Extend DNS monitoring with DNS status

Comments (3)

Don reporter

Also, for completeness, it would be also useful for someone to be able to

verify request status (NOERROR, REFUSED, NXDOMAIN, and SERVFAIL). For example, NXDOMAIN is useful to check that nobody is added wildcard record * into zone.
To above mentioned reply flags, also flags ad (authenticated data) and cd (checking disabled) could be added, to allow particular checks for DNSSEC setups.
And finally, to allow and disallow additional request parameters, like [no]recursion, [no]cdflags, [no]dnssec (from man dig).

But, these are probably much less useful in general than options mentioned in the first post.

2016-08-05T17:10:23+00:00

Andreas

I can't wait this feature to get implemented.

2017-06-01T19:41:29+00:00

Andreas

just for reference to anyone desiring granular dns checking: i’ve configured dns response check by generic protocol checker:

if failed host 127.0.0.1 port 53 type udp
  send "\0x00\0x01\0x01\0x00\0x00\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x09localhost\0x00\0x00\0x01\0x00\0x01"
  expect "^[\\]0^A[\0x80-\0xFF].[\\]0^A[\\]0^A.*^Ilocalhost[\\]0[\\]0^A[\\]0^A.*[\\]0^A[\\]0^A([\\]0|.){4}[\\]0^D^?[\\]0[\\]0^A"

^A denoting char 0x01 (a 0x01 byte literally written in the config file), ^B is 0x02, ..., ^? is 0x7F, and the [\\]0 sequence is a trick to match to NUL byte in the read buffer.

explanation

send

\0x00 \0x01 – XID (arbitrary)
\0x01 \0x00 – flags (recursion desired)
\0x00 \0x01 – num of queries
\0x00 \0x00 – num of answers
\0x00 \0x00 – num of authority answers
\0x00 \0x00 – num of additional answers
\0x09 “localhost” \0x00 – (query section) query “localhost.” domain name
\0x00 \0x01 – query record type A
\0x00 \0x01 – query in class IN

expect

0x00 0x01 – XID (should be the same as in query)
[0x80-0xFF]. – flag: first byte most significant bit must 1 (denoting response message), second byte anything
0x00 0x01 – num of queries
0x00 0x01 – num of answers
.* – here can be anything (num of records in other sections, section data)
0x09 “localhost” 0x00 – (probably in the answer section) “localhost.” was queried
0x00 0x01 – record type A was queried
0x00 0x01 – class IN was queried
.* – any data (maybe other sections)
0x00 0x01 – answer record has type A
0x00 0x01 – answer record is in class IN
(0x00|.){4} – 4 bytes for any TTL
0x00 0x04 – following address is 4 bytes long
0x7E 0x00 0x00 0x01 – “127.0.0.1”

2019-06-03T22:31:31+00:00

Don reporter
Also, for completeness, it would be also useful for someone to be able to
- verify request status (NOERROR, REFUSED, NXDOMAIN, and SERVFAIL). For example, NXDOMAIN is useful to check that nobody is added wildcard record * into zone.
- To above mentioned reply flags, also flags ad (authenticated data) and cd (checking disabled) could be added, to allow particular checks for DNSSEC setups.
- And finally, to allow and disallow additional request parameters, like [no]recursion, [no]cdflags, [no]dnssec (from man dig).
But, these are probably much less useful in general than options mentioned in the first post.
- 2016-08-05T17:10:23+00:00
Andreas
I can't wait this feature to get implemented.
- 2017-06-01T19:41:29+00:00
Andreas
just for reference to anyone desiring granular dns checking: i’ve configured dns response check by generic protocol checker:
```
if failed host 127.0.0.1 port 53 type udp
  send "\0x00\0x01\0x01\0x00\0x00\0x01\0x00\0x00\0x00\0x00\0x00\0x00\0x09localhost\0x00\0x00\0x01\0x00\0x01"
  expect "^[\\]0^A[\0x80-\0xFF].[\\]0^A[\\]0^A.*^Ilocalhost[\\]0[\\]0^A[\\]0^A.*[\\]0^A[\\]0^A([\\]0|.){4}[\\]0^D^?[\\]0[\\]0^A"
```
^A denoting char 0x01 (a 0x01 byte literally written in the config file), ^B is 0x02, ..., ^? is 0x7F, and the [\\]0 sequence is a trick to match to NUL byte in the read buffer.

explanation

send
- \0x00 \0x01 – XID (arbitrary)
- \0x01 \0x00 – flags (recursion desired)
- \0x00 \0x01 – num of queries
- \0x00 \0x00 – num of answers
- \0x00 \0x00 – num of authority answers
- \0x00 \0x00 – num of additional answers
- \0x09 “localhost” \0x00 – (query section) query “localhost.” domain name
- \0x00 \0x01 – query record type A
- \0x00 \0x01 – query in class IN
expect
- 0x00 0x01 – XID (should be the same as in query)
- [0x80-0xFF]. – flag: first byte most significant bit must 1 (denoting response message), second byte anything
- 0x00 0x01 – num of queries
- 0x00 0x01 – num of answers
- .* – here can be anything (num of records in other sections, section data)
- 0x09 “localhost” 0x00 – (probably in the answer section) “localhost.” was queried
- 0x00 0x01 – record type A was queried
- 0x00 0x01 – class IN was queried
- .* – any data (maybe other sections)
- 0x00 0x01 – answer record has type A
- 0x00 0x01 – answer record is in class IN
- (0x00|.){4} – 4 bytes for any TTL
- 0x00 0x04 – following address is 4 bytes long
- 0x7E 0x00 0x00 0x01 – “127.0.0.1”
- 2019-06-03T22:31:31+00:00
Log in to comment