User Guide

DNS

24.1.0
Doc ID: af1daa65-c273-11ec-9fd1-fa163e15d75b:112934

DNS

DNS monitoring is a truly valuable and often neglected tool. If the authoritative DNS servers that are responsible for your server are down (or do not have the correct information) it makes your server effectively invisible to the internet. This type of monitoring checks each authoritative DNS server to see if it is running or if it has the correct IP information for your domain name.

The first thing you need to set up a DNS check is the IP address or FQDN of the authoritative DNS servers you would like to monitor. To find the authoritative DNS servers for a domain, run the whois command in a Linux terminal (or use www.whois.net) on the domain name of the server you would like to check. For example, typing in whois panopta.com returns, among other things, the list of name servers we are looking for, shown below:

Name Server: NS1198.DNS.DYN.COM
Name Server: NS2195.DNS.DYN.COM
Name Server: NS3181.DNS.DYN.COM
Name Server: NS4163.DNS.DYN.COM

Once you have the IP addresses or FQDNs of your name servers, add them to your list of servers in the FortiMonitor control panel.

Control Panel Configuration

Select DNS from the monitoring catalog.

There are two options for DNS checks.

Network check

  • DNS Name Lookup

  • DNS Port

A DNS port check is very rudimentary; it only checks whether the authoritative DNS server is listening on a given port.

A DNS name lookup lets you test whether this authoritative DNS server returns an IP address for a specific domain name. For additional protection you can add the correct IP address for this domain name, so you will be informed if the authoritative DNS server reports back an incorrect IP.

There are a number of options in the DNS Options tab.

  • DNS Record type (A, CNAME, MX, NS, SOA, TXT)

  • Match Options for IP address

  • Recursive or non-recursive

  • DNSSEC Validation
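As an added example (not FortiMonitor's own code), the following standard-library Python performs the equivalent of a non-recursive DNS Name Lookup check against one authoritative server: it sends an A query with the recursion-desired bit clear, parses the reply, and reports DOWN, NO_ANSWER, MISMATCH or OK. The match rule (every returned IP must be in the expected set), the transaction ID and any server or domain values you pass in are assumptions.

```python
import socket
import struct

def build_query(name, recursive=False, txid=0x1234):
    """A-record query; the RD bit stays clear unless recursive=True."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if recursive else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):  # advance past a (possibly compressed) domain name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    """Return (rcode, aa_flag, [IPv4 strings]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rdlen = struct.unpack_from("!H6xH", msg, off)  # skip CLASS and TTL
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, bool(flags & 0x0400), ips

def evaluate(expected_ips, result):
    """DOWN, NO_ANSWER, MISMATCH (an IP outside the expected set; assumed rule) or OK."""
    if result is None:
        return "DOWN"
    rcode, _, ips = result
    if rcode != 0 or not ips:
        return "NO_ANSWER"
    return "MISMATCH" if expected_ips and not set(ips) <= set(expected_ips) else "OK"

def check_name_server(server, name, expected_ips=(), timeout=3.0):
    """Query one authoritative server directly over UDP and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            return evaluate(expected_ips, parse_a_records(sock.recvfrom(4096)[0]))
        except OSError:  # timeout or unreachable server
            return evaluate(expected_ips, None)
```

Run check_name_server once per authoritative server from the whois output, with the same domain name and expected IP list each time, so that a single broken or stale server is reported on its own.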

How to monitor DNS on a regionally partitioned DNS record

The good news is that DNS monitoring will still work as normal (so long as you have configured your server with an FQDN), since our monitoring nodes perform local DNS resolution on that domain name.

However, this approach can make it hard to tell which address is failing, so we recommend that you create a DNS service check for each one of your FQDN’s IP addresses. This means creating a separate server (using the IP address, not the FQDN) in your FortiMonitor control panel and setting up DNS monitoring for each. By doing this you will know where your DNS outages are coming from.