• bind9

bind9

Docs

• Bind9 doc ftp current

• Bind9 doc latest

Current ARM

Determine the current version of bind in Debian

   1 # dpkg -l bind9| grep bind
   2 ii  bind9          1:9.11.5.P4+dfsg-5 amd64        Internet Domain Name Server

• Bindv9.11 Annotated reference manual

• Bindv9.17 Annotated reference manual

Install

Without DHCP-Server

   1 aptitude install bind9 dnsutils

With DHCP-Server

   1 aptitude install autodns-dhcp

This is a lightweight package that pulls the following dependencies:

• bind9
• dnsutils
• isc-dhcp-server
• perl

The cronjob that comes with the package may be easily deactivated.
/etc/cron.d/autodns-dhcp

   1 #
   2 # Regular cron jobs for the autodns-dhcp package
   3 #
   4 #*/1 * * * *    root    /usr/bin/test -x /usr/sbin/autodns-dhcp_cron && /usr/sbin/autodns-dhcp_cron
   5 

Configure

Info

   1 rndc status

Create directories for journals and zones

   1 install -o root -g bind -m 2775 -d /var/lib/bind/zones
   2 install -o bind -g bind -m 2755 -d /var/lib/bind/journal
   3 # Just for administrative convenience
   4 ln -s /var/lib/bind/zones /etc/bind/zones

Main configuration file

I decided to move acls, auth and logging configuration to their own files and include them in the main configuration file. They may be reused on other servers as well.

/etc/bind/named.conf

   1 //
   2 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
   3 // structure of BIND configuration files in Debian, *BEFORE* you customize
   4 // this configuration file.
   5 //
   6 // If you are just adding zones, please do that in /etc/bind/named.conf.local
   7 
   8 include "/etc/bind/named.conf.logging";
   9 include "/etc/bind/named.conf.options";
  10 include "/etc/bind/named.conf.acls";
  11 include "/etc/bind/named.conf.auth";
  12 include "/etc/bind/named.conf.local";
  13 //DEFAULT ZONES CANNOT BE INCLUDED HERE SINCE WE ARE USING VIEWS
  14 // SEE: named.conf.local
  15 //include "/etc/bind/named.conf.default-zones";
  16 

Logging

Default logging got extended by some info for debugging dynamic updates.

To use the path /var/log/bind you must extend the apparmor profile, otherwise leave it to /var/log/named. It's much easier to just create a symlink.

Create the directory

   1 install -o bind -g adm -m 2750 -d /var/log/named
   2 ### FOR MY OWN LAZYNESS I SET A LINK
   3 ln -s /var/log/named /var/log/bind

/etc/bind/named.conf.logging

   1 logging {
   2         channel null {
   3                 null;
   4         };
   5         channel update_debug {
   6                 file            "/var/log/named/update-debug.log" versions 10 size 10m;
   7                 severity        debug   3;
   8                 print-category  yes;
   9                 print-severity  yes;
  10                 print-time      yes;
  11         };
  12         channel security_info {
  13                 file            "/var/log/named/security.info" versions 10 size 10m;
  14                 severity        info;
  15                 print-category  yes;
  16                 print-severity  yes;
  17                 print-time      yes;
  18                 //stderr;
  19         };
  20         channel general_info {
  21                 file            "/var/log/named/general.info" versions 10 size 10m;
  22                 severity        info;
  23                 print-category  yes;
  24                 print-severity  yes;
  25                 print-time      yes;
  26                 //stderr;
  27         };
  28         channel general_warn {
  29                 severity        warning;
  30                 syslog          local7;
  31                 print-category  yes;
  32                 print-severity  yes;
  33                 print-time      yes;
  34                 //stderr;
  35         };
  36 
  37         // BIND9 LOGGING CATEGORIES
  38         //client cname config database default delegation-only dispatch dnssec dnstap
  39         //edns-disabled general lame-servers network notify queries query-errors
  40         //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update
  41         //update-security xfer-in xfer-out
  42 
  43         category general                { general_warn; };
  44         category general                { general_info; };
  45         category rate-limit             { security_info; };
  46         category security               { security_info; };
  47         category update                 { update_debug; };
  48         category update-security        { security_info;
  49                                           update_debug; };
  50         category notify                 { update_debug; };
  51 };
  52 
  53 // vim: set syntax=named:
  54 

Logrotate

Just remove versions 10 size 10m from the file config in /etc/bind/named.conf.logging

Please also take a look on ISC logrotate settings in bind-9

/etc/logrotate.d/named

   1 /var/log/named/*.log
   2 /var/log/named/*.info {
   3   compress
   4   create 0644 bind adm
   5   daily
   6   dateext
   7   missingok
   8   notifempty
   9   size 10M
  10   rotate 14
  11   sharedscripts
  12   postrotate
  13     /usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true
  14   endscript
  15 }
  16 

Adjust apparmor profile

In retrospective it may be easier to simply set a symlink than extending the apparmor config.

   1 ln -s /var/log/named /var/log/bind

Extend apparmor profile /etc/apparmor.d/local/usr.sbin.named

   1   # some people like to put logs in /var/log/named/ instead of having
   2   # syslog do the heavy lifting.
   3   /var/log/bind/** rw,
   4   /var/log/bind/ rw,

This path must match the named apparmor-profile /etc/apparmor.d/{,local/}usr.sbin.named or bind will not start with the following error:

Jun 18 15:04:18 kvm2 named[6707]: isc_stdio_open '/var/log/bind/update-debug.log' failed: permission denied
Jun 18 15:04:18 kvm2 named[6707]: configuring logging: permission denied
Jun 18 15:04:18 kvm2 named[6707]: loading configuration: permission denied
Jun 18 15:04:18 kvm2 named[6707]: exiting (due to fatal error)

   1 install -o bind -g adm -m 750 -d /var/log/bind

Query Log

During a migration it may be necessary to determine, which clients are using the server. This can be accomplished using the query log.

/etc/bind/named.conf.logging

   1         channel querylog_info {
   2                 file            "/var/log/bind/query.log" versions 10 size 10m;
   3                 severity        info;
   4                 print-category  yes;
   5                 print-severity  yes;
   6                 print-time      yes;
   7                 //stderr;
   8         };
   9 
  10         category queries { querylog_info; };

Regular-expression magic from
https://www.regular-expressions.info/ip.html

Determine RFC1918 client

   1 grep -Eo 'client \<[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\>' \
   2         /var/log/bind/query.log \
   3         |sed 's/client //' \
   4         |grep -E '^(10|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\.' \
   5         |sort \
   6         |uniq

Options

Some common options to all instances of bind9 around in the infrastructure.

