The Men & Mice Blog

Win a trip to Iceland at Cisco Live, San Diego

Posted by Men & Mice Jun 10, 2015 9:04:00 PM

Lucky winner of the 1st Men & Mice "Win a trip to Iceland" at is Arshad Usmani from Wipro Limited.

On the last day, in front of a crowd of Cisco attendees, we drew the 2nd winner of a trip to Iceland. Strangely enough Arshad's friend from Wipro Limited, Mr. Piyush Trikha is the lucky winner!

Men & Mice welcomes them both to beautiful Iceland.

 

Winner_1

 

Winner_2-1

Tags: Cisco Live

Winners of a Trip to Iceland contest announced

Posted by Men & Mice May 6, 2015 11:37:00 AM

Congratulations to Asheed Vasudevan from Greenway Health, and Aaron Koenig from Kohler Co. the lucky winners in Men & Mice's "Win a Trip to Iceland" contest at #Ignite2015!

2015rafflewinner1b-664145-edited

Winner_2

Tags: Men & Mice, ignite

Men & Mice at Microsoft Ignite 2015

Posted by Men & Mice May 5, 2015 5:46:00 AM

Men & Mice is at Microsoft Ignite 2015 and can be found at booth #371, where our intrepid team of black-clad gentlemen is busy giving away free trips to Iceland.

Men and Mice booth at Microsoft Ignite 2015

Tags: Men & Mice, Microsoft Ignite

Men & Mice Suite Version 6.8 Released

Posted by Men & Mice Apr 28, 2015 7:49:34 AM

Reykjavik, Iceland, April 28th 2015 - Men & Mice announces the release of version 6.8 of the Men & Mice Suite.

The Men & Mice Suite is the ideal tool for network managers who desire minimal daily management, featuring planning, reporting, and auditing of growing dynamic IP networks, with the added benefit of delivering improved network security as well. The Men & Mice Suite version 6.8 can be deployed as a software solution on top of existing DNS/DHCP servers or as hardened DNS/DHCP virtual appliances.

Subnet Discovery and Ease of Use

Version 6.8 introduces several new features designed to streamline both initial deployment of the Men & Mice Suite, and day-to-day management of enterprise networks by way of automatic discovery and intuitive user interface improvements.

The new Subnet Discovery feature allows the Men & Mice Suite to directly query network routers for subnet information, making it far easier to add new subnets, and reducing administration time by eliminating the need for tedious manual input of new subnets. Meanwhile, the First Use Wizard allows new users to rapidly gain complete control over their networks by automating DNS/DHCP server and Active Directory Subnet discovery, and intelligently guiding administrators through the initial setup process.

Enhanced System Support

The Unbound Caching DNS Server now enjoys the same management utility as the Men & Mice Virtual Caching Appliance in the Men & Mice Suite, and can be simply added to the Men & Mice Suite Management Console like any other supported DNS server. With version 6.8 the Men & Mice Suite now also features native support for 64-bit Linux systems, and support for systemd integration on Linux installers.

Other Improvements

Version 6.8 also improves other aspects of the suite, featuring enhanced Windows DNSSEC support, improved failover handling on Microsoft DHCP servers, and a number of performance improvements to both the Men & Mice Suite and the Men & Mice Virtual Appliance products.

For a complete list of new features and enhancements:
Release notes on version 6.8.

 

Men & Mice Suite version 6.8 Free Trial

 

Tags: Men & Mice Suite, DDI, DNSSEC, IPAM, DHCP, Windows, Unbound

An Introduction to the Men & Mice Web Service: JSON-RPC

Posted by Men & Mice Feb 23, 2015 10:48:00 AM

The Men & Mice Suite is a comprehensive DDI solution that allows you to manage your DNS, DHCP and IP Addresses in a simplified, flexible manner. In order to maximize this flexibility the Men & Mice Suite provides a rich set of commands accessible through its web service interface. These commands are used internally for almost all requests between the user interface and the Central service, so if something can be done in the user interface it can also be done through the web service interface.

Initially the web service interface provided a SOAP API and a WSDL service. Starting with version 6.6, the Men & Mice Web Service also provides a JSON-RPC service that complies with the JSON-RPC 2.0 specifications. The main reason for this decision to provide JSON-RPC along with SOAP is that JSON is well supported in popular programming languages such as JavaScript and Python, and working with JSON-like data instead of XML is much easier and less error prone, not to mention that JSON packets are smaller than XML packets and more human readable.

If you are interested in the SOAP service there is an excellent introduction to it on our blog (see: Introduction to the Men & Mice Web Service API).

