
Added DNS zone check #29

Merged
merged 1 commit into from
Mar 29, 2018

Conversation

@yuri-zubov (Contributor) commented Mar 22, 2018

Pull Request Checklist

Is this in reference to an existing issue?

General
  • Update Changelog following the conventions laid out here
  • Update README with any necessary configuration snippets
  • Binstubs are created if needed
  • RuboCop passes
  • Existing tests pass

New Plugins
  • Tests
  • Add the plugin to the README
  • Does it have a complete header as outlined here

Purpose

Our idea was twofold: a healthcheck against authoritative servers

  1. check consistency between whois and dig NS results
  2. test connectivity over TCP and UDP to authoritative nameservers
  3. test AXFR from authoritative nameservers (test fails if AXFR is successful)
  4. check SOA serial number across authoritative and primary (i.e. a record present in a dig SOA query but not in a dig NS query)

Known Compatibility Issues

Create a check to test for zone transfers #27
[CVE-2017-8418] sensu-plugins/community#77
[CVE-2017-17042] sensu-plugins/community#97
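The four checks from the description, as an added example that is not the PR's code: the aggregation logic for each check, with the nameserver probe injected as a callable so the block runs offline on constructed data; it also applies the suggestions made later in review (one connection method taking a use_tcp flag, protocol label computed once outside begin/rescue). The names normalize_ns, compare_ns, check_dns_connection, evaluate_axfr, compare_soa_serials and the probe callable are assumptions.

```ruby
# Added example (not the plugin's code): aggregation logic for the four checks in
# the PR description; network access is injected so the code runs offline.
# Normalise names so "NS1.Example.COM." equals "ns1.example.com" and whois/dig ordering differences do not alert.
def normalize_ns(names)
  names.map { |n| n.to_s.downcase.chomp('.') }.sort
end

# Check 1: the NS set from whois must equal the NS set returned by DNS.
def compare_ns(whois_ns, dig_ns)
  w, d = normalize_ns(whois_ns), normalize_ns(dig_ns)
  return [[], ["Resolved NS set equal with whois #{w.inspect}"]] if w == d
  [["NS mismatch: whois-only #{(w - d).inspect}, dns-only #{(d - w).inspect}"], []]
end

# Check 2, one method for both transports; the protocol label is computed once, outside
# begin/rescue. `query` is an injected callable (ns, ip, use_tcp) that raises on failure.
def check_dns_connection(entries, use_tcp = false, query:)
  errors, success = [], []
  proto = use_tcp ? 'tcp' : 'udp'
  entries.each do |ns, ip|
    begin
      query.call(ns, ip, use_tcp)
      success << "Resolved DNS #{ns}(#{ip}) uses #{proto}"
    rescue StandardError => e
      errors << "Resolved DNS #{ns}(#{ip}) doesn't use #{proto}: #{e.message}"
    end
  end
  [errors, success]
end

# Check 3: a successful AXFR from a public authoritative server is an error (zone leak).
# axfr_results maps server name => true when a transfer attempt succeeded.
def evaluate_axfr(axfr_results)
  errors, success = [], []
  axfr_results.each do |ns, transferred|
    verb = transferred ? 'allows' : "doesn't have"
    (transferred ? errors : success) << "Resolved DNS #{ns} #{verb} AXFR"
  end
  [errors, success]
end

# Check 4: every authoritative server must report the same SOA serial as the primary.
def compare_soa_serials(primary_serial, soa_by_server)
  errors, success = [], []
  soa_by_server.each do |ns, serial|
    target = serial == primary_serial ? success : errors
    target << "#{ns} SOA serial #{serial} (primary #{primary_serial})"
  end
  [errors, success]
end
```

A non-empty errors array is what the Sensu check would turn into a critical exit; the success array carries the per-server detail lines.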

@yuri-zubov (Contributor Author)

testing

bundle exec check-dns-zone.rb  -d actility.com
DNSZone OK: Resolved actility.com  equal with whois (whois ["ns1.p10.dynect.net", "ns2.p10.dynect.net", "ns3.p10.dynect.net", "ns4.p10.dynect.net"]) (dig ["ns2.p10.dynect.net", "ns1.p10.dynect.net", "ns4.p10.dynect.net", "ns3.p10.dynect.net"]), 
Resolved DNS ns2.p10.dynect.net(204.13.250.10) uses udp, 
Resolved DNS ns1.p10.dynect.net(208.78.70.10) uses udp, 
Resolved DNS ns4.p10.dynect.net(204.13.251.10) uses udp, 
Resolved DNS ns3.p10.dynect.net(208.78.71.10) uses udp, 
Resolved DNS ns2.p10.dynect.net(204.13.250.10) uses tcp, 
Resolved DNS ns1.p10.dynect.net(208.78.70.10) uses tcp, 
Resolved DNS ns4.p10.dynect.net(204.13.251.10) uses tcp, 
Resolved DNS ns3.p10.dynect.net(208.78.71.10) uses tcp, 
Resolved DNS ns2.p10.dynect.net(204.13.250.10) doesn't have AXFR, 
Resolved DNS ns1.p10.dynect.net(208.78.70.10) doesn't have AXFR, 
Resolved DNS ns4.p10.dynect.net(204.13.251.10) doesn't have AXFR, 
Resolved DNS ns3.p10.dynect.net(208.78.71.10) doesn't have AXFR, 
SOA Query correct for server ns2.p10.dynect.net(204.13.250.10)} SOA ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"] - SOA primary server ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"], 
SOA Query correct for server ns1.p10.dynect.net(208.78.70.10)} SOA ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"] - SOA primary server ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"], 
SOA Query correct for server ns4.p10.dynect.net(204.13.251.10)} SOA ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"] - SOA primary server ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"], 
SOA Query correct for server ns3.p10.dynect.net(208.78.71.10)} SOA ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"] - SOA primary server ["hostmaster.gandi.net"] (1521709859) ["ns1.gandi.net"]

@majormoses (Member) left a comment

Overall looks good, a few comments.

Also, it looks like the build is failing with ruby 2.1. As ruby 2.1 is EOL, if we want to we can drop support for it (must be called out in the changelog and I will version it as a major release) or we can look into what causes the failure. I am certain it's dependency related and would vote for just dropping support.

Resolv::DNS.new.getresources(config[:domain], Resolv::DNS::Resource::IN::NS).map { |e| e.name.to_s }
end

def check_nss(entries)

Can we use a better name? check_nss made me think for a minute you were talking about Mozilla's Network Security Services library.

[errors, success]
end

def check_udp(entries)

Can we use a better name? How about something more like check_dns_udp?

[errors, success]
end

def check_tcp(entries)

Can we use a better name? How about something more like check_dns_tcp?

Member

Also, I feel like we can combine the two checks and just pass in whether we want udp or tcp.

Contributor Author

@majormoses, I agree with you - these methods have the same checking logic.
I will merge them.

@majormoses (Member) left a comment

Overall looks good, just a few comments/updates and we should be good.

[errors, success]
end

def check_dns_connection(entries, use_tcp = true)

DNS is default served over therefore I think that defaulting to false makes more sense.


success << "Resolved DNS #{ns}(#{ip}) uses #{use_tcp ? 'tcp' : 'udp'}"
rescue StandardError
errors << "Resolved DNS #{ns}(#{ip}) doesn't use #{use_tcp ? 'tcp' : 'udp'}"

Rather than using the same conditional again, just assign it once outside the rescue block and use it for both inside the begin and rescue.

CHANGELOG.md Outdated
- Added many checks for DNS zone (@yuri-zubov sponsored by Actility, https://www.actility.com)

### Breaking Changes
- Dropping ruby `< 2.1` support (@yuri-zubov)

In the gemspec you say it must be 2.2+ but here you have < 2.1; I think this should be < 2.2 here.

@yuri-zubov (Contributor Author)

@majormoses fixed

@majormoses majormoses merged commit 3fda4d1 into sensu-plugins:master Mar 29, 2018