• rate limit
• max-cache-size
• disable IPv6

/etc/bind/named.conf.options

   1 options {
   2 //      attach-cache            cache_name;
   3 //      version                 version_string;
   4 //      hostname                hostname_string;
   5 //      server-id               server_id_string;
   6         directory               "/var/cache/bind";              # path_name;
   7 //      key-directory           "/var/lib/bind/keys";           # path_name;
   8 //      managed-keys-directory  "/var/lib/bind/managed_keys";   # path_name;
   9 //      named-xfer              "/var/cache/bind";              # path_name;  // obsolete
  10 
  11         // If there is a firewall between you and nameservers you want
  12         // to talk to, you may need to fix the firewall to allow multiple
  13         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
  14 
  15         // If your ISP provided one or more IP addresses for stable
  16         // nameservers, you probably want to use them as forwarders.
  17         // Uncomment the following block, and insert the addresses replacing
  18         // the all-0's placeholder.
  19 
  20         // forwarders {
  21         //      0.0.0.0;
  22         // };
  23 
  24         //========================================================================
  25         // If BIND logs error messages about the root key being expired,
  26         // you will need to update your keys.  See https://www.isc.org/bind-keys
  27         //========================================================================
  28         dnssec-validation       auto;
  29 
  30         auth-nxdomain           no;                     # conform to RFC1035
  31         dump-file               "/var/cache/bind/named_dump.db";
  32         listen-on               { any; };               # Default "any;"
  33         listen-on-v6            { none; };              # Default
  34         allow-transfer          { rockstable_dns; };    # { address_match_list };
  35         empty-zones-enable      yes ;                   # Default no
  36 //      empty-zones-enable      no ;                    # Default no
  37 //      disable-empty-zone      zone_name ;
  38         allow-recursion { any; };       # Default with 9.4.1 { localhost; localnets; };
  39 //      allow-query { any; };
  40 //      allow-query-cache { any; };
  41         rate-limit {
  42                 responses-per-second 100;
  43         };
  44 //      listen-on-v6 { any; };
  45         //PER VIEW - DEFAULT: 90%
  46         max-cache-size 256m;
  47 };
  48 
  49 // vim: set syntax=named:
  50 

ACLs

Define ACLs for your networks and ip-interfaces. This will simplify your configuration and make it more readable.

/etc/bind/named.conf.acls

   1 // ACCESS CONTROL LISTS
   2 
   3 // ROCKSTABLE DNS-SERVERS
   4 
   5 acl ns2.rockstable.org { kvm1_eth0; };
   6 acl ns3.rockstable.org { kvm2_enp0s31f6; };
   7 acl ns4.rockstable.org { ns4_eth0; };
   8 // GROUP THEM TOGETHER
   9 acl rockstable_dns {
  10         ns2.rockstable.org;
  11         ns3.rockstable.org;
  12         ns4.rockstable.org;
  13 };
  14 
  15 // NETWORKS
  16 
  17 acl     rockstable      { 176.9.178.16/29; };
  18 acl     pub1            { 178.63.149.224/28; };
  19 
  20 // Exotic networks, client networks, …
  21 // …
  22 
  23 // INTERFACES
  24 acl     kvm1_eth0       { 176.9.99.233; };
  25 acl     kvm2_enp0s31f6  { 195.201.246.253; };
  26 acl     ns4_eth0        { 78.47.38.48; };
  27 
  28 // Exotic clients, name-server interfaces in client networks, …
  29 // …
  30 
  31 // vim: set syntax=named:
  32 

Auth

This file contains the secrets for TSIG (Transaction SIGnature) authentication and deserves some protection.
Make sure this file has correct unix-permissions!

   1 chown root:bind /etc/bind/named.conf.auth
   2 chmod o-r /etc/bind/named.conf.auth

/etc/bind/named.conf.auth

   1 // KEYS
   2 key DNS_REPLICATOR_INTERNAL {
   3         algorithm       HMAC-SHA512;
   4         secret          "ENDLESS_LONG_SECRET_KEY_FOR_INTERNAL_VIEW";
   5 };
   6 
   7 key DNS_REPLICATOR_EXTERNAL {
   8         algorithm       HMAC-SHA512;
   9         secret          "ENDLESS_LONG_SECRET_KEY_FOR_EXTERNAL_VIEW";
  10 };
  11 
  12 // MASTERS
  13 // INTERNAL
  14 masters masters_rockstable_org_internal port 53 {
  15         176.9.99.233 port 53 key DNS_REPLICATOR_INTERNAL;
  16 };
  17 
  18 masters masters_rockstable_it_internal port 53 {
  19         195.201.246.253 port 53 key DNS_REPLICATOR_INTERNAL;
  20 };
  21 
  22 // EXTERNAL
  23 masters masters_rockstable_org_external port 53 {
  24         176.9.99.233 port 53 key DNS_REPLICATOR_EXTERNAL;
  25 };
  26 
  27 masters masters_rockstable_it_external port 53 {
  28         195.201.246.253 port 53 key DNS_REPLICATOR_EXTERNAL;
  29 };
  30 
  31 // vim: set syntax=named:
  32 

Local

A slave-only setup authenticated using TSIG with only a view "external".

/etc/bind/named.conf.local

   1 //
   2 //      Do any local configuration here
   3 //
   4 
   5 //      Consider adding the 1918 zones here, if they are not used in your
   6 //      organization
   7 //include "/etc/bind/zones.rfc1918";
   8 
   9 //      be authoritative for the rockstable.org forward and reverse zones, and for
  10 //      broadcast zones
  11 
  12 view external {
  13         // TAKEN FROM named.conf.default-zones
  14         include "/etc/bind/named.conf.default-zones";
  15 
  16         match-clients {
  17                  key DNS_REPLICATOR_EXTERNAL;
  18                 !key DNS_REPLICATOR_INTERNAL;
  19                 any;
  20         };
  21 
  22         //REVERSE ZONE DEFINITIONS (INTERNAL)
  23         //-> NONE
  24 
  25         //FORWARD ZONE DEFINITIONS
  26         zone "rockstable.org" {
  27                 type                    slave;
  28                 masters                 { masters_rockstable_org_external; };
  29                 masterfile-format       text;     # (text|raw)
  30                 file                    "/var/lib/bind/zones/db.org.rockstable";
  31                 journal                 "/var/lib/bind/journal/db.org.rockstable.jnl";  # string ;
  32 
  33                 check-names             warn;     # (warn|fail|ignore) ;
  34                 notify                  yes;      # yes_or_no | explicit | master-only ;
  35                 zone-statistics         yes;      # yes_or_no ;
  36         };
  37 
  38         zone "rockstable.it" {
  39                 type                    slave;
  40                 masters                 { masters_rockstable_it_external; };
  41                 masterfile-format       text;     # (text|raw)
  42                 file                    "/var/lib/bind/zones/db.it.rockstable";
  43                 journal                 "/var/lib/bind/journal/db.it.rockstable.jnl";   # string ;
  44                 check-names             warn;     # (warn|fail|ignore) ;
  45                 notify                  yes;      # yes_or_no | explicit | master-only ;
  46                 zone-statistics         yes;      # yes_or_no ;
  47         };
  48 };
  49 
  50 // vim: syntax=named:
  51 

Forwarding

nhs.uk Forward first vs only

From bind ARM 9.17

Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

forward

This option is only meaningful if the forwarders list is not empty. A value of first is the default and causes the server to query the forwarders first; if that does not answer the question, the server then looks for the answer itself. If only is specified, the server only queries the forwarders.

forwarders

This specifies a list of IP addresses to which queries are forwarded. The default is the empty list (no forwarding). Each address in the list can be associated with an optional port number and/or DSCP value, and a default port number and DSCP value can be set for the entire list. Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. Particular domains can be set to use different forwarders, or have a different forward only/first behavior, or not forward at all; see zone Statement Grammar.

