DNS Workshop

Friday Feb 28, 2014

Delve deep into DNSSEC

BIND 9.10 is the new version of the BIND 9 DNS server from ISC http://isc.org (not to confuse with BIND 10, which is a different DNS server product). I will report in a series of articles about the new features in BIND 9.10. The first beta version of BIND 9.10 has been released this week and can be found at ftp://ftp.isc.org/isc/bind9/9.10.0b1/.

BIND 9.10 contains a new command-line tool to test DNSSEC installations. The tool is called delve and it works very much like the already know dig. It is like dig with special DNSSEC validation powers.

[Read More]

Saturday Feb 08, 2014

Compiling BIND 9.9.5 on OpenBSD

while compiling BIND 9 Version 9.9.5 on OpenBSD, I've got

making all in /usr/src/bind-9.9.5/lib/lwres/unix/include/lwres
gcc  -I/usr/src/bind-9.9.5 -I./unix/include  -I. -I./include -I./include
- -I/usr/src/bind-9.9.5/lib/isc/include  -I../../lib/isc
- -I../../lib/isc/include  -I../../lib/isc/unix/include
- -I../../lib/isc/nothreads/include  -I../../lib/isc/x86_32/include
- -g -O2   -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings
- -Wformat -Wpointer-arith -fno-strict-aliasing  -c gethost.c
gethost.c: In function `copytobuf':
gethost.c:307: error: `uintptr_t' undeclared (first use in this function)
gethost.c:307: error: (Each undeclared identifier is reported only once
gethost.c:307: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/bind-9.9.5/lib/lwres.
*** Error code 1

Stop in /usr/src/bind-9.9.5/lib (line 103 of Makefile).
*** Error code 1

Stop in /usr/src/bind-9.9.5 (line 107 of Makefile).
#include <inttypes.h> /* uintptr_t */

to the file <bind9-source>/lib/lwres/gethost.c fixes this issue (type "uintptr_t" not known). This issue has been reported upstream to ISC and will be fixed in the next BIND 9 release.

Sunday Dec 22, 2013

a local, augmented root-zone with DNSSEC

Sometimes I get this question in my DNSSEC training classes: "now DNSSEC seems to be a good technology, but the root-zone is controlled by the US government. Because of that, can we trust DNSSEC?".

My answer is not to mix technology (DNSSEC) with implementation (the DNS system of the Internet).

Both are separate. While I can understand that some people do not trust the organisations in control of the Internet DNS root-zone, I see no flaw in DNSSEC (at this moment).

One way to solve the trust issue with the Internet root-zone is to host your own root-zone for the Internet. Then you are in full control of that zone. Have that zone in your own network, or on your Laptop computer und use it for the starting.point of all DNSSEC validation (the trust anchor) for DNS.

Besides the trust question, there might be another reason to operate a local root-zone: some organisations have created an internal, private top-level domain (TLD)1. A local, dnssec-signed root-zone enables the operator to remove or add any delegations, while still being able to validate all DNSSEC signed data in the Internet, as well as data that is stored in their own private DNS namespace.

The following tutorial explains the steps required to generate a local augmented and DNSSEC signed root-zone. The tutorial requires some understanding of DNS concepts and basic knowledge on DNSSEC.

[Read More]

Wednesday Jan 23, 2013

Mirror - Mirror -- Resources on DNS reflection attacks

NCSC 2013 conference Presentation

Presentation link is a compressed (gzip) PDF. You might need to rename the downloaded file to "presentation.pdf.gz" to be able to uncompress it!


DNS Monitoring

DNS reflection and amplification attacks

Open Resolvers

Minimal Responses



Sunday Nov 04, 2012

DNSSEC with PowerShell und dnscmd (on Windows 2012)

Windows 2012 can DNSSEC sign zones using the GUI Management tools. That works fine for a handfull of zones. But how about automation, signing hundreds of zones? Windows 2012 could be used as a "hidden master" DNSSEC signing engine that provides DNSSEC signed zones to Unix based front-end servers, while automating the key rollovers and continuous re-singing of the zones to refresh the record signatures. In that scenario, automation can be important.


