FOSS tools for infrastructure testing
updated on 2025-04-04: added SPFToolbox
Running even a single server connected to the internet can be a challenge these days. There are many technologies involved - some are arcane (DNS), some are constantly evolving (TLS), and some look simple but are amazingly hard to get right (DNSSEC). And then, there are some which are all of the above, such as “a mail server” 1…
These technologies are the foundation of the internet, so you cannot be ignorant of them. But it is also unreasonable to expect everyone to know everything about them 2. Hence, every now and then, it makes sense to turn to some tools to help you out.
If this sounds familiar to you, you have probably heard of the big names: the (formerly) Qualys SSL Analyzer, the ubiquitous MXToolbox, or maybe services like Hardenize. These services do provide value, and they are free-as-in-beer to use. I am not linking to them, but I would also never condemn their usage. However, I do want to draw some attention to existing open source alternatives.
Zonemaster
For all things DNS, turn to Zonemaster! It’s a long-running, but still quite active project. You can live-query the main instance at zonemaster.net. And they have amazing documentation where all their test cases are specified (example), so it is easy to understand how any warnings or errors you get for your zone came about.
testssl.sh
The testssl.sh project is probably the most sophisticated alternative to the venerable SSL Analyzer. It tests the security of any TLS endpoint (including STARTTLS). There is also a homepage, but no web interface for a quick test. However, testssl.sh is included in various distributions, so it’s easy to give it a spin.
SSLyze
Another alternative for testing TLS endpoints is SSLyze. It doesn’t seem to be packaged for many distros, but you can use either pip or Docker to try it out. The test suite is pretty comprehensive, and it’s always good to have choices (or run multiple tools).
Internet.nl
At first, I thought internet.nl was some weird ISP’s homepage. But it is, in fact, an initiative sponsored by the Dutch government. And it is open source! It looks a bit too complicated to run for one-off tests, and I find their scoring a bit too opinionated, but it is certainly useful to run the tests on their homepage for your domain and study the results. You probably won’t be solving your site’s RPKI issues anytime soon, but the more you know…
MECSA
This one is a bit curious. The European Commission offers this portal to test the security of your email provider (i.e. your mail server, if you run one). They get one thing exactly right: for them to properly assess this, you must send them an email. They also did throw some code over the fence, but unfortunately not all of it. The open-sourced stand-alone tool is a bit awkward to get running, and the report is less useful without the actual test email. But I could not find much of an alternative in this space…
SPFToolbox
Well, I had the tab open the whole time, but somehow forgot this in the initial draft. SPFToolbox is also pretty neat, with a live-query instance available at spftoolbox.com. It does mostly DNS lookups, but also a bit more, with a slight focus on mail server setups.
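To show the kind of check a lookup-based tool like SPFToolbox performs, here is an added example (my own code, not SPFToolbox’s) that inspects an SPF TXT record offline: it counts the terms that cost a DNS lookup against the limit of ten from RFC 7208 §4.6.4 and flags a few common mistakes. The records are constructed, and only the top-level record is inspected; a real checker resolves every include: and redirect= target and adds their lookups to the total, which this offline version cannot do.

```python
"""Offline sanity check of a single SPF record (added example, constructed input)."""

# Terms that cost a DNS lookup under RFC 7208 §4.6.4; more than ten is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"                      # the default qualifier is Pass
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        if "=" in raw:                       # modifier, e.g. redirect=_spf.example.org
            name, arg = raw.split("=", 1)
        elif ":" in raw:                     # mechanism with a domain/address, e.g. include:x
            name, arg = raw.split(":", 1)
        elif "/" in raw:                     # bare mechanism with a CIDR length, e.g. a/24
            name, arg = raw.split("/", 1)
            arg = "/" + arg
        else:
            name, arg = raw, None
        terms.append((qualifier, name.lower(), arg))
    return terms


def check_spf(record):
    """Report the lookup count and the mistakes visible in this one record.

    Only this record is inspected: include: and redirect= targets would each
    need their own DNS query, and their lookups count towards the same limit.
    """
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    findings = []
    lookups = sum(name in LOOKUP_TERMS for name in names)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms in this record alone, limit is {MAX_LOOKUPS}")
    if "all" in names and names.index("all") != len(names) - 1:
        findings.append("terms after 'all' are never evaluated")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get Neutral, which is treated like None")
    for qualifier, name, _ in terms:
        if name == "all" and qualifier == "+":
            findings.append("'+all' passes every sender on the internet")
        if name == "ptr":
            findings.append("'ptr' should not be used (RFC 7208 §5.5): slow and unreliable")
    return {"lookups": lookups, "findings": findings}


# Constructed records on documentation domains; not taken from any real zone.
SAMPLE_RECORDS = {
    "tight": "v=spf1 mx include:_spf.example.net -all",
    "permissive": "v=spf1 a mx ptr +all",
    "too_many": "v=spf1 " + " ".join(f"include:spf{i}.example.org" for i in range(11)) + " ~all",
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        result = check_spf(record)
        print(f"{label}: {result['lookups']} lookups")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The lookup count is deliberately per record: a tidy top-level record with three include: terms can still blow the limit once those includes are resolved, which is exactly why the live tools query DNS instead of reading the string.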
DNSViz
Think twice before you do, but should you go down the road of DNSSEC, have a look at DNSViz. You can also run queries on the homepage. And always start with a toy domain. Trust me…
Final notes
When talking about tools like these (open source or otherwise), it is important to point out: do not blindly go about fixing warnings or errors. Always try to understand the underlying issue. You don’t need DNSSEC just so that internet.nl will give you a 100% score. It’s fine to offer some older ciphers on your TLS endpoint if you’re just serving your static personal website. But it is good to be aware of the “opinions” of these tools and their reasoning.
And, last but not least, I certainly may have missed some good tools. Do you know about any? Send me a link to my public inbox (archives), I’d love to hear about them!
1. Which is of course mostly due to the fact that in reality, running a mail server these days requires command of probably a dozen intertwined technologies: SMTP, IMAP, SPF, DKIM, DMARC, DNS, TLS, even HTTP, etc.
2. Here is a quick test: without looking it up, what is the meaning of each field in a DNS SOA record? After all these years, I am not sure how often I looked it up. But I always forget again after at most two days…