DNS is a critical part of every network, so it is important to monitor any change in it.
This guide does not cover monitoring of the DNS service itself (availability, latency); it describes how to detect changes in the records of a zone.
There are different ways to import DNS data into a model. The simplest is to discover the zone entries with the built-in DNS discovery.
See fcpc dns for more info.
It is up to you how often to fetch the data. By default, differences are computed between the last fetch and the one before it. If you want to track changes in the model over a longer period, more epochs are needed. See epoch.
EPOCH=d$(date +%Y_%m_%d)
fcpc epoch add "$EPOCH"
fcpc dns discovery-zone fcpc.online
fcpc diff-zones >/tmp/zones.diff 2>&1
# Save the exit status first: every test in the if/elif chain overwrites $?,
# so checking $? a second time would test the previous [ ] command, not fcpc.
rc=$?
# If there are changes within the zones, the return code is 36
if [ "$rc" -eq 36 ]; then
    cat /tmp/zones.diff
    # Do whatever is needed in case of changes
elif [ "$rc" -ne 0 ]; then
    echo "Error during zone fetch (exit code $rc)"
    cat /tmp/zones.diff
    # Do whatever is needed when fetching of DNS records failed
else
    true
fi
You can see how the platform stores the data of a zone:
fcpc dns export-zone fcpc.online
@ in A 46.28.107.171 ;epoch/2022_10_02:DnsHost/e83e328c8d38
@ in NS ns.wedos.net. ;epoch/2022_10_02:DnsRR/5d82b9d839e9
@ in NS ns.wedos.cz. ;epoch/2022_10_02:DnsRR/c2def78168c0
@ in NS ns.wedos.eu. ;epoch/2022_10_02:DnsRR/5b629f45e0fb
@ in TXT "v=spf1 ip4:109.231.143.26 ip4:109.231.143.27 ip4:217.112.171.61 include:spf.protection.outlook.com -all" ;epoch/2022_10_02:DnsRR/6cba64874ebb
@ in NS ns.wedos.com. ;epoch/2022_10_02:DnsRR/eff0743b650e
@ in SOA ns.wedos.net. wedos.wedos.com. 2022060902 3600 1800 1814400 3600 ;epoch/2022_10_02:DnsRR/3823018f119c
@ in TXT "knowbe4-site-verification=64aa3c9fbd80bc6c5df98d5bc5fb6ab8" ;epoch/2022_10_02:DnsRR/817c756a0f76
The platform reports changes as a standard unified diff.
For example, if the MX record was deleted:
fcpc dns diff-zone fcpc.online
diff
--------------------------------------------
--- DnsZone/fcpc_online 2022-10-17T15:25:58Z
+++ DnsZone/fcpc_online 2022-10-18T10:18:06Z
@@ -7 +6,0 @@
-@ in MX 0 rt.foresightcyber.com.
You can feed the zone change data to a Zabbix server.
This example generates a text file which you can send to the Zabbix server with zabbix_sender.
You need to create the corresponding items for every domain, or use discovery-by-query together with Zabbix low-level discovery (LLD).
See fcpc zabbix for more info.
fcpc --zabbix.sender.external=1 dns report-to-zabbix
host "fcpc.dns.zone[DnsZone/fcpc_online].old_count" "9"
host "fcpc.dns.zone[DnsZone/fcpc_online].new_count" "9"
host "fcpc.dns.zone[DnsZone/fcpc_online].diff" "'--- DnsZone/fcpc_online\t2022-10-17T15:25:58Z\n+++ DnsZone/fcpc_online\t2022-10-18T10:18:06Z\n@@ -7 +6,0 @@\n-@ in MX 0 rt.foresightcyber.com.'"
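The raw diff and the sender lines above treat every change the same way, but a removed NS or MX record, or a rewritten SPF policy, deserves a different response than a new A record, and a bare SOA serial bump accompanies every legitimate edit and should not alert at all. The following is an added example, not code from the fcpc documentation or tool: it parses the unified-diff layout printed by fcpc dns diff-zone (as shown in the MX deletion above), classifies the changes by record type, and builds zabbix_sender input in the host "key" "value" layout printed by report-to-zabbix. The Zabbix host name, the .severity, .removed and .added item keys, and the sample diff (the MX deletion from above plus a constructed SOA serial bump) are assumptions for illustration; only the .diff key appears on the page.

```python
"""Classify `fcpc dns diff-zone` output and build zabbix_sender input.

Added example, not part of fcpc.  Assumes the diff layout shown on the page:
'--- DnsZone/<zone>\\t<timestamp>', '+++ ...', '@@' hunk headers, then
'-'/'+' lines holding zone-file records.  Item keys other than '.diff' and
the host name are made up for illustration.
"""
import re
from dataclasses import dataclass

# Changes to these types alter delegation, mail routing, DNSSEC trust or
# certificate issuance policy: page someone.
HIGH_RISK_TYPES = {"NS", "SOA", "MX", "DS", "CAA"}
# Changes to these redirect traffic for a name: worth a ticket.
MEDIUM_RISK_TYPES = {"A", "AAAA", "CNAME", "TXT"}
# TXT records carrying mail policy; a weakened SPF/DMARC enables spoofing.
POLICY_TXT = re.compile(r'^"v=(spf1|DMARC1)', re.IGNORECASE)
RECORD_RE = re.compile(r'^([+-])(\S+)\s+(?:in\s+)?([A-Za-z]+)\s+(.*)$')
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class ZoneChange:
    op: str      # '-' removed, '+' added
    name: str
    rtype: str
    rdata: str


def parse_zone_diff(text):
    """Return (zone_id, [ZoneChange]) parsed from diff-zone output."""
    zone, changes = None, []
    for line in text.splitlines():
        if line.startswith(("--- ", "+++ ")):
            zone = line[4:].split()[0]        # drop the timestamp
        elif line.startswith("@@"):
            continue                          # hunk header, no record
        else:
            m = RECORD_RE.match(line)
            if m:
                op, name, rtype, rdata = m.groups()
                changes.append(ZoneChange(op, name, rtype.upper(), rdata.strip()))
    return zone, changes


def is_serial_only_soa_bump(changes):
    """True when the only SOA difference is the serial field (index 2).
    Every legitimate zone edit bumps it, so alone it is noise, not a finding."""
    old = [c for c in changes if c.rtype == "SOA" and c.op == "-"]
    new = [c for c in changes if c.rtype == "SOA" and c.op == "+"]
    if len(old) != 1 or len(new) != 1:
        return False
    o, n = old[0].rdata.split(), new[0].rdata.split()
    return len(o) == len(n) == 7 and o[:2] == n[:2] and o[3:] == n[3:]


def severity(change):
    if change.rtype in HIGH_RISK_TYPES:
        return "high"
    if change.rtype == "TXT" and POLICY_TXT.match(change.rdata):
        return "high"
    if change.rtype in MEDIUM_RISK_TYPES:
        return "medium"
    return "low"


def classify(changes):
    """Worst severity across the diff, ignoring a serial-only SOA rewrite."""
    if is_serial_only_soa_bump(changes):
        changes = [c for c in changes if c.rtype != "SOA"]
    worst = "none"
    for c in changes:
        if RANK[severity(c)] > RANK[worst]:
            worst = severity(c)
    return worst


def zabbix_sender_lines(host, diff_text):
    """Lines for `zabbix_sender -i -`, mirroring the layout fcpc prints: the
    diff sits in single quotes inside the double-quoted value, with tabs and
    newlines written as \\t and \\n.  A diff that itself contains double
    quotes (TXT records) needs further escaping per zabbix_sender's input
    rules, which this example does not handle."""
    zone, changes = parse_zone_diff(diff_text)
    key = f"fcpc.dns.zone[{zone}]"
    removed = sum(1 for c in changes if c.op == "-")
    added = sum(1 for c in changes if c.op == "+")
    esc = diff_text.rstrip("\n").replace("\t", "\\t").replace("\n", "\\n")
    return [
        f'{host} "{key}.severity" "{classify(changes)}"',
        f'{host} "{key}.removed" "{removed}"',
        f'{host} "{key}.added" "{added}"',
        f'{host} "{key}.diff" "\'{esc}\'"',
    ]


# Constructed sample: the MX deletion shown above plus an SOA serial bump.
SAMPLE_DIFF = (
    "--- DnsZone/fcpc_online\t2022-10-17T15:25:58Z\n"
    "+++ DnsZone/fcpc_online\t2022-10-18T10:18:06Z\n"
    "@@ -7 +6,0 @@\n"
    "-@ in MX 0 rt.foresightcyber.com.\n"
    "@@ -9 +9 @@\n"
    "-@ in SOA ns.wedos.net. wedos.wedos.com. 2022060902 3600 1800 1814400 3600\n"
    "+@ in SOA ns.wedos.net. wedos.wedos.com. 2022101801 3600 1800 1814400 3600\n"
)

if __name__ == "__main__":
    for line in zabbix_sender_lines("host", SAMPLE_DIFF):
        print(line)
```

Run as a script it prints four sender lines for the sample, with severity high because of the deleted MX while the SOA serial bump is ignored; a diff containing only the serial bump yields severity none. The severity item is what a Zabbix trigger should fire on, with the .diff item kept for the analyst.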