Checking on DNS secondaries

Rick Moen rick at linuxmafia.com
Fri May 20 22:44:21 PDT 2011


What do folks use to check up on DNS secondaries?

My nameserver does master nameservice for a user group's domain (scruz.org).
A few days ago, I discovered that _all four_ secondaries had flaked out:
Two reIPed and didn't tell me, one shut off scruz.org service and didn't
tell me, one ceased all DNS service and didn't tell me.  I found and fixed
the problems, but monitoring also seemed called for.

Output follows of my quick hack, an e-mailed report from a cronjob in
/etc/cron.weekly/, followed by the cron script itself.  However, does
anyone use something better?



----- Forwarded message from root <root at linuxmafia.com> -----

Date: Fri, 20 May 2011 22:28:06 -0700
From: root <root at linuxmafia.com>
To: rick at linuxmafia.com
Subject: Domain scruz.org SOA check

As of 2011-05-20, there are supposed to be six authoritative nameservers:

ns1.scruz.org. 198.144.195.186, aka ns1.linuxmafia.com. (Rick Moen)
ns1.svlug.org. 64.62.190.98 (Rick Moen)
ns6.scruz.org. 38.102.132.186, aka ns1.phosphor.net. (Eric Cain)
ns7.scruz.org. 209.237.247.49, aka ns.portalpotty.net. (Max Baker)
ns8.scruz.org. 209.133.21.10, aka ns1.got.net. (got.net NOC)
ns9.scruz.org. 207.111.232.23 aka ns2.got.net. (got.net NOC)

If any is missing from reports below, or produces odd data, something is wrong.

Zonefile S/Ns:

2011051900 on ns1.scruz.org.
2011051900 on ns1.svlug.org.
2011051900 on ns6.scruz.org.
2011051900 on ns7.scruz.org.
2011051900 on ns8.scruz.org.
2011051900 on ns9.scruz.org.

Authoritative nameservers from whois:

NS1.SCRUZ.ORG
NS1.SVLUG.ORG
NS7.SCRUZ.ORG
NS6.SCRUZ.ORG
NS8.SCRUZ.ORG
NS9.SCRUZ.ORG
 

Parent-zone NS records and matching A records (glue):


; <<>> DiG 9.4.2 <<>> -t ns scruz.org. @d0.org.afilias-nst.org. +nocmd +noquestion +nostats +nocomments
;; global options:  printcmd
scruz.org.		86400	IN	NS	ns7.scruz.org.
scruz.org.		86400	IN	NS	ns1.svlug.org.
scruz.org.		86400	IN	NS	ns8.scruz.org.
scruz.org.		86400	IN	NS	ns9.scruz.org.
scruz.org.		86400	IN	NS	ns1.scruz.org.
scruz.org.		86400	IN	NS	ns6.scruz.org.
ns1.scruz.org.		86400	IN	A	198.144.195.186
ns1.svlug.org.		86400	IN	A	64.62.190.98
ns6.scruz.org.		86400	IN	A	38.102.132.186
ns7.scruz.org.		86400	IN	A	209.237.247.49
ns8.scruz.org.		86400	IN	A	209.133.21.10
ns9.scruz.org.		86400	IN	A	207.111.232.23

In-domain NS records and matching A records:


; <<>> DiG 9.4.2 <<>> -t ns scruz.org. @ns7.scruz.org. +nocmd +noquestion +nostats +nocomments
;; global options:  printcmd
scruz.org.		86400	IN	NS	ns1.svlug.org.
scruz.org.		86400	IN	NS	ns6.scruz.org.
scruz.org.		86400	IN	NS	ns7.scruz.org.
scruz.org.		86400	IN	NS	ns8.scruz.org.
scruz.org.		86400	IN	NS	ns9.scruz.org.
scruz.org.		86400	IN	NS	ns1.scruz.org.
ns1.scruz.org.		86400	IN	A	198.144.195.186
ns6.scruz.org.		86400	IN	A	38.102.132.186
ns7.scruz.org.		86400	IN	A	209.237.247.49
ns8.scruz.org.		86400	IN	A	209.133.21.10
ns9.scruz.org.		86400	IN	A	207.111.232.23

----- End forwarded message -----




#!/bin/sh

# smaug         Cron script to sanity-check domain scruz.org's SOA records at
#               all of its authoritative nameservers, as a quick and 
#               dirty way of making sure (1) they're all online and
#               (2) they're all serving up the same data (or at least
#               data with the same zonefile serial number).
#  
#               The script queries all six nameservers for their current
#               SOA value (for scruz.org), and then uses awk to parse 
#               out of that verbose record just the S/N field, which is 
#               field #3.  The point is that you can visually spot offline 
#               or aberrant nameservers by their S/Ns being (respectively) 
#               missing or an out-of-step value.
#
#               For good measure, we also report authoritative servers from 
#               whois, NS-type records + their glue A records at the zone's 
#               parent, then NS-type records + matching A records in the 
#               zone itself.
#
#		Written by Rick Moen (rick at linuxmafia.com)
#		$Id: cron.weekly,v 1.04 2011/05/20 21:47:05 rick
# Copyright (C) Rick Moen, 2011.  Do anything you want with this work.

set -o errexit  #aka "set -e": exit if any line returns non-true value
set -o nounset  #aka "set -u": exit upon finding an uninitialised variable

test -x /usr/bin/mail || exit 0
test -x /usr/bin/whois || exit 0
test -x /usr/bin/awk || exit 0
test -x /bin/grep || exit 0
test -x /usr/bin/dig || exit 0

{
echo "As of 2011-05-20, there are supposed to be six authoritative nameservers:"
echo ""
echo "ns1.scruz.org. 198.144.195.186, aka ns1.linuxmafia.com. (Rick Moen)"
echo "ns1.svlug.org. 64.62.190.98 (Rick Moen)"
echo "ns6.scruz.org. 38.102.132.186, aka ns1.phosphor.net. (Eric Cain)"
echo "ns7.scruz.org. 209.237.247.49, aka ns.portalpotty.net. (Max Baker)"
echo "ns8.scruz.org. 209.133.21.10, aka ns1.got.net. (got.net NOC)"
echo "ns9.scruz.org. 207.111.232.23 aka ns2.got.net. (got.net NOC)"
echo ""
echo "If any is missing from reports below, or produces odd data, something is wrong."
echo ""
echo "Zonefile S/Ns:"
echo ""
dig -t soa scruz.org. @NS1.SCRUZ.ORG. +short | awk '{ print $3 " on ns1.scruz.org." }'
dig -t soa scruz.org. @NS1.SVLUG.ORG. +short | awk '{ print $3 " on ns1.svlug.org." }'
dig -t soa scruz.org. @NS6.SCRUZ.ORG. +short | awk '{ print $3 " on ns6.scruz.org." }'
dig -t soa scruz.org. @NS7.SCRUZ.ORG. +short | awk '{ print $3 " on ns7.scruz.org."}'
dig -t soa scruz.org. @NS8.SCRUZ.ORG. +short | awk '{ print $3 " on ns8.scruz.org."}'
dig -t soa scruz.org. @NS9.SCRUZ.ORG. +short | awk '{ print $3 " on ns9.scruz.org."}'
echo ""
echo "Authoritative nameservers from whois:"
echo ""
whois scruz.org | grep 'Name Server' | awk -F: '{ print $2 }' | head -n 7
echo ""
echo "Parent-zone NS records and matching A records (glue):"
echo ""
dig -t ns scruz.org. @$(dig -t ns org. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
echo ""
echo "In-domain NS records and matching A records:"
echo ""
dig -t ns scruz.org. @$(dig -t ns scruz.org. +short | head -n 1) +nocmd +noquestion +nostats +nocomments
} |
mail -s "Domain scruz.org SOA check" rick@linuxmafia.com
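
Added example, not part of the original post: the "Zonefile S/Ns" section of the report is meant to be checked by eye, and the sketch below does the same comparison mechanically, flagging any expected nameserver that is missing from the report or behind the newest serial. The function name check_serials, the EXPECTED list variable and the sample report are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Input is the report's own
# "<serial> on <nameserver>" lines; the sample below is constructed.

EXPECTED="ns1.scruz.org. ns1.svlug.org. ns6.scruz.org. ns7.scruz.org. ns8.scruz.org. ns9.scruz.org."

# check_serials REPORT
# Prints one finding per problem server and returns 1 if any expected server
# is missing or behind the newest serial seen; returns 0 when all agree.
# Plain numeric comparison: RFC 1982 serial wraparound is not handled.
check_serials() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED" '
        # Accept only lines whose first field is a number, so a dig error
        # line (for example a timeout message, which the cron pipeline
        # would pass through as a non-numeric field) counts as no answer.
        $1 ~ /^[0-9]+$/ && $2 == "on" {
            serial[$3] = $1
            if ($1 + 0 > newest + 0) newest = $1
        }
        END {
            bad = 0
            n = split(expected, ns, " ")
            for (i = 1; i <= n; i++) {
                if (!(ns[i] in serial)) {
                    print "MISSING " ns[i]; bad = 1
                } else if (serial[ns[i]] + 0 < newest + 0) {
                    print "STALE " ns[i] " " serial[ns[i]] " (newest " newest ")"; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: ns7 is one revision behind, ns8 produced an error line
# instead of a serial, and ns9 produced no output at all.
SAMPLE="2011051900 on ns1.scruz.org.
2011051900 on ns1.svlug.org.
2011051900 on ns6.scruz.org.
2011051800 on ns7.scruz.org.
timed on ns8.scruz.org.
"

# For live use, build the report with the same dig | awk pipeline as the cron script.
check_serials "$SAMPLE" || echo "secondaries need attention"
```

Because the function returns non-zero on any finding, a cron job can send mail only when something is wrong instead of relying on someone reading the weekly report.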



