Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using? The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:
- changes to the zone's serial number
In addition, for zones with DNSSEC enabled:
- does the signature expire soon?
What else are you monitoring? What scripts / tools do you use to accomplish this?
------
Johannes 4473 Posts ISC Handler
Sep 26th 2013 8 years ago
Bro IDS works well for this.
James 35 Posts
Sep 26th 2013 8 years ago
Just to clarify: I am not looking to monitor recursive DNS servers and logs, but instead the status of zones and authoritative DNS servers I own.
Johannes 4473 Posts ISC Handler
Sep 26th 2013 8 years ago
We also use a bunch of nagios scripts/plugins to monitor our DNS environment.
SamuelRiesz 1 Posts
Sep 26th 2013 8 years ago
This is not for zones I own, but I do monitor my logs for zones with DNSSEC problems. Users will complain when they cannot reach these zones, so what we do is preemptively check the logs every 3 minutes and flush any zones with DNSSEC resolution problems. The idea here is to speed up cache expiration and cause the "good" info (once published by the zone's administrator) to be learned ASAP (within 3 minutes). We haven't had any user complaints since we implemented this flushing scheme, but there have only been a few zones that have had problems since that time. We'll see the next time CA.GOV or other "large" parent zone messes up again.
SamuelRiesz 42 Posts
Sep 26th 2013 8 years ago
Quote: - changes to the NS records (using the TLD's name servers, not mine)

I just use a bit of PHP with a cron, like such:

require_once 'Net/DNS.php';                     // PEAR Net_DNS package
$resolver = new Net_DNS_Resolver();
$resolver->debug = 1;                            // Turn on debugging output to show the query
$resolver->usevc = 1;                            // Force the use of TCP instead of UDP
$resolver->nameservers = array(                  // Set the IP addresses
    '192.5.6.30'                                 // of the nameservers (a TLD server, not my own)
);
$response = $resolver->query('sans.edu', 'NS');  // Ask the TLD server for the delegation NS set

http://pear.php.net/package/Net_DNS

From there you can just shoot yourself an email if anything changes.
Alex Stanford 136 Posts
Sep 26th 2013 8 years ago
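The checks the thread keeps coming back to (the original post's serial-number and DNSSEC-signature-expiry items, and the NS-set comparison Alex does against the TLD servers) as one added example, not code from any poster here. It runs over a constructed snapshot of a zone in zone-file presentation format; a real cron job would fill CURRENT_RRS from resolver queries instead of the literals, and the example.net/unexpected.test names and the baseline values are made up.

```python
# Added example (not code from any poster in this thread): runs the checks the
# thread discusses (serial change, NS-set change as seen at the parent/TLD
# servers, RRSIG expiring soon) over a constructed snapshot of a zone. A real
# cron job would fill CURRENT_RRS from a resolver query instead of literals.
from datetime import datetime, timedelta, timezone

BASELINE = {  # constructed: what the previous run recorded
    "serial": 2013092501,
    "parent_ns": {"ns1.example.net.", "ns2.example.net."},
}

# Constructed current answers in zone-file presentation format, one RR per line.
CURRENT_RRS = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2013092601 7200 900 1209600 3600
example.net. 172800 IN NS ns1.example.net.
example.net. 172800 IN NS ns1.unexpected.test.
example.net. 3600 IN RRSIG SOA 8 2 3600 20131001120000 20130924120000 12345 example.net. c2lnbmF0dXJl
"""

def parse_rrs(text):
    """Split 'owner TTL class type rdata...' lines into (type, rdata fields)."""
    return [(f[3], f[4:]) for f in (ln.split() for ln in text.splitlines()) if len(f) >= 5]

def parse_ts(s):
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_zone(rrs, baseline, now_ts, warn_days=7):
    """Return alert strings; an empty list means nothing changed or expires soon."""
    now, alerts = parse_ts(now_ts), []
    serial = int(next(f[2] for t, f in rrs if t == "SOA"))  # SOA rdata: mname rname serial ...
    if serial != baseline["serial"]:
        alerts.append(f"serial changed {baseline['serial']} -> {serial}")
    ns_now = {f[0] for t, f in rrs if t == "NS"}
    if ns_now != baseline["parent_ns"]:
        alerts.append(f"NS set changed: added={sorted(ns_now - baseline['parent_ns'])} "
                      f"removed={sorted(baseline['parent_ns'] - ns_now)}")
    for t, f in rrs:  # RRSIG rdata: type alg labels origttl expiration inception keytag ...
        if t == "RRSIG" and parse_ts(f[4]) - now < timedelta(days=warn_days):
            alerts.append(f"RRSIG over {f[0]} expires {f[4]} (within {warn_days} days)")
    return alerts

if __name__ == "__main__":
    for alert in check_zone(parse_rrs(CURRENT_RRS), BASELINE, "20130926000000"):
        print("ALERT:", alert)
```

Persisting the serial and the NS set after each clean run turns this into the "email me if anything changes" loop Alex describes; the NS records should come from the parent's servers, since a hijacked delegation shows up there before it shows up on your own.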
Check out a tool from Edward Fjellskål called PassiveDNS.
passivedns - https://github.com/gamelinux/passivedns
Bob 2 Posts
Sep 26th 2013 8 years ago
Writing a directory full of tests in a mix of shell, Perl, and 'expect' script and launching them hourly with cron and run-parts, was about the best thing I ever did. I'm still running those 6 years later, and they still alert me to service outages or configuration problems (even if the exact cause of the test failure is something I never originally anticipated).
Steven C. 171 Posts
Sep 27th 2013 8 years ago
Good question... I'm very interested in changes to the NS records. I'm creating a service to monitor for exactly this kind of thing... see my info at www.antispoof.net and send me an e-mail if you'd like to give it a try
The kind of monitoring I'm setting up should be able to catch domain theft / redirections like the Twitter hack of '09, The Register/UPS etc of '11, and the New York Times & Twitter from last month. I think this will be the first DNS monitoring service of its kind
Jem 1 Posts
Sep 27th 2013 8 years ago
Try this, it does some basic DNS zone sanity checks and warns if your nameservers get out of sync:
http://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/check_zone-2Epl/details
Note: Add "# nagios: -epn" near the top of the script if you get errors.
Mike Donovan 4 Posts
Sep 27th 2013 8 years ago
Well... the answer is I don't adequately. I know if DNS is up or not, but not if there are unexpected changes to the zone or to the nameserver list.
I'm thinking of writing an application/tool to do this though, and imagining the proper architecture for the app. I envision writing a distributed monitoring tool that allows you to enter a list of zones in a database; you enable AXFR for the zone, so the application can check the entire zone upon initialization, and gather the list of records to monitor.

You would install a management node, and then a bunch of "collector" nodes in various geographical locations where the users are located; the management node would push configuration to the collector nodes, and occasionally the collector nodes would synchronize with each other, and push historical data back to the management server. The collector nodes can occasionally send a query for every record in the zone, and the master collector can request an updated AXFR; with all nodes keeping response statistics, including errors for each record, and a history of any "Reply content" changes or "Number of responses" changes.

So you can pick a domain and then have a mechanism to request the historical version as of any desired date, and also a way to visualize changes in zone data; with geolocation of the new ip, latency, response, etc. Then maybe look at integration with the authoritative DNS servers themselves, so a reporting tool can answer questions like "Number of queries", and "Geographic location of users querying records X, Y, and Z from DNS server B"
Mysid 146 Posts
Sep 27th 2013 8 years ago
I've been using DomainTools' Domain Monitor service for a while and I'm quite happy with it.
http://www.domaintools.com/monitor/domain-monitor/
jrivett 3 Posts
Sep 28th 2013 8 years ago