JSON-RPC

The JSON-RPC service supports all the same commands as the SOAP API. You can find a complete list of the SOAP commands available here. The same code is used internally in the Men & Mice Suite so when a new SOAP command is added, it will be readily available as a JSON-RPC method. As with SOAP, our main focus is to provide JSON-RPC over HTTP/HTTPS.

No special magic is needed to send a JSON-RPC request. When our web service receives a packet it will determine from the content of the packet whether this is a SOAP or a JSON-RPC request. You can even mix those two and the web service will simply respond with a JSON if this was a JSON-RPC request or an XML if this was a SOAP request. The general format of a Men & Mice Web Service JSON-RPC request and a response is as follows:

--> {"jsonrpc": "2.0", "method": "theMethodName", "params": theParams, "id": 1}
<-- {"jsonrpc": "2.0", "result": theResult, "id": 1} 

The jsonrpc member should always be "2.0". The method member should contain a string with the name of the method to be executed. The params member contains data that should be passed to the method. The member id is optional, but if it exists the response will contain the same ID as provided in the request. If successful the response will include a member result that will contain the result from the RPC method that was executed. If an error occurs the response will not include a result but instead another member named error that will include information about what happened.

An example:

--> {"jsonrpc": "2.0", "method": "Login", "params": {"password": "secretPassword", "loginName": "administrator", "server": "10.5.0.6"}, "id": 1}
<-- {"jsonrpc": "2.0", "result": {"session":"J95A5uh9obM6KjCtbtHZ"}, "id": 1}
    
<-- {"jsonrpc": "2.0", "method": "GetDNSServers", "params": {"session": "J95A5uh9obM6KjCtbtHZ"}, "id": 2}
--> {"jsonrpc": "2.0", "result": {"dnsServers":[{"ref":"{#2-#10}","name":"caching1.demo.","resolvedAddress":"10.5.0.27","port":1337,"type":"Unbound","state":"OK","customProperties":[],"subtype":"Unbound"},{"ref":"{#2-#11}","name":"caching2.demo.","resolvedAddress":"10.5.0.30","port":1337,"type":"Unbound","state":"OK","customProperties":[],"subtype":"Unbound"}],"totalResults":2}, "id": 2} 

JSON-RPC and Python

Python is powerful as a scripting language. The standard libraries are pretty comprehensive and if you need something more specific then there are plenty of additional libraries that can be found. One of the strengths of Python is its dynamic type system and "duck typing" that allows for the creation of complex objects without writing too much code.

We have created a small, light-weight Python module that uses the request library to simplify session handling and data conversion from Python dictionaries to JSON requests. The class overloads the __getattr__ method, so that all unknown functions are assumed to be RPC requests and all the arguments passed are assumed to be a RPC data.

You can find the latest version of the Python module here. To install it, extract the downloaded file, go into the subdirectory and run:

$ python setup.py install

Before we can use any of the commands we need to create a JSONClient object and log in to our Central Service. Let's start Python and type in the following commands.

$ python
>>> import mmJSONClient
>>> client = mmJSONClient.JSONClient()

The Basics

The Login method accepts the following arguments: proxy, server, username and password. Proxy is the name or IP address of a server running the Men & Mice Web Service. If you do not provide the proxy argument, then the Login method assumes the web service is running on the same machine as the Central Service. The server argument should contain the name or address of the machine that is running the Men & Mice Central Service. The username argument is the name of the user that we want to log in as and password is his password. Note that in order for this user to be able to use the web service he has to have permissions to use the web user interface. For optimal security, it is best to create a new dedicated user account that only has access to the objects the script needs to function.

Now let's log in to the server. In this example I'm logging in to a server named 'central.demo' with the user name 'a_user' and the password 'secret'. Since the web service is also running on 'central.demo' I don't need to provide the proxy argument.

>>> client.Login(server='central.demo', username='a_user', password='secret') 

As I mentioned earlier, we can use all the commands that are available for the SOAP API, and there are a lot (around 200 at last count). A list can be found here, along with descriptions of what arguments they need and what data they return.

Let's start with something simple, like the GetDNSServers method. As the name implies, the method will return all the DNS servers available to the user. Note that it might not return all the DNS servers available, but instead only those the user has permission to see. If you look at the description of GetDNSServers, you will see the only argument required is the session ID; everything else is optional. The session ID is a random string that the web service returned from the Login method. If you have successfully executed the Login method, you can see what your temporary session ID is by doing:

>>> print(client.sessionid)
VFr79UQMhFfOq4Q8l0Qi 

Or if you are using Python 2.7, use print without parentheses:

>>> print client.sessionid
VFr79UQMhFfOq4Q8l0Qi 

The rest of this article assumes use of Python 3.x. When using earlier versions of Python the syntax may have to be adjusted accordingly.

