BIND9 + SNMP + Cacti

Tags: Sysadmin, Monitoring, Dns

Implementation

On docs.cacti.net, there’s a seemingly user-contributed set of scripts for monitoring BIND9. Here’s what you need to know about how it works (or is supposed to work):

  1. The polling is triggered by the bind-stats.sh script.
  2. This script runs an snmpget query.
  3. The SNMP request, via the extend directive, executes another script: runstats.sh.
    1. It deletes the statistics file at /var/cache/bind/named.stats (hardcoded path).
    2. It runs rndc stats.
    3. It executes: cat /var/cache/bind/named.stats | /root/bin/dnsstats.pl (again, hardcoded paths).
    4. The dnsstats.pl script reads the stats file and outputs a single line string — this becomes the SNMP response.
  4. The output is passed through sed.
  5. It’s then parsed and stored in RRD.

Here’s what the Perl script’s output looks like:

1a:5741 a6:0 aaaa:1560 any:0 cname:0 mx:0 naptr:0 ns:245 ptr:233 soa:55 spf:0 srv:6 txt:47 rsnx:19 rsfail: rserr:4 rsipv4qs:3459 rsipv4rr:3398 rsmismatch: rsqr:674 rsqt:668 rsrtt10: rsrtt100500:630 rsrtt10100:2755 rsrtt1600: rsrtt500800:13 rsrtt8001600: sockopen:3513 sockclosed:3505 sockbf: consest:3439 recverr:
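The single line above is exactly what bind-stats.sh hands to Cacti, and the sample already shows the failure mode to watch for: several counters come back with no value at all (rsfail:, rsmismatch:, rsrtt10:, rsrtt1600:, rsrtt8001600:, sockbf:, recverr:). A sed one-liner will happily pass "rsfail:" through, and the empty value then reaches RRD as an unknown sample. The shell functions below are an added example, not part of the original post or of the docs.cacti.net scripts; they normalise such a line before parsing (empty counters become 0), report which counters were empty so the gap is visible rather than silent, and extract one counter by name. The sample line is a shortened, constructed copy of the output format shown above.

```shell
#!/bin/sh
# Added example (not from the original post): post-process the one-line
# output of dnsstats.pl before Cacti parses it.

# Constructed sample in the format shown on the page; note the counters
# "rsfail:", "rsrtt10:" and "recverr:" that carry no value.
SAMPLE='1a:5741 a6:0 aaaa:1560 rsnx:19 rsfail: rserr:4 rsrtt10: recverr:'

# fill_empty LINE
# Print LINE with every "key:" that has no value rewritten as "key:0",
# so RRD receives a number instead of an unknown sample.
fill_empty() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:$/) $i = $i "0"
        print
    }'
}

# empty_fields LINE
# Print the names of the counters that came back without a value,
# space-separated, so a poller can log or alert on them.
empty_fields() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /:$/)
                out = out (out == "" ? "" : " ") substr($i, 1, length($i) - 1)
        print out
    }'
}

# count_fields LINE
# Number of key:value pairs; Cacti's data template expects a fixed set,
# so a change here means the Perl script or BIND output changed.
count_fields() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i ~ /:/) n++
        print n
    }'
}

# get_field LINE KEY
# Print the value of counter KEY (empty output if KEY has no value).
get_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == k) print kv[2]
        }
    }'
}

# Stand-alone usage: show the normalised line and the empty counters.
fill_empty "$SAMPLE"
empty_fields "$SAMPLE"
```

Dropping these functions into bind-stats.sh between the snmpget call and the existing sed step keeps the data template unchanged while making an empty counter show up as 0 in the graph and as a named entry in the poller log.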

Here are some recommendations on how to make it better.

Issues

Permissions for rndc stats

The command will be executed by the snmpd daemon, which runs under the snmp user. And that would be fine — except it needs access to the /etc/bind/rndc.key file, which, for security reasons, is only accessible to the bind user.

The wrong solution would be to run the command via sudo.

The right solution is to add the snmp user to the bind group. (This will also come in handy in the next tip.)

$ usermod -a -G bind snmp

Permissions for /var/run/named/named.stats

The snmpd daemon runs as the snmp user, while all BIND-related processes run as the bind user. Because of this, the script won’t be able to delete the /var/run/named/named.stats file.

The solution is simple:

  1. Create the /var/run/named/named.stats file using any method you prefer.
  2. Assign ownership to the bind user: chown bind:bind /var/run/named/named.stats
  3. Grant write permissions to the group: chmod 660 /var/run/named/named.stats
  4. Instead of deleting the file each time, just empty its contents: truncate --size=0 /var/run/named/named.stats

Executing cat each time

We don’t need it if the Perl script can read the file directly (example patch):

# take the stats file path as the first argument instead of reading stdin
my $filename = $ARGV[0];
# "or" binds loosely, so the die applies to open(), not to $filename
open my $file, "<:encoding(utf8)", $filename or die "$filename: $!";
...
while(my $line = <$file>) {

Redundant runstats.sh

We don’t need runstats.sh either; the same sequence can be expressed in snmpd.conf:

extend-sh .1.3.6.1.4.1.18689.0.1 dnscache-stats /usr/bin/truncate --size=0 /var/run/named/named.stats ; /usr/sbin/rndc stats ; /etc/snmp/scripts/bind9/dnsstats.pl /var/run/named/named.stats

bind-stats.sh

Also, just to note, bind-stats.sh has hardcoded values for SNMP v2. If you use v1, you will need to rewrite it.

Author: @soar, Senior SRE/DevOps engineer