Use this plugin with Nagios to make sure that the authoritative nameservers for a given zone remain in sync. You can download the source. You must also have the Net::DNS module installed.
When called, the plugin issues a seed query for the SOA record of the zone to be tested. The seed query begins at a root DNS server and terminates when an authoritative answer is received.
Next, each authoritative nameserver is queried (again with type SOA). If new nameservers are discovered during this phase, they are queried as well. The script may also send queries of type NS if the SOA query results in zero answers.
After all nameservers have been queried, the responses are analyzed. The script reports the following problems:
Since Nagios normally monitors "hosts," instead of "zones," we have to trick it just a little bit. For example, create a pseudo-host with the name of the zone. Since you might already have a host named after the zone, prefix the host name with "zone":

    define host {
        name            dns-zone
        hostgroups      dns-zones
        ...
        register        0
    }

    define host {
        use             dns-zone
        host_name       zone.example.com
        alias           ZONE example.com
    }

Next, define a command and service:

    define command {
        command_name    check-zone-auth
        command_line    /usr/local/libexec/nagios-local/check_zone_auth -Z $HOSTADDRESS$
    }

    define service {
        name                    dns-auth-service
        servicegroups           dns-auth-group
        service_description     DNSAUTH
        check_command           check-zone-auth
        ...
        register                0
    }

    define service {
        use             dns-auth-service
        host_name       zone.example.com
    }

Note that the check_zone_auth script will receive zone.example.com as the -Z argument. The script strips off the leading "zone." from this argument.
As of revision 1.4, the plugin has the ability to check for a specific set of authoritative nameservers. This feature can be used to let you know if your domains are not automatically renewed, or are even hijacked.
To use this feature, add the -N option to the nagios command definition:

    define command {
        command_name    check-zone-auth
        command_line    /usr/local/libexec/nagios-local/check_zone_auth -Z $HOSTADDRESS$ -N $ARG1$
    }

And then specify a comma-separated list of nameservers in the service definition:

    define service {
        use             dns-auth-service
        host_name       zone.example.com
        check_command   check-zone-auth!a.iana-servers.net,b.iana-servers.net
    }

Note that the plugin compares its -N argument to the union of all NS RRs that it finds, both in the parent zone and in the zone itself.
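
The -N comparison described above, sketched in Python as an added example (not the plugin's own Perl code): the expected list is checked against the union of parent and in-zone NS names, so a delegation changed only at the parent still raises an alert. The function names, status text and sample NS lists are assumptions constructed for illustration.

```python
# Added illustration, not the plugin's source. All names and messages are assumptions.
OK, CRITICAL = 0, 2  # standard Nagios plugin exit codes


def zone_from_host(host_name):
    """Strip the leading "zone." carried by the pseudo-host name (-Z argument)."""
    prefix = "zone."
    if host_name.lower().startswith(prefix):
        return host_name[len(prefix):]
    return host_name


def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_expected_ns(host_name, expected_csv, parent_ns, child_ns):
    """Compare the -N list with the union of parent and in-zone NS names."""
    zone = zone_from_host(host_name)
    expected = {norm(n) for n in expected_csv.split(",") if n.strip()}
    found = {norm(n) for n in parent_ns} | {norm(n) for n in child_ns}
    missing = sorted(expected - found)
    unexpected = sorted(found - expected)
    if not missing and not unexpected:
        return OK, f"OK: {zone} nameservers match expected set"
    parts = []
    if missing:
        parts.append("missing " + ",".join(missing))
    if unexpected:
        parts.append("unexpected " + ",".join(unexpected))
    return CRITICAL, f"CRITICAL: {zone} " + "; ".join(parts)


# Constructed sample NS sets (not real query results).
EXPECTED = "a.iana-servers.net,b.iana-servers.net"
PARENT_NS = ["a.iana-servers.net.", "b.iana-servers.net."]
CHILD_NS = ["A.IANA-SERVERS.NET.", "b.iana-servers.net."]
# Delegation replaced at the parent while the old zone still lists its own NS.
CHANGED_PARENT_NS = ["ns1.parking.invalid.", "ns2.parking.invalid."]

if __name__ == "__main__":
    for parent in (PARENT_NS, CHANGED_PARENT_NS):
        status, message = check_expected_ns("zone.example.com", EXPECTED, parent, CHILD_NS)
        print(status, message)
```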
© 2020 The Measurement Factory.