Fortunately when using the JSONClient class you don't have to worry about the session ID, as the class handles that automatically so if you want to list all the DNS servers available, you can simply type:

>>> print(client.GetDNSServers())
{u'totalResults': 2, u'dnsServers': [{u'name': u'caching1.demo.', u'resolvedAddress': u'10.5.0.27', u'ref': u'{#2-#10}', u'subtype': u'Unbound', u'state': u'OK', u'customProperties': [], u'type': u'Unbound', u'port': 1337}, {u'name': u'caching2.demo.', u'resolvedAddress': u'10.5.0.30', u'ref': u'{#2-#11}', u'subtype': u'Unbound', u'state': u'OK', u'customProperties': [], u'type': u'Unbound', u'port': 1337}]} 

The result from GetDNSServers is a Python dictionary that contains two members: totalResults and dnsServers. As stated in the SOAP API documentation, the totalResults member contains the number of DNS Servers we have access to, and the member dnsServers contains an array of DNS servers. To refer to a member in a Python dictionary we can use brackets - for example, the following can be used to print out the total number of DNS servers:

>>> print(client.GetDNSServers()['totalResults'])
2 

Providing arguments to a method is simple. GetDNSServers has a number of optional arguments, for example the filter argument. Filter is powerful argument that is provided with many of the Men & Mice SOAP API commands. It allows you to limit the result to only the items that you want to see. You can use wildcards and regular expressions with a filter. For more information, look at the description of filtering in the SOAP API. Let's say that we wanted to get all the servers that contain the number 2 in their name. We can simply do:

>>> print(client.GetDNSServers(filter='name:2'))
{u'totalResults': 1, u'dnsServers': [{u'name': u'caching2.demo.', u'resolvedAddress': u'10.5.0.30', u'ref': u'{#2-#11}', u'subtype': u'Unbound', u'state': u'OK', u'customProperties': [], u'type': u'Unbound', u'port': 1337}]} 

Or let's say we wanted to print out all A records from the zone 'applepie.ak.is' that start with the name 'apple':

>>> print( '\n'.join(['{}\t{}\t{}'.format(r['name'],r['type'],r['data']) for r in client.GetDNSRecords(dnsZoneRef= 'applepie.ak.is.', filter='type:^A$ name:^apple')['dnsRecords']]) )
apple1 A 10.50.0.1
apple2 A 10.50.0.2
apple3 A 10.50.0.3 

In the example below we have created a Python script that logs on to a server, prints out all of its zones and then the first 10 records of a single zone. It assumes that we are running Men & Mice Web Service and Men & Mice Central on a server named 'central.demo'. It also assumes there is a zone named 'applepie.ak.is' on one of the servers:

import mmJSONClient
 
client = mmJSONClient.JSONClient()
client.Login(server='central.demo.', username='a_user', password='secret')
 
result= client.GetDNSZones()
print('\nTotal number of zones: ' + str(result['totalResults']))
for zone in result['dnsZones']:
    print(zone['name'])
 
myZone = myZone= 'applepie.ak.is.'
result = client.GetDNSRecords(dnsZoneRef= myZone, limit= 10)
print('\nRecords in ' + myZone)
for record in result['dnsRecords']:
    print(record['name'] + "\t" + record['ttl'] + "\t" + record['type'] + "\t" + record['data'])

Manipulating DNS Zones

Now let's do something a little bit more complicated. Let's create a zone and add some records to it. If we look at the list of SOAP API commands we can find AddDNSZone. AddDNSZone requires at least two arguments: a session argument we don't have to worry about since JSONClient will handle that for us, and a dnsZone argument which should be of type DNSZone. The DNSZone type requires at least two members (or arguments): name and type. The name argument is a string, and the type argument is an enumeration which can be Master, Slave, Hint, Stub or Forward. If the call is successful AddDNSZone will return a reference to the newly created zone.

We also have to specify where we want to create the zone. Notice that we don't have any possible DNS server reference when creating a zone. The reason is that each DNS server can have one or more views that in turn can contain a number of zones. In most cases DNS servers will only have one view, called the default view or the empty view (''). When referring to any object in the Men & Mice Suite, you can either use its globally unique identifier (GUID), that was returned from the Central Server or you can pass on a string that will uniquely identify the object, in this case using its name (for a more detailed description on how this works, see Referencing Objects in the SOAP API). To reference a default view on a server you can simply use its fully qualified name and add a double column at the end.

As an example, let's say we want to send a reference to the default view as an argument on the DNS server dnsserver1.demo. Here we can simply pass the string 'dnsserver1.demo.:' as a DNS view reference.

