-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Using rrdtool, dns and dnssec

For those that are interested in graphing the dns query usage of their name server, this is for you.

A word before we begin: I’m no developer; I just write scripts in whichever scripting language I feel like using at the time. In this case, I used Perl. The script is pretty basic, doesn’t require a lot of dependencies, and if you’re allergic to Perl, you can easily write the same script in another language.

What this script does

  • Connect to the statistics port
  • Parse the XML and extract the data
  • Create the RRAs if they do not exist
  • Insert the statistics for these types:
    • dns: TXT, NS, SRV, AAAA, ANY, A, CNAME, NAPTR, SOA, MX, PTR, SSHFP, SPF
    • dnssec: NSEC3, DLV, KEY, NSEC, DS, DNSKEY
  • Create two graphs, one for standard dns queries, and another one for dnssec queries

Installing requirements

I’m using this script on CentOS boxes, and here’s what you need to install as requirements:

yum install -y perl rrdtool-perl rrdtool perl-XML-Simple perl-XML-Parser

Bind configuration

You need to add the statistics capability to your bind server so that it listens on a port and presents an XML document containing all the information you are looking for. Of course, the firewall on the machine running bind must let the graphing machine connect to the statistics port.

cat >> /etc/named.conf << EOF
statistics-channels {
        inet * port 8080;
};
EOF

Let your name server process some queries, then connect to http://ip-of-your-bind-server:8080; you should see a page with a lot of numbers. If not, make sure that bind is listening on this port, that the machine’s firewall is not blocking access, and that your internet connection allows you to connect to port 8080.

The configuration applied above allows anybody to connect to the statistics port. You don’t want that: make sure the asterisk is replaced by something more restrictive, and/or (at least) that your firewall restricts access to it.
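
As an added example (not part of the original post or of bind itself), this shell check flags statistics-channels entries that listen on every address or lack an allow ACL, and runs it over the post's configuration and a restricted form. The function name and the 192.0.2.x addresses are placeholders, and it assumes one inet statement per line.

```shell
#!/bin/sh
# Added example, not from the original post: flag statistics-channels
# listeners in named.conf that are exposed more widely than needed.
# Assumes one "inet ...;" statement per line, as in the post's snippet.

audit_stats_channels() {    # hypothetical helper; $1 = path to named.conf
    awk '
        /^[ \t]*(#|\/\/)/              { next }              # comment lines
        /statistics-channels[ \t]*[{]/ { in_blk = 1; next }
        in_blk && /^[ \t]*[}];/        { in_blk = 0; next }
        in_blk && /inet[ \t]/ {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /inet[ \t]+[*]/)   { print "WILDCARD-LISTEN: " line; bad++ }
            if (line !~ /allow[ \t]*[{]/) { print "NO-ALLOW-ACL: " line; bad++ }
            else if (line ~ /allow[ \t]*[{][ \t]*any[ \t]*;/) { print "ALLOW-ANY: " line; bad++ }
        }
        END { exit (bad > 0) }    # non-zero status when anything was flagged
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample 1: the configuration from the post (all addresses, no ACL).
cat > "$tmp/weak.conf" << 'EOF'
statistics-channels {
        inet * port 8080;
};
EOF

# Constructed sample 2: bound to one address, readable only by the grapher.
# 192.0.2.53 (name server) and 192.0.2.10 (graphing host) are placeholders.
cat > "$tmp/hardened.conf" << 'EOF'
statistics-channels {
        inet 192.0.2.53 port 8080 allow { 192.0.2.10; };
};
EOF

for f in weak hardened; do
    if audit_stats_channels "$tmp/$f.conf"; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: statistics channel needs tightening"
    fi
done
```
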

Installing the script itself

I’ll put the script in /usr/local/bin, but you can put it somewhere else if you find it more appropriate.
If you are graphing the local machine, then the only parameters you need to change to make the script work are the following:
CHANGETHIS:RRDLOCATION: Where the rrd files will be stored and updated by the script.
CHANGETHIS:IMGLOCATION: Where the output images will be created and updated by the script.
CHANGETHIS:GRAPHNAME: The name of the server you’re graphing. Useful in case you’ll be graphing several hosts.
If you need to change the IP address and the port, they are set in the &ProcessInterface function call.

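# These are example values; customize them.
rrdlocation="/root/rrds"
imglocation="/usr/share/nginx/html"
graphname="myawesomeserver"
# Fetched over plain HTTP and later run by root's crontab: read the script before installing it.
wget http://bkraft.fr/files/scripts/rrd_bind.pl -O /usr/local/bin/rrd_bind.pl
# Fill in the CHANGETHIS placeholders with the values above.
perl -i -pe "s#CHANGETHIS:RRDLOCATION#$rrdlocation#;s#CHANGETHIS:IMGLOCATION#$imglocation#;s#CHANGETHIS:GRAPHNAME#$graphname#" /usr/local/bin/rrd_bind.pl
# cron calls the script directly, so it must be executable.
chmod 755 /usr/local/bin/rrd_bind.pl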

Crontab

Final step: we need to make our machine fetch values every 5 minutes (if you want to change this, you also need to change the definition of the RRA, but that is way out of the scope of this blog post), so please do the following:

cat >> /var/spool/cron/root << EOF
*/5 * * * * /usr/local/bin/rrd_bind.pl > /dev/null 2>&1
EOF

What it produces

I’m currently using this graph to show the behaviour of three of my servers in a new project of mine, and you can see the result:

DNSSEC Statistics
[Graphs: Bind DNS daily statistics]
DNSSEC Statistics
[Graphs: Bind DNSSEC daily statistics]
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----

Hint: To validate signature, please view page source and copy html code between BEGIN PGP Signed message and END PGP Signature anchors.

Created the 2012-12-22
