Using Wazuh for DNS and DNSSEC checks
We already wrote about using Wazuh to monitor website availability. Now, all our domains are DNSSEC-signed, and with automatic key rollovers we don't really need to worry too much about expired signatures, but this is yet another layer of technology... and it's always worth keeping an eye on it.
We again use Wazuh command monitoring (see previous article) and custom rules, but instead of curl we use the delv command from the dnsutils package on Ubuntu.
Relevant section from

<localfile>
  <log_format>command</log_format>
  <command>delv webcookies.org +cd</command>
  <alias>delv webcookies.org</alias>
  <frequency>3600</frequency>
</localfile>
Now, a word on the delv command — it is the dig equivalent for DNSSEC that performs delegation validation of the whole signature chain from the TLD down to your domain records. Usually you can call it just like delv webcookies.org, which will return fully validated when everything is OK. In the case of Wazuh monitoring, however, we are more concerned with cases where not everything is OK, and delv's answer there is less useful. Therefore we add the +cd option to get the full detail:
$ delv signotincepted.bad-dnssec.wb.sidnlabs.nl +cd
;; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DS: verify failed due to bad signature (keyid=56725): RRSIG validity period has not begun
;; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DS: no valid signature found
;; RRSIG validity period has not begun resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/DS/IN': 192.168.1.254#53
;; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DNSKEY: bad cache hit (signotincepted.bad-dnssec.wb.sidnlabs.nl/DS)
;; broken trust chain resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/DNSKEY/IN': 192.168.1.254#53
;; broken trust chain resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/A/IN': 192.168.1.254#53
;; resolution failed: broken trust chain
Now, all these unique strings are precisely what we can point Wazuh at! So here are the custom rules (see the previous article for details on how to add them). The two child rules chain to the parent rule 100090, which in turn hangs off the built-in command-output rule 530:
<group name="ossec,dnssec,">
  <rule id="100090" level="0">
    <if_sid>530</if_sid>
    <match>delv</match>
    <description>DNSSEC validation check</description>
  </rule>
  <rule id="100091" level="3">
    <if_sid>100090</if_sid>
    <match>fully validated</match>
    <description>DNSSEC validated</description>
  </rule>
  <rule id="100092" level="12" ignore="3600">
    <if_sid>100090</if_sid>
    <match>resolution failed</match>
    <description>DNSSEC resolution failed</description>
  </rule>
</group>
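To see what the rule chain above actually does with delv's output before deploying it, here is an added Python example (not part of the original post or of Wazuh) that rebuilds the command event the way Wazuh's command log format emits it, applies the same match strings as rules 100090/100091/100092, and additionally pulls the failure reasons out of the +cd diagnostics. The sample outputs are constructed; the failure text mirrors the test zone shown above.

```python
import re

# Sample delv outputs, constructed for this example: a minimal "fully
# validated" answer and the +cd diagnostics of the broken test zone above.
DELV_OK = "; fully validated\nwebcookies.org.\t300\tIN\tA\t192.0.2.10\n"
DELV_BROKEN = (
    ";; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DS: verify failed "
    "due to bad signature (keyid=56725): RRSIG validity period has not begun\n"
    ";; validating signotincepted.bad-dnssec.wb.sidnlabs.nl/DS: no valid signature found\n"
    ";; broken trust chain resolving 'signotincepted.bad-dnssec.wb.sidnlabs.nl/A/IN': 192.168.1.254#53\n"
    ";; resolution failed: broken trust chain\n"
)

# Same chain as the custom rules: the parent matches "delv" in the event,
# the children decide between validated (level 3) and failed (level 12).
CHILD_RULES = [
    (100091, 3, "fully validated", "DNSSEC validated"),
    (100092, 12, "resolution failed", "DNSSEC resolution failed"),
]


def as_wazuh_event(alias, output):
    """Build the single-line event Wazuh's command log format produces
    (the prefix is what the built-in rule 530 matches; output is flattened)."""
    return f"ossec: output: '{alias}': " + " ".join(output.split())


def classify(event):
    """Return {rule_id, level, description, reasons} for the rule that would
    fire, or None when the parent rule 100090 (<match>delv</match>) would not."""
    if "delv" not in event:
        return None
    reasons = []
    for segment in event.split(";;"):
        segment = segment.strip()
        # Signature-specific failure, e.g. an RRSIG not yet valid or expired.
        m = re.search(r"verify failed due to bad signature \(keyid=\d+\): (.+)", segment)
        if not m:
            # Final verdict delv prints when the chain cannot be validated.
            m = re.match(r"resolution failed: (.+)", segment)
        if m and m.group(1) not in reasons:
            reasons.append(m.group(1))
    for rule_id, level, needle, description in CHILD_RULES:
        if needle in event:
            return {"rule_id": rule_id, "level": level,
                    "description": description, "reasons": reasons}
    # Neither child matched: only the level-0 parent fires (no alert).
    return {"rule_id": 100090, "level": 0,
            "description": "DNSSEC validation check", "reasons": reasons}
```

The extracted reasons are what you would want in the alert text when triaging: "RRSIG validity period has not begun" points at a clock or signing problem, while a bare "broken trust chain" with no signature detail is typical of the resolver-stripping case described below.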
Now, a word of warning — if delv returns nonsense responses for domains that you know have DNSSEC, you're most likely behind a resolver that strips the signature data, such as systemd-resolved. In this case just use any other recursive nameserver which preserves DNSSEC data.