One automation option is the dnscmd tool. However, dnscmd is deprecated and might be removed from future versions of Windows. The more modern way is to use PowerShell (see below).

Usage: DnsCmd <ServerName> /ZoneAddSKD <ZoneName> /Alg <KeyAlg> [/Length <KeyLength>]
                      [/KSP <KeyStorageProviderName>] [/Flags <KeyFlags>] [/StoreKeysInAD]
                      [/DoNotStoreKeysInAD] [/InitialRolloverOffset <Seconds>]
                      [/DNSKEYSignatureValidityPeriod <Seconds>] [/DSSignatureValidityPeriod <Seconds>]
                      [/StandardSignatureValidityPeriod <Seconds>] [/RolloverPeriod <Seconds>]
  <KeyStorageProviderName> -- "Microsoft Software Key Storage Provider" or
                     other KSP installed on this system
  <KeyAlg>        -- the key algorithm mnemonic string. Currently only
                     "RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512",
                     "ECDSAP256SHA256" and "ECDSAP384SHA384" are supported.
  <KeyLength>     -- length of the key in bits. For RSA algorithms the value
                     can range from 1024 bits in 64 bit increments up to 4096
                     bits. Key size is ignored for other algorithms.
  <KeyFlags>      -- bits to be set to 1 in DNSKEY flags field. If 
                     is "KSK",  the Secure Entry Point bit will be set to 1
                     to indicate that this key is a Key Signing Key. If no
                     /Flags is given, the key is considered to be a Zone
                     Signing Key.
  /StoreKeysInAD  -- if specified, keys will be stored on the zone object in
                     Active Directory and will replicate to other DNS servers
  /DoNotStoreKeysInAD -- if specified, keys will be stored in a self-signed
                     certificate in the local machine certificate store and
                     will not replicate to other DNS servers

In future versions of Windows, Microsoft might remove dnscmd.exe

The dnscmd subcommand ZoneAddSKD creates a new DNSSEC key and assigns that key to a zone. Without a key assigned, dnscmd will refuse to sign the zone. Be careful not to assign more than the needed keys to a zone. Every call to ZoneAddSKD will add a new key to the zone. Usually we want to have one Key Signing Key (KSK), and one Zone Signing Key (ZSK):

creating the KSK

PS C:\Users\Administrator> dnscmd server1 /ZoneAddSkd dnscmd.example.com /Alg RSASHA256 /Length 2048 /Flags KSK

Command returned the following Signing Key Descriptor:

SKD GUID {EDADBF50-A733-4C67-A95E-8145C77BE0A1}
        key storage provider                = Microsoft Software Key Storage Provider
        store keys in AD                    = 0
        KSK flag                            = 1
        signing algorithm                   = RSASHA256
        key size                            = 2048
        initial rollover offset             = 0
        DNSKEY signature validity period    = 604800
        DS signature validity period        = 604800
        standard signature validity period  = 864000
        rollover period                     = 65232000
        next rollover action                = Normal

Command completed successfully

creating the ZSK
PS C:\Users\Administrator> dnscmd server1 /ZoneAddSkd dnscmd.example.com /Alg RSASHA256 /Length 1024

Command returned the following Signing Key Descriptor:

SKD GUID {47D410EE-35A4-483C-9B3B-1FB763F5AAB5}
        key storage provider                = Microsoft Software Key Storage Provider
        store keys in AD                    = 0
        KSK flag                            = 0
        signing algorithm                   = RSASHA256
        key size                            = 1024
        initial rollover offset             = 0
        DNSKEY signature validity period    = 604800
        DS signature validity period        = 604800
        standard signature validity period  = 864000
        rollover period                     = 7776000
        next rollover action                = Normal

Command completed successfully.

To be precise, the commands above do not directly create the keys, instead they create a "Signing Key Descriptor (SKD)", which is a kind of policy that describes how DNSSEC keys are generated for this zone. The Windows 2012 DNS server then creates new keys based on the descriptors whenever needed (for example during a key rollover).

Now we can use dnscmd subcommand "ZoneSign" to sign the zone. The parameters for "ZoneSign" are:

Usage: DnsCmd  /ZoneSign <ZoneName>
  Generates keys and adds DNSSEC records to the zone using the zone signing
  parameters and Signing Key Descriptors (SKDs) currently set on this zone.

