turbot/net_insights

Control: Name servers should be on different subnets

Description

Having more than one name server in the same class C (/24) subnet is not recommended, as this increases the likelihood that a single failure disables all of your name servers.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.dns_ns_on_different_subnets

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.dns_ns_on_different_subnets --share

Steampipe Tables

Params

Args | Name | Default | Description | Variable
$1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. |

SQL

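-- Reports, per domain, whether the IPv4 addresses of its name servers all fall
-- into a single /24 ("class C") network.
--   $1: text[] of domain names, passed as a bound parameter.
-- Scope notes for anyone relying on the result:
--   * only A records are compared, so name-server IPv6 (AAAA) addresses are ignored;
--   * 'alarm' is raised only when exactly one distinct /24 prefix is found, so two
--     servers sharing a /24 next to a third one elsewhere still report 'ok';
--   * a domain whose NS targets return no A record produces no row at all.
with domain_ns_records as (
  -- NS records of every requested domain.
  select
    domain,
    type,
    target
  from
    net_dns_record
  where
    domain in (
      select
        jsonb_array_elements_text(to_jsonb($1::text[]))
    )
    and type = 'NS'
),
ns_ips as (
  -- All DNS records of the name-server hosts, with the address rendered as text.
  select
    domain,
    type,
    host(ip) as ip_text
  from
    net_dns_record
  where
    domain in (
      select
        target
      from
        domain_ns_records
    )
),
check_ips as (
  -- One row per (domain, /24 prefix).
  -- The prefix is built from the first three octets. Dropping the array elements
  -- equal to the last octet (array_remove) would also drop earlier octets holding
  -- the same value, e.g. 10.1.2.10 -> '1.2', which can hide a shared subnet or
  -- report one that does not exist.
  select distinct
    split_part(ns_ips.ip_text, '.', 1)
      || '.' || split_part(ns_ips.ip_text, '.', 2)
      || '.' || split_part(ns_ips.ip_text, '.', 3) as subnet_prefix,
    domain_ns_records.domain as domain
  from
    domain_ns_records
    inner join ns_ips on domain_ns_records.target = ns_ips.domain
  where
    ns_ips.type = 'A'
)
select
  domain as resource,
  -- count(*) is the number of distinct /24 prefixes seen for the domain.
  case
    when count(*) = 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when count(*) = 1 then domain || ' name servers are on the same subnet.'
    else domain || ' name servers are on different subnets.'
  end as reason
from
  check_ips
group by
  domain;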