Lesser known DNS tools and BIND tricks
dnsworkshop.org, August 2012
About me
  6502: Basic, Forth, Assembler
  8086: MS-DOS, Pascal, C, Assembler
  Power CPU / AS/400: CL, RPG, SNA
  386: OS/2, Rexx, Modula, Oberon, Java, NetBIOS
  Unix: Solaris, Linux, OpenBSD, FreeBSD, TCP/IP
  Network: DNS, DHCP, IPv6, DNSSEC
  Work: Men & Mice, ISC, LinuxHotel
DNS lookup
quick DNS lookup
  DNS lookup tool with easy-to-parse output:
    dnsget guug.de
  or
    dig guug.de +short

pretty print DNS
  pretty print DNS results:
    dig soa dnsworkshop.org +multiline

checking SOA records
  look up the SOA record from all authoritative DNS servers of a zone:
    dig dnsworkshop.org +nssearch
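The +nssearch output above is only useful if somebody compares the serials. The following shell snippet is an added example, not part of the original slides: it reads `dig +nssearch` output (the sample below is constructed) and reports every authoritative server whose SOA serial lags behind the highest serial seen, which is the usual sign of a broken zone transfer or a stale secondary.

```shell
#!/bin/sh
# Added example (not from the slides): flag authoritative servers whose SOA
# serial lags behind the others, using the line format printed by
# `dig <zone> +nssearch`. The sample output below is constructed.
NSSEARCH_SAMPLE='SOA ns1.example.org. hostmaster.example.org. 2012081501 7200 3600 1209600 3600 from server 192.0.2.1 in 12 ms.
SOA ns1.example.org. hostmaster.example.org. 2012081501 7200 3600 1209600 3600 from server 192.0.2.2 in 15 ms.
SOA ns1.example.org. hostmaster.example.org. 2012081401 7200 3600 1209600 3600 from server 198.51.100.7 in 40 ms.'

# soa_laggards <nssearch output>
# Prints "<server> <serial>" for each server whose serial differs from the
# highest serial reported; prints nothing when all servers agree.
soa_laggards() {
    printf '%s\n' "$1" | awk '
        $1 == "SOA" {
            serial = $4 + 0                      # field 4 is the SOA serial
            for (i = 1; i <= NF; i++)            # the server follows "server"
                if ($i == "server") srv = $(i + 1)
            serials[srv] = serial
            if (serial > max) max = serial
        }
        END {
            for (s in serials)
                if (serials[s] != max) print s, serials[s]
        }'
}

# soa_in_sync <nssearch output>
# Exit status 0 when every authoritative server reports the same serial.
soa_in_sync() {
    [ -z "$(soa_laggards "$1")" ]
}

# Typical use on a live zone:  soa_laggards "$(dig example.org +nssearch)"
if ! soa_in_sync "$NSSEARCH_SAMPLE"; then
    echo "servers with a lagging serial:"
    soa_laggards "$NSSEARCH_SAMPLE"
fi
```

Serials are compared as plain integers here; zones that rely on RFC 1982 serial wrap-around would need the modular comparison instead.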
map DNS names in a zone
  brute-force map all DNS names in a zone:
    dnsmap guug.de

bulk resolve names
  asynchronous DNS to resolve names (or IP addresses to names) in logfiles:
    cat queryfile-example-1million | head | adnshost -af

DNS resolve filter
  resolve IP addresses to names in a filter:
    lsof -i -n | adnsresfilter

browse multicast DNS
  Bonjour / Rendezvous / Avahi DNS service discovery browser:
    avahi-browse
  or
    mdns-scan

mailserver for a domain
  quickly find the mailserver for a domain:
    ldns-mx isc.org

a terse display of a zone
  print a parseable tree view of a DNS zone:
    dns_tree gnu.org

graphical DNS and DNSSEC lookup tool
monitoring

find version of server
  print the version information reported by a DNS server:
    ldns-chaos f.root-servers.net

fingerprint DNS servers
  find server software and versions by fingerprinting DNS responses:
    fpdns -Df google.com

measure DNS latency
  measure the DNS response time:
    echoping -n 20 -m dns 8.8.8.8 dnsworkshop.org

monitor DNS queries
  monitor all DNS queries seen by the local machine:
    sudo dnstop -l 3 eth0

monitor or capture DNS queries
  dnscap is a traffic capturing tool for DNS:
    sudo dnscap -g

visualize DNS traffic flow
  # sudo tcpdump -i eth0 -w dnsdump.pcap port 53
  # dnspktflow dnsdump.pcap
  # eog out.png
troubleshooting

trace the delegation tree
    dig dnsworkshop.org +trace
  or
    dnstracer -s . www.dnsworkshop.org

check a domain for issues
  download a zonefile and check it for issues:
    dnswalk gnu.org.

check your zone for errors
  the zonecheck tool (on the Internet or installed locally)

visualize a DNS zone
  # dig @ns2.gnu.org. axfr gnu.org +onesoa > gnu.org.zone
  # mapper gnu.org.zone gnu.org
  # eog map.png
DNSSEC

check resolver for DNSSEC compliance

SSH fingerprint resource records
  generate SSHFP records from your known_hosts file:
    sshfp

walk an NSEC-signed zone
  traverse all domain names in a zone that is NSEC signed:
    ldns-walk paypal.com
  or
    walker paypal.com

trace the 'chain of trust'
  tracing the chain of trust up to the root trust anchor:
  # drill dnskey . | grep 257 > root.key
  # drill -SD -k root.key www.ripe.net

peek into a validating resolver
  unbound-host lets you view every step of DNSSEC validation:
    unbound-host -C /etc/unbound/unbound.conf -dvv www.isc.org

sanity check a DNSSEC signed zone
  check a DNSSEC signed zone for issues:
    donuts -r "/usr/share/dnssec-tools/donuts/rules/*.txt" \
        dnsworkshop.org.zonefile dnsworkshop.org
  or
    ldns-verify-zone dnsworkshop.org.zonefile
BIND

statistics channel over HTTP
  acl myadmins { 192.0.2.100; 192.0.2.101; };
  statistics-channels {
      inet * port 8053 allow { myadmins; };
  };

check config + zonefiles before reload
  verify named.conf (and all zonefiles loaded) for syntax errors:
    named-checkconf -z

pretty print a configuration file
  if you see a messed-up BIND config, pretty print it:
    named-checkconf -p > named.conf

pretty print the canonical form of a zone
  some errors are hiding in shortcuts:
    named-checkzone -D problemdomain.com problemdomain.com.zone

tune the concurrent client setting
  adjust recursive-clients to a real-world value on a busy caching DNS server:
  options {
      [...]
      recursive-clients 2000;
      tcp-clients 200;
  };

limit the size of the cache
  a BIND caching DNS server gets slower with a large cache (> 2GB):
  options {
      [...]
      max-cache-size 2147483648; // 2GB max cache
  };

compile zones to binary format for fast startup
  compile a text version of a zone to "raw" binary format:
  # named-compilezone -F raw -o gnu.org.raw gnu.org gnu.org.zone
  zone gnu.org/IN: loaded serial 2011071556
  dump zone to gnu.org.raw...done
  OK
  and in named.conf:
  zone "example.com" {
      type master;
      file "example.com.raw";
      masterfile-format raw;
  };

convert from RAW zone format to text format
  BIND 9.9.x+ creates RAW files by default (for slave and stub zones):
    named-compilezone -f raw -o slave.example.org.text \
        slave.example.org slave.example.org
  this command turns them into RFC 1035 text format

print the content of a journal file
  BIND collects changes for dynamic zones in a binary journal file:
    named-journalprint dynamic.signed.dnslab.org.jnl

simple dynamic zone setup (BIND 9.7.2+)
  enable dynamic updates:
  zone "example.com" {
      type master;
      file "example.com.zone";
      update-policy local;
  };
  and use "nsupdate" to make changes to the zone (from the DNS server machine):
  # nsupdate