DNS lookup failure(s)-linux-False

Vendor: linux

OS: False

Description:
Indeni will alert if DNS resolution is not working on the device.

Remediation Steps:
Review why DNS resolution is failing on the device.

How does this work?
Using the built-in "dig" command, each DNS server configured in /etc/resolv.conf is sent a query to resolve www.indeni.com, and the response time reported by dig is measured. A server that never answers is reported as down; a server that answers at all (even with an error response) is reported as up, with its response time.

Why is this important?
Even though DNS servers are configured, that does not guarantee that they work or that they are fast enough. Slow or unresponsive DNS servers can indicate other underlying issues on the network or on the server side, and many products require a fully functional DNS server.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

unix-dig

#! META
name: unix-dig
description: run "dig www.indeni.com"
type: monitoring
monitoring_interval: 10 minutes
requires:
    or:
        -
            linux-based: "true"
        -
            freebsd-based: "true"

#! COMMENTS
dns-server-state:
    why: |
        Even though DNS servers are configured, that does not guarantee that they work. Many products require a fully functional DNS server being set.
    how: |
        Using the built-in "dig" command, each configured DNS server on the device is sent a query to resolve www.indeni.com.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This can only be tested from the command line interface. If DNS is not working, other alerts might appear (for example a failure to update the device's software packages), but it will not be clear that they are related to DNS issues.

dns-response-time:
    why: |
        Even though DNS servers are configured, that does not guarantee that they are fast enough. Slow DNS servers could indicate other underlying issues on the network or server side.
    how: |
        Using the built-in "dig" command, each configured DNS server on the device is sent a query to resolve www.indeni.com and the response time is measured.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        This can only be tested from the command line interface. If DNS is not working, other alerts might appear (for example a failure to update the device's software packages), but it will not be clear that they are related to DNS issues.

dns-servers:
    why: |
        DNS allows a device to resolve a name to an IP address. For example, an application or website may be associated with many IP's and DNS allows the client to use a name or FQDN to reach it. If a device is clustered then it would be expected to have the same DNS servers configured on all members of the cluster.
    how: |
        Using the built-in "dig" command, each configured DNS server on the device is listed.
    without-indeni: |
        An administrator could login and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        Showing the configured DNS servers is normally only available on the CLI or via WebUI.

#! REMOTE::SSH
# We go over to bash because in FreeBSD we may be in csh, which doesn't support this format of "while".
# Only lines that start with "nameserver" are used, so commented-out entries are skipped, and "read"
# splits on any whitespace, so tab-separated entries parse as well.
${nice-path} -n 15 bash -c 'grep "^nameserver" /etc/resolv.conf | while read -r _ server _; do echo DNSserver "$server" && dig @"$server" www.indeni.com +noall +stats +answer +time=1; done'

#! PARSER::AWK

############
# Script explanation: Decrease timeout (+time=1), otherwise the script times out if there are too many servers that are not reachable. One second means that for each DNS server it will make three attempts and wait 1 second for each.
###########

# DNSserver 8.8.8.8
/DNSserver/ {
	server=$NF
	serverStatus[server] = 0
	idns++
	dns[idns, "ipaddress"] = server
}

# ;; Query time: 12 msec
# dig prints the stats section for any response it receives, including SERVFAIL or NXDOMAIN,
# so state 1 means "the server responded", not "the name resolved". A server that never
# responds prints ";; connection timed out; no servers could be reached" instead and stays at 0.
/Query time/ {
	querytime=$(NF-1)
	serverStatus[server] = 1
	response[server] = querytime
}


END {
	for (id in serverStatus) {
		dnstags["dns-server"] = id
		t["name"] = id
		if (serverStatus[id] == 1) {
			writeDoubleMetricWithLiveConfig("dns-response-time", dnstags, "gauge", "60", response[id], "DNS Response Time (Average)", "number", "dns-server")
		}
		writeDoubleMetricWithLiveConfig("dns-server-state", t, "gauge", "600", serverStatus[id], "DNS Servers", "state", "name")
	}
	# The server list is one array metric covering all servers, so write it once, not once per server
	if (idns > 0) {
		writeComplexMetricObjectArrayWithLiveConfig("dns-servers", null, dns, "DNS Servers")
	}
}
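The following is an added example, not Indeni's own parser or part of this script: it re-implements the logic of the REMOTE::SSH command and the AWK parser above in Python so the parsing can be exercised offline against constructed samples. The resolv.conf content, the dig output, and the server addresses in it are constructed, not captured from a real device. It goes one step beyond the AWK parser by also recording whether an A/AAAA record was actually returned, which separates "the server responded" from "the name resolved".

```python
"""Offline re-implementation of the unix-dig check (added example, not Indeni code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed /etc/resolv.conf: the commented-out nameserver must be skipped
# (a plain `grep nameserver` would match it) and the tab-separated entry must parse.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
# nameserver 10.0.0.1
search corp.example
nameserver 8.8.8.8
nameserver\t192.0.2.53
nameserver 10.0.0.2
"""

# Constructed output of the per-server loop
# (echo DNSserver $server && dig @$server www.indeni.com +noall +stats +answer +time=1):
#   8.8.8.8    answers with an A record,
#   192.0.2.53 never responds,
#   10.0.0.2   responds (dig prints stats) but returns no answer, e.g. SERVFAIL.
SAMPLE_DIG_OUTPUT = """\
DNSserver 8.8.8.8
www.indeni.com.\t\t299\tIN\tA\t203.0.113.10
;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE  rcvd: 59
DNSserver 192.0.2.53
;; connection timed out; no servers could be reached
DNSserver 10.0.0.2
;; Query time: 3 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)
;; MSG SIZE  rcvd: 32
"""

QUERY_TIME_RE = re.compile(r"^;; Query time: (\d+) msec")


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver IPs in resolv.conf order, ignoring blank and comment lines."""
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


@dataclass
class DnsServerResult:
    ip: str
    responded: bool = False          # dig printed a stats section (AWK state 1)
    response_ms: Optional[int] = None
    resolved: bool = False           # an A/AAAA record came back in the answer section


def parse_dig_output(output: str) -> Dict[str, DnsServerResult]:
    """Attribute each dig line to the server named by the preceding DNSserver line."""
    results: Dict[str, DnsServerResult] = {}
    current: Optional[DnsServerResult] = None
    for line in output.splitlines():
        if line.startswith("DNSserver "):
            current = results.setdefault(line.split()[-1], DnsServerResult(line.split()[-1]))
            continue
        if current is None:
            continue
        m = QUERY_TIME_RE.match(line)
        if m:
            # Printed for any response, including SERVFAIL/NXDOMAIN, so this alone
            # does not prove the name resolved.
            current.responded = True
            current.response_ms = int(m.group(1))
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] in ("A", "AAAA"):
            current.resolved = True
    return results


def build_metrics(results: Dict[str, DnsServerResult]) -> List[dict]:
    """Emit the same three metrics as the AWK END block, with dns-servers written once."""
    metrics: List[dict] = []
    for ip, r in results.items():
        if r.responded:
            metrics.append({"metric": "dns-response-time", "tags": {"dns-server": ip},
                            "value": r.response_ms})
        metrics.append({"metric": "dns-server-state", "tags": {"name": ip},
                        "value": 1 if r.responded else 0})
    metrics.append({"metric": "dns-servers", "value": [{"ipaddress": ip} for ip in results]})
    return metrics


def run_offline_check() -> List[dict]:
    """Run the pipeline on the constructed samples; servers the loop never reached count as down."""
    results = parse_dig_output(SAMPLE_DIG_OUTPUT)
    for ip in parse_nameservers(SAMPLE_RESOLV_CONF):
        results.setdefault(ip, DnsServerResult(ip))
    return build_metrics(results)


if __name__ == "__main__":
    for metric in run_offline_check():
        print(metric)
```

In the sample, 10.0.0.2 ends up with dns-server-state 1 and a 3 msec response time exactly as the AWK parser would report it, even though it returned no address; the extra `resolved` flag is what a stricter rule would need to alert on that case.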

CrossVendorDnsFailure

package com.indeni.server.rules.library.templatebased.crossvendor

import com.indeni.ruleengine.expressions.conditions.EndsWithRepetition
import com.indeni.ruleengine.expressions.core._
import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.{ConditionalRemediationSteps, StateDownTemplateRule}
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

case class CrossVendorDnsFailure(context: RuleContext) extends StateDownTemplateRule(context,
  ruleName = "CrossVendorDnsFailure",
  ruleFriendlyName = "All Devices: DNS lookup failure(s)",
  ruleDescription = "Indeni will alert if the DNS resolution is not working on the device.",
  metricName = "dns-server-state",
  applicableMetricTag = "name",
  alertItemsHeader = "DNS Servers Affected",
  alertDescription = "One or more DNS servers configured on this device are not responding or are failing to resolve www.indeni.com.",
  baseRemediationText = "Review the cause for the DNS resolution not working.",
  historyLength = 2
)(ConditionalRemediationSteps.VENDOR_JUNIPER ->
   """|1. On the device command line interface execute the "show system name-server" command to review the DNS configuration.
      |2. Run the "show host host-name [host-ip-address]" command to check if DNS is working properly and is reachable.
      |3. Ensure that UDP port 53 is allowed in the firewall rules.
      |4. Check the routes to the DNS server address.
      |5. Review the following article on the Juniper tech support site: <a target="_blank" href="https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/dns-name-server-configuring.html">Reaching a Domain Name System Server</a>.""".stripMargin,
  ConditionalRemediationSteps.VENDOR_FORTINET ->
    """
      |1. Login via HTTPS to the Fortinet firewall and go to the menu Network > DNS to review the DNS configuration.
      |2. Login via SSH to the Fortinet firewall and review the system DNS configuration.
      |3. Verify your DNS server IPs and routing. Ensure that your firewalls or routers do not block or proxy UDP port 53.
      |4. To verify your DNS service enter the following command in the CLI: "execute traceroute <server_fqdn>" where <server_fqdn> is a domain name such as www.example.com. If the DNS query fails, an error message is received such as: traceroute: unknown host www.example.com
      |5. Login via SSH to the Fortinet firewall and troubleshoot the problem by using "diag test application dnsproxy <X>" where <X> can be 1. Clear dns cache 2. Show stats 3. Dump DNS setting 4. Reload FQDN 5. Requery FQDN 6. Dump FQDN.
      |6. For more information review the following link: https://docs.fortinet.com/uploaded/files/2924/troubleshooting-54.pdf""".stripMargin,
  ConditionalRemediationSteps.VENDOR_BLUECOAT ->
    """
      |1. Login via HTTPS to the Bluecoat ProxySG and go to the menu Configuration > Network > DNS to review the DNS configuration.
      |2. Login via SSH to the Bluecoat ProxySG and review the system DNS configuration by typing the "show dns" command.
      |3. Verify your DNS server IPs and routing. Ensure that your firewalls or routers do not block UDP port 53.
      |4. To verify your DNS service enter the following command in the CLI: "test dns <server_fqdn>" where <server_fqdn> is a domain name such as www.example.com. If the DNS query fails, an error message is received such as: "Error encountered. Response error code: Name error".
      |5. Login via HTTPS to the Bluecoat ProxySG and go to the menu Statistics tab > Advanced > DNS > Show list of DNS URLs. Here is where you can see DNS entries or delete them.
      |6. Login via SSH to the Bluecoat ProxySG and clear the DNS cache by typing the "clear-cache dns-cache" command.
      |7. For more information review the following link: <a target="_blank" href="https://support.symantec.com/en_US/article.TECH240878.html">https://support.symantec.com/en_US/article.TECH240878.html</a>""".stripMargin
)