
checkzone - A Python script checking secondary DNS servers

You should check that your secondary DNS servers receive and update zones properly.

Here is a small script I wrote which simply requests all the NS servers for a given domain and checks that their serials are equal. The script behaves like a Nagios-compatible check, so you can easily plug it into your monitoring system.

apt-get install python3-dnspython

#!/usr/bin/env python3
 
import argparse
import sys
import dns.resolver
 
 
def get_serials(domain):
    resolver = dns.resolver.Resolver()
    for ns in resolver.query(domain, 'NS'):
        for ip in resolver.query(ns.to_text(), 'A'):
            r = dns.resolver.Resolver(configure=False)
            r.nameservers = [ip.to_text()]
            for resp in r.query(domain, 'SOA'):
                yield ns.to_text(), ip.to_text(), resp.serial
 
 
def check_zone(domain):
    serials = list(get_serials(domain))
    if len(set([s for _, _, s in serials])) == 1:
        print('ZONE {} OK - serial is {} for {}'.format(
            domain, serials[0][2],
            ', '.join(['{} ({})'.format(ns, ip) for ns, ip, _ in serials])))
        return 0
    else:
        print('ZONE {} CRITICAL - serial differ {}'.format(
            domain, ', '.join(['{} for {} ({})'.format(s, ns, ip)
                               for ns, ip, s in serials])))
        return 2
 
 
if __name__ == '__main__':
    parser = argparse.ArgumentParser(sys.argv[0])
    parser.add_argument('domain')
    args = parser.parse_args()
    sys.exit(check_zone(args.domain))

Example output:

$ /usr/local/bin/check_zone fr.
ZONE fr. OK - serial is 2225177270 for d.nic.fr. (194.0.9.1), e.ext.nic.fr. (193.176.144.22), f.ext.nic.fr. (194.146.106.46), g.ext.nic.fr. (194.0.36.1), d.ext.nic.fr. (192.5.4.2)

$ /usr/local/bin/check_zone org.
ZONE org. CRITICAL - serial differ 2013547598 for d0.org.afilias-nst.org. (199.19.57.1), 2013547598 for a0.org.afilias-nst.info. (199.19.56.1), 2013547597 for a2.org.afilias-nst.info. (199.249.112.1), 2013547598 for b0.org.afilias-nst.org. (199.19.54.1), 2013547598 for b2.org.afilias-nst.org. (199.249.120.1), 2013547598 for c0.org.afilias-nst.info. (199.19.53.1)

$ /usr/local/bin/check_zone philpep.org.
ZONE philpep.org. OK - serial is 2019061607 for cauchy.philpep.org. (5.39.85.37), schwarz.philpep.org. (54.37.73.55)

As you can see, the script may flap for zones that update very frequently (such as top-level zones), but for your own zone it should just work.
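
The flapping described above can be damped by tolerating a small serial lag. The following is an added example, not part of the original script: it compares serials with RFC 1982 wraparound arithmetic and stays OK while every server is within max_lag increments of the newest serial. The names evaluate, newest_serial, lag and max_lag, and the use of None for a server that gave no SOA answer, are assumptions of this example.

```python
OK, CRITICAL, UNKNOWN = 0, 2, 3   # Nagios plugin exit codes
MOD, HALF = 2**32, 2**31          # SOA serials are 32-bit and wrap (RFC 1982)


def lag(newest, serial):
    """Number of increments `serial` is behind `newest`, wraparound-aware."""
    return (newest - serial) % MOD


def newest_serial(serials):
    """Serial that is ahead of (or equal to) all others, or None if ambiguous."""
    for cand in serials:
        if all(lag(cand, s) < HALF for s in serials):
            return cand
    return None


def evaluate(domain, results, max_lag=0):
    """results: (ns, ip, serial) tuples shaped like get_serials() output;
    serial is None when a server gave no SOA answer (assumption of this example)."""
    if not results:
        return UNKNOWN, 'ZONE {} UNKNOWN - no name server found'.format(domain)
    silent = [ns for ns, _, s in results if s is None]
    if silent:
        return CRITICAL, 'ZONE {} CRITICAL - no SOA from {}'.format(
            domain, ', '.join(silent))
    newest = newest_serial({s for _, _, s in results})
    if newest is None:
        return CRITICAL, 'ZONE {} CRITICAL - serials not comparable'.format(domain)
    behind = [(ns, lag(newest, s)) for ns, _, s in results if s != newest]
    late = [(ns, d) for ns, d in behind if d > max_lag]
    if late:
        return CRITICAL, 'ZONE {} CRITICAL - newest serial {}, behind: {}'.format(
            domain, newest, ', '.join('{} (-{})'.format(ns, d) for ns, d in late))
    return OK, 'ZONE {} OK - newest serial {}, {} server(s) within {} of it'.format(
        domain, newest, len(behind), max_lag)


# Constructed sample, modelled on the org. output shown above.
SAMPLE = [
    ('d0.org.afilias-nst.org.', '199.19.57.1', 2013547598),
    ('a2.org.afilias-nst.info.', '199.249.112.1', 2013547597),
]

if __name__ == '__main__':
    code, message = evaluate('org.', SAMPLE, max_lag=1)
    print(message)
    raise SystemExit(code)
```

With max_lag=0 this behaves like the strict equality check; a lag is counted in serial increments, not in seconds, so choose the tolerance according to how the zone's serial is bumped.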

soft/checkzone.txt · Last modified: 2019/07/14 23:20 by phil