turbot/net_insights

Control: DNS should not contain CNAME records if an NS (or any other) record is present

Description

A CNAME record is not allowed to coexist with any other data for the same name. Inexperienced administrators often add one anyway, as an apparently obvious way to let the domain name itself also act as a host. However, DNS servers like BIND will see the CNAME and refuse to add any other resource records for that name. Since no other records are allowed to coexist with a CNAME, the NS entries are ignored.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.dns_ns_dns_no_cname_with_other_record

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.dns_ns_dns_no_cname_with_other_record --share

Steampipe Tables

Params

Args  Name          Default                          Description        Variable
$1    domain_names  ["github.com","microsoft.com"]   DNS domain names.

SQL

with domain_list as (
  select
    distinct domain
  from
    net_dns_record
  where
    domain in (
      select
        jsonb_array_elements_text(to_jsonb($1 :: text [ ]))
    )
  order by
    domain
),
dns_record_count as (
  select
    domain,
    count(*)
  from
    net_dns_record
  where
    domain in (
      select
        domain
      from
        domain_list
    )
  group by
    domain
),
dns_cname_count as (
  select
    domain,
    count(*)
  from
    net_dns_record
  where
    domain in (
      select
        domain
      from
        domain_list
    )
    and type = 'CNAME'
  group by
    domain
),
count_stats as (
  select
    domain,
    (
      select
        count
      from
        dns_record_count
      where
        domain = domain_list.domain
    ) as all_record_count,
    (
      select
        count
      from
        dns_cname_count
      where
        domain = domain_list.domain
    ) as cname_record_count
  from
    domain_list
)
select
  domain as resource,
  case
    when all_record_count > 0
    and (
      cname_record_count is null
      or cname_record_count < 1
    ) then 'ok'
    when cname_record_count > 0
    and all_record_count = cname_record_count then 'ok'
    else 'alarm'
  end as status,
  case
    when all_record_count > 0
    and (
      cname_record_count is null
      or cname_record_count < 1
    ) then domain || ' has no CNAME record.'
    when cname_record_count > 0
    and all_record_count = cname_record_count then domain || ' has CNAME records: [' || (
      select
        string_agg(target, ', ')
      from
        net_dns_record
      where
        domain = count_stats.domain
    ) || '].'
    else domain || ' has CNAME record along with NS (or any other) records.'
  end as reason
from
  count_stats;
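The three outcomes the query above produces (no CNAME at all, only CNAME records, or a CNAME mixed with NS or other records) are easy to misread from the nested CASE expressions, so here is the same classification written out in plain Python. This is an added example, not part of the net_insights mod or of Steampipe; the record rows are constructed to look like the `domain`, `type` and `target` columns of `net_dns_record`, and the domain names and targets in them are made up.

```python
from collections import defaultdict

# Constructed sample rows shaped like net_dns_record's (domain, type, target)
# columns. All names and targets are invented for this illustration.
SAMPLE_RECORDS = [
    ("example-a.test", "A", "192.0.2.10"),
    ("example-a.test", "NS", "ns1.example-a.test."),
    ("example-b.test", "CNAME", "host.provider.test."),
    ("example-c.test", "CNAME", "host.provider.test."),
    ("example-c.test", "NS", "ns1.example-c.test."),
]


def evaluate(records, domain_names=None):
    """Classify each domain exactly as the control's SQL does.

    Returns {domain: (status, reason)} where status is 'ok' or 'alarm':
      - no CNAME record for the name            -> ok
      - every record for the name is a CNAME    -> ok
      - a CNAME alongside NS (or any other) data -> alarm
    domain_names mirrors the $1 parameter: when given, only those domains are
    evaluated; when None, every domain seen in the records is.
    """
    by_domain = defaultdict(list)
    for domain, rtype, target in records:
        if domain_names is None or domain in domain_names:
            by_domain[domain].append((rtype, target))

    results = {}
    for domain in sorted(by_domain):  # same ordering as "order by domain"
        rrs = by_domain[domain]
        all_record_count = len(rrs)          # dns_record_count
        cname_record_count = sum(1 for rtype, _ in rrs if rtype == "CNAME")  # dns_cname_count

        if cname_record_count == 0:
            results[domain] = ("ok", f"{domain} has no CNAME record.")
        elif cname_record_count == all_record_count:
            # Only CNAMEs exist, so every target listed is a CNAME target,
            # matching the query's unfiltered string_agg(target, ', ').
            targets = ", ".join(target for _, target in rrs)
            results[domain] = ("ok", f"{domain} has CNAME records: [{targets}].")
        else:
            results[domain] = (
                "alarm",
                f"{domain} has CNAME record along with NS (or any other) records.",
            )
    return results


if __name__ == "__main__":
    for domain, (status, reason) in evaluate(SAMPLE_RECORDS).items():
        print(f"{status:5}  {reason}")
```

Running it against the sample rows reports `example-a.test` and `example-b.test` as ok and `example-c.test` as alarm, which is the case the control exists to catch: a CNAME at a name that also carries NS data means resolvers following RFC 1034 will act on the CNAME and the NS delegation is effectively lost.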