Monitoring Zonefiletransfer

2014-02-18 Thread markus weber
Hey Guys,

I am new to administering a Bind server and after a few problems I ran into I
need to monitor the zonefile transfers of my slave server.
I have searched on Google and Nagios plugin sites but could not find
anything that fits my needs entirely.

Here is the setup:
- MS Active Directory as primary nameservers (not under my control)
- 2 Bind servers as slaves for various zones (behind a loadbalancer)

The problem I ran into was that the zone transfer didn't work for some
reason and the zone we hold expired, causing our mailgateway to stop
relaying mails :/

As I said, I googled around and as I could not find anything I hacked a
Nagios plugin myself (you can find the code here:
https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
But I am curious if I took the right "route". These are my assumptions and
a first approach:

- read named.conf and get master servers
- query SOA of slave and get serial
- query first master and get serial
- if serials match:
    get zonefile modification time (not sure if this is significant)
    and compare it with localtime and "soa-expiretime"
    + warn or crit on threshold
      (stat($zoneFile)[9] + $SOA_S->expire) - time
- if master serial > slave serial
    create tempfile and check for how long it stays lower than the master's
    serial
    + warn or crit on threshold
- else
    test next master
    on last master exit with error (this should not become true ever,
    right?)


A few problems I discovered:
- sometimes I have a higher serial than all the masters have; is this normal on
  an AD DNS, or am I doing something wrong? I thought this could not happen.
- Some zones nearly always reach expiration time, and I get a lot of
  critical messages, and a few hours/minutes before expiration it does the
  update.

I hope you can guide me a bit and tell me if this is what I want xD

many thanks in advance
seppovic
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Monitoring Zonefiletransfer

2014-02-18 Thread Markus Weber

On 19.02.2014, 01:39, Mark Andrews wrote:

> In message , markus weber writes:


>> Hey Guys,
>>
>> I am new to administering a Bind server and after a few problems I ran into I
>> need to monitor the zonefile transfers of my slave server.
>> I have searched on Google and Nagios plugin sites but could not find
>> anything that fits my needs entirely.
>>
>> Here is the setup:
>> - MS Active Directory as primary nameservers (not under my control)
>> - 2 Bind servers as slaves for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for some
>> reason and the zone we hold expired, causing our mailgateway to stop
>> relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I hacked a
>> Nagios plugin myself (you can find the code here:
>> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
>> But I am curious if I took the right "route". These are my assumptions
>> and a first approach:
>>
>> - read named.conf and get master servers
>> - query SOA of slave and get serial
>> - query first master and get serial
>> - if serials match:
>>     get zonefile modification time (not sure if this is significant)
>>     and compare it with localtime and "soa-expiretime"
>>     + warn or crit on threshold
>>       (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial
>>     create tempfile and check for how long it stays lower than the
>>     master's serial
>>     + warn or crit on threshold
>> - else
>>     test next master
>>     on last master exit with error (this should not become true
>>     ever, right?)
>>
>>
>> A few problems I discovered:
>> - sometimes I have a higher serial than all the masters have; is this normal
>>   on an AD DNS, or am I doing something wrong? I thought this could not
>>   happen.
>
> Only transfer from one AD master.  Microsoft AD doesn't maintain
> consistent serials across the servers.  The serials should be
> monotonically increasing from an individual server.


Oh, I didn't know that. That's weird behavior, isn't it? I will definitely
give it a try; I just added 3 of those servers to the masters option
because I thought it would increase the reliability in case of an error.





>> - Some zones nearly always reach expiration time, and I get a lot of
>>   critical messages, and a few hours/minutes before expiration it does the
>>   update.
>
> Choose sane SOA values.  refresh and retry << expire


I will check these values; I thought they were kind of standard values.




>> I hope you can guide me a bit and tell me if this is what I want xD
>>
>> many thanks in advance
>> seppovic



Thanks.


Re: Monitoring Zonefiletransfer

2014-02-18 Thread Markus Weber

On 19.02.2014, 01:48, Doug Barton wrote:


> On 02/18/2014 04:39 PM, Mark Andrews wrote:
>
>> Only transfer from one AD master.  Microsoft AD doesn't maintain
>> consistent serials across the servers.  The serials should be
>> monotonically increasing from an individual server.
>
> Also try to determine what the "primary" master is for the zone. Windows
> DNS does have this concept, but they don't emphasize it since they like
> people to believe in the fantasy that is "lazy replication." :)
>
> Doug



I will ask them, but they gave me a list of 3 servers and said I could use
all of them.



Re: Monitoring Zonefiletransfer

2014-02-18 Thread Markus Weber

On 19.02.2014, 04:34, /dev/rob0 wrote:


> On Tue, Feb 18, 2014 at 11:44:15PM +0100, markus weber wrote:
>
>> I am new to administering a Bind server and after a few problems I ran
>> into I need to monitor the zonefile transfers of my slave server.
>
> I think the terminology you use shows a part of the confusion. Zone
> *data* is transferred to slave servers, not zone *files.*


From my understanding the terminology zonefiletransfer is quite common;
maybe it is just a German thing and in English it's just zone transfer, but
I would not fight about this.





>> I have searched on Google and Nagios plugin sites but could not
>> find anything that fits my needs entirely.
>>
>> Here is the setup:
>> - MS Active Directory as primary nameservers (not under my control)
>> - 2 Bind servers as slaves for various zones (behind a loadbalancer)
>>
>> The problem I ran into was that the zone transfer didn't work for
>> some reason and the zone we hold expired, causing our mailgateway to
>> stop relaying mails :/
>>
>> As I said, I googled around and as I could not find anything I
>> hacked a Nagios plugin myself (you can find the code here:
>> https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
>> But I am curious if I took the right "route". These are my
>> assumptions and a first approach:
>>
>> - read named.conf and get master servers
>> - query SOA of slave and get serial
>
> If "query" is something like "dig +short zone.example. soa @slave",
> right.


Jepp, exactly. I do it with a Perl module but the outcome is the same.




>> - query first master and get serial
>
> Likewise here, s/slave/master/


True.




>> - if serials match:
>>     get zonefile modification time (not sure if this is significant)
>
> It is not. Zone data is kept in memory and is written to the journal.
> At 15-minute intervals, the zone file is written if it differs from
> actual zone data.


I read somewhere that it is enough to look at the modification time. But
if you know a way I can get the time of the last retry, I could
determine for how long it did not update.





>>     and compare it with localtime and "soa-expiretime"
>>     + warn or crit on threshold
>>       (stat($zoneFile)[9] + $SOA_S->expire) - time
>> - if master serial > slave serial
>>     create tempfile and check for how long it stays lower
>>     than the master's serial
>>     + warn or crit on threshold
>> - else
>>     test next master
>>     on last master exit with error (this should not become
>>     true ever, right?)
>>
>>
>> A few problems I discovered:
>> - sometimes I have a higher serial than all the masters have; is this
>>   normal on an AD DNS, or am I doing something wrong? I thought this
>>   could not happen.
>> - Some zones nearly always reach expiration time, and I get a lot
>>   of critical messages, and a few hours/minutes before expiration it
>>   does the update.
>
> Not enough here to know what's going on.



Me neither :( What information could I provide for this? Or where can I
look for help?
I will first look for the refresh and retry values as Mark pointed out and
come back then.



>> I hope you can guide me a bit and tell me if this is what I want xD

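The check sketched in the original post, as an added Python example (not the check_dns_zonetransfer.pl plugin from the thread): it compares the slave's SOA serial against each master separately with RFC 1982 wrap-around arithmetic, escalates on the time since the last successful refresh against the SOA expire value, and flags a slave that is ahead of every master, the multi-master AD symptom Mark describes. It assumes the caller has already fetched the serials (for instance with dig +short as rob0 suggests) and records the time of the last successful refresh itself, since the zone file mtime is not significant; that timestamp replaces the tempfile in the original sketch.

```python
"""Evaluator for a slave zone's transfer health.  Constructed example, not the
check_dns_zonetransfer.pl plugin from the thread.  SOA serials, the SOA expire
value and the time of the last successful refresh are assumed to be supplied
by the caller; the zone file mtime is deliberately not used."""

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios exit codes


def serial_gt(a, b):
    """True if serial a is newer than b under RFC 1982 wrap-around arithmetic.

    A plain 'a > b' is wrong once a 32-bit serial wraps (0 is newer than
    4294967295); equal serials are neither newer nor older."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31)


def check_zone(slave_serial, master_serials, expire, last_refresh, now,
               warn_frac=0.5, crit_frac=0.8):
    """Return (nagios_state, message) for one zone.

    master_serials: {master_name: serial}.  Each master is compared on its
    own, because AD DNS servers do not keep consistent serials among
    themselves.  expire: SOA expire in seconds.  last_refresh, now: epoch
    seconds; warn_frac/crit_frac are fractions of expire (assumed defaults).
    """
    age = now - last_refresh
    behind = [m for m, s in master_serials.items() if serial_gt(s, slave_serial)]
    ahead = [m for m, s in master_serials.items() if serial_gt(slave_serial, s)]
    # Expiry countdown: the slave drops the zone after 'expire' seconds
    # without a successful refresh, so escalate as that deadline nears.
    if age >= expire:
        return CRITICAL, "zone expired: no successful refresh for %ds" % age
    pct = 100.0 * age / expire
    if age >= crit_frac * expire:
        return CRITICAL, "%ds since last refresh (%.0f%% of expire)" % (age, pct)
    if age >= warn_frac * expire:
        return WARNING, "%ds since last refresh (%.0f%% of expire)" % (age, pct)
    if behind:
        # A transfer is pending; it only becomes dangerous if it persists,
        # which the age thresholds above catch on later runs.
        return WARNING, "slave serial %d behind master(s) %s" % (
            slave_serial, ", ".join(sorted(behind)))
    if ahead:
        # Slave newer than a configured master: the symptom of mixing AD
        # masters whose serials disagree; transfer from a single master.
        return WARNING, "slave serial %d ahead of master(s) %s; use one master" % (
            slave_serial, ", ".join(sorted(ahead)))
    return OK, "serial %d in sync, %ds since last refresh" % (slave_serial, age)
```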


Re: Monitoring Zonefiletransfer

2014-02-25 Thread Markus Weber

Hey guys,

sorry for the delay, I urgently had to take some days off last week.
Anyway, thanks for all your help, I appreciate it a lot.

I will now try to use only one DC as a master.
A last question: do you also run monitoring software on Bind? And if so,
what or how do you monitor?




On 19.02.2014, 20:33, Barry S. Finkel wrote:

> On 2014-02-19 16:06, Barry S. Finkel wrote:
>
>> See MS KB article 282826, where MS documents the handling of zone
>> serial numbers in an AD environment.


> And Dave Warren replied:
>
>> My experience is that it tends to work pretty well if BIND only points
>> to one particular MS DNS server at a time, with a failover script that
>> detects when that DNS server goes down and flips to another master (if
>> you're worried about such things)
>>
>> That being said, even without that script and with multiple MS DNS
>> masters configured in BIND at once, any issues generally work themselves
>> out within 15 minutes or so, once the Active Directory serial number
>> update propagates through the MS DNS infrastructure. As described in the
>> article, the servers self-increment properly when a slave is detected,
>> and occasionally sync up the serial numbers between MS DNS servers
>> (again, only moving update).
>>
>> The only inconsistencies are in those recently added/modified records,
>> so if you just plan for 15 minute update times for non-MS secondaries to
>> sync up and ignore the periodic "serial is lower than expected"
>> warnings, multi-mastering works fine in practice.
>>
>> -- Dave Warren



> That MS KB article states that if a Domain Controller DNS Server is
> not used as a master for a slave server, then the zone serial number
> is irrelevant.  But if the Server is used as a master, then the serial
> number is relevant.  Assume one zone that is "mastered" on two DCs, and
> the two serial numbers match (and the serial is N).  A dynamic update
> for the zone is sent to DC1, and the serial number there is increased to
> N+1.  At the same time a different dynamic update for the zone is sent
> to DC2, and DC2 then has serial number N+1.  The two copies of the zone
> are different, but they both have the same serial number.  When Active
> Directory synchronizes the zone, what serial number can it use for the
> synched zone?  It can't use N+1, because that serial has been used, and
> the zone might have already been transferred to the slave server.
> It can't be N+2, because, in the meantime, another dynamic update may
> have come to DC1 or DC2, so serial N+2 might have already been used.
>
> Another thing that I hinted at in an earlier reply - With AD zones, the
> serial number can increase unnecessarily.  In the past, when a
> dynamic DNS update was sent to a DC, and that update was already in DNS
> (e.g., a re-lease of a DHCP address), the Windows DNS Server code
> treated the update as a no-op, except for updating an internal timestamp
> in the zone.  But sometime later, MS changed the code, so that the
> dynamic DNS update is no longer treated as a no-op.  This causes
>
> 1) the DNS update to be initially refused because it does not have
> TSIG authorization, and the client (or DHCP Server) has to re-send
> the update.
>
> 2) the zone serial number is updated, even when there is no update to
> the zone; this causes unnecessary zone transfers.
>
> --Barry Finkel
