[Nagiosplug-devel] Re: Review of using Nag to check MS name resolution in AD environments [XP/2k/2k+3] - MS logon names etc.

Subhendu Ghosh sghosh at sghosh.org
Wed Feb 25 17:40:00 CET 2004


On Thu, 26 Feb 2004, Paul L. Allen wrote:

> Stanley Hopcroft writes: 
> 
> > This may be of interest to those wishing to monitor their Micorosft
> > AD/Dynamic DNS installation by ensuring that signficant names (such as 
> > the names of domain controllers corresponding to a domain) are resolved 
> > as expected.
> 
> I don't *wish* to do this (I think Microsoft products suck big time
> on technical grounds and want as little as possible to do with them)
> but I also know that one of our bigger clients for monitoring services
> would love it if we could check stuff like this (they're also so
> clueless that they're astounded we can monitor their IIS web server,
> and will get blown away when we start monitoring their MS SQL server,
> so unless we tell them this is a possibility they'll never know). 
> 
> > The problem for Nagios doing this is that as there are no options in 
> > check_dns (1.3.1 and 1.4alpha0) or check_dig to accept RR types. 
> > 
> > Would this be a useful enhancement of check_dns and or check_dig?
> 
> I think it would be useful to allow an option to select RR type and
> to do whatever processing is necessary for useful RR types - for
> some definitions of "useful." 
> 
> The SRV query you just mentioned is useful in this context.  It's too
> late for me to start looking at the latest check_dns and compare it
> against the Microsoft article to see if a switch for RR type is all
> that's needed or if the results of the query need some mangling to
> be usable.  I'd hope that either the current options make it flexible
> enough to cope or that, with careful design, post-processing options
> that have to be added would be flexible enough to cope with all sorts
> of other things. 
> 
> I can see where other RR types would be useful to some people.  The
> paranoid might like to check that AXFR and IXFR fail (the check is
> successful if they don't work) to make sure spammers can't harvest
> domain names.  I think some people might want to check that at
> least two MX records exist for critical, "bet the company" clients (the
> ones where "ooops - we forgot to set up a backup MX server in the DNS"
> is not an acceptable excuse and you end up bankrupt). 
> 
> I don't see checking LOC RRs as being of critical importance, but no
> doubt somebody, somewhere, will have a requirement for it (maybe NASA
> for its shuttle internet links, although they'd need a very low TTL).
> But there could well be other RR types that some people would find it
> useful to check, which is why I hope the post-processing is fairly
> flexible (you can't cope with everything, but you may be able to cope
> with common RR types if you give it a bit of thought). 
> 
> I can see that some people would like the TSIG and related RR types,
> but that is probably a LOT of work. 
> 
> So, after that Joycian stream-of-consciousness, yeah, go for the SRV.
> My preference is to add an RR type switch and at least enough
> result-mangling switches to allow the MS SRV stuff to be handled.
> Anything else is a bonus. 
> 
> 

Yes to an option to handle RR - but even with SRV we need to handle 
priority (as with MX).

using resolver interface would be nice
-- 

-sg





More information about the Devel mailing list