My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

How do you monitor DNS?

Published: 2013-09-26. Last Updated: 2013-09-26 12:51:40 UTC
by Johannes Ullrich (Version: 1)
11 comment(s)

Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using?

The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:

- changes to the zone's serial number
- changes to the NS records (using the TLD's name servers, not mine)
- changes to MX records
- monitoring a couple critical A and AAAA records (like 'www').

In addition, for zones with DNSSEC enabled:

- does the signature expire soon?
- do all key signing keys have valid DS records with the parent zone?
- did the DS record change?

What else are you monitoring?  What scripts / tools do you use to accomplish this?

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: DNS
11 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Bro IDS works well for this.
Just to clarify: I am not looking to monitor recursive DNS servers and logs, but instead the status of zones and authoritative DNS servers I own.
We also use a bunch of nagios scripts/plugins to monitore our DNS enviromment.
This is not for zones I own, but I do monitor my logs for zones with DNSSEC problems. Users will complain when they cannot reach these zones, so what we do is premptively check the logs every 3 minutes and flush any zones with DNSSEC resolution problems. The idea here is to speed up cache expiration and cause the "good" info (once published by the zone's administrator) to be learned ASAP (within 3 minutes). We haven't had any user complaints since we implimented this flushing scheme, but there have only been a few zones that have had problems since that time. We'll see the next time CA.GOV or other "large" parent zone messes up again.
[quote]- changes to the NS records (using the TLD's name servers, not mine)[/quote]
I just use a bit of PHP with a cron, like such:

$resolver = new Net_DNS_Resolver();
$resolver->debug = 1; // Turn on debugging output to show the query
$resolver->usevc = 1; // Force the use of TCP instead of UDP
$resolver->nameservers = array( // Set the IP addresses
'192.5.6.30' // of the nameservers
);
$response = $resolver->query('sans.edu');

http://pear.php.net/package/Net_DNS

From there you can just shoot yourself an email if anything changes.
Check out a tool from Edward Fjellskål called PassiveDNS.
passivedns - https://github.com/gamelinux/passivedns
Writing a directory full of tests in a mix of shell, Perl, and 'expect' script and launching them hourly with cron and run-parts, was about the best thing I ever did. I'm still running those 6 years later, and they still alert me to service outages or configuration problems (even if the exact cause of the test failure is something I never originally anticipated).
Good question... I'm very interested in changes to the NS records. I'm creating a service to monitor for exactly this kind of thing... see my info at www.antispoof.net and send me an e-mail if you'd like to give it a try

The kind of monitoring I'm setting up should be able to catch domain theft / redirections like the Twitter hack of '09, The Register/UPS etc of '11, and the New York Times & Twitter from last month.

I think this will be the first DNS monitoring service of its kind
Try this, it does some basic DNS zone sanity checks and warns if your nameservers get out of sync:

http://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/check_zone-2Epl/details

Note: Add "# nagios: -epn" near the top of the script if you get errors.
Well... the answer is I don't adequately. I know if DNS is up or not, but not if there are unexpected changes to the zone or to the nameserver list.

I'm thinking of writing an application/tool to do this though, and imagining the proper architecture for the app. I envision writing a distributed monitoring tool that allows you to enter a list of zones in a database; you enable AXFR for the zone, so the application can check the entire zone upon initialization, and gather the list of records to monitor.

You would install a management node, and then a bunch of "collector" nodes in various geographical locations where the users are located; the management node would push configuration to the collector nodes, and occassionally the collector nodes would synchronize with each other, and push historical data back to the management server.

The collector nodes can occassionally send a query for every record in the zone, and the master collector can request an updated AXFR; with all nodes keeping response statistics, including errors for each record, and a history of any "Reply content" changes or "Number of responses" changes.


So you can pick a domain and then have a mechanism to request the historical version as of any desired data, and also a way to visualize changes in zone data; with geolocation of the new ip, latency, response, etc.

Then maybe look at integration with the authoritative DNS servers themselves, so a reporting tool can answer questions like "Number of queries", and "Geographic location of users querying records X, Y, and Z from DNS server B"

Diary Archives