Verify DNS Records


We found these commands for looking up and verifying DNS SRV records useful when setting up Kerberos clients.


This should return the entries for the first domain listed in the /etc/resolv.conf file:

nslookup -type=any _ldap._tcp

Find all "ldap" srv records for a domain:

nslookup -type=any _ldap._tcp.<yourdomain>.net

or, using dig:

dig srv _ldap._tcp.<yourdomain>.net

dig srv _kerberos._tcp.<yourdomain>.net

dig srv _kerberos._tcp.<yourdomain>.net

dig ANY _ldap._tcp.<yourdomain>.net +noall +short |awk '{print $NF}' |sort

Verify DNS Records with JNDI [1]#

This is a JNDI example: a class that authenticates a user in Microsoft Active Directory using LDAP.

It first locates the domain controllers (a DNS lookup of the SRV records for _ldap._tcp.domain), parses out the server part and then tries to authenticate the user against a domain controller.

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import com.sun.jndi.ldap.LdapCtxFactory;
/**
 * LDAPAuthentication class for authenticating Microsoft Active Directory users.
 * If the user or password is wrong, you'll get an AuthenticationException. If
 * none of the domain controllers are reachable, you'll get a
 * CommunicationException. If a domain controller cannot be located (via DNS)
 * you'll get a NamingException.
 * @author Roger Armstrong, Armstrong Consulting GmbH
 */
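public class LDAPAuthentication {

    /**
     * Characters accepted in an SRV target host name. A DNS answer is untrusted input
     * (resolver spoofing, poisoned cache); restricting the host to plain DNS-name characters
     * keeps a crafted record from injecting path, query or credential parts into the LDAP URL.
     */
    private static final Pattern SAFE_HOST = Pattern.compile("[A-Za-z0-9.-]+");

    /**
     * Authenticates {@code user} against one of the domain controllers of {@code domain} by
     * performing an LDAP simple bind as {@code user@domain}.
     *
     * <p>Domain controllers are located via the {@code _ldap._tcp.<domain>} SRV records and are
     * tried in the order the resolver returned them. The first controller that answers decides
     * the outcome: a successful bind returns normally, rejected credentials raise
     * {@link AuthenticationException}, and only controllers that cannot be reached are skipped.
     *
     * <p>The bind uses the plain {@code ldap://} scheme, so the password travels in clear text
     * unless the directory enforces signing/sealing; in production prefer {@code ldaps://} or
     * StartTLS with certificate validation.
     *
     * @param user     the account name (the part before {@code @} of the user principal name)
     * @param password the user's password; an empty password is rejected up front, because an
     *                 LDAP bind with a name and empty credentials is an <em>unauthenticated</em>
     *                 bind which a directory may accept, and that must never count as a login
     * @param domain   the DNS name of the Active Directory domain
     * @throws AuthenticationException if the credentials are rejected, or the password is empty
     * @throws CommunicationException  if none of the located domain controllers is reachable
     * @throws NamingException         if no domain controller can be located via DNS, or
     *                                 {@code user}/{@code domain} is missing
     */
    public static void authenticateUser(String user, String password, String domain)
            throws AuthenticationException, NamingException {
        if (user == null || user.isEmpty() || domain == null || domain.isEmpty()) {
            throw new NamingException("user and domain must both be non-empty");
        }
        if (password == null || password.isEmpty()) {
            // Fail closed: with empty credentials JNDI performs an unauthenticated bind, which
            // succeeds against many directories although nothing has been proven.
            throw new AuthenticationException("Empty password is not accepted for user " + user);
        }
        List<String> ldapServers = findLDAPServersInWindowsDomain(domain);
        if (ldapServers.isEmpty()) {
            throw new NamingException("Can't locate an LDAP server (try nslookup type=SRV _ldap._tcp." + domain + ")");
        }
        String principalName = user + "@" + domain;
        CommunicationException lastFailure = null;
        for (String ldapUrl : ldapServers) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principalName);
            env.put(Context.SECURITY_CREDENTIALS, password);
            DirContext ctx = null;
            try {
                // The bind itself is the authentication result; the context is not used further,
                // so it is closed right away instead of being leaked.
                ctx = new InitialDirContext(env);
                return;
            } catch (CommunicationException e) {
                // This domain controller is unreachable; remember the failure and try the next one.
                // Any other NamingException (including AuthenticationException) propagates as is.
                lastFailure = e;
            } finally {
                if (ctx != null) {
                    ctx.close();
                }
            }
        }
        // Every located domain controller was unreachable; surface the last failure so the caller
        // can tell "no reachable server" from "wrong credentials".
        if (lastFailure == null) {
            throw new CommunicationException("No domain controller of " + domain + " could be reached");
        }
        throw lastFailure;
    }

    /**
     * Locates the domain controllers of {@code domain} through the {@code _ldap._tcp.<domain>}
     * DNS SRV records, which is how Windows domain controllers register themselves.
     *
     * @param domain the DNS name of the domain
     * @return LDAP URLs ({@code ldap://host:port}) of the advertised domain controllers, in the
     *         order the resolver returned them; empty when the name carries no SRV records
     * @throws NamingException if the DNS lookup fails (for example the name does not exist)
     * @throws IllegalArgumentException if a returned SRV record is malformed or names a host
     *         with characters outside a plain DNS name
     */
    private static List<String> findLDAPServersInWindowsDomain(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:");
        List<String> servers = new ArrayList<String>();
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" });
            Attribute srv = attributes.get("SRV");
            if (srv == null) {
                // The name resolved but has no SRV records: report "none found" rather than NPE,
                // so the caller's empty-list check is actually reachable.
                return servers;
            }
            for (int i = 0; i < srv.size(); i++) {
                servers.add(ldapUrlFromSrvRecord(srv.get(i).toString()));
            }
        } finally {
            ctx.close();
        }
        return servers;
    }

    /**
     * Converts one SRV record value as returned by the JNDI DNS provider
     * ({@code "priority weight port target"}, e.g. {@code "0 100 389 dc1.company.com."}) into an
     * {@code ldap://target:port} URL. A trailing dot on the target (absolute DNS name) is dropped
     * and the advertised port is honoured instead of assuming 389. Priority and weight are not
     * used for ordering.
     *
     * @param srvRecord the space-separated record value
     * @return the LDAP URL of the advertised server
     * @throws IllegalArgumentException if the record has fewer than four fields, the port is not
     *         a number, or the target contains characters outside a plain DNS name
     */
    static String ldapUrlFromSrvRecord(String srvRecord) {
        String[] fields = srvRecord.trim().split("\\s+");
        if (fields.length < 4) {
            throw new IllegalArgumentException("Malformed SRV record: " + srvRecord);
        }
        int port;
        try {
            port = Integer.parseInt(fields[2]);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Malformed SRV port in record: " + srvRecord, e);
        }
        String host = fields[3];
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);
        }
        if (host.isEmpty() || !SAFE_HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("Unacceptable SRV target host in record: " + srvRecord);
        }
        return "ldap://" + host + ":" + port;
    }
}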

More Information#

There might be more information for this subject on one of the following: