Monitoring plugins for DNS-over-TLS servers

The results of the project have been documented on my blog.

A project for the IETF 98 Hackathon.

DNS-over-TLS is specified in RFC 7858.

The idea is to allow monitoring of DNS-over-TLS services by creating a monitoring plugin that follows the Nagios plugin API, so that it is suitable for Nagios or compatible systems such as Icinga.

We'll test with the public DNS-over-TLS resolvers.


First possibility: use Go, because it has both a nice DNS library and a good TLS package in the standard library.

TODO: see how to extract key and cert info from a session (parse the conn object? See the HTTP package to be sure. With the help of the TLS package?).

TODO: what are the policy rules for the monitoring plugins project? (See the CODING file in the source distribution; it is mostly source code presentation details.) Do they accept plugins written in Go?

TODO: is it possible to follow exactly the rules of the Nagios API in Go (command-line arguments, for instance)?

TODO: once done, publish on Monitoring Exchange.

Second possibility: C and getdns.

TODO: see how to extract key and cert info from a session. Do a second connection with GnuTLS (there is a risk of reaching a different server…). Or ask getdns to provide the raw cert in the JSON answer (TODO: format wishlist report).

TODO: a good example in C? Probably use one of the monitoring plugins. check_dummy.c is a good starting point (especially for the standard command-line arguments), check_http.c a more complete one.

An advantage of using C is that we may rely on the monitoring plugins' utilities, such as the np_net_ssl_check_cert() function in plugins/sslutils.c, to check the expiration date (we actually used GnuTLS services). To get the RTT, getdns can do it (return_call_reporting extension).


Must be able to specify: the resolver, of course, but also the DNS query name, the DNS query type, the expiration date for the cert (like the check_http plugin), the pinned key…

Bonus: being able to test the TLS configuration (no weak cipher, etc.).

Bonus: check the answer (mandatory content).

Must display the answer, and the RTT.
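
For the Go option, the key and cert info asked about in the first TODO, and the expiration-date and pinned-key checks listed above, can be read from the TLS session with the standard library alone. The program below is an added example, not the project's code: the flag names, default thresholds and the `DOT` status prefix are assumptions, the pin is the base64 SHA-256 of the SubjectPublicKeyInfo as in RFC 7858, and no DNS query is sent.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"flag"
	"fmt"
	"os"
	"time"
)

const OK, WARNING, CRITICAL = 0, 1, 2 // Nagios plugin exit codes

// spkiPin returns the base64 SHA-256 of the cert's SubjectPublicKeyInfo.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// evaluate checks pin, then days left; an empty wantPin skips the pin check.
func evaluate(cert *x509.Certificate, wantPin string, warn, crit int, now time.Time) (int, string) {
	if pin := spkiPin(cert); wantPin != "" && pin != wantPin {
		return CRITICAL, "pin mismatch, server presented " + pin
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	status := OK
	if days < crit {
		status = CRITICAL
	} else if days < warn {
		status = WARNING
	}
	return status, fmt.Sprintf("certificate expires in %d days", days)
}

func main() {
	host := flag.String("H", "", "DNS-over-TLS server name (flag names are this example's choice)")
	pin := flag.String("k", "", "expected SPKI pin, base64 SHA-256")
	warn := flag.Int("w", 14, "warning threshold, days before expiration")
	crit := flag.Int("c", 7, "critical threshold, days before expiration")
	flag.Parse()
	conn, err := tls.Dial("tcp", *host+":853", &tls.Config{ServerName: *host})
	if err != nil { // includes chain and expiry failures found during the handshake
		fmt.Println("DOT CRITICAL -", err)
		os.Exit(CRITICAL)
	}
	status, msg := evaluate(conn.ConnectionState().PeerCertificates[0], *pin, *warn, *crit, time.Now())
	fmt.Printf("DOT %s - %s\n", [...]string{"OK", "WARNING", "CRITICAL"}[status], msg)
	os.Exit(status)
}
```

Because the pin and the expiration date come from the same connection, this avoids the second-connection risk noted for the C option.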