Lesser known DNS tools and BIND tricks

dnsworkshop.org

August 2012

About me

6502

8086

Power CPU

386

Unix

Network

Work

DNS lookup

quick DNS lookup

pretty print DNS

checking SOA records

map DNS names in a zone

bulk resolve names

DNS resolve filter

browse multicast DNS

mailserver for a domain

a terse display of a zone

graphical DNS and DNSSEC lookup tool

monitoring

find version of server

fingerprint DNS servers

measure DNS latency

monitor DNS queries

monitor or capture DNS queries

visualize DNS traffic flow

# sudo tcpdump -i eth0 -w dnsdump.pcap port 53
# dnspktflow dnsdump.pcap
# eog out.png
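The tools above (dnstop, dnscap, dnspktflow and friends) all start from the same step: decoding the DNS wire format out of captured UDP payloads. The following is an added example, not code from the talk or from any of those tools, showing that decoding in Python: header, question section and answer section, including RFC 1035 name compression pointers, plus a small tally of what was asked. The two messages are constructed by hand for the demo; a real monitor would feed it payloads read from a pcap or a socket.

```python
"""Minimal DNS wire-format decoder (added example, not from the talk)."""
import struct
import ipaddress
from collections import Counter

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, offset):
    """Decode a possibly compressed name at offset.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:                           # remember where we left off
                end = offset + 2
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                             # refuse pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_message(msg):
    """Parse header, questions and answers into a plain dict."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype in (2, 5):                         # NS / CNAME carry a name
            value, _ = read_name(msg, offset - rdlength)
        else:
            value = rdata.hex()
        answers.append((name, QTYPES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def tally(messages):
    """Count (qname, qtype) over the queries only, the way a dnstop-style
    summary would; responses repeat the question and are skipped."""
    counts = Counter()
    for msg in messages:
        parsed = parse_message(msg)
        if not parsed["is_response"]:
            counts.update(parsed["questions"])
    return dict(counts)


# --- constructed sample messages (not captured traffic) ---------------------
def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


SAMPLE_QUERY = build_query(0x1234, "www.dnsworkshop.org")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)          # QR, RD, RA, NOERROR
    + encode_name("www.dnsworkshop.org") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                                 # pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])  # A 192.0.2.10 (doc range)
)

if __name__ == "__main__":
    for m in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        print(parse_message(m))
    print(tally([SAMPLE_QUERY, SAMPLE_RESPONSE]))
```

The pointer-hop limit matters in a monitor: a crafted message with a pointer cycle would otherwise spin the decoder forever, so the parser rejects it instead of trusting the packet.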

troubleshooting

trace the delegation tree

dig dnsworkshop.org +trace
or
dnstracer -s . www.dnsworkshop.org

check a domain for issues

check your zone for errors
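What "checking SOA records" and "check your zone for errors" look for is mostly mechanical, so here is an added example, not code from the talk or from named-checkzone, that parses the common zone-file subset ($ORIGIN, $TTL, one record per line, a parenthesised SOA) and runs the checks a zone linter makes: exactly one apex SOA, at least two NS records, no CNAME beside other data at the same owner, address records for in-zone NS targets, and an RFC 1982 serial comparison between two versions of the zone. The zone text is constructed for the demo and deliberately contains two faults.

```python
"""Zone-file sanity checks (added example, not from the talk)."""
import shlex

# Constructed sample zone; example.net. and 192.0.2.0/24 are documentation ranges.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA ns1.example.net. hostmaster.example.net. (
            2012080101 ; serial
            7200 3600 1209600 300 )
@       IN NS   ns1.example.net.
@       IN NS   ns2.example.net.
ns1     IN A    192.0.2.1
www     IN CNAME host.example.net.
www     IN TXT  "v=spf1 -all"
host    IN A    192.0.2.20
"""


def _strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Join parenthesised multi-line records into single logical lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is (owner, TYPE, rdata tokens).
    Assumes $ORIGIN appears before the first record."""
    origin, records, last_owner = None, [], None
    for line in _logical_lines(text):
        if not line.strip():
            continue
        tokens = shlex.split(line.replace("(", " ").replace(")", " "))
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if line[0].isspace() else _absolute(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return origin, records


def check_zone(origin, records):
    """Return a list of human-readable problems; empty means the zone passed."""
    problems, by_owner = [], {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    apex = by_owner.get(origin, [])
    soas = [r for r in apex if r[0] == "SOA"]
    if len(soas) != 1:
        problems.append(f"{origin}: expected exactly one SOA, found {len(soas)}")
    ns_targets = [r[1][0] for r in apex if r[0] == "NS"]
    if len(ns_targets) < 2:
        problems.append(f"{origin}: fewer than two NS records ({len(ns_targets)})")
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(types) > 1:   # RFC 1034: CNAME must stand alone
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
    for target in ns_targets:
        if target == origin or target.endswith("." + origin):
            if not {t for t, _ in by_owner.get(target, [])} & {"A", "AAAA"}:
                problems.append(f"{target}: in-zone NS target has no A/AAAA record")
    return problems


def soa_serial(records):
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata[2])
    return None


def serial_increased(old, new):
    """RFC 1982 serial arithmetic: new is newer if 0 < (new - old) mod 2^32 < 2^31."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    origin, records = parse_zone(SAMPLE_ZONE)
    for p in check_zone(origin, records):
        print("WARN", p)
```

Run against the sample it reports the CNAME/TXT clash at www and the missing address record for ns2; the serial helper is what a reload hook would call before pushing a new version of the file.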

visualize a DNS zone

# dig @ns2.gnu.org. axfr gnu.org +onesoa > gnu.org-zone
# mapper gnu.org-zone gnu.org
# eog map.png

DNSSEC

check resolver for DNSSEC compliance

SSH fingerprint resource records

Walk a NSEC signed zone

trace the 'chain-of-trust'

# drill dnskey . | grep 257 > root.key
# drill -SD -k root.key www.ripe.net

peek into a validating resolver

sanity check a DNSSEC signed zone

BIND

statistics channel over http

acl myadmins { 192.0.2.100; 192.0.2.101; };

statistics-channels {
    inet * port 8053 allow { myadmins; };
};

check config + zonefiles before reload

pretty print a configuration file

pretty print the canonical form of a zone

tune the concurrent client setting

options {
[...]
    recursive-clients 2000;
    tcp-clients 200;
};

limit the size of the cache

compile zones to binary format for fast startup

convert from RAW zone format to text format

simple dynamic zone setup (BIND 9.7.2+)

FUN

Bert's Secure Reverse Polish DNS Calculator (BSRPDNSC)

Wikipedia over DNS

# dig txt guug.wp.dg.cx

Query the latest Twitter news over DNS

Thank you

carsten@strotmann.de

Links to the tools and web-pages mentioned in this talk can be found on dnsworkshop.org