Configuring serial console access to your Infoblox VMs

blog oob mgmt infoblox

Quite often when you deploy virtualized Infoblox appliances in an enterprise VMware environment, you hand the OVF/OVA file(s) over to a VM Engineering group to complete the install. You then find yourself writing installation instructions for them, because you are not granted VMware console access to your own devices. In this situation it is risky for the DDI engineering and operations team not to have out-of-band (OOB) serial terminal console access to all of its deployed VMs. This article presents an easy-to-deploy solution to this problem, one that does not require the VMware Engineering and Operations teams to grant your team any special direct access by exposing the VMware console. Instead, those teams can give you serial console access by installing a virtualized serial port concentrator, or vSPC. While there are commercial options from companies such as Avocent, I detail how to do this using a wonderful open source Python option called vSPC.py. vSPC.py can be obtained here.

Checking if a list of networks is contained in a different list

I struggled with what to call this blog entry, but at the time, this is what I was trying to do. I was tasked with taking a list of network IP addresses from router/switch config files and comparing them to a different list of networks currently defined in an Infoblox Grid. All I needed was something that worked and was quick to put together, since I didn't have lavish amounts of time.

The logical flow of my script would go something like this:

  1. fetch all Infoblox network objects
  2. store this list in a searchable collection
  3. iterate through my list of router networks and test against the collection
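The three steps above, as an added example that is not from the original post, implemented in Python with the standard library's ipaddress module. Step 1 (the Grid query) is stood in for by a constructed list of network strings, and the router networks are likewise constructed sample data; the WAPI fetch itself is not shown. The check goes a little beyond an exact-match lookup: it also reports a router network that sits inside a larger Grid supernet, skips IPv4/IPv6 cross-family comparisons (which ipaddress rejects), and tolerates unparsable strings from a sloppy config parse.

```python
import ipaddress

# Constructed sample data (not real Grid or router output): the "network"
# strings an Infoblox network-object query would return, and the networks
# pulled out of router/switch configs.
INFOBLOX_NETWORKS = [
    "10.0.0.0/8",
    "172.16.0.0/24",
    "172.16.1.0/24",
    "192.168.50.0/23",
    "2001:db8:100::/48",
]

ROUTER_NETWORKS = [
    "10.20.30.0/24",        # inside 10.0.0.0/8
    "172.16.1.0/24",        # exact match
    "172.16.2.0/24",        # not defined in the Grid
    "192.168.51.0/24",      # inside 192.168.50.0/23
    "2001:db8:100:5::/64",  # inside the IPv6 /48
    "2001:db8:200::/48",    # not defined in the Grid
    "not-a-network",        # garbage from a config parse
]


def build_collection(networks):
    """Step 2: parse the Grid's network strings into a set of network objects.
    The set gives O(1) exact-match lookups; the containment scan below
    iterates over the same set."""
    return {ipaddress.ip_network(n, strict=True) for n in networks}


def find_containing(net, collection):
    """Return the most specific Grid network that contains `net`, or None.
    Exact matches hit the set lookup; otherwise scan for the longest-prefix
    supernet. Address-family mismatches are skipped explicitly because
    subnet_of() raises TypeError on mixed IPv4/IPv6 comparisons."""
    if net in collection:
        return net
    best = None
    for candidate in collection:
        if candidate.version != net.version:
            continue
        if net.subnet_of(candidate):
            if best is None or candidate.prefixlen > best.prefixlen:
                best = candidate
    return best


def check_networks(router_networks, infoblox_networks):
    """Step 3: classify every router network as 'exact', 'contained',
    'missing' or 'invalid'. Returns {original string: (status, grid network)}."""
    collection = build_collection(infoblox_networks)
    results = {}
    for raw in router_networks:
        try:
            # strict=False accepts host bits set, e.g. an interface address
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            results[raw] = ("invalid", None)
            continue
        match = find_containing(net, collection)
        if match is None:
            results[raw] = ("missing", None)
        elif match == net:
            results[raw] = ("exact", str(match))
        else:
            results[raw] = ("contained", str(match))
    return results


if __name__ == "__main__":
    report = check_networks(ROUTER_NETWORKS, INFOBLOX_NETWORKS)
    for raw, (status, parent) in report.items():
        print(f"{raw:24} {status:10} {parent or ''}")
```

The "contained" status is the one worth looking at after a migration: a router network that lives only inside a broad Grid supernet is usually a container or a placeholder, not the specific network the router actually routes, so it typically still needs to be created in IPAM.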

Comparing DNS Zones


Having performed hundreds of DNS migrations of all sizes and shapes, I can't overemphasize the importance of performing post-migration zone-by-zone resource record validation and verification. Customers used to be amazed at the results of such a detailed check. Now they simply demand and expect it. I used to perform these zone-by-zone checks using personally developed scripts written in Perl, Ruby, Python, and even Java. These scripts have served me well over time. Nowadays the zones are bigger, and there are more zones to check than ever. It also seems that I have less time to actually perform these checks. That's the point of this quick blog entry: how to compare zones faster and possibly more accurately.

How to store IP Addresses in MongoDB using Javascript


Recently, I wanted to write some IP Address Management tools using server-side JavaScript (Node.js) and be able to store IP address data in a MongoDB backend database. Simple! I'll just perform IP-to-decimal conversions like I always do. Problem solved. End of article? Wait! Not so fast...

How to implement GSS-TSIG on ISC BIND


The purpose of this article is to demonstrate how to get GSS-TSIG, or secure dynamic updates, working with ISC BIND DNS on a *NIX server. After several hours of trying to get this to work, perhaps this article would have been better named "GSS-TSIG on ISC BIND -- The Missing Manual". I know that in working with others, we experienced many trials and tribulations getting it all to work. GSS-TSIG DNS updates, or secure dynamic updates, are an extension of TSIG-based updates that adds secure key exchange. GSS-API calls for the use of Kerberos for authentication, integrity and confidentiality by establishing a limited-lifetime security context. Once the security context is established, special TKEY resource records are used to securely exchange key material between the DNS server and DNS client. GSS-TSIG support has been present in the ISC BIND code since version 9.5.0, circa mid-summer of 2008. In this HOW-TO, we compiled ISC BIND 9.7.1-P2 on Fedora 13 (32-bit) and used a single Microsoft Windows 2008 Server running as an Active Directory Domain Controller for example.com.

Before we demonstrate secure dynamic updates, we must first address a "chicken-and-egg" issue. We need our Active Directory Domain Controller up and running first so that we can configure our AD user and Kerberos service principal. But prior to running dcpromo to promote our first AD Domain Controller (DC), we must already have DNS up and running with dynamic DNS support. So it is recommended that ISC BIND is built and configured to be authoritative for the AD domain and to support dynamic DNS updates via the allow-update directive, supplying the IP address of the AD DC.

End-to-End DNSSEC using Unbound DNS

Given all the hoopla surrounding the topic of DNSSEC, it's definitely time to get prepared for it. After all, the last of the root name servers (J-ROOT) will be serving a Deliberately Unvalidatable Root Zone (DURZ) by May 5th. On July 1st, however, a validatable, production, signed root zone will be distributed. Signing the root zone is key to creating the "chain of trust", or secure delegation hierarchy. DNSSEC-signed zones vouch for their children's keys, but some higher-level entity must vouch for the keys of these zones. The signed root will act as a trust anchor for top-level domains such as .com, .edu, etc., and those zones in turn extend trust on down the hierarchy when configured to do so.

Please see http://www.root-dnssec.org/documentation/ for details on the DNSSEC signing of the root zone. In one of our previous blog articles, we discussed 10 reasons to use the Unbound DNS server. One of Unbound's main capabilities is its ability to perform DNSSEC validation. So we thought we'd write an article explaining how you can set up the Unbound DNS server to perform DNSSEC validation, as part of an end-to-end example of how DNSSEC works.

Installing Unbound DNS

For the purposes of this exercise, we installed Unbound on the Fedora 12 distribution. A minimal install of the base 200 packages (RPMs) was performed. Given the choice between installing from source code and pre-built binaries, we opted to install from source to ensure the latest version of the Unbound DNS software was used. The following prerequisites were required for building Unbound:

yum install subversion
yum install libevent libevent-devel
yum install openssl openssl-devel
yum install gcc make