DNS Request
A DNS request is entered in the "Request" field of the task in the format:
dns:[//<server>[:<port>]/]<domain>[?<type>]
where:
– server: (optional) URL of a particular DNS server.
– domain (required): the domain of the record in the DNS zone.
– type: (optional, A) the type of record in the DNS zone of the domain: A, AAAA, CNAME, MX, NS, SOA, SPF, TXT. If this parameter is not understood, an error will be generated.
examples:
dns:buy.dnc.global
dns:dnc.global?NS
dns://dns102.ovh.net/buy.dnc.global
dns:degoy.com?A
dns:degoy.com?AAAA
dns://dns200.anycast.me/degoy.com?AAAA
dns:degoy.com?MX
dns://ns-219-a.gandi.net/www.spip.net
dns://1.1.1.1/dnc.global /* Cloudflare resolver */
dns://8.8.8.8/dnc.global /* Google resolver */
dns://213.186.33.99/dnc.global?AAAA /* OVH resolver France*/
dns://5.196.123.133/dnc.global?AAAA /* OVH resolver, Spain */
dns://193.252.10.2/dnc.global /* Orange, Aubervilliers, France */
Reply
NSS issues the DNS query as a Unix/Linux dig command of the following form:
dig [<type>] [@<server>[:<port>]] <domain>
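As an added example (not NSS's own code), here is a parser for the request syntax described above that turns a "dns:" request into the argv of the dig command NSS issues. It assumes that the port is handed to dig with -p (the page writes the form as @server:port), that a server written with more than one ":" and no brackets is an IPv6 literal (as in the dns://2001:4b98:aaaa::dc/... example later on this page) so no port is split off it, and that the allowed record types are the eight listed above. The names parse_request, to_dig_argv and is_valid_request are the example's own.

```python
"""Parse the 'dns:' request syntax described above and build the dig command
NSS issues.  Added example, not NSS's own code.  Assumptions: the port is given
to dig with -p (the page writes it as @server:port); a server with more than
one ':' and no [brackets] is an IPv6 literal, as in the page's
dns://2001:4b98:aaaa::dc/... example, so no port is split off it; the record
types allowed are the eight the page lists."""
import ipaddress
import re

TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "SPF", "TXT"}   # from the page
HOSTNAME = re.compile(r"^[A-Za-z0-9._-]+$")      # hostname or IPv4 literal

def _safe_name(name):
    """Only hostnames/IPv4 or valid IPv6 literals may reach the dig argv."""
    if HOSTNAME.match(name):
        return True
    try:
        return ipaddress.ip_address(name).version == 6
    except ValueError:
        return False

def parse_request(request):
    """dns:[//<server>[:<port>]/]<domain>[?<type>]  ->  dict(server, port, domain, type)."""
    text = re.sub(r"/\*.*?\*/", "", request).strip()     # drop a trailing /* comment */
    m = re.fullmatch(r"dns:(?://([^/]+)/)?([^?]+)(?:\?(.+))?", text)
    if not m:
        raise ValueError("not a dns: request: " + request)
    server, domain = m[1], m[2].strip()
    rtype = (m[3] or "A").strip().upper()
    if rtype not in TYPES:                                # the page: unknown type -> error
        raise ValueError("unsupported record type: " + rtype)
    port = None
    if server and server.startswith("["):                 # [v6]:port, the URL convention
        host, _, rest = server[1:].partition("]")
        server, port = host, int(rest[1:]) if rest.startswith(":") else None
    elif server and server.count(":") == 1:               # host:port or v4:port
        server, _, p = server.partition(":")
        port = int(p)
    for name in filter(None, (domain, server)):
        if not _safe_name(name):
            raise ValueError("unsafe characters in: " + name)
    return {"server": server, "port": port, "domain": domain, "type": rtype}

def to_dig_argv(request):
    """argv for 'dig [<type>] [@<server>] [-p <port>] <domain>'.  Passing an argv
    list (never a shell string) keeps the Request field out of shell parsing."""
    r = parse_request(request)
    argv = ["dig", r["type"]]
    if r["server"]:
        argv.append("@" + r["server"])
    if r["port"]:
        argv += ["-p", str(r["port"])]
    argv.append(r["domain"])
    return argv

def is_valid_request(request):
    """True when the request parses and only safe names reach dig."""
    try:
        parse_request(request)
        return True
    except ValueError:
        return False
```

The argv list is what you would hand to subprocess.run (with capture_output=True, text=True) to obtain the dig output that the "Reply" section describes; building a list rather than a shell string, and rejecting anything that is not a hostname or IP literal, matters because the Request field is operator-entered text that ends up on a command line.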
If the request is successful, the response parsed by NSS is the literal form returned by DIG.
Here is, for example, the response to the request dns:degoy.com?MX (translated into dig MX degoy.com):
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.7 <<>> MX degoy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36151
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;degoy.com. IN MX
;; ANSWER SECTION:
degoy.com. 600 IN MX 5 mx1.mail.ovh.net.
degoy.com. 600 IN MX 100 mx3.mail.ovh.net.
degoy.com. 600 IN MX 1 mx0.mail.ovh.net.
degoy.com. 600 IN MX 200 mail.rollernet.us.
degoy.com. 600 IN MX 200 mail2.rollernet.us.
degoy.com. 600 IN MX 50 mx2.mail.ovh.net.
;; Query time: 11 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Tue Sep 1 17:22:07 2020
;; MSG SIZE rcvd: 174
If this fails, NSS will log an error.
Implicit and Default Rules
The response expected by NSS following a DNS request appears in the "Rules" field of the task. This field is optional. Whether or not it is entered, implicit rules apply:
status: NOERROR: NSS checks that the DNS response contains "status: NOERROR". Otherwise, an alert of level 5 at least is generated.
Response Time: NSS always monitors the response time against the average time observed for the task.
An alert is generated with a level equal to 2, or the level indicated in the task definition, if the response time exceeds 4 times the average time.
For more details on this topic, see: Response time monitoring (Surveillance du temps de réponse).
Default rules: moreover, if the rule field is not filled in, NSS applies the following rules, assuming an expected response within a period of less than 50 ms:
TIME<50:3
TIME<100:4
TIME<500:5
These rules already allow effective monitoring without having to assign rules to the task. So the simple query:
dns://ns-219-a.gandi.net/www.spip.net
allows you to monitor the resolution of the domain name www.spip.net by one of its authoritative DNS servers.
Rules applicable to the DNS request
– TIME< number of ms: Checks that the server returns the response within a time period less than the value indicated in ms.
– MEAN< number of ms: Checks that the server returns the response within an average delay less than the value indicated in ms.
– IPV4= NNN.NNN.NNN.NNN : the most essential rule, allowing to verify that the domain name indicated in the DNS request is resolved and equal to the indicated IPv4 address.
– QUERY TIME< number of ms: Checks that the response time reported by the DNS server itself (the Query time line of the dig output) is less than the value indicated in ms.
Note: the TIME and MEAN rules take the total response time of the request into account (including transmission times, whether or not the DNS server responds), while QUERY TIME covers only the time shown in the DNS response.
– CONTAINS character string: this rule allows you to check for the presence of a string in the raw response.
– MATCH character string: this rule checks the raw response against a pattern. The pattern can be a standard regular expression, so any check on the response is possible. However, the ARRAY rule will most often be preferable.
– ARRAY[index]= character string: Checks that the character string is found in the value of the array at the given index. Note that this is an inclusion test and not an equality test; the rule behaves like CONTAINS. The index can be multidimensional.
– ARRAY[index]> number: Checks that the value of the array at the given index is greater than the number indicated. The index can be multidimensional.
Learn more about the ARRAY rule
The ARRAY[...] rule completes the rule set: with it, any piece of information returned by the DNS query can be tested.
How NSS translates the responses
To make a request, NSS calls on DIG and then breaks down the response into an associative array. The rules relate to the elements of this array.
Usually, you won't have to worry about this array. However, writing an ARRAY rule requires a good knowledge of the structure of this array.
Here’s how NSS internally translates the previous query into an array:
- RAW: string = " ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> www.spip.net\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n; COOKIE: f182cd5130c105c8056d4eed5f50bf97a6b668e584c7b2e7 (good)\n;; QUESTION SECTION:\n;www.spip.net.\t\t\tIN\tA\n\n;; ANSWER SECTION:\nwww.spip.net.\t\t1979\tIN\tA\t151.80.20.125\n\n;; AUTHORITY SECTION:\nspip.net.\t\t34795\tIN\tNS\tns-145-c.gandi.net.\nspip.net.\t\t34795\tIN\tNS\tns-77-b.gandi.net.\nspip.net.\t\t34795\tIN\tNS\tns-219-a.gandi.net.\n\n;; ADDITIONAL SECTION:\nns-219-a.gandi.net.\t34795\tIN\tA\t173.246.100.220\nns-219-a.gandi.net.\t34795\tIN\tAAAA\t2001:4b98:aaaa::dc\n\n;; Query time: 0 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n;; WHEN: Thu Sep 03 10:04:07 UTC 2020\n;; MSG SIZE rcvd: 203\n"
- ; <<>> DIG 9.11.5-P4-5.1+DEB10U2-DEBIAN <<>> WWW.SPIP.NET: string = ""
- GLOBAL OPTIONS: string = " +cmd "
- GOT ANSWER: string = " "
- opcode: string = " QUERY"
- status: string = " NOERROR"
- id: string = " 594 "
- flags: string = " qr rd ra"
- QUERY: string = " 1"
- ANSWER: string = " 1"
- AUTHORITY: string = " 3"
- ADDITIONAL: string = " 3 "
- OPT PSEUDOSECTION: string = " ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: f182cd5130c105c8056d4eed5f50bf97a6b668e584c7b2e7 (good) "
- QUESTION SECTION: string = "www.spip.net. IN A "
- SERVER: string = " 127.0.0.1#53(127.0.0.1) "
- WHEN: string= "Thu Sep 03 10:04:07 UTC 2020"
- MSG SIZE RCVD: string = " 203 "
- host: string = "www.spip.net"
- class: string = "IN"
- ttl: long = 1974
- type: string = "A"
- ip: string = "151.80.20.125"
- host: string = "spip.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "NS"
- target: string = "ns-145-c.gandi.net"
- host: string = "spip.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "NS"
- target: string = "ns-77-b.gandi.net"
- host: string = "spip.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "NS"
- target: string = "ns-219-a.gandi.net"
- host: string = "spip.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "NS"
- target: string = "ns-77-b.gandi.net"
- host: string = "spip.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "NS"
- target: string = "ns-145-c.gandi.net"
- host: string = "spip.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "NS"
- target: string = "ns-219-a.gandi.net"
- host: string = "ns-219-a.gandi.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "A"
- ip: string = "173.246.100.220"
- host: string = "ns-219-a.gandi.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "AAAA"
- ipv6: string = "2001:4b98:aaaa::dc"
- host: string = "ns-219-a.gandi.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "A"
- ip: string = "173.246.100.220"
- host: string = "ns-219-a.gandi.net"
- class: string = "IN"
- ttl: long = 34790
- type: string = "AAAA"
- ipv6: string = "2001:4b98:aaaa::dc"
- IPV4: string = "151.80.20.125"
Examples of ARRAY rules
ARRAY[HEADER][AUTHORITY]= 2 /*verify that there are two authoritative servers */
ARRAY[HEADER][ADDITIONAL]> 0 /* check that there is at least one additional server */
ARRAY[RAW]=EDNS /* check EDNS support*/
ARRAY[AUTHORITY SECTION][0][target]=ns-145-c.gandi.net
The last example shows a difficulty: if there are several authoritative servers, what is the rank of the one whose presence we want to check? The '*' sign in the ARRAY[]= rule is used to test all indexes:
ARRAY[AUTHORITY SECTION][*][target]=ns-145-c.gandi.net
Inversion, combination, alert level
The inversion of the rules by NOT is possible for the TIME, MEAN and CONTAINS rules.
The combination of the rules and the definition of the alert level are done in the same way as in the case of HTTP monitoring rules.
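The sections "Implicit and Default Rules", "Rules applicable to the DNS request", "How NSS translates the responses", "Examples of ARRAY rules" and the NOT inversion above all describe one pipeline: dig output is broken down into an associative array and rules are evaluated against it. The following is an added example of that pipeline, not NSS's own code. It parses the page's own "dig www.spip.net" transcript (shortened) into an array shaped like the dump above (HEADER, one list per "... SECTION", records keyed host/class/ttl/type plus ip, ipv6 or target), then evaluates TIME, MEAN, QUERY TIME, IPV4, CONTAINS, MATCH and ARRAY rules, including "*" indexes, the NOT prefix, the ":level" suffix, the implicit status and 4x-average checks, and the default TIME rules. The exact array layout, the "[NOT ]<rule>[:<level>]" grammar and level 5 for a failed rule that carries no level are assumptions; the function names are the example's own.

```python
"""Parse dig output into an associative array the way the page says NSS does,
then evaluate the page's DNS rules against it.  Added example, not NSS's own
code: the array layout (HEADER, one list per '... SECTION', records keyed
host/class/ttl/type plus ip, ipv6 or target), the rule grammar '[NOT ]<rule>[:<level>]'
and level 5 for a failed rule without a level are assumptions modelled on the page."""
import re

# Sample input: the page's "dig www.spip.net" transcript, shortened (\t between fields).
DIG_OUTPUT = """\
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> www.spip.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3800
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; ANSWER SECTION:
www.spip.net.\t\t1427\tIN\tA\t151.80.20.125

;; AUTHORITY SECTION:
spip.net.\t\t126583\tIN\tNS\tns-219-a.gandi.net.
spip.net.\t\t126583\tIN\tNS\tns-77-b.gandi.net.
spip.net.\t\t126583\tIN\tNS\tns-145-c.gandi.net.

;; ADDITIONAL SECTION:
ns-219-a.gandi.net.\t126583\tIN\tAAAA\t2001:4b98:aaaa::dc

;; Query time: 0 msec
"""

def parse_dig(text):
    """Break dig output into {RAW, HEADER, '<NAME> SECTION': [records], ...}."""
    data, section = {"RAW": text, "HEADER": {}}, None
    for line in text.splitlines():
        if line.startswith((";; ->>HEADER<<-", ";; flags:")):
            # "opcode: QUERY, status: NOERROR, id: 3800" and "flags: qr rd ra; QUERY: 1, ..."
            for kv in re.split(r"[,;]", re.sub(r"^;; (->>HEADER<<- )?", "", line)):
                k, _, v = kv.partition(":")
                data["HEADER"][k.strip()] = v.strip()
        elif line.endswith("SECTION:"):
            section = line[3:-1]                     # e.g. "AUTHORITY SECTION"
            data[section] = []
        elif line.startswith(";; "):                 # Query time, SERVER, WHEN, ...
            section = None
            k, _, v = line[3:].partition(":")
            data[k.strip()] = v.strip()
        elif section and line and not line.startswith(";"):
            host, ttl, cls, rtype, *rdata = line.split()
            rec = {"host": host.rstrip("."), "ttl": int(ttl), "class": cls, "type": rtype}
            rec[{"A": "ip", "AAAA": "ipv6"}.get(rtype, "target")] = " ".join(rdata).rstrip(".")
            data[section].append(rec)
    return data

def lookup(node, path):
    """Yield every value reached by path; '*' fans out over all indexes."""
    if not path:
        yield node
    elif path[0] == "*" and isinstance(node, (list, dict)):
        for item in (node if isinstance(node, list) else node.values()):
            yield from lookup(item, path[1:])
    elif isinstance(node, list) and path[0].isdigit() and int(path[0]) < len(node):
        yield from lookup(node[int(path[0])], path[1:])
    elif isinstance(node, dict) and path[0] in node:
        yield from lookup(node[path[0]], path[1:])

def array_rule(path_text, op, expected, data):
    """ARRAY[..]=s is an inclusion test (like CONTAINS); ARRAY[..]>n compares numbers."""
    for value in lookup(data, re.findall(r"\[([^\]]+)\]", path_text)):
        if op == "=" and expected in str(value):
            return True
        if op == ">" and str(value).isdigit() and int(value) > int(expected):
            return True
    return False

RULES = [  # (pattern, pass test) for each rule the page lists; m = match, d = array
    (r"TIME<\s*(\d+)", lambda m, d, t, a: t < int(m[1])),
    (r"MEAN<\s*(\d+)", lambda m, d, t, a: a < int(m[1])),
    (r"QUERY TIME<\s*(\d+)", lambda m, d, t, a: int(d["Query time"].split()[0]) < int(m[1])),
    (r"IPV4=\s*(\S+)", lambda m, d, t, a: any(r.get("ip") == m[1] for r in d.get("ANSWER SECTION", []))),
    (r"CONTAINS (.+)", lambda m, d, t, a: m[1] in d["RAW"]),
    (r"MATCH (.+)", lambda m, d, t, a: re.search(m[1], d["RAW"]) is not None),
    (r"ARRAY\s*((?:\[[^\]]+\])+)\s*([=>])\s*(.+)", lambda m, d, t, a: array_rule(m[1], m[2], m[3], d)),
]

def evaluate(rule, data, elapsed_ms, mean_ms):
    """Return 0 when the rule passes, otherwise the alert level it carries (default 5)."""
    text = re.sub(r"/\*.*?\*/", "", rule).strip()           # drop a trailing /* comment */
    m = re.fullmatch(r"(NOT )?(.*?)(?::(\d+))?", text)      # [NOT ]<rule>[:<level>]
    for pattern, test in RULES:
        match = re.fullmatch(pattern, m[2].strip())
        if match:   # NOT inverts the outcome
            passed = bool(test(match, data, elapsed_ms, mean_ms)) != bool(m[1])
            return 0 if passed else int(m[3] or 5)
    raise ValueError("unknown rule: " + rule)

DEFAULT_RULES = ["TIME<50:3", "TIME<100:4", "TIME<500:5"]   # used when "Rules" is empty

def task_level(data, elapsed_ms, mean_ms, rules=None):
    """Highest alert level from the implicit rules plus the task's (or default) rules."""
    level = 5 if data["HEADER"].get("status") != "NOERROR" else 0   # implicit: status
    if mean_ms and elapsed_ms > 4 * mean_ms:                        # implicit: 4x average
        level = max(level, 2)
    for rule in rules or DEFAULT_RULES:
        level = max(level, evaluate(rule, data, elapsed_ms, mean_ms))
    return level
```

With the sample above and the default rules, a 120 ms response yields level 4 (TIME<50 and TIME<100 fail, TIME<500 passes), and ARRAY[AUTHORITY SECTION][*][target]=ns-145-c.gandi.net passes where the [0] form fails, which is the difficulty the "*" index solves. Two points worth keeping in mind when adapting this: ARRAY[...]= is an inclusion test, so "=ns-1" would also match "ns-145-c.gandi.net", and MATCH hands an operator-supplied pattern to the regular-expression engine, so a pathological pattern can make a check very slow.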
Which DNS server is responding?
A DNS query names the server to query (the value NSS passes to dig as the @ parameter), as in the following examples:
dns://ns-219-a.gandi.net/www.spip.net
dns://2001:4b98:aaaa::dc/www.spip.net
If the request does not specify the server, the local NSS resolver at address 127.0.0.1 will respond. While this is appropriate in some cases, it is not the best way to check that a domain's DNS is working properly, because the resolver answers from its cache and will not recurse again until the SOA has expired.
Furthermore, when the local resolver responds, it does so with Query time: 0 msec, which tells you nothing useful.
Which DNS server should I query?
To check that a domain's DNS is working properly, you must query one of the domain's authoritative name servers. In the previous example, we queried one of the three authoritative servers for the domain www.spip.net.
You can obtain the list of authoritative servers for the domain by running the following command from the command line:
dig www.spip.net
which returns:
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> www.spip.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3800
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 798ddf1f8a880829b2ae2fae5f4f590bd9ae0131be4067c2 (good)
;; QUESTION SECTION:
;www.spip.net. IN A
;; ANSWER SECTION:
www.spip.net. 1427 IN A 151.80.20.125
;; AUTHORITY SECTION:
spip.net. 126583 IN NS ns-219-a.gandi.net.
spip.net. 126583 IN NS ns-77-b.gandi.net.
spip.net. 126583 IN NS ns-145-c.gandi.net.
;; ADDITIONAL SECTION:
ns-77-b.gandi.net. 590 IN A 213.167.230.78
ns-145-c.gandi.net. 545 IN A 217.70.187.146
ns-219-a.gandi.net. 126583 IN A 173.246.100.220
ns-77-b.gandi.net. 590 IN AAAA 2001:4b98:aaab::4e
ns-145-c.gandi.net. 545 IN AAAA 2604:3400:aaac::92
ns-219-a.gandi.net. 126583 IN AAAA 2001:4b98:aaaa::dc
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 02 08:34:19 UTC 2020
;; MSG SIZE rcvd: 291
A good query would therefore be:
dns://ns-219-a.gandi.net/www.spip.net
Public resolvers are also interesting, for example:
dns://1.1.1.1/www.spip.net /* Cloudflare resolver */
dns://8.8.8.8/www.spip.net /* Google resolver */
Note about HTTP codes
...