Implementation#
On docs.cacti.net, there’s a seemingly user-contributed set of scripts for monitoring BIND9. Here’s what you need to know about how it works (or is supposed to work):
- The polling is triggered by the `bind-stats.sh` script.
- This script runs an `snmpget` query.
- The SNMP request, via the `extend` directive, executes another script: `runstats.sh`.
- It deletes the statistics file at `/var/cache/bind/named.stats` (hardcoded path).
- It runs `rndc stats`.
- It executes `cat /var/cache/bind/named.stats | /root/bin/dnsstats.pl` (again, hardcoded paths).
- The `dnsstats.pl` script reads the stats file and outputs a single-line string; this becomes the SNMP response.
- The output is passed through `sed`.
- It's then parsed and stored in RRD.
Here’s what the Perl script’s output looks like:
1a:5741 a6:0 aaaa:1560 any:0 cname:0 mx:0 naptr:0 ns:245 ptr:233 soa:55 spf:0 srv:6 txt:47 rsnx:19 rsfail: rserr:4 rsipv4qs:3459 rsipv4rr:3398 rsmismatch: rsqr:674 rsqt:668 rsrtt10: rsrtt100500:630 rsrtt10100:2755 rsrtt1600: rsrtt500800:13 rsrtt8001600: sockopen:3513 sockclosed:3505 sockbf: consest:3439 recverr:
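Note the empty fields in that line (`rsfail:`, `rsmismatch:`, `rsrtt10:`, ...). Anything that parses this output and feeds RRD has to keep the column order stable when a value is missing. As an added example (not part of the original scripts), here is a small POSIX shell helper that extracts one counter from a line in this format and builds the value list for an RRD update, mapping empty fields to `U` (RRDtool's "unknown" marker); the sample line is constructed and shortened.

```shell
#!/bin/sh
# Constructed sample in the format dnsstats.pl emits (shortened, with two empty fields).
SAMPLE='1a:5741 a6:0 aaaa:1560 rsnx:19 rsfail: rserr:4 rsrtt10: sockopen:3513'

# Print the value of one counter from a dnsstats.pl-style line.
# An empty field such as "rsfail:" (and a key that is absent entirely) yields "U",
# so a missing value never shifts the remaining columns in the RRD update.
bind_stat_value() {
    line=$1
    key=$2
    printf '%s\n' "$line" | tr ' ' '\n' | awk -F: -v k="$key" '
        $1 == k { print ($2 == "") ? "U" : $2; found = 1; exit }
        END { if (!found) print "U" }'
}

# Build the argument for "rrdtool update <file> N:v1:v2:..." in a fixed
# data-source order given as the remaining arguments (assumed DS names).
bind_stats_rrd_values() {
    line=$1
    shift
    out=N
    for key in "$@"; do
        out="$out:$(bind_stat_value "$line" "$key")"
    done
    printf '%s\n' "$out"
}
```

Run it on a real `dnsstats.pl` line to get the `N:...` string for `rrdtool update`; the DS order you pass must match the order the RRD was created with.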
Here are some recommendations on how to make it better.
Issues#
Permissions for rndc stats#
The command will be executed by the `snmpd` daemon, which runs under the `snmp` user. That would be fine, except it needs access to the `/etc/bind/rndc.key` file, which, for security reasons, is only accessible to the `bind` user.
The wrong solution would be to run the command via `sudo`.
The right solution is to add the `snmp` user to the `bind` group. (This will also come in handy in the next tip.)
```shell
$ usermod -a -G bind snmp
```
Two checks after doing this: the key file must actually be group-readable (owner `bind` or group `bind` with group read permission), and `snmpd` has to be restarted, because supplementary groups are only picked up when the process starts.
Permissions for /var/run/named/named.stats#
The `snmpd` daemon runs as the `snmp` user, while all BIND-related processes run as the `bind` user.
Because of this, the script won't be able to delete the `/var/run/named/named.stats` file.
The solution is simple:
- Create the `/var/run/named/named.stats` file using any method you prefer.
- Assign ownership to the `bind` user: `chown bind:bind /var/run/named/named.stats`
- Grant write permissions to the group: `chmod 660 /var/run/named/named.stats`
- Instead of deleting the file each time, just empty its contents: `truncate --size=0 /var/run/named/named.stats`
This works because deleting a file requires write access to its directory, whereas truncating only requires write access to the file itself, which the group permission above (together with the `snmp` user's membership in the `bind` group) provides.
Executing cat each time#
We don't need it if the Perl script reads the file directly (example patch):
```perl
# Take the stats file path as the first argument instead of reading piped input from cat.
my $filename = $ARGV[0];
open my $file, "<:encoding(utf8)", $filename or die "$filename: $!";
...
# Iterate over the file handle rather than STDIN.
while (my $line = <$file>) {
```
Redundant runstats.sh#
We don't need `runstats.sh`; it can be done in `snmpd.conf`:
```
extend-sh .1.3.6.1.4.1.18689.0.1 dnscache-stats /usr/bin/truncate --size=0 /var/run/named/named.stats ; /usr/sbin/rndc stats ; /etc/snmp/scripts/bind9/dnsstats.pl /var/run/named/named.stats
```
`extend-sh` (rather than `extend`) is what makes this work: it hands the whole command line to the shell, so the `;` chaining is honoured. Make sure the path used here matches the `statistics-file` option in your `named.conf`, since that is where `rndc stats` writes.
bind-stats.sh#
Also, just to note, `bind-stats.sh` has hardcoded values for SNMP v2. If you use v1, you will need to rewrite it.