Thursday, February 26, 2009

DNS and Asset Information

Saw this post at TaoSecurity today about using DNS as a tool for Asset Management.

It toys with the thought of creating custom DNS records that identify asset owners. It's an interesting thought that was partially used at my last job. Our senior sysadmin had an unwritten policy that any server added to our internal DNS would also need a TXT record that contained information such as the hardware serial number. I'm not sure how many characters a TXT record supports, but I'm sure you could add other info as well. If you weren't sure who the contact person for a server was, or where it was located, you could "dig servername txt".

Here's an example of a DNS TXT record entry.


Reamer77 said...

I received some comments through my Facebook page (I link my blog to the notes) and I wanted to share.

(Mestizo's comment [ ])

"Interesting. Yeah, for internal hosts in our company, I will sometimes still the name of the person responsible in the hostname. So I might have a server named dev-syslog-test-server-matt, just so I know who to go talk to if that machine has issues.

The TXT record is something I never thought of. I'm going to give it a try next week and see how it works!"

(Trevor's comment [])

"Any idea how to sweep a network with 1000+ devices and push that into your DNS's txt records?"

(My comment)
"I gave it a *little* thought when I was reading the article. I was thinking of script grabbing contact strings from SNMP and then populating the zonefile. But that requires individualized SNMP configs, which sucks because when you have a lot of hosts, you'd probably want them centrally maintained (rsync, cfengine, puppet, etc.)"

Trevor does bring up a good thought about how could one automate or alleviate much of the work to populate a lot of records that already exist. As I wrote, perhaps using SNMP values, but that's probably not possible when you have that many hosts. Or maybe if there was a tool that could query your asset management database?

Reamer77 said...

Here's some more interesting available DNS records that I was not aware of.