Please always respond on list.

> -----Original Message-----
> From: Sean Schertell [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 31, 2007 8:47 PM
> To: Marc Powell
> Subject: Re: [Nagios-users] check_dns works fine for half my servers,
> fails for other half
>
> Thanks Mark,
>
> So does that mean then that it isn't possible to use the check_dns
> plugin without enabling recursive lookups and leaving my server open
> to DNS DOS attacks?

Sure it's possible, and if the server is supposed to be a recursive server (most are) then check_dns will work as you're testing it. Nutmeg does not appear to be a recursive server though so you can't ask it about microsoft.com since it doesn't know anything about it. Change that to nutmeg.aspen.com or some other host in a domain it's authoritative for.

> Is there any way to use dns_check safely?

My concerns about safety weren't related to check_dns at all. My concern is that anyone anywhere in the world can use rosemary to attack other DNS servers. As a bonus, you would be the apparent source of that attack. IMHO, you should be using ACLs to allow recursive lookups only for those networks that should be using that nameserver. Bind provides an easy way of doing this if that's what you're using -- http://www.bind9.net/manual/bind/9.3.1/Bv9ARM.ch07.html

--
Marc
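
The ACL approach described in the reply above, as an added example that is not part of the original message or of any poster's configuration: a BIND named.conf fragment that limits recursion to named networks while leaving authoritative zones queryable. The ACL name, the address ranges (documentation networks), the zone name and the zone file name are assumptions.

```conf
// Constructed example: the ACL name "trusted-clients", the address ranges
// (RFC 5737 documentation networks), the zone name and the zone file name
// are placeholders, not values from the thread.

// Networks that are allowed to use this server as a recursive resolver.
acl "trusted-clients" {
    127.0.0.1;          // the server itself
    192.0.2.0/24;       // placeholder: internal LAN
    198.51.100.10;      // placeholder: the Nagios host running check_dns
};

options {
    // Weak setting (what an open resolver effectively has):
    //     allow-recursion { any; };
    // Corrected: recurse only for the networks listed above.
    allow-recursion { "trusted-clients"; };
};

// Zones this server is authoritative for stay reachable from anywhere.
zone "example.com" {
    type master;
    file "example.com.zone";    // placeholder file name
    allow-query { any; };
};
```

With recursion restricted this way, a check_dns test run from a host outside the ACL has to look up a name in a zone the server is authoritative for, as the reply suggests for nutmeg.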