Here is a quick trigger to examine the TTL in a DNS response.
nslookup would be faster for a one-off check. But what if you want to monitor your network for low TTLs in DNS responses? Synthetic checks (e.g., an nslookup every 10 seconds) put additional load on your network and DNS infrastructure, and they don't give you an accurate picture of what is actually happening in production: they show what the resolver hands your probe, not what real clients are receiving.
The solution: a trigger to monitor TTLs as they fly across the wire.
I've packaged the trigger as a bundle.
I modified the trigger and ran it against a couple of random sites. The different TTLs were interesting. (Not sure what to make of it, though.)
You could take this trigger and:
- store specific TTLs in the ExtraHop datastore,
- create alerts when the TTLs for critical infrastructure fall out of spec (for example, if the TTL for a heavily used infrastructure component is set to 0),
- set up Service Availability dashboards to monitor TTLs for critical infrastructure,
- rsyslog() the findings to Splunk.
- Download and apply the bundle.
- Edit the trigger (TTL in DNS Response) to specify the lookups you want to know the TTL for. By default the trigger looks for
- Apply the trigger to DNS server(s) or client(s) of interest.
- Look at the trigger's Runtime Log for the output.
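As an added example (not the bundle's trigger code), here is the TTL check such a trigger could run, written as plain JavaScript so it can be exercised offline. The watchlist names, the threshold, and the sample response are all constructed for the illustration; the answer-record shape (name/type/ttl/data) mirrors what the trigger API exposes as DNS.answers, and the function returns its findings so they can be checked rather than only logged.

```javascript
// Added example, not code from the bundle. Everything below is an assumption
// used for illustration: the watched hostnames, the threshold, and the
// sample response.
const WATCHLIST = ['ns1.corp.example', 'ldap.corp.example']; // assumed names
const MIN_TTL = 60; // seconds; assumed "in spec" floor

// Normalise a DNS name for comparison: lower-case, no trailing dot.
const canon = n => String(n).toLowerCase().replace(/\.$/, '');

// Return the answer records whose TTL is below minTtl, but only for
// responses that concern a watched name. A record matches if either the
// queried name or the record's own name is on the watchlist, so the A
// records at the end of a CNAME chain are still caught.
function lowTtlAnswers(qname, answers, watchlist = WATCHLIST, minTtl = MIN_TTL) {
  if (!Array.isArray(answers)) return []; // e.g. NXDOMAIN/SERVFAIL: nothing to check
  const watched = new Set(watchlist.map(canon));
  return answers
    .filter(a => a && typeof a.ttl === 'number')
    .filter(a => watched.has(canon(qname)) || watched.has(canon(a.name)))
    .filter(a => a.ttl < minTtl)
    .map(a => ({ qname: canon(qname), name: canon(a.name), type: a.type, ttl: a.ttl, data: a.data }));
}

// One finding as a single key=value line, suitable for the Runtime Log or syslog.
function formatFinding(f, client, server) {
  return `dns_low_ttl qname=${f.qname} rr=${f.name} type=${f.type} ttl=${f.ttl} ` +
         `data=${f.data} client=${client} server=${server}`;
}

// Constructed sample: what one DNS_RESPONSE might carry for a watched name,
// including a CNAME chain whose A records have a zero and a very short TTL.
const SAMPLE = {
  qname: 'ldap.corp.example',
  client: '10.0.0.25',
  server: '10.0.0.53',
  answers: [
    { name: 'ldap.corp.example',   type: 'CNAME', ttl: 300, data: 'ldap-1.corp.example' },
    { name: 'ldap-1.corp.example', type: 'A',     ttl: 0,   data: '10.0.1.10' },
    { name: 'ldap-1.corp.example', type: 'A',     ttl: 5,   data: '10.0.1.11' },
  ],
};

// Run the check over one response and return the formatted findings.
function run(sample = SAMPLE) {
  return lowTtlAnswers(sample.qname, sample.answers)
    .map(f => formatFinding(f, sample.client, sample.server));
}

if (typeof require !== 'undefined' && require.main === module) {
  run().forEach(line => console.log(line));
}
```

Inside a real trigger you would call lowTtlAnswers(DNS.qname, DNS.answers) from the DNS_RESPONSE event and hand each formatted line to debug() for the Runtime Log or to Remote.Syslog.info() for Splunk; those API names are from the trigger documentation as I remember it, and the bundle's own trigger may be structured differently. Note that the sample deliberately keeps the 300-second CNAME out of the findings while flagging both short-lived A records, which is the "TTL set to 0 on a heavily used component" case the post calls out.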