DoH Monitoring and DoT Monitoring

NodePing can verify that your DNS over HTTPS (DoH) and DNS over TLS (DoT) services are available and replying with the expected records.

DoH/DoT was created to help secure DNS queries and responses over untrusted networks and is supported by most browsers and operating systems.

Our DoH/DoT check will ensure that your DNS over HTTPS (RFC 8484) or DNS over TLS (RFC 7858) servers are working correctly and if they’re not, we’ll send you notifications.

In accordance with the RFCs, our uptime monitoring for DoH uses the common DNS wire format via HTTPS GET or POST over port 443. Our uptime monitoring for DoT also uses DNS wire format via TLS over port 853. You can include EDNS(0) OPT records in the queries as well as verify the query response. You can add custom HTTP headers (DoH-only) and sign your requests with your own TLS client certificates for authentication.
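To show what "DNS wire format" means on each transport, the following added example (not NodePing's code) builds one query with an EDNS(0) OPT record and packages it for a DoH GET, a DoH POST and a DoT connection. The endpoint URL in the usage is a placeholder and the function names are illustrative.

```python
import base64
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}

def build_query(name, qtype="A", msg_id=0, udp_size=1232, dnssec_ok=False):
    """Return a DNS query in wire format carrying one EDNS(0) OPT record."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1.
    # RFC 8484 suggests ID 0 for DoH so that HTTP caches can match requests.
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode | version | flags (DO bit = 0x8000), RDLENGTH = 0.
    ttl = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt

def doh_get_url(endpoint, wire):
    """RFC 8484 GET: message as base64url in ?dns=, padding stripped."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def doh_post(wire):
    """RFC 8484 POST: the same bytes as the body, typed as a DNS message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, wire

def dot_frame(wire):
    """RFC 7858: same framing as DNS over TCP, a two-octet length prefix."""
    return struct.pack("!H", len(wire)) + wire

if __name__ == "__main__":
    query = build_query("nodeping.com", "A")
    # Placeholder endpoint, not a real DoH service.
    print(doh_get_url("https://doh.example.net/dns-query", query))
    print(dot_frame(query).hex())
```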

The DoH/DoT check can be found in the standard check type drop down menu in your NodePing account. If you don’t have a NodePing account yet, please sign up for our 15-day, free trial.

DNSSEC Monitoring

Your DNSSEC implementation is an important part of increasing authentication for your DNS data. NodePing’s DNS check can now verify DNSSEC authenticated data.

To monitor DNSSEC, NodePing uses public key cryptography to verify the digital signature in the data all the way back to the root servers. If there’s an issue anywhere in the chain, you’ll be the first to know with NodePing’s fast and accurate notifications.

Designed to protect DNS clients from using forged or modified DNS data, DNSSEC ensures the information in the DNS reply is identical to what the owner of the DNS zone has digitally signed and published on their authoritative nameservers.

Only enable DNSSEC verification in your NodePing checks if your nameservers have that functionality.

If you do not yet have a NodePing account, please sign up for our free, 15-day trial. We’re confident you’ll find our uptime monitoring to not only be the fastest and most accurate, but also a great value.

Auditing IP Resolution with DNS Checks

How would you know if your DNS account had been compromised?  If tampered with, an attacker could point your web and email traffic to their own controlled servers, enabling them to intercept potentially confidential information from you or your customers without your knowledge.

Emergency Directive 19-01

Recently, the US Department of Homeland Security issued its first ever Emergency Directive with a list of actions to mitigate DNS account tampering, an issue they report is on the rise.

The first recommended action in their directive is to verify DNS resolution.

Action One: Audit DNS Records … audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location.

In this post, I’ll show you how to continually monitor your DNS resolution using NodePing DNS checks to ensure your important domain names are resolving to the expected IP addresses. If anyone tampers with your DNS records, you’ll quickly receive actionable notifications from NodePing.

Some of the record types you may want to verify with DNS checks are:

  • SOA – Start of Authority record
  • NS – Nameservers and the IPs they resolve to
  • Website FQDN
  • Website FQDN with www prefix (example: http://www.nodeping.com)
  • Email MX records and the IPs they resolve to
  • IMAP, POP, and SMTP FQDNs
  • FTP service FQDNs
  • All the above services for both IPv4 and IPv6 addresses

Setting up DNS monitoring

To create a new DNS check, click on the “Add new check” button in your NodePing account dashboard.

  1. Select DNS from the Check type drop down.
  2. Give it a friendly label to identify this check in lists and notifications.  Something like “Website resolver”
  3. Set how often you want the check to run on the Check Frequency field.  We recommend 1 minute intervals.
  4. Leave the DNS server field blank.  This will ensure that our probes will use whatever nameservers are listed on the domain.  If a hijacker accesses your DNS account, they’ll likely change the IPs of the nameservers so testing your own nameservers won’t be helpful for this type of monitoring.
  5. Enter the type of query you want to perform, and the address you want the check to look up. Usually this should be a fully qualified domain name. It should not include “http://” or “https://”. Example: ‘nodeping.com’ or ‘email.nodeping.com’ or ‘www.nodeping.com’
  6. Enter the information the check should look for in the DNS resolution response to verify the query has not been tampered with. What you put in this field will depend on the query type. For example, for A records, this will be your IPv4 address. For other types, such as MX or NS records, this is likely to be a fully qualified domain name. For AAAA records, the full notation is required. Example: IPv6 address 2606:c700:4020:11::53:4a3b requires the ‘missing’ zero sections – 2606:c700:4020:11:0:0:53:4a3b – there should be 8 sections total.
  7. Set a time out. The default 5 seconds works fine for most situations.
  8. Set the Sensitivity. High is usually appropriate.
  9. Set the notifications for this check. More information about notifications.

If your services are offered on both IPv4 and IPv6, you’ll need to create a separate check for each with the appropriate query type set to ‘A’ for IPv4 and ‘AAAA’ for IPv6.
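The same audit can be run by hand against a list of intended records. This added example (not NodePing's matching logic) normalizes answers before comparing them, including expanding AAAA values to the 8-section form described in step 6. The hostnames and the A and MX values are constructed sample data, and `audit` is an illustrative name.

```python
import ipaddress

def full_notation(addr):
    """Expand an IPv6 address to 8 sections without leading zeros."""
    packed = ipaddress.IPv6Address(addr).packed
    groups = [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]
    return ":".join(format(g, "x") for g in groups)

def normalize(rtype, value):
    """Bring an answer into one canonical form so string compares are safe."""
    if rtype == "AAAA":
        return full_notation(value)
    if rtype == "A":
        return str(ipaddress.IPv4Address(value))
    # Hostname-valued answers (NS, CNAME, PTR, MX target): case and the
    # trailing root dot are not significant.
    return value.rstrip(".").lower()

def audit(expected, observed):
    """Return (name, type, problem, value) for every deviation found."""
    findings = []
    for (name, rtype), want in expected.items():
        want_set = {normalize(rtype, v) for v in want}
        got_set = {normalize(rtype, v) for v in observed.get((name, rtype), [])}
        for value in sorted(got_set - want_set):
            findings.append((name, rtype, "unexpected", value))
        for value in sorted(want_set - got_set):
            findings.append((name, rtype, "missing", value))
    return findings

# Constructed sample data: what the zone owner intends ...
EXPECTED = {
    ("www.example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "AAAA"): ["2606:c700:4020:11:0:0:53:4a3b"],
    ("example.com", "MX"): ["mail.example.com"],
}
# ... and what a resolver returned (the A record has been changed).
OBSERVED = {
    ("www.example.com", "A"): ["203.0.113.10"],
    ("www.example.com", "AAAA"): ["2606:c700:4020:11::53:4a3b"],
    ("example.com", "MX"): ["MAIL.example.com."],
}

if __name__ == "__main__":
    for finding in audit(EXPECTED, OBSERVED):
        print(*finding)
```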

Setting up one DNS check for every critical server and service will give you the peace of mind that your DNS hasn’t been tampered with and your customers are interacting with you, not some DNS hijacker.

Got questions or need help setting up DNS resolution audit checks?  Contact us; we’re happy to help.

If you don’t yet have a NodePing account, please sign up for our free, 15-day trial and sleep well knowing we’re keeping an eye on your DNS resolution.

Diagnostic Tools

“Why is my check failing?”

It isn’t always obvious what’s causing the failure when a check goes ‘down’ and additional information about what our probes are experiencing can be helpful. For example, if your website is timing out, is it the web server, a DNS problem, or maybe packet loss on the network?

Our new diagnostic tools allow you to run several utilities on our probes and give visibility to what our probes are seeing to help you troubleshoot a failing service. These tools can be useful to narrow down where the failure is so you can get things fixed and services restored as quickly as possible.

Tools available:

  • Ping
  • Traceroute
  • MTR
  • Dig
  • Page Load (browser loading with page speed – HAR viewer)
  • Screenshot

More information about the tools and some troubleshooting advice can be found in our documentation.

You can find these tools on the “Diagnostic Tools” tab when you login to your NodePing account.  If you don’t yet have a NodePing account, you can create one and try out these tools with our 15-day, free uptime monitoring trial.

What other tools would be helpful on that page? Let us know in the comments.

rDNS: Monitoring the Flip Side of DNS

DNS monitoring is an important part of keeping your services available. DNS is what allows your browser to turn the name ‘nodeping.com’ into the IP address 192.95.37.22. Without proper functioning DNS, your website, email, and other services would be unreachable.

One often neglected part of DNS monitoring is the rDNS, or reverse DNS, entries. As the name suggests, rDNS is the reverse of DNS. It maps an IP address to a hostname using a special PTR DNS record type. In essence, it associates an IP address to a specific hostname or domain.

PTR records are used by all kinds of utilities and services like the humble ‘ping’ and ‘traceroute’ as well as more complex FCrDNS-enabled services. A forward-confirmed reverse DNS (FCrDNS) verification uses the PTR record to associate a domain owner with an IP address. It’s not a rock-solid form of validating ownership but is usually considered enough to be used for whitelisting servers for SMTP services because spammers usually can’t fake an rDNS record when they forge domains.

If you’re sending email from a server, you should have a proper PTR record in place that includes the domain for the ‘from’ address. This will help ensure your email from that server will not get sent to the spam bucket. A PTR, or ‘pointer’, record is usually configured by whoever owns the IP address so you often have to put in a ticket with your colocation or service provider to set or change rDNS entries.

NodePing is one of very few server monitoring services that can monitor rDNS entries. To set up a rDNS check, select ‘DNS’ from the check type and ‘PTR’ from the record type dropdown. It’s important to note that your PTR record will be in what is commonly called ‘arpa’ format. An example of the ‘arpa’ format for the IP 192.95.37.22 is ‘22.37.95.192.in-addr.arpa’ – please note how the octets are in reverse order, not the numbers. Set the ‘arpa’ address for your IP address in the ‘Query’ text field. You’ll also want to set the ‘Expected Response:’ field to the hostname for that IP, example: ‘api.nodeping.com’.
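The ‘arpa’ query name and the FCrDNS verification described above can be worked through as follows. This is an added example, not NodePing's code: the `lookup` hook and the zone table are constructed stand-ins for a real resolver, and the second IP and hostname are sample values.

```python
import ipaddress

def arpa_name(ip):
    """PTR query name for an address: reversed octets for IPv4
    (in-addr.arpa), reversed nibbles for IPv6 (ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def fcrdns(ip, lookup):
    """Forward-confirmed reverse DNS.

    lookup(name, rtype) -> list of answer strings (hypothetical hook).
    Returns the PTR hostnames whose forward records contain the same IP.
    """
    addr = ipaddress.ip_address(ip)
    rtype = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for host in lookup(arpa_name(ip), "PTR"):
        host = host.rstrip(".").lower()
        forward = {ipaddress.ip_address(a) for a in lookup(host, rtype)}
        if addr in forward:
            confirmed.append(host)
    return confirmed

# Constructed zone data. The first pair is consistent in both directions;
# the second PTR names a host whose A record points somewhere else.
ZONE = {
    ("22.37.95.192.in-addr.arpa", "PTR"): ["api.nodeping.com."],
    ("api.nodeping.com", "A"): ["192.95.37.22"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["198.51.100.7"],
}

def static_lookup(name, rtype):
    """Offline resolver stand-in backed by ZONE."""
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

if __name__ == "__main__":
    for ip in ("192.95.37.22", "203.0.113.10"):
        print(ip, arpa_name(ip), fcrdns(ip, static_lookup))
```

A PTR record alone only shows what the IP owner published; the forward lookup is what ties the hostname back to the domain owner.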

For more information about rDNS/PTR monitoring or our DNS check capabilities in general, check out our DNS check documentation.

DNS Monitoring for Both Sides

DNS monitoring, like a coin, has two sides: “What does my DNS server say?” and “What does ‘public’ DNS say?”  With NodePing server monitoring, you can ask both questions.

Our DNS check allows you to send a query of a specific type to your DNS server (or a public DNS server) and test the response against a string you define.  For example, you can verify that your website domain resolves to your web server’s static IP address and have NodePing send you an email or SMS alert when either the server or the response fails.

DNS queries can be made for the following types and the response verified:

  • A
  • CNAME
  • MX
  • NS
  • PTR
  • SOA
  • TXT

You can find more info on the DNS checks and our other check types in our documentation.

If you don’t have a NodePing account yet, try out our new DNS monitoring checks for free with a 15-day trial.