In the example reverse zones are resolved using forwarders only.

/etc/bind/named.conf.local

   1 // FORWARDS
   2 zone "0.10.in-addr.arpa" {
   3         type forward;
   4         forward only;
   5         forwarders {
   6                 10.0.0.5;
   7                 10.0.0.6;
   8                 10.0.0.7;
   9         };
  10 };
  11 
  12 zone "2.10.in-addr.arpa" {
  13         type forward;
  14         forward only;
  15         forwarders {
  16                 10.2.0.5;
  17                 10.2.0.6;
  18                 10.2.0.7;
  19         };
  20 };

Changing a dynamic zone with views

When you are using a dynamic zones with views there are some steps you need to walk through to update a zone.

   1 ZONE="rockstable.org"
   2 ### "IN" IS SIMPLY THE CLASS OF ZONE (CASE INSENSITIVE)
   3 VIEW="external"
   4 
   5 ### FREEZE A DYNAMIC ZONE
   6 rndc freeze "$ZONE" IN "$VIEW"
   7 ### EDIT THE ZONE AND INCREMENT THE SERIAL
   8 vim /etc/bind/zones/db.org.rockstable
   9 ### CHECK ZONE SYNTAX
  10 named-checkzone "$ZONE" /etc/bind/zones/db.org.rockstable
  11 ### RELOAD THE ZONE LOCALLY
  12 rndc reload "$ZONE" IN "$VIEW"
  13 ### UNFREEZE THE ZONE
  14 rndc thaw "$ZONE" IN "$VIEW"
  15 ### NOTIFY SLAVES EXPLICITLY
  16 rndc notify "$ZONE" IN "$VIEW"

Debugging

Check config

   1 named-checkconf

Check zone

   1 # named-checkzone rockstable.org /etc/bind/zones/db.org.rockstable
   2 zone rockstable.org/IN: _matrix._tcp.rockstable.org/SRV 'matrix.rockstable.org' is a CNAME (illegal)
   3 zone rockstable.org/IN: _stun._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
   4 zone rockstable.org/IN: _stuns._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
   5 zone rockstable.org/IN: _turn._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
   6 zone rockstable.org/IN: _turns._tcp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
   7 zone rockstable.org/IN: _stun._udp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
   8 zone rockstable.org/IN: _turn._udp.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
   9 zone rockstable.org/IN: _stun._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  10 zone rockstable.org/IN: _stuns._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  11 zone rockstable.org/IN: _turn._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  12 zone rockstable.org/IN: _turns._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  13 zone rockstable.org/IN: _xmpp-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  14 zone rockstable.org/IN: _xmpp-server._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  15 zone rockstable.org/IN: _xmpps-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  16 zone rockstable.org/IN: _xmpps-client._tcp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  17 zone rockstable.org/IN: _stun._udp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  18 zone rockstable.org/IN: _turn._udp.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  19 zone rockstable.org/IN: _xmpp-server._tcp.conference.jabber.rockstable.org/SRV 'jabber.rockstable.org' is a CNAME (illegal)
  20 zone rockstable.org/IN: loaded serial 2020030301
  21 OK

I should think about the advisory of named-checkzone one day. Seems like i'm doing illegal things with DNS.

Reformat zones

https://kb.isc.org/docs/aa-00608

Change zone format from raw to text:

   1 named-compilezone -f raw -F text \
   2         -o example.net.text example.net example.net.raw
   3 
   4 ### -f -> INPUT
   5 ### -F -> OUTPUT
   6 ### -o is mandatory
   7 

DNSsec

• dnssec-keymgr

• dnssec-keygen

• dnssec-signzone

Thank to the Leibniz-Rechenzentrum (LRZ) for it's nice tutorial (in german).

• LRZ doc DNSSEC mit BIND 9.9

• LRZ doc DNSKEYs und Key rollover - "best practices"

Server

Create key directory

   1 install -o root -g bind -m 750 -d /var/lib/bind/keys
   2 ### CREATE A SYMBOLIC LINK FOR CONVENIENCE
   3 ln -s /var/lib/bind/keys /etc/bind/keys

Create keys

   1 declare -a ZONES
   2 ZONES=( "rockstable.it" )
   3 for ZONE in ${ZONES[@]}; do
   4   ### CREATE ZONE SIGNING KEY (ZSK)
   5   dnssec-keygen -a RSASHA256 -b 2048 -3 $ZONE
   6   ### CREATE KEY SIGNING KEY (KSK)
   7   dnssec-keygen -a RSASHA256 -b 2048 -3 -f KSK $ZONE
   8 done
   9 chmod 640 /etc/bind/keys/K*

Options

   1         //key-directory path_name;
   2 
   3         //dnssec-accept-expired boolean;
   4         //dnssec-dnskey-kskonly boolean;
   5         //dnssec-enable boolean;
   6         //dnssec-loadkeys-interval integer;
   7         //dnssec-lookaside ( string trust-anchor string | auto | no );
   8         //dnssec-must-be-secure string boolean;
   9         //dnssec-secure-to-insecure boolean;
  10         //dnssec-update-mode ( maintain | no-resign );
  11         //dnssec-validation ( yes | no | auto );
  12 

update-check-ksk

• When set to the default value of yes, check the KSK bit in each key to determine how the key should be used when generating

  RRSIGs for a secure zone.
  
  Ordinarily, zone-signing keys (that is, keys without the KSK bit set) are used to sign the entire zone, while key-signing keys (keys with the KSK bit set) are only used to sign the DNSKEY RRset at the zone apex. However, if this option is set to no, then the KSK bit is ignored; KSKs are treated as if they were ZSKs and are used to sign the entire zone.

  This is similar to the dnssec-signzone -z command line option.
  
  When this option is set to yes, there must be at least two active keys for every algorithm represented in the DNSKEY RRset: at least one KSK and one ZSK per algorithm. If there is any algorithm for which this requirement is not met, this option will be ignored for that algorithm.

dnssec-dnskey-kskonly

• When this option and update-check-ksk are both set to yes, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY, CDNSKEY, and CDS RRsets at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset.

  This is similar to the dnssec-signzone -x command line option.
  
  The default is no. If update-check-ksk is set to no, this option is ignored.

key-directory

• When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files should be found, if different than the current working directory. (Note that this option has no effect on the paths for files containing non-DNSSEC keys such as bind.keys, rndc.key or session.key.)

dnssec-accept-expired

• Accept expired signatures when verifying DNSSEC signatures. The default is no. Setting this option to yes leaves named vulnerable to replay attacks.

dnssec-loadkeys-interval

• When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys’ timing metadata has been updated (see dnssec-keygen: DNSSEC key generation tool and dnssec-settime: set the key timing metadata for a DNSSEC key). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes.

  The default is 60 (1 hour),
  the minimum is 1 (1 minute),
  and the maximum is 1440 (24 hours);
  any higher value is silently reduced.

dnssec-lookaside

• When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does)

  the DNSKEY RRset is deemed to be trusted.
  
  If dnssec-lookaside is set to no, then dnssec-lookaside is not used.
  
