3WoO: Alerting on DNS (IP Address) changes

If your DNS is hosted externally and you can't monitor the zone files directly, a good way to verify its integrity is to check remotely that the records haven't changed.

With OSSEC, you can do this by monitoring the output of a command.

First, download the latest version from here and install it.

You will see a new tool in the /var/ossec/bin directory:

# /var/ossec/bin/
/var/ossec/bin/ addfile <filename> [<format>]
/var/ossec/bin/ addsite <domain>
/var/ossec/bin/ adddns <domain>

Example: /var/ossec/bin/ adddns
Example: /var/ossec/bin/ addsite

So, you can just run the command “ adddns” and it will add the domain specified to be monitored:

# /var/ossec/bin/ adddns

In this case, we added the domain. In the backend, it adds these new entries:

     <command>host -W 5 -t NS; host -W 5 -t A | sort</command>

   <group name="local,dnschanges,">
   <rule id="150013" level="10">
     <check_diff />
     <match>^ossec: output: 'host -W 5 -t NS</match>
     <description>DNS Changed for</description>
   </rule>
   </group>

So you get a nice alert when your IP address changes.
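
The same idea outside OSSEC, as an added example that is not part of the original post or of OSSEC: take a sorted snapshot of the NS and A lookups, compare it with the previous one, and report any difference. The names `dns_snapshot`, `check_diff` and `STATE_DIR` are assumptions of this example, and a failed lookup leaves the stored baseline untouched.

```sh
#!/bin/sh
# Added example: a stand-alone version of the check_diff idea for DNS records.
# STATE_DIR, dns_snapshot and check_diff are names chosen for this example.
STATE_DIR="${STATE_DIR:-/var/tmp/dnswatch}"

# Print the NS and A records for domain $1, sorted so that round-robin
# reordering is not reported as a change. Fails if either lookup fails.
dns_snapshot() {
    ns=$(host -W 5 -t NS "$1") || return 1
    a=$(host -W 5 -t A "$1") || return 1
    printf '%s\n%s\n' "$ns" "$a" | sort
}

# Compare the snapshot on stdin with the stored baseline for domain $1.
# Returns 0 = unchanged, 1 = changed (diff printed, baseline replaced),
# 2 = first run (baseline stored), 3 = bad name or empty snapshot.
check_diff() {
    name=$1
    case $name in ''|*/*|.*) return 3 ;; esac   # name becomes a file name
    base="$STATE_DIR/$name.last"
    new="$STATE_DIR/$name.new"
    mkdir -p "$STATE_DIR" || return 3
    cat > "$new"
    if [ ! -s "$new" ]; then        # failed lookup: keep the old baseline
        rm -f "$new"
        return 3
    fi
    if [ ! -f "$base" ]; then
        mv "$new" "$base"
        return 2
    fi
    if cmp -s "$base" "$new"; then
        rm -f "$new"
        return 0
    fi
    echo "DNS changed for $name:"
    diff "$base" "$new"
    mv "$new" "$base"
    return 1
}

# Run as: dnswatch.sh <domain>   (e.g. from cron; exit status 1 means changed)
if [ $# -eq 1 ]; then
    snap=$(dns_snapshot "$1") || { echo "lookup failed for $1" >&2; exit 3; }
    printf '%s\n' "$snap" | check_diff "$1"
fi
```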