Domain Delegation Check XYMON

Abstract

After reading some reports of domain delegation hijacks, I created a DNS delegation check script for XYMON. It was tested with com/net/org/de/eu/name domains.

Prolog

Be aware that this script is beta quality, and it might not give you all the checks you want to see! For XYMON a dnsreg script already exists, which is based on WHOIS data. But WHOIS data differs a lot depending on country and/or registry policies etc. So I decided to create a check based on dig, which traces the delegation of a domain from the root nameservers down, reasoning that a change of a domain's DNS delegation is the most important thing I want to be alarmed about. I added the WHOIS data too, for information only, without any alarming checks. Some parts were taken from the original dnsreg script.

On the XYMON server, install the check script as /usr/lib/xymon/client/ext/domaincheck.sh:

#!/bin/bash
# XYMON extension: check that the DNS delegation of every host tagged
# "domaincheck" in hosts.cfg points at one of our own nameservers.
BBHTAG=domaincheck
COLUMN=$BBHTAG
COLOR=green
# our authoritative nameservers, lowercase, with the trailing dot dig prints
MYDNS1="ns.your.de."
MYDNS2="ns2.your.de."
MYDNS3="ns3.your.de."

# refuse to run outside the XYMON environment (BBHOME is one of the legacy
# Hobbit/BB variable names XYMON still sets for old extension scripts)
if test -z "$BBHOME"
then
       echo "BBHOME is not set... exiting"
       exit 1
fi

# every matching line looks like: 0.0.0.0 example.de # noconn domaincheck ...
/usr/lib/xymon/server/bin/bbhostgrep $BBHTAG | while read L
do
     set -- $L
     DOMAIN=$2

     # follow the delegation from the root down; keep only NS records that name
     # one of our servers (the ";; Received ... from" lines mention the server
     # too, so match on the record type, not just the name), take one of them
     # and lowercase it for the comparison below
     RESULT=`dig @a.root-servers.net +trace $DOMAIN | grep -ie "$MYDNS1" -ie "$MYDNS2" -ie "$MYDNS3" | awk '$4 == "NS" { print tolower($5) }' | sort -u | tail -1`

     # quoted, so an empty RESULT (dig failed, nothing matched) is a clean mismatch
     if [ "$RESULT" = "$MYDNS1" ]
     then
          COLOR=green
     elif [ "$RESULT" = "$MYDNS2" ]
     then
          COLOR=green
     elif [ "$RESULT" = "$MYDNS3" ]
     then
          COLOR=green
     else
          # the delegation does not point at any of our servers; change to red as you like
          COLOR=yellow
     fi

     # WHOIS output goes into the status message for information only, it is not checked
     MSG=`whois $DOMAIN`

     # XYMON writes dots in hostnames as commas inside status messages
     DOM=`echo $DOMAIN | sed -e 's/\./,/g'`
     # report the status, valid for 20 minutes (the task runs every 15 minutes);
     # $BB and $BBDISP are the legacy names of $XYMON and $XYMSRV
     $BB $BBDISP "status+20m $DOM.$COLUMN $COLOR `date`

${MSG}

"
done
exit 0

And add the task definition in /etc/xymon/tasks.d/domaincheck.cfg:

[domaincheck]
       ENVFILE /etc/xymon/xymonclient.cfg
       CMD $XYMONCLIENTHOME/ext/domaincheck.sh
       LOGFILE /var/log/xymon/domaincheck.log
       INTERVAL 15m

You might consider shortening the INTERVAL, but I would not recommend going below 15 minutes, because you might get banned from some WHOIS servers! 15 minutes, together with the 20 minute validity of the reported status (status+20m), also avoids the column turning purple (stale) between two runs.

In /etc/xymon/hosts.cfg I have:

...
0.0.0.0 example.de # noconn domaincheck NOCOLUMNS:dns TRENDS:
0.0.0.0 example.org # noconn domaincheck NOCOLUMNS:dns TRENDS:
...
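The script above reports green as soon as one of your nameservers shows up in the delegation, so a rogue nameserver added next to yours would pass unnoticed. The following is an added example, not the original domaincheck.sh: it evaluates a dig +trace output offline and only accepts the delegation if every NS record in it belongs to you. The nameserver names are the placeholders used on this page, the trace texts and IP addresses are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the page's domaincheck.sh): parse `dig +trace` output
# and accept the delegation only if EVERY nameserver in it is one of ours.
# Nameserver names are the page's placeholders; traces below are constructed.

EXPECTED_NS="ns.your.de. ns2.your.de. ns3.your.de."

# Constructed sample of what `dig @a.root-servers.net +trace example.de`
# prints (root and TLD referral abbreviated, documentation IPs). Note that
# the last ";; Received" line also names our server, which is why the parser
# keys on the record type rather than on the server name.
SAMPLE_TRACE_GOOD='; <<>> DiG 9.9.5 <<>> @a.root-servers.net +trace example.de
.                518400 IN NS a.root-servers.net.
;; Received 228 bytes from 192.0.2.4#53(a.root-servers.net) in 12 ms

de.              172800 IN NS a.nic.de.
;; Received 700 bytes from 192.0.2.53#53(a.nic.de) in 20 ms

example.de.      86400  IN NS NS.your.de.
example.de.      86400  IN NS ns2.your.de.
;; Received 150 bytes from 198.51.100.53#53(ns.your.de) in 30 ms'

# Constructed sample of a tampered delegation: one of our servers is still
# listed, but a foreign nameserver has been added next to it. A check that
# only looks for "any one of our servers" would still report green here.
SAMPLE_TRACE_HIJACKED='example.de.      86400  IN NS ns.your.de.
example.de.      86400  IN NS ns.attacker.example.
;; Received 150 bytes from 203.0.113.66#53(ns.attacker.example) in 30 ms'

# delegation_ns <domain>: read a trace on stdin and print the nameservers of
# the final delegation for <domain>, lowercased, one per line, sorted.
delegation_ns() {
    domain="${1%.}."     # normalise to the trailing dot dig prints
    awk -v d="$domain" 'tolower($1) == tolower(d) && $4 == "NS" { print tolower($5) }' \
        | LC_ALL=C sort -u
}

# check_delegation <domain> <trace-text>: print the XYMON colour to report.
#   green  - a delegation was found and every NS in it is in EXPECTED_NS
#   red    - at least one NS in the delegation is not ours
#   yellow - no NS records for the domain at all (dig failed, domain gone)
check_delegation() {
    nslist=$(printf '%s\n' "$2" | delegation_ns "$1")
    [ -n "$nslist" ] || { echo yellow; return 0; }
    for ns in $nslist; do
        case " $EXPECTED_NS " in
            *" $ns "*) ;;                # one of our servers, keep checking
            *) echo red; return 0 ;;     # foreign server in the delegation
        esac
    done
    echo green
}

check_delegation example.de "$SAMPLE_TRACE_GOOD"       # green
check_delegation example.de "$SAMPLE_TRACE_HIJACKED"   # red
```

To use it live, replace the constructed trace with `dig @a.root-servers.net +trace "$DOMAIN"` and feed the colour into the status message the same way the script above does; keep yellow for "no answer" so a transient dig failure does not look like a hijack.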

Epilog

I used the yellow alarm; perhaps you prefer red. As written, this script is not perfect and has many limitations: it only gives you a small degree of certainty that the DNS of your domains is delegated to the nameservers you want to see them on. Use it with caution, and consider adding the original dnsreg script too.

Robert Schetterer, 10. February 2014