  Note

  • The ISC-provided DLV service at dlv.isc.org, has been shut down. The dnssec-lookaside auto; configuration option, which set named up to use ISC DLV with minimal configuration, has accordingly been removed.

dnssec-must-be-secure

• Specify hierarchies which must be or may not be secure (signed and validated). If yes, then named will only accept answers if they are secure. If no, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be defined as a trust anchor, for instance in a dnssec-keys statement, or dnssec-validation auto must be active.

dnssec-update-mode

• If this option is set to its default value of maintain in a zone of type master which is DNSSEC-signed and configured to allow dynamic updates (see Dynamic Update Policies), and if named has access to the private signing key(s) for the zone, then named will automatically sign all new or changed records and maintain signatures for the zone by regenerating RRSIG records

  whenever they approach their expiration date.
  
  If the option is changed to no-resign, then named will sign all new or changed records,

  but scheduled maintenance of signatures is disabled.
  
  With either of these settings, named will reject updates to a DNSSEC-signed zone when the signing keys are inactive or unavailable to named. (A planned third option, external, will disable all automatic signing and allow DNSSEC data to be submitted into a zone via dynamic update; this is not yet implemented.)

/etc/bind/named.conf.options

   1 key-directory "/var/lib/bind/keys";

Signing

inline-signing

• If yes, this enables “bump in the wire” signing of a zone, where a unsigned zone is transferred in or loaded from disk and a signed version of the zone is served, with possibly, a different serial number. This behavior is disabled by default.

/etc/bind/named.conf.options

   1 ZONES=( "rockstable.it" )
   2 for ZONE in ${ZONES[@]}; do
   3   rndc loadkeys "$ZONE."
   4   NSECSEED=$(printf "%04x%04x" "$RANDOM" "$RANDOM")
   5   rndc signing -list "$ZONE."
   6   ### USED WITH "inline-signing"
   7   rndc signing -nsec3param 1 0 10 "$NSECSEED" "$ZONE."
   8 done

#WIP

Client

/etc/bind/named.conf.options

   1 //dnssec-enable yes; obsolete
   2 dnssec-validation yes;
   3 dnssec-lookaside auto;

#WIP

Trouble shooting

journal out of sync

A dynamic zone and its journal can get out of sync like in the following example

   1 06-Apr-2020 14:40:05.555 general: error: zone 0.16.172.in-addr.arpa/IN/internal: journal rollforward failed: journal out of sync with zone
   2 06-Apr-2020 14:40:05.555 general: error: zone 0.16.172.in-addr.arpa/IN/internal: not loaded due to errors.

You can sync the zone and purge the journal

   1 rndc sync -clean 0.16.172.in-addr.arpa
   2 rndc reload 0.16.172.in-addr.arpa

Corresponding log

   1 06-Apr-2020 14:40:21.896 general: info: received control channel command 'sync -clean 0.16.172.in-addr.arpa'
   2 06-Apr-2020 14:40:21.896 general: info: sync: dumping zone '0.16.172.in-addr.arpa/IN' internal, removing journal file: success
   3 06-Apr-2020 14:40:31.721 general: info: zone 0.16.172.in-addr.arpa/IN/internal: loaded serial 2020032200
   4 06-Apr-2020 14:40:31.721 general: info: received control channel command 'reload'

name not in use

Dynamic DNS update fails with

   1 06-Apr-2020 15:16:51.501 update: info: client @0x7f10c4104640 127.0.0.1#51809/key dhcp_updater: view internal: updating zone 'subdom.rockstable.it/IN': update unsuccessful: host1.subdom.rockstable.it: 'name not in use' prerequisite not satisfied (YXDOMAIN)                                          
   2 06-Apr-2020 15:16:51.502 update: info: client @0x7f10c40e7720 127.0.0.1#41651/key dhcp_updater: view internal: updating zone 'subdom.rockstable.it/IN': update unsuccessful: host1.subdom.rockstable.it/DHCID: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

Delete record and increment serial

   1 rndc freeze subdom.rockstable.it
   2 rndc sync -clean subdom.rockstable.it
   3 vim /etc/bind/zones/db.it.rockstable.subdom
   4 rndc thaw subdom.rockstable.it

fail2ban

Extent bind9 logging

Provide a datasource that fail2ban may parse.

/etc/bind/named.conf.logging

   1 logging {
   2         channel security_info    {
   3                 file            "/var/log/bind/security.info" versions 10 size 10m;
   4                 severity        info;
   5                 print-category  yes;
   6                 print-severity  yes;
   7                 print-time      yes;
   8                 //stderr;
   9         };
  10 
  11         // BIND9 LOGGING CATEGORIES
  12         //client cname config database default delegation-only dispatch dnssec dnstap 
  13         //edns-disabled general lame-servers network notify queries query-errors 
  14         //rate-limit resolver rpz security spill trust-anchor-telemetry unmatched update 
  15         //update-security xfer-in xfer-out 
  16 
  17         category rate-limit             { security_info; };
  18         category security               { security_info; };
  19 };
  20 
  21 // vim: set syntax=named:

Ban rogues

If you have a open DNS server, that recurses for everybody, rate-limiting the responses may not be enough.

I adjusted the filter-configuration of fail2ban to match DDOS-UDP patterns.

• Change _daemon to include rate-limiting.

• Introduce regex __log_level to make it configurable.

• Modularize __line_prefix to be not monolithic but keep optionality.

• Don't start prefregex with a ^ caret or date won't be matched.

• Add regex failregex to match rate-limits.

  • The failregex been proven to be working.

/etc/fail2ban/filter.d/named-refused.conf

   1 # Fail2Ban filter file for named (bind9).
   2 #
   3 
   4 # This filter blocks attacks against named (bind9) however it requires special
   5 # configuration on bind.
   6 #
   7 # By default, logging is off with bind9 installation.
   8 #
   9 # You will need something like this in your named.conf to provide proper logging.
  10 #
  11 # logging {
  12 #     channel security_file {
  13 #         file "/var/log/named/security.log" versions 3 size 30m;
  14 #         severity dynamic;
  15 #         print-time yes;
  16 #     };
  17 #     category security {
  18 #         security_file;
  19 #     };
  20 # };
  21 
  22 [Definition]
  23 
  24 # Daemon name
  25 #_daemon=named
  26 _daemon=(named|rate-limit)
  27 
  28 # Shortcuts for easier comprehension of the failregex
  29 
  30 __pid_re=(?:\[\d+\])
  31 __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
  32 #__daemon_re=\(?(named|rate-limit)(?:\(\S+\))?\)?:?
  33 __log_level=((error|info):)
  34 
  35 ### PID:DAEMON OR DAEMON:PID
  36 __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
  37 #__daemon_combs_re=(?:(?:\[\d+\])?:\s+\(?(named|rate-limit)(?:\(\S+\))?\)?:?|\(?(named|rate-limit)(?:\(\S+\))?\)?:?(?:\[\d+\])?:)
  38 
  39 #       hostname       daemon_id         spaces
  40 # this can be optional (for instance if we match named native log files)
  41 #__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
  42 __line_prefix=(?:\s\S+\s+)?(%(__daemon_combs_re)s)?\s*
  43 
  44 #prefregex = ^%(__line_prefix)s( error:)?\s*client <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
  45 prefregex = %(__line_prefix)s%(__log_level)s?\s*client @\S+ <HOST>#\S+( \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>$
  46 
  47 failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
  48             ^zone transfer '\S+/AXFR/\w+' denied\s*$
  49             ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
  50             ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \S+ IN ANY\s+\(\S+\)$
  51 
  52 ignoreregex =
  53 
  54 # DEV Notes:
  55 # Trying to generalize the
  56 #          structure which is general to capture general patterns in log
  57 #          lines to cover different configurations/distributions
  58 #          
  59 # Author: Yaroslav Halchenko

Test your filter with fail2ban-regex

   1 fail2ban-regex -vv \
   2         /var/log/bind/security.info \
   3         /etc/fail2ban/filter.d/named-refused.conf

Looks good, so far. Effectivly this rule only drops the queries from rate-limited requestors. This may be a DDOS-victim. The victim will also not be able to query this DNS-Server.

