DNS Expert: A 'Spellcheck' for DNS
January 25, 1999

By Randy Grimshaw

The Domain Name System (DNS) has emerged as a mission-critical service for enterprise networks. Anything Internet-, intranet-, extranet-, e-mail- or client/server-related relies upon fast, efficient and accurate name-to-IP address resolution.

In that respect, Men & Mice's DNS Expert is like a DNS spellchecker for network administrators. You may never need it, but it's a great comfort to know that it's there if you do. It reads your DNS tables and ensures that you have dotted the i's, crossed the t's and used cnames (canonical name references) in the proper context. DNS Expert is unique in its ability to check your entire DNS environment for configuration problems.

With version 1.2, Men & Mice offers a Lite version that is intended for small businesses with a single domain, as well as a standard package suitable for ISPs and larger corporations that manage multiple domains. Its features support private intranet DNS services that reside behind firewalls and don't participate with public-domain registry services. Version 1.3, which should be available by the time you read this, will include tests for DNS servers that are insecure and vulnerable to spoofing attacks, as well as tests for mail servers that are open to mail-relay abuse.

I tested a full shipping version of DNS Expert 1.2 in our Real-World Labs® at Syracuse University. I was impressed by the product's ability to identify a variety of configuration errors. With 24 domains, more than 20,000 host names and five different zones delegated to departmental administrators, our network was hiding a tremendous number of problems. Given only our domain names to test, DNS Expert examined our configuration and identified the errors. I was pleased with the product's high level of functionality and ease of use. Even with testing complete, I continue to use DNS Expert periodically as a security precaution.

What's in a Name?

Version 1.2 offers 63 verification tests. The most common problem it encountered during our tests was the improper use of cname references. (Like telephone directory entries, cnames simply refer to a common name for a defined object.) In one instance, DNS Expert identified cnames in a chain: Name "A" referred to name "B," which, in turn, referred to name "C" and finally resolved to an IP address. This configuration had been serving a Web site for several months without any problems, so I questioned the severity of this diagnosis until DNS Expert revealed that the chaining of cnames resulted in e-mail delivery problems. Some mailers will not chase cname chains. Other cname problems that DNS Expert identified during testing included references to name definitions that had been retired and deleted. Such names cannot be resolved.

DNS Expert detected another problem involving errors in reverse lookup or pointer (PTR) records. Many administrators of e-mail, Usenet, Web and other Internet services require client machines to have correctly configured reverse lookup records; if they do not, access is denied. If the reverse pointer is missing, or if it incorrectly specifies a cname, users will not receive their requests and help-desk operators may find it difficult to identify the problem.
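The cname and PTR checks described above can be sketched as a small zone linter. This is an added example, not DNS Expert's own tests or code: the record tuples, finding labels and the example.edu names and 192.0.2.x addresses are constructed for illustration.

```python
# Added illustration: a minimal zone "spellcheck" over constructed records.
# Each record is (owner, type, value); every name and address here is made up.
RECORDS = [
    ("www.example.edu.", "CNAME", "web.example.edu."),
    ("web.example.edu.", "CNAME", "host1.example.edu."),    # chain: www -> web -> host1
    ("host1.example.edu.", "A", "192.0.2.10"),
    ("old.example.edu.", "CNAME", "retired.example.edu."),  # target was deleted
    ("host2.example.edu.", "A", "192.0.2.20"),              # no PTR record at all
    ("10.2.0.192.in-addr.arpa.", "PTR", "www.example.edu."),  # PTR names a cname
]

def reverse_name(ipv4):
    """Build the in-addr.arpa owner name for an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def follow(name, cnames):
    """Walk cname references from name; return (cnames visited, final name)."""
    seen = []
    while name in cnames and name not in seen:
        seen.append(name)
        name = cnames[name]
    return seen, name

def lint(records):
    cnames = {o: v for o, t, v in records if t == "CNAME"}
    owners = {o for o, _, _ in records}
    ptrs = {o: v for o, t, v in records if t == "PTR"}
    findings = []
    for owner in cnames:
        seen, final = follow(owner, cnames)
        if final in cnames:            # walk came back to a name already visited
            findings.append(("cname-loop", owner))
        elif len(seen) > 1:            # more than one hop before reaching data
            findings.append(("cname-chain", owner))
        elif final not in owners:      # points at a name with no records
            findings.append(("cname-dangling", owner))
    for owner, rtype, value in records:
        if rtype != "A":
            continue
        ptr = ptrs.get(reverse_name(value))
        if ptr is None:
            findings.append(("ptr-missing", owner))
        elif ptr in cnames:            # reverse record should name the host itself
            findings.append(("ptr-to-cname", owner))
    return findings

if __name__ == "__main__":
    for kind, owner in lint(RECORDS):
        print(f"{kind:15} {owner}")
```
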

In the lab, DNS Expert also reported that some of our network's domains were improperly configured on the mirror (or slave) servers. As a result, the domains were exposed to a single point of failure and subtle delays in name resolutions. The source of such DNS configuration errors is administrative oversights in a complex and ever-changing environment. In a small shop, DNS administration may constitute a tiny percentage of a technician's total responsibilities. On a large campus or in a widely distributed corporation, some zones are delegated to departmental administrators because they can respond more quickly to local changes. As a manager of the main DNS servers, I appreciated having a tool that could double-check my work, along with the contributions of other administrators.

DNS Expert offers three initial scan configurations--minimal, normal and thorough. You also can create your own scan setup. I devised a scan profile in which I elected to turn off a warning for domains containing a single mail-server record and activate a warning about records outside my domain. During testing with this scan, DNS Expert suggested potential sources of the errors. However, I would have preferred if DNS Expert had generated a report that resembled a compiler message with source server information and line numbers. This addition would have helped identify the single errors that resulted in multiple warnings.

During testing, I took advantage of DNS Expert's "explain" hyperlink, which launched my default Web browser and brought me directly to the vendor's tech-support Web site. Men & Mice could improve the functionality of this feature by including more explanations of configuration errors.

Randy Grimshaw is a network engineer for Syracuse University. Send your comments on this article to him at rgrimsha@syr.edu.
