check_axfr
Due to public demand ;-) I'm making available my quick 'n dirty check_axfr script.
I've tried to clean it up a bit and added a version number for better problem tracking. Please refer to that version number if you have any problems/questions.

So what does the script do at all?

It takes as input a logfile with lines from the bind-8.x security channel. You can create a file containing only those lines by adding the following logging statement to your named.conf:

        logging {
                // a dedicated channel that writes the security category to its own file
                channel my_security {
                        file "/your/path/to/security";
                        print-category yes;
                        print-severity yes;
                        print-time yes;
                };

                category security { my_security; };
        };
I strongly encourage you to do so, as the script reports every line it doesn't know how to handle as "ERRLINE: line", e.g.
    ERRLINE: 30-Aug-2000 08:54:01.625 security: notice: dropping source port zero packet from [195.186.98.10].0
It creates a summary per IP address: which host made how many transfers, whether they were approved or not, and which zones it tried to AXFR. If you have toplevel domains that are included in the RIPE hostcount you'll probably want to take advantage of the collapse feature ;-)

System Requirements

The check_axfr script is written in perl and needs the non-standard Net::DNS module, which can be downloaded from your nearest CPAN server or directly from Mike Fuhr's perldns page. As the module is only used to look up hostnames for the IP addresses it is not that essential, but you would have to hack the script a bit to get it running without it.

What does the output look like?

    [129.70.132.4]      sequoia.techfak.uni-bielefeld.de  (COLL)         23  
       *   papavero.de                                   (not m/s)       23      1  
       *   papier-kraemer.de                             (not m/s)       23      1  
       *   papierus.de                                   (not m/s)       23      1
This means there were 23 AXFR requests from 129.70.132.4 (i.e. sequoia.techfak.uni-bielefeld.de). The (COLL) indicates that the output was collapsed and only errors are listed. The asterisk indicates that the AXFR was unapproved for the domain, and the reason was that the local server is not master/slave for that domain. There was one request for each of those domains out of 23 in total from that host.
    [193.40.215.132]    pc132.kivioli.edu.ee                              4  
       *   aum.at                                        (acl)            4      2  
       *   kk.co.at                                      (acl)            4      1
193.40.215.132 (i.e. pc132.kivioli.edu.ee) made 3 AXFR requests, 2 for aum.at and 1 for kk.co.at, which were all denied because of ACL entries.
    [202.101.0.58]      max-p12-58.sta.net.cn                           114  
      U*   SF.COM                                                       114    114
114 unapproved updates from 202.101.0.58 (i.e. max-p12-58.sta.net.cn) for SF.COM.
    [195.30.0.14]       popmail.space.net                                 1  
           spacenet.de                                                    1      1
195.30.0.14 (i.e. popmail.space.net) made one successful AXFR for the zone spacenet.de.
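The log parsing and per-IP summary described above, as an added Python example that is not Maex's check_axfr script. Only the "dropping source port zero" line is taken from the page; the shapes of the approved/unapproved AXFR and update messages, the sample IPs and the zones are constructed assumptions, and the reverse hostname lookup the original does via Net::DNS is left out.

```python
import re
from collections import defaultdict

# Constructed sample of BIND 8.x security-channel lines. Only the "dropping source
# port zero" line is quoted on the page; the AXFR/update message shapes are assumed.
SAMPLE_LOG = """\
30-Aug-2000 08:54:01.625 security: notice: dropping source port zero packet from [195.186.98.10].0
30-Aug-2000 09:01:10.004 security: notice: unapproved AXFR from [129.70.132.4].3421 for "papavero.de" (not master/slave)
30-Aug-2000 09:01:11.120 security: notice: unapproved AXFR from [193.40.215.132].1025 for "aum.at" (acl)
30-Aug-2000 09:01:12.000 security: notice: unapproved AXFR from [193.40.215.132].1026 for "aum.at" (acl)
30-Aug-2000 09:02:00.500 security: info: approved AXFR from [195.30.0.14].2000 for "spacenet.de"
30-Aug-2000 09:03:00.000 security: notice: unapproved update from [202.101.0.58].53 for "SF.COM"
"""

# One transfer/update line: timestamp, category, severity, verdict, operation, [ip].port, zone, optional reason.
LINE_RE = re.compile(
    r'^\S+ \S+ security: \w+: (?P<verdict>approved|unapproved) (?P<op>AXFR|update) '
    r'from \[(?P<ip>[0-9.]+)\]\.\d+ for "(?P<zone>[^"]+)"(?: \((?P<reason>[^)]+)\))?$'
)

def parse_security_log(text):
    """Tally requests per source IP. Returns (summary, errlines); summary[ip] carries the
    per-IP total and a map of (zone, op, verdict, reason) -> count."""
    summary = defaultdict(lambda: {"total": 0, "zones": defaultdict(int)})
    errlines = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:                       # unknown line: report it instead of silently dropping it
            errlines.append("ERRLINE: " + line)
            continue
        entry = summary[m["ip"]]
        entry["total"] += 1
        entry["zones"][(m["zone"], m["op"], m["verdict"], m["reason"] or "")] += 1
    return summary, errlines

def format_report(summary, collapse=False):
    """Render one block per IP; with collapse=True list only unapproved requests and mark (COLL)."""
    out = []
    for ip, entry in sorted(summary.items()):
        tag = "(COLL)" if collapse else ""
        out.append(f"[{ip}]  {tag:6} {entry['total']:5d}")
        for (zone, op, verdict, reason), n in sorted(entry["zones"].items()):
            if collapse and verdict == "approved":
                continue
            flag = ("U" if op == "update" else " ") + ("*" if verdict == "unapproved" else " ")
            why = {"not master/slave": "(not m/s)", "acl": "(acl)"}.get(reason, f"({reason})" if reason else "")
            out.append(f"   {flag}   {zone:30} {why:10} {entry['total']:5d} {n:5d}")
    return "\n".join(out)

if __name__ == "__main__":
    summary, errlines = parse_security_log(SAMPLE_LOG)
    print("\n".join(errlines))
    print(format_report(summary, collapse=True))
```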
Copyright © 2000 Markus 'Maex' Stumpf
created: Tue Aug 29 23:39:01 CEST 2000
Maex