You may check your regex with the great webtool https://regex101.com/.

Make sure you servers are configured correctly!!1!

Once your confident enable the configuration. /etc/fail2ban/jail.d/named-refused.conf

   1 ### SEE ../filter.d/named-refused.conf
   2 ### ADDED REGEX TO failregex TO PROTECT DDOS ATTACKS
   3 ### ^(view (internal|external): )?rate limit (drop|slip) response to \S+ for \S+ IN ANY\s+\(\S+\)$
   4 
   5 [named-refused-udp]
   6 
   7 enabled = true
   8 filter   = named-refused
   9 port     = domain,953
  10 protocol = udp
  11 logpath  = /var/log/bind/security.info
  12 
  13 [named-refused]
  14 
  15 enabled = true
  16 port     = domain,953
  17 logpath  = /var/log/bind/security.info

Check jail status

   1 watch -n1 -- fail2ban-client status named-refused-udp
   2 Status for the jail: named-refused-udp
   3 |- Filter
   4 |  |- Currently failed: 4
   5 |  |- Total failed:     25502
   6 |  `- File list:        /var/log/bind/security.info
   7 `- Actions
   8    |- Currently banned: 20
   9    |- Total banned:     1702
  10    `- Banned IP list:   …

Well, it saves bandwidth! I guess, it attenuates a DDOS but is not free of side effects!

Unban

Very specific to one jail

   1 fail2ban-client status <JAIL>
   2 fail2ban-client set <JAIL> unbanip <IP>

or an IP globally

   1 fail2ban-client status
   2 fail2ban-client unban <IP>

or unban all

   1 fail2ban-client unban --all

dnsutils

Must have!

   1 aptitude install dnsutils

Test zone transfer

   1 dig -t AXFR rockstable.it @ns3.rockstable.org

Request short answer from local dns-server listening on non standard port

   1 dig rockstable.it @127.0.0.1 -p5302

DNS

Top-Level Domains (TLDs)

Groups of TLDs

generic TLD (gTLD)

with three or more characters

managed by Internet Corporation for Assigned Names and Numbers (ICANN)

restricted generic TLD (grTLD)

managed under official ICANN accredited registrars

sponsored TLD (sTLD)

are proposed and sponsored by private agencies or organizations that establish and enforce rules restricting the eligibility to use the TLD. Use is based on community theme concepts;

managed under official ICANN accredited registrars.

unsponsored TLD (uTLD)

country-code TLD (ccTLD)

two-letter domains established for countries or territories. With some historical exceptions (e.g. .uk (additionally to .gb), .eu for Europe), the code for any territory is the same as its two-letter ISO 3166 code. Creation and delegation of ccTLDs is described in RFC 1591, corresponding to ISO 3166-1 alpha-2 country codes.

managed by local (IANA) trusted registries

internationalized ccTLD (IDN ccTLD)

ccTLDs in non-Latin character sets (e.g., Arabic, Cyrillic, Hebrew, or Chinese) since November 2009;

Punycode-translated ASCII domain names.

test TLD (tTLD)

These domains were installed under .test for testing purposes in the IDN development process

these domains are not present in the root zone.

infrastructure TLD (iTLD)

managed by IANA

• .root (never actively used)

• .arpa (Address and Routing Parameter Area)

• .root (never actively used)

• .bitnet (decrecated)

• .uucp (decrecated)

Lists

• Official, authoritative list of all Top-Level domains published by Internet Assigned Numbers Authority (IANA)

  Root Zone Database

• Country code top-level domains with commercial licenses

Reserved domains

RFC 6761 reserves the following four top-level domain names to avoid confusion and conflict. Any such reserved usage of those TLDs should not occur in production networks that utilize the global domain name system:

• example: reserved for use in examples
• invalid: reserved for use in obviously invalid domain names
• localhost: reserved to avoid conflict with the traditional use of localhost as a hostname
• test: reserved for use in tests

RFC 6762 reserves the use of .local for link-local host names that can be resolved via the Multicast DNS name resolution protocol.

RFC 7686 reserves the use of .onion for the self-authenticating names of Tor hidden services. These names can only be resolved by a Tor client because of the use of onion routing to protect the anonymity of users.

EDNS Client Subnet (ECS)

• EDNS Client Subnet

• IETF RFC 7871 Client Subnet in DNS Queries

• Google EDNS Client Subnet (ECS) Guidelines

• IETF RFC 6891 Extension Mechanisms for DNS (EDNS(0))

PowerDNS:

• PowerDNS#ECS authoritative

• PowerDNS#ECS recursor

• PowerDNS#ECS dnsdist

Record Types

• Wiki EN List of DNS Record types

Start Of Authority (SOA)

SOA Record - from Wikipedia, the free encyclopedia

A Start of Authority record (abbreviated as SOA record) is a type of resource record in the Domain Name System (DNS) containing administrative information about the zone, especially regarding zone transfers. The SOA record format is specified in RFC 1035.

Background

Normally DNS name servers are set up in clusters. The database within each cluster is synchronized through zone transfers. The SOA record for a zone contains data to control the zone transfer. This is the serial number and different timespans.

It also contains the email address of the responsible person for this zone, as well as the name of the primary master name server. Usually the SOA record is located at the top of the zone. A zone without a SOA record does not conform to the standard required by RFC 1035.

Structure

name

• name of the zone (mostly "@")

IN

• zone class (usually IN for internet)

SOA

• abbreviation for Start of Authority

MNAME

• Primary master name server for this zone UPDATE requests should be forwarded toward the primary master[2] NOTIFY requests propagate outward from the primary master[3]

RNAME

• Email address of the administrator responsible for this zone. (As usual, the email address is encoded as a name. The part of the email address before the @ becomes the first label of the name; the domain name after the @ becomes the rest of the name. In zone-file format, dots in labels are escaped with backslashes; thus the email address john.doe@example.com would be represented in a zone file as john\.doe.example.com.)

SERIAL

• Serial number for this zone. If a secondary name server slaved to this one observes an increase in this number, the slave will assume that the zone has been updated and initiate a zone transfer.

REFRESH

• number of seconds after which secondary name servers should query the master for the SOA record, to detect zone changes. Recommendation for small and stable zones:[4] 86400 seconds (24 hours).

