All scripts
analysis
Advanced
~4 min

DNS Security Analyzer

DNS security audit: DNSSEC chain of trust validation, zone transfer attempt detection, DNS tunneling signature detection via query entropy analysis, recursive resolver abuse, and cache poisoning indicators.

cisco-ios
juniper
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in โ†’

Capabilities

  • DNS
  • DNSSEC
  • Tunneling
  • Zone transfer
  • Entropy
  • DNSSEC chain validate

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
Check DNSSEC
check_dnssec
booltrueโ€”

Hint 1 โ€” Name your vendors and OS versions

Mention the exact platforms you run (cisco-ios, juniper) so the generated analysis logic uses the right CLI/NETCONF syntax.

Hint 2 โ€” State your real thresholds

Provide concrete values for Check DNSSEC instead of the defaults โ€” they shape what counts as a fault.

Hint 3 โ€” Prioritize the checks you need

This tool can dNS and dNSSEC. Ask for the subset relevant to your incident to keep output focused.

Hint 4 โ€” Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.

Expected output

Reference terminal output the script should produce โ€” used as a stylistic and structural target.

terminal
[INFO] Resolved 250 A/AAAA records across 4 resolvers
[CRIT] resolver-2: DNSSEC validation DISABLED
[WARN] Open recursion detected on 10.0.0.53
[CRIT] NXDOMAIN flood: 1.4k/min from 10.20.5.0/24 โ€” possible DGA
[OK]   No cache poisoning indicators in 1h sample