First commit for check_dns_replication

Frederik Lindenaar
1 parent 302f2b0a
Showing 2 changed files with 176 additions and 13 deletions
README.md
plugins/check_dns_replication
@@ -12,12 +12,14 @@ encounter any issues or require changes.
 The latest versions, documentation and bugtracker available on my
 [GitLab instance](https://gitlab.lindenaar.net/scripts/nagios-plugins)
-Copyright (c) 2015 - 2019 Frederik Lindenaar. free for distribution under
+Copyright (c) 2015 - 2021 Frederik Lindenaar. free for distribution under
 the GNU General Public License, see [below](#license)
 contents
 ========
 This repository contains the following scripts:
+  * [check_dns_replication](#check_dns_replication)
+    check DNS zone replication by comparing zone serial numbers on DNS servers
   * [check_memory](#check_memory)
     patched version of nagios-plugins check_memory script for Linux procps v3.3+
   * [check_multiple_host_addresses](#host_addresses)
@@ -30,6 +32,66 @@ This repository contains the following scripts:
   * [nagiosstatus](#nagiosstatus)
     CGI-BIN script to report the status of nagios (to monitor nagios itself)
+
+<a name=check_dns_replication>plugins/check_dns_replication</a>
+---------------------------------------------------------------
+With this check plugin / script, Nagios can monitor the replication of DNS zones
+between the authoritative DNS server for a domain and one or more of it's slave
+(or secondary) DNS servers. The script can check one or multiple DNS zones and
+can be pointed at one ore more specific DNS slave server(s) or us the NS records
+of the zone to check all DNS servers of that domain (or a combination of this)
+
+The script expects a (comma separated list of) DNS zone(s) to validate as its
+first command line parameter. It optionally also accepts one or more DNS servers
+to check as further parameters (either separate parameters or comma separated).
+If no DNS Servers are provided or the `-n` command line option is passed it will
+lookup the DNS Servers from the NS records in de DNS zone.
+
+The script will first fetch the authoritative DNS server from the SOA record, so
+that server must be reachable. This first lookup will be done against the first
+DNS server, if provided, or the default nameserver of the host. Next it will
+fetch the DNS zone's SOA record from each server and compare it with the master.
+
+Installation is straightforward, after installing the script on your server, add
+the following to your `commands.cmd` configuration file to make it available:
+
+~~~
+# 'check-dns-replication' command definition to check DNS replication of one or more zones
+define command {
+        command_name    check-dns-replication
+        command_line    [install_path]/plugins/check_dns_replication -n '$ARG1$' '$HOSTADDRESS$'
+}
+
+# 'check-dns-slave' command to check DNS replication of one or more zones against a single server
+define command {
+        command_name    check-dns-slave
+        command_line    [install_path]/plugins/check_dns_replication '$ARG1$' '$HOSTADDRESS$'
+}
+~~~
+
+The example below shows how to check DNS zone replication  for the primary DNS
+server (which checks replication to all secondaries) and how to check an extra
+secondary DNS server that is not listed as NS record in the zone.
+
+~~~
+# check DNS replication for an DNS zone to ensure all secondaries are in sync
+define service {
+        host                   auth.dns.mydomain.tld
+        service_description    DNS Zone Replication
+        check_command          check-dns-replication!mydomain.tld
+        use                    generic-service
+}
+
+# check DNS replication to a specific secondary DNS server
+define service {
+        host                   sec1.dns.mydomain.tld
+        service_description    DNS Zone Replication to secondary
+        check_command          check-dns-slave!mydomain.tld
+        use                    generic-service
+}
+~~~
+
+
 <a name=check_memory>plugins/check_memory</a>
 ---------------------------------------------
 Nagios check script to monitor the memory on Linux systems. Due to changes in
@@ -54,23 +116,23 @@ Installation is straightforward, after installing the script on your server, add
 the following to your `commands.cmd` configuration file to make it available:
 ~~~
-  # 'check-host-alive' command definition for multi-homed/dual-stack servers
-  define command{
-        command_name    check-addresses-alive
-        command_line    [install_path]/plugins/check_multiplehost_addresses '$HOSTADDRESS$' '$_HOSTADDRESS6$'
-  }
+# 'check-host-alive' command definition for multi-homed/dual-stack servers
+define command {
+    command_name    check-addresses-alive
+    command_line    [install_path]/plugins/check_multiplehost_addresses '$HOSTADDRESS$' '$_HOSTADDRESS6$'
+}
 ~~~
 The example above assumes that the IPv6 address of the host is provided as part
 of the host configuration, i.e.:
 ~~~
-  define host {
-        ...
-        address         192.168.0.1
-        _address6       fdf8:f340:ab9d:c213::1
-	...
-  }
+define host {
+    ...
+    address         192.168.0.1
+    _address6       fdf8:f340:ab9d:c213::1
+    ...
+}
 ~~~
 To use the script either add `check_command check-addresses-alive`
@@ -431,4 +493,3 @@ General Public License for more details.
 You should have received a copy of the GNU General Public License along with
 this program.  If not, download it from <http://www.gnu.org/licenses/>.
