DNS Watcher

(c) SB-Software / Scott M. Baker, smbaker@sb-software.com


DNS Watcher is a program designed to monitor and query DNS servers. DNS Watcher is mainly intended for use by webmasters and website operators to keep watch on their DNS entries and make sure the name servers are responding correctly. DNS Watcher allows you to enter a list of server names and host names, and DNS Watcher will query those servers periodically to make sure the servers are providing the correct results.

DNS Watcher also includes an interactive query tool, similar to the Unix/Linux "nslookup" and "dig" commands, but with a Windows GUI.

Table of Contents
  1. Quick Start
  2. The main form
    1. Buttons
    2. Settings
    3. Preferences
  3. Adding/Editing DNS Watcher Entries
  4. Detecting Pharming Attacks
  5. Registration
  6. Revision History

Quick Start:

When you open the DNS Watcher window for the very first time, you'll see a big list where you can enter pairs of (server_name, host_name). This is where you'll want to add the servers that you want to monitor.

  1. Press the <Add> button to add a server entry
    1. This will open up an "add dns watcher entry" dialog
    2. Enter your server name into the "dns server address" box
    3. Enter the host name that you want to monitor into the "host name" box
    4. Press <Ok> when you've got it right
  2. Repeat the above step #1 for any servers and/or host names that you want to add
  3. Press the <Run Now> button to check all of the servers in the list

Main Form Buttons:

The main form has several buttons that are used to interact with the servers/hostnames in the list box:

<Run Now> Process all of the servers / hostnames in the list, checking each one and presenting the results on the screen. Entries will appear with a yellow dot while they are being checked, a green icon if they are good, or a red icon if they are bad.
<Add> Add another entry to the list
<Edit> Edit one of the entries in the list
<Delete> Delete an entry in the list
<Query> Perform an "A" query on the currently highlighted entry and show you the results
<Enable> / <Disable> These two buttons together allow you to enable or disable individual entries. If an entry is disabled, DNS Watcher will not check it.

Main Form Settings:

Auto-Run: The auto-run setting causes DNS Watcher to periodically poll the servers in your list. This activity is automatic and should occur in the background. You can set the time period of how often the auto-run occurs (every five minutes is good for starters).
Record Log File: Recording the log file will store all of the results in a log file. This is good so that you can go back and see what has happened. You can set the logging option to only record failures if you like (after all, "successes" aren't that interesting).
Retry Timeouts: Timeouts occur when the DNS server does not respond in a timely manner. Since DNS operates over the UDP protocol, there is certainly a possibility that a packet may be dropped. Automatically retrying the timeouts will eliminate many of the superfluous errors.


The preferences are accessed by using the "Setting:Preferences" pull-down menu item.

Shrink to Taskbar when "X" Clicked: This will cause DNS Watcher to be minimized to the system tray in the Windows taskbar when you click the close ("X") button on the window. This is useful if you intend to run DNS Watcher as a system-tray monitoring tool.
Pop-up when error detected: Causes a balloon popup to appear over the DNS Watcher icon in the system tray whenever an error occurs.
Auto-Load on Windows Startup: Automatically loads the program and minimizes it to the system tray when Windows starts up.
Auto-Save modifications: Automatically saves your changes when you add or edit entries.


Editing DNS Watcher Entries

The <Add> and <Edit> buttons bring up a dialog that is essentially identical, so we will discuss it here in one spot.

There are two key pieces of information that you will need to enter into the dialog:

You also have the option of entering a list of allowable addresses. If you leave the allowable addresses blank, then DNS Watcher will consider any valid 'A' record to be a successful query. While this ensures that the DNS server is working and responding to queries for the host name you've entered, it does not ensure that the DNS server is responding with the correct addresses.

In order to really bullet-proof the monitoring of your DNS server, you will always want to enter an address into the allowable addresses box. This will ensure that your servers are providing the correct address, and have not been attacked or misconfigured. Generally, you should only need to enter one address into the allowable address list. The only case where you would need to enter more than one is if you are using round-robin DNS or some other load distribution mechanism that distributes your address to a collection of addresses.

Detecting Pharming attacks on your servers

A "pharming attack" is a relatively new type of social engineering attack that is being perpetrated against web sites. An attacker hijacks your DNS records and changes them to point at his web server instead of your web server. Let's use the popular PayPal service as an example and consider how such an attack might be mounted against PayPal:

  1. An attacker somehow gains access to PayPal's DNS records
  2. The attacker changes the DNS record for www.paypal.com from the correct IP address to the IP address of his own server, where he creates a site that looks exactly like PayPal
  3. Legitimate PayPal customers would be directed to the phony server
  4. They enter their user IDs and passwords, which are collected by the attacker, who promptly uses them to steal their money or their identity.

The danger in a Pharming attack is that the user believes he is accessing a legitimate web server. Pharming attacks are more insidious than phishing attacks because in a phishing attack, a savvy user is usually able to notice that he is accessing a phony server. However, since a Pharming attack is perpetrated at the DNS level, the user would have no way to know he is not accessing the correct web server.

DNS Watcher has an option "restrict the allowable addresses" that can be used to detect Pharming attacks. In this configuration, you enter a list of permissible addresses that could be returned for your web server. If the DNS query returns an address that is not on the list, the query will be flagged by DNS Watcher as an error.

Given our attack scenario outlined above, when an attacker modifies the DNS records to point to his own server, his server's IP address would not be in the list that you entered into DNS Watcher, and the attack would be detected.

In order to protect against Pharming attacks, it is important that you monitor several DNS servers with DNS Watcher, and not only your company's server. There are sophisticated Pharming attacks such as "cache poisoning" that are able to corrupt the DNS records in the intermediate nodes of the DNS system, without having to compromise your company's root server. Ideally you would configure DNS Watcher to watch some DNS servers outside of your company (for example, servers at some popular ISPs, or off-site servers for your company).
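
The allowable-addresses check described in this section, as an added Python example (not DNS Watcher's own code): it sends an "A" query over UDP to one DNS server, retries timeouts, and flags any returned address that is not on the list. The function names and result strings are assumptions made for this example.

```python
import os, socket, struct

def build_query(host, txid):
    # txid (2 bytes), flags with RD set, one question: QNAME, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in host.strip(".").split("."))
    return txid + struct.pack(">HHHHH", 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, pos):
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += 1 + msg[pos]                        # step over one label
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)  # pointer: 2 bytes, root label: 1

def parse_a_records(msg):
    # IPv4 addresses from the answer section; empty list on an error RCODE
    flags, qdcount, ancount = struct.unpack(">HHH", msg[2:8])
    if flags & 0x000F:
        return []
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4              # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:              # A record; CNAMEs etc. are skipped
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def classify(addrs, allowed):
    # Empty allowed list: any A record passes; otherwise every address must be listed
    if not addrs:
        return "FAIL: no A record"
    bad = sorted(set(addrs) - set(allowed)) if allowed else []
    return "FAIL: unexpected " + ", ".join(bad) if bad else "OK"

def check(server, host, allowed, retries=2, timeout=3.0):
    for _ in range(retries + 1):
        txid = os.urandom(2)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((server, 53))            # only replies from this server are delivered
                s.send(build_query(host, txid))
                reply = s.recv(512)
            except OSError:                        # timeout or socket error: retry
                continue
        if reply[:2] == txid:                      # ignore replies to some other query
            return classify(parse_a_records(reply), allowed)
    return "FAIL: no valid reply"
```

Call check() once per monitored server for the same host name, including servers outside your company, and treat any result other than "OK" as an error.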



This software is not free! You are allowed to evaluate the software for a limited amount of time. If you find the software useful and continue to use it, then you must register to continue using the product.

Complete registration information is available at http://www.sb-software.com/credit/

Registrations may be paid for online by a variety of methods (credit card, etc.), or may be made through the mail. See the web site at http://www.sb-software.com/

Revision History