RETRY

• number of seconds after which secondary name servers should retry to request the serial number from the master if the master does not respond. It must be less than Refresh. Recommendation for small and stable zones:[4] 7200 seconds (2 hours).

EXPIRE

• number of seconds after which secondary name servers should stop answering request for this zone if the master does not respond. This value must be bigger than the sum of Refresh and Retry. Recommendation for small and stable zones:[4] 3600000 seconds (1000 hours).

TTL, a.k.a. MINIMUM

• Time To Live for purposes of negative caching. Recommendation for small and stable zones:[4] 172800 seconds (2 days). Originally this field had the meaning of a minimum TTL value for resource records in this zone; it was changed to its current meaning by RFC 2308.[5]

Abstracted SOA layout

• Strongly annotated
• Names are taken from upper definitions.

moinmoin: Use #!highlight clojure

   1 ;ORIGIN IS APPENDED TO ANY NAME-STRING THAT DOES NOT END ON "."
   2 $ORIGIN .               ;GET ORIGIN FROM BIND CONFIG (named.conf.local)
   3 ;$ORIGIN domain.tld.    ;SET ORIGIN
   4 $TTL 86400              ;DEFAULT TTL FOR RESOURCE RECORDS
   5 name    zone_class      SOA     MNAME   RNAME (
   6                                 2018110201      ;Serial         (ISO 8601 basic format followed by a two-digit counter)
   7                                 86400           ;Refresh        (SOA Query Interval in [s])
   8                                 7200            ;Retry          (Query Retry Interval after failed query in [s], Retry < Refresh < Expire)
   9                                 604800          ;Expire         (delay in [s] from contact loss to stop of response)
  10                                 86400           ;Minimum TTL    ([s] actually lifetime for negative caching, SEE: [[https://tools.ietf.org/html/rfc2308|RFC 2308]])
  11 )
  12 ; SOA ALREADY ENDED BUT NS RECORDS ARE OF INTEREST DURING ZONE TRANSFER TO!
  13         IN      NS      MNAME
  14         IN      NS      NS1
  15         IN      NS      NS2.other-domain.tld.

Typical impression of a SOA record in BIND syntax

Cleaned up

   1 $ORIGIN domain.tld.
   2 $TTL 86400
   3 @       IN      SOA     master1 hostmaster.domain.tld. (
   4                                 2018110201      ;Serial
   5                                 86400           ;Refresh
   6                                 7200            ;Retry
   7                                 604800          ;Expire
   8                                 86400           ;Minimum TTL
   9                                 )
  10         IN      NS      master1
  11         IN      NS      ns1
  12         IN      NS      ns2.other-domain.tld.
  13 
  14 master1 IN      A       192.168.0.11
  15 ns1     IN      A       192.168.0.21

Serial number changes

Several methods have been established for updates to the SERIAL field of a zone's SOA record:

• The serial number begins at 1, and is simply incremented at every change.
• The serial number contains the date of the last change (in ISO 8601 basic format) followed by a two-digit counter (e.g. 2017031405 = the fifth change dated March 14, 2017). This method is recommended in RFC 1912.
• The serial number is the time of last modification to the zone's data file expressed as the number of seconds since the UNIX epoch. This method is used by default in the djbdns suite. Although it uses a 32-bit counter, it is not susceptible to the year 2038 problem due to the effect of serial number arithmetic.

HINT: IN VIM TRY CTRL+A or CTRL+Y

NameServer (NS)

The NameServer resource record

• A NS-RR in a public zone must never be a private IP. Some mail servers check this …

  • In that case consider using the private IP in also-notify

• When changing objects in the NICs/Domain Name Registries, always prepare everything in your DNS (NS- or DS-RR). Some NICs like the italian NIC ".it" have very strict policies.
• If the fully qualified domain name of a nameserver is a subdomain of a domain it is authoritative for, a circular dependency exists. To resolve this problem, glue RR of type A/AAAA, which provide the IP4/6 addresses of the nameservers,

  are necessary in the parent domain.
  Wiki EN: DNS Circular dependencies and glue records

DNSsec

DNS Security Extensions (DNSSEC).

The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS.

Some old RFCs all updated in the meantime.

• RFC4033 DNS Security Introduction and Requirements

• RFC4034 Resource Records for the DNS Security Extensions

• Protocol Modifications for the DNS Security Extensions

• Domain Name System Security (DNSSEC) Algorithm Numbers

Resource records:

• public key (DNSKEY),
• delegation signer (DS),
• resource record digital signature (RRSIG),
• authenticated denial of existence (NSEC).

Delegation signer (DS)

Delegation signer

The record used to identify the DNSSEC signing key of a delegated zone.

The following example shows a DNSKEY RR and its corresponding DS RR.

   1 dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
   2                                           fwJr1AYtsmx3TGkJaNXVbfi/
   3                                           2pHm822aJ5iI9BMzNXxeYCmZ
   4                                           DRD99WYwYqUSdjMmmAphXdvx
   5                                           egXd/M5+X7OrzKBaMbCVdFLU
   6                                           Uh6DhweJBjEVv5f2wwjM9Xzc
   7                                           nOf+EPbtG9DMBmADjFDc2w/r
   8                                           ljwvFw==
   9                                           ) ;  key id = 60485
  10 
  11 dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
  12                                            98631FAD1A292118 )

NextSECure (NSEC)

Authenticated denial of existence

• Wiki DE NSEC Resource Record

• https://tools.ietf.org/html/rfc2535

IETF RCF 3845 section-2 The NSEC Resource Record

• The NSEC resource record lists two separate things: the owner name of the next RRset in the canonical ordering of the zone, and the set of RR types present at the NSEC RR's owner name. The complete set of NSEC RRs in a zone indicate which RRsets exist in a zone, and form a chain of owner names in the zone. This information is used to provide authenticated denial of existence for DNS data, as described in RFC 2535 [2].

These records themselfes are authenticated by their own RRSIG-RR.

The following NSEC RR identifies the RRsets associated with alfa.example.com. and identifies the next authoritative name after alfa.example.com.

   1 alfa.example.com. 86400 IN NSEC host.example.com. (
   2                                    A MX RRSIG NSEC TYPE1234 )

So there is no name between alfa.example.com. and host.example.com.

The Next Domain Name Field 'host.example.com' allows to gather information by zone walking. Therefore #NextSECure3 (NSEC3) was indroduced.