-
+#!/bin/bash
+
+# check_dns_replication - check DNS zone replication by comparing zone serials
+#
+# Version 1.0, latest version, documentation and bugtracker available at:
+#               https://gitlab.lindenaar.net/scripts/nagios-plugins
+#
+# Copyright (c) 2021 Frederik Lindenaar
+#
+# This script is free software: you can redistribute and/or modify it under the
+# terms of version 3 of the GNU General Public License as published by the Free
+# Software Foundation, or (at your option) any later version of the license.
+#
+# This script is distributed in the hope that it will be useful but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program.  If not, visit <http://www.gnu.org/licenses/> to download it.
+
+# Usage: check_dns_replication [-n] dns_zone[,dns_zone...] [dns_server...]
+
+if [ "$#" -eq 0 -o "$1" == "-n" -a "$#" -eq 1 ]; then
+    echo "DNSREPLICATION: UNKNOWN | missing parameter dns_zone"
+    exit 3
+elif [ "$1" == "-n" ]; then
+    DNS_SERVER_LOOKUP=$1
+    shift
+elif [ $1 == '-h' -o $1 == '--help' ]; then
+    cat << EOT
+`basename $0` - check DNS zone replication by comparing SOA serial(s)
+
+usage: $0 [-n] dns_zone[,dns_zone...] [dns_server...]
+
+parameters:
+    -n    when specified (or no dns_server provided) check domain's NS records
+    -h    this help
+    dns_zone[,dns_zone...]  list of DNS zones to check (comma separated!)
+    [dns_server...]         DNS server(s) to compare with authoratative server
+
+EOT
+    exit 3
+elif [[ "$1" = -* ]]; then
+    echo "DNSREPLICATION: UNKNOWN | invalid parameter, for help run $0 -h"
+    exit 3
+fi
+
+DNS_ZONES=${1//,/ }
+shift
+DNS_SERVERS=${*//,/ }
+
+n="
+"
+NAGIOS_STATE=OK
+NAGIOS_RESULT=0
+NAGIOS_DETAILS=
+
+for DNS_ZONE in $DNS_ZONES; do
+  read AUTH_NAMESERVER <<<$(host -t soa $DNS_ZONE ${DNS_SERVERS// .*/} | tail -1 | cut -d\  -f5 | sed "s/.$//")
+  [ -n "$AUTH_NAMESERVER" ] && read AUTH_SOA_SERIAL <<<$(host -t soa $DNS_ZONE $AUTH_NAMESERVER | tail -1 | cut -d\  -f7)
+  if [ -z "$AUTH_SOA_SERIAL" ]; then
+    NAGIOS_STATE=CRITICAL
+    NAGIOS_RESULT=2
+    NAGIOS_DETAILS="$NAGIOS_DETAILS$n$DNS_ZONE: unknown domain (unable to resolve)"
+  else
+    NAMESERVER_OK=
+    NAMESERVER_HIGHER=
+    NAMESERVER_LOWER=
+    NAMESERVER_EMPTY=
+    NAMESERVERS=$DNS_SERVERS
+    if [ -z "$DNS_SERVERS" -o "$DNS_SERVER_LOOKUP" == '-n' -o "$DNS_SERVERS" == "$AUTH_NAMESERVER" ]; then
+      NAMESERVERS="$NAMESERVERS $(host -t ns $DNS_ZONE $AUTH_NAMESERVER | fgrep -v : | sed "s/.* //;s/\.$//")"
+    fi
+    for NAMESERVER in $NAMESERVERS; do
+      if [ "$NAMESERVER" != "$AUTH_NAMESERVER" ]; then
+        SOA_SERIAL=$(host -t soa $DNS_ZONE $NAMESERVER | tail -1 | cut -d\  -f 7)
+        if [ -z "$SOA_SERIAL" ]; then
+          NAMESERVER_EMPTY="$NAMESERVER_EMPTY$NAMESERVER,"
+        elif [ "$SOA_SERIAL" -lt "$AUTH_SOA_SERIAL" ]; then
+          NAMESERVER_LOWER="$NAMESERVER_LOWER$NAMESERVER,"
+        elif [ "$SOA_SERIAL" -gt "$AUTH_SOA_SERIAL" ]; then
+          NAMESERVER_HIGHER="$NAMESERVER_HIGHER$NAMESERVER,"
+        else
+          NAMESERVER_OK="$NAMESERVER_OK$NAMESERVER,"
+        fi
+      fi
+    done
+    NAGIOS_DETAILS="$NAGIOS_DETAILS$n$DNS_ZONE: $AUTH_NAMESERVER($AUTH_SOA_SERIAL)"
+    [ -n "$NAMESERVER_OK" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS ok:$NAMESERVER_OK"
+    [ -n "$NAMESERVER_HIGHER" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS higher:$NAMESERVER_HIGHER"
+    [ -n "$NAMESERVER_LOWER" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS lower:$NAMESERVER_LOWER"
+    [ -n "$NAMESERVER_EMPTY" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS error:$NAMESERVER_EMPTY"
+    if [ -n "$NAMESERVER_HIGHER$NAMESERVER_LOWER$NAMESERVER_EMPTY" ]; then
+      NAGIOS_STATE=CRITICAL
+      NAGIOS_RESULT=2
+    fi
+    NAGIOS_DETAILS="${NAGIOS_DETAILS%,}"
+  fi
+done
+
+echo "DNSREPLICATION: $NAGIOS_STATE$NAGIOS_DETAILS"
+exit $NAGIOS_RESULT