>>> zoneRef= client.AddDNSZone(dnsZone={'dnsViewRef':'dnsserver1.demo.:', 'name':'test1.com', 'type':'Master'} , saveComment='A zone created using Python')
>>> print(zoneRef)
{u'ref': u'{#4-#2054}'} 

Note that we also added a save comment when creating the zone as it is sensible to always add a comment when you are making changes to the system. Also notice the return value from AddDNSZone. As before it is a Python dictionary, this time with only the one member, 'ref', that contains a reference to the newly created zone. Now let's create few records:

>>> for i in range(100,105):
...     client.AddDNSRecord(dnsRecord={'dnsZoneRef':zoneRef['ref'], 'name':'test{0}'.format(i), 'ttl':'', 'type':'A', 'data':'10.50.0.{0}'.format(i), 'enabled':1})
... 

In this example, since I'm creating multiple records, I might instead use the SOAP command AddDNSRecords. AddDNSRecords will accept multiple records and update the zone just once instead of multiple times:

>>> client.AddDNSRecords(dnsRecords= [{'dnsZoneRef':zoneRef['ref'],  'name':'test{0}'.format(i), 'ttl':'', 'type':'A', 'data':'10.50.0.{0}'.format(i), 'enabled':1} for i in range(100,105)])
{'errors': [], 'objRefs': ['{#13-#9009}', '{#13-#9010}', '{#13-#9011}', '{#13-#9012}', '{#13-#9013}']}

As a final example, let's create a script that will check if all the PTR records for a DNS server are in order. The script will read through all the forward and reverse zones and report if there are any PTR records missing or if there are any orphaned PTR records:

import mmJSONClient
 
def qualifyName(recName, domainName):
    if len(recName) == 0:
        return domainName
    elif recName[len(recName) - 1] == '.':
        return recName + domainName
    return recName + '.' + domainName
 
mmServer    = 'central.demo.'
mmUser      = 'a_user'
mmPassword  = 'secret'
dnsServer   = 'b-centos6-32.demo.'
 
try:
    print('Checking reverse zone on server [{}] ...'.format(dnsServer))
    client = mmJSONClient.JSONClient()
    client.Login(server= mmServer, username= mmUser, password= mmPassword)
    viewRef = client.GetDNSView(dnsViewRef= dnsServer + ':')
    # Get all forward and reverse zones
    zoneList = client.GetDNSZones(filter= 'dnsViewRef:' + viewRef['dnsView']['ref'])['dnsZones']
    forwardZoneList = [z for z in zoneList if (not z['name'].endswith('in-addr.arpa.') and not z['name'].endswith('ip6.arpa.'))]
    revZoneList = [z for z in zoneList if z['name'].endswith('in-addr.arpa.')]
    print('Found {} forward-zone(s) and {} reverse-zone(s)'.format(len(forwardZoneList), len(revZoneList)))
  
    # Collect all PTR records as a map of ip -> [record, zone, data] 
    # and give the user a warning if there are duplicates
    ptrRecordsMap = {}
    for z in revZoneList:
        print('Scanning reverse-zone [{}]'.format(z['name']))
        try:
            records = client.GetDNSRecords(dnsZoneRef= z['ref'], filter= 'type:^PTR$')['dnsRecords']
        except Exception as e:
            print(e)
        for r in records:
            domain = qualifyName(r['name'], z['name'])
            label = domain.split('.', 4)
            ip = '{}.{}.{}.{}'.format(label[3], label[2], label[1], label[0])
            if ip in ptrRecordsMap:
                print(  ('Warning: Ignoring reverse record [{} in {} {}] for the IP address [{}]:\n'
                        + '\talready found [{} in {} {}]').format(
                              r['name'], z['name'], r['data'], ip
                            , ptrRecordsMap[ip][0], ptrRecordsMap[ip][1], ptrRecordsMap[ip][2]))
            else:
                ptrRecordsMap[ip] = [r['name'], z['name'], r['data']]
 