In future versions of Windows, Microsoft might remove dnscmd.exe.

The only required parameter is the name of the zone to sign. This zone must already have DNSSEC keys attached:

PS C:\Users\Administrator> dnscmd server1 /ZoneSign dnscmd.example.com
Command completed successfully.


With PowerShell, we use the command Add-DnsServerSigningKey to create and add the DNSSEC Signing Key Descriptors to a DNS zone:

SYNTAX: Add-DnsServerSigningKey [-ZoneName] <string> 
             [[-Type] <string> {KeySigningKey | ZoneSigningKey}] 
             [[-CryptoAlgorithm] <string> {RsaSha1 | RsaSha256 | RsaSha512 | RsaSha1NSec3 | ECDsaP256Sha256 | ECDsaP384Sha384}] 
             [[-KeyLength] <uint32>] 
             [-ComputerName <string>] 
             [-InitialRolloverOffset <timespan>] 
             [-DnsKeySignatureValidityPeriod <timespan>] 
             [-DSSignatureValidityPeriod <timespan>] 
             [-RolloverPeriod <timespan>] 
             [-ActiveKey <string>] 
             [-StandbyKey <string>] 
             [-NextKey <string>] 
             [-KeyStorageProvider <string>] 
             [-StoreKeysInAD <bool>] 
             [-CimSession <CimSession[]>] 
             [-ThrottleLimit <int>] 

Again, we creating one for the KSK, and one for the ZSK:

creating the KSK

PS C:\Users\Administrator> Add-DnsServerSigningKey powershell.example.com -Type KeySigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048 

creating the ZSK
PS C:\Users\Administrator> Add-DnsServerSigningKey powershell.example.com -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

The last step is to sign the zone, where we use Invoke-DnsServerZoneSign.

SYNTAX: Invoke-DnsServerZoneSign [-ZoneName] <string>
                    [-ComputerName <string>] 
                    [-CimSession <CimSession[]>] 
                    [-ThrottleLimit <int>] 

PS C:\Users\Administrator> Invoke-DnsServerZoneSign powershell.example.com

This will initiate online signing of the zone powershell.example.com on server SERVER1.
Do you want to continue?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

Happy automated zone signing!

Wednesday Oct 31, 2012

Who is asking for

This morning I experienced a steep increase in NXDOMAIN responses in my home network, just about the time that I started to install Windows 2012 for some DNS experiments. There were around 15 queries per minute from one source for a non-existing domain.

An increase of NXDOMAIN this morning

A closer look revealed that the NXDOMAIN responses where caused by queries for "". This looked like a misbehaving software.

A closer look: the queries are for

However the originating IPv4 address that I could see sending the queries was non of my "well known" client- or server-systems.

The machine turned to be the iDRAC card in a Dell r200 server I

It turned out to be the remote management card (iDRAC) inside the Dell r200 server I'm installing Windows 2012 on (IPv4 address is the iDRAC card, my BIND 9 resolving DNS). Luckily, because I'm running a recent version of BIND 9, these queries were stopped by the "automatic empty zones" feature in the recursive DNS server and not send out to the Internet.

The automatic empty zones are defined in RFC 6303 - "Locally Served DNS Zones" and can be controlled using the "empty-zones-enable" statement in named.conf. If you have Dell servers with iDRAC cards that show the same behaviour than mine, and you use BIND 9.5.0+ with automatic empty zones, you are fine. Look at your BIND recursive server startup messages. If you see a similar list as shown below, all is fine:

BIND "empty zones" startup messages

31-Oct-2012 12:39:26.753 automatic empty zone: 10.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 16.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 17.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 18.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 19.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 20.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 21.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 22.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 23.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 24.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 25.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 26.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 27.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 28.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 29.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 30.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 31.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 168.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 127.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 254.169.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 2.0.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 100.51.198.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 113.0.203.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone:
31-Oct-2012 12:39:26.753 automatic empty zone:
31-Oct-2012 12:39:26.753 automatic empty zone:
31-Oct-2012 12:39:26.753 automatic empty zone: D.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 9.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: A.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: B.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.B.D.

