Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - How do you monitor DNS? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

How do you monitor DNS?

Published: 2013-09-26
Last Updated: 2013-09-26 12:51:40 UTC
by Johannes Ullrich (Version: 1)
11 comment(s)

Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using?

The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:

- changes to the zone's serial number
- changes to the NS records (using the TLD's name servers, not mine)
- changes to MX records
- monitoring a couple critical A and AAAA records (like 'www').

In addition, for zones with DNSSEC enabled:

- does the signature expire soon?
- do all key signing keys have valid DS records with the parent zone?
- did the DS record change?

What else are you monitoring?  What scripts / tools do you use to accomplish this?

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: DNS
11 comment(s)
Diary Archives