DNS Stats Collection

In this second part, I offer another solution for collecting DNS client query statistics on the fly using commercial off-the-shelf tools that will provide a bit more flexibility.

OVERVIEW

In this blog article, I explore a different way of gathering and reporting DNS Client Resolver statistics. In this post, I use a combination of Open Source Software and commercial off-the-shelf software in rolling a solution to build a list of DNS Top Talkers. In this second part, we continue to rely on DNS query logging, but instead of harvesting log data by downloading and parsing through Infobl...

Read More...

Picture of guy holding head

A common task for decommissioning or moving a name server is figuring out which clients are querying our particular name server. In this article, I discuss how you can parse syslog messages and build a DNS Top Talkers list.

OVERVIEW

I recently worked with a customer on a project to help them decommission an Infoblox DNS appliance from their Grid. They needed the device to be removed from "play" immediately and there was very little time to accomplish the task. Our first task was to determine the following:

  • What IP addresses were querying the DNS?
  • What was the volume of DNS quer...

Read More...

BIND 9 logo

The ISC has issued an Operation Notification for BIND 9.16.0 - An error in handling TCP client quota limits can exhaust TCP connections.

Description

In the previous blog article announcing BIND 9.16.0, it was discussed that significant work was done to modernize BIND's networking framework to use libuv, a multi-platform C library that provides async I/O on event loops. Unfortunately, as a result of that work, there was an issue introduced in the code that enforces TCP client quota limits. The issue in the code is that there are situations where the TCP client count is not properly...

Read More...

misdirection sign

DNS Response Policy Zones (DNS RPZ) is a method that allows a name server to be configured with information on top of the global DNS to provide alternate responses to queries.

One of the original purposes for DNS RPZ was to provide "DNS Firewall" capabilities. DNS RPZ was originally created to protect internet users from an ever-expanding list of threats, exploits, and attacks. While DNS RPZ excels at providing users protection, it also provides ancillary benefits and can be used to serve a wide variety of other use cases. Here are a few:

  1. DevOps
  2. Static NAT
  3. Split Horizon DNS en...

Read More...

ISC Bind 9 Logo

ISC releases BIND 9.16.0 as a stable release - Here's an inside look at what's new, changed and dropped from the latest stable version of BIND.

Bind 9.16.0 was recently released by the ISC and announced Feb. 19, 2020. The BIND 9.15 experimental branch of code has been deemed complete, stable and production worthy, making BIND 9.16 a stable branch of BIND. The ISC has adopted (as of BIND 9.13 and 9.14) an odd-unstable vs even-stable release numbering convention. This BIND 9.16.0 release is characterized using the following three (3) criteria:

  • major code refactoring
  • new featu...

Read More...

Compare DNS Zones

Learn how to compare DNS zones as a post DNS migration task.

Having performed hundreds of DNS migrations of all sorts of size and shape, I can't overemphasize the importance of performing post-migration zone-by-zone resource record validation and verification. Customers used to be amazed at the results of such a detailed check. Now, they simply demand it and expect it. I used to perform these zone-by-zone checks using personally developed scripts written in Perl, Ruby, Python, and even Java. These scripts have served me well over time. Nowadays, the zones are bigger, and there are more zon...

Read More...

GSS-TSIG on ISC Bind

A demonstration of how to successfully configure GSS-TSIG or secure dynamic updates on ISC Bind.

After several hours of trying to get this to work, perhaps this article would have been better named "GSS-TSIG on ISC Bind -- The Missing Manual".  I know in working with others, we experienced many trials and tribulations in getting it all to work.  GSS-TSIG DNS Updates or secure dynamic updates is an extension to TSIG based updates which implements secure key exchange. GSS API calls for the use of Kerberos for authentication, integrity and confidentiality by establishing a limited lifetim...

Read More...

End to End DNSSEC using Unbound

Configure the high-performing recursive Unbound DNS server with DNSSEC validation on Linux.

Given all the hoopla surrounding the topic of DNSSEC, it's definitely time to get prepared for it. After all, the last of the root name servers ( J-ROOT ) will all be serving a Deliberately Unvalidatable Root Zone or (DURZ) by May 5th. On July 1st however, there will be distribution of a validatable, production, signed root zone. Signing of the root zone is key for creating the "chain of trust" or a secure delegation hierarchy. DNSSEC securely signed zones vouch for their children's keys, but...

Read More...