How DNS wildcards really work & how to prevent that DNS wildcard bite!
The domain name system includes a function called "DNS wildcards". DNS wildcards are created using special domain names in DNS zones, such as "*.example.com.". DNS wildcards look similar to Unix shell globbing, Windows command.com wildcards or regular expressions. However, DNS wildcards have their own rules.
Mr. Carsten Strotmann from the Men & Mice Services team will host a 30-minute webinar with a Q&A session at the end, on Wednesday, April 16th, 2014, where you will learn how DNS wildcards really work and how to prevent that DNS wildcard bite!
Tailored for DNS administrators on Unix and Windows operating authoritative DNS Servers with one or more zone-files, as well as all those interested in the topic.
Whatever your location: Europe, USA, Asia or Middle-East, we are offering times that will fit your schedule. Mr. Strotmann will host the webinar first at 10:00 am CEST and then again at 7:00 pm CEST on April 16th.
Webinar Details: (for Asia, Europe and Middle East)
When: April 16th (WED), 2014
Time: 10:00 CEST / 12:00 GST / 16:00 CST (for Asia, Europe and Middle East)
Length: 40 minutes (webinar + Q&A session)
Webinar Details: (for USA)
When: April 16th (WED), 2014
Time: 7:00 pm CEST / 1:00 pm EDT / 10:00 am PDT (for USA)
Length: 40 minutes (webinar + Q&A session)
By Mr. Carsten Strotmann, one of the Men & Mice experts.
BIND 9.10 is the new version of the BIND 9 DNS server from ISC (not to be confused with BIND 10, which is a different DNS server product). We will report in a series of articles about the new features in BIND 9.10. The first beta version of BIND 9.10 was released this week and can be found at ftp://ftp.isc.org/isc/bind9/9.10.0b1/.
BIND 9.10 contains a new command-line tool to test DNSSEC installations. The tool is called delve and it works very much like the well-known dig, but with special DNSSEC validation powers.
delve checks the DNSSEC validation chain using the same code that is used by the BIND 9 DNS server itself. Compared with the DNSSEC testing function in dig +sigchase, delve is much closer to what really happens inside a DNS server.
1.1 A simple lookup
Without extra arguments, delve will query the local DNS server (taken from /etc/resolv.conf) for an IPv4-Address record at the given domain name. It tries to validate the answer received, prints the result of the validation, the requested data and the RRSIG Record (DNSSEC signature) used to verify the data.
As with dig, resource record types and network classes can be given in almost any order on the command line. The switch +multi (for multiline) enables pretty printing: human-readable output that is neatly formatted for a 78-column screen.
1.3 Tracing DNSSEC validation
delve comes with a set of trace switches that can help troubleshoot DNSSEC validation issues. The first switch, +rtrace, prints the extra DNS lookups delve performs to validate the answer:
In this example, in addition to the MX (Mail Exchanger) record, the DNSKEY record (DNSSEC public key) and the DS record (Delegation Signer) for dnsworkshop.org, as well as the DNSKEY and DS records for ORG and the DNSKEY for the root zone ".", have been requested. The trust anchor for the Internet root zone is compiled into delve and acts as the starting trust anchor for the validation.
The switch +mtrace prints the content of any additional DNS records that have been fetched for validation.
+vtrace prints out the DNSSEC chain of validation:
delve is a very useful tool, not only for BIND 9 admins, but for everyone who needs to troubleshoot and fix DNS- and DNSSEC related issues.
Men & Mice, a leading provider of DNS, DHCP and IP Address Management (IPAM) solutions, announces the release of the Men & Mice Suite version 6.5.
The new release focuses on providing operational security and the ability to expand customer infrastructure.
Traditionally the Men & Mice Suite has been deployed as an overlay management solution for core DNS and DHCP services. As more customers become reliant on the Men & Mice Suite for the automation and control of their critical network infrastructure, any potential downtime can affect provisioning systems and other automated processes that must operate without interruption. To address the need for this absolute reliability, version 6.5 of the Men & Mice Suite comes with even more complete High Availability functionality.
Cloud environments have become an important part of the enterprise network, and traditionally the visibility into the DDI component of the cloud has been limited. Version 6.5 of the Men & Mice Suite now enables customers to manage core infrastructure services in the OpenStack cloud environment as seamlessly and easily as they manage their internal networks.
Version 6.5 of the Men & Mice Suite enables customers to configure and run Men & Mice Suite (Central) in a HA mode. This means that multiple copies of the Men & Mice Central can be run simultaneously on the network, and at any given time one of them will be the active instance. If an active instance of the Men & Mice Suite fails or is taken down for any reason, one of the other instances will assume the active role. When that happens all clients, whether they be regular user interfaces or script APIs, will automatically fail over to the new Central. With the new HA setup customers can run their critical automation processes without fear of interruption from possible downtime.
Software Defined Networking (SDN) and Cloud stack solutions that act as an IaaS platform are increasingly becoming a common part of the enterprise infrastructure. The Men & Mice Suite version 6.5 contains integration with OpenStack, an open source project for service providers, enterprises, government agencies and academic institutions that want to build public or private clouds. Multiple teams within an organization, each with their own cloud instances and multiple networks and subnets, are faced with the problem of limited visibility into their cloud environment. Men & Mice integrates the software defined networks with the traditional networks that exist in the enterprise environment enabling a global view into every aspect of the network infrastructure. The "good citizen" nature of the Men & Mice Suite continues to be preserved so the OpenStack networks can be created and configured through the Suite but the solution will also adapt to changes done outside of the Men & Mice Suite, either through the Horizon UI or through the OpenStack API.
Additionally, changes to OpenStack networking can be done through the Men & Mice Suite SOAP API, which can utilize the authentication, authorization and activity logging in Men & Mice. The result is gaining the flexibility of a cloud environment while still retaining all the security and control possible through the Men & Mice Suite.
In this new release the documentation and help has been moved from the operational manual format to a web based format. This change will ensure that all users get guaranteed access to the latest version of the help and documentation.
As in previous releases of the Men & Mice Suite, the new version contains various other enhancements that are intended to improve ease-of-use, stability and performance.
By Mr. Carsten Strotmann, one of the Men & Mice experts.
BIND 9 and how a security issue demonstrates quality
Recently ISC issued a security warning (CVE-2014-0591) for several BIND versions.
The issue was that BIND 9 detects wrong data while working on NSEC3 records, and because the data is wrong, it opts to terminate itself instead of working with the wrong data (which could expose more serious security issues, esp. when handling DNSSEC data).
Shane Kerr of ISC described this behavior of BIND in the blog post "BIND 9's Security Record": "The manner in which BIND 9 reacts to software bugs is to terminate. While unpleasant for administrators, the idea is to avoid the system running in an invalid state and causing more damage."
ISC's Michael McNally gave some background information on the security issue on the BIND users mailing list. The security issue has been caused by a change in the fundamental operating system library, the "libc". The implementation of the memcpy function has been changed in a recent update of the glibc library used on Linux systems. This change of implementation has triggered the bug to become visible. So far, the same bug has not been seen on other operating systems, or with other libc implementations. However, that does not mean that these systems are safe, just that the security issue does not show (but might still be there).
I'm happy about how BIND 9 handles this issue (terminating instead of ignoring the issue). This way the administrator notices (one hopes) and updates to a fixed version of BIND 9 and as binary installer packages for RedHat, Debian and Solaris from Men & Mice.
What scares me is all the other software out there (open source or commercial) that might be affected by this bug, but does not have the security net that BIND 9 has.
There could be similar security issues lurking in other software products. Stay vigilant! Monitor your servers.
As developers, we should scan our code for this error pattern (memcpy vs. memmove).
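The memcpy vs. memmove pattern named above, as an added example (not code from BIND or from the original post): memcpy() on overlapping ranges is undefined behaviour, so code that slides data within one buffer must use memmove(), and call sites that assume distinct buffers can check that assumption and refuse instead of copying. The helper names and the sample buffer are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if [dst, dst+n) and [src, src+n) share at least one byte. */
static int regions_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;

    if (n == 0)
        return 0;
    return (d < s) ? (s - d < n) : (d - s < n);
}

/*
 * memcpy() wrapper for call sites that assume distinct buffers.
 * memcpy() on overlapping ranges is undefined behaviour, so the result
 * depends on how the libc happens to implement the copy. Refuse instead
 * of copying: returns 0 on success, -1 if the ranges overlap.
 */
static int checked_copy(void *dst, const void *src, size_t n)
{
    if (regions_overlap(dst, src, n))
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/*
 * Delete `count` bytes at offset `off` from a `len`-byte buffer by sliding
 * the tail down. Source and destination lie in the same buffer and may
 * overlap, so this must be memmove(). Returns the new length, or
 * (size_t)-1 if the span does not fit inside the buffer.
 */
static size_t remove_span(unsigned char *buf, size_t len, size_t off, size_t count)
{
    if (off > len || count > len - off)
        return (size_t)-1;
    memmove(buf + off, buf + off + count, len - off - count);
    return len - count;
}

int main(void)
{
    unsigned char rec[8];               /* constructed sample data */
    size_t n;

    memcpy(rec, "ABCDEFGH", sizeof rec);
    /* Sliding within one buffer: the pattern to look for in a code scan. */
    printf("overlap: %d\n", regions_overlap(rec + 2, rec + 4, 4));
    printf("checked_copy: %d\n", checked_copy(rec + 2, rec + 4, 4));
    n = remove_span(rec, sizeof rec, 2, 2);
    printf("after remove_span: %.*s (len %zu)\n", (int)n, (const char *)rec, n);
    return 0;
}
```

When scanning a code base, any memcpy() whose source and destination are derived from the same base pointer is a candidate for this review.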
It is in this spirit we say,
simply but sincerely…
Thank you for your business
We wish you a happy holiday season,
and a new year of health,
happiness and prosperity.
Men & Mice staff
Did you know that Men & Mice are serious about your success and eager to share our knowledge with you?
Headquartered in Iceland with locations scattered around the world, Men & Mice is proud to have offices full of extremely intelligent minds that are eager to share their knowledge. The education takes place on our website, at our webinars & trainings, and through various social media channels like Twitter.
We gather interesting industry-related knowledge that we read about, and impressive software and online tools that we discover, and then share that information during webinars, on our blog and through social media. You'll learn what is new, what dangers you should be aware of, and how you can simplify your daily network management tasks.
At Men & Mice the aim is to offer state of the art software and hardware, great service, and last but not least, industry leading education. At the upcoming "DNS fragmentation attacks - the dangers of not validating DNSSEC" webinar in December, the focus will be on why these attacks work, why DNS caching servers that do not do DNSSEC validation are especially vulnerable, why DNSSEC signed zones can be used to launch these attacks, and how IPv6 and/or DNSSEC validation can stop these attacks.
If you have a question about DNS, IPAM, DHCP, DNSSEC, IPv6, or anything really, you can ask our Experts in the Services department.
You might also want to follow us so you don't miss out on what is hot and what is not!
Men & Mice on Twitter
Men & Mice on Facebook
Men & Mice on LinkedIn
Men & Mice on Google+
Men & Mice Webinars
Men & Mice Trainings
Men & Mice is pleased to announce the release of the new Men & Mice DNS/DHCP appliance. This new purpose-built appliance solution is specifically designed to maximize the performance of both hardware and software.
Security is built in from the ground up, with a lean hardened Linux core that prevents both internal and external threats, including Distributed Denial of Service (DDoS) attacks.
Managed by the best
This new hardened appliance is centrally-managed through the acclaimed Men & Mice Suite, thus further extending the functionality and usability of the Men & Mice DNS, DHCP and IP Address Management solutions.
The Men & Mice Suite is trusted by some of the world's most high-profile organizations to manage their vast global networks. Combined with our new appliance product, we offer an unparalleled feature set that empowers administrators to easily manage complex DDI infrastructures from a single centralized user interface.
Together, our appliance and management solutions offer users the flexibility to build and adapt their network infrastructure as suits their business needs. Unlike other DDI solutions, we do not require our customers to replace their current servers, as our management solutions can be deployed as a management layer on top of the existing DNS/DHCP infrastructure. This enables customers to achieve all the benefits of security and high availability, while still being able to tailor the network to their needs.
Where they make sense, appliances can be added gradually and without the risk of network outages when existing servers are at the end of their lifetime or are difficult to maintain.
The Men & Mice Suite management solution supports industry-standard DNS/DHCP services including Microsoft and Linux, as well as DHCP services deployed on Cisco routers and a hybrid mixture thereof.
Offering secure and reliable DNS/DHCP services that improve the stability of core services while at the same time simplifying the task of managing the fast growing IP infrastructure has clear customer value. Maintaining the environment running the core DNS/DHCP services can be quite time consuming and has inherent security risks. By implementing our appliance-based solution, the task of information gathering, patching, and securing is handled by Men & Mice. Updates are then simple to implement through one source, thereby simplifying administration tasks.
The benefits are obvious: maximized ROI, low cost of ownership and dramatically decreased network risk.
Hardware or Virtual
The Men & Mice DNS/DHCP appliance can be deployed as either a hardware appliance or as a virtual appliance, bringing still greater flexibility to the client. Deployments of the Suite can be a mixture of hardware and/or virtual appliances in conjunction with standard Microsoft, Linux and Cisco core services, all without affecting the ability to manage the entire infrastructure from a single user interface.
Great Value Proposition
Offering competitive pricing, world class 24/7 service and support along with a strong warranty package, our appliances offer great value and ROI.
By Mr. Arno Meulenkamp, one of the Men & Mice experts.
Since February 2013, to roughly coincide with the release of version 1.0 of BIND 10, Men & Mice, together with ISC, has been conducting BIND 10 workshops, allowing administrators to get a feel for the new software from ISC. The workshops have been a great success and feedback has been almost unanimously positive. In the workshops, several bug reports have been sent to ISC, with some fixes incorporated in the upcoming 1.2.0 release. In every workshop up to now (we won't guarantee it for future workshops!) we've had actual BIND 10 developers come in and talk about the development and answer questions. The BIND 10 team is very approachable and this has really helped with developing this workshop, but also in getting participants to think about what they need to implement BIND 10 best in their environment.
BIND 10 is a major change from BIND 9, not only in functionality (currently DNS *and* DHCP are supported, with no real limits on other additions later on), but also in configuration (no more named.conf!), flexibility (you only have to load the modules you need and you can relatively simply develop modules for features you miss) and development model (more bazaar than cathedral). In almost all cases, the people that came to the workshops have been impressed and sometimes even excited about the possibilities that BIND 10 will give.
At the same time, it became clear that the expectations of the big "1.0" release were different from reality. Lots of time and effort has been spent by the ISC developers to put a structure in place that is fast and stable and will allow for a scalable and flexible platform. That meant that some areas have gotten more attention than others, and this consequently means that the BIND 10 modules you need might not be feature complete or tested properly to be deployed in a production environment right now. You should make sure the functionality you need is ready or scheduled to be included soon before you create your deployment schedule.
That's not to say that BIND 10 now is not ready, but there are some very rough edges still and the expectations that we see in the workshop are for a much smoother ride. Until that smooth ride is here though, we have the BIND 10 workshop that will give you a look at this exciting new software and allows you to poke and prod and start imagining how this software will fit into your workflow, and what work needs to be done to get BIND 10 to be deployed in your network. You may just find yourself writing code for BIND 10 or sponsor the development of your killer feature.
We hope to see you soon in one of our workshops!
Men & Mice, a leading provider of DNS, DHCP and IP Address Management (IPAM) solutions, announces the release of the Men & Mice Suite version 6.4. The new release of the Men & Mice Suite shows continued commitment to provide a high quality and feature rich DNS, DHCP and IP address management product.
This new version of the Men & Mice Suite expands management flexibility by introducing appliance management, full-spectrum device management and an enhanced feature set which make the system uniquely powerful and flexible.
Management for the Men & Mice DNS/DHCP Appliance
Version 6.4 of the Men & Mice Suite contains management features for the Men & Mice DNS/DHCP Appliance, which contains a hardened Linux kernel combined with secure DNS and DHCP servers and is available both as a hardware and a virtual appliance. The appliance manager handles all communications, updates and configuration settings of the new appliance product.
All DNS and DHCP management features of the Men & Mice Suite can be used for the service on the appliances, enabling flexible and secure end-to-end DNS, DHCP and IP infrastructure management from one console. The Men & Mice Suite user can as before manage most industry standard DNS/DHCP services, including Microsoft and Linux as well as DHCP services deployed on Cisco routers and a hybrid mixture thereof. This unique combination offers flexibility in deploying and using these solutions and allows customers to combine the Men & Mice appliance products in hybrid environments with industry standard DNS/DHCP services.
Management of Devices
Subnet utilization history
New Update Manager
A Migrate Zone Wizard has been added
Subnet containers can now be created and used to ease subnet management
Access is now inherited for subnets and scopes
Support for creation and modification of $GENERATE zone statements has been added
It is now possible to view and clear selected DNS Cache entries from BIND DNS servers and the DNS/DHCP appliances
Various new SOAP commands have been added, further extending the flexible usage of the Men & Mice Suite
As in previous releases of the Men & Mice Suite the new version contains various enhancements and improvements. Many of these improvements have been worked on in cooperation with our current customers to meet their needs.
For further information contact Men & Mice
How does the Internet sort out your request to read this blog article from all the other requests, such as those for online newspapers or videos about cute kittens?
Rules are the answer!
Rules come in the form of acronyms and an IP address in the world of computing. A Protocol is another name for a rule and an Internet Protocol (IP) address is a unique number assigned to every device on the Internet. But how does it all work? Take a look at James May's Q&A on "How the Internet works" to learn more.