#!/bin/bash
# check_dns_replication - check DNS zone replication by comparing zone serials
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/nagios-plugins
#
# Copyright (c) 2021 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
# Usage: check_dns_replication [-n] dns_zone[,dns_zone...] [dns_server...]
if [ "$#" -eq 0 -o "$1" == "-n" -a "$#" -eq 1 ]; then
echo "DNSREPLICATION: UNKNOWN | missing parameter dns_zone"
exit 3
elif [ "$1" == "-n" ]; then
DNS_SERVER_LOOKUP=$1
shift
elif [ $1 == '-h' -o $1 == '--help' ]; then
cat << EOT
`basename $0` - check DNS zone replication by comparing SOA serial(s)
usage: $0 [-n] dns_zone[,dns_zone...] [dns_server...]
parameters:
-n when specified (or no dns_server provided) check domain's NS records
-h this help
dns_zone[,dns_zone...] list of DNS zones to check (comma separated!)
[dns_server...] DNS server(s) to compare with authoratative server
EOT
exit 3
elif [[ "$1" = -* ]]; then
echo "DNSREPLICATION: UNKNOWN | invalid parameter, for help run $0 -h"
exit 3
fi
DNS_ZONES=${1//,/ }
shift
DNS_SERVERS=${*//,/ }
n="
"
NAGIOS_STATE=OK
NAGIOS_RESULT=0
NAGIOS_DETAILS=
for DNS_ZONE in $DNS_ZONES; do
AUTH_NAMESERVER=$(host -t soa $DNS_ZONE ${DNS_SERVERS// .*/} | tail -1 | cut -d\ -f5 | sed "s/.$//")
[ -n "$AUTH_NAMESERVER" ] && AUTH_SOA_SERIAL=$(host -t soa $DNS_ZONE $AUTH_NAMESERVER | tail -1 | cut -d\ -f7)
if [ -z "$AUTH_SOA_SERIAL" ]; then
NAGIOS_STATE=CRITICAL
NAGIOS_RESULT=2
NAGIOS_DETAILS="$NAGIOS_DETAILS$n$DNS_ZONE: unknown domain (unable to resolve)"
else
NAMESERVER_OK=
NAMESERVER_HIGHER=
NAMESERVER_LOWER=
NAMESERVER_EMPTY=
NAMESERVERS=$DNS_SERVERS
if [ -z "$DNS_SERVERS" -o "$DNS_SERVER_LOOKUP" == '-n' -o "$DNS_SERVERS" == "$AUTH_NAMESERVER" ]; then
NAMESERVERS="$NAMESERVERS $(host -t ns $DNS_ZONE $AUTH_NAMESERVER | fgrep -v : | sed "s/.* //;s/\.$//")"
fi
NAMESERVERS=$(echo $NAMESERVERS | tr ' ' '\n' | sort -u)
for NAMESERVER in $NAMESERVERS; do
if [ "$NAMESERVER" != "$AUTH_NAMESERVER" ]; then
SOA_SERIAL=$(host -t soa $DNS_ZONE $NAMESERVER | tail -1 | cut -d\ -f 7)
if [ -z "$SOA_SERIAL" ]; then
NAMESERVER_EMPTY="$NAMESERVER_EMPTY$NAMESERVER,"
elif [ "$SOA_SERIAL" -lt "$AUTH_SOA_SERIAL" ]; then
NAMESERVER_LOWER="$NAMESERVER_LOWER$NAMESERVER,"
elif [ "$SOA_SERIAL" -gt "$AUTH_SOA_SERIAL" ]; then
NAMESERVER_HIGHER="$NAMESERVER_HIGHER$NAMESERVER,"
else
NAMESERVER_OK="$NAMESERVER_OK$NAMESERVER,"
fi
fi
done
NAGIOS_DETAILS="$NAGIOS_DETAILS$n$DNS_ZONE: $AUTH_NAMESERVER($AUTH_SOA_SERIAL)"
[ -n "$NAMESERVER_OK" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS ok:$NAMESERVER_OK"
[ -n "$NAMESERVER_HIGHER" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS higher:$NAMESERVER_HIGHER"
[ -n "$NAMESERVER_LOWER" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS lower:$NAMESERVER_LOWER"
[ -n "$NAMESERVER_EMPTY" ] && NAGIOS_DETAILS="$NAGIOS_DETAILS error:$NAMESERVER_EMPTY"
if [ -n "$NAMESERVER_HIGHER$NAMESERVER_LOWER$NAMESERVER_EMPTY" ]; then
NAGIOS_STATE=CRITICAL
NAGIOS_RESULT=2
fi
NAGIOS_DETAILS="${NAGIOS_DETAILS%,}"
fi
done
echo "DNSREPLICATION: $NAGIOS_STATE$NAGIOS_DETAILS"
exit $NAGIOS_RESULT