    # Collect all A records as a map of ip -> [record, zone] 
    # and give the user a warning if there are duplicates
    aRecordsMap = {}
    aMatchedRecordsMap = {} # contains all record that found a match
    for z in forwardZoneList:
        print('Scanning forward-zone [{}]'.format(z['name']))
        records= []
        try:
            records = client.GetDNSRecords(dnsZoneRef= z['ref'], filter= 'type:^A$')['dnsRecords']
        except Exception as e:
            print(e)
        for r in records:
            ip = r['data']
            if ip in aRecordsMap:
                print(  ('Warning: Ignoring the A record [{} in {} {}]:\n'
                        + '\talready found [{} in {} {}]').format(
                            r['name'], z['name'], r['data']
                            , aRecordsMap[ip][0], aRecordsMap[ip][1], ip))
            elif ip in ptrRecordsMap:
                # We already have this as a PTR record but do the data match?
                if qualifyName(r['name'], z['name']) != ptrRecordsMap[ip][2]:
                    print(  ('Warning: Record [{} in {} {}] has an incorrect reverse reference:\n'
                            + '\talready found a PTR record [{} in {} {}]').format(
                                r['name'], z['name'], r['data']
                                , ptrRecordsMap[ip][0], ptrRecordsMap[ip][1], ptrRecordsMap[ip][2]))
                aMatchedRecordsMap[ip] = [r['name'], z['name']]
                del ptrRecordsMap[ip]
            else:
                # the ip wasn't found in the reverse list but it might already been matched
                if ip in aMatchedRecordsMap:
                    print(  ('Warning: Ignoring the A record [{} in {} {}]:\n'
                            + '\talready found [{} in {} {}]').format(
                                r['name'], z['name'], r['data']
                                , aMatchedRecordsMap[ip][0], aMatchedRecordsMap[ip][1], ip))
                else:
                    aRecordsMap[ip] = [r['name'], z['name']]
 
    print ('\nFound {} missing PTR-Record(s)...'.format(len(aRecordsMap)))
    for ip in aRecordsMap:
        print ('{} in {} {}'.format(aRecordsMap[ip][0], aRecordsMap[ip][1], ip))
    print ('\nFound {} orphan PTR-Record(s)...'.format(len(ptrRecordsMap)))
    for ip in ptrRecordsMap:
        print ('{} in {} {}'.format(ptrRecordsMap[ip][0], ptrRecordsMap[ip][1], ptrRecordsMap[ip][2]))
except Exception as e:
    print(e)

Summary

The primary focus of the Men & Mice development team has always been to simplify the complex task of administering a DDI environment while still being flexible, as different environments can have very different needs. To achieve this flexibility the Men & Mice Suite provides rich set of commands accessible through a web service interface.

As of version 6.6 both SOAP/WSDL and JSON-RPC services are supported. Both of these services have their advantages but JSON-RPC is more light-weight than SOAP/WSDL and a better fit for many programming languages.

Tags: Men & Mice Suite, DDI, DNS, DHCP, DNS Zone, Web Services, JSON, SCRIPTING

Hybrid Cloud DNS with the Men & Mice Suite

Posted by Men & Mice Feb 2, 2015 9:55:00 AM

Since its humble origins as QuickDNS for the Apple Macintosh, the Men & Mice Suite has evolved into a comprehensive management solution for existing heterogeneous DNS/DHCP environments, with a powerful IPAM module that allows for seamless AD Sites & Subnets management in Windows Active Directory environments. Since 2011 Men & Mice have also offered the Men & Mice Appliance for customers that desire integrated DNS/DHCP or caching appliance solutions.

Introducing the Generic DNS Server Controller

In 2014 Men & Mice introduced the Generic DNS Server Controller, an extension of the existing Men & Mice DNS Server Controller that allows the Men & Mice Suite to integrate with any DNS server product that features an API to access and update DNS data.

The result is a flexible DNS solution that can deploy and centrally manage a wide variety of DNS products within a single hybrid environment, all without having to replace existing DNS infrastructure.

Better living through scripting

With the Generic Controller, communication between the DNS Server Controller and the DNS server itself is not hard coded; instead, a scripting interface is called instead of directly accessing the server whenever changes are made through the Men & Mice Management Console (or any other Men & Mice client interfaces).

Men & Mice currently provides two scripts (written in python) to interface with a cloud based DNS service (Amazons Route53) and PowerDNS (with a MySQL back-end, which is widely used as authoritative DNS in the ISP market). These scripts can be further tweaked and configured to interface with any number of different DNS servers without changes to the core infrastructure.

Looking forward

What does this mean for Men & Mice's customers?

Put simply, it can significantly lower infrastructure costs when moving into the future; should you plan to migrate your data into a cloud based DNS service or even switch over to some other DNS product types like PowerDNS you can still use the Men & Mice Suite to manage the DNS/DHCP and IPAM with all the advantages it brings, such as audit trails, automation, and delegation.

Hybrid Cloud DNS with the Men & Mice Suite
  • An administrator requests a change on the DNS server via the Men & Mice Management Console, which connects to the Men & Mice Central server.
  • Men & Mice Central connects to the DNS Server Controller and relays the change request.
  • The DNS Server Controller deploys the change and reports success or error back to Central.
  • Central reports back to the administrator.

