Using named to Test Network Health

Martin McCormick martin at dc.cis.okstate.edu
Thu Aug 21 13:30:19 UTC 2008


	Next to routers, the outward-facing DNS is one of the
few parts of our network that talks to large numbers of
far-flung sites constantly.

	Is there any metric presently in bind that we can look
at, say, from a cron job once a minute, that would let us know
that no root name servers are being reached? This is usually a
great indication that our connections to the rest of the
Internet are down.

	It appears that all the root name servers have stopped
responding to ICMP packets, probably a good thing, but I am
trying to come up with something that mines information we
may already have which can give us a "Healthy or sick?"
indication of connectivity.

	One metric I did find in the "status" command one can
issue via rndc is the number of recursive clients in use out of
1,000. We have recursion off for everybody but those within our
network (We can't turn it completely off), and bind starts
filling the log with "no more recursive clients" messages when
we have connectivity trouble, but that also can happen if
someone mounts a denial of service attack from inside.

	Is there a DNS lookup request that is guaranteed to work
if a DNS is reachable? We could do that once a minute instead of
a ping.

	Basically, is there a good way to know when bind isn't
getting anything from the world out there?

Thank you.

Martin McCormick WB5AGZ  Stillwater, OK
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
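One way to mine the two signals the post asks about, as an added example that is not from the original post or from BIND itself: a small cron-able script that sends a non-recursive `. NS` query straight to a few root servers (the "guaranteed to work if DNS is reachable" lookup) and reads the `recursive clients` line out of `rndc status` text. The root server addresses and the `rndc status` line format are assumptions to verify against the local root hints and BIND version.

```python
import random
import socket
import struct

# Root server addresses copied from the public root hints; verify against your own root.hints (assumption).
ROOT_SERVERS = {"a": "198.41.0.4", "c": "192.33.4.12", "d": "199.7.91.13"}


def build_query(qname=".", qtype=2, qid=None):
    """Minimal non-recursive DNS query; qtype 2 = NS, "." = the root zone."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags 0 => RD clear
    labels = [l for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(data, expected_id):
    """(ok, rcode, ancount): ok needs matching id, QR bit, NOERROR and >0 answers."""
    if len(data) < 12:
        return False, None, 0
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    ok = qid == expected_id and flags & 0x8000 and (flags & 0xF) == 0 and an > 0
    return bool(ok), flags & 0xF, an

def probe(server_ip, timeout=2.0):
    """Send '. NS' to one root server over UDP; True only for a sane answer."""
    query = build_query()
    qid = struct.unpack("!H", query[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
        return parse_response(data, qid)[0]
    except OSError:  # timeout or unreachable both mean "no answer"
        return False
    finally:
        sock.close()

def recursive_clients(rndc_status_text):
    """(current, limit) from the 'recursive clients: a/b[/c]' line of rndc status."""
    for line in rndc_status_text.splitlines():
        if line.strip().startswith("recursive clients:"):
            nums = [int(x) for x in line.split(":", 1)[1].split("/")]
            return nums[0], nums[-1]
    return None

if __name__ == "__main__":  # cron entry point: exit non-zero when no root answers
    answered = sum(probe(ip) for ip in ROOT_SERVERS.values())
    raise SystemExit(0 if answered else f"sick: 0/{len(ROOT_SERVERS)} roots answered")
```

Feed `rndc status | python3 -c ...` or a captured copy into `recursive_clients()` alongside the probe so a full recursion pool is reported separately from a dead upstream, since the post notes that the former can also come from an internal flood.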

