Testing DNS Infrastructure with Goss

In a previous post we got an introduction to "Easy Infrastructure Testing with Goss".

In this post we’ll take a look at a feature I added to Goss a while ago: enhanced DNS validation.

Why test DNS?

DNS is easy, right? It’s just an IP address and a hostname. Easy... We’ve definitely never had an outage or failed to deploy a new application because of a DNS issue, have we?

DNS can get a little more interesting when you start chaining CNAMEs, have multiple A records for a hostname and introduce DNSSEC.

PTR records, which reverse-map an IP address to a hostname, are used by various server applications for security checks (Java with SSL, for example), so a missing or wrong PTR can break connections that look nothing like a DNS problem.

If DNS configuration is out of your control and another team forgets to add the records you need, or adds them incorrectly, you can waste hours troubleshooting why applications won’t start, clients fail to connect, and SSL connections error out.

Testing your DNS with Goss will solve ALL these problems! Okay, that’s a lie. It can, however, help you identify that DNS records aren’t quite right, have changed, or are missing before you deploy a new application.

What can Goss test?

Goss can validate that a record of any of the following types is resolvable, and can validate the values of the records returned.

  • A

  • AAAA

  • CAA

  • CNAME

  • MX

  • NS

  • PTR

  • SRV

  • TXT

How do I test DNS records?

Here are a few examples of DNS record tests:

  # Each test is keyed as RECORDTYPE:name; expected values go under addrs,
  # timeout is in milliseconds, and server picks the resolver to query.
  dns:
    # Validate a CAA record
    CAA:dnstest.io:
      resolvable: true
      addrs:
      - 0 issue comodoca.com
      - 0 issue letsencrypt.org
      - 0 issuewild ;
      timeout: 2000
      server: 8.8.8.8

    # Validate a CNAME record
    CNAME:github.io:
      resolvable: true
      addrs:
      - "github.map.fastly.net."
      server: 8.8.8.8

    # Validate a PTR record
    PTR:8.8.8.8:
      resolvable: true
      addrs:
      - "google-public-dns-a.google.com."
      server: 8.8.8.8

    # Validate an SRV record
    SRV:_https._tcp.dnstest.io:
      resolvable: true
      addrs:
      - "0 5 443 a.dnstest.io."
      - "10 10 443 b.dnstest.io."
      server: 8.8.8.8

    # Validate an MX record
    MX:dnstest.io:
      resolvable: true
      addrs:
      - 10 b.dnstest.io.
      - 5 a.dnstest.io.
      timeout: 2000
      server: 8.8.8.8

The above examples query Google’s public DNS server (8.8.8.8) for results via the server parameter. Remove the server parameter and Goss uses the system DNS resolver instead. Bear in mind that a public resolver and the resolver your application actually uses can hold different answers (split-horizon zones, stale caches), so test against the one the application will talk to.

Combining this with Goss’s nagios output format and turning it into a monitoring check can help you catch future issues, or alert when a record that something still depends on has been "cleaned up".
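As an added example, not taken from the original post or from the Goss project, here is a complete goss file that turns the pattern above into a monitoring check: it pins the forward and reverse records an application depends on, checks a service record, verifies mail exchangers, and asserts that a decommissioned hostname no longer resolves. Every hostname and address in it is constructed for illustration, and the resolver address 192.0.2.53 and the 2000 ms timeout are assumptions to replace with your own.

```yaml
# dns.yaml: added example, not from the original post. All names and
# addresses are constructed; replace them with your own records.
# Every entry is pinned to the resolver the application uses (assumed
# here to be 192.0.2.53) so the check sees the same answers it will.
dns:
  # Forward lookup: the application's load-balanced name must resolve
  # to these A records. A missing or unexpected address fails the test.
  A:app.example.test:
    resolvable: true
    addrs:
    - 192.0.2.10
    - 192.0.2.11
    timeout: 2000
    server: 192.0.2.53

  # Reverse lookup: the PTR for a backend address must point back at a
  # name that the application's TLS hostname checks expect.
  PTR:192.0.2.10:
    resolvable: true
    addrs:
    - "app-01.example.test."
    timeout: 2000
    server: 192.0.2.53

  # Service discovery: priority, weight, port and target of each SRV
  # record, in the same "prio weight port target." form Goss prints.
  SRV:_ldap._tcp.example.test:
    resolvable: true
    addrs:
    - "0 100 389 ldap-01.example.test."
    - "0 100 389 ldap-02.example.test."
    timeout: 2000
    server: 192.0.2.53

  # Mail routing: preference and exchanger for each MX record.
  MX:example.test:
    resolvable: true
    addrs:
    - 10 mail-01.example.test.
    - 20 mail-02.example.test.
    timeout: 2000
    server: 192.0.2.53

  # Negative check: a decommissioned name must NOT resolve any more. If
  # the cleanup never happened, or someone re-adds it, this check fails.
  A:legacy-app.example.test:
    resolvable: false
    timeout: 2000
    server: 192.0.2.53
```

Run it with `goss -g dns.yaml validate -f nagios`: Goss prints a single OK/CRITICAL summary line in the Nagios plugin style and exits non-zero when any check fails, which is all a Nagios-compatible monitoring system needs. When the same file is run as a pre-deployment gate rather than a recurring check, `goss -g dns.yaml validate --retry-timeout 30s --sleep 1s` gives freshly published records a short window to propagate before the check is declared failed.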
