bind-users Digest, Vol 1766, Issue 2

Barry S. Finkel bsfinkel at att.net
Wed Feb 19 14:22:54 UTC 2014


markus weber <bumpemacvettn at googlemail.com> wrote:

> Hey Guys,
>
> I am new to administering a BIND server, and after a few problems I ran
> into I need to monitor the zone file transfers of my slave server.
> I have searched on Google and Nagios plugin sites but could not find
> anything that fits my needs entirely.
>
> Here is the Setup:
> - MS Active Directory as primary nameservers (not under my control)
> - 2 BIND servers as slaves for various zones (behind a load balancer)
>
> The problem I ran into was that the zone transfer didn't work for some
> reason, and the zone we hold expired, causing our mail gateway to stop
> relaying mail :/
>
> As I said, I googled around, and as I could not find anything I hacked a
> Nagios plugin myself (you can find the code here:
> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
> But I am curious if I took the right "route". These are my assumptions and
> a first approach:
>
> - read named.conf and get master servers
> - query soa of slave and get serial
> - query first master and get serial
> - if the serials match:
>          get zone file modification time (not sure if this is significant)
> and compare it with local time and "soa-expiretime"
>          + warn or crit on threshold
>          (stat($zoneFile)[9] + $SOA_S->expire) - time
> - if master serial > slave serial
>          create a tempfile and check for how long it stays lower than the
> master's serial
>          + warn or crit on threshold
> - else
>          test next master
>          on last master exit with error (this should never become true,
> right?)
>
>
> A few problems i discovered:
> - Sometimes I have a higher serial than all masters have. Is this normal on
> an AD DNS, or am I doing something wrong? I thought this could not happen.
> - Some zones nearly always reach expiration time, and I get a lot of
> critical messages, and a few hours/minutes before expiration it does the
> update.
>
> I hope you can guide me a bit and tell me if this is what I want xD
>
> many thanks in advance
> seppovic

When I had BIND slaves of zones mastered on Windows Domain Controller
DNS Servers, the problem I had was that Microsoft in the EventLog only
logged successful zone transfers.  I told MS (in a conversation with one
of the DNS developers) that I needed failed zone transfers to be logged
along with the reason for the refused transfer.  The response from the
developer was that MS did not want all of the failed zone transfers
filling up the EventLog.  In my case, there were lots of unnecessary
successful zone transfers, but if one failed, I had no way of knowing
why.  There might have been information in the Windows dns.log file
(where I had complete logging), but when that file got to its max size,
MS would clear the file and start again, losing all of the information.

--Barry Finkel
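The decision logic seppovic sketches above (read the masters from named.conf, compare the slave's SOA serial with each master's, track how long the slave stays behind, and measure the remaining SOA expire time), written out as an added example. This is not the posted check_dns_zonetransfer.pl and not part of the original thread; the named.conf snippet is constructed for the example, and everything the real plugin would fetch with DNS queries or stat() on the zone file (SOA values, the last-load time, the state from the previous run) is passed in as plain data so the logic runs offline. Two things a practitioner would want that the sketch does not spell out: serials are compared with RFC 1982 serial arithmetic, which is how BIND itself compares them, so a master that has wrapped past 2**32 is still seen as newer; and the zone-file mtime is only an approximation of when BIND last reset its own expire timer, so the expire figure is a caller-supplied estimate, not BIND's view.

```python
"""Zone-transfer check logic for a BIND slave (added example, not the posted plugin).

SOA values, last-load time and the previous run's state are plain inputs so the
decision logic runs and can be tested offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes
SERIAL_HALF = 1 << 31                        # half the 32-bit serial space (RFC 1982)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 serial arithmetic.

    SOA serials are 32-bit and wrap; BIND compares them this way, so a plain
    '>' would misreport a master whose serial has just wrapped around.
    """
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


# Constructed named.conf fragment used as sample input (addresses are RFC 5737 test ranges).
NAMED_CONF = '''\
zone "corp.example" IN {
    type slave;
    file "slaves/corp.example";
    masters { 192.0.2.10; 192.0.2.11 port 53; };
};

zone "example.net" IN {
    type slave;
    file "slaves/example.net";
    masters { 198.51.100.5; };
};
'''

# Minimal parser for the common layout: one zone stanza per 'zone "..." { ... };'
# with the closing '};' at column 0. It does not follow include files, named
# 'masters' lists, or the newer 'primaries' keyword.
_ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
_MASTERS_RE = re.compile(r'masters\s*\{([^}]*)\}', re.S)


def masters_from_named_conf(conf: str, zone: str) -> List[str]:
    """Return the master addresses of a slave zone stanza, or [] if not found."""
    for name, body in _ZONE_RE.findall(conf):
        if name.lower() == zone.lower() and re.search(r'type\s+slave\s*;', body):
            m = _MASTERS_RE.search(body)
            if not m:
                return []
            # Entries look like '192.0.2.1' or '192.0.2.2 port 5353'; keep the address.
            return [e.split()[0] for e in m.group(1).split(";") if e.strip()]
    return []


@dataclass
class SOA:
    serial: int
    refresh: int
    retry: int
    expire: int


@dataclass
class Result:
    status: int
    message: str
    lag_since: Optional[float]   # persist for the next run; None when not behind


def check_zone(zone: str, slave: SOA, master_serials: List[int],
               last_load: float, lag_since: Optional[float], now: float,
               lag_warn: int = 3600, lag_crit: int = 6 * 3600,
               expire_warn: float = 0.5, expire_crit: float = 0.25) -> Result:
    """Decide the Nagios state for one slave zone.

    master_serials: serials from the masters that answered (empty if none did)
    last_load:      when the slave last loaded the zone; the posted plugin uses the
                    zone-file mtime, an approximation of BIND's last expire reset
    lag_since:      when the slave was first seen behind a master (from the previous
                    run's state file), or None if it was not behind
    expire_warn/expire_crit: fraction of SOA expire still left at or below which
                    the check warns / goes critical
    """
    if not master_serials:
        return Result(UNKNOWN, f"{zone}: no master answered the SOA query", lag_since)

    newer = [s for s in master_serials if serial_gt(s, slave.serial)]
    if newer:
        # Behind at least one master: report how long that has persisted.
        since = lag_since if lag_since is not None else now
        lag = now - since
        status = CRITICAL if lag >= lag_crit else WARNING if lag >= lag_warn else OK
        return Result(status, f"{zone}: slave serial {slave.serial} behind master "
                              f"serial(s) {newer} for {int(lag)}s", since)

    if slave.serial in master_serials:
        # In sync: healthy as long as a refresh happens before SOA expire elapses.
        remaining = last_load + slave.expire - now
        frac = remaining / slave.expire
        status = CRITICAL if frac <= expire_crit else WARNING if frac <= expire_warn else OK
        return Result(status, f"{zone}: in sync at serial {slave.serial}, "
                              f"{int(remaining)}s of expire {slave.expire}s left", None)

    # Slave serial is newer than every master that answered (the case asked about above).
    return Result(WARNING, f"{zone}: slave serial {slave.serial} is newer than all "
                           f"master serials {master_serials}", None)
```

In a real plugin the caller would resolve masters_from_named_conf() against the live named.conf, query SOA on the slave and each master, keep lag_since in a small state file between runs, and exit with Result.status. The "slave ahead of all masters" case is reported as WARNING rather than treated as impossible, so the condition asked about above becomes visible instead of silently falling through to the "in sync" branch.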


