Control: Name servers should be on different subnets
Description
Placing more than one name server in the same class C (/24) subnet is not recommended, as it increases the likelihood that a single failure disables all of your name servers.
Usage
Run the control in your terminal:
powerpipe control run net_insights.control.dns_ns_on_different_subnets
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run net_insights.control.dns_ns_on_different_subnets --share
Steampipe Tables
Params
Args | Name | Default | Description | Variable |
---|---|---|---|---|
$1 | domain_names | | DNS domain names. | |
SQL
with domain_ns_records as (
  -- NS records for each requested domain
  select
    domain,
    type,
    target
  from
    net_dns_record
  where
    domain in (select jsonb_array_elements_text(to_jsonb($1::text[])))
    and type = 'NS'
),
ns_ips as (
  -- Records for each name server host, with the address as text
  select
    domain,
    type,
    host(ip) as ip_text
  from
    net_dns_record
  where
    domain in (select target from domain_ns_records)
),
check_ips as (
  -- Distinct (address without its last octet, domain) pairs.
  -- array_remove drops every octet equal to the fourth one,
  -- so 10.0.5.10 yields '0.5' rather than '10.0.5'.
  select distinct
    array_to_string(array_remove(string_to_array(ns_ips.ip_text, '.'), split_part(ns_ips.ip_text, '.', 4)), '.'),
    domain_ns_records.domain as domain
  from
    domain_ns_records
    inner join ns_ips on domain_ns_records.target = ns_ips.domain
  where
    ns_ips.type = 'A'
)
-- One distinct prefix per domain means every name server shares a subnet
select
  domain as resource,
  case
    when count(*) = 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when count(*) = 1 then domain || ' name servers are on the same subnet.'
    else domain || ' name servers are on different subnets.'
  end as reason
from
  check_ips
group by
  domain;
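The same check can be tried in plain PostgreSQL without the Steampipe plugin. The query below is an added example, not part of the Net Insights mod: it compares /24 networks with the built-in inet functions instead of string splitting, and also lists the subnets it found. The `ns_addresses` data, its column names and the host names are constructed for illustration.

```sql
-- Added example: constructed sample data standing in for resolved
-- NS targets and their A records (hypothetical names and addresses).
with ns_addresses (domain, name_server, ip) as (
  values
    -- Both name servers in one /24
    ('example.com', 'ns1.example.com', '192.0.2.10'::inet),
    ('example.com', 'ns2.example.com', '192.0.2.53'::inet),
    -- Name servers in two different /24 networks
    ('example.net', 'ns1.example.net', '198.51.100.7'::inet),
    ('example.net', 'ns2.example.net', '203.0.113.7'::inet),
    -- Edge case: the last octet repeats the first octet
    ('example.org', 'ns1.example.org', '10.0.5.10'::inet),
    ('example.org', 'ns2.example.org', '10.0.5.11'::inet)
),
subnets as (
  -- Reduce every IPv4 address to its /24 network
  select distinct
    domain,
    network(set_masklen(ip, 24)) as subnet
  from
    ns_addresses
  where
    family(ip) = 4
)
select
  domain as resource,
  case
    when count(*) = 1 then 'alarm'
    else 'ok'
  end as status,
  string_agg(subnet::text, ', ' order by subnet) as subnets
from
  subnets
group by
  domain
order by
  domain;
```

With this sample data, `example.com` and `example.org` each resolve to a single /24 and are reported as `alarm`, while `example.net` spans two networks and is reported as `ok`.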