If you do not see this messages, it might be because your BIND version is quite old. Consider upgrading. If you are using a different DNS Server product, it is good practice to define empty DNS zones for the address blocks defined in RFC 6303. These zones only contain one SOA and one NS record (see below), they are "empty" and the only purpose is to stop internal traffic to leak from your internal networks to the Internet by serving the NXDOMAIN response locally.

Example "empty" zone-file

@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @

Tuesday Sep 11, 2012

DNSSEC signing a zone with Windows Server 2012

Windows 2012 Server was released on 4th of September 2012. Time to have a closer look at the DNSSEC signing capabilities (information about DNSSEC validation on Windows 2012 can be found in the article "DNSSEC validation in Microsoft DNS Server 2012").

For the DNSSEC zone signing walk-through a newly installed Windows 2012 "Standard" Server was used. Only the DNS role was installed in addition to the default components, no Active Directory. This article will cover the creation of a static DNS zone for the Internet. I do not cover the creation of an internal dynamic zones that is updated from clients or DHCP Server.

[Read More]

Thursday Jul 19, 2012

Lesser known DNS tools and BIND tricks

A talk at the german unix user group (GUUG) meeting on 2nd August 2012 in Berlin. The name of the talk is "Lesser known DNS tools and BIND tricks".

The slides

Direct Link: Lesser known DNS tools and BIND tricks

PDF Version Lesser known DNS tools and BIND tricks

Tools mentioned in the talk

commandpackage / projectwebpagedescription
dnsgetudnshttp://www.corpit.ru/mjt/udns.htmlsimple dns lookup tool
digbind9http://isc.orggeneric dns lookup tool
dnsmapdnsmaphttp://code.google.com/p/dnsmap/brute force dns zone mapper
adnshostadnshttp://www.chiark.greenend.org.uk/~ian/adns/fast, asynchronous dns lookup tool
adnsresfilteradnshttp://www.chiark.greenend.org.uk/~ian/adns/dns IP to name resolution as a filter
avahi-browseavahihttp://avahi.orgbrowse multicast DNS services
mdns-scanmdns-scanhttp://0pointer.de/lennart/projects/mdns-scan/browse multicast DNS service
ldns-mxldnshttp://www.nlnetlabs.nl/projects/ldns/lookup mail server for a domain
dnstreednsbrowsehttp://www.isi.edu/~johnh/SOFTWARE/DNS/terse display of a zone
lookupdnssec-toolshttp://www.dnssec-tools.org/graphical DNS and DNSSEC lookup tool
ldns-chaosldnshttp://www.nlnetlabs.nl/projects/ldns/find version of DNS server
fpdnsfpdnshttps://github.com/kirei/fpdnsfingerprint DNS server version
echopingechopinghttp://echoping.sourceforge.net/measure DNS server latency
dnstopdnstophttp://dns.measurement-factory.com/tools/dnstop/monitor local DNS traffic
dnscapdnscaphttps://www.dns-oarc.net/tools/dnscap/capture DNS traffic
dnspktflowdnssec-toolshttp://www.dnssec-tools.org/visualize DNS traffic in a network
dnstracerdnstracerhttp://www.mavetju.org/unix/dnstracer.php/displays the DNS delegation tree
dnswalkdnswalkhttp://sourceforge.net/projects/dnswalk/validate a DNS zone
zonecheckzonecheckhttp://zonecheck.frDNS zone debugger
mapperdnssec-toolshttp://www.dnssec-tools.org/graphically display the content of a zone file
DNSSEC-checkdnssec-toolshttp://www.dnssec-tools.org/test DNSSEC caching resolver capabilities
sshfpsshfphttp://www.xelerance.com/services/software/sshfp/generate SSHFP records from knownhosts
ldns-walkldnshttp://www.nlnetlabs.nl/projects/ldns/"walks" a NSEC signed zone
walkerwalkerhttp://josefsson.org/walker/"walks" a NSEC signed zone
drillldnshttp://www.nlnetlabs.nl/projects/ldns/clone of 'dig' with extra functions
unbound-hostunboundhttp://unbound.netthe ultimate DNS/DNSSEC troubleshooting tool
donutsdnssec-toolshttp://www.dnssec-tools.org/validates a DNSSEC signed zone
ldns-verifyldnshttp://www.nlnetlabs.nl/projects/ldns/validates a DNSSEC signed zone
named-checkconfbind9http://isc.orgverifies a BIND 9 configuration file and zones
named-checkzonebind9http://isc.orgverifies a DNS master zone file
named-compilezonebind9http://isc.orgconverts a zone file between text and binary format
named-journalprintbind9http://isc.orgprints the content of a BIND 9 journal file
nsupdatebind9http://isc.orgsends DNS dynamic updates to a DNS server