Tags: Men & Mice Suite, IPAM, DNS, DHCP, CLOUD

Supervising BIND 9

Posted by Men & Mice Jan 21, 2015 2:59:00 PM

BIND 9 is a mature piece of software, and compared with its predecessors BIND 4 and BIND 8 it is noticeably more stable and secure. One reason for this is the "Design by contract" programming style used by the BIND 9 team; as a result, BIND 9 is very particular about the data it consumes, and about its own internal data structures. Once BIND 9 encounters an unexpected state in its data structures, it terminates the DNS server process rather than continue running with bad data (and thus potentially compromise security).

While this behavior has clear advantages in terms of security, it can adversely affect service uptime - BIND 9 had several incidents in the past years where BIND 9 terminated because of issues inside the code or data structures, such as "BIND 9 Resolver crashes after logging an error in query.c". And for all its security benefits, an end user unable to reach Facebook may not be terribly understanding in the event of an outage.

The real issue, however, is not that BIND terminates when it comes across bad data, but rather that the process cannot automatically restart after the fact; there is no "supervisor" process in BIND 9.

Some operating systems have a built-in solution: MacOS X has launchd, and the BIND 9 version Apple delivers with the OS is automatically restarted should it terminate unexpectedly. Solaris has SMF (Service Management Facility), and BIND 9 can be integrated into SMF. Recent versions of Ubuntu, RedHat Enterprise, SuSe Enterprise, and Fedora now all use systemd, which can also monitor processes and restart them if needed.

But for Unix and Linux operating systems that do not ship with a process supervisor solution, supervisord is a strong alternative, with the added benefit of being relatively easy to install and configure. Supervisord comes as a package with many Linux distributions, and also works on BSD distributions.

The configuration below is intended for RedHat 6, but should require only minor tweaks to run on other Unix systems as well.

Installation

Supervisord is written in Python (2.4 - 2.7) and can be installed from source (where we have to download and install all dependencies) or with the help of setuptools, which takes care of downloading and installing dependencies (Meld3 and ElementTree).

Full Installation instructions can be found at [http://supervisord.org/installing.html]

Automatic Installation

‣ download "setuptools" from [https://pypi.python.org/packages/source/s/setuptools/setuptools-9.1.tar.gz]

 shell> tar xfz setuptools-9.1.tar.gz 
shell> cd setuptools-9.1 
root-shell> python setup.py install

Once setuptools have been installed, run the following command to install Supervisor and all required dependencies:

 root-shell> easy_install supervisor 

Manual Installation

Supervisor and its dependencies can also be installed manually.

‣ download "setuptools" from [https://pypi.python.org/packages/source/s/setuptools/setuptools-9.1.tar.gz]

 shell> tar xfz setuptools-9.1.tar.gz 
shell> cd setuptools-9.1 
root-shell> python setup.py install

‣ download "Meld3" from [http://www.plope.com/software/meld3/meld3-0.6.5.tar.gz]

 shell> tar xfz meld3-0.6.5.tar.gz 
shell> cd meld3-0.6.5 
root-shell> python setup.py install

‣ download "ElementTree" from [http://effbot.org/media/downloads/elementtree-1.2.6-20050316.tar.gz]

 shell> tar xfz elementtree-1.2.6-20050316.tar.gz 
shell> cd cd elementtree-1.2.6-20050316 
root-shell> python setup.py install

‣ download "Supervisor" from [https://pypi.python.org/packages/source/s/supervisor/supervisor-3.1.3.tar.gz]

 shell> tar xfz supervisor-3.1.3.tar.gz 
shell> cd supervisor-3.1.3 
root-shell> python setup.py install

Installing startscript and sysconfig

‣ download the startscript from [https://raw.githubusercontent.com/Supervisor/initscripts/master/redhat-init-jkoppe] and place it in /etc/init.d/supervisord

 root-shell> cp redhat-init-jkoppe /etc/init.d/supervisord 
root-shell> chmod +x /etc/init.d/supervisord

‣ download the 'sysconfig' file from [https://raw.githubusercontent.com/Supervisor/initscripts/master/redhat-sysconfig-jkoppe] and place it in /etc/sysconfig/supervisord

 root-shell> cp redhat-sysconfig-jkoppe /etc/sysconfig/supervisord 

Installing Bind 9 from Men & Mice repositories

‣ download the BIND 9 RPM from [http://support.menandmice.com/download/bind/linux/redhat/6.x/]<arch>/<version>/

 root-shell> yum install ISCBIND-<version>-<flavor>RHL<arch>.rpm 
root-shell> mkdir /var/named 
root-shell> useradd -d /var/named -r named 
root-shell> chown -R named: /var/named

