SysTeam.pl / Products / dnsops

dnsops

read-only dns ops cli

DNS inspection, without the browser

Propagation across resolvers, recursive vs authoritative compare, mail-DNS sanity (SPF/DKIM/DMARC), delegation diagnostics, domain expiry via RDAP. Single Go binary. CI-friendly exit codes.

View on GitHub → Quick install

What it looks like

Propagation check across public resolvers. Exit non-zero if any resolver disagrees or errors.

dnsops propagate 
$ dnsops propagate app.example.com A --until-ok

resolver         answer                       status
─────────────────────────────────────────────────────────
1.1.1.1:53       203.0.113.10                 ok
8.8.8.8:53       203.0.113.10                 ok
9.9.9.9:53       (stale: 198.51.100.5)       stale
208.67.222.222   203.0.113.10                 ok

[2026-05-24 15:51:02] 3/4 resolvers in sync · majority = 203.0.113.10
[2026-05-24 15:51:07] retry in 5s...
[2026-05-24 15:51:12] 4/4 resolvers in sync · majority = 203.0.113.10 

$ echo $?
0

Commands

Eight focused subcommands. Read-only by design — no mutations, no provider APIs, no zone edits. Just inspection.

lookup

A / AAAA / CNAME / MX / NS / TXT records. Optional custom resolver. Plain text or --json. --ttl switches to raw DNS answers with TTLs.

soa

SOA record details for a zone: TTL, primary NS, mailbox, serial, refresh, retry, expire, min TTL.

delegations

Parent NS vs child apex NS consistency, SOA serial alignment across child nameservers. Non-zero exit if delegation is broken or NS disagree.

propagate

Checks built-in or custom public resolver set. Reports stale caches. --watch --interval --until-ok for waiting on DNS changes to propagate.

compare

Baseline resolver vs others, or recursive vs authoritative. Discovers the zone NS set and derives the expected answer from authoritative, not blindly from the first response.

mail

MX presence, SPF presence + DNS-lookup count heuristic, DMARC presence, optional DKIM selector check via repeated --selector. Hard failures exit non-zero, warnings stay informational.

verify

YAML-driven expected-state check. Exact values: match, substring contains:, resolver-based verification, text or JSON output. CI-friendly. --watch --until-ok for deployment pipelines.

expiry

Domain expiration via RDAP — registrar, nameservers, status, days remaining. Severity classification (ok / warn / critical) via --warn-days / --critical-days.

watch mode

propagate, compare, verify support --watch with --interval (default 5s) and --until-ok. With --json --watch you get newline-delimited JSON — one object per iteration.

Quick install

Linux, macOS, BSD. Single Go binary, no external services.

$ git clone https://github.com/pawel-cygal/dnsops.git
$ cd dnsops
$ go build -o dnsops .
$ sudo install -m 0755 dnsops /usr/local/bin/dnsops

$ dnsops lookup example.com MX     # quick check
$ dnsops verify -f dns.yaml         # state check from YAML
$ dnsops --help                     # list all commands

Full README on GitHub →

Drop dnsops into your CI

Exit codes mean what they say. Add dnsops verify -f dns.yaml to your post-deploy job and stop guessing whether the change propagated.

github.com → Report an issue