Saturday Jun 30, 2012

DNS Name Resolution Design for proper DNSSEC validation

Many networks have a DNS name resolution design that uses a hybrid DNS server. A hybrid DNS server is a DNS server that combines both functions that a DNS server can operate in into one process: the authoritative function (hosting zones) and the resolving/caching function (looking up names in DNS on behalf of DNS clients).

Both BIND and Microsoft Windows DNS server can operate in a hybrid mode. Other (some would say "more modern") DNS servers such as Unbound (resolving only) and NSD (caching only) separate these functions.

While running a hybrid DNS server was fine in the world before DNSSEC, the deployment of DNSSEC requires a closer look at these "legacy" DNS designs.

Authoritative DNS servers, when queried for a name they are authoritative for, will set the AA-flag (Authoritative Answer) in the answer.

Resolving DNS server that perform DNSSEC validation will set the AD-flag, if the DNS data received is validating. The AA-flag and the AD-flag are mutually exclusive, there can only be either one in an DNS answer. The reason is that it would be extra work, but no added security, if an authoritative DNS server would validate its own data. After all, if the server has been compromised, it cannot trust its own data and it is not possible to detect the false data from within the authoritative DNS server. Only a DNS server external to the authoritative server can validate DNSSEC signed zone data.

For proper DNSSEC name resolution (AD flag set on all answers from DNSSEC secured zones), all queries must go through a resolving DNS Server that is separate from the DNS server hosting the zones.[Read More]

Saturday Jun 23, 2012

DNSSEC validation in Microsoft DNS Server 2012

The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3). Here is a small tutorial on how to import the trust anchor for the Internet root zone into the Windows 2012 DNS Server to enable DNSSEC validation.[Read More]

Saturday Jun 16, 2012

Supervising BIND 9

BIND 9 is a mature piece of software. Compared with its predecessors BIND 4 and BIND 8, it is more stable and has less security problems. One reason for this is the "Design by contract" programming style used by the BIND 9 team. BIND 9 is very paranoid about data it consumes, and about its internal data structures. Once BIND 9 finds an unexpected state in its internal data-structures, it terminates the DNS server process instead of continue to run with wrong data (and risking a security vulnerability).

While this behavior is good for security, it is very bad for service uptime. The DNS server process terminates, and with it the DNS service. Users (Customers) do not not so much care about security if they cannot reach Facebook. BIND 9 had several incidents in the past years where BIND 9 terminated because of issues inside the code or data-structures, like "BIND 9 Resolver crashes after logging an error in query.c".

BIND 10 is aiming to solve this, as project lead Shane Kerr writes in "Software Robustness and BIND 10". But until BIND 10 arrives, a work-around is needed for BIND 9.

The real issue for the DNS service is not BIND 9 terminating on bad data, but that BIND 9 cannot restart after the fact. There is no "supervisor" process in BIND 9.

Some operating systems have a build-in solution: MacOS X has launchd, and the BIND 9 version Apple delivers with the OS is automatically restarted should it terminate unexpected. Solaris has SMF (Service Management Facility), and BIND 9 can be integrated into SMF. Unbuntu Linux now has upstart, and Fedora systemd, which can also monitor processes and restart them if needed.

For Unix and Linux operating systems that do not ship with a process supervisor solution, supervisord is a nice and easy to setup solution. Supervisord comes as a package with many Linux distributions, and it also works on the BSD Unixes. The configuration below is for OpenBSD, but should require only minor tweaks to run on other Unix systems as well.


