check_dns works fine for half my servers, fails for other half
Marc Powell
marc at ena.com
Sat Sep 1 15:37:40 CEST 2007
Please always respond on list.
> -----Original Message-----
> From: Sean Schertell [mailto:sean at datafly.net]
> Sent: Friday, August 31, 2007 8:47 PM
> To: Marc Powell
> Subject: Re: [Nagios-users] check_dns works fine for half my servers,
> fails for other half
>
> Thanks Mark,
>
> So does that mean then that it isn't possible to use the check_dns
> plugin without enabling recursive lookups and leaving my server open
> to DNS DOS attacks?
Sure it's possible, and if the server is supposed to be a recursive
server (most are) then check_dns will work as you're testing it. Nutmeg
does not appear to be a recursive server though so you can't ask it
about microsoft.com since it doesn't know anything about it. Change that
to nutmeg.aspen.com or some other host in a domain it's authoritative
for.
> Is there any way to use dns_check safely?
My concerns about safety weren't related to check_dns at all. My concern
is that anyone anywhere in the world can use rosemary to attack other
DNS servers. As a bonus, you would be the apparent source of that
attack. IMHO, you should be using ACL's to allow recursive lookups only
for those networks that should be using that nameserver. Bind provides
an easy way of doing this if that's what you're using --
http://www.bind9.net/manual/bind/9.3.1/Bv9ARM.ch07.html
--
Marc
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list