How do you monitor DNS?
Personally, my "DNS Monitoring System" is a bunch of cron'd shell scripts and Nagios, in desperate need of an overhaul. While working on a nicer (maybe soon to be published) script to do this, I was wondering: what is everybody else using?
The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:
- changes to the zone's serial number
- changes to the NS records (using the TLD's name servers, not mine)
- changes to MX records
- monitoring a couple of critical A and AAAA records (like 'www').
In addition, for zones with DNSSEC enabled:
- does the signature expire soon?
- do all key signing keys have valid DS records with the parent zone?
- did the DS record change?
What else are you monitoring? What scripts / tools do you use to accomplish this?
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
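As an added example (not code from the diary or its comments), here is the comparison step behind the checks listed above: a previous and a current snapshot of a zone are diffed for serial, NS, MX, A/AAAA and DS changes, and the RRSIG expiration timestamp is checked against a warning threshold. The snapshot dicts, hostnames and the NOW timestamp are constructed sample data; collecting the snapshots (e.g. NS from the TLD's name servers with dig) is left to the cron job that feeds this.

```python
"""Offline comparison of two DNS snapshots for the checks the diary lists:
serial, NS, MX, A/AAAA, DS, plus RRSIG expiry. Snapshots are plain dicts."""
from datetime import datetime, timezone

# Record sets whose change should raise an alert; "serial" is a scalar.
TRACKED = ("serial", "ns", "mx", "a", "aaaa", "ds")

def diff_snapshots(previous, current):
    """Return human-readable alerts for every tracked record set that changed."""
    alerts = []
    for key in TRACKED:
        old, new = previous.get(key), current.get(key)
        if key == "serial":
            if new != old:
                alerts.append(f"serial changed {old} -> {new}")
            continue
        old, new = set(old or ()), set(new or ())
        if old != new:
            alerts.append(f"{key.upper()} changed: added {sorted(new - old)}, "
                          f"removed {sorted(old - new)}")
    return alerts

def rrsig_days_left(expiration, now):
    """RRSIG expiration is YYYYMMDDHHMMSS in UTC; return days until it expires."""
    exp = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return (exp - now).total_seconds() / 86400

def check_zone(previous, current, now, warn_days=7):
    """All change alerts plus a warning when the zone's RRSIGs expire soon."""
    alerts = diff_snapshots(previous, current)
    if "rrsig_expiration" in current:
        left = rrsig_days_left(current["rrsig_expiration"], now)
        if left < warn_days:
            alerts.append(f"RRSIG expires in {left:.1f} days")
    return alerts

# Constructed sample snapshots (not real data): one NS record now points at an
# unknown host and the signature is about to expire.
NOW = datetime(2013, 9, 27, tzinfo=timezone.utc)
PREVIOUS = {"serial": 2013092601, "ns": ["ns1.example.net.", "ns2.example.net."],
            "mx": ["10 mail.example.net."], "a": ["192.0.2.10"],
            "ds": ["12345 8 2 <digest>"], "rrsig_expiration": "20131020000000"}
CURRENT = {"serial": 2013092701, "ns": ["ns1.example.net.", "ns1.unknown.example."],
           "mx": ["10 mail.example.net."], "a": ["192.0.2.10"],
           "ds": ["12345 8 2 <digest>"], "rrsig_expiration": "20131001000000"}

if __name__ == "__main__":
    for alert in check_zone(PREVIOUS, CURRENT, NOW):
        print(alert)
```

Persist the previous snapshot (a JSON file is enough) and mail the returned alerts; an empty list means nothing changed and the signatures are not close to expiry.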
Comments
Anonymous
Sep 26th 2013
1 decade ago
I just use a bit of PHP with a cron, like such:
<?php
require_once 'Net/DNS.php'; // PEAR Net_DNS package
$resolver = new Net_DNS_Resolver();
$resolver->debug = 1; // Turn on debugging output to show the query
$resolver->usevc = 1; // Force the use of TCP instead of UDP
$resolver->nameservers = array( // Set the IP addresses
    '192.5.6.30' // of the nameservers
);
$response = $resolver->query('sans.edu');
if (!$response) { // query() returns false on failure
    echo 'query failed: ' . $resolver->errorstring . "\n";
}
http://pear.php.net/package/Net_DNS
From there you can just shoot yourself an email if anything changes.
Anonymous
Sep 26th 2013
1 decade ago
passivedns - https://github.com/gamelinux/passivedns
Anonymous
Sep 27th 2013
1 decade ago
The kind of monitoring I'm setting up should be able to catch domain theft / redirections like the Twitter hack of '09, The Register/UPS etc of '11, and the New York Times & Twitter from last month.
I think this will be the first DNS monitoring service of its kind
Anonymous
Sep 27th 2013
1 decade ago
http://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS/check_zone-2Epl/details
Note: Add "# nagios: -epn" near the top of the script if you get errors.
Anonymous
Sep 27th 2013
1 decade ago
I'm thinking of writing an application/tool to do this though, and imagining the proper architecture for the app. I envision writing a distributed monitoring tool that allows you to enter a list of zones in a database; you enable AXFR for the zone, so the application can check the entire zone upon initialization, and gather the list of records to monitor.
You would install a management node, and then a bunch of "collector" nodes in various geographical locations where the users are located; the management node would push configuration to the collector nodes, and occasionally the collector nodes would synchronize with each other, and push historical data back to the management server.
The collector nodes can occasionally send a query for every record in the zone, and the master collector can request an updated AXFR; with all nodes keeping response statistics, including errors for each record, and a history of any "Reply content" changes or "Number of responses" changes.
So you can pick a domain and then have a mechanism to request the historical version as of any desired date, and also a way to visualize changes in zone data; with geolocation of the new IP, latency, response, etc.
Then maybe look at integration with the authoritative DNS servers themselves, so a reporting tool can answer questions like "Number of queries", and "Geographic location of users querying records X, Y, and Z from DNS server B"