Supervisord is written in Python (2.4 - 2.7) and can be installed from source (where we have to download and install all dependencies) or with the help of setuptools, which takes care of downloading and installing all dependencies. Below I use setuptools:

bash# sh setuptools-0.6c11-py2.7.egg
bash# easy_install supervisor

A basic configuration file for BIND 9 "named"

Below is my basic /etc/supervisord.conf configuration file for one service, the BIND 9 DNS Server:

file = /tmp/supervisor.sock
chmod = 0777
chown= nobody:nogroup

supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface


logfile = /var/log/supervisord.log
logfile_maxbytes = 10MB
loglevel = info
pidfile = /var/run/supervisord.pid
identifier = supervisor
directory = /tmp

command=/usr/sbin/named -f

starting "supervisord"

Once the configuration file is in place, we can start supervisord. Make sure that BIND 9 is not started, else you will end up with two instances of the BIND 9 server running, which is not a good idea. Also make sure that supervisord will be started on reboot of the server, either trough a startscript or other means. The Supervisord packages coming with Linux distributions install a startscript.

bash# supervisord
bash# tail /var/log/supervisord.log
2012-06-16 16:59:48,812 INFO Increased RLIMIT_NOFILE limit to 1024
2012-06-16 16:59:48,949 INFO RPC interface 'supervisor' initialized
2012-06-16 16:59:48,953 INFO RPC interface 'supervisor' initialized
2012-06-16 16:59:48,963 INFO daemonizing the supervisord process
2012-06-16 16:59:48,964 INFO set current directory: '/tmp'
2012-06-16 16:59:48,967 INFO supervisord started with pid 14724
2012-06-16 16:59:49,976 INFO spawned: 'named' with pid 16701
2012-06-16 16:59:55,020 INFO success: named entered RUNNING state, process has stayed up for > than 5 seconds (startsecs)

Great, supervisord has started, and it also started the BIND 9 process "named". DNS is working now.

simulating a BIND 9 crash

to simulate a BIND 9 crash, we "kill" the BIND 9 named process:

bash# ps aux | grep named
_syslogd 32633  0.0  0.1   512   648 ??  I     17Apr12    2:28.76 syslogd -a /var/named/dev/log -a /var/empty/dev/log
root     16701  0.0  0.8  5684  6500 ??  I      4:59PM    0:00.50 /usr/sbin/named -f
bash# bash-3.2# kill -9 16701
bash# tail supervisord.log 
2012-06-16 17:03:29,192 INFO exited: named (terminated by SIGKILL; not expected)
2012-06-16 17:03:30,201 INFO spawned: 'named' with pid 9832

Works as a expected. Supervisord has detected that the BIND 9 process has terminated, and has restarted a new one. DNS is still up and running.

Controlling supervisord

The supervisord can be controlled from the commandline using the supervisorctl command. A list of all a control commands can be found with "help", and a description of each command with "help command":

bash# supervisorctl help

default commands (type help ):
add    clear  fg        open  quit    remove  restart   start   stop  update 
avail  exit   maintail  pid   reload  reread  shutdown  status  tail  version

bash# supervisorctl help status
status                  Get all process status info.
status            Get status on a single process by name.
status      Get status on multiple named processes.

bash# supervisorctl status
named                            RUNNING    pid 25770, uptime 0:00:12

bash# supervisorctl stop named
named: stopped

bash# supervisorctl start named
named: started

Now, whenever there is an assertion error in the code triggered, BIND 9 will terminate, but supervisord will bring it back from the dead. Your DNS service stays up, and the users and customers happy.

Read the supervisord documentation on how to setup event notifications, so that you get an E-Mail on the event that BIND 9 has been restarted. There might be a security vulnerability nontheless, which you would like to report to bind9-bugs@isc.org.

Of course supervisord can be used to restart other processes as well, including other types of DNS Servers (NSD, Unbound, dnsmasq ...).

