If you need to set up DNS monitoring and check the authenticity of the DNS responses, you can configure the Custom Script monitoring device and use the DnsSecTest.cs script.

The DnsSecTest.cs script enables DNSSEC validation for DNS lookup.

What Is DNSSEC Validation

DNSSEC is a suite of extensions that improve Domain Name System (DNS) security by verifying that DNS results have not been tampered with. Enterprises can use DNSSEC to prevent a number of attacks related to DNS spoofing, DNS cache poisoning, etc.

DNS was designed when security was not a top priority in its development. Thus, when sending a request to an authoritative DNS server, the resolver can’t verify the authenticity of the response, sent by name servers to clients. The resolver can only check if the response comes from the same IP address to which the original request was sent.

DNSSEC helps to verify the authenticity of DNS responses by using digital signatures for DNS records.

Configuring DnsSecTest.cs

Custom Script File Arguments
DnsSecTest.cs <Domain/hostname> <recordType> <DnsServersUsage>

DnsSecTest.cs available parameters:

  • <Domain/hostname> – Domain or host name to resolve.
  • <recordType> – NS record type to query. Available values: Any, Uri, A, Ns, CName, Soa, Wks, Ptr, HInfo, Mx, Txt, Rp, Afsdb, X25, Isdn, Rt, Nsap, Sig, Key, Px, GPos, Aaaa, Loc, Srv, Naptr, Kx, Cert, DName, Opt, Apl, Ds, SshFp, Ipseckey, RrSig, NSec, Dnskey, Dhcid, NSec3, NSec3Param, TIsa, Hip, CDs, CDnskey, OpenPGPKey, CSync, NId, L32, L64, LP, Eui48, Eui64, TKey, TSig, Ixfr, Axfr, MailB, CAA, Dlv.
  • <DnsServersUsage>Optional: Type of DNS Server to use. Available values: Auto, IPv4Only, IPv6Priority.