markus weber <bumpemacve...@googlemail.com> wrote:

Hey Guys,

I am new to administering a Bind server and after a few problems I ran into I
need to monitor the zone-file transfers of my slave server.
I have searched on Google and Nagios plugin sites but could not find
anything that fits my needs entirely.

Here is the Setup:
- MS ActiveDirectory as primary Nameservers (not under my control)
- 2 Bind server as slave for various zones (behind a loadbalancer)

The problem I ran into was that the zone transfer didn't work for some
reason and the zone we hold expired, causing our mail gateway to stop
relaying mails :/

As I said, I googled around and as I could not find anything I hacked a
Nagios plugin myself (you can find the code here
https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
But I am curious if I took the right "route". These are my assumptions and
a first approach:

- read named.conf and get master servers
- query SOA of slave and get serial
- query first master and get serial
- if serials match:
    get zonefile modification time (not sure if this is significant)
    and compare it with localtime and "soa-expiretime"
    + warn or crit on threshold
    (stat($zoneFile)[9] + $SOA_S->expire) - time
- if master serial > slave serial:
    create tempfile and check for how long it stays lower than master's serial
    + warn or crit on threshold
- else:
    test next master
    on last master exit with error (this should not become true ever, right?)


A few problems I discovered:
- sometimes I have a higher serial than all masters have; is this normal on
an AD DNS? Or am I doing something wrong? I thought this could not happen.
- Some zones nearly always reach expiration time, and I get a lot of
critical messages, and a few hours/minutes before expiration it does the
update.

I hope you can guide me a bit and tell me if this is what I want xD

Many thanks in advance
seppovic
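As an added example (not the poster's Perl plugin, and not code from the list), the decision logic sketched above in Python: the tempfile is replaced by a `behind_since` value the caller persists between runs, and it goes one step beyond the post by comparing serials with RFC 1982 serial arithmetic instead of a plain `>`, which misbehaves at the 32-bit wraparound. Function names, thresholds and the sample serials/timestamps are constructed for illustration.

```python
# Nagios exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True if serial a is newer than b.
    A plain a > b gives the wrong answer once a 32-bit serial wraps around."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))


def evaluate_zone(slave_serial, slave_expire, master_serials, zonefile_mtime, now,
                  expiry_thresholds, lag_thresholds, behind_since=None):
    """Classify one zone. Returns (status, message, behind_since).

    behind_since plays the role of the tempfile in the post: the caller keeps the
    returned value between runs so the time the slave has lagged is remembered.
    All times are Unix seconds; thresholds are (warn, crit) in seconds."""
    if not master_serials:
        return UNKNOWN, "no master answered the SOA query", behind_since
    if slave_serial in master_serials:
        # In sync with at least one master: seconds left before the slave copy
        # expires if no refresh succeeds (mtime + SOA expire - now, as in the post)
        remaining = zonefile_mtime + slave_expire - now
        msg = f"serial {slave_serial} in sync, {remaining}s until expiry"
        warn, crit = expiry_thresholds
        status = CRITICAL if remaining <= crit else WARNING if remaining <= warn else OK
        return status, msg, None
    newer = [m for m in master_serials if serial_gt(m, slave_serial)]
    if newer:
        since = now if behind_since is None else behind_since
        lag = now - since
        msg = f"slave serial {slave_serial} behind master {max(newer)} for {lag}s"
        warn, crit = lag_thresholds
        status = CRITICAL if lag >= crit else WARNING if lag >= warn else OK
        return status, msg, since
    # Slave is ahead of every master: the post reports seeing exactly this, so
    # surface it as a warning instead of treating it as impossible.
    return WARNING, f"slave serial {slave_serial} ahead of all masters {master_serials}", None


if __name__ == "__main__":
    # Constructed sample: serials agree, one hour left before a one-week expire
    mtime = 1_700_000_000
    status, msg, _ = evaluate_zone(2024010501, 604800, [2024010501], mtime,
                                   mtime + 604800 - 3600, (86400, 7200), (3600, 7200))
    print(status, msg)
```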

When I had BIND slaves of zones mastered on Windows Domain Controller
DNS Servers, the problem I had was that Microsoft in the EventLog only
logged successful zone transfers.  I told MS (in a conversation with one
of the DNS developers) that I needed failed zone transfers to be logged
along with the reason for the refused transfer.  The response from the
developer was that MS did not want all of the failed zone transfers
filling up the EventLog.  In my case, there were lots of unnecessary
successful zone transfers, but if one failed, I had no way of knowing
why.  There might have been information in the Windows dns.log file
(where I had complete logging), but when that file got to its max size,
MS would clear the file and start again, losing all of the information.

--Barry Finkel
