
CHECK_ZONE_AUTH

Use this plugin with Nagios to make sure that the authoritative nameservers for a given zone remain in sync. You can download the source. You must also have the Net::DNS module installed.

Dependencies

  • Net::DNS::Resolver Perl module
  • List::Util Perl module

Operation

When called, the plugin issues a seed query for the SOA record of the zone to be tested. The seed query begins at a root DNS server and terminates when an authoritative answer is received.

Next, each authoritative nameserver is queried (again with type SOA). If new nameservers are discovered during this phase, they are queried as well. The script may also send queries of type NS if the SOA query results in zero answers.

After all nameservers have been queried, the responses are analyzed. The script reports the following problems:

  • No authoritative nameservers found.
  • Only one authoritative nameserver found.
  • Non-Success response code from any nameserver.
  • No SOA record in the answer section, indicating a lame delegation.
  • When a nameserver does not include all known authoritative nameservers in the response authority section.
  • When the AA bit is not set in a nameserver's response.
  • When all nameservers do not report the same SOA serial number.
  • When the found NS RRset does not match the expected NS RRset.
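The two phases above (walk the known nameservers, then analyze the collected replies) can be modelled offline. The following Python is an added example, not the plugin's Perl code: the network step is hidden behind a `query(nameserver, zone)` callable, each reply is summarised in a constructed `Response` record, and `analyze()` applies the checks listed above, including the -N style comparison of the expected NS RRset against the union of nameservers learned from the delegation and from the zone's own authority sections. The names `collect`, `analyze`, `Response`, the sample replies and the WARNING/CRITICAL severity mapping are this example's assumptions, not the plugin's.

```python
"""Offline model of check_zone_auth's collect-then-analyze logic.
Added example, not the plugin's own code; severities are an assumption."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

OK, WARNING, CRITICAL = 0, 1, 2            # Nagios plugin exit codes
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def canon(name: str) -> str:
    """Case-insensitive, no trailing dot: 'A.Example.COM.' -> 'a.example.com'."""
    return name.lower().rstrip(".")


@dataclass
class Response:
    """Summary of one nameserver's SOA reply (constructed, not parsed from the wire)."""
    rcode: str = "NOERROR"                   # DNS response code
    aa: bool = True                          # authoritative-answer bit
    serial: Optional[int] = None             # SOA serial from the answer section; None = no SOA
    authority_ns: Set[str] = field(default_factory=set)  # NS names in the authority section


def collect(zone: str, delegation_ns: List[str],
            query: Callable[[str, str], Response]) -> Dict[str, Response]:
    """Query each known nameserver for the zone's SOA. Nameservers that show up
    in an authority section but have not been queried yet join the work list
    (the 'new nameservers discovered' step in the Operation section)."""
    pending = [canon(n) for n in delegation_ns]
    responses: Dict[str, Response] = {}
    while pending:
        ns = pending.pop(0)
        if ns in responses:
            continue
        responses[ns] = query(ns, zone)
        for found in responses[ns].authority_ns:
            f = canon(found)
            if f not in responses and f not in pending:
                pending.append(f)
    return responses


def analyze(responses: Dict[str, Response],
            expected_ns: Optional[List[str]] = None) -> Tuple[int, List[str]]:
    """Apply the checks from the Operation section; returns (exit code, problems).
    Which check is WARNING and which CRITICAL is this example's choice."""
    problems: List[Tuple[int, str]] = []
    known = set(responses)                   # delegation NS plus everything discovered
    if not known:
        return CRITICAL, ["No authoritative nameservers found"]
    if len(known) == 1:
        problems.append((WARNING, "Only one authoritative nameserver found"))
    serials: Dict[str, int] = {}
    for ns, r in sorted(responses.items()):
        if r.rcode != "NOERROR":
            problems.append((CRITICAL, f"{ns}: response code {r.rcode}"))
            continue
        if r.serial is None:
            problems.append((CRITICAL, f"{ns}: no SOA in answer section (lame delegation)"))
        else:
            serials[ns] = r.serial
        if not r.aa:
            problems.append((WARNING, f"{ns}: AA bit not set"))
        missing = known - {canon(n) for n in r.authority_ns}
        if missing:
            problems.append((WARNING, f"{ns}: authority section lacks {','.join(sorted(missing))}"))
    if len(set(serials.values())) > 1:
        detail = " ".join(f"{ns}={s}" for ns, s in sorted(serials.items()))
        problems.append((CRITICAL, f"SOA serial mismatch: {detail}"))
    if expected_ns is not None:              # the -N comparison against the found union
        expected = {canon(n) for n in expected_ns}
        if expected != known:
            problems.append((CRITICAL, f"NS RRset {sorted(known)} != expected {sorted(expected)}"))
    code = max((sev for sev, _ in problems), default=OK)
    return code, [text for _, text in problems]


# Constructed sample: b lags one serial; ns3.example.net is only learned from
# the authority sections of a and b, and turns out to be lame.
ZONE = "example.com"
DELEGATION = ["a.iana-servers.net", "b.iana-servers.net"]
ALL_NS = {"a.iana-servers.net", "b.iana-servers.net", "ns3.example.net"}
SAMPLE = {
    "a.iana-servers.net": Response(serial=2024010101, authority_ns=ALL_NS),
    "b.iana-servers.net": Response(serial=2024010100, authority_ns=ALL_NS),
    "ns3.example.net": Response(serial=None, aa=False, authority_ns=set()),
}


def sample_query(ns: str, zone: str) -> Response:
    """Stand-in for the real SOA query; unknown servers answer SERVFAIL."""
    return SAMPLE.get(ns, Response(rcode="SERVFAIL"))


def run_sample(expected_ns: Optional[List[str]] = None) -> Tuple[int, List[str]]:
    return analyze(collect(ZONE, DELEGATION, sample_query), expected_ns)


if __name__ == "__main__":
    code, problems = run_sample(expected_ns=DELEGATION)
    print(f"DNSAUTH {STATUS[code]}")
    for p in problems:
        print(" ", p)
```

Against the sample data the run reports the lame server, its missing AA bit and empty authority section, the serial mismatch between a and b, and an NS RRset that differs from the -N list, and exits CRITICAL. Replacing `sample_query` with a function that sends a real non-recursive SOA query is the only change needed to turn this into a live check.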

How to use

Since Nagios normally monitors "hosts," not "zones," we have to trick it just a little bit. For example, create a pseudo-host with the name of the zone. Since you might already have a host named after the zone, prefix the host name with "zone":

define host {
        name                    dns-zone
        hostgroups              dns-zones
        ...
        register                0
        }

define host {
        use                     dns-zone
        host_name               zone.example.com
        alias                   ZONE example.com
        }

Next, define a command and service:

define command {
        command_name            check-zone-auth
        command_line            /usr/local/libexec/nagios-local/check_zone_auth -Z $HOSTADDRESS$
        }

define service {
        name                    dns-auth-service
        servicegroups           dns-auth-group
        service_description     DNSAUTH
        check_command           check-zone-auth
        ...
        register                0
        }

define service {
        use                     dns-auth-service
        host_name               zone.example.com
        }

Note that the check_zone_auth script will receive zone.example.com as the -Z argument. The script strips off the leading "zone." from this argument.

Checking for a Specific NS RRset

As of revision 1.4, the plugin can check for a specific set of authoritative nameservers. This feature can be used to let you know if a domain has not been automatically renewed, or has even been hijacked.

To use this feature, add the -N option to the nagios command definition:

define command {
        command_name            check-zone-auth
        command_line            /usr/local/libexec/nagios-local/check_zone_auth -Z $HOSTADDRESS$ -N $ARG1$
        }

And then specify a comma-separated list of nameservers in the service definition:

define service {
        use                     dns-auth-service
        host_name               zone.example.com
        check_command           check-zone-auth!a.iana-servers.net,b.iana-servers.net
        }

Note that the plugin compares its -N argument to the union of all NS RRs that it finds, both in the parent zone and in the zone itself.

© 2020 The Measurement Factory.