DNS monitoring rules

by DnC

NSS regularly sends a DNS query, waits for the response and interprets it by applying rules. If an error situation is detected, NSS generates an alert.

The DNS watch rules offered by NSS Lite allow you to verify all aspects of the DNS configuration of the domain in question, in addition to checking response time.

DNS request

A DNS request is entered in the "Request" field of the task in the format:

dns:[//<server>[:<port>]/]<domain>[?<type>]

where:

 server: (optional) address of a particular DNS server (host name or IP address, as in the examples below).
 domain: (required) the domain of the record in the DNS zone.
 type: (optional, default A) the type of record in the DNS zone of the domain: A, AAAA, CNAME, MX, NS, SOA, SPF, TXT. If this parameter is not recognized, an error is generated.

Examples:

dns:buy.dnc.global
dns:dnc.global?NS
dns://dns102.ovh.net/buy.dnc.global
dns:degoy.com?A
dns:degoy.com?AAAA
dns://dns200.anycast.me/degoy.com?AAAA
dns:degoy.com?MX
dns://ns-219-a.gandi.net/www.spip.net
dns://1.1.1.1/dnc.global    /* Cloudflare resolver */
dns://8.8.8.8/dnc.global    /* Google resolver */
dns://213.186.33.99/dnc.global?AAAA    /* OVH resolver France*/
dns://5.196.123.133/dnc.global?AAAA    /* OVH resolver, Spain */
dns://193.252.10.2/dnc.global     /* Orange, Aubervilliers, France */

Reply

NSS issues the DNS query as a Unix/Linux dig command of the following form:
dig [<type>] [@<server>[:<port>]] <domain>

If the request is successful, the response parsed by NSS is the literal form returned by dig.
Here, for example, is the response to the request dns:degoy.com?MX (translated into dig MX degoy.com):

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.7 <<>> MX degoy.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36151
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;degoy.com.                     IN      MX

;; ANSWER SECTION:
degoy.com.              600     IN      MX      5 mx1.mail.ovh.net.
degoy.com.              600     IN      MX      100 mx3.mail.ovh.net.
degoy.com.              600     IN      MX      1 mx0.mail.ovh.net.
degoy.com.              600     IN      MX      200 mail.rollernet.us.
degoy.com.              600     IN      MX      200 mail2.rollernet.us.
degoy.com.              600     IN      MX      50 mx2.mail.ovh.net.

;; Query time: 11 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Tue Sep  1 17:22:07 2020
;; MSG SIZE  rcvd: 174

If this fails, NSS will log an error.
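The translation from the dns: request format to a dig call, as an added example (not NSS code). The function names are hypothetical, and passing the type, name and port through dig's -t, -q and -p options is a choice made here; record types are checked against the list above and host names against a strict pattern before anything reaches the command line.

```python
import ipaddress
import re

TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "SPF", "TXT"}  # the list given above
LABEL = r"[A-Za-z0-9_][A-Za-z0-9_-]{0,62}"
HOST = re.compile(rf"{LABEL}(?:\.{LABEL})*\.?")
REQUEST = re.compile(r"dns:(?://(?P<server>[^/]+)/)?(?P<domain>[^?/]+)(?:\?(?P<type>.*))?")

def check_host(name):
    """Accept only plain ASCII host names, so nothing can be read by dig as an option."""
    if len(name) > 253 or not HOST.fullmatch(name):
        raise ValueError(f"invalid host name: {name!r}")
    return name

def split_server(server):
    """Return (host, port). A bare IP literal (v4 or v6) is taken whole, without a port."""
    try:
        return str(ipaddress.ip_address(server)), None
    except ValueError:
        host, sep, port = server.partition(":")
    if sep and not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"invalid port: {port!r}")
    return check_host(host), int(port) if sep else None

def dig_argv(request):
    """Translate a dns: request into an argument list for dig (never a shell string)."""
    m = REQUEST.fullmatch(request.strip())
    if not m:
        raise ValueError(f"not a dns: request: {request!r}")
    rtype = m["type"] if m["type"] is not None else "A"  # A is the documented default
    if rtype not in TYPES:
        raise ValueError(f"unsupported record type: {rtype!r}")
    argv = ["dig"]
    if m["server"]:
        host, port = split_server(m["server"])
        # dig takes a non-default port through its -p option
        argv += (["-p", str(port)] if port else []) + ["@" + host]
    return argv + ["-t", rtype, "-q", check_host(m["domain"])]
```

The returned list is meant for subprocess.run(argv, capture_output=True, text=True, timeout=...), which starts dig directly without a shell.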

Implicit and Default Rules

The response expected by NSS following a DNS request appears in the "Rules" field of the task. This field is optional. Whether or not it is entered, implicit rules apply:

status: NOERROR: NSS checks that the DNS response contains "status: NOERROR". Otherwise, an alert of at least level 5 is generated.

Response Time: NSS always monitors the response time against the average time observed for the task.
An alert is generated with a level equal to 2, or the level indicated in the task definition, if the response time exceeds 4 times the average time.

For more details on this topic, see: Response time monitoring.

Default rules: moreover, if the rule field is not filled in, NSS applies the following rules, assuming an expected response within a period of less than 50 ms:

TIME<50:3
TIME<100:4
TIME<500:5

These rules already allow effective monitoring without having to assign rules to the task. So the simple query:

dns://ns-219-a.gandi.net/www.spip.net

allows you to monitor the resolution of the domain name www.spip.net by one of its authoritative DNS servers.

Rules applicable to the DNS request


 TIME< number of ms: Checks that the server returns the response within a time period less than the value indicated in ms.

 MEAN< number of ms: Checks that the server returns the response within an average delay less than the value indicated in ms.

 IPV4= NNN.NNN.NNN.NNN: the most essential rule; it verifies that the domain name indicated in the DNS request is resolved and equal to the indicated IPv4 address.

 QUERY TIME< number of ms: DNS server response time.

Note: The TIME and MEAN rules take into account the total response time of the request, including transmission times (whether the DNS is responding or not), while QUERY TIME covers the time shown in the DNS response.

 CONTAINS character string: this rule allows you to check for the presence of a string in the raw response.

 MATCH character string: this rule allows you to check for the presence of any string in the raw response. The string can be a standard regular expression, so it is possible to perform any check in the response. However, the use of the ARRAY rule will most often be preferable.

 ARRAY [index] = character string: Checks that the character string is found in the value of the array at the given index. Note that this is an inclusion and not an equality, the rule behaving like CONTAINS. The index can be multidimensional.

 ARRAY [index]> number: Checks that the value of the array at the given index is greater than the number indicated. The index can be multidimensional.

Learn more about the ARRAY rule ...

The ARRAY ... rule completes the rule set to test any information returned by the DNS query.

How NSS translates the responses

To make a request, NSS calls dig and then breaks down the response into an associative array. The rules relate to the elements of this array.
Usually, you won’t have to worry about this array. However, writing an ARRAY rule requires a good knowledge of its structure.

Here’s how NSS internally translates the previous query into an array:

: array =
  RAW: string = " ; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> www.spip.net\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n; COOKIE: f182cd5130c105c8056d4eed5f50bf97a6b668e584c7b2e7 (good)\n;; QUESTION SECTION:\n;www.spip.net.\t\t\tIN\tA\n\n;; ANSWER SECTION:\nwww.spip.net.\t\t1979\tIN\tA\t151.80.20.125\n\n;; AUTHORITY SECTION:\nspip.net.\t\t34795\tIN\tNS\tns-145-c.gandi.net.\nspip.net.\t\t34795\tIN\tNS\tns-77-b.gandi.net.\nspip.net.\t\t34795\tIN\tNS\tns-219-a.gandi.net.\n\n;; ADDITIONAL SECTION:\nns-219-a.gandi.net.\t34795\tIN\tA\t173.246.100.220\nns-219-a.gandi.net.\t34795\tIN\tAAAA\t2001:4b98:aaaa::dc\n\n;; Query time: 0 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n;; WHEN: Thu Sep 03 10:04:07 UTC 2020\n;; MSG SIZE  rcvd: 203\n"
  ; <<>> DIG 9.11.5-P4-5.1+DEB10U2-DEBIAN <<>> WWW.SPIP.NET: string = ""
  GLOBAL OPTIONS: string = " +cmd "
  GOT ANSWER: string = " "
  HEADER: array =
    opcode: string = " QUERY"
    status: string = " NOERROR"
    id: string = " 594 "
    flags: string = " qr rd ra"
    QUERY: string = " 1"
    ANSWER: string = " 1"
    AUTHORITY: string = " 3"
    ADDITIONAL: string = " 3  "
  OPT PSEUDOSECTION: string = " ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: f182cd5130c105c8056d4eed5f50bf97a6b668e584c7b2e7 (good) "
  QUESTION SECTION: string = "www.spip.net.   IN A  "
  QUERY TIME: string = " 0 msec "
  SERVER: string = " 127.0.0.1#53(127.0.0.1) "
  WHEN: string = "Thu Sep 03 10:04:07 UTC 2020"
  MSG SIZE  RCVD: string = " 203 "
  ANSWER SECTION: array =
    0: array =
      host: string = "www.spip.net"
      class: string = "IN"
      ttl: long = 1974
      type: string = "A"
      ip: string = "151.80.20.125"
  AUTHORITY SECTION: array =
    0: array =
      host: string = "spip.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "NS"
      target: string = "ns-145-c.gandi.net"
    1: array =
      host: string = "spip.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "NS"
      target: string = "ns-77-b.gandi.net"
    2: array =
      host: string = "spip.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "NS"
      target: string = "ns-219-a.gandi.net"
    3: array =
      host: string = "spip.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "NS"
      target: string = "ns-77-b.gandi.net"
    4: array =
      host: string = "spip.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "NS"
      target: string = "ns-145-c.gandi.net"
    5: array =
      host: string = "spip.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "NS"
      target: string = "ns-219-a.gandi.net"
  ADDITIONAL SECTION: array =
    0: array =
      host: string = "ns-219-a.gandi.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "A"
      ip: string = "173.246.100.220"
    1: array =
      host: string = "ns-219-a.gandi.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "AAAA"
      ipv6: string = "2001:4b98:aaaa::dc"
    2: array =
      host: string = "ns-219-a.gandi.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "A"
      ip: string = "173.246.100.220"
    3: array =
      host: string = "ns-219-a.gandi.net"
      class: string = "IN"
      ttl: long = 34790
      type: string = "AAAA"
      ipv6: string = "2001:4b98:aaaa::dc"
  IPV4: string = "151.80.20.125"

Examples of ARRAY rules

ARRAY[HEADER][AUTHORITY]= 2    /* verify that there are two authoritative servers */
ARRAY[HEADER][ADDITIONAL]> 0    /* check that there is at least one additional server */
ARRAY[RAW]=EDNS    /* check EDNS support */
ARRAY[AUTHORITY SECTION][0][target]=ns-145-c.gandi.net

The last example shows a difficulty: if there are several authoritative servers, what is the rank of the one whose presence we want to check? The ’*’ sign in the ARRAY [] = rule is used to test all indexes:

ARRAY[AUTHORITY SECTION][*][target]=ns-145-c.gandi.net
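The ARRAY rule semantics described above (index path, '*' wildcard, inclusion rather than equality), as an added Python sketch that is not NSS code. parse_dig, lookup and check are hypothetical names, the sample output is constructed, and the parser is a simplification of the array NSS builds.

```python
import re

# Constructed sample: shortened dig output modelled on the www.spip.net response above.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; ANSWER SECTION:
www.spip.net.   1979    IN  A   151.80.20.125

;; AUTHORITY SECTION:
spip.net.   34795   IN  NS  ns-145-c.gandi.net.
spip.net.   34795   IN  NS  ns-77-b.gandi.net.
spip.net.   34795   IN  NS  ns-219-a.gandi.net.
"""
VALUE_KEY = {"A": "ip", "AAAA": "ipv6"}  # assumption: other types go under "target"

def parse_dig(raw):
    """Build a nested dict shaped like the array shown above (simplified sketch)."""
    arr, section = {"RAW": raw, "HEADER": {}}, None
    for line in raw.splitlines():
        if "->>HEADER<<-" in line or line.startswith(";; flags:"):
            arr["HEADER"].update((k, v.strip()) for k, v in re.findall(r"(\w+): ([^,;]+)", line))
        elif (title := re.match(r";; (\w+ SECTION):", line)):
            section = arr.setdefault(title.group(1), [])
        elif section is not None and line.strip() and not line.startswith(";"):
            host, ttl, cls, rtype, value = line.split(None, 4)
            section.append({"host": host.rstrip("."), "class": cls, "ttl": int(ttl),
                            "type": rtype, VALUE_KEY.get(rtype, "target"): value.rstrip(".")})
    return arr

def lookup(node, keys):
    """Yield every value reached by the index path; '*' fans out over all indexes."""
    if not keys:
        yield node
    elif isinstance(node, (dict, list)):
        items = node if isinstance(node, dict) else {str(i): v for i, v in enumerate(node)}
        picked = items.values() if keys[0] == "*" else [items[keys[0]]] if keys[0] in items else []
        for child in picked:
            yield from lookup(child, keys[1:])

def check(rule, arr):
    """'ARRAY[..]= text' is an inclusion test; 'ARRAY[..]> n' needs numeric values (else ValueError)."""
    m = re.fullmatch(r"ARRAY\s*((?:\[[^\]]+\])+)\s*([=>])\s*(.*)", rule.strip())
    if not m:
        raise ValueError(f"not an ARRAY rule: {rule!r}")
    keys, want = re.findall(r"\[([^\]]+)\]", m.group(1)), m.group(3).strip()
    values = [v for v in lookup(arr, keys) if not isinstance(v, (dict, list))]
    if m.group(2) == "=":
        return any(want in str(v) for v in values)
    return any(float(v) > float(want) for v in values)
```

A path that does not exist in the array yields no values, so the rule simply fails instead of raising.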

Inversion, combination, alert level

The inversion of the rules by NOT is possible for the TIME, MEAN and CONTAINS rules.

The combination of the rules and the definition of the alert level are done in the same way as in the case of HTTP monitoring rules.

Which DNS server is responding?

A DNS query specifies the server to query by providing the @ parameter as in the following examples:

dns://ns-219-a.gandi.net/www.spip.net
dns://2001:4b98:aaaa::dc/www.spip.net

If the request does not specify the server, the local NSS resolver at address 127.0.0.1 will respond. While this is appropriate in some cases, it is not the best way to ensure that a domain’s DNS is working properly, as the resolver will not perform a recursion until the SOA has expired.

Furthermore, when the local resolver responds, it does so in Query time: 0 msec, which is not very informative!

Which DNS server should I query?

To ensure the proper functioning of the DNS, you must query an authoritative name server for the domain. In the previous example, we queried one of the three authoritative servers for the domain www.spip.net.

You can find the list of authoritative servers for the domain by issuing the following command on the command line:

dig www.spip.net

that returns:

; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> www.spip.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3800
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 798ddf1f8a880829b2ae2fae5f4f590bd9ae0131be4067c2 (good)
;; QUESTION SECTION:
;www.spip.net.                  IN      A

;; ANSWER SECTION:
www.spip.net.           1427    IN      A       151.80.20.125

;; AUTHORITY SECTION:
spip.net.               126583  IN      NS      ns-219-a.gandi.net.
spip.net.               126583  IN      NS      ns-77-b.gandi.net.
spip.net.               126583  IN      NS      ns-145-c.gandi.net.

;; ADDITIONAL SECTION:
ns-77-b.gandi.net.      590     IN      A       213.167.230.78
ns-145-c.gandi.net.     545     IN      A       217.70.187.146
ns-219-a.gandi.net.     126583  IN      A       173.246.100.220
ns-77-b.gandi.net.      590     IN      AAAA    2001:4b98:aaab::4e
ns-145-c.gandi.net.     545     IN      AAAA    2604:3400:aaac::92
ns-219-a.gandi.net.     126583  IN      AAAA    2001:4b98:aaaa::dc

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 02 08:34:19 UTC 2020
;; MSG SIZE  rcvd: 291

A good query would therefore be:

dns://ns-219-a.gandi.net/www.spip.net

Public resolvers are also interesting, for example:

dns://1.1.1.1/www.spip.net      /* Cloudflare resolver */
dns://8.8.8.8/www.spip.net    /* Google resolver */

Note about HTTP codes

...