Enhancements to SmokePing's AnotherDNS probe
DNS Monitoring with SmokePing
SmokePing, the popular network latency monitor, comes bundled with several probes to measure the response time of DNS servers. Instead of just gauging the ping time, they perform DNS queries to test the performance of the service itself. I prefer Christoph Heine's AnotherDNS probe, since it's capable of high-resolution timing and offers a few extra options that the other DNS plugins don't have.
In addition to tracking latency, recently I've wanted to track the contents of DNS responses, too. A spate of high-profile DNS hijacks like the one that hit linux.org got me curious whether I could keep an eye on DNS integrity without installing any new monitoring tools. SmokePing seemed like the obvious choice because I already watch DNS from there, but none of the probes were capable of inspecting response records.
So, I've added some functionality to the AnotherDNS.pm SmokePing module. You can get the new version here if you don't want to wait for the next SmokePing release.
New Features in AnotherDNS
Two new target-level variables have been introduced to AnotherDNS:
Lets you check for any string in the DNS response(s). If a query returns multiple records as an RRset,
expect_textwill search all of them, and any match is treated as success. If the string isn't found in any response records, that probe is considered packet loss for alerting purposes.
Reverses the normal behavior of the probe, treating an
NXDOMAINresponse as success instead of failure. Here, any successful answer to the query is interpreted as packet loss.
The primary use cases for
expect_text are obvious: you can verify that an
AAAA record has the correct IP address, an
MX record points to the right mail server, and so on. Countless other scenarios are possible. Get alerted if your DS or DNSKEY records are tampered with, monitor your SPF record to make sure nobody removes a vendor's MTAs from it, whatever you can think of to check should be possible here.
require_nxdomain lets you test for situations where a negative response is the desired outcome. If you use a DNS sinkhole to block bad hosts on your network, you can create a SmokePing target against a blocked domain to ensure the sinkhole is working. To monitor whether your mail servers appear on DNSBLs, target those queries with
require_nxdomain and you can trigger an alert if they do resolve, indicating your mail server is listed and needs attention.
Here are a few sample SmokePing target specifications that make use of the new options.
Verify that example.org resolves to 184.108.40.206
This target uses
expect_text to monitor the integrity of a domain's sole
A record. If example.org starts resolving to an unexpected IP address, the
dns-trouble alert (defined elsewhere) will be triggered.
+ target-example-org-a menu = example.org A record title = Check A record for example.org probe = AnotherDNS host = 220.127.116.11 lookup = example.org expect_text = 18.104.22.168 alerts = dns-trouble
Verify that a domain's DS record exists and is correct
This target uses
expect_text to make sure a domain's DS record is sane. Note the case-sensitivity here! While
dig and other utilities display a DS record with uppercase letters, DS records arrive in Perl's Net::DNS::Packet->answer with lowercase letters.
+ target-mozilla-org-ds menu = mozilla.org DS record title = Check DS record for mozilla.org probe = AnotherDNS host = 22.214.171.124 lookup = mozilla.org recordtype = DS expect_text = e5052bdb5e59fb7d1ff4f56e99eca86d29eb9834 alerts = dns-trouble
Verify that a PTR points to the correct hostname
This target uses
expect_text to ensure that 126.96.36.199 resolves back to
+ target-172-93-52-73-ptr menu = 188.8.131.52 PTR record title = Check PTR record for 184.108.40.206 probe = AnotherDNS host = 220.127.116.11 lookup = 18.104.22.168.in-addr.arpa recordtype = PTR require_noerror = 1 expect_text = mailman.shaunc.com alerts = dns-trouble
Verify that a mail server isn't listed in Spamhaus Zen
This target uses
require_nxdomain while querying the Spamhaus Zen DNSBL for a mail server's IP address, expecting to get an
NXDOMAIN response. If at some point the hostname starts resolving, that means the mail server has been listed in the DNSBL, and the
dnsbl alert (defined elsewhere) will be triggered.
+ target-1234-spamhaus-check menu = 22.214.171.124 Spamhaus Check title = Ensure 126.96.36.199 isn't listed in Spamhaus Zen DNSBL probe = AnotherDNS pings = 3 host = 192.168.53.53 lookup = 188.8.131.52.zen.spamhaus.org require_nxdomain = 1 alerts = dnsbl
require_nxdomain to check DNSBLs, you should specify your own name server as the
host, since many DNSBLs block queries from public resolvers. If you have a commercial subscription to a DNSBL, they might provide you with a special DNS server to use instead.
Other Examples Welcome
I hope you find the new AnotherDNS capabilities useful. If you come up with a creative way to take advantage of
require_nxdomain, I'm happy to post a sample target here.