3WoO: Alerting on DNS (IP Address) changes

If your DNS is hosted externally and you cannot monitor the zone files directly, a good way to verify that its integrity is intact is to check remotely, on a schedule, that the records have not changed.

With OSSEC you can do this with its command output monitoring: run a lookup periodically and alert when the output differs from the previous run.

First, download and install the latest version of OSSEC.

You will see a new tool in the /var/ossec/bin directory; running it without arguments prints its usage:

# /var/ossec/bin/util.sh
/var/ossec/bin/util.sh: addfile <filename> [<format>]
/var/ossec/bin/util.sh: addsite <domain>
/var/ossec/bin/util.sh: adddns <domain>

Example: /var/ossec/bin/util.sh adddns ossec.net
Example: /var/ossec/bin/util.sh addsite dcid.me

To add a domain to be monitored, run util.sh adddns with the domain name:

# /var/ossec/bin/util.sh adddns ossec.net

In this case we added the domain ossec.net. Behind the scenes, util.sh appends a full_command entry to the OSSEC configuration and a rule that fires when that command's output changes:

<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>host -W 5 -t NS ossec.net; host -W 5 -t A ossec.net | sort</command>
  </localfile>
</ossec_config>

<group name="local,dnschanges,">
  <rule id="150013" level="10">
    <if_sid>530</if_sid>
    <check_diff />
    <match>^ossec: output: 'host -W 5 -t NS ossec.net</match>
    <description>DNS Changed for ossec.net</description>
  </rule>
</group>

The result is an alert whenever the NS or A records of the domain change. Rule 530 is the stock OSSEC rule that matches every line of full_command output ("ossec: output: ..."), and check_diff makes the child rule fire only when the output differs from the previous run, with the previous output included in the alert so you can see what changed.

Two things to keep in mind. The first run only stores the baseline, so you will not see an alert until a later run differs. And in the generated command the "| sort" applies only to the second host invocation (the pipe binds to the last command, not to both), so if your resolver returns the NS records in rotating order you will get alerts for a reordering rather than a real change; group both host commands before the pipe so that the whole output is sorted. A lookup failure (for example a resolver timeout) also changes the output and will therefore alert, which is usually what you want, but it is worth knowing when you triage.
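The snapshot-and-compare logic that full_command plus check_diff performs, written out as a standalone POSIX shell script. This is an added example, not code from the OSSEC post or from util.sh; the function names, the baseline file path and the domain example.test are assumptions, and the lookup command is a variable so the script can be exercised offline with constructed host output. It differs from the generated command in one deliberate way: both host invocations are grouped before the pipe, so the entire snapshot is sorted and a rotated NS answer cannot look like a change.

```shell
#!/bin/sh
# Added example, not code from the OSSEC post or from util.sh. It reproduces
# the snapshot-and-compare logic that OSSEC's full_command + check_diff applies
# to the host output, so the same check can run from cron on a host without an
# OSSEC agent, and it sorts the whole snapshot rather than only the A records.
# In the generated command
#   host -W 5 -t NS ossec.net; host -W 5 -t A ossec.net | sort
# the pipe binds only to the second host call, so NS answers that come back in
# a different order would look like a change.

# The lookup command is a variable so it can be swapped for a stub when testing
# offline; by default it calls host exactly as util.sh does.
LOOKUP=${LOOKUP:-host_lookup}
host_lookup() {
    host -W 5 -t "$1" "$2"
}

# dns_snapshot DOMAIN: NS and A records as one sorted stream, so record order
# alone can never produce a diff.
dns_snapshot() {
    { "$LOOKUP" NS "$1"; "$LOOKUP" A "$1"; } | sort
}

# dns_changed BASELINE_FILE SNAPSHOT: compare a new snapshot with the stored
# one. Prints baseline/unchanged/changed on stdout, writes the record-level
# diff to stderr (the "what changed" part OSSEC puts in its alert), stores the
# new snapshot as the next baseline, and returns 1 on a change so a cron
# wrapper can alert on it.
dns_changed() {
    baseline_file="$1"
    snapshot="$2"
    if [ ! -f "$baseline_file" ]; then
        # First run: only establish the baseline, exactly like check_diff.
        printf '%s\n' "$snapshot" > "$baseline_file"
        echo baseline
        return 0
    fi
    if [ "$(cat "$baseline_file")" = "$snapshot" ]; then
        echo unchanged
        return 0
    fi
    printf '%s\n' "$snapshot" | diff "$baseline_file" - >&2 || true
    printf '%s\n' "$snapshot" > "$baseline_file"
    echo changed
    return 1
}

# Usage from cron (domain and paths are placeholders), e.g. every 6 minutes to
# match OSSEC's default 360 s full_command interval:
#   dns_changed /var/lib/dnswatch/ossec.net "$(dns_snapshot ossec.net)" \
#       || logger -p local0.warn "DNS changed for ossec.net"
```

A lookup failure still shows up as a change here, as it does under check_diff: host prints its error to stdout, which lands in the snapshot, so the first timeout and the recovery after it each produce one alert.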