(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog


Me, elsewhere

GitHub
parseword
Miscellaneous public code

snuze
A PHP API client for Reddit

Twitter
@parseword
I don't tweet much

XMPP chat
xmpp@shaunc.com
(Pidgin, Miranda, Swift, etc.)


Perfect is the enemy of good enough.

Enhancements to SmokePing's AnotherDNS probe

Posted December 23, 2018 by shaun

DNS Monitoring with SmokePing

SmokePing, the popular network latency monitor, comes bundled with several probes to measure the response time of DNS servers. Instead of just gauging the ping time, they perform DNS queries to test the performance of the service itself. I prefer Christoph Heine's AnotherDNS probe, since it's capable of high-resolution timing and offers a few extra options that the other DNS plugins don't have.

In addition to tracking latency, recently I've wanted to track the contents of DNS responses, too. A spate of high-profile DNS hijacks like the one that hit linux.org got me curious whether I could keep an eye on DNS integrity without installing any new monitoring tools. SmokePing seemed like the obvious choice because I already watch DNS from there, but none of the probes were capable of inspecting response records.

So, I've added some functionality to the AnotherDNS.pm SmokePing module. You can get the new version here if you don't want to wait for the next SmokePing release.

New Features in AnotherDNS

Two new target-level variables have been introduced to AnotherDNS:

  • expect_text

    Lets you check for any string in the DNS response(s). If a query returns multiple records as an RRset, expect_text will search all of them, and any match is treated as success. If the string isn't found in any response records, that probe is considered packet loss for alerting purposes.

  • require_nxdomain

    Reverses the normal behavior of the probe, treating an NXDOMAIN response as success instead of failure. Here, any successful answer to the query is interpreted as packet loss.

The primary use cases for expect_text are obvious: you can verify that an A or AAAA record has the correct IP address, an MX record points to the right mail server, and so on. Countless other scenarios are possible. Get alerted if your DS or DNSKEY records are tampered with, monitor your SPF record to make sure nobody removes a vendor's MTAs from it, whatever you can think of to check should be possible here.

require_nxdomain lets you test for situations where a negative response is the desired outcome. If you use a DNS sinkhole to block bad hosts on your network, you can create a SmokePing target against a blocked domain to ensure the sinkhole is working. To monitor whether your mail servers appear on DNSBLs, target those queries with require_nxdomain and you can trigger an alert if they do resolve, indicating your mail server is listed and needs attention.

Sample Targets

Here are a few sample SmokePing target specifications that make use of the new options.

Verify that example.org resolves to 93.184.216.34

This target uses expect_text to monitor the integrity of a domain's sole A record. If example.org starts resolving to an unexpected IP address, the dns-trouble alert (defined elsewhere) will be triggered.

+ target-example-org-a
menu = example.org A record
title = Check A record for example.org
probe = AnotherDNS
host = 8.8.8.8
lookup = example.org
expect_text = 93.184.216.34
alerts = dns-trouble

Verify that a domain's DS record exists and is correct

This target uses expect_text to make sure a domain's DS record is sane. Note the case-sensitivity here! While dig and other utilities display a DS record with uppercase letters, DS records arrive in Perl's Net::DNS::Packet->answer with lowercase letters.

+ target-mozilla-org-ds
menu = mozilla.org DS record
title = Check DS record for mozilla.org
probe = AnotherDNS
host = 8.8.8.8
lookup = mozilla.org
recordtype = DS
expect_text = e5052bdb5e59fb7d1ff4f56e99eca86d29eb9834
alerts = dns-trouble

Verify that a PTR points to the correct hostname

This target uses expect_text to ensure that 172.93.52.73 resolves back to mailman.shaunc.com.

+ target-172-93-52-73-ptr
menu = 172.93.52.73 PTR record
title = Check PTR record for 172.93.52.73
probe = AnotherDNS
host = 8.8.8.8
lookup = 73.52.93.172.in-addr.arpa
recordtype = PTR
require_noerror = 1
expect_text = mailman.shaunc.com
alerts = dns-trouble

Verify that a mail server isn't listed in Spamhaus Zen

This target uses require_nxdomain while querying the Spamhaus Zen DNSBL for a mail server's IP address, expecting to get an NXDOMAIN response. If at some point the hostname starts resolving, that means the mail server has been listed in the DNSBL, and the dnsbl alert (defined elsewhere) will be triggered.

+ target-1234-spamhaus-check
menu = 1.2.3.4 Spamhaus Check
title = Ensure 1.2.3.4 isn't listed in Spamhaus Zen DNSBL
probe = AnotherDNS
pings = 3
host = 192.168.53.53
lookup = 4.3.2.1.zen.spamhaus.org
require_nxdomain = 1
alerts = dnsbl

When using require_nxdomain to check DNSBLs, you should specify your own name server as the host, since many DNSBLs block queries from public resolvers. If you have a commercial subscription to a DNSBL, they might provide you with a special DNS server to use instead.

Other Examples Welcome

I hope you find the new AnotherDNS capabilities useful. If you come up with a creative way to take advantage of expect_text or require_nxdomain, I'm happy to post a sample target here.



Recent articles

📰 Compiling Doxygen on FreeBSD without LaTeX and Ghostscript

📰 Introducing Snuze, a PHP client for the Reddit API

📰 jisusaiche: Java's installer telemetry

📰 BIND client log error "query_find: query_getdb failed"

📰 Resolving "The lang/perl5.24 port has been deleted: Has expired" portmaster error

📰 Armagaddon2 interim fix for Firefox 56 and other old versions

📰 Strange DNS queries: qname "miep", qtype ANY

📰 Undeliverable as addressed: A massive broken spam campaign?

📰 Using WITH_META_MODE and ccache for FreeBSD build boosts

📰 Resolving subversion error E000013: Unable to create pristine install stream

📰 Enhancements to SmokePing's AnotherDNS probe

📰 Generating vanity DNSSEC key tags

📰 DDoS involving forged packets from 23.225.141.70

📰 Website integrity monitoring through version control

📰 SpamAssassin 3.4.2 fixes security problems, adds HashBL and phishing plugins

▲ Back to top | Permalink to this page