Edwin Groothuis wrote:
> On Sun, Jun 09, 2002 at 05:35:41PM +0200, Ralf Vitasek wrote:
>> what *good* use anyone could have for such a thing?
>
> Auditing. Not all information gathering is used for bad purposes :-)
>
> For example, I've developed a DNS auditing system to check the state of
> health of our servers, the ones which we (were) delegated (delegating)
> to... Warnings kept popping up for weeks after the transfers of domain
> from a remote server to us or from us to another remote server. If you
> don't check and complain your DNS-network is going to be a mess, mail
> won't be transferred anymore, hosts will resolve wrong and all kind of
> things based on hostname-authorisations will go bad.

With BIND it's possible to accomplish this type of auditing strictly by examining the DNS message log, as long as NOTIFY functionality is enabled.

If you are running a master:

- To check if all slaves are configured to mirror all your zones, update the serial number in all your master files and reload. Your server will send NOTIFY messages to all the slaves. If the slaves are correctly configured they will perform a zone transfer. Both the NOTIFY messages and the zone transfers will by default be recorded in your message log. Make sure there is a matching zone transfer to every slave for each zone you master.

  You can also do this without updating the serial number by simply restarting the nameserver. The nameserver will send NOTIFY messages to all the slaves. Each slave will then send a NOTIFY answer, even if it doesn't need to perform a zone transfer. If a slave is not configured to mirror a zone, it will not send a NOTIFY answer. The NOTIFY answers are recorded by default in your message logs. Make sure you get a NOTIFY answer from every slave for each zone you master.

- To make sure slaves are not configured to mirror zones you do not master, check your message logs for transfer requests for zones you do not master.
If you are running a slave:

- To make sure you are mirroring every zone you are supposed to mirror, check your message logs for messages of the form

    rcvd NOTIFY for "example.com", name not one of our zones

  Confirm using WHOIS, dig, and contact with the master server admin that you are supposed to mirror the zone, and add it to your config.

- To make sure you aren't configured to mirror zones from a server that doesn't master them, check your message logs for messages of the form

    [192.168.0.1] not authoritative for example.com, SOA query got...

  This means you're trying to do a zone transfer from a server that doesn't think it's authoritative for the zone.

If your server is a master for some zones and a slave for others, just use an appropriate combination of the above techniques.

The drawback to this method is that your system is sensitive to the particular logging format and behavior of BIND, which may change every time you upgrade.

--
Jefferson Ogata : Internetworker, Antibozo
<ogataat_private> http://www.antibozo.net/ogata/
whois: jo317/whois.networksolutions.com
http://www.antibozo.net/ogata/pgp.asc
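The four log checks described in the message above, as an added example that is not part of the original post or of BIND itself. The sample log lines are constructed: the two slave-side messages follow the forms quoted in the message, while the `zone transfer of ... to [...]` line is an assumed shape that must be adapted to what your BIND version actually logs (the drawback the author points out).

```python
import re
from collections import defaultdict

# Constructed sample log lines. The two slave-side messages follow the forms
# quoted in the message above; the master-side transfer line is an assumed
# shape and must be adapted to the format your BIND version actually emits.
SAMPLE_LOG = """\
Jun  9 18:00:01 ns1 named[123]: zone transfer of "example.com" to [192.168.0.2]
Jun  9 18:00:02 ns1 named[123]: zone transfer of "example.net" to [192.168.0.2]
Jun  9 18:00:03 ns1 named[123]: zone transfer of "example.com" to [192.168.0.3]
Jun  9 18:00:04 ns1 named[123]: zone transfer of "other.test" to [192.168.0.2]
Jun  9 18:00:05 ns1 named[123]: rcvd NOTIFY for "example.org", name not one of our zones
Jun  9 18:00:06 ns1 named[123]: [192.168.0.1] not authoritative for example.com, SOA query got NOTIMP
"""

TRANSFER_RE = re.compile(r'zone transfer of "([^"]+)" to \[([\d.]+)\]')   # assumed format
UNKNOWN_ZONE_RE = re.compile(r'rcvd NOTIFY for "([^"]+)", name not one of our zones')
NOT_AUTH_RE = re.compile(r'\[([\d.]+)\] not authoritative for ([^,\s]+),')

def audit(log_text, master_zones, slaves):
    """Run the master- and slave-side checks over a BIND message log.

    master_zones: zones this server masters; slaves: addresses of all slaves
    that should mirror every one of those zones. Returns a dict of findings.
    """
    transfers = defaultdict(set)  # zone -> set of peers that pulled it from us
    findings = {"missing_transfer": [], "foreign_transfer": [],
                "unexpected_notify": [], "bad_master": []}
    for line in log_text.splitlines():
        if m := TRANSFER_RE.search(line):
            zone, peer = m.groups()
            if zone in master_zones:
                transfers[zone].add(peer)
            else:  # a slave is pulling a zone we do not master
                findings["foreign_transfer"].append((zone, peer))
        elif m := UNKNOWN_ZONE_RE.search(line):
            # a master thinks we mirror this zone but it is not in our config
            findings["unexpected_notify"].append(m.group(1))
        elif m := NOT_AUTH_RE.search(line):
            # we are configured to pull a zone from a server that is not authoritative
            peer, zone = m.groups()
            findings["bad_master"].append((zone, peer))
    # every slave must show a transfer for every zone we master
    for zone in sorted(master_zones):
        for slave in sorted(slaves):
            if slave not in transfers[zone]:
                findings["missing_transfer"].append((zone, slave))
    return findings
```

Run it over the real message log after a reload or restart, as the message describes, and treat every non-empty finding list as something to chase up with the peer's admin.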
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 19:49:05 PDT