The Men & Mice Blog

DNS Cookies, Response Policy Zones (RPZ), Response Rate Limiting (RRL) and DNSTAP added to Training course curriculum.

Posted by Greg Fazekas on 11/13/18 7:27 AM

If you’re looking to advance your understanding of one of the most fundamental aspects of public and private networks, from the internet to corporate intrawebs, consider that Men & Mice has been delivering DNS and BIND training courses since 1999.


In the coming year, we will augment these popular courses with entirely new sections on DNS Cookies, Response Policy Zones (RPZ), Response Rate Limiting (RRL) and DNSTAP as well as updates on DNS Security and DNSSEC. Many other enhancements are also being rolled out in 2019 for the DNS & BIND courses, including refinements to course materials and the introduction of new labs (including Debugging labs). Register today, to secure your spot in one of our upcoming courses.

To ensure there is a conveniently located training program nearby, Men & Mice Training events have taken place in locations spanning four continents, and deliver learning opportunities to organizations of all sizes and functions, such as:


  • Top Level Domain (TLD) operators,
  • DNS registrars,
  • Governments,
  • Universities,
  • Enterprise and SMB businesses

Men & Mice's work in developing DNS, DHCP, and IP Address management (DDI) solutions has led to the development of the vendor and environment-agnostic Men & Mice Suite, which provides a holistic DDI overlay for simplifying complex management of critical network infrastructure for enterprise organizations.

The development of our public training courses and private on-site training programs utilizes our deep expertise in DNS and BIND. The courses, which are  independent from our software solution, are designed to strengthen DNS know-how both for individual career development and to bolster expertise across network teams.

Not only useful for beginners, they’re valued by those with years of expertise. Here's what a student from one of our fall 2018 courses had to say:

“There's nothing more basic to the internet than DNS.  I've been using the internet since the days of gopher in 1995.  And running networked linux systems since 1997. But this course refreshed my understanding of the fundamentals of the internet more than anything else I've done in the last 21 years. By teaching me in-depth how the internet WORKS.”

Our training courses are designed to cater to both new students and seasoned professionals. Students often realize that while their base knowledge is valuable, taking a different approach illuminates concepts they weren't aware of before. They return to work with a deeper understanding of how their roles, tasks and input related to DNS, as well as those of their colleagues, impact the entirety of the network.

Comprehensive Training in DNS & BIND


DNS & BIND Week (DNSB-W) provides an overall understanding of the fundamental building blocks of a network.

Students get hands-on workshop experience with DNS in a practical environment. Men & Mice maximizes the efficiency of training sessions by promoting tactical application rather than simply studying, pointing out along the way the large-scale correlations born from localized concepts.

DNS & BIND Advanced (DNSB-A) - following the DNSB-W and DNSB-F programs - and DNSSEC & BIND (DNSSECB) - offered again in 2019 - programs offer more advanced knowledge and practice. Designed primarily for those responsible for some of the most mission-critical of internet services - such as DNS registrars and TLD operators - they bring students to the top of their expertise.

Foundational Training in DNS & BIND

For those peripherally working with DNS, or looking to learn the basics, the first three days of DNS & BIND Week is available as DNS & BIND Fundamentals (DNSB-F).

To learn about the Men & Mice Training Program, visit our menandmice.com/training.


UPCOMING COURSES:

  • November 12 – 16, 2018: Zurich, Switzerland
  • February 11 – 15, 2019: Portland, OR, USA
  • March 4 – 8, 2019: Amsterdam, Netherlands
  • April 22 – 26, 2019: Centennial, CO, USA (near Denver)
  • June 3 – 7, 2019: Gdansk, Poland
  • June 24 – 28, 2019: Reston, VA, USA (near Washington DC)

Topics: DNS training, BIND, Response Rate Limiting (RRL), Response Policy Zones (RPZ), DNSTAP, DNSSEC, Men & Mice, DNS Cookies

Ready for another look at DNSSEC?

Posted by Men & Mice on 4/12/17 8:32 AM

Since the dawn of DNS, it has been a system regularly experiencing phases of increased vulnerability. Yet never before has it been as vulnerable to the escalating size of DNS attacks as in recent years, most notably in 2016.

Advice on how to prevent, or at least mitigate, all manner of attacks on DNS proliferates, and every security vendor and his uncle promises heaven and earth, if only you bought into their solutions. While you should investigate all options and carefully devise a wholescale security strategy, together with overhauling your network’s architecture design to close unnecessary gaps and eliminate weak links, it is critical that you don’t leave one of the most obvious DNS security stones unturned – DNSSEC. 

After Dyn went down so spectacularly last October during the biggest DDoS attack recorded to date, Geoff Huston gave an excellent talk at RIPE 73, speculating on possible ways to mitigate DNS attacks. In the process, he also managed to remind the audience that one of the ways to make DNS (and conversely, the internet) safer would be to fully implement DNSSEC. Fully deployed, DNSSEC ensures that the end user is connecting to the intended, and verified, website or service corresponding to a specific domain name. In this way, DNSSEC protects the directory lookup and complements other security technologies, such as TLS (https:). DNSSEC is not a magic bullet and won’t solve all internet security issues, but in a world of constantly multiplying mutations of attacks on DNS availability, it sure can’t hurt to add it to your DNS security repertoire.

That said, DNSSEC would be a much happier prospect for most of us if it were not so tedious to set up. Still, like all things worthwhile, a little bit of initial effort can take you a long way. To help you get a grip on the ins and outs of DNSSEC, Men & Mice’s DNS expert Carsten Strotmann recently added a DNSSEC zone signing tutorial to our useful selection of DNSSEC resources, all bound to help you take steps towards DNSSEC with greater confidence. The DNSSEC zone signing tutorial follows on from Carsten’s highly rated November 2016 webinar on DNS and DNSSEC monitoring – Strategy and Tools. An added bonus is the scripts of 15 essential DNS and DNSSEC monitoring tests which can come in pretty handy once you’ve set the DNSSEC wheels in motion.

In the greater scheme of dealing with DNS vulnerabilities, it’s reassuring to know that organizations such as the IETF are dedicated to coming up with solutions to better protect the internet at the top levels of design. The DNS PRIVate Exchange Working Group (DPRIVE – a simply brilliant acronym, as they go) is tasked with developing mechanisms to enable the confidentiality of DNS transactions. While DNSSEC revolves around ensuring that data remains unchanged during communication, the data itself remains open, so to speak. DPRIVE is working towards concealing the data, primarily focusing on providing confidentiality between DNS Clients and Iterative Resolvers, but perhaps later on progressing towards providing end-to-end confidentiality of DNS transactions. In practice, these developments mean that somewhere down the road, it will hopefully be possible to:

  1. provide DNS servers with knowledge on how the structure of the internet works so DNS queries will have a straighter and narrower path, only asking for the data that is really required and not having to put in full requests that have to go all the way to the root name servers.

  2. encrypt communication between the DNS resolver (usually on the internet provider’s network) and authoritative servers on the internet so that data transmitted can’t be harvested by ill-intentioned entities.

One of the side benefits of this type of encryption is that the underlying transport protocol will likely switch from UDP to TCP, thereby providing the ‘handshake’ required for secure communication and making spoofing so resource intensive that it will take the easy fun out of the kind of DoS attacks we’ve seen escalating in recent years.  

With all new and generic top level domains, as well as country code top level domains DNSSEC signed today, the implementation of DNSSEC to make the internet more robust and secure is quickly turning into the rule, rather than the exception. Which begs the question: why wait till tomorrow when you can begin implementing DNSSEC on your domain today?

Free trial of the Men & Mice Suite

 

Topics: DNSSEC, DANE, DNS

RIPE 72 – A Blog Report on DNS & IPv6

Posted by Carsten Strotmann on 6/22/16 5:30 AM

RIPE 72 took place in Copenhagen from 23-27 May 2016. This blog report shares some of my thoughts on interesting talks and presentations on DNS and IPv6.  

As always, this report cannot be exhaustive and I recommend that those interested browse the meeting archive of RIPE 72 for other interesting topics.

DNS

Victoria Risk from ISC reported on the changes in the upcoming BIND 9.11 release (BIND 9.11 Release Update) that is planned for August 2016. The new catalog zone feature allows automatic provisioning of slave zones from a central catalog zone. New zones are configured as a master zone on one server and a special entry is written into the catalog zone, a meta-data zone that is configured on the master and all secondary servers. The catalog zone will be replicated by zone-transfer and the secondary server will automatically configure a slave-zone for the newly added domain.

Men & Mice Trainer Jan-Piet Mens has already had a chance to test this new feature and wrote a blog article about it: Catalog zones in BIND 9.11. ISC has issued an Internet Draft in the IETF about catalog zones with the hope that other DNS software vendors will implement a compatible version.
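The catalog zone mechanism described above is easy to see in miniature. The following is an added example, not ISC's implementation and not code from Jan-Piet's article: it builds the records of a catalog zone the way the ISC draft lays them out (one PTR per member zone under zones.<catalog>, owned by the hex SHA-1 of the member zone name in DNS wire format) and shows the reverse step a secondary performs when the catalog arrives by zone transfer. The catalog name catalog.example and the member zones are constructed sample values.

```python
import hashlib

# Added example (not ISC's or Men & Mice's code). Each member zone becomes a PTR
# record under "zones.<catalog>", owned by a label that is the hex SHA-1 of the
# member zone name in lowercase DNS wire format. Names below are constructed.

def wire_format(name):
    """Encode a DNS name as uncompressed wire format: length-prefixed labels, then a root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def catalog_label(zone):
    """Owner label for a member zone: SHA-1 of its wire-format name, as 40 hex characters."""
    return hashlib.sha1(wire_format(zone)).hexdigest()

def catalog_zone_records(catalog, members):
    """Render the records of a catalog zone listing the given member zones.

    The SOA/NS content is filler: the catalog is never served to clients, only
    transferred from the primary to the secondaries. The version TXT record
    carries the schema version of the catalog format."""
    cat = catalog.rstrip(".").lower() + "."
    records = [
        "%s 3600 IN SOA invalid. invalid. 1 3600 600 86400 3600" % cat,
        "%s 3600 IN NS invalid." % cat,
        "version.%s 0 IN TXT \"1\"" % cat,
    ]
    seen = set()
    for member in members:
        m = member.rstrip(".").lower() + "."
        if m in seen:
            continue  # listing a zone twice would produce two identical PTR records
        seen.add(m)
        records.append("%s.zones.%s 0 IN PTR %s" % (catalog_label(m), cat, m))
    return records

def member_zones(records):
    """What a secondary does with a received catalog: collect the member zones it
    must provision from the PTR records under zones.<catalog>."""
    zones = []
    for rec in records:
        fields = rec.split()
        if len(fields) == 5 and fields[3] == "PTR" and ".zones." in fields[0]:
            zones.append(fields[4])
    return zones

if __name__ == "__main__":
    for line in catalog_zone_records("catalog.example", ["example.com", "Example.NET", "example.com."]):
        print(line)
```

Because the owner label is a digest of the name, adding or removing a member zone touches exactly one record, and secondaries can reconcile the catalog on every transfer without parsing anything but the PTR set. Whether a given BIND 9.11 build accepts exactly this layout should be checked against its release notes; the hashing convention here follows the draft as summarised in the talk.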

BIND 9.11 will include a new, refined backend for storing DNS zone data in databases, called the dyndb api. This new API is much faster than the older DLZ API and also works with DNSSEC.

Speaking of DNSSEC, BIND 9.11 will come with a new component called dnssec-keymgr that will be able to automate DNSSEC key-rollover based on a policy, much like the external OpenDNSSEC tool. More improvements to BIND 9.11 can be found in the presentation and also in the upcoming Men & Mice Webinar What's new in BIND 9.11.

Jeff Osborn from ISC started a discussion on a license change of the BIND 9 DNS Server in his talk Changing the Open Source License on BIND. Today, the BIND 9 DNS server is licensed under the ISC license, which is a permissive BSD-style license. Jeff proposes a switch to the Mozilla Public License (MPL), which is a so-called copy-left license. Both licenses are open-source licenses, but the main difference is that the MPL requires all source code changes to the product to be made public. This license change will have no negative effect on anyone using the BIND 9 DNS server, but might affect companies that build products that incorporate the BIND 9 server code. As an overlay management solution, the Men & Mice Suite product works with an un-altered BIND 9, so customers using the Men & Mice Suite would also not be affected by such a license change. Jeff welcomes any feedback on the license change. His contact information can be found in the talk's slides, available in the link above.

Patrik Faltstrom, Chair of the Security and Stability Advisory Committee on the DNS root-server system, presented an alert on WPAD Name Collision Vulnerability. WPAD, the "Web Proxy Auto-Discovery", is a way to configure the Web-Proxy to be used by a Web-Browser using DNS. In this function, the special domain name "wpad" is resolved in the local domain name of the network the client is in. Collisions between internal, non-registered domain names and new top level domains in the Internet DNS system now create the vulnerability that external parties can control the internal proxy configuration inside a company's network. Internet Explorer on Windows systems has this function enabled by default, but it can also be enabled in Firefox, Safari or Chrome browsers on MacOS X, BSD and Linux. Running an unregistered TLD in an internal DNS deployment is not recommended, but DNS administrators will find it difficult to remove the sins of the past. Administrators should block DNS queries for internal-only domains at their DNS-resolvers, monitor DNS queries leaving the network for internal names and consider manually switching off the WPAD function in the browsers.
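The monitoring advice at the end of that paragraph can be turned into a small check over the resolver's query log. This is an added example, not code from the talk or from Men & Mice: the log lines are constructed to resemble BIND 9 query-log entries, and LOCAL_ZONES is a constructed list of the domains the organisation's internal DNS actually serves. Any "wpad." lookup whose suffix is not one of those zones is a query that will leave the network, and it also tells you which suffix needs an empty local zone so that it stops leaving.

```python
import re

# Added example (not from the talk or Men & Mice). Constructed sample lines in the
# style of the BIND 9 query log; client addresses and names are made up.
SAMPLE_QUERY_LOG = """\
client 10.0.0.5#53123 (wpad.corp.example): query: wpad.corp.example IN A +E (10.0.0.1)
client 10.0.0.7#40001 (wpad.internal): query: wpad.internal IN A + (10.0.0.1)
client 10.0.0.9#40002 (www.example.com): query: www.example.com IN A + (10.0.0.1)
client 10.0.0.7#40003 (wpad.internal): query: wpad.internal IN A + (10.0.0.1)
client 10.0.0.11#40004 (printer.corp.example): query: printer.corp.example IN A + (10.0.0.1)
client 10.0.0.12#40005 (wpad.office.example): query: wpad.office.example IN AAAA + (10.0.0.1)
"""

# Constructed: the zones this organisation's internal DNS answers for itself.
LOCAL_ZONES = ["corp.example"]

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def in_local_zone(qname, zones):
    """True if qname is at or below one of the locally served zones."""
    name = qname.rstrip(".").lower()
    for z in zones:
        z = z.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False

def parse_queries(log_text):
    """Extract (client, qname, qtype) from each log line that carries a query."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")))
    return out

def risky_wpad_queries(log_text, local_zones):
    """(client, qname) pairs, sorted and de-duplicated, for WPAD lookups whose domain
    the internal DNS does not serve. Such a query leaves the network and, should the
    suffix ever be delegated as a public TLD, could be answered by an outside party."""
    hits = set()
    for client, qname, _qtype in parse_queries(log_text):
        if qname.startswith("wpad.") and not in_local_zone(qname, local_zones):
            hits.add((client, qname))
    return sorted(hits)

def wpad_suffixes(log_text, local_zones):
    """Suffixes that should get an empty local zone on the resolver so the lookups stop."""
    return sorted({q[len("wpad."):] for _c, q in risky_wpad_queries(log_text, local_zones)})

if __name__ == "__main__":
    for client, qname in risky_wpad_queries(SAMPLE_QUERY_LOG, LOCAL_ZONES):
        print("%s asked for %s outside the locally served zones" % (client, qname))
    print("suffixes to serve locally:", wpad_suffixes(SAMPLE_QUERY_LOG, LOCAL_ZONES))
```

On the constructed sample the check flags wpad.internal and wpad.office.example, while wpad.corp.example passes because corp.example is served locally. The suffix list is the input for the blocking step the talk recommends: an empty authoritative zone (or the equivalent static local zone in Unbound) for each suffix keeps those names from ever reaching the root servers.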

Duane Wessels from Verisign gave a talk on the size increase of the Root-Zone Zone-Signing-Key (ZSK). Since the beginning of the DNSSEC-signed root-zone, the ZSK was a 1024bit RSA key, as recommended by RFC 6781 - DNSSEC Operational Practices, Version 2. However, while not an immediate security threat, 1024bit RSA keys are now also seen as having a too small security margin when used for DNSSEC signatures (1024bit RSA keys have been too weak for encryption for many years). The new ZSK will be a 2048bit key and it will be introduced into the DNS root-zone on 20th September 2016. All testing done so far indicates that there should be no problems. Even though the DNS responses from the root zone during a ZSK rollover do increase from 883 to 1138 octets/bytes, the response is still below the 1232byte EDNS0 limit often used in the IPv6-DNS-Resolver or the 1500byte Ethernet MTU.

The Unbound DNS-Resolver now implements DNS Query Name Minimisation to Improve Privacy, RFC 7816. Ralf Dolmans of NLnetLabs explains in his talk QNAME Minimization in Unbound how this new feature is implemented. In traditional DNS, a DNS resolver always asks the full question of all servers in the delegation chain, because the resolver does not know the delegation topology of the DNS system in use. In the Internet, there is a defined delegation structure for DNS, starting with the root zone, followed by the generic, new and country-code top-level domains and, below them, the second-level domains owned by companies and individuals. A DNS resolver can therefore shorten the query when asking at the root-zone or TLD level, enhancing the privacy of the users of the DNS resolver. Whether the DNS resolver used by a client machine does QNAME minimisation can be tested with a DNS lookup tool such as dig:

% dig txt qnamemintest.internet.nl +short
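To make the difference between the traditional and the minimised query sequence concrete, here is an added example (not Unbound's code and not from the talk) that simulates the RFC 7816 shortening rule: each server in the delegation chain is asked only for the zone cut plus one more label of the target name. The delegation points for qnamemintest.internet.nl are a constructed list so the script runs offline; a real resolver learns them from the referrals it receives.

```python
# Added example (not Unbound's implementation): the RFC 7816 query shortening
# step, simulated over a constructed delegation chain.

def labels(name):
    return [l for l in name.rstrip(".").lower().split(".") if l]

def minimised_qname(full_qname, zone_cut):
    """Name to send to the servers for zone_cut: the cut plus one more label of the
    target name, instead of the full name."""
    full, cut = labels(full_qname), labels(zone_cut)
    if cut and full[-len(cut):] != cut:
        raise ValueError("%s is not below %s" % (full_qname, zone_cut))
    if len(full) == len(cut):
        return ".".join(full) + "." if full else "."
    return ".".join(full[-(len(cut) + 1):]) + "."

def query_sequence(full_qname, qtype, delegations, minimise=True):
    """Queries (zone asked, qname sent, qtype) a resolver issues walking the delegation
    chain. With minimise=False every server sees the full name, as traditional resolvers
    send it. Intermediate minimised queries use type NS, as RFC 7816 suggests; only the
    final query carries the original type."""
    seq = []
    for cut in delegations:
        if minimise:
            q = minimised_qname(full_qname, cut)
            t = qtype if labels(q) == labels(full_qname) else "NS"
        else:
            q, t = full_qname, qtype
        seq.append((cut, q, t))
    return seq

# Constructed delegation chain for the test name used in the text.
DELEGATIONS = [".", "nl.", "internet.nl."]

if __name__ == "__main__":
    print("minimised:")
    for row in query_sequence("qnamemintest.internet.nl.", "TXT", DELEGATIONS):
        print("  ", row)
    print("traditional:")
    for row in query_sequence("qnamemintest.internet.nl.", "TXT", DELEGATIONS, minimise=False):
        print("  ", row)
```

The root servers only ever see "nl.", and the .nl servers only "internet.nl."; the full name reaches just the servers authoritative for internet.nl. Note that a label boundary is not always a zone cut, so a resolver that minimises has to handle one extra referral-less round trip per label inside a single zone, which is why RFC 7816 allows it to fall back to the full name after a number of iterations.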


IPv6

John Jason Brzozowski from US cable giant Comcast presented IPv6 @Comcast – Then, Now and Tomorrow about the challenges and successes in their deployment of IPv6 "large scale". Overall, IPv6 at Comcast is a success and they are now putting in motion the plan to phase out IPv4.

In the IPv6-Working-Group session, John reported on Community WiFi and IPv6 and how Comcast is using IPv6 to create public WIFI hotspots on CPE devices. Comcast is giving out a full "/64" network to every WIFI-device connected, in order to create easy network isolation and to reduce the multicast traffic over WLAN. This scheme could have even more benefits, such as assigning an IPv6 address for every service running on a host.

The Google public DNS resolver now supports DNS64-translation (currently in Beta) on the public DNS-resolver address "2001:4860:4860::6464" (IPv6-Only Has Never Been So Easy). DNS64 is a translation technology that works together with NAT64 to allow a client on an IPv6-only network to connect to IPv4-only services on the Internet. As DNS64 "re-writes" DNS content, it clashes with DNSSEC, as Jen Linkova from Google explains in IPv6-only and DNS(SEC|64). The workaround proposed in the talk got some criticism from the audience.

Enno Rey from the security company ERNW had a close look at the security issues of Multicast Listener Discovery MLD, a topic that has not seen much attention so far. He and his colleagues have found several issues that can be used for denial of service attacks or traffic redirection attacks by an intruder inside the local network. He recommends an (still to be developed) "MLD guard" function in switches (similar to DHCPv4- or RA-Guard) or to deploy port based ACL filtering of MLD traffic. Nobody should panic because of these findings, but every IPv6 network admin should know about MLD and the implications of having MLD active in their networks.

Vaibhav Bajpai had an interesting talk on Measuring Webpage Similarity from Dual-Stacked Hosts, looking at the differences in website content between a page fetched via IPv6 vs. IPv4. Differences coming from certain objects on the page (CSS, JavaScript, Advertisements …) are only available for one protocol, while the general website is dual-stacked and therefore available on both IPv4 and IPv6.

Two talks covered the topic of IPv6-only networks, but from very different angles. In How to Make Trouble for Yourself - You Build an IPv6-Only Network in 2016, Roger Jørgensen from Bredbandsfylket Troms in Norway reported on their project to build a new fiber optic network in the far north of Norway. The management part of this network is designed and operated as an IPv6-only network. Luuk Hendriks gave a report of his attempt at Going IPv6-only at Home while keeping the most important user of his home network, his girlfriend, happy.

Enno Rey talked about Real Life Use Cases and Challenges When Implementing Link-local Addressing Only Networks as of RFC 7404 from his experiences implementing a Link-Local-only addressing scheme in a larger enterprise network. The Link-Local-only addressing was chosen to simplify address management, as almost 50% of networks in this customer's environment are point-to-point links. There are still issues with vendor support in network devices when implementing Link-Local-only addressing. In the discussion following the talk, the audience gave a mixed message, with some people claiming success at running a Link-Local-only network.

Other topics

Mircea Ulinic presented a way to automate the provisioning and management of network devices (routers, switches etc.) using the configuration orchestration tool "SaltStack". SaltStack is usually used to automate the provisioning of server machines running a Salt-Agent (Minion). As it is difficult to install a custom agent on network gear, this talk presented a way to use proxy machines that act as the minions for network hardware. SaltStack automation can save a great deal of time when used in large deployments. Details can be found in Mircea's talk: Network Automation with Salt and NAPALM.

Shane Kerr, who we recently had as an interview guest in our latest Webinar on Yeti-DNS, gave a humorous talk about the "Internet of Things (IoT)" in IoT: What is the Problem or “How To Explain To Your Boss That IoT Won't Make the Company Rich….”.

Those of you hungry for more on RIPE 72, all the above talks and more can be found in the meeting archive of RIPE 72.

Topics: IPv6, DNSSEC, DNS

The DNSSEC - Day

Posted by Men & Mice on 7/6/15 11:35 AM

The first DNSSEC-Day was hosted on June 30th, 2015 in Germany.

With the increase of mobile devices (BYOD), the Internet of Things (IoT) and the growth of cloud-based virtual machines, a seismic shift has taken place in the DDI landscape, leading to greater awareness of network-related security risks.

Security manifests itself in various formats, such as availability, performance and the ability to withstand attacks like DDoS Attacks, DNS cache poisoning, DNS Spoofing and other DNS security threats.

United in increasing the security of the Internet, the Heise publishing house, DENIC, Sys4 AG and the Federal Office for Security in Information Technology (BSI) joined forces and brought experts to the table to explain, among other things, the benefits of DNSSEC technology from the users' perspective and to deal with practical questions from administrators.

The DNSSEC-Day was a 4-hour live video streaming session in German, supplemented with screencast recordings.

Contributing at the DNSSEC-Day was Men & Mice expert Mr. Carsten Strotmann giving his input on practical DNSSEC and DANE deployments.

 

Topics: DNSSEC

Men & Mice Suite Version 6.8 Released

Posted by Men & Mice on 4/28/15 7:49 AM

Reykjavik, Iceland, April 28th 2015 - Men & Mice announces the release of version 6.8 of the Men & Mice Suite.

The Men & Mice Suite is the ideal tool for network managers who desire minimal daily management, featuring planning, reporting, and auditing of growing dynamic IP networks, with the added benefit of delivering improved network security as well. The Men & Mice Suite version 6.8 can be deployed as a software solution on top of existing DNS/DHCP servers or as hardened DNS/DHCP virtual appliances.

Subnet Discovery and Ease of Use

Version 6.8 introduces several new features designed to streamline both initial deployment of the Men & Mice Suite, and day-to-day management of enterprise networks by way of automatic discovery and intuitive user interface improvements.

The new Subnet Discovery feature allows the Men & Mice Suite to directly query network routers for subnet information, making it far easier to add new subnets, and reducing administration time by eliminating the need for tedious manual input of new subnets. Meanwhile, the First Use Wizard allows new users to rapidly gain complete control over their networks by automating DNS/DHCP server and Active Directory Subnet discovery, and intelligently guiding administrators through the initial setup process.

Enhanced System Support

The Unbound Caching DNS Server now enjoys the same management utility as the Men & Mice Virtual Caching Appliance in the Men & Mice Suite, and can be simply added to the Men & Mice Suite Management Console like any other supported DNS server. With version 6.8 the Men & Mice Suite now also features native support for 64-bit Linux systems, and support for systemd integration on Linux installers.

Other Improvements

Version 6.8 also improves other aspects of the suite, featuring enhanced Windows DNSSEC support, improved failover handling on Microsoft DHCP servers, and a number of performance improvements to both the Men & Mice Suite and the Men & Mice Virtual Appliance products.

For a complete list of new features and enhancements:
Release notes on version 6.8.

 

Men & Mice Suite version 6.8 Free Trial

 

Topics: Men & Mice Suite, DDI, DNSSEC, IPAM, DHCP, Windows, Unbound

Unparalleled support for DNS Servers and tightened Security

Posted by Men & Mice on 10/8/14 8:51 AM

Men & Mice announces the release of version 6.7 of the Men & Mice Suite.

The Men & Mice Suite is the ideal tool for network managers who need superfast daily management, planning, reporting and auditing on growing dynamic IP networks, delivering the added benefit of improved network security as well. 

Unparalleled support for DNS Servers

To ensure the solution will scale with businesses as they grow, the Men & Mice Suite integrates with the widest available range of DNS servers, such as BIND, Microsoft DNS services and Unbound. The 6.7 edition adds PowerDNS to enable customers to run hybrid environments for tightened security. In this release, Men & Mice takes flexibility one step further with the addition of Amazon Route53 DNS services support. Enterprises moving to the AWS cloud or running hybrid private/public clouds can now keep full control of their DNS, DHCP and IP environment with the Men & Mice Suite.


Support for Amazon Route53
The Men & Mice Suite now supports Route53, Amazon’s cloud DNS service. With this integration, users can manage DNS information stored on the Amazon Route53 DNS servers in the same way they can manage DNS on other supported platforms, such as creating new zones and edit DNS records in existing zones.


Support for PowerDNS
PowerDNS, an open source, high performance DNS server, is now supported in the Men & Mice Suite.  This capability will especially benefit customers with complex hybrid environments, as they will be able to  manage all their diverse DNS servers from one solution, regardless if they are BIND, Microsoft DNS or PowerDNS servers. 


DNS Security

The increase of mobile devices (BYOD), the Internet of Things (IoT) and the growth of cloud-based virtual machines has caused a seismic shift in the DDI landscape, leading to greater awareness of network-related security risks. Security manifests itself in various formats, such as availability, performance and the ability to withstand attacks like DDoS Attacks, DNS cache poisoning and other DNS security threats. The Men & Mice Suite helps network administrators address such risks by offering hybrid DNS server support and high availability.

The 6.7 edition of the Men & Mice Suite adds DNS and DHCP service monitoring and support for TLSA records, which hold the certificate or key data used to verify SSL/TLS certificates and are themselves protected by DNSSEC signatures.


DNS and DHCP service Monitoring

The Men & Mice Suite now actively monitors the status of the DNS and DHCP services on all managed platforms and will alert users if the services become unavailable.  In addition to being displayed in the user interface, the alerts can be sent to monitoring systems for further processing.  This will serve to maximize availability and enable customers to avoid costly unscheduled downtime.


Support for TLSA records
TLSA records,  in conjunction with DNSSEC signatures, provide an easier and more secure way for applications such as Web browsers and mail servers to authenticate SSL/TLS certificates.   Support for management of TLSA records has been added to the Men & Mice Suite.  For more info on TLSA and DANE (DNS-based Authentication of Named Entities), users can view a recent Men & Mice webinar on the topic.


Reverse zone improvements
Handling of reverse records and reverse zones has been enhanced in this new version and is now much more tightly integrated into the IPAM module. Users can select any number of subnets and create and/or update the corresponding reverse entries for the subnets. Reverse record (PTR) details are now also included with the IP address details in the IPAM view.

 

Role-based access support

Role-based access allows customers to create roles in the Men & Mice Suite and assign these roles to users and groups.  All supported users and groups, whether Men & Mice built-in or from Active Directory or Radius can have roles assigned to them, which will greatly simplify access administration while providing a more flexible access model.  

 

Men & Mice Suite version 6.7 FREE TRIAL

 

or Call us at +1 408.516.9582 to speak to a sales representative.


New features in version 6.7

Topics: DNSSEC, IPAM, Men & Mice Suite, DDI, Monitoring, DNS/DHCP Appliance, Security

DNSSEC & DANE – E-Mail security reloaded

Posted by Men & Mice on 9/9/14 8:06 AM

Conventional TLS/SSL for SMTP is flawed and the x509 certificate business is a pain

Get a 35 minute crash course in securing x509 certificates "DANE" style, using DNSSEC-secured DNS with BIND 9 and the Postfix mail server, from Mr. Carsten Strotmann of the Men & Mice Services team.

Carsten also answers the following questions:

  • Does the Men & Mice Suite support DANE & TLSA?
  • For DANE I need a DNS hosting provider that supports DNSSEC, where can I find one?
  • What impact will DANE have on the current certificate business?

Take a look!


 

Topics: DNSSEC, DNS, DDI, BIND 9, DANE

RIPE 68 report

Posted by Men & Mice on 6/25/14 12:04 PM

Report from RIPE 68 in Warsaw, Poland

A RIPE Meeting is a five-day event where Internet Service Providers (ISPs), network operators and other interested parties from all over the world gather.

In this webinar, Carsten Strotmann from the Men & Mice Services team reports about what was new at the RIPE 68 meeting.

Hear what he had to say on:

  • Amplification DDoS Attacks – Defenses for Vulnerable Protocols
  • news from DNS-OARC meeting (DNS measurements, open resolver stats)
  • Strengthening the Internet Against Pervasive Monitoring
  • What Went Wrong With IPv6?
  • RIPE IPv6 Analyser
  • IPv6 troubleshooting procedures for helpdesks
  • Using DDoS to Trace the Source of a DDoS Attack
  • Measuring DNSSEC from the End User Perspective
  • Google DNS Hijacking in Turkey
  • The Rise and Fall of BIND 10
  • Knot DNS Update – DNSSEC and beyond
  • Bundy-DNS – the new life of BIND 10

Have a look at the slides and recording from the webinar to learn more.


 

Topics: DNSSEC, IPv6, BIND 10, Webinars

Delve deep into DNSSEC

Posted by Men & Mice on 3/28/14 8:49 AM

By Mr. Carsten Strotmann, one of Men & Mice experts.

BIND 9.10 is the new version of the BIND 9 DNS server from ISC (not to be confused with BIND 10, which is a different DNS server product). We will report in a series of articles about the new features in BIND 9.10. The first beta version of BIND 9.10 was released this week and can be found at ftp://ftp.isc.org/isc/bind9/9.10.0b1/.

BIND 9.10 contains a new command-line tool to test DNSSEC installations. The tool is called delve and it works very much like the well-known dig, but with special DNSSEC validation powers.

delve checks the DNSSEC validation chain using the same code that is used by the BIND 9 DNS server itself. Compared with the DNSSEC testing function in dig +sigchase, delve is much closer to what really happens inside a DNS server.

1.1 A simple lookup

Without extra arguments, delve will query the local DNS server (taken from /etc/resolv.conf) for an IPv4-Address record at the given domain name. It tries to validate the answer received, prints the result of the validation, the requested data and the RRSIG Record (DNSSEC signature) used to verify the data.

1.2 pretty-printing

As with dig, resource record types and network classes can be given in almost any order on the commandline. The switch +multi (for multiline) enables pretty printing; human readable output that is neatly formatted for a 78 column screen.

The same works for an IPv6 (AAAA) lookup.

1.3 tracing DNSSEC validation

delve comes with a set of trace switches that can help troubleshoot DNSSEC validation issues. The first switch, +rtrace, prints the extra DNS lookups delve performs to validate the answer:

In this example, in addition to the MX-Record (Mail-Exchanger) Record, the DNSKEY record (DNSSEC public key) and the DS record (Delegation signer) for dnsworkshop.org, as well as the DNSKEY and DS records for ORG and the DNSKEY for the root-zone "." have been requested. The trust-anchor for the Internet Root-Zone is compiled into delve and acts as the starting trust anchor for the validation.

The switch +mtrace prints the content of any additional DNS records that have been fetched for validation.

+vtrace prints out the DNSSEC chain of validation:

delve is a very useful tool, not only for BIND 9 admins, but for everyone who needs to troubleshoot and fix DNS- and DNSSEC related issues.

Topics: DNSSEC, IPv6, BIND 9

Intelligent minds - need to pick our brains?

Posted by Men & Mice on 11/25/13 8:39 AM

Did you know that Men & Mice are serious about your success and eager to share our knowledge with you?

Headquartered in Iceland with locations scattered around the world, Men & Mice is proud to have offices full of extremely intelligent minds that are eager to share their knowledge. The education takes place on our website, at our webinars & trainings, and through various social media channels like Twitter.

We gather interesting industry related knowledge that we read about, and impressive software and online tools that we discover, and then share that information during webinars, on our blog and thru social media. You'll learn what is new, what dangers you should be aware of and, how you can simplify your daily network management tasks.

At Men & Mice the aim is to offer state of the art software and hardware, great service, and last but not least, industry leading education. At the upcoming "DNS fragmentation attacks - the dangers of not validating DNSSEC" webinar in December, the focus will be on why these attacks work, why DNS caching servers that do not do DNSSEC validation are especially vulnerable, why DNSSEC signed zones can be used to launch these attacks, and how IPv6 and/or DNSSEC validation can stop these attacks.

If you have a question about DNS, IPAM, DHCP, DNSSEC, IPv6, or anything really, you can ask our Experts in the Services department.

 

 

You might also want to follow us so you don't miss out on what is hot and what is not!

Men & Mice on Twitter
Men & Mice on Facebook
Men & Mice on LinkedIn
Men & Mice on Google+
Men & Mice Webinars
Men & Mice Trainings

Topics: DNSSEC, Men & Mice

Why follow Men & Mice?

The Men & Mice blog publishes educational, informational, as well as product-related material for everyone and anyone interested in IP Address Management, DNS, DHCP, IPv6, DNSSEC and more.
