[Xymon] Modernizing the DNS check

Jeremy Laidman jlaidman at rebel-it.com.au
Wed Jan 8 02:23:32 CET 2014


Mark

I think more DNS checks would be really useful for many, but I would say
that we'd be going down a rabbit hole chasing this.  The DNS check you've
described is worthwhile to do for many people (myself included), but is
only one of many that would need to be done to ensure that a name or domain
is resolvable.

For example, should the same checks be done for the parent zone(s)?  Should
we check the WHOIS record for impending zone expiry date?  Should we check
that there is more than one NS record?  Should we check that the NS records
don't all point at the same IP addresses?  For high-turn-over (eg dynamic)
zones, the masters nameservers might only rarely be in sync, or the serial
number might typically change before all of the SOA lookups are complete.
 What about when there's a stealth master that can't be queried?  What
about reporting on slave zones that about to expire?  Or zones that have
semantic errors such as MX records that refer to CNAME records, or host
records with underlines, or CNAME loops?  Should we be checking DNSSEC
signatures?

Hmm, that list turned into a bit of a rant, really.  Sorry.  You can
probably guess that I think about this stuff a fair bit, and many of the
things I've listed are more "niche" than others, but still.

For each possible test anyone might want to include, each installation
might need different ways of reporting and/or recording statistics, and so
it would get complex very quickly.  Do you report a yellow if only 3 out of
4 NS servers are the same, or 7 out of 8?  If the master's serial number
somehow goes backwards, do we show seven servers wrong or is it just one?
 You you assume that the master is in the MNAME field, or would you get the
option to override?  If two hosts have different values for the MNAME
field, which do you consider master?  Or in this case, do you care?
 Also, which host(s) would you report the status against?  Do you have to
create hosts.cfg entries for every NS, and then maintain that list by
tracking the NS records as they change over time, or do you create a
pseudo-host for each domain, or some of each?

Woops, there I go ranting again, sorry.

Such complexity and flexibility is better implemented outside Xymon, to
keep the Xymon core as simple and easy to maintain as possible.

I think the best solution is for each installer to decide on their own
detection and reporting requirements, and create or install ext scripts to
suit each case.  In fact, I'm surprised there aren't any on Xymonton.org
already, but that's where I would expect such code to reside.  I'd be happy
to assist with developing ext scripts for enhanced DNS checks.

J



On 8 January 2014 07:56, Mark Felder <feld at feld.me> wrote:

> Is there any hope of enhancing the DNS check capability beyond its
> current functionality? It would be nice if it could detect all the NS
> for the domain you're monitoring to compare the SOA serial of all the NS
> servers and go red if they're not in sync.
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20140108/e9f36234/attachment.html>


More information about the Xymon mailing list