DNS: check content

[jtagcat]

DNS should have a 'keyword'-like field.

ie uptime-kuma.io TXT kirjukala.

What differentiates it from keywords is that uptime-kuma.io TXT kirjukala pahamaja should be read as failure.

For example, with AAAA, it doesn't help, if it is pointed elsewhere.

GitHub Etiquette

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

[N4v41]

a checksum with sha1 or md5 of the record value would be great for dns record integrity check.

[jtagcat]

DNSSEC, while you at it.

[romprod]

Is it also possible to compare against the previous results?

[jtagcat]

(Mass) import from current zone file. This would probably be copy-paste style. You can't just do 'get current' reliably, unfortunately.

[kingforaday]

Would be a really great feature to assert an expected value from the DNS answer. Keyword is a great idea.

[ilogus]

I wanted to use it to check DKIM record in case it gets changed.

[ryanjaeb]

This would be really useful. I would love to be able to import a zone file as a starting point. I haven't used it, but this project will convert a zone file to JSON and may be a nice reference or starting point since it has a permissible license and the author is active.

It would also be useful to be able to create a monitor from an existing query to catch records that aren't in an exported zone file. If you export a zone file from Cloudflare, it'll contain all the CAA records that you've explicitly configured, but if you query for CAA records directly you'll get a bunch of extras that Cloudflare adds so they can request certificates on your behalf.

For example, I get this (partial) zone file from Cloudflare:

;; CAA Records
example.com.	1	IN	CAA	0 iodef "mailto:caa@example.com"

However, a dig example.com CAA will return this:

;; ANSWER SECTION:
example.com.           300     IN      CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
example.com.           300     IN      CAA     0 issue "comodoca.com"
example.com.           300     IN      CAA     0 issue "letsencrypt.org"
example.com.           300     IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
example.com.           300     IN      CAA     0 issuewild "comodoca.com"
example.com.           300     IN      CAA     0 issuewild "letsencrypt.org"
example.com.           300     IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
example.com.           300     IN      CAA     0 iodef "mailto:caa@example.com"
example.com.           300     IN      CAA     0 issue "digicert.com; cansignhttpexchanges=yes"

As @jtagcat mentioned, it may not be possible to rely on querying for a current record, so that might not be practical. To me the only important thing would be to have a match based on an exact response. Using the above ANSWER SECTION as an example, I'd want to make sure the CAA query responds with exactly those 9 records and nothing else.

MX is similar. Some mail providers like Zoho recommend using priorities of 10, 20, and 50 for MX records and that makes it possible for a bad actor that compromises DNS to add a record with a lower value (aka higher priority). For example, if a bad actor gains control of your DNS they could add an MX record with a priority of 0 and you wouldn't get notified if you're only monitoring to ensure your records contain the results you're expecting.

[adamshand]

This would be very helpful in a lot of situations. For example, I just had to deal with a domain which was (for dumb reasons) allowed to expire and broke email for a bunch of people. I tried to setup a monitor on the MX records to prevent this happening again, but that doesn't work.

While being able to assert what the answer should be would be helpful, in some ways it would be better (require less maintenance) to simply notify any time the response doesn't match the previous response.

[CommanderStorm]

Note that our contribution guide can be found here and that we are open to contributions if you adhere to this
The DNS monitor is located here

[chakflying]

This will be fixed by #3919, but it will be a while before it gets implemented.

[danielb7390]

What about checking the result of a simple A query against the expected IP?
Currently it will only fail if the DNS lookup fails to return anything. It would be nice to check against a expected value.