Thursday Mar 01, 2012

Fixing BIND 9.9.0 compilation on OpenBSD

Compiling the new BIND Version 9.9.0 can lead to an compilation error on systems that do not have the ENOTSUP constant defined (such as OpenBSD).

stdio.c: In function `isc_stdio_sync':
stdio.c:117: error: `ENOTSUP' undeclared (first use in this function)
stdio.c:117: error: (Each undeclared identifier is reported only once
stdio.c:117: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/bind-9.9.0/lib/isc/unix.
*** Error code 1

Stop in /usr/src/bind-9.9.0/lib/isc (line 174 of Makefile).
*** Error code 1

Stop in /usr/src/bind-9.9.0/lib (line 103 of Makefile).
*** Error code 1

Stop in /usr/src/bind-9.9.0 (line 107 of Makefile).

ISC has already applied a patch that will be out with the next version(s). For all that want to compile and run BIND 9.9.0 now, below is a patch that works for me:

*** /usr/src/bind-9.9.0/lib/isc/include/isc/stdio.h.orig        Wed Feb 29 21:04:43 2012
--- /usr/src/bind-9.9.0/lib/isc/include/isc/stdio.h     Wed Feb 29 21:05:34 2012
*** 22,27 ****
--- 22,32 ----

  /*! \file isc/stdio.h */

+ /* OpenBSD doesn't have ENOTSUP, but does have EOPNOTSUPP */
+ #if defined (EOPNOTSUPP) && !defined (ENOTSUP)
+ #endif
   * These functions are wrappers around the corresponding stdio functions.

Monday Feb 20, 2012

Unbound & DNSSEC-Trigger Workshop at Augsburger Linutage

Workshop: secure DNS using Unbound and DNSSEC-Trigger

I will give a free workshop at the Augsburger Linux Infotage on Saturday, 24th March 2012 (http://www.luga.de/Aktionen/LIT-2012/Programm), on installing and using Unbound together with the new DNSSEC-Trigger tool.

Goal of this workshop is to learn about the security issues with plain DNS, how DNSSEC can help and how to deploy Unbound as a local DNSSEC validating DNS resolver to secure the personal mobile computer (laptop, netbook ...).

Please bring your own machine (WiFi required) to the workshop room "D", 11:00-13:00, pre-installed with either a flavor of Linux, MacOS X or Windows (Vista or newer, don't pretend to secure a XP machine). We will install Unbound and DNSSEC trigger during the workshop and learn some troubleshooting tricks on the way.

Wednesday Jan 11, 2012

Give nsupdate a history

the useful nsupdate tool (used to send dynamic updates towards an authoritative DNS server, part of the BIND nameserver distribution, www.isc.org) does not have a commandline history, nor automatic command completion.

Luckily, on Unix systems, this missing feature can be added to nsupdate using a small tool called rlwrap. rlwrap stands for 'readline wrapper'. Readline is an open source library that implements command history and tab completion, and it is used inside many well known command line tools. However it needs to be linked at compile time to be work on a program by default. If the developer does not link readline, the functions are not part of the program.

However it is possible to start a commandline tool such as nsupdate under the control of the readline wrapper. In this case, the readline wrapper will intercept when the command line tool tries to read data from the keyboard and will add the additional readline functions to the command line tool. rlwrap is part of most Unix/Linux distributions and can often be installed using the systems package manager.

In case of nsupdate, we can start nsupdate with

$ rlwrap nsupdate 

and voila, our old dog nsupdate has just learned some new tricks, it has now a command history that can be used with the cursor up and down keys (see the readline man page for a complete list of possible key bindings).

If rlwrap finds a file (named with the name of the commandline tool) containing keywords (space separated) in its search path for completion files (on my system that is /usr/share/rlwrap/completions), it will auto-complete the keywords found in the file when the user presses the tabulator key. Please find attached to this blogpost my completion file for nsupdate.

I don't not want to encourage the usage of nslookup (use dig or drill), but rewrap works also on the old steam engine called nslookup.

Please have a look at the rlwrap manual page. There are some more tricks to rlwrap that are not mentioned in this blog post.


Friday Dec 30, 2011

Take your DNSSEC with a grain of salt

DNSSEC has many useful properties. One is called 'Authenticated denial of existence'. This basically means that a DNSSEC validating DNS Server can prove that domain-names and resource records do not exist in the DNS.

But how does NSEC and NSEC3 work. And how to choose good values for NSEC3 salt and iterations?

[Read More]