Monitoring Zonefiletransfer

Mark Andrews marka at isc.org
Wed Feb 19 00:39:34 UTC 2014 

In message <CAFw0=Wj2XQQcC69uqEtZ6SC0OXDKJAZT4O+Vh0WhfvuyiA+fCQ at mail.gmail.com>
, markus weber writes:
> --===============2070182502041634286==
> Content-Type: multipart/alternative; boundary=001a1134888407910a04f2b6036d
> 
> --001a1134888407910a04f2b6036d
> Content-Type: text/plain; charset=UTF-8
> 
> Hey Guys,
> 
> I am new to administer a Bind server and after a few problems i ran into i
> need to monitor the zonefile transfers of my slave server.
> I have searched on google and nagios plugin sites but could not find
> anything that fits my needs entirely.
> 
> Here is the Setup:
> - MS ActiveDirectory as primary Nameservers (not under my control)
> - 2 Bind server as slave for various zones (behind a loadbalancer)
> 
> The problem i ran into, was that the zone transfer didn't work for some
> reason and the zone we hold expired causing our mailgateway to stop
> relaying mails :/
> 
> As i sayed i googled around and as i could not find anything i hacked a
> nagios plugin myself ( you can find the code here
> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zone
> transfer.pl).
> But i am curious if i took the right "route". These are my assumptions and
> a first approach:
> 
> - read named.conf and get master servers
> - query soa of slave and get serial
> - query first master and get serial
> - if serial match:
>         get zonefile modification time (not sure if this is significant)
> and compare it with localtime and "soa-expiretime"
>         + warn or crit on threshold
>         (stat($zoneFile)[9] + $SOA_S->expire) - time
> - if master serial > slave serial
>         create tempfile and check for how long it stays lower then masters
> serial
>         + warn or crit on threshold
> - else
>         test next master
>         on last master exit with error ( this should not become true ever,
> right?)
> 
> 
> A few problems i discovered:
> - sometimes have a higher serial then all masters have, is this normal on
> an AD DNS? or am I doing something wrong i thought this could not happen.

	Only transfer from one AD master.  Microsoft AD doesn't maintain
	consistent serials across the servers.  The serials should be
	monotonically increasing from a individual server.

> - Some Zones nearly always reach expireation time. and i get a lot of
> critical messages and a few hours/minutes before expireation it does the
> update.

	Choose sane SOA values.  refresh and retry << expire
 
> i hope you can guide me a bit and tell me if this is what i want xD
> 
> many thanks in advance
> seppovic
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list