DNSmonitor KB - DNS check KB

Integrity

The Integrity entity is the weighted result of the following zone- or record integrity checks

The integrity entity is presented as a number between 0 and 100%. The trigger levels for each event is shown below. The lowest integrity score (the highest severity) from all locations is displayed.

The result is also dependent on the total number of authoritative DNS servers serving the domain.

Note: An integrity failure on any of the user added host name integrity checks will always trigger an ERROR event!

Event severities

INFO

100%

There is no integrity anomalies found during the check run.

WARNING

70 - 99,999%

Please check the message or messages accompany the Warning event. A warning event is usually cased by discrepancies in SOA Serial numbers or Master Names between the different authoritative servers. Read more about the messages in the respective check section.

ERROR

35 - 70%

An Error event is usually triggered by multiple discrepancies between name servers but could also indicate that a host record has been altered. Check the messages for further information and take actions accordingly.

CRITICAL

0 - 35%

Please take note of the messages. A critical event is an indication of multiple integrity failures and should immediately be addressed.

Event messages

Messages can appear alone or in combination with each other.

{X} of {Y} monitored name servers are not up to date (synchronised).

Discrepancies in SOA Serial numbers is detected. If this message appear in consecutive checks the cause ned to be determined.

Different SOA master names indicate that the zone data originate from different masters, which may compromise the integrity query replies.

As the message indicate the SOA master names differs between name servers. This could be in order depending on the setup of your domain and DNS infrastructure.

{X} of {Y} monitored name servers does not resolve to the correct IP address (or addresses).

This could be a serious problem. Name server addresses are rarely altered and unless this change is legitimate chance are someone is doing something nasty to your domain. Worst case you might be a victim of a DNS hijacking attack.

One or more user defined host resource records does not resolve to the correct IP address.

This could be a serious problem. If the host resource record is updated by your organisation you need to remove the record from the Manage/Domains page and register it again so the new and correct response can be registered in the monitoring DB.

If the address (or CNAME) is not supposed to be altered chance are someone is doing something nasty to your domain. Worst case you might be a victim of a DNS hijacking attack.

Different delegation data may cause problems.

There is a discrepancy between the delegation resource records (NS) between the parent domain and the child domain. The delegation records should always match.

If you recently have added or removed NS resource records from your zone you need to update your registrar (parent) with the information and consequently perform a zone reconfiguration (on the Manage/Domains page) to update the DNS monitoring information.

If no such actions have been made from your part you might be a victim of a DNS hijacking attack.