The Men & Mice Blog

Recent Posts

Men & Mice at Cisco Live 2019: Wired for Change

Posted by Men & Mice on 6/12/19 10:17 AM

We live in a software-defined world. Whether we talk about multicloud or DNS privacy, bits and bytes are sorted, sent, and protected using software.

Today’s enterprise and large scale organizations are looking for software overlay solutions that can maximize the value of their infrastructure investments while positioning for future innovation. Many of them also rely on Cisco.

New best practices

In one of the best attended sessions of the ThinkTank track, Men & Mice North American Director of Sales Paul Terrill explored new best practices at Cisco Live in San Diego.

Paul's talk focused on how to adapt hybrid network strategies to take advantage of service-native features in all IP infrastructure solutions, whether on-premise, cloud or multicloud. The common pain points in adapting hybrid and multicloud network strategies resonated well with the audience: the potential loss of access control assignments, lost time and staff resources during migration processes, and compatibility hurdles between multiple services are all challenges today's network professionals encounter often.

This being Cisco Live, Paul explored the advantage of Cisco IOS DHCP against other solutions, as well as where most hybrid and multicloud migration strategies go off the rails. He finished with discussing the API-shyness of IT decision makers (and why they should embrace them instead) and why homegrown solutions are no longer acceptable.

View the slides from our presentation!

Everything has changed

Yet nothing’s different. At the end of the day, software-defined or not, data is still sent and received by computers and still goes through wires, switches, and routers. On-premise solutions still matter.

But compared to today, networking used to be simple. With the Internet of Things and Edge, networks fuel and permeate everything in our world (and soon, out of this world). 

To accommodate such explosive growth, innovations like cloud computing have grown in prominence at an exponential adoption rate. And with cloud technology maturing to meet the strict regulations of enterprise-level businesses, the way we think about networking has shifted.

In our journey to simplify and secure increasingly complex networks, we also have to be aware of the need for compatibility between on-premise and cloud services, and how that impacts our future network architecture choices.

Future-ready IP infrastructure solutions

Men & Mice continues to be a leader in DNS, DHCP, and IP address management, as we've been for nearly three decades. We’ve worked with an industry-horizontal array of customers and gained deep insights into networking best practices as a result. We also recognize the widespread presence and critical importance of Cisco hardware in enterprise networks.

With products like Umbrella, Cisco is continuing to bring network infrastructure innovation to larger audiences. By utilizing the Men & Mice Suite with Umbrella, Cisco customers gain the advantage of being able to control internal DNS resolvers, numbering anywhere between dozens to hundreds, in one fell swoop. In addition, proper visibility quickly highlights servers not properly configured.

To learn more about the Men & Mice Suite, contact us or download your free trial below.

Topics: Cisco Live, Cisco IOS, Paul Terrill

World IPv6 Day 2019 (plus a podcast!)

Posted by Men & Mice on 6/6/19 9:50 AM

June 6th, 2012 (or “6/6”) saw the World IPv6 Launch Day. Today we celebrate the 7th anniversary.

For those in need of a quick cheat sheet, here’s ours.

(Mind you, this is not ONLY a cheat sheet, but also doubles up as a lens cleaning cloth. Come by our booth at Cisco Live in San Diego to pick one up.)

Beyond that quick reference, what’s all the fuss about this old-new networking technology? What has changed since it’s been around (from the 1990s)? What hasn’t? And where do (or should) we go from where we are now?

To IPv6 or not to IPv6?

That is the question. For what it’s worth we, and literally everybody we spoke to at RIPE 78, are for IPv6.

That said, there is legitimate criticism against it. More often than not, however, it tends to be rooted in shortcomings of implementation, misunderstandings in adoption strategies, or just general reluctance toward the work involved in the switch.

Large tech companies have adopted IPv6 whole-heartedly. ISPs, cloud providers, and data centers have been offering IPv6 for a while. Microsoft has been at work getting rid of IPv4 addresses in their offices for years. Google even keeps a public chart of IPv6 adoption amongst its users:

Bottom line is: adoption is on the up, but it’s still spotty at best. And it is true: IPv6 isn’t perfect. But then again IPv4 isn’t, either. It will not get any better, though, if we don’t dedicate effort to perfecting it through practice.

Fun fact: IPv6 addresses are free. IPv4 addresses go for $20+ apiece and that price keeps rising.

It’s evident that, various inventions and initiatives notwithstanding, we’ll likely soon be out of IPv4 addresses. Never before have there been so many connected devices, from smartphones to cars, from smart thermostats to smart toasters. IPv6 is an inevitability.

What can we do?

Introducing ‘resolv.pod’: a DNS podcast

We can, and most definitely should, discuss and evaluate our options regarding anything and everything affecting the future of the networks we depend on. Attend conferences, read papers, draft strategies.

To that end, we’re happy to announce that we are launching a podcast aimed at sharing with you the mindshare we have access to.

Of course, as is clear from the name of our podcast, the focus won’t be on IPv6 exclusively, but rather anything and everything related to DNS, DHCP, and IPAM. Facilitating discussions about IPv6, amongst other things, and giving listeners fuller context from experts in the field, is the DNAME of the game (OK, name - just couldn’t resist).

As luck would have it, we were fortunate enough to grab a conversation with Geoff Huston, Chief Scientist at APNIC (Asia Pacific Network Information Centre), in the lovely Reykjavik sunshine at RIPE 78.

So to celebrate World IPv6 Day, why don’t you sit back and listen to our very first episode featuring Geoff talking networking highs and lows with Men & Mice’s Carsten Strotmann? It’s sure to entertain - and inform - in equal measure. Happy World IPv6 Day!

Find resolv.pod on your favorite podcast platform:

More interviews and discussions coming up in the next weeks! Let us know what you’d like to learn more about via the podcast email, our social media channels, or as a comment below.

Topics: IPv6, DNS, podcast, resolv.pod, IPv6 Day

Men & Mice @ Cisco Live 2019: New Best Practices for Future-ready Hybrid and Multicloud Networks

Posted by Men & Mice on 6/5/19 11:28 AM

Cisco Live San Diego: we’re coming! Find us at booth 2234 for all your DNS, DHCP, and IPAM needs, plus sweet swag from Iceland!

Whether you’re attending Cisco Live or not, chances are your enterprise or large organization is well into developing or implementing its cloud strategy. Further, you’re likely capitalizing on a number of cloud services across multiple platforms.

This year at Cisco Live, we’ll have Paul Terrill, our North American Director of Sales Operations, taking the Think Tank stage for a look into what best practices you can adopt today to get your environment ready for the hybrid and multicloud networks of tomorrow.

With more than a decade of experience delivering software solutions that meet the diverse IP infrastructure needs of some of the world’s largest multinational enterprises and government organizations, Paul is an expert in identifying, and solving, large scale network management challenges.

Here’s a sneak peek at Paul’s talk.

Adopting best practices for a future-ready network

Scheduled for Monday, June 10, 03:30 PM - 04:00 PM, PDT, at SDCC - World of Solutions, Think Tank 2, Paul’s talk will focus on the challenges organizations face in a cloud-native world, the solutions that transform networks into a future-ready state, and the pitfalls to avoid along the way.

During the session, Paul will explore new best practices and the advantages to adapting hybrid network strategies to take advantage of service-native features in all IP infrastructure solutions, whether on-premise, cloud or multicloud. Specific attention will be given to some of the common pain points in adapting hybrid and multicloud network strategies, such as the potential loss of access control assignments, lost time and staff resources during migration processes and compatibility hurdles between multiple services (and how to overcome them).

Additionally, Paul will describe in detail the advantage of Cisco IOS DHCP against other solutions, as well as where most hybrid and multicloud migration strategies go off the rails. He’ll also be speaking about why IT decision makers need not fear APIs (in fact, why they should embrace them) and why homegrown solutions are no longer acceptable.

Made with your infrastructure in mind

We understand the importance of visibility, control, automation, and security — and also how challenging those can be in complex, hybrid IP infrastructures. Men & Mice provides API-driven DNS, DHCP, and IPAM software solutions to global enterprise, education, and government organizations.

Men & Mice also recognizes the widespread presence and critical importance of Cisco hardware in enterprise networks. With products like Umbrella, Cisco is continuing to bring network infrastructure innovation to larger audiences. By utilizing the Men & Mice Suite with Umbrella, Cisco customers gain the advantage of being able to control internal DNS resolvers, numbering anywhere between dozens to hundreds, in one fell swoop. In addition, proper visibility quickly highlights servers not properly configured.

Questions?

While in San Diego next week, come and listen to Paul’s talk, and/or visit us at booth 2234 throughout the event. You’re welcome to fire away with whatever questions come to mind - our experts will be on hand to help you solve your unique enterprise networking pain points.

Topics: DNS, Cisco Live, hybrid network, Cisco IOS, multicloud

The ABCs of DNS: a select glossary from the Men & Mice training archives - Part 2

Posted by Men & Mice on 5/31/19 7:46 AM

Continuing our glossary of DNS tips & tricks, we’re covering the letters D, E, and F this time.

DNS ALERT

Our popular DNS & BIND Week, DNS Fundamentals and DNS Advanced courses are all registered to run June 20th to June 24th, in Reston, Virginia, USA. Still want to join in? All info is on our training page.

D is for “dig”

Dig is the Swiss army knife of network tools. It's got so much functionality, it’d be next to impossible to cover it all, but here’s a taste:

  • find your IP address using: dig @ns3.google.com +short o-o.myaddr.l.google.com txt
  • relatedly, you can make an alias in your .bashrc file: alias myip='dig o-o.myaddr.l.google.com -t txt +short @ns3.google.com'
  • you can use dig +trace <domain-name> to follow all delegation from the root down.

And if dig isn't available, you can use one with a web interface (sometimes called a DNS Looking Glass), such as https://dns.bortzmeyer.org/[URL]/[TYPE] (for example https://dns.bortzmeyer.org/menandmice.com/AAAA).

Remember, friends don’t let friends use nslookup.

E is for “error-free config files”

To err is to be human. Sometimes a typo sneaks into your configuration files. (Unless you’re using Men & Mice, in which case validation is automatic.)

A quick way to make sure everything’s in order is to run named-checkconf -z to test all zones inside the named.conf file. (Note that the command checks the validity of the master zones, and not the configuration file itself. To check the file itself use named-checkconf <path to named.conf>.)

F is for “FQDN”

FQDN stands for ‘Fully Qualified Domain Name’ and you need it for a number of things. It’s the human-readable address that the DNS resolver translates into its corresponding IP address.

The FQDN is made up of three or more parts (called labels):

  • root (the trailing dot at the end)
  • TLD (such as .com, .net, etc.)
  • domain (such as menandmice)
  • host (such as www, info, etc.)

Each label is a string between 1 and 63 characters (letters, numbers, and dashes), and the total length of the FQDN is capped at 255 characters.

To find the FQDN of your machine:

  • on Windows: Start > Programs > Administrative Tools > Active Directory Domains and Trusts (or echo %COMPUTERNAME%.%USERDNSDOMAIN% in the command line)
  • on Linux & MacOS: hostname -f (on Linux you can also use hostname --fqdn)

Want to learn more?

This series is bite-sized (almost fitting a DNS query) — but it’s just the tip of the iceberg. A lot more is said (and done) in our DNS training program:

  • If you’re new to DNS, we offer the DNS & BIND Fundamentals (DNSB-F) course. It’s part of the DNS & BIND Week (DNSB-W) and serves as a shorter introduction to the world of DNS and BIND.
  • If you’re already familiar with the basics, the full five-day DNS & BIND Week (DNSB-W) course takes you deeper into DNS, including a heavy emphasis on security, stopping just short of DNSSEC (for which we offer a separate course).
  • And if you're looking for even more, we offer the DNS & BIND Advanced (DNSB-A) program, getting into the deep end of things.

Check out our training calendar for 2019, and reach out to us with any questions.

Topics: DNS, networking best practices, dig

The Men & Mice Guide to RIPE-javik

Posted by Men & Mice on 5/15/19 7:40 AM

RIPE 78 is barely a week away! We feel it's our duty, both as locals to the city and as sponsors to the event, to compile a guide to help you make the most of your stay.

What to attend at RIPE

You're coming to attend sessions and talks at RIPE, so let us start there. There'll be an excellent lineup of speakers, making it hard to choose. May we suggest starting with Carsten Strotmann?

Carsten has been supporting customers with Unix and PC/Windows networks in Germany and abroad for more than 27 years. His specialties are Unix systems, DNS, DNSSEC and IPv6 security. He's a trainer in the field of DNS/DHCP/IPv6/Linux/Unix security for Internet Systems Consortium (ISC), Linuxhotel and Men & Mice. He is also the author of various articles on IT security topics in specialist magazines.

Carsten will give two talks at RIPE:

  1. Unwind, a Validating DNS Recursive Stub-Resolver: a short introduction on what unwind(8) is, and how this always-running, validating DNS recursive nameserver on OpenBSD can help to secure DNS name resolution for mobile devices and laptops in hostile public networks.
  2. Overview of the DNS Privacy Software landscape: new DNS privacy protocols have sparked a number of new open source software tools that make use of DNS-over-TLS and DNS-over-HTTPS - however, functionalities and software quality differ greatly. This talk will give an overview of available tools, the functions they provide and their availability on popular operating systems, and also a brief look at missing pieces in the DNS privacy software landscape.

Apart from the Plenary and BoF (Birds of a Feather) Sessions and Tutorials, RIPE78 features no fewer than 10 Working Group sessions, on DNS, IPv6, IoT, Open Source, Anti-Abuse and more.

Talks and sessions not to be missed include:

  • Tutorial by Enno Rey on IPv6 Security for Enterprise Organisations (Monday, 20 May)
  • The plenary session dedicated to current DDoS threats and how to mitigate them (Tuesday, 21 May)
  • High Performance Traffic Encryption on x86_64 (Max Rottenkolber), part of the Open Source Working Group agenda (Wednesday, 22 May)
  • IPv6 reliability measurements (Geoff Huston) and Large-scale Deployment of IPv6-enabled Wi-Fi Hotspots (Enno Rey) – both on Thursday, 23 May
  • Revisiting the Root (David Hubermann, ICANN), Long-Term Active Measurements for DNS Research, and That KSK Roll (Geoff Huston) – all on Tuesday, 21 May

Diversity engagement: Women in Tech Panel at RIPE78

Sponsored by Netflix with additional support from Men & Mice and WomenTech Iceland, RIPE78 will also host a Women in Tech diversity panel discussion on the 21st of May, on which our own Paula Gould will join panelists from GRID, WuXi NextCode and Lady Brewery.

Paula is the Head of Brand & Communications for Men & Mice, and has worked with IT companies for over 15 years on go-to-market, growth, and brand strategies. She founded WomenTechIceland, and has been deeply involved in notable international women-in-business and women-in-tech initiatives for two decades.

After hours: making the most of RIPE-javik

Good times don't stop at the end of the official schedule. We’ve compiled seven useful tips to make your stay during RIPE78 as pleasant as possible. (And also financially sensible.)

  1. Leave your umbrella: OK, maybe not if it’s Cisco, but if it’s one of those hand-held thingies, you may want to just let it go. There can be unexpected gusts of wind, and unless you want to re-enact Mary Poppins, there are other better (and warmer) ways to get around.
  2. Entertainment: If you want to have a good laugh at the end of a long day of DNS and IP addresses, the Secret Cellar does comedy in English every evening in a cellar on Lækjargata, smack in the middle of downtown Reykjavík.
  3. Non-alcoholic beverages: An indisputable must in almost every Icelander’s daily life is coffee: the stronger, the blacker, the better. And if you’re feeling out of sorts on your visit, why not coffee and a cat? The Cat Café, home of outstanding coffee and four-legged creatures, offers you just that.
  4. Alcoholic beverages: If coffee is not your thing, beer easily rates as the other staple Icelandic beverage. Icelanders have caught up quickly since the lift of the beer ban in 1989: these days, everyone and their brother is making their own. Micro-breweries are literally on every other corner and these bars offer an excellent selection.
  5. Hands-on fun: Beyond food and drinks, there's much else to be enjoyed in Reykjavik. You definitely can’t go wrong with karaoke Wednesdays at Sæta Svínið (The Sweet Pig) Gastropub, or Monday’s Ping Pong Tournament in "Miami". (The one on Hverfisgata, not Florida. But complete with tropical décor and cocktails to match.)
  6. Volcanic gifts: Iceland's so rife with geothermal water that we use it to heat not only our homes, but also our pavements and driveways. We love our water. And you haven’t really been to Iceland until you’ve shot the breeze with the locals in a ‘hot pot’ at one of the many public pools scattered around the country. (Note: to enter the pool area, you are required to shower naked and wash all the right spots thoroughly and with soap.)
  7. More about water: You're quite safe to drink the water from the tap in your hotel and don't hesitate to ask for tap water in restaurants. It’s pure, tastes fantastic and doesn’t cost you a krona. Bring a refillable water bottle for refreshing hydration no matter where you go.

See you at RIPE78 (come say hello to us in person or on social media) and have a great stay in Iceland!

Topics: DNS privacy, RIPE 78, Women in Tech

Men & Mice welcomes RIPE 78 to Reykjavik

Posted by Men & Mice on 5/9/19 10:42 AM

We are developers who build software for network infrastructure people. And not just any network infrastructure, but the most fundamental parts: DNS, DHCP, and IP address management.

For that reason, and for many more, we’re more than excited to welcome RIPE 78 to our home in beautiful Reykjavik, Iceland in May this year. (Forecast is balmy and warm, expected to showcase all seasons every 15 minutes or so. 🙃)

What is RIPE?

RIPE NCC is one of the five Regional Internet Registries (RIRs) dealing with the network of networks: the internet. An independent, not-for-profit membership organisation, RIPE NCC serves Europe, Central Asia, Russia and West Asia and provides internet resource allocations, registration services and coordination activities that support the operation of the Internet globally.

Formed in 1992, RIPE NCC now supports more than 12,000 members in 76 countries in its service region.

RIPE NCC holds two General Meetings a year, where members convene to discuss a wide range of subjects related to keeping the internet up and running.  

Men & Mice @ RIPE 78

This year, for the first time ever, RIPE NCC is coming to Iceland. It’s a match made in heaven: RIPE members’ knowledge and insight meet Iceland’s long-running expertise in all things computing, including networks, cloud technology, and software development.

Of course, this being not only our home ground geographically, but also professionally, Men & Mice is a proud sponsor of RIPE 78 and will be participating on a number of levels.

Long-time readers of our blog will recognize the name of DNS expert Carsten Strotmann, who has previously published RIPE reports, and who has worked with Men & Mice for many years on a number of initiatives (and from time to time hosts webinars, blog posts and training sessions with us).

This time around, Carsten will not only give two talks on behalf of Men & Mice at RIPE78, but also provide you with updates on what happens at RIPE on a daily basis.

Here’s a small taste of what hot topics are waiting to be discussed at RIPE 78:

  • current DDoS threats and how to mitigate them
  • review of the 2018 DNSSEC KSK Roll in the Root Zone and the February 2019 EDNS "Flag Day"
  • IPv6 reliability
  • large-scale deployment of IPv6-enabled Wi-Fi hotspots
  • high-performance traffic encryption
  • roundtable discussion on the role of open-source in industry hackathons
  • tutorial on IPv6 security for enterprise organizations

Diversity engagement: Women in Tech Panel at RIPE78

Sponsored by Netflix with additional support from Men & Mice and WomenTechIceland, RIPE78 will also host a Women in Tech diversity panel discussion on the 21st of May, on which Paula Gould, our Head of Brand & Communications, will join panelists from GRID, WuXi NextCode and Lady Brewery. Learn more here: https://ripe78.ripe.net/diversity/women-in-tech-session/

Topics: RIPE 78, Women in Tech

Men & Mice @ Cisco Live 2019: Hybrid and Multicloud Transition

Posted by Men & Mice on 5/3/19 12:01 PM

Men & Mice @ Cisco Live 2019

As in previous years, Men & Mice will return to Cisco Live in San Diego, June 10-13, 2019.

Cisco solutions are a staple of the networking world. Their hardware and software services are present in almost every enterprise, creating security and efficiencies for almost every aspect of network management. They’re also a treasure trove of research and know-how, which is why so many of today's large-scale organizations continue to rely on Cisco (and Men & Mice). 

Cisco Live events are a must-attend for anyone making decisions about network innovations and transformations. 

Network growth, fueled in part by the Internet of Things and Edge computing that permeate nearly everything in our world (and soon, out of this world), depends on innovation in both on-premise and cloud solutions to increase resilience and uptime. Cloud's accelerated adoption can likely be attributed, in part, to its maturity: now that it meets the strict regulations of enterprise-grade businesses, nimble hybrid and multicloud infrastructure strategies can be fast-tracked.

Adding highly compatible network overlay software opens significant opportunities for network managers and architects to use the best-in-class services that are right for them while leveraging the native features of both their on-premise and cloud solutions, getting more out of their investments and positioning their network for future transition and innovation.

Join us for our Best Practices Think Tank Session

Monday, June 10, 2019 at 3:30pm PDT

This year at Cisco Live, Paul Terrill, Men & Mice’s Director of Sales Operations, North America, will also take to the Think Tank stage to discuss New Best Practices for Future-Ready Hybrid and Multicloud Network Strategies. This session will explore new best practices and the advantages to adapting hybrid network strategies to take advantage of service-native features in all IP infrastructure solutions, whether on-premise, cloud or multicloud.

Beyond our talk, Cisco Live is also a great opportunity for us to connect with customers, old and new, and catch up on discussions with the most prominent minds of our industry.

Click here to find out more, or book a time at Cisco Live that suits you for meeting up with sales engineers from Men & Mice. Alternatively, just stop by booth #2234, any day from June 10th to June 13th, and stock up on great networking. (And nice goodies!)

Topics: Cisco Live

The ABC's of DNS: a select glossary from the Men & Mice training archives - Part 1

Posted by Men & Mice on 4/26/19 9:43 AM

As you’ve probably discovered by now, we have an honest passion for teaching and training. For the past 20 years, Men & Mice has been offering DNS and BIND courses across the globe. Always updated and always practical, from the start we've constructed classes to address real world challenges and solve problems that our students actually face.

Beyond this series, you can also catch us in person (outside of the training courses): we’re really proud to be sponsoring RIPE78 in Reykjavik next month!

In addition to the diversity programming, we’ll also be giving two talks, presented by Carsten Strotmann, about DNS privacy and Unwind.

And the onslaught of new challenges never stops. Public and private networks. Cloud and on-prem resources. Hybrid and multiclouds. Privacy, security, efficiency.

Being on top of our game means constantly learning.

In this new series, we'd like to give you a small taste of the Men & Mice training courses. Organized alphabetically, we'll cover a glossary of select tips, tricks, and trivia that will deepen your understanding of DNS and BIND.

Without further ado, let's get started - we have a whole alphabet to cover.

A is for "anonymizing IP addresses in logfiles"

Anonymizing IP addresses is a handy trick to know, with (DNS) privacy features often requested and businesses becoming increasingly liable for traffic to and from their servers.

ipv6loganon is a Linux command line tool for anonymizing IP addresses in HTTP server logfiles. By default your webserver (be it Apache, nginx, or something else) logs every connection. This is useful for diagnosing connection issues or finding malicious actors, but during normal operations it's also a liability from a privacy standpoint.

You can type man ipv6loganon in your server terminal to see all the options. Run it as a cron job or automate some other way.
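As an added illustration of what this kind of tool does to a log (this is not ipv6loganon's code, and the /24 and /48 prefixes kept below are this example's own choices, not the tool's defaults), the Python below truncates the client address on constructed common-log-format lines so the network prefix survives for troubleshooting while the host part is discarded.

```python
import ipaddress
import re

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [26/Apr/2019:09:43:01 +0000] "GET /index.html HTTP/1.1" 200 512
2001:db8:1234:5678:abcd:ef01:2345:6789 - - [26/Apr/2019:09:43:02 +0000] "GET /blog HTTP/1.1" 200 2048
198.51.100.7 - - [26/Apr/2019:09:43:03 +0000] "POST /login HTTP/1.1" 302 0
"""

# How much of each address to keep. These prefix lengths are this example's
# choices, not ipv6loganon's defaults: a /24 still identifies the ISP block for
# troubleshooting, a /48 keeps the site prefix but drops subnet and interface ID.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# The client address is the first whitespace-delimited field of each line.
_CLIENT_FIELD = re.compile(r"^(\S+)")


def anonymize_address(addr, v4_bits=IPV4_KEEP_BITS, v6_bits=IPV6_KEEP_BITS):
    """Zero the host part of an IPv4/IPv6 address; non-addresses pass through unchanged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    bits = v4_bits if ip.version == 4 else v6_bits
    # strict=False lets ip_network mask off the host bits for us.
    return str(ipaddress.ip_network("%s/%d" % (ip, bits), strict=False).network_address)


def anonymize_line(line):
    """Rewrite only the leading client-address field, leaving the rest of the record intact."""
    m = _CLIENT_FIELD.match(line)
    if not m:
        return line
    return anonymize_address(m.group(1)) + line[m.end():]


def anonymize_log(text):
    """Anonymize every line of a log file's contents; returns the rewritten lines."""
    return [anonymize_line(line) for line in text.splitlines()]
```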

B is for "BIND features roundup"

BIND is a fantastic suite of software. Whether you consciously use it or not, it's one of the most fundamental pieces in almost any network puzzle (that's why our most popular training course is titled "DNS and BIND").

A lot of people are surprised by just how many tools BIND offers. For example:

  • dig is the Swiss Army Knife of network tools. So much so, that we'll be giving it its own entry at the letter 'D' in the next post. In the meantime, read man dig in your terminal, and learn to love it.
  • delv can be used to verify DNSSEC trust. It's as easy as typing delv +v www.domain.com.
  • named-checkconf -z can be used to test manual changes to DNS zonefiles.
  • dnstap is a faster alternative to query logging. (During the training courses we go deep into how to use it.)

BIND also comes with a host of security features like DNS cookies, Response Policy Zones, Response Rate Limiting, and more. The DNSB-W and DNSB-A courses cover these in detail.

C is for "catalog zones"

C is not just for cookies, but also: catalog zones. Catalog zones are special DNS zones, used to quickly propagate DNS zones from master to slave servers. Slave servers use catalog zones to recreate member zones, and if any changes occur "upstream", they're also synced across slaves using the catalog zones.

Use catalog zones for redundancy, so if your slave servers go out of commission for any reason, you can resume normal operations by quickly spinning up backups.

Want to learn more?

In this DNS glossary series, we focus on just a handful of concepts in each post. Bite-sized, they're but the tip of the iceberg. Our training program is where all of these concepts come to exist in the right context - and you get to try your hand at putting newly learnt skills in action.

  • If you’re new to DNS, we offer the DNS & BIND Fundamentals (DNSB-F) course. It’s part of the DNS & BIND Week (DNSB-W) and serves as a shorter introduction to the world of DNS and BIND.
  • If you’re already familiar with the basics, the full five-day DNS & BIND Week (DNSB-W) course takes you deeper into DNS, including a heavy emphasis on security, stopping just short of DNSSEC (for which we offer a separate course).
  • And if you're looking for even more, we offer the DNS & BIND Advanced (DNSB-A) program, getting into the deep end of things.

Check out our training calendar for 2019, and reach out to us with any questions. 

Topics: IT best practices, DNS training, RIPE 78

DNS Privacy: DNS-over-HTTPS

Posted by Men & Mice on 4/16/19 5:24 AM

DNS-over-HTTPS (DoH for short) is a standard developed by the IETF (under the RFC 8484 designation) to solve privacy concerns in DNS communication.

DNS Privacy: a primer

As we’ve talked about before, DNS has traditionally been done in cleartext: the queries and responses, both between the end user (applications, or stub resolvers, such as a browser) and the (first-hop) DNS resolver, and between the resolver and the DNS nameserver(s), are unencrypted by default.

While DNSSEC extensions were developed early on, they only added response integrity and not privacy. As the IETF states, “either privacy was not considered a requirement for DNS traffic or it was assumed that network traffic was sufficiently private.”

In recent years, however, that changed. Privacy has become a central concern and addressing it has spawned numerous solutions, such as DNS-over-HTTPS (DoH).

DNS-over-HTTPS

DoH conducts DNS operations over secure HTTP URLs, mapping DNS queries and responses into HTTP exchanges using default media types.

While DoH uses existing protocols for communication, the IETF emphasizes that “[The] described approach is more than a tunnel over HTTP.” Aligned with existing HTTP features, DNS servers and clients supporting DoH are called ‘DoH server’ and ‘DoH client’ respectively, as they can be used for more than only DNS.

While DNS-over-HTTPS and DNS-over-TLS are colloquially treated as different protocols, DoH also relies on TLS, because it runs over HTTPS. The key difference between DoH and DoT is the manner in which DNS operations are conducted.

DoH in action

DoH clients are configured with a URI template containing the url structure for DNS resolution. The client then uses a GET or POST method to send an encoded DNS query.

DNS-over-HTTPS uses standard https traffic (via port 443) to communicate. Because DNS communication is done through standard https methods and resides within https traffic, overhead for DoH is low.
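The exchange described above, as an added Python example that is not part of the original post or of RFC 8484's text: a wire-format query is built, placed into the URI template as a padding-free base64url `dns` parameter for GET (or into an `application/dns-message` body for POST), and the response body is parsed back into answer records. The name encoding enforces the label rules from the FQDN entry of the glossary post above, so the same helper serves both passages. The endpoint doh.example.net, the URI template, and the sample response are constructed for this example.

```python
import base64
import ipaddress
import struct

MAX_LABEL_LEN = 63   # per-label limit from the FQDN entry
MAX_NAME_LEN = 255   # wire-format limit for the whole name
QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}
# Hypothetical DoH endpoint; RFC 8484 clients are configured with a URI template like this.
TEMPLATE = "https://doh.example.net/dns-query{?dns}"


def split_labels(fqdn):
    """Split an FQDN into labels. The trailing dot is the root label; every
    other label must be 1-63 letters, digits or dashes."""
    name = fqdn[:-1] if fqdn.endswith(".") else fqdn
    labels = name.split(".")
    for label in labels:
        if not 1 <= len(label) <= MAX_LABEL_LEN:
            raise ValueError("label length out of range: %r" % label)
        if not all(c.isalnum() or c == "-" for c in label):
            raise ValueError("illegal character in label: %r" % label)
    return labels


def encode_name(fqdn):
    """Encode an FQDN as length-prefixed labels ending in the 0x00 root label."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in split_labels(fqdn))
    wire += b"\x00"
    if len(wire) > MAX_NAME_LEN:
        raise ValueError("name exceeds %d octets" % MAX_NAME_LEN)
    return wire


def build_query(fqdn, qtype):
    """Minimal DNS query: ID 0 (RFC 8484 recommends it so identical queries are
    byte-identical and HTTP caches can reuse them), RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(fqdn) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(template, query):
    """Expand the URI template with the base64url-encoded query, padding removed."""
    dns = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return template.replace("{?dns}", "?dns=" + dns)


def decode_get_url(url):
    """Server side of the GET form: recover the wire-format query from the URL."""
    dns = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def doh_post_request(query):
    """POST form: the raw message is the body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return {"method": "POST", "headers": headers, "body": query}


def parse_answers(message):
    """Return (name, type, rdata) for each answer record in a DNS response body,
    following label-compression pointers as a DoH client must."""
    def read_name(offset):
        labels, jumped, end = [], False, offset
        while True:
            length = message[offset]
            if (length & 0xC0) == 0xC0:        # compression pointer
                if not jumped:
                    end = offset + 2
                jumped = True
                offset = struct.unpack("!H", message[offset:offset + 2])[0] & 0x3FFF
                continue
            offset += 1
            if length == 0:                    # root label terminates the name
                if not jumped:
                    end = offset
                return ".".join(labels) + ".", end
            labels.append(message[offset:offset + length].decode("ascii"))
            offset += length

    qdcount, ancount = struct.unpack("!HH", message[4:8])
    offset = 12
    for _ in range(qdcount):                   # skip the question section
        _, offset = read_name(offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, message[offset:offset + rdlen]))
        offset += rdlen
    return answers


def sample_response():
    """Constructed response body for 'menandmice.com. AAAA' (example data, not a real
    lookup): NOERROR, one AAAA answer whose owner name is a pointer to the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("menandmice.com.") + struct.pack("!HH", QTYPE["AAAA"], 1)
    rdata = ipaddress.IPv6Address("2001:db8::1").packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["AAAA"], 1, 300, len(rdata)) + rdata
    return header + question + answer
```

Because the GET form carries the whole query in the URL, `decode_get_url` is also what a resolver operator needs to inspect which names a DoH client asked for when troubleshooting.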

DoH challenges

DNS-over-HTTPS is a newer protocol than DNS-over-TLS. DoH has had less testing and research than DoT, but because it aligns with https as an underlying transport protocol, it is less susceptible to issues other than those associated with https itself.

DoH, though still young, has successfully leveraged the existing ecosystem of native web applications and APIs. It can create more efficient (and private!) communications with DNS.

Arguments against DNS-over-HTTPS (in its current form) stem more from operational considerations. Whereas DoT can be controlled because it uses a single, dedicated port, DoH is almost impossible to control or filter.

DNS privacy (DoH, as well as DoT and other solutions) is a good representation of the operational shifts network managers and architects face. DNS-over-HTTPS in particular is a solution born from a public networking mindset. Traditional corporate network operations, which are increasingly dependent on cloud services and experience an influx of connected devices through IoT and BYOD, have to re-adjust.

But DNS privacy also means that the opportunity for corporate network managers and architects is more pertinent than ever before. DoH, DoT, and other solutions are young and still forming. Whereas the question before centered around ‘adoption’ of protocols, these new technologies offer a chance to ‘influence’. Ongoing participation in the conversation and debate over the merits and shortcomings of each is necessary.

Additionally, pilot programs, particularly those run in regulated corporate environments, are invaluable both to the developers of DNS privacy solutions and to the network managers and architects who will be charged with implementing them.

Topics: DNS privacy, DNS-over-HTTPS

DNS privacy: DNS-over-TLS

Posted by Men & Mice on 4/10/19 11:05 AM

DNS-over-TLS (DoT for short) is a standard developed by the IETF (under the RFC 7858 designation) to solve privacy concerns in DNS communication.

DNS Privacy: a primer

As we’ve talked about before, until recently DNS has been done in cleartext: the queries and responses, both between the end user (an application or stub resolver, such as a browser) and the (first-hop) DNS resolver, and between that resolver and the DNS nameserver(s), are unencrypted by default.

While DNSSEC extensions were developed early on, they only added response integrity and not privacy. As the IETF states, “either privacy was not considered a requirement for DNS traffic or it was assumed that network traffic was sufficiently private.”

In recent years, however, that changed. Privacy has become a central concern and addressing it has spawned numerous solutions, such as DNS-over-TLS.

DNS-over-TLS

DoT approaches privacy by encrypting DNS queries and responses between entities (predominantly between the stub resolver and the first hop resolver) using TLS (Transport Layer Security).

DoT uses a standard port (853) to initiate and accept DNS queries. A mutually agreed different port can be used, but it is not the default. Once the connection is made, a TLS handshake is attempted, and after authentication the encrypted DNS communication can commence.

DNS servers supporting DoT do not accept unencrypted data on the designated port, neither during session initiation nor after a failed TLS authentication.

DoT overhead

Computers are powerful and efficient, but not without limits. DNS-over-TLS adds latency to DNS operations that needs to be accounted for and minimized.

DNS clients are required to use the two-octet length field that prefixes each message, and it is recommended to keep established but idle connections to the server alive. Another way to minimize latency is to pipeline multiple queries over the same TLS session. In this case, it is the DNS client’s responsibility to match responses to queries, as they may arrive and be answered out of order.

Keeping established connections alive helps distribute the connection setup costs. Misconfigured handling of idle connections can lead to denial of service issues.
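An added Python example, not from the original post, of the two-octet framing and out-of-order response matching described above; the queries, responses and the partial trailing frame are constructed inline and the function names are my own.

```python
import struct


def build_query(name, txid, qtype=1):
    """Constructed wire-format DNS query (recursion desired) for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def dot_frame(message):
    """RFC 7858 reuses the DNS-over-TCP framing: a two-octet big-endian
    length precedes every message sent over the TLS session."""
    return struct.pack("!H", len(message)) + message


def split_frames(stream):
    """Cut bytes read from the TLS socket into complete messages. Returns the
    messages plus any trailing partial frame to keep for the next read."""
    messages, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            break  # incomplete frame: wait for more data, do not discard
        messages.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return messages, stream[i:]


def match_responses(queries, stream):
    """Pipelined queries may be answered out of order: match on the 16-bit ID
    and also require the question section to echo the query, since an ID
    alone is a weak match (only 65536 values) and a spoofed reply could
    otherwise be accepted."""
    pending = {struct.unpack("!H", q[:2])[0]: q for q in queries}
    messages, rest = split_frames(stream)
    matched = {}
    for msg in messages:
        txid = struct.unpack("!H", msg[:2])[0]
        q = pending.get(txid)
        is_response = len(msg) > 12 and bool(msg[2] & 0x80)  # QR bit
        if q is not None and is_response and msg[12:len(q)] == q[12:]:
            matched[txid] = msg
    return matched, rest
```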

Flavors of DoT

DNS-over-TLS can be used in various ways. The IETF standard identifies opportunistic and Out-of-Band Key-Pinned privacy profiles.

The opportunistic privacy profile means the client recognizes a TLS-enabled DNS resolver and attempts to use it. If validation succeeds, DNS-over-TLS may be used, but it isn’t mandatory and the client can fall back to unencrypted DNS.

The Out-of-Band Key-Pinned privacy profile is usable where trust between stub and recursive resolvers is already established; enterprise DNS is one good example. With this profile, DNS clients authenticate servers using a set of (previously distributed) SPKI fingerprints.

DoT pros and cons

DNS-over-TLS addresses privacy, but not the security of DNS operations. It is important to note that DNSSEC and DoT are not mutually exclusive, but rather compatible protocols that complement each other.

DoT is a straightforward protocol, and fairly easy to implement. TLS authentication is a mature, trusted, and well-maintained technology for encryption. But DNS-over-TLS also presents a number of challenges and concerns.

Attacks against TLS itself, such as protocol downgrade, affect DNS-over-TLS. DNS resolvers offering DoT have to be aware of, and patched against, TLS vulnerabilities. DNS clients can, in order to defend against person-in-the-middle attacks, discard data cached from a server over cleartext.

DoT isn’t fully protected against traffic analysis and SNI leaks (although work to address these weaknesses is ongoing). Split-horizon DNS, where the response may differ based on the source of the query, is also known to have issues when used with DoT.

Network managers for both private networks and public services need to learn more about DNS privacy, DoT (as well as DoH and other implementations), and the solutions and challenges they present for their work. Education about these protocols is also important for end users, both for owning their privacy and to avoid issues resulting from unintentionally harmful configurations brought onto a network.

DoT, DoH, and other protocols are in constant development, offering ways to influence their evolution. All network managers and architects, whether they run public or private infrastructures, should participate in pilot programs to discover, voice, and address their challenges and requirements.

Topics: DNS-over-TLS, DNS privacy

Why follow Men & Mice?

The Men & Mice blog publishes educational, informational, and product-related material for anyone interested in IP Address Management, DNS, DHCP, IPv6, DNSSEC and more.