‣ create a BIND 9 configuration file '/etc/named.conf'

options { directory "/var/named"; dnssec-validation auto; }; 

‣ create an 'rndc' configuration

root-shell> rndc-confgen -a 

‣ verify the configuration

root-shell> named-checkconf -z 

A basic configuration file for BIND 9 "named"

Below is my basic /etc/supervisord.conf configuration file for one service, the BIND 9 DNS Server:

 [unix_http_server] 
file = /tmp/supervisor.sock 
chmod = 0777 
chown= nobody:nobody 

[rpcinterface:supervisor] 
supervisor.rpcinterface_factory = supervisor.
rpcinterface:make_main_rpcinterface 

[supervisorctl] 
serverurl=unix:///tmp/supervisor.sock 
[supervisord] 
logfile = /var/log/supervisord.log 
logfile_maxbytes = 10MB 
logfile_backups=10 
loglevel = info 
pidfile = /var/run/supervisord.pid 
identifier = supervisor 
directory = /tmp 

[program:named] 
command=/usr/sbin/named -u named -f 
process_name=%(program_name)s 
numprocs=1 
directory=/var/named 
priority=100 
autostart=true 
autorestart=unexpected 
startsecs=5 
startretries=3 
exitcodes=0,2 
stopsignal=TERM 
stopwaitsecs=10 
redirect_stderr=false 
stdout_logfile=/var/log/named_supervisord.log 
stdout_logfile_maxbytes=1MB 
stdout_logfile_backups=10 
stdout_capture_maxbytes=1MB

Starting supervisord

With the configuration file in place, we can start supervisord. Make sure that BIND 9 is not started or you will end up with two instances of the BIND 9 server running, which isn't recommended. Also make sure that supervisord will be started on reboot of the server, either through a startscript or other means. Note that the supervisord packages bundled with Linux distributions install a startscript.

 root-shell> /etc/init.d/supervisord start 
root-shell> rndc status 
version: 9.9.6-P1 <id:3612d8fb> 
number of zones: 98 
debug level: 0 
xfers running: 0 
xfers deferred: 0 
soa queries in progress: 0 
query logging is OFF 
recursive clients: 0/0/1000 
tcp clients: 0/100 

server is up and running 
root-shell> ps -ef 
[...] 
root 10906 0.0 2.5 209096 12988 ? Ss 19:55 0:00 /usr/bin/python /usr/bin/supervisord -c /etc/supervisord.conf 
named 10908 0.7 1.6 44292 8112 ? S 19:55 0:00 /usr/sbin/named -u named -f 
root 10910 0.0 0.2 110228 1156 pts/0 R+ 19:55 0:00 ps aux 

root-shell> supervisorctl 
status 
named RUNNING pid 10908, uptime 0:03:19 
root-shell> chkconfig --add supervisord 
root-shell> chkconfig supervisord on

Great, supervisord has started, and it also started the BIND 9 process "named". DNS is working now.

Simulating a BIND 9 crash

To simulate a BIND 9 crash, we "kill" the BIND 9 named process:

root-shell> killall -9 named 

Supervisord should detect that the running BIND 9 process has terminated, and start a new one. DNS is still up and running.

Controlling supervisord

Supervisord can be controlled from the command line using the supervisorctl command. A list of all a control commands can be found with "help", and a description of each command with "help command":

 shell> supervisorctl help 
default commands (type help ): 
===================================== 
add clear fg open quit remove restart start stop update 
avail exit maintail pid reload reread shutdown status tail version 

shell> supervisorctl help status 
status Get all process status info. 
status Get status on a single process by name. 
status Get status on multiple named processes. 

shell> supervisorctl status named 
RUNNING pid 25770, uptime 0:00:12 

shell> supervisorctl stop named  named: stopped 

shell> supervisorctl start named 
named: started

Now, whenever there is a triggered assertion error in the code BIND 9 will terminate, but supervisord will bring it back from the dead. Your DNS service stays up, and your users and customers stay happy.

Read the supervisord documentation on how to setup event notifications, so that you get an e-mail notification should BIND 9 restart (should the outage be caused by a security vulnerability you might want to report it to bind9-bugs@isc.org as well).

Of course supervisord can be used to restart other processes as well, including other types of DNS Servers (NSD, Unbound, dnsmasq ...).

Tags: DNS, Linux, BIND 9, BIND, Supervisord, Red Hat

Men & Mice 2014 Holiday Greeting

Posted by Men & Mice Dec 23, 2014 9:23:00 AM

Men & Mice Christmas greeting 2014

Men & Mice thanks you for your business this year. It has been a pleasure helping you reach your goals, and we look forward to contributing to your success in 2015. We wish you a prosperous and happy new year! 

