DNS Stats Collection

In this second part, I offer another solution for collecting DNS client query statistics on the fly, using commercial off-the-shelf tools that provide a bit more flexibility.

OVERVIEW

In this blog article, I explore a different way of gathering and reporting DNS client resolver statistics, combining open source and commercial off-the-shelf software into a solution that builds a list of DNS top talkers. In this second part, we continue to rely on DNS query logging, but instead of harvesting log data by downloading and parsing through Infobl...

The ISC has issued an Operational Notification for BIND 9.16.0: an error in handling TCP client quota limits can exhaust TCP connections.

Description

In the previous blog article announcing BIND 9.16.0, it was noted that significant work had been done to modernize BIND's networking framework around libuv, a multi-platform C library that provides asynchronous I/O on event loops. Unfortunately, that work introduced a bug in the code that enforces TCP client quota limits. The issue in the code is that there are situations where the TCP client count is not properly...
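A quota accounting error like the one described above is visible from the outside: `rndc status` reports the TCP client slots in use against the `tcp-clients` limit, and that number can be compared with the TCP connections actually open on port 53. The following is an added example, not code from the original article or from ISC; it parses the "tcp clients: N/M" line (format assumed from typical BIND 9.x `rndc status` output, sample constructed here), alerts when use nears the quota, and flags a counter that has drifted well above real connections. The `ss` invocation and the slack tolerance are assumptions to tune per host.

```python
"""Watch the TCP client quota that `rndc status` reports.

Added example, not from the original article or from ISC.  It parses
the "tcp clients: N/M" line that BIND's `rndc status` prints (format
assumed from typical 9.x output), alerts when use nears the quota and
flags a counter that has drifted above the number of port-53 TCP
connections actually open, which is what a quota accounting error
looks like from the outside.  `ss` usage and slack are assumptions.
"""
import re
import subprocess

# Constructed excerpt of `rndc status` output (real output has more lines).
SAMPLE_STATUS = """\
version: BIND 9.16.0 (Stable Release) <id:aaaaaaa>
number of zones: 101 (97 automatic)
recursive clients: 3/900/1000
tcp clients: 148/150
server is up and running
"""

TCP_LINE = re.compile(r"^tcp clients:\s*(\d+)/(\d+)", re.MULTILINE)


def parse_tcp_clients(status_text):
    """Return (in_use, quota) from rndc status output."""
    m = TCP_LINE.search(status_text)
    if not m:
        raise ValueError("no 'tcp clients' line in rndc status output")
    return int(m.group(1)), int(m.group(2))


def near_quota(status_text, threshold=0.9):
    """True when in-use TCP client slots reach `threshold` of the quota."""
    used, quota = parse_tcp_clients(status_text)
    return used >= threshold * quota


def leak_suspected(status_text, established_port53, slack=10):
    """True when the quota counter exceeds real open connections by more than `slack`.

    A busy server legitimately shows a small gap (connections in teardown),
    so a tolerance is applied; the default value is an assumption.
    """
    used, _ = parse_tcp_clients(status_text)
    return used - established_port53 > slack


def established_port53():
    """Count established TCP connections with local port 53 via iproute2 `ss`
    (assumed present; -H suppresses the header so each line is one socket)."""
    out = subprocess.run(
        ["ss", "-Htn", "state", "established", "( sport = :53 )"],
        check=True, capture_output=True, text=True).stdout
    return sum(1 for line in out.splitlines() if line.strip())


def check_live(threshold=0.9, slack=10):
    """Run against the local named; requires rndc and ss on the host."""
    status = subprocess.run(["rndc", "status"], check=True,
                            capture_output=True, text=True).stdout
    return {
        "tcp_clients": parse_tcp_clients(status),
        "near_quota": near_quota(status, threshold),
        "leak_suspected": leak_suspected(status, established_port53(), slack),
    }


if __name__ == "__main__":
    used, quota = parse_tcp_clients(SAMPLE_STATUS)
    print(f"tcp clients {used}/{quota}: near quota = {near_quota(SAMPLE_STATUS)}, "
          f"leak suspected with 3 real connections = {leak_suspected(SAMPLE_STATUS, 3)}")
```

Run `check_live()` from cron or a monitoring agent on the name server itself; a counter sitting near the quota while `ss` shows only a handful of connections is the signature to page on, and `rndc reconfig` or a restart is the only way to reclaim the slots until the server is upgraded.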

DNS Response Policy Zones (DNS RPZ) is a method that allows a name server to be configured with information on top of the global DNS to provide alternate responses to queries.

One of the original purposes of DNS RPZ was to provide "DNS firewall" capabilities: it was created to protect internet users from an ever-expanding list of threats, exploits, and attacks. While DNS RPZ excels at protecting users, it also provides ancillary benefits and can serve a wide variety of other use cases. Here are a few:

  1. DevOps
  2. Static NAT
  3. Split Horizon DNS en...
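The DNS firewall, static NAT and split-horizon cases above all come down to the same mechanism: a record in the policy zone whose owner name is the query name and whose rdata encodes the answer the server should substitute. The following is an added example, not code from the original article or from ISC BIND; it embeds a constructed RPZ zone (zone name, owner names and addresses are made up) and walks queries through it so the mapping from trigger to action is visible. The wildcard precedence is a simplification of the RPZ specification.

```python
"""Minimal evaluator for DNS RPZ QNAME triggers.

This is an added example, not code from the original article or from
ISC BIND.  It embeds a constructed RPZ zone in the record syntax a
name server loads (in BIND via `response-policy { zone "rpz.local"; };`)
and shows how each trigger on the left maps to a policy action on the
right.  The zone name, owner names and addresses are made up.
"""
from dataclasses import dataclass

ZONE_NAME = "rpz.local"

# Constructed RPZ zone.  Owner names are relative to the RPZ apex and
# are the QNAME triggers; the rdata encodes the action.
RPZ_ZONE = """\
$TTL 60
@                   SOA   ns.rpz.local. hostmaster.rpz.local. 1 3600 900 604800 60
@                   NS    ns.rpz.local.
; DNS firewall: the domain and every subdomain answer NXDOMAIN
malware.test        CNAME .
*.malware.test      CNAME .
; NODATA: the name exists but carries no records of any type
tracker.test        CNAME *.
; allow-list entry: let the real answer through despite the wildcard above
allow.malware.test  CNAME rpz-passthru.
; split-horizon / static-NAT style rewrite: hand out the internal address
www.corp.test       A     10.0.0.5
www.corp.test       AAAA  fd00::5
"""


@dataclass(frozen=True)
class Policy:
    action: str          # NXDOMAIN, NODATA, PASSTHRU, LOCAL-DATA or NONE
    records: tuple = ()  # (rtype, rdata) pairs returned for LOCAL-DATA


def parse_rpz(zone_text, zone_name=ZONE_NAME):
    """Return {trigger: [(rtype, rdata), ...]} for the QNAME triggers."""
    rules = {}
    suffix = f".{zone_name}."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue                      # blank, comment or $TTL/$ORIGIN
        owner, *rest = line.split()
        if rest and rest[0].isdigit():
            rest = rest[1:]               # optional per-record TTL
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]               # optional class
        if owner == "@" or rest[0] in ("SOA", "NS"):
            continue                      # apex records are not triggers
        trigger = owner.lower()
        if trigger.endswith(suffix):      # absolute owner inside the RPZ
            trigger = trigger[: -len(suffix)]
        rules.setdefault(trigger, []).append((rest[0], " ".join(rest[1:])))
    return rules


def lookup(rules, qname):
    """Exact trigger first, then the closest enclosing wildcard (*.parent).

    A simplification of the precedence rules in the RPZ specification,
    but enough to show why an exact allow entry overrides a wildcard block.
    """
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None


def decode(records):
    """Translate the special CNAME targets into actions; anything else is local data."""
    rtype, rdata = records[0]
    if rtype == "CNAME":
        target = rdata.lower()
        if target == ".":
            return Policy("NXDOMAIN")
        if target == "*.":
            return Policy("NODATA")
        if target == "rpz-passthru.":
            return Policy("PASSTHRU")
    return Policy("LOCAL-DATA", tuple(records))


def apply_rpz(rules, qname):
    hit = lookup(rules, qname)
    return decode(hit) if hit else Policy("NONE")


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for q in ("malware.test", "cdn.malware.test", "allow.malware.test",
              "tracker.test", "www.corp.test", "www.example.com"):
        print(f"{q:22} -> {apply_rpz(rules, q)}")
```

The same zone text can be dropped into a real RPZ to try the policies with `dig`; the point of evaluating it offline is to catch an accidental wildcard (or a missing `rpz-passthru.` entry) before it rewrites production answers.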

ISC releases BIND 9.16.0 as a stable release - Here's an inside look at what's new, changed and dropped from the latest stable version of BIND.

BIND 9.16.0 was recently released by the ISC and announced Feb. 19, 2020. The BIND 9.15 development branch has been deemed complete, stable and production-worthy, making BIND 9.16 a stable branch of BIND. The ISC has adopted (as of BIND 9.13 and 9.14) a numbering convention in which odd minor versions are development releases and even minor versions are stable releases. This BIND 9.16.0 release is characterized using the following three criteria:

  • major code refactoring
  • new featu...

Compare DNS Zones

Learn how to compare DNS zones as a post DNS migration task.

Having performed hundreds of DNS migrations of every size and shape, I can't overemphasize the importance of post-migration, zone-by-zone resource record validation and verification. Customers used to be amazed at the results of such a detailed check; now they simply demand and expect it. I used to perform these zone-by-zone checks with personally developed scripts written in Perl, Ruby, Python, and even Java, and they served me well over time. Nowadays, the zones are bigger, and there are more zon...
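The core of such a zone-by-zone check is simple once the records are normalized: names made absolute and lower-cased, optional TTL and class fields stripped, the SOA (whose serial legitimately changes) set aside, then the two record sets compared. The following is an added example in that spirit, not the author's own scripts; the two zone snapshots are constructed, with the source in relative zone-file form and the destination as a provider export with absolute names. It does not handle multi-line parenthesized records or quoted TXT data containing semicolons.

```python
"""Compare two DNS zone snapshots record by record after a migration.

Added example, not the author's scripts.  Input is zone-file text, one
record per line (what `dig AXFR` or `named-compilezone -F text` emit).
Names and rdata are normalised so relative and absolute forms compare
equal; output is records missing at the destination, unexpected extras,
and TTL changes.  Both zones below are constructed.
"""

NAME_TYPES = {"NS", "CNAME", "PTR", "MX", "SRV"}   # rdata ends in a domain name

# Source zone as it was served before the migration (relative names).
SRC_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA ns1.example.test. hostmaster.example.test. 2020021901 7200 900 1209600 3600
@        IN NS  ns1.example.test.
@        IN NS  ns2.example.test.
www      IN A   192.0.2.10
www      IN A   192.0.2.11
mail     IN MX  10 Mail.Example.test.
ftp  600 IN CNAME www
_sip._tcp IN SRV 10 60 5060 sip.example.test.
"""

# Destination zone as exported by the new provider (absolute names).
DST_ZONE = """\
example.test.           3600 IN SOA ns-a.provider.test. hostmaster.provider.test. 1 7200 900 1209600 3600
example.test.           3600 IN NS  ns-a.provider.test.
example.test.           3600 IN NS  ns-b.provider.test.
www.example.test.       3600 IN A   192.0.2.10
mail.example.test.      3600 IN MX  10 mail.example.test.
ftp.example.test.       3600 IN CNAME www.example.test.
_sip._tcp.example.test. 3600 IN SRV 10 60 5060 sip.example.test.
"""


def qualify(name, origin):
    """Lower-case a name and make it absolute relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, ttl, rtype, rdata)] with names absolute and lower-cased."""
    origin = origin.lower().rstrip(".") + "."
    default_ttl, last_owner, records = None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        if line[0].isspace():             # owner omitted: inherit previous
            owner = last_owner
        else:
            owner, fields = qualify(fields[0], origin), fields[1:]
        last_owner, ttl = owner, default_ttl
        if fields and fields[0].isdigit():
            ttl, fields = int(fields[0]), fields[1:]
        if fields and fields[0].upper() == "IN":
            fields = fields[1:]
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_TYPES:           # normalise the target name too
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records


def compare_zones(src_text, dst_text, origin, ignore_types=("SOA",)):
    """Diff two zones; SOA is ignored by default because its serial will differ."""
    def index(text):
        return {(o, t, r): ttl for o, ttl, t, r in parse_zone(text, origin)
                if t not in ignore_types}
    src, dst = index(src_text), index(dst_text)
    ttl_changed = sorted((*key, src[key], dst[key])
                         for key in src.keys() & dst.keys() if src[key] != dst[key])
    return {"missing": set(src) - set(dst),
            "extra": set(dst) - set(src),
            "ttl_changed": ttl_changed}


if __name__ == "__main__":
    report = compare_zones(SRC_ZONE, DST_ZONE, "example.test")
    for section, items in report.items():
        print(f"{section}:")
        for item in sorted(items):
            print("   ", " ".join(str(x) for x in item))
```

On the constructed data the report shows the second `www` A record lost in the move, the apex NS set replaced (expected, and suppressed by passing `ignore_types=("SOA", "NS")`), and the `ftp` CNAME TTL silently bumped from 600 to the provider default. Pull both sides with `dig @server zone AXFR` (or the provider's export) and run this per zone before switching delegation.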

GSS-TSIG on ISC Bind

A demonstration of how to successfully configure GSS-TSIG or secure dynamic updates on ISC Bind.

After several hours of trying to get this to work, perhaps this article would have been better named "GSS-TSIG on ISC Bind -- The Missing Manual". In working with others, I know we experienced many trials and tribulations in getting it all to work. GSS-TSIG DNS updates, or secure dynamic updates, are an extension of TSIG-based updates that adds secure key exchange. The GSS-API is used, in practice with Kerberos as the mechanism, for authentication, integrity and confidentiality, by establishing a limited lifetim...

In-depth details on the tools and "Smart Sign" functionality in Bind 9.7.0

The last article discussed the basics of the BIND 9.7.0 "Smart Sign" feature. In this article, we expose additional functionality that has been incorporated into the software to make it much simpler to sign, operate, and maintain DNSSEC-signed zones. This article ties in some of the information provided in the previous article, Bind 9.7.0 - Part 2, New DNSSEC key metadata. Bind 9.7.0 takes an interesting approach to automating DNSSEC key lifecycle maintenance, leveraging local Dynamic DNS enabled zo...

DNSSEC Improved Smart Signing

Tags: DNS, DNSSEC, BIND, BIND 9.7

DNSSEC keys are now automatically imported directly into the zone using the new Smart Signing feature introduced in BIND 9.7.0

In our previous article, we covered how BIND 9.7.0 embeds timing metadata directly in DNSSEC keys as its method for DNSSEC key lifecycle management. In this article, we discuss the new BIND 9.7.0 Smart Signing feature and how it improves and simplifies the process of signing a single zone. 

With all the DNSSEC related changes in BIND 9.7.0, it should come as no surprise that many of the BIND-provided utilities have been updated, and a few new ones have been a...
