
Lesser known DNS tools and BIND tricks

dnsworkshop.org

August 2012

About me

6502

  • Basic
  • Forth
  • Assembler

8086

  • MS-DOS
  • Pascal
  • C
  • Assembler

Power CPU

  • AS/400
  • CL
  • RPG
  • SNA

386

  • OS/2
  • Rexx
  • Modula
  • Oberon
  • Java
  • NetBIOS

Unix

  • Solaris
  • Linux
  • OpenBSD
  • FreeBSD
  • TCP/IP

Network

  • DNS
  • DHCP
  • IPv6
  • DNSSEC

Work

  • Men & Mice
  • ISC
  • LinuxHotel

DNS lookup

quick DNS lookup

  • DNS lookup tool, easy to parse output
    dnsget guug.de
    or
    dig guug.de +short

pretty print DNS

  • pretty print dns results
    dig soa dnsworkshop.org +multiline

checking SOA records

  • lookup SOA record from all authoritative DNS servers of a zone
    dig dnsworkshop.org +nssearch
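The point of +nssearch is to see whether every authoritative server hands out the same SOA serial: a server that lags behind is serving a stale copy of the zone (failed NOTIFY, broken zone transfer, or a hand-edited slave). The following script is an added example, not part of the original talk or of dig: it parses the result lines that dig +nssearch prints (SOA RDATA followed by "from server X in N ms."), takes the highest serial as the reference, and reports the servers that are behind. The sample output is constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of "dig example.org +nssearch" output; this is not a
# real capture. The third server lags one serial behind, and one server
# did not answer at all.
SAMPLE_NSSEARCH = """\
SOA ns1.example.org. hostmaster.example.org. 2012080102 7200 3600 1209600 3600 from server 192.0.2.1 in 12 ms.
SOA ns1.example.org. hostmaster.example.org. 2012080102 7200 3600 1209600 3600 from server 192.0.2.2 in 15 ms.
SOA ns1.example.org. hostmaster.example.org. 2012080101 7200 3600 1209600 3600 from server 198.51.100.7 in 48 ms.
;; connection timed out; no servers could be reached
"""

# One +nssearch result line: the SOA RDATA followed by "from server X in N ms."
NSSEARCH_RE = re.compile(
    r"^SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+"
    r"(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)"
    r"\s+from server\s+(?P<server>\S+)\s+in\s+(?P<ms>\d+)\s+ms\.?$"
)


def parse_nssearch(text):
    """Parse +nssearch output into one dict per answering server.

    Lines that do not match (errors, comments) are skipped, so a server
    that timed out simply does not appear in the result.
    """
    results = []
    for line in text.splitlines():
        m = NSSEARCH_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("serial", "refresh", "retry", "expire", "minimum", "ms"):
            rec[field] = int(rec[field])
        results.append(rec)
    return results


def serial_report(results):
    """Return (newest_serial, {server: serial}) for servers not on the newest serial.

    The highest serial seen is taken as the reference (plain integer
    comparison is fine for the small differences seen in practice; RFC 1982
    serial arithmetic only matters near the 32-bit wrap). Any server
    reporting a lower serial has not picked up the latest zone change.
    """
    by_serial = defaultdict(list)
    for rec in results:
        by_serial[rec["serial"]].append(rec["server"])
    if not by_serial:
        return None, {}
    newest = max(by_serial)
    lagging = {
        server: serial
        for serial, servers in by_serial.items()
        if serial != newest
        for server in servers
    }
    return newest, lagging


if __name__ == "__main__":
    recs = parse_nssearch(SAMPLE_NSSEARCH)
    newest, lagging = serial_report(recs)
    print(f"{len(recs)} servers answered, newest serial {newest}")
    for server, serial in lagging.items():
        print(f"  {server} is behind: serial {serial}")
    slowest = max(recs, key=lambda r: r["ms"])
    print(f"  slowest answer: {slowest['server']} in {slowest['ms']} ms")
```

In practice you would feed it `dig zone +nssearch | python3 soacheck.py` style input; a server that does not answer at all is just as important as a lagging one, so compare the number of parsed lines against the number of NS records of the zone.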

map DNS names in a zone

  • brute force map all DNS names in a zone
    dnsmap guug.de

bulk resolve names

  • asynchronous DNS to resolve names (or IP addresses to names) in log-files
    cat queryfile-example-1million | head | adnshost -af

DNS resolve filter

  • resolve IP addresses to names in a filter
    lsof -i -n | adnsresfilter

browse multicast DNS

  • Bonjour / Rendezvous / Avahi DNS service discovery browser
    avahi-browse
    or
    mdns-scan

mailserver for a domain

  • quickly find the mailserver for a domain
    ldns-mx isc.org

a terse display of a zone

  • print a parse-able tree view of a DNS zone
    dns_tree gnu.org

graphical DNS and DNSSEC lookup tool

monitoring

find version of server

  • print the version information reported by a DNS server
    ldns-chaos f.root-servers.net

fingerprint DNS servers

  • find server software and versions by fingerprinting DNS responses
    fpdns -Df google.com

measure DNS latency

  • measure the DNS response time
    echoping -n 20 -m dns 8.8.8.8 dnsworkshop.org

monitor DNS queries

  • monitor all DNS queries seen by the local machine
    sudo dnstop -l 3 eth0

monitor or capture DNS queries

  • dnscap is a traffic capturing tool for DNS
    sudo dnscap -g

visualize DNS traffic flow

# sudo tcpdump -i eth0 -w dnsdump.pcap port 53
# dnspktflow dnsdump.pcap
# eog out.png

troubleshooting

trace the delegation tree

dig dnsworkshop.org +trace
or
dnstracer -s . www.dnsworkshop.org

check a domain for issues

  • downloads a zonefile and checks it for issues
    dnswalk gnu.org.

check your zone for errors

  • the zonecheck tool (on the Internet or installed locally)

visualize a DNS zone

# dig @ns2.gnu.org. axfr gnu.org +onesoa > gnu.org-zone
# mapper gnu.org-zone gnu.org
# eog map.png

DNSSEC

check resolver for DNSSEC compliance

SSH fingerprint resource records

  • generate sshfp records from your known-hosts file
    sshfp
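An SSHFP record (RFC 4255, with SHA-256 and Ed25519 added by RFC 6594 and RFC 7479) is just the hash of the raw public key blob, i.e. the base64 field of a known_hosts line, tagged with an algorithm number and a fingerprint type. The script below is an added example, not the sshfp tool from the talk: it reads known_hosts text, emits SSHFP zone-file lines, and also shows the verification side that a client doing VerifyHostKeyDNS performs. The sample key blob and known_hosts lines are constructed; hashed ("|1|") entries are skipped because the hostname cannot be recovered from them.

```python
import base64
import hashlib
import struct

# RFC 4255 / RFC 6594 / RFC 7479: SSHFP algorithm and fingerprint-type numbers
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: a syntactically valid ssh-ed25519 public key blob
# whose 32 key bytes are just 0..31. It is not a real host key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()

# Constructed known_hosts content: one plain entry, one hashed entry, a comment.
SAMPLE_KNOWN_HOSTS = (
    "host.example.org ssh-ed25519 " + SAMPLE_B64 + " constructed\n"
    "|1|abcdefghijklmnopqrstuvwxyz0123456789ABCD=|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123456= "
    "ssh-ed25519 " + SAMPLE_B64 + "\n"
    "# a comment line\n"
)


def sshfp_records(known_hosts_text, fptypes=(1, 2)):
    """Turn known_hosts lines into (owner, algorithm, fptype, fingerprint_hex) tuples.

    The fingerprint is the hash of the base64-decoded key blob, exactly the
    bytes the SSH client compares. Hashed entries ("|1|...") are skipped
    because the hostname cannot be recovered from them, and "@marker"
    lines (cert-authority, revoked) are not host keys.
    """
    records = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, keytype, b64 = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|") or keytype not in SSHFP_ALGORITHM:
            continue
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            # "[host]:port" form: SSHFP records are per name, so drop the port
            if host.startswith("["):
                host = host[1:host.index("]")]
            owner = host if host.endswith(".") else host + "."
            for fptype in fptypes:
                digest = SSHFP_FPTYPE[fptype](blob).hexdigest()
                records.append((owner, SSHFP_ALGORITHM[keytype], fptype, digest))
    return records


def format_sshfp(records):
    """Render the tuples as zone-file lines."""
    return [f"{o} IN SSHFP {a} {t} {fp}" for o, a, t, fp in records]


def verify_sshfp(keytype, blob, algorithm, fptype, fingerprint_hex):
    """Client side: check a presented host key blob against one SSHFP record."""
    if SSHFP_ALGORITHM.get(keytype) != algorithm or fptype not in SSHFP_FPTYPE:
        return False
    return SSHFP_FPTYPE[fptype](blob).hexdigest() == fingerprint_hex.lower()


if __name__ == "__main__":
    for line in format_sshfp(sshfp_records(SAMPLE_KNOWN_HOSTS)):
        print(line)
```

Publishing SSHFP only pays off in a DNSSEC-signed zone; an unsigned SSHFP answer is no better than the "trust on first use" prompt it is meant to replace.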

Walk a NSEC signed zone

  • traverse all domain names in a zone that is NSEC signed
    ldns-walk paypal.com
    or
    walker paypal.com

trace the 'chain-of-trust'

  • tracing the chain of trust to the root trust anchor
# drill dnskey . | grep 257 > root.key
# drill -SD -k root.key www.ripe.net
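The "grep 257" in the drill one-liner picks the KSK because 257 is the DNSKEY flags value with both the ZONE bit (256) and the SEP bit (1) set (RFC 4034 section 2.1.1). It works as long as no other field on a line happens to contain the digits 257, which a TTL or a piece of base64 key material can. The script below is an added example, not part of the talk or of drill: it parses DNSKEY lines in the layout drill prints, decodes the flags field bit by bit (including the RFC 5011 REVOKE bit), and selects trust-anchor candidates by the flags rather than by substring. The sample records are constructed (filler key material, made-up key ids), not the real root keys.

```python
import re

# Constructed sample in the layout of "drill dnskey ." output. The key
# material and the ids in the trailing comment are filler, not the real
# root keys. The ZSK line's key data deliberately contains the substring
# "257" to show why a plain grep is not a parser.
SAMPLE_DRILL = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4242
;; ANSWER SECTION:
.\t172800\tIN\tDNSKEY\t257 3 8 AwEAAcONSTRUCTEDkskKEYmaterialAAAA ;{id = 11111 (ksk), size = 2048b}
.\t172800\tIN\tDNSKEY\t256 3 8 AwEAAb257zskCONSTRUCTEDkeymaterial ;{id = 22222 (zsk), size = 1024b}
"""

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1)
ZONE_KEY = 0x0100  # bit 7: this is a zone signing key (any DNSSEC key)
REVOKE = 0x0080    # bit 8: key has been revoked (RFC 5011)
SEP = 0x0001       # bit 15: Secure Entry Point, i.e. intended as KSK / trust anchor

# owner TTL IN DNSKEY flags protocol algorithm base64-key  (trailer ignored)
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=]+)"
)


def decode_flags(flags):
    """Split the 16-bit DNSKEY flags field into its defined bits."""
    return {
        "zone_key": bool(flags & ZONE_KEY),
        "revoke": bool(flags & REVOKE),
        "sep": bool(flags & SEP),
    }


def parse_dnskeys(text):
    """Parse DNSKEY presentation-format lines; other lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("ttl", "flags", "proto", "alg"):
            rec[field] = int(rec[field])
        rec.update(decode_flags(rec["flags"]))
        keys.append(rec)
    return keys


def trust_anchor_candidates(keys):
    """Keys suitable as a trust anchor: zone key, SEP set, protocol 3, not revoked."""
    return [
        k for k in keys
        if k["zone_key"] and k["sep"] and not k["revoke"] and k["proto"] == 3
    ]


def grep_257_count(text):
    """What 'grep 257' would select: every line containing the substring."""
    return sum(1 for line in text.splitlines() if "257" in line)


if __name__ == "__main__":
    keys = parse_dnskeys(SAMPLE_DRILL)
    print(f"grep 257 would keep {grep_257_count(SAMPLE_DRILL)} lines")
    for k in trust_anchor_candidates(keys):
        print(f"trust anchor candidate: {k['owner']} flags={k['flags']} alg={k['alg']}")
```

Whatever is written to root.key should then be compared against the root trust anchor published out of band (the IANA root anchor file or the copy shipped with the OS); the chain-of-trust trace is only as good as the key it starts from.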

peek into a validating resolver

  • unbound-host lets you view every step of DNSSEC validation
    unbound-host -C /etc/unbound/unbound.conf -dvv www.isc.org

sanity check a DNSSEC signed zone

  • check a DNSSEC signed zone for issues
    donuts  -r "/usr/share/dnssec-tools/donuts/rules/*.txt" \
         dnsworkshop.org-zonefile dnsworkshop.org
    
    or
    ldns-verify dnsworkshop.org-zonefile

BIND

statistics channel over http

acl myadmins { 192.0.2.100; 192.0.2.101; };

statistics-channels {
    inet * port 8053 allow { myadmins; };
};

check config + zonefiles before reload

  • verify named.conf (and all zonefiles loaded) for syntax errors
    named-checkconf -z

pretty print a configuration file

  • if you see a messed-up BIND config, pretty print it
    named-checkconf -p > named.conf

pretty print the canonical form of a zone

  • some errors hide behind zonefile shortcuts; the canonical form makes them visible
    named-checkzone -D problemdomain.com problemdomain.com-zone

tune the concurrent client setting

  • adjust recursive clients to real world value on a busy caching DNS server
    options {
        [...]
        recursive-clients 2000;
        tcp-clients 200;
    };

limit the size of the cache

  • a BIND caching DNS server gets slower with a large cache (> 2GB)
    options {
        [...]
        max-cache-size 2147483648; // 2GB max cache
    };
    

compile zones to binary format for fast startup

  • compile a text-version of a zone to "raw" binary format
    # named-compilezone -F raw -o gnu.org-raw gnu.org gnu.org-zone 
    zone gnu.org/IN: loaded serial 2011071556
    dump zone to gnu.org-raw...done
    OK
    
    and in named.conf
    zone "example.com" {
         type master;
         file "example.com.raw";
         masterfile-format raw;
    };
    

convert from RAW zone format to text format

  • BIND 9.9.x+ creates RAW files by default (for slave-zones)
  • this command turns them into RFC 1035 text format
    named-compilezone -f raw -o slave.example.org-text \
                       slave.example.org slave.example.org

simple dynamic zone setup (BIND 9.7.2+)

  • enable dynamic updates
    zone "example.com" {
         type master;
         file "example.com-zone";
         update-policy local;
    };
    
    and use "nsupdate" to make changes to the zone (from the DNS server machine)
    # nsupdate -l
    > update add www.example.com.   3600 IN A 192.0.2.80
    > update delete old.example.com. A
    > send
    

FUN

Bert's Secure Reverse Polish DNS Calculator (BSRPDNSC)

  • Try Bert's Secure Reverse Polish DNS Calculator (BSRPDNSC). This is nice because you don't need your HP48 or Forth to do serious RPN calculations:

    # dig "9.dup.*.rp.secret-wg.org" TXT
    

Wikipedia over DNS

  • no web browser to lookup things in Wikipedia? Use DNS
# dig txt guug.wp.dg.cx

Query the latest twitter news over DNS

  • who needs a twitter client?

    dig guug.twitter.any.io txt +short
    

Thank you

carsten@strotmann.de

Links to the tools and web-pages mentioned in this talk can be found on dnsworkshop.org