Monitoring DNSSEC

Wednesday, 07 September 2011 / Published in Web Monitoring

DNSSEC is the recent answer to DNS cache poisoning [1]: the records of a zone are cryptographically signed, so a validating resolver can reject forged answers. That protection comes with an operational risk of its own, though: if a signature expires or a key rollover goes wrong, validating resolvers return SERVFAIL for the zone, and the site simply disappears for everyone behind such a resolver. So it definitely is something a web site’s admin would want to have monitored, and we are happy to tell you that AlertFox is able to do so.

While we don’t have an explicit DNSSEC sensor type, our HTTP sensor suffices when pointed correctly at the publicly available DNSSEC test site hosted at VeriSign. That site runs a DNSSEC validation test for the domain named in the request URL and renders the result as an HTML report, which is exactly the kind of page an HTTP sensor can inspect.

Here’s how to do it: 

(1) Create a new HTTP sensor.
(2) As URL use ‘<YOUR_URL>’ (without the single quotes, and with ‘<YOUR_URL>’ replaced by – well – the test site’s URL for your domain).
(3) As keyword to search for enter: " src="/red.png" style="width:1em (including the double quote characters; they must be straight ASCII quotes, because the keyword has to match the page’s HTML source literally, and typographic quotes would never match).
(4) Select the “Check if keyword is NOT present” radio button.
(5) Done.

The sensor will report an error whenever the test site flags a DNSSEC error for the given URL’s DNS data. Note the inversion in step (4): because the check is “keyword NOT present”, finding the keyword is the failure case, and the sensor only reports success while the error icon stays away from the results.

What does that sensor actually do? It requests the VeriSign test page, which starts a DNSSEC test for your domain, and then searches the returned HTML for the icon the page uses to mark errors.

(Things are made slightly more complicated by the fact that the page always contains at least one of the error icons in an explanatory legend. A keyword as short as ‘red.png’ would therefore match on every check and the sensor would never report success. That’s why the keyword looks so strange: it includes the attribute quoting that surrounds the icon in a real result row, so that real errors match but the explanatory one does not.)

Two caveats follow from this approach. First, the check is tied to the test page’s markup: if VeriSign renames the icon or reorders the attributes, the keyword silently stops matching and the sensor keeps reporting success. Second, the sensor confirms that the check still fires only if you try it against a zone whose DNSSEC is known to be broken. It is worth doing both when you set the sensor up and again whenever the test page changes its look.
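To make the keyword logic concrete, here is an offline model of the check in Python. This is an added example, not AlertFox code and not the VeriSign page: the HTML it inspects is constructed to imitate the two relevant parts of the test page (a legend that always shows the red icon, and a results table that shows it only on a real error), and the exact markup of those rows is an assumption. Only the keyword itself comes from the post. The example also shows what a naive ‘red.png’ keyword would see, and it includes a helper that runs the same check against a live URL if you pass one on the command line.

```python
"""Offline model of the 'keyword NOT present' DNSSEC check described above.

Added example, not AlertFox code and not the VeriSign test page. The HTML
below is constructed to imitate the page's two relevant parts: a legend that
always shows the red error icon, and a results table that shows it only when
the tested domain's DNSSEC chain has a problem. The row markup is an
assumption; only ERROR_KEYWORD comes from the post.
"""
import re
import sys
import urllib.request

# Keyword from the post, in straight ASCII quotes. It must match the page
# source byte-for-byte, so typographic quotes would never match.
ERROR_KEYWORD = '" src="/red.png" style="width:1em'

# Constructed legend: the icon is present, but nothing ending in a double
# quote precedes ' src=', so ERROR_KEYWORD does not match here.
LEGEND = '<p>Legend: <img src="/red.png" style="width:1em"> = error</p>'

ICONS = {"ok": "/green.png", "warn": "/yellow.png", "error": "/red.png"}


def result_row(status, text):
    """One constructed result row; an attribute before src= is assumed."""
    return ('<tr><td><img alt="%s" src="%s" style="width:1em"></td>'
            '<td>%s</td></tr>' % (status, ICONS[status], text))


def page(rows):
    """Assemble a constructed test page: legend first, then the results."""
    return ("<html><body>" + LEGEND + "<table>" + "".join(rows)
            + "</table></body></html>")


# Constructed sample pages: a healthy zone and one with an expired signature.
CLEAN_PAGE = page([
    result_row("ok", "Found 1 DNSKEY record for example.com"),
    result_row("ok", "Found 1 RRSIG record covering A"),
])
BROKEN_PAGE = page([
    result_row("ok", "Found 1 DNSKEY record for example.com"),
    result_row("error", "RRSIG record covering A has expired"),
])


def naive_error_icon_count(html):
    """What a plain 'red.png' keyword would see: the legend icon counts too."""
    return html.count('src="/red.png"')


def sensor_status(html, keyword=ERROR_KEYWORD):
    """Mirror the sensor's 'Check if keyword is NOT present' setting:
    the keyword turning up means the test page flagged a DNSSEC error."""
    return "error" if keyword in html else "ok"


def error_messages(html):
    """Pull the text next to each real error icon, e.g. for an alert body."""
    pattern = re.compile(re.escape(ERROR_KEYWORD) + r'[^>]*></td><td>(.*?)</td>',
                         re.S)
    return pattern.findall(html)


def check_url(url):
    """Run the same check against a live test-page URL (network required)."""
    html = urllib.request.urlopen(url, timeout=30).read().decode("utf-8", "replace")
    return sensor_status(html), error_messages(html)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))
    else:
        for name, html in (("clean", CLEAN_PAGE), ("broken", BROKEN_PAGE)):
            print(name, "naive red.png hits:", naive_error_icon_count(html),
                  "sensor:", sensor_status(html), error_messages(html))
```

Run without arguments to see the difference on the constructed pages: the naive count is 1 even for the clean zone (the legend), while the sensor keyword reports ‘ok’ for the clean page and ‘error’ for the broken one. Because the check depends on the row markup, re-run it against a known-broken zone after any visible change to the test page, just as you should with the sensor itself.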


