The Men & Mice Blog

DNS Cookies, Response Policy Zones (RPZ), Response Rate Limiting (RRL) and DNSTAP added to Training course curriculum.

Posted by Greg Fazekas on 11/13/18 7:27 AM

If you’re looking to advance your understanding of one of the most fundamental aspects of public and private networks, from the internet to corporate intrawebs, consider that Men & Mice has been delivering DNS and BIND training courses since 1999.

In the coming year, we will augment these popular courses with entirely new sections on DNS Cookies, Response Policy Zones (RPZ), Response Rate Limiting (RRL) and DNSTAP as well as updates on DNS Security and DNSSEC. Many other enhancements are also being rolled out in 2019 for the DNS & BIND courses, including refinements to course materials and the introduction of new labs (including Debugging labs). Register today, to secure your spot in one of our upcoming courses.

To ensure there is a conveniently located training program nearby, Men & Mice Training events have taken place in locations spanning four continents, and deliver learning opportunities to organizations of all sizes and functions, such as:


  • Top Level Domain (TLD) operators,
  • DNS registrars,
  • Governments,
  • Universities,
  • Enterprise and SMB businesses

Men & Mice's work in developing DNS, DHCP, and IP Address management (DDI) solutions has led to the development of the vendor and environment-agnostic Men & Mice Suite, which provides a holistic DDI overlay for simplifying complex management of critical network infrastructure for enterprise organizations.

The development of our public training courses and private on-site training programs utilizes our deep expertise in DNS and BIND. The courses, which are independent from our software solution, are designed to strengthen DNS know-how both for individual career development and to bolster expertise across network teams.

Not only useful for beginners, they’re valued by those with years of expertise. Here's what a student from one of our fall 2018 courses had to say:

“There's nothing more basic to the internet than DNS.  I've been using the internet since the days of gopher in 1995.  And running networked linux systems since 1997. But this course refreshed my understanding of the fundamentals of the internet more than anything else I've done in the last 21 years. By teaching me in-depth how the internet WORKS.”

Our training courses are designed to cater to both new students and seasoned professionals. Students often realize that while their base knowledge is valuable, taking a different approach illuminates concepts they weren't aware of before. They return to work with a deeper understanding of how their roles, tasks and input related to DNS, as well as those of their colleagues, impact the entirety of the network.

Comprehensive Training in DNS & BIND

DNS & BIND Week (DNSB-W) provides an overall understanding of the fundamental building blocks of a network.

Students get hands-on workshop experience with DNS in a practical environment. Men & Mice maximizes the efficiency of training sessions by promoting tactical application rather than simply studying, pointing out along the way the large-scale correlations born from localized concepts.

The DNS & BIND Advanced (DNSB-A) program, which follows the DNSB-W and DNSB-F programs, and the DNSSEC & BIND (DNSSECB) program, offered again in 2019, provide more advanced knowledge and practice. Designed primarily for those responsible for some of the most mission-critical of internet services - such as DNS registrars and TLD operators - they bring students to the top of their expertise.

Foundational Training in DNS & BIND

For those peripherally working with DNS, or looking to learn the basics, the first three days of DNS & BIND Week is available as DNS & BIND Fundamentals (DNSB-F).

To learn about the Men & Mice Training Program, visit menandmice.com/training.

UPCOMING COURSES:

  • NOVEMBER 12 – NOVEMBER 16, 2018: ZURICH, SWITZERLAND
  • FEBRUARY 11 – FEBRUARY 15, 2019: PORTLAND, OR, USA
  • MARCH 4 – MARCH 8, 2019: AMSTERDAM, NETHERLANDS
  • APRIL 22 – APRIL 26, 2019: CENTENNIAL, CO, USA (NEAR DENVER)
  • JUNE 3 – JUNE 7, 2019: GDANSK, POLAND
  • JUNE 24 – JUNE 28, 2019: RESTON, VA, USA (NEAR WASHINGTON DC)

Topics: DNS training, BIND, Response Rate Limiting (RRL), Response Policy Zones (RPZ), DNSTAP, DNSSEC, Men & Mice, DNS Cookies

DNS and BIND  Training with Men & Mice

Posted by Men & Mice on 6/13/18 7:55 AM

In the first half of 2018, Men & Mice Training taught courses in five countries with students flying in from across time zones and from other continents. Participants came from three different ccTLDs, from national governments, and from both major enterprise corporations and smaller institutions.

We are proud of our reputation for delivering exceptional training courses and of our positive student feedback, and we are humbled by the effort that people make to attend. However, we're committed to making attending easier.

New DNS & BIND fall 2018 courses added

Five new public courses have been added to our schedule this fall, from September through November 2018.

We've also begun soliciting student feedback on where we should hold our next courses. Based on initial feedback, classes have already been scheduled for two locations where we've previously never taught: Denver, Colorado, USA, and Geneva, Switzerland.

Our most popular public course is DNS & BIND Week (DNSB-W).

DNS & BIND Week is ideal for anyone just starting in the DNS world, but most commonly attended by those knowledgeable about DNS, and by experienced BIND administrators. Those with previous skills report that the start of the course, which assumes nothing, fills in gaps in their knowledge and corrects misconceptions, and the course moves on to unknown topics and new material. All Men & Mice courses are hands-on, full of laboratory exercises.

If you want to get trained ASAP, this is your chance.

SUMMER COURSES

Space is limited but still available.

June 25 – 29, 2018 – Zurich, Switzerland

FALL COURSES 

September 17 – September 21, 2018  Europe (City TBD)


September 24 – September 28, 2018  Geneva, Switzerland


October 15 – October 19, 2018      Denver, Colorado, USA


October 22 – October 26, 2018      North America (City TBD)


November 12 – November 16, 2018    Zurich, Switzerland

DNS & BIND Fundamentals (DNSB-F) is the first three days of DNS & BIND Week.

Who attends: Those who work peripherally with DNS. After the course, many wish they had attended the entire week. For them, we offer DNS & BIND Advanced (DNSB-A), which is the final two days of DNS & BIND Week.

Looking ahead, in 2019 we plan to begin offering our three day DNSSEC & BIND (DNSSECB) course publicly. It is currently only available for private, on-site corporate training.

Topics: DNS training, BIND, DNS events

Thinking of doing DNS better?

Posted by Men & Mice on 3/20/18 10:27 AM

I train, therefore I am

Or that’s what Descartes may have said if he’d been thinking his thoughts in 2018.

Mind you, this blog is not about thinking and it’s not about physical training either, like running or wife carrying or stuff like that. It’s more about training as in training for the mind. Learning useful things. Like how to configure BIND, debug DNS, figure out TSIGs or what DNSSEC can do for your network. Basically, the kind of training that helps you build a leaner, stronger, fitter network, and create the system resilience needed to deliver those constantly surging numbers of packets to their right destination, faster and more securely.

Getting DNS skills in sync

Since 1999, Men & Mice has been known for running effective and efficient DNS & BIND training courses worldwide. Previous offerings included open, public courses in a number of locations, as well as private on-site training on request.

Beginning in 2018, we are putting a little extra effort and logging a few more air-miles, making it much easier for you to attend, wherever you are.  We’re extending our public offerings into new destinations, with upcoming courses scheduled in California, New York, Switzerland, England and Israel, with additional courses to be added as the year progresses. See the schedule at menandmice.com/training/

To get the hang of running a better network, sign up for the 3-day DNS & BIND Fundamentals, or take our most popular course and spend 5 days sinking your teeth deeper into the subject matter in DNS & BIND Week. A range of on-site training options is also on offer.

Reach out to Men & Mice Training to register for a course, ask questions, log comments, or to recommend additional locations for future public offerings.

In the meantime, check out the dates and feast your eyes on the list of topics covered by our hands-on courses, taught by DNS experts.

Happy training!

Topics: DNS, Men & Mice, DNS training, BIND

Supervising BIND 9

Posted by Men & Mice on 1/21/15 2:59 PM

BIND 9 is a mature piece of software, and compared with its predecessors BIND 4 and BIND 8 it is noticeably more stable and secure. One reason for this is the "Design by contract" programming style used by the BIND 9 team; as a result, BIND 9 is very particular about the data it consumes, and about its own internal data structures. Once BIND 9 encounters an unexpected state in its data structures, it terminates the DNS server process rather than continue running with bad data (and thus potentially compromise security).

While this behavior has clear advantages in terms of security, it can adversely affect service uptime - BIND 9 had several incidents in the past years where BIND 9 terminated because of issues inside the code or data structures, such as "BIND 9 Resolver crashes after logging an error in query.c". And for all its security benefits, an end user unable to reach Facebook may not be terribly understanding in the event of an outage.

The real issue, however, is not that BIND terminates when it comes across bad data, but rather that the process cannot automatically restart after the fact; there is no "supervisor" process in BIND 9.

Some operating systems have a built-in solution: MacOS X has launchd, and the BIND 9 version Apple delivers with the OS is automatically restarted should it terminate unexpectedly. Solaris has SMF (Service Management Facility), and BIND 9 can be integrated into SMF. Recent versions of Ubuntu, RedHat Enterprise, SuSe Enterprise, and Fedora now all use systemd, which can also monitor processes and restart them if needed.

But for Unix and Linux operating systems that do not ship with a process supervisor solution, supervisord is a strong alternative, with the added benefit of being relatively easy to install and configure. Supervisord comes as a package with many Linux distributions, and also works on BSD distributions.

The configuration below is intended for RedHat 6, but should require only minor tweaks to run on other Unix systems as well.

Installation

Supervisord is written in Python (2.4 - 2.7) and can be installed from source (where we have to download and install all dependencies) or with the help of setuptools, which takes care of downloading and installing dependencies (Meld3 and ElementTree).

Full Installation instructions can be found at [http://supervisord.org/installing.html]

Automatic Installation

‣ download "setuptools" from [https://pypi.python.org/packages/source/s/setuptools/setuptools-9.1.tar.gz]

 shell> tar xfz setuptools-9.1.tar.gz 
shell> cd setuptools-9.1 
root-shell> python setup.py install

Once setuptools has been installed, run the following command to install Supervisor and all required dependencies:

 root-shell> easy_install supervisor 

Manual Installation

Supervisor and its dependencies can also be installed manually.

‣ download "setuptools" from [https://pypi.python.org/packages/source/s/setuptools/setuptools-9.1.tar.gz]

 shell> tar xfz setuptools-9.1.tar.gz 
shell> cd setuptools-9.1 
root-shell> python setup.py install

‣ download "Meld3" from [http://www.plope.com/software/meld3/meld3-0.6.5.tar.gz]

 shell> tar xfz meld3-0.6.5.tar.gz 
shell> cd meld3-0.6.5 
root-shell> python setup.py install

‣ download "ElementTree" from [http://effbot.org/media/downloads/elementtree-1.2.6-20050316.tar.gz]

 shell> tar xfz elementtree-1.2.6-20050316.tar.gz 
shell> cd elementtree-1.2.6-20050316 
root-shell> python setup.py install

‣ download "Supervisor" from [https://pypi.python.org/packages/source/s/supervisor/supervisor-3.1.3.tar.gz]

 shell> tar xfz supervisor-3.1.3.tar.gz 
shell> cd supervisor-3.1.3 
root-shell> python setup.py install

Installing startscript and sysconfig

‣ download the startscript from [https://raw.githubusercontent.com/Supervisor/initscripts/master/redhat-init-jkoppe] and place it in /etc/init.d/supervisord

 root-shell> cp redhat-init-jkoppe /etc/init.d/supervisord 
root-shell> chmod +x /etc/init.d/supervisord

‣ download the 'sysconfig' file from [https://raw.githubusercontent.com/Supervisor/initscripts/master/redhat-sysconfig-jkoppe] and place it in /etc/sysconfig/supervisord

 root-shell> cp redhat-sysconfig-jkoppe /etc/sysconfig/supervisord 

Installing Bind 9 from Men & Mice repositories

‣ download the BIND 9 RPM from [http://support.menandmice.com/download/bind/linux/redhat/6.x/]<arch>/<version>/

 root-shell> yum install ISCBIND-<version>-<flavor>RHL<arch>.rpm 
root-shell> mkdir /var/named 
root-shell> useradd -d /var/named -r named 
root-shell> chown -R named: /var/named

‣ create a BIND 9 configuration file '/etc/named.conf'

options { directory "/var/named"; dnssec-validation auto; }; 

‣ create an 'rndc' configuration

root-shell> rndc-confgen -a 

‣ verify the configuration

root-shell> named-checkconf -z 

A basic configuration file for BIND 9 "named"

Below is my basic /etc/supervisord.conf configuration file for one service, the BIND 9 DNS Server:

 [unix_http_server] 
file = /tmp/supervisor.sock 
chmod = 0777 
chown= nobody:nobody 

[rpcinterface:supervisor] 
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface 

[supervisorctl] 
serverurl=unix:///tmp/supervisor.sock 

[supervisord] 
logfile = /var/log/supervisord.log 
logfile_maxbytes = 10MB 
logfile_backups=10 
loglevel = info 
pidfile = /var/run/supervisord.pid 
identifier = supervisor 
directory = /tmp 

[program:named] 
command=/usr/sbin/named -u named -f 
process_name=%(program_name)s 
numprocs=1 
directory=/var/named 
priority=100 
autostart=true 
autorestart=unexpected 
startsecs=5 
startretries=3 
exitcodes=0,2 
stopsignal=TERM 
stopwaitsecs=10 
redirect_stderr=false 
stdout_logfile=/var/log/named_supervisord.log 
stdout_logfile_maxbytes=1MB 
stdout_logfile_backups=10 
stdout_capture_maxbytes=1MB
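
The [unix_http_server] section above puts supervisord's control socket in /tmp with mode 0777 and no username or password, so any local account that can connect to it can stop or restart the supervised named process. The following check is an added example, not part of the original post: it audits that section and compares the page's settings with a constructed hardened variant whose socket path and password are placeholders.

```python
"""Audit the control-socket settings of a supervisord.conf (added example)."""
import configparser
import os
import stat

# The relevant sections as shown on this page.
PAGE_CONF = """
[unix_http_server]
file = /tmp/supervisor.sock
chmod = 0777
chown = nobody:nobody

[program:named]
command=/usr/sbin/named -u named -f
process_name=%(program_name)s
"""

# Constructed hardened variant; the path and password are placeholders.
HARDENED_CONF = """
[unix_http_server]
file = /var/run/supervisor.sock
chmod = 0700
chown = root:root
username = admin
password = CHANGE-ME-PLACEHOLDER

[program:named]
command=/usr/sbin/named -u named -f
"""

SHARED_TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def audit_control_socket(conf_text):
    """Return a list of findings for the [unix_http_server] section."""
    # interpolation=None: supervisord has its own %(program_name)s expansions,
    # which configparser must not try to interpolate itself.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("unix_http_server"):
        return []
    sec = cp["unix_http_server"]
    findings = []
    path = sec.get("file", "")
    mode = int(sec.get("chmod", "0700"), 8)  # supervisord's default is 0700
    if os.path.dirname(path) in SHARED_TMP_DIRS:
        findings.append("socket-in-shared-tmp")
    if mode & stat.S_IWOTH:  # write permission is what allows connect()
        findings.append("socket-world-writable")
        if not (sec.get("username") and sec.get("password")):
            # Every local user can then issue control commands.
            findings.append("no-auth-on-world-writable-socket")
    return findings
```

If the socket path or credentials change, the serverurl (and username/password) in the [supervisorctl] section must be changed to match.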

Starting supervisord

With the configuration file in place, we can start supervisord. Make sure that BIND 9 is not started or you will end up with two instances of the BIND 9 server running, which isn't recommended. Also make sure that supervisord will be started on reboot of the server, either through a startscript or other means. Note that the supervisord packages bundled with Linux distributions install a startscript.

 root-shell> /etc/init.d/supervisord start 
root-shell> rndc status 
version: 9.9.6-P1 <id:3612d8fb> 
number of zones: 98 
debug level: 0 
xfers running: 0 
xfers deferred: 0 
soa queries in progress: 0 
query logging is OFF 
recursive clients: 0/0/1000 
tcp clients: 0/100 

server is up and running 
root-shell> ps aux 
[...] 
root 10906 0.0 2.5 209096 12988 ? Ss 19:55 0:00 /usr/bin/python /usr/bin/supervisord -c /etc/supervisord.conf 
named 10908 0.7 1.6 44292 8112 ? S 19:55 0:00 /usr/sbin/named -u named -f 
root 10910 0.0 0.2 110228 1156 pts/0 R+ 19:55 0:00 ps aux 

root-shell> supervisorctl 
status 
named RUNNING pid 10908, uptime 0:03:19 
root-shell> chkconfig --add supervisord 
root-shell> chkconfig supervisord on

Great, supervisord has started, and it also started the BIND 9 process "named". DNS is working now.

Simulating a BIND 9 crash

To simulate a BIND 9 crash, we "kill" the BIND 9 named process:

root-shell> killall -9 named 

Supervisord should detect that the running BIND 9 process has terminated, and start a new one. DNS is still up and running.

Controlling supervisord

Supervisord can be controlled from the command line using the supervisorctl command. A list of all control commands can be found with "help", and a description of each command with "help command":

 shell> supervisorctl help 
default commands (type help <topic>): 
===================================== 
add clear fg open quit remove restart start stop update 
avail exit maintail pid reload reread shutdown status tail version 

shell> supervisorctl help status 
status Get all process status info. 
status Get status on a single process by name. 
status Get status on multiple named processes. 

shell> supervisorctl status named 
RUNNING pid 25770, uptime 0:00:12 

shell> supervisorctl stop named 
named: stopped 

shell> supervisorctl start named 
named: started

Now, whenever there is a triggered assertion error in the code BIND 9 will terminate, but supervisord will bring it back from the dead. Your DNS service stays up, and your users and customers stay happy.

Read the supervisord documentation on how to set up event notifications, so that you get an e-mail notification should BIND 9 restart (should the outage be caused by a security vulnerability you might want to report it to bind9-bugs@isc.org as well).
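
One way to implement the notification described above is a supervisord event listener subscribed to PROCESS_STATE_EXITED. This is an added example, not code from the original post. It assumes the listener runs under Python 3, that a mail server accepts messages on localhost, and that the script path, sender and recipient shown are placeholders.

```python
"""supervisord event listener: mail an alert when named exits unexpectedly."""
# Added example. Register in supervisord.conf (script path is an assumption):
#   [eventlistener:named_alert]
#   command=/usr/local/bin/named_alert.py
#   events=PROCESS_STATE_EXITED
import smtplib
import sys
from email.message import EmailMessage

WATCHED = "named"                    # program name from [program:named]
MAIL_FROM = "supervisord@localhost"  # assumed sender address
MAIL_TO = "dns-ops@example.com"      # assumed recipient address

# Constructed sample event, in the format supervisord writes to a listener.
SAMPLE_HEADER = ("ver:3.0 server:supervisor serial:21 pool:named_alert "
                 "poolserial:10 eventname:PROCESS_STATE_EXITED len:73\n")
SAMPLE_PAYLOAD = ("processname:named groupname:named from_state:RUNNING "
                  "expected:0 pid:10908")


def parse_tokens(line):
    """Parse the 'key:value key:value' format of headers and payloads."""
    return dict(tok.split(":", 1) for tok in line.split())


def build_alert(header_line, payload):
    """Return an EmailMessage for an unexpected exit of WATCHED, else None."""
    if parse_tokens(header_line).get("eventname") != "PROCESS_STATE_EXITED":
        return None
    data = parse_tokens(payload)
    # expected:1 means the exit code is listed in exitcodes= (a clean stop).
    if data.get("processname") != WATCHED or data.get("expected") == "1":
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = MAIL_FROM, MAIL_TO
    msg["Subject"] = "BIND 9 (%s) exited unexpectedly" % WATCHED
    msg.set_content("pid %s left state %s with an unexpected exit status.\n"
                    % (data.get("pid"), data.get("from_state")))
    return msg


def main():
    while True:  # protocol: READY -> header line -> payload -> RESULT
        print("READY", flush=True)
        header_line = sys.stdin.readline()
        if not header_line:
            break  # supervisord closed our stdin
        length = int(parse_tokens(header_line)["len"])
        alert = build_alert(header_line, sys.stdin.read(length))
        if alert is not None:
            try:
                with smtplib.SMTP("localhost") as smtp:  # assumed local MTA
                    smtp.send_message(alert)
            except OSError as exc:
                sys.stderr.write("alert not sent: %s\n" % exc)
        print("RESULT 2\nOK", end="", flush=True)  # acknowledge the event


if __name__ == "__main__":
    main()
```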

Of course supervisord can be used to restart other processes as well, including other types of DNS Servers (NSD, Unbound, dnsmasq ...).

Topics: DNS, Linux, BIND, BIND 9, Supervisord, Red Hat

A visit from an ISC BIND 10 team to Iceland

Posted by Dora Vigfusdottir on 4/26/12 12:36 PM

We here at Men & Mice have been playing host to a very happy and eager group of people from ISC this week. The purpose of their visit to Iceland has been to meet up, work together, learn from us and vice versa. 

I was able to lure Shane Kerr out of a meeting for a minute and asked him some questions!

So Shane, what exactly is BIND 10? 

BIND 10 is the next-generation DNS server currently being developed by ISC, with financial and coding support from several generous sponsors. It is intended not only to fix limitations found in all current DNS servers, but also to allow DNS administrators to better integrate BIND into their operations and use the DNS in new and interesting ways.

And how is the progress so far in the project?

We've gotten to the point where the server is useful as an authoritative server, but we've had to do quite a bit more refactoring of the code than I would have preferred. My feeling is that this is because we're trying to do things in ways that have never been attempted before, so it should not be surprising that we have made some imperfect decisions early on.

Some pioneer work going on then, exciting! But when should users download and test BIND 10 in their environment?

This depends on what each user does with DNS, and also how comfortable they are with experimental code.

Right now users interested in looking at BIND 10 from a software or system level should go ahead and download it immediately.

Users who are more interested in installing production software should wait until October 2012, when we are going to be putting out either a beta or alpha version of the authoritative server. (If we have completed feature work it will be a beta, otherwise it will be an alpha).

Users who run recursive resolvers should wait until mid-2013, when we hope to release the results of our recursive work. We have a basic resolver now, but we are looking at architectural changes needed to improve performance so we can run faster than any alternatives.

Makes sense, but is there a way for users to participate in or comment on the BIND 10 project?

Right now we have a user mailing list which is designed for people with operational questions or suggestions:

https://lists.isc.org/mailman/listinfo/bind10-users

We also have a development mailing list where all of the development discussions happen. This is a bit high-volume, and probably only interesting for DNS developers, but it is open for all:

https://lists.isc.org/mailman/listinfo/bind10-dev

We periodically invite anyone interested to join us for a day of discussion with the developers, which we call the BIND Open Day. We've had two so far, and tend to have them around our face to face team meetings. These get announced on our mailing lists, as well as all the usual social media sites. We hope to see you at one! :)

Excellent, lots of ways to stay tuned. But how does the BIND 10 team like Iceland?

Well, a number of the team were really looking forward to the trip, and several have taken the opportunity to plan their holidays around the meeting. We generally like it so far and some of us are going on a day tour this weekend to see your geysers and other nature wonders. 

 

It's been a pleasure to have all these wonderful people gathered here at our offices.

Hard at work and keeping busy!

Topics: DNS, Men & Mice, ISC, BIND

Why follow Men & Mice?

The Men & Mice blog publishes educational, informational, as well as product-related material for everyone and anyone interested in IP Address Management, DNS, DHCP, IPv6, DNSSEC and more.