Wiki DE Zone Walking

NextSECure3 (NSEC3)

Hashed Authenticated Denial of Existence

• Wiki DE NSEC3 Resource Record

• IETF RFC 5155 DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

You may calculate a NSEC3 hash with nsec3hash

   1 ### Usage: nsec3hash salt algorithm iterations domain
   2 # nsec3hash CA12B74ADB90591A 1 15 example-domain-does-not-exist.de
   3 BRSD1OSC2HU0G6I5CLH99A8VRC9IJE02 (salt=CA12B74ADB90591A, hash=1, iterations=15)
   4 # nsec3hash CA12B74ADB90591A 1 15 de
   5 TJLB7QBOJVMLF1S6GDRIRU7VSMS1LG16 (salt=CA12B74ADB90591A, hash=1, iterations=15)
   6 # nsec3hash CA12B74ADB90591A 1 15 '*.de'
   7 NIHKEQI54QCK38BPFVGGV7RQ5JRRD2VP (salt=CA12B74ADB90591A, hash=1, iterations=15)

Example

   1 dig +dnssec @ns3.rockstable.org example-domain-does-not-exist.de
   2 …
   3 ;; QUESTION SECTION:
   4 ;example-domain-does-not-exist.de. IN   A
   5 
   6 ;; AUTHORITY SECTION:
   7 de.                     6200    IN      SOA     f.nic.de. its.denic.de. 1596536258 7200 7200 3600000 7200
   8 de.                     6200    IN      RRSIG   SOA 8 1 86400 20200818101721 20200804084721 53031 de. ib/6DpoLaoYng35Xx7jcZ6pfW0mDytrJmK3FgorgH0ZMatfBcDsN31lP HgG/CDPXn/KLSCsqA+gwammIkqOHusM2c/TaaeCJQyVDSt6wCWs3j6ox E4sRZYbI+pABqjR3O2YrZDHDrAtvU1UCd5Pw0qI1jxPLju7+Nk+2XX+a JDM=
   9 
  10 ### DOMAIN "example-domain-does-not-exist.de" DOES NOT EXIST
  11 brs96vbp1sahe35lpkt3uoogsq5bnah4.de. 6200 IN RRSIG NSEC3 8 2 7200 20200817031534 20200803014534 53031 de. XY2eZDo3fKyDCsUzK0EnP2Z8qSk5lFNu0SUROkvyNQG4BL5L13qp6JVZ 9DsEaPB6TiouK2f7XL6KauAsEUD0jsBJOYxTSY74wLmBQbGXrd21q0UN rsi4/XXSqD8aP6H6cKVb7mzdcqr8iF27DbUTKYZJQmZu/W3cTavlKLIL RQU=
  12 brs96vbp1sahe35lpkt3uoogsq5bnah4.de. 6200 IN NSEC3 1 1 15 CA12B74ADB90591A BRSDPAF1BH7JFSTL8A9MAKVIEHE8QJMI NS DS RRSIG
  13 
  14 ### WILDCARD "*.de" DOES NOT EXIST
  15 nihitgish70cve28nu73a3segd6r1d4p.de. 6200 IN RRSIG NSEC3 8 2 7200 20200817031534 20200803014534 53031 de. DkwxuXIqGbshC5fOBRUKW1hWkAdWPBQjioSyhPrNbcs325vB26QSIa8R cKImwrtJ3qUAmpCdP8IcO1So6p/KW7YCoORt88a/lj+N3RKF67Val5Ie KgJpq3PKwn8umszbNRYFJPIKkugERE8xWggopE6q9hN9fvh3DIQ4X+Je Rpg=
  16 nihitgish70cve28nu73a3segd6r1d4p.de. 6200 IN NSEC3 1 1 15 CA12B74ADB90591A NIHRI169E5SB3FJMDM1I3LTSNURVSITQ NS DS RRSIG
  17 
  18 ### DOMAIN "de" EXISTS
  19 tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 6200 IN RRSIG NSEC3 8 2 7200 20200817015011 20200803002011 53031 de. ZLyo18DvvCZenk+FKcjiYhnESjoOLx8bacE3DQ0E5MtgFBXEJP3Ayxuf vIRiwCMlEuicS/wntH5Jj7sKvJ7I19Wq+IBvVSS5X+W5fWLlhqOxYXnW Kg2t5khcNwupF4716RVUyirh2brCp2vo78WMm/jXNFtFaLoeM9d0tza8 b2k=
  20 tjlb7qbojvmlf1s6gdriru7vsms1lg16.de. 6200 IN NSEC3 1 1 15 CA12B74ADB90591A TJLD25EJ1NKGCSHQ3OM1J58DHA96ULK7 NS SOA RRSIG DNSKEY NSEC3PARAM

The answer states that a domain, which hash is in between of BRS96VBP1SAHE35LPKT3UOOGSQ5BNAH4 and BRSDPAF1BH7JFSTL8A9MAKVIEHE8QJMI does not exists. The calculated hash (RSASHA1-NSEC3-SHA1) of example-domain-does-not-exist.de is BRSD1OSC2HU0G6I5CLH99A8VRC9IJE02 in between. The domain does therefore not exist. Wrapping domain 'de' exists. There is no wildcard domain matching. See the calculated hashes above.

Note:<<BR>> When NSEC3 records are not generated dynamically, zone walking may still be performed by attacking the hash functions.

NextSECure3 parameters (NSEC3PARAM)

• IETF RFC 5155 The NSEC3PARAM Resource Record

Example for de.

   1 dig -t NSEC3PARAM de.
   2 ;; QUESTION SECTION:
   3 ;de.                            IN      NSEC3PARAM
   4 
   5 ;; ANSWER SECTION:
   6 de.                     0       IN      NSEC3PARAM 1 0 15 CA12B74ADB90591A

DNSKEY

Public key

The following DNSKEY RR stores a DNS zone key for example.com.

   1 example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
   2                                        Cbl+BBZH4b/0PY1kxkmvHjcZc8no
   3                                        kfzj31GajIQKY+5CptLr3buXA10h
   4                                        WqTkF7H6RfoRqXQeogmMHfpftf6z
   5                                        Mv1LyBUgia7za6ZEzOJBOztyvhjL
   6                                        742iU/TpPSEDhm2SNKLijfUppn1U
   7                                        aNvv4w==  )

RRSIG

Resource record digital signature

The following RRSIG RR stores the signature for the A RRset of host.example.com:

   1 host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
   2                                20030220173103 2642 example.com.
   3                                oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
   4                                PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
   5                                B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
   6                                GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
   7                                J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )

Benchmarking

By the usage of benchmarking, i was able to identify a configuration problem with the adblocker in my openwrt-router and speed up DNS requests extremely.

dnsdiag

Install

   1 apt install dnsdiag

dnseval is a bulk ping utility that sends an arbitrary DNS query to a given list of DNS servers. This script is meant for comparing response time of multiple DNS servers at once.

