DNS Workshop

Wednesday Jan 23, 2013

Mirror - Mirror -- Resources on DNS reflection attacks

NCSC 2013 conference Presentation

The presentation link is a gzip-compressed PDF. You might need to rename the downloaded file to "presentation.pdf.gz" to be able to uncompress it!


DNS Monitoring

DNS reflection and amplification attacks

Open Resolvers

Minimal Responses



Thursday Jul 19, 2012

Lesser known DNS tools and BIND tricks

A talk at the German Unix User Group (GUUG) meeting on 2nd August 2012 in Berlin. The name of the talk is "Lesser known DNS tools and BIND tricks".

The slides

Direct link: Lesser known DNS tools and BIND tricks

PDF version: Lesser known DNS tools and BIND tricks

Tools mentioned in the talk

| command | package / project | webpage | description |
|---|---|---|---|
| dnsget | udns | http://www.corpit.ru/mjt/udns.html | simple dns lookup tool |
| dig | bind9 | http://isc.org | generic dns lookup tool |
| dnsmap | dnsmap | http://code.google.com/p/dnsmap/ | brute force dns zone mapper |
| adnshost | adns | http://www.chiark.greenend.org.uk/~ian/adns/ | fast, asynchronous dns lookup tool |
| adnsresfilter | adns | http://www.chiark.greenend.org.uk/~ian/adns/ | dns IP to name resolution as a filter |
| avahi-browse | avahi | http://avahi.org | browse multicast DNS services |
| mdns-scan | mdns-scan | http://0pointer.de/lennart/projects/mdns-scan/ | browse multicast DNS services |
| ldns-mx | ldns | http://www.nlnetlabs.nl/projects/ldns/ | lookup mail server for a domain |
| dnstree | dnsbrowse | http://www.isi.edu/~johnh/SOFTWARE/DNS/ | terse display of a zone |
| lookup | dnssec-tools | http://www.dnssec-tools.org/ | graphical DNS and DNSSEC lookup tool |
| ldns-chaos | ldns | http://www.nlnetlabs.nl/projects/ldns/ | find version of DNS server |
| fpdns | fpdns | https://github.com/kirei/fpdns | fingerprint DNS server version |
| echoping | echoping | http://echoping.sourceforge.net/ | measure DNS server latency |
| dnstop | dnstop | http://dns.measurement-factory.com/tools/dnstop/ | monitor local DNS traffic |
| dnscap | dnscap | https://www.dns-oarc.net/tools/dnscap/ | capture DNS traffic |
| dnspktflow | dnssec-tools | http://www.dnssec-tools.org/ | visualize DNS traffic in a network |
| dnstracer | dnstracer | http://www.mavetju.org/unix/dnstracer.php/ | displays the DNS delegation tree |
| dnswalk | dnswalk | http://sourceforge.net/projects/dnswalk/ | validate a DNS zone |
| zonecheck | zonecheck | http://zonecheck.fr | DNS zone debugger |
| mapper | dnssec-tools | http://www.dnssec-tools.org/ | graphically display the content of a zone file |
| DNSSEC-check | dnssec-tools | http://www.dnssec-tools.org/ | test DNSSEC caching resolver capabilities |
| sshfp | sshfp | http://www.xelerance.com/services/software/sshfp/ | generate SSHFP records from known_hosts |
| ldns-walk | ldns | http://www.nlnetlabs.nl/projects/ldns/ | "walks" a NSEC signed zone |
| walker | walker | http://josefsson.org/walker/ | "walks" a NSEC signed zone |
| drill | ldns | http://www.nlnetlabs.nl/projects/ldns/ | clone of 'dig' with extra functions |
| unbound-host | unbound | http://unbound.net | the ultimate DNS/DNSSEC troubleshooting tool |
| donuts | dnssec-tools | http://www.dnssec-tools.org/ | validates a DNSSEC signed zone |
| ldns-verify | ldns | http://www.nlnetlabs.nl/projects/ldns/ | validates a DNSSEC signed zone |
| named-checkconf | bind9 | http://isc.org | verifies a BIND 9 configuration file and zones |
| named-checkzone | bind9 | http://isc.org | verifies a DNS master zone file |
| named-compilezone | bind9 | http://isc.org | converts a zone file between text and binary format |
| named-journalprint | bind9 | http://isc.org | prints the content of a BIND 9 journal file |
| nsupdate | bind9 | http://isc.org | sends DNS dynamic updates to a DNS server |

Monday Feb 20, 2012

Unbound & DNSSEC-Trigger Workshop at Augsburger Linux-Infotage

Workshop: secure DNS using Unbound and DNSSEC-Trigger

I will give a free workshop at the Augsburger Linux-Infotage on Saturday, 24th March 2012 (http://www.luga.de/Aktionen/LIT-2012/Programm), on installing and using Unbound together with the new DNSSEC-Trigger tool.

The goal of this workshop is to learn about the security issues with plain DNS, how DNSSEC can help, and how to deploy Unbound as a local DNSSEC validating DNS resolver to secure a personal mobile computer (laptop, netbook, ...).

Please bring your own machine (WiFi required) to the workshop room "D", 11:00-13:00, pre-installed with either a flavor of Linux, Mac OS X or Windows (Vista or newer; don't pretend to secure an XP machine). We will install Unbound and DNSSEC-Trigger during the workshop and learn some troubleshooting tricks on the way.

Monday May 11, 2009

Notes from DNS Working Group at RIPE 58, Part 1

My notes from the RIPE 58 DNS Working Group (DNS-WG) sessions:
  • Shane Kerr (ISC) - BIND 10

    Shane gave some insights into the goals of the new BIND 10 project at ISC. BIND 9 is getting old and has some issues with performance and maintainability. The process model used for BIND 9 was "en vogue" when BIND 9 was designed, but it has proven to be non-optimal for a server daemon that handles a huge number of small request packets. The goal with BIND 10 is to get closer in performance to NSD and Unbound. Another issue with BIND 9 is that the source code is hard to understand and to change for new project members. This has been hindering interested parties from doing their own customizations to the BIND 9 source code. Although BIND 9 is an open source project, only programmers at ISC have worked on the code and almost no outside contribution has been seen. The BIND 10 source code is planned to be more modular and easier to understand, to attract outside developers to contribute to and customize BIND 10.

    BIND 10 is planned to have APIs and interfaces to integrate with existing provisioning systems and workflows. Integration into Microsoft Windows operating systems will be worked on.

    The BIND 10 project timeframe is set to 5 years, with the first test version due in April 2010.

  • Anand Buddhev (RIPE NCC) - RIPE NCC Reverse Tree Lame Delegation Reports

    Anand gave a report on the reverse DNS tree lameness check done by the RIPE NCC. The RIPE NCC checks for lame delegations in the reverse DNS tree (the "in-addr.arpa." and "ip6.arpa." namespaces). The presentation (linked above) contains the definition of a non-lame answer:

    • Every name server of each zone is resolved into A and AAAA records; several attempts are made in case of temporary failures
    • Every IP address found is queried for the SOA record of the associated zone; several attempts are made in case of temporary failures
    • The query is done over UDP and is non-recursive
    • If there was a response, it must satisfy all of the following:
      • The response comes from the same address that the query was sent to
      • RCODE is "NOERROR"
      • The response has the AA bit set
      • QNAME in the response and in the query is the same
      • Only one SOA record is returned

    The RIPE NCC has a DNS lameness FAQ online: http://www.ripe.net/info/stats/dns-lameness/faq.html

    Any answer that does not match the criteria is counted as a lameness error, and an e-mail is sent to the contact person owning the IP address space for this part of the reverse DNS delegation.
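The response criteria above, as an added example that is not part of these notes or of the RIPE NCC checker: a small Python script that parses a constructed SOA reply in DNS wire format and reports which of the criteria it fails. The zone name, addresses and reply contents are made up for illustration, and the name-server resolution and the retries on temporary failure are left out.

```python
import struct
NOERROR, TYPE_SOA, CLASS_IN, FLAG_AA = 0, 6, 1, 0x0400   # RCODE 0, RR type SOA, class IN, AA flag bit

def encode_name(name):
    # "193.in-addr.arpa." -> b"\x03193\x07in-addr\x04arpa\x00"
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    # Decode a (possibly compressed, RFC 1035 4.1.4) name; return (name, offset after it).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower() + ".", (end or off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_response(msg):
    # Header, question and answer section; only the fields the lameness check needs.
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    off, answer_types = off + 4, []                    # skip QTYPE and QCLASS
    for _ in range(an):
        _name, off = read_name(msg, off)
        rtype, _class, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, answer_types = off + 10 + rdlen, answer_types + [rtype]
    return {"aa": bool(flags & FLAG_AA), "rcode": flags & 0xF, "qname": qname, "answers": answer_types}

def lameness_errors(zone, sent_to, reply_from, msg):
    # Return the RIPE NCC criteria the reply fails; an empty list means the delegation is not lame.
    r = parse_response(msg)
    checks = [(reply_from == sent_to, "response from a different address"),
              (r["rcode"] == NOERROR, "RCODE is not NOERROR"),
              (r["aa"], "AA bit not set"),
              (r["qname"] == zone.lower(), "QNAME mismatch"),
              (r["answers"].count(TYPE_SOA) == 1, "not exactly one SOA record")]
    return [why for ok, why in checks if not ok]

def make_reply(zone, aa=True, rcode=NOERROR, soa_count=1):
    # Constructed sample reply (not captured traffic) so the check runs offline.
    hdr = struct.pack("!6H", 0x1234, 0x8000 | (FLAG_AA if aa else 0) | rcode, 1, soa_count, 0, 0)  # QR=1
    question = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = encode_name("ns." + zone) + encode_name("hostmaster." + zone) + struct.pack("!5I", 1, 3600, 900, 604800, 300)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata  # name = pointer to QNAME
    return hdr + question + rr * soa_count
```

A reply from a server that is authoritative for the zone passes all five checks, while a referral, a REFUSED answer, a reply with two SOA records or a reply from a different source address each produce a specific error.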

    Initially the lameness in the RIPE part of the reverse DNS tree was about 6%. After some runs in February and March 2009 the number of lame delegations has gone down to 5%.

    Although the DNS lameness checks were done on request of the RIPE DNS WG in 2006 (see RIPE-400), there was a controversial discussion in the group on the usefulness of the tests. Some participants argued that lameness mostly affects the party receiving the delegation. Others said that the instruments to measure the effect of lameness must be improved first, to be able to measure the effect of the checks and of lameness on the DNS system. Other participants found the service useful, as did most of the DNS delegation owners that received e-mail from the RIPE NCC. Further discussion on this topic will take place on the DNS WG mailing list.