DNSSEC Monitoring

Signing your zones with DNSSEC lets resolvers verify that your DNS data is authentic and has not been modified in transit. NodePing’s DNS check can now verify DNSSEC-authenticated data.

To monitor DNSSEC, NodePing validates the signatures on the response and follows the chain of trust (the DS and DNSKEY records) from your zone up through its parent zones to the root zone trust anchor. If a signature, key or DS record anywhere in that chain is missing, expired or invalid, you’ll be the first to know with NodePing’s fast and accurate notifications.

Designed to protect DNS clients from using forged or modified DNS data, DNSSEC ensures the information in the DNS reply is identical to what the owner of the DNS zone has digitally signed and published on their authoritative nameservers.

Only enable DNSSEC verification in your NodePing checks if the zone you are querying is actually signed (that is, a DS record for it has been published in the parent zone); otherwise the check will report validation failures that have nothing to do with tampering.

If you do not yet have a NodePing account, please sign up for our free, 15-day trial. We’re confident you’ll find our uptime monitoring to not only be the fastest and most accurate, but also a great value.

Auditing IP Resolution with DNS Checks

How would you know if your DNS account had been compromised? An attacker who tampers with your records could point your web and email traffic at servers they control, intercepting potentially confidential information from you or your customers without your knowledge.

Emergency Directive 19-01

Recently, the US Department of Homeland Security issued its first ever Emergency Directive with a list of actions to mitigate DNS account tampering, an issue they report is on the rise.

The first recommended action in their directive is to verify DNS resolution.

Action One: Audit DNS Records … audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location.

In this post, I’ll show you how to continually monitor your DNS resolution using NodePing DNS checks to ensure your important domain names are resolving to the expected IP addresses. If anyone tampers with your DNS records, you’ll quickly receive actionable notifications from NodePing.

Some of the record types you may want to verify with DNS checks are:

  • SOA – Start of Authority record
  • NS – Nameservers and the IPs they resolve to
  • Website FQDN
  • Website FQDN with www prefix (example: http://www.nodeping.com)
  • Email MX records and the IPs they resolve to
  • FTP service FQDNs
  • All the above services for both IPv4 and IPv6 addresses

Setting up DNS monitoring

To create a new DNS check, click on the “Add new check” button in your NodePing account dashboard.

  1. Select DNS from the Check type drop down.
  2. Give it a friendly label to identify this check in lists and notifications.  Something like “Website resolver”
  3. Set how often you want the check to run on the Check Frequency field.  We recommend 1 minute intervals.
  4. Leave the DNS server field blank. This makes our probes follow the domain’s delegation and query whichever nameservers the parent zone currently lists for it. If a hijacker gets into your DNS or registrar account, they will likely repoint that delegation to nameservers they control, so a check pinned to your own nameservers would keep passing and never see the change.
  5. Enter the type of query you want to perform, and address you want the check to look up. Usually this should be a fully qualified domain name. It should not include “http://” or “https://”. Example : ‘nodeping.com’ or ’email.nodeping.com’ or ‘www.nodeping.com’
  6. Enter the information the check should look for in the DNS resolution response to verify the query has not been tampered with. What you put in this field will depend on the query type. For example, for A records, this will be your IPv4 address. For other types, such as MX or NS records, this is likely to be a fully qualified domain name. For AAAA records, the full notation is required. Example: IPv6 address 2606:c700:4020:11::53:4a3b requires the ‘missing’ zero sections – 2606:c700:4020:11:0:0:53:4a3b – there should be 8 sections total.
  7. Set a time out. The default 5 seconds works fine for most situations.
  8. Set the Sensitivity. High is usually appropriate.
  9. Set the notifications for this check (see our notifications documentation for the available options).

If your services are offered on both IPv4 and IPv6, you’ll need to create a separate check for each with the appropriate query type set to ‘A’ for IPv4 and ‘AAAA’ for IPv6.

Setting up one DNS check for every critical server and service will give you the peace of mind that your DNS hasn’t been tampered with and your customers are interacting with you, not some DNS hijacker.

Got questions or need help setting up DNS resolution audit checks?  Contact us; we’re happy to help.

If you don’t yet have a NodePing account, please sign up for our free, 15-day trial and sleep well knowing we’re keeping an eye on your DNS resolution.

DNS Monitoring for Both Sides

DNS monitoring, like a coin, has two sides: “What does my DNS server say?” and “What does ‘public’ DNS say?”  With NodePing server monitoring, you can ask both questions.

Our DNS check allows you to send a query of a specific type to your DNS server (or a public DNS server) and test the response against a string you define.  For example, you can verify that your website domain resolves to your web server’s static IP address and have NodePing send you an email or SMS alert when either the server or the response fails.

DNS queries can be made for the following types and the response verified:

  • A
  • MX
  • NS
  • PTR
  • SOA
  • TXT
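The two checks this page describes, auditing answers against the values you intend to publish (the resolution-audit procedure above) and asking whether your own nameserver and a public resolver agree (the “two sides” question), reduce to the same comparison logic. Below is an added example of that logic in Python; it is not NodePing’s code. All DNS answers in it are constructed sample data for the reserved `example.com` / `.example` names, and in production the two `OBSERVED_*` dictionaries would be filled from real queries (for instance with dnspython against the delegated nameservers and against a public resolver). It also shows the IPv6 normalization the setup steps call for: the expected value is stored with `::` expanded to all eight groups.

```python
"""Audit DNS answers against intended values and compare two resolvers.

Added example, not NodePing code. Answers below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# A query is (owner name, record type); its answer set holds the rdata strings returned.
Query = Tuple[str, str]
Answers = Dict[Query, Set[str]]


def expand_ipv6(value: str) -> str:
    """Eight-group form with '::' expanded and leading zeros dropped per group,
    e.g. '2606:c700:4020:11::53:4a3b' -> '2606:c700:4020:11:0:0:53:4a3b'."""
    addr = ipaddress.IPv6Address(value)
    return ":".join(group.lstrip("0") or "0" for group in addr.exploded.split(":"))


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and tools differ on the trailing dot."""
    return name.strip().rstrip(".").lower()


def normalize(rtype: str, value: str) -> str:
    """Canonicalise one rdata string so expected and observed values compare equal."""
    rtype = rtype.upper()
    value = value.strip()
    if rtype == "A":
        return str(ipaddress.IPv4Address(value))   # raises ValueError on non-IPv4 input
    if rtype == "AAAA":
        return expand_ipv6(value)
    if rtype in ("NS", "CNAME", "PTR"):
        return normalize_name(value)
    if rtype == "MX":
        pref, host = value.split(None, 1)
        return f"{int(pref)} {normalize_name(host)}"
    if rtype == "SOA":
        fields = value.split()
        # MNAME and RNAME are names; the remaining fields are plain integers.
        return " ".join([normalize_name(fields[0]), normalize_name(fields[1]), *fields[2:]])
    if rtype == "TXT":
        return value.strip('"')
    raise ValueError(f"unsupported record type {rtype}")


def canon(answers: Answers) -> Answers:
    """Normalise both the query names and every rdata value in an answer map."""
    return {(normalize_name(n), t.upper()): {normalize(t, v) for v in vals}
            for (n, t), vals in answers.items()}


def audit(expected: Answers, observed: Answers) -> List[str]:
    """Findings where observed answers differ from what the zone owner intends."""
    exp, obs = canon(expected), canon(observed)
    findings: List[str] = []
    for (name, rtype), want in sorted(exp.items()):
        got = obs.get((name, rtype))
        if not got:
            findings.append(f"{name} {rtype}: no answer")
            continue
        for v in sorted(want - got):
            findings.append(f"{name} {rtype}: expected {v} missing")
        for v in sorted(got - want):
            findings.append(f"{name} {rtype}: unexpected {v}")
    return findings


def compare_sources(authoritative: Answers, public: Answers) -> List[str]:
    """Queries for which your nameserver and a public resolver disagree."""
    auth, pub = canon(authoritative), canon(public)
    diffs: List[str] = []
    for (name, rtype), a_vals in sorted(auth.items()):
        p_vals = pub.get((name, rtype), set())
        if a_vals != p_vals:
            diffs.append(f"{name} {rtype}: authoritative={sorted(a_vals)} public={sorted(p_vals)}")
    return diffs


# Constructed: what the zone owner intends to publish (the check's expected values).
EXPECTED: Answers = {
    ("example.com", "A"): {"203.0.113.10"},
    ("www.example.com", "AAAA"): {"2001:db8:0:11::53:4a3b"},
    ("example.com", "MX"): {"10 mail.example.com"},
    ("example.com", "NS"): {"ns1.example.com", "ns2.example.com"},
}

# Constructed: answers "from the delegated nameservers" after a hijack; the A record
# now points at an attacker address and one NS has been swapped for the attacker's.
OBSERVED_AUTH: Answers = {
    ("example.com.", "A"): {"198.51.100.77"},
    ("www.example.com.", "AAAA"): {"2001:db8:0:11:0:0:53:4a3b"},
    ("example.com.", "MX"): {"10 MAIL.example.com."},
    ("example.com.", "NS"): {"ns1.example.com.", "ns.attacker.example."},
}

# Constructed: answers "from a public resolver" that still has the old records cached.
OBSERVED_PUBLIC: Answers = {
    ("example.com.", "A"): {"203.0.113.10"},
    ("www.example.com.", "AAAA"): {"2001:db8:0:11::53:4a3b"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
}

if __name__ == "__main__":
    for line in audit(EXPECTED, OBSERVED_AUTH):
        print("AUDIT:", line)
    for line in compare_sources(OBSERVED_AUTH, OBSERVED_PUBLIC):
        print("DISAGREE:", line)
```

Run against the sample data, `audit(EXPECTED, OBSERVED_AUTH)` reports the changed A record and the swapped NS while accepting the case and trailing-dot differences in the MX answer and the compressed versus expanded AAAA forms, whereas `audit(EXPECTED, OBSERVED_PUBLIC)` is clean because the public resolver is still serving cached pre-hijack answers. That is exactly why the setup steps say to follow the delegation rather than pin the check to one server, and `compare_sources` surfaces the disagreement between the two sides while the cache is still warm.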

You can find more info on the DNS checks and our other check types in our documentation.

If you don’t have a NodePing account yet, try out our new DNS monitoring checks for free with a 15-day trial.