Create a server.list or configured OS resolver will be used

   1 ns3.rockstable.org.
   2 ns4.rockstable.org.
   3 192.168.182.1
   4 8.8.8.8

dnseval

   1 % dnseval -C -f server.list rockstable.it
   2 server                  avg(ms)     min(ms)     max(ms)     stddev(ms)  lost(%)  ttl        flags
   3 ----------------------------------------------------------------------------------------------------------------
   4 ns3.rockstable.org.     27.204      17.369      46.375      11.029      %0       86400      QR AA -- RD RA -- --
   5 ns4.rockstable.org.     23.405      17.237      41.271      7.602       %0       86400      QR AA -- RD RA -- --
   6 192.168.182.1           135.950     106.881     216.447     36.557      %0       86400      QR AA -- RD RA -- --
   7 8.8.8.8                 33.768      24.764      67.073      14.191      %0       21585      QR -- -- RD RA -- --

dnsping pings a DNS resolver by sending an arbitrary DNS query for given number of times. It calculates minimum, maximum and average response time as well as jitter (stddev).

dnsping

   1 # dnsping rockstable.it 
   2 dnsping DNS: 192.168.182.1:53, hostname: rockstable.it, rdatatype: A
   3 40 bytes from 192.168.182.1: seq=1   time=109.288 ms
   4 40 bytes from 192.168.182.1: seq=2   time=140.449 ms
   5 40 bytes from 192.168.182.1: seq=3   time=107.434 ms
   6 40 bytes from 192.168.182.1: seq=4   time=107.955 ms
   7 40 bytes from 192.168.182.1: seq=5   time=107.957 ms
   8 ^C
   9 --- 192.168.182.1 dnsping statistics ---
  10 5 requests transmitted, 5 responses received, 0% lost
  11 min=107.434 ms, avg=114.617 ms, max=140.449 ms, stddev=14.457 ms
  12 # dnsping -s 8.8.8.8 rockstable.it
  13 dnsping DNS: 8.8.8.8:53, hostname: rockstable.it, rdatatype: A
  14 40 bytes from 8.8.8.8: seq=1   time=28.992 ms
  15 40 bytes from 8.8.8.8: seq=2   time=30.218 ms
  16 40 bytes from 8.8.8.8: seq=3   time=26.093 ms
  17 40 bytes from 8.8.8.8: seq=4   time=26.565 ms
  18 40 bytes from 8.8.8.8: seq=5   time=23.357 ms
  19 ^C
  20 --- 8.8.8.8 dnsping statistics ---
  21 5 requests transmitted, 5 responses received, 0% lost
  22 min=23.357 ms, avg=27.045 ms, max=30.218 ms, stddev=2.674 ms

Ohh, my router in the local network seams to be quite slow…

dnstraceroute is a traceroute utility to figure out the path that a DNS request is passing through to get to its destination. Comparing it to a network traceroute can help identify if DNS traffic is routed via any unwanted path.

Trace the path a DNS-request travels along. dnstraceroute

   1 # sudo dnstraceroute -Cea -s ns4.rockstable.org rockstable.it
   2 dnstraceroute DNS: 78.47.38.48:53, hostname: rockstable.it, rdatatype: A
   3 1       quasar.domain.tld (192.168.182.1) 1.812 ms
   4 2       ipADDRESS.dynamic.kabel-deutschland.de (IP.ADD.RE.SS) [AS3209 VODANET International IP-Backbone of Vodafone, DE] 13.736 ms
   5 3       83-169-181-254-isp.superkabel.de (83.169.181.254) [AS3209 VODANET International IP-Backbone of Vodafone, DE] 13.670 ms
   6 4       ip5886c0f1.static.kabel-deutschland.de (88.134.192.241) [AS3209 VODANET International IP-Backbone of Vodafone, DE] 16.776 ms
   7 5       145.254.3.68 (145.254.3.68) [AS3209 VODANET International IP-Backbone of Vodafone, DE] 9.191 ms
   8 6       145.254.2.179 (145.254.2.179) [AS3209 VODANET International IP-Backbone of Vodafone, DE] 17.176 ms
   9 7       145.254.2.179 (145.254.2.179) [AS3209 VODANET International IP-Backbone of Vodafone, DE] 17.767 ms
  10 8       decix2-gw.hetzner.com (80.81.193.164) 16.208 ms
  11 9       core24.fsn1.hetzner.com (213.239.203.150) [AS24940 HETZNER-AS, DE] 38.136 ms
  12 10      spine1.cloud2.fsn1.hetzner.com (213.239.239.126) [AS24940 HETZNER-AS, DE] 25.434 ms
  13 11       *
  14 12      12420.your-cloud.host (136.243.183.34) [AS24940 HETZNER-AS, DE] 19.371 ms
  15 13       *
  16 14      ns4.rockstable.org (78.47.38.48) [AS24940 HETZNER-AS, DE] 22.618 ms

namebench

namebench - open-source DNS benchmark utility

https://github.com/google/namebench

namebench searches the fastest DNS servers available for your computer to use. namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized dataset in order to provide an individualized recommendation.

Install

   1 apt install namebench

Defaults are in
/etc/namebench/namebench.cfg

   1 # NOTE: Most settings can be overriden on the command line
   2 # with the appropriate --option to namebench.py
   3 
   4 [general]
   5 
   6 # Number of tests to run
   7 query_count=250
   8 
   9 # number of runs
  10 run_count=1
  11 
  12 # Selection algorithm to pick tests with (automatic, weighted, random, chunk)
  13 select_mode=automatic
  14 
  15 # If you are on a shared shell-server, you may want to set this to 8.
  16 # If you are on Windows, we limit you to no more than 60 automatically.
  17 # If you are on other platforms, we limit you to no more than 90 automatically.
  18 health_thread_count=40
  19 
  20 # How many threads to use for the benchmark. nb 1.1 defaulted to 1 thread.
  21 benchmark_thread_count=2
  22 
  23 # How long should we wait for general queries to complete (seconds)
  24 timeout=3.5
  25 
  26 # How long to wait for an initial nameserver ping (seconds)
  27 ping_timeout=0.5
  28 
  29 # How long should we wait for secondary health checks to complete (seconds)
  30 health_timeout=3.75
  31 
  32 # How many servers should we include in our benchmark test
  33 num_servers=11
  34 
  35 # Results sharing. Must be enabled by using -u or from the GUI.
  36 site_url=http://namebench.appspot.com/
  37 upload_results=0
  38 hide_results=0
  39 
  40 # Always include at least one of each anycast service in the benchmarks.
  41 [global]
  42 8.8.8.8=Google Public DNS
  43 8.8.4.4=Google Public DNS-2
  44 156.154.70.1=UltraDNS
  45 156.154.71.1=UltraDNS-2
  46 208.67.220.220=OpenDNS
  47 208.67.222.222=OpenDNS-2
  48 216.146.35.35=DynGuide
  49 216.146.36.36=DynGuide-2
  50 2001_470_20__2=Hurricane Electric IPv6
  51 
  52 [regional]
  53 # LINES OMITTED
  54 
  55 # These are unlikely to work for most people, but are useful enough to keep
  56 [private]

Namebench only extracts IP-Adresses as nameservers, don't provide domain-names.

namebench with gui

   1 namebench --num_servers=11 --query_count=25 --open_webbrowser \
   2         --output=namebench_$(date +%F).html --template=html \
   3         --only 192.168.182.1 195.201.246.253 78.47.38.48

namebench without gui

   1 namebench --num_servers=11 --query_count=25 --no_gui \
   2         --output=namebench_$(date +%F).html --template=html \
   3         --only 192.168.182.1 195.201.246.253 78.47.38.48

Domain transfers

Other names:

• Konnektivitäts-Koordination (KK)
• change provider (CHPROV)

Authinfo

• https://en.wikipedia.org/wiki/Domain_name_registrar#Domain_name_transfer

• https://de.wikipedia.org/wiki/AuthInfo

• https://www.denic.de/domains/de-domains/providerwechsel/

• Providerwechsel – Erzeugen und Hinterlegen einer AuthInfo

Transfering a domain from one provider to another.

1. Make sure you have access to both domain management systems (source and destination).