farsight Security)
The deepest passive DNS database. Historical records of what IP addresses a hostname resolved to, what hostnames were at an IP address, and when. Subscription-based. Essential for threat intelligence and incident investigation.
https://www.dnsdb.info
SecurityTrails
DNS history, WHOIS history, subdomain enumeration, IP-to-domain mapping. Good API. Used by security researchers and brand protection teams.
https://securitytrails.com
PassiveTotal (RiskIQ / Microsoft Defender)
Passive DNS plus associated threat intelligence: malware associations, hosting history, WHOIS data, certificate data. Integrated into Microsoft Defender for threat hunting.
https://community.riskiq.com
Shodan
Indexes internet-facing services by IP address. Useful for mapping your own attack surface: find all services associated with your IP ranges, check what's exposed. Also used to locate infrastructure associated with known threat actors.
https://www.shodan.io
DomainTools Iris
Domain intelligence platform with passive DNS, WHOIS, threat scoring, and brand monitoring. Used heavily in brand protection and UDRP case preparation.
https://www.domaintools.com/products/iris
VirusTotal
Submit a domain to check its reputation across multiple threat intelligence databases. Useful for quick triage of newly discovered suspicious domains.
https://www.virustotal.com
Email Authentication
MXToolbox Email Health
DMARC check, SPF record validation, DKIM lookup, blacklist check — all in one place. The go-to for quick email auth diagnosis.
https://mxtoolbox.com/emailhealth
dmarcian
DMARC reporting and analysis platform. Takes the aggregate XML reports (which are unreadable raw) and turns them into usable dashboards showing SPF/DKIM alignment rates, sending source inventory, and policy enforcement progress.
https://dmarcian.com
Postmark DMARC Digest
Free DMARC aggregate report processing. Send your rua= reports here and get a weekly digest. Good starting point before committing to a paid DMARC platform.
https://dmarc.postmarkapp.com
mail-tester.com
Send a test email to the address provided, get a score and detailed report: SPF, DKIM, DMARC, content analysis, blacklist check. The fastest way to verify your email auth setup is working end-to-end.
https://www.mail-tester.com
DKIM Core
Generate DKIM key pairs and validate DKIM DNS records. Also validates your DKIM selector configuration.
https://dkimcore.org
SPF Record Testing Tool (Kitterman)
Validates SPF records, checks for syntax errors, verifies that your sending IPs are covered.
http://www.kitterman.com/spf/validate.html
Domain Portfolio Management
DomainTools
WHOIS history, domain expiry monitoring, registrant research, domain valuation. The go-to platform for domain portfolio intelligence.
https://www.domaintools.com
Whoxy API
WHOIS data API with historical records and reverse WHOIS (find all domains registered by an email address or registrant name). Affordable compared to enterprise alternatives.
https://www.whoxy.com
Sedo
Domain marketplace for buying and selling domains. Also offers brokerage for outbound acquisition (if you need to buy a domain that's currently registered to someone else).
https://sedo.com
Afternic (GoDaddy)
Domain marketplace, particularly strong for .com domains. Integrated with most major registrars for immediate transfer.
https://www.afternic.com
WIPO UDRP eFiling
WIPO is the most common UDRP provider. This is their online filing system for submitting UDRP complaints.
https://www.wipo.int/amc/en/domains/filing/
Infrastructure as Code and DNS Automation
Terraform AWS Route 53 Provider
Official Terraform provider for Route 53. Manages zones, records, health checks.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record
Terraform Cloudflare Provider
Official Terraform provider for Cloudflare DNS. Manages zones, records, page rules.
https://registry.terraform.io/providers/cloudflare/cloudflare/latest
OctoDNS
Manage DNS records as code, sync to multiple providers. Supports Route 53, Cloudflare, NS1, PowerDNS, and others. The right tool for multi-provider DNS from a single source of truth.
https://github.com/octodns/octodns
external-dns
Kubernetes operator that creates DNS records from Kubernetes Service and Ingress resources. Supports most major DNS providers.
https://github.com/kubernetes-sigs/external-dns
dnspython
Python DNS library. Useful for scripting DNS checks, zone validation, passive monitoring.
https://www.dnspython.org
octodns-validate
OctoDNS's validation mode — checks zone configurations for common errors before applying.
Built into OctoDNS: octodns-sync --dry-run
Reference Books
DNS and BIND — Cricket Liu and Paul Albitz (O'Reilly)
The definitive reference. Heavy, but if you want the complete picture of DNS operations and BIND administration, this is it.
DNS Security: Defending the Domain Name System — Allan Liska and Geoffrey Stowe (Syngress)
Focused on DNS from a security practitioner's perspective. Covers attack taxonomy, defensive architecture, monitoring, incident response. Practical rather than academic.
DNS Security Management — Michael Dooley and Timothy Rooney (Wiley / IEEE Press)
Enterprise DNS security management. Covers policy, process, and technical controls for organizations managing DNS at scale. More governance-oriented than technical, useful for security program design.
Managing Mission-Critical Domains and DNS — Mark E. Carson (Prentice Hall)
Operational focus: how to manage DNS for organizations where availability matters. Covers continuity planning, migration strategies, vendor management.
The Hidden Potential of DNS in Security — Jan Kopriva (SANS Reading Room)
A SANS paper rather than a book, but worth the read: how DNS telemetry can be used for security monitoring, threat hunting, and incident detection. Good framework for building DNS-aware security monitoring.
Cricket Liu's DNS & BIND Cookbook — Cricket Liu (O'Reilly)
Problem/solution format. Good companion to the main DNS and BIND reference for specific operational tasks.