Men & Mice staff

Tags: Men & Mice

Unparalleled support for DNS Servers and tightened Security

Posted by Men & Mice Oct 8, 2014 8:51:00 AM

Men & Mice announces the release of version 6.7 of the Men & Mice Suite.

The Men & Mice Suite is the ideal tool for network managers who need superfast daily management, planning, reporting and auditing on growing dynamic IP networks, delivering the added benefit of improved network security as well. 

Unparalleled support for DNS Servers

To ensure the solution will scale with businesses as they grow, the Men & Mice Suite integrates with the widest available range of DNS servers, such as BIND, Microsoft DNS services and Unbound. The 6.7 edition adds PowerDNS to enable customers to run hybrid environments for tightened securityIn this release Men & Mice takes flexibility one step further with the addition of Amazon Route53 DNS services support.  Enterprises moving to the AWS cloud or running hybrid private/public clouds can now keep full control of their DNS, DHCP and IP environment with the Men & Mice Suite.


Support for Amazon Route53
The Men & Mice Suite now supports Route53, Amazon’s cloud DNS service. With this integration, users can manage DNS information stored on the Amazon Route53 DNS servers in the same way they can manage DNS on other supported platforms, such as creating new zones and edit DNS records in existing zones.


Support for PowerDNS
PowerDNS, an open source, high performance DNS server, is now supported in the Men & Mice Suite.  This capability will especially benefit customers with complex hybrid environments, as they will be able to  manage all their diverse DNS servers from one solution, regardless if they are BIND, Microsoft DNS or PowerDNS servers. 


DNS Security

The increase of mobile devices (BYOD), the Internet of Things (IoT) and the growth of cloud-based virtual machines has caused a seismic shift in the DDI landscape, leading to greater awareness of network-related security risks. Security manifests itself in various formats, such as availability, performance and the ability to withstand attacks like DDoS Attacks, DNS cache poisoning and other DNS security threats. The Men & Mice Suite helps network administrators address such risks by offering hybrid DNS server support and high availability.

The 6.7 edition of the Men & Mice Suite adds DNS and DHCP service Monitoring and support for TLSA records that enable the storage of/and signing keys that are used to verify SSL/TLS certificates through DNSSEC.


DNS and DHCP service Monitoring

The Men & Mice Suite now actively monitors the status of the DNS and DHCP services on all managed platforms and will alert users if the services become unavailable.  In addition to being displayed in the user interface, the alerts can be sent to monitoring systems for further processing.  This will serve to maximize availability and enable customers to avoid costly unscheduled downtime.


Support for TLSA records
TLSA records,  in conjunction with DNSSEC signatures, provide an easier and more secure way for applications such as Web browsers and mail servers to authenticate SSL/TLS certificates.   Support for management of TLSA records has been added to the Men & Mice Suite.  For more info on TLSA and DANE (DNS-based Authentication of Named Entities), users can view a recent Men & Mice webinar on the topic.


Reverse zone improvements
Handling of reverse records and reverse zones has been enhanced in this new version and is now much more tightly integrated into the IPAM module.  Users can select any number of subnets and create and/or update the corresponding reverse entries for the subnets.  Reverse record (PTR records) details are now also included with the IP address details in the IPAM view.

 

Role-based access support

Role-based access allows customers to create roles in the Men & Mice Suite and assign these roles to users and groups.  All supported users and groups, whether Men & Mice built-in or from Active Directory or Radius can have roles assigned to them, which will greatly simplify access administration while providing a more flexible access model.  

 

Men & Mice Suite version 6.7 FREE TRIAL

 

or Call us at +1 408.516.9582 to speak to a sales representative.


New features in version 6.7

Tags: DNS/DHCP Appliance, Men & Mice Suite, DDI, DNSSEC, IPAM, Monitoring, Security

DNSSEC & DANE – E-Mail security reloaded

Posted by Men & Mice Sep 9, 2014 8:06:00 AM

Conventional TLS/SSL for SMTP is flawed and the x509 certificate business is a pain

Get a 35 minute crash course in "DANE" style securing x509 certificates using DNSSEC secured DNS using BIND 9 and the Postfix mail server from Mr. Carsten Strotmann from the Men & Mice Services team.

Carsten also answers the following questions:

  • Does the Men & Mice Suite support DANE & TLSA?
  • For DANE I need a DNS hosting provider that supports DNSSEC, where can I find one?
  • What impact will DANE have on the current certificate business?

Take a look!


 

Tags: DDI, DNSSEC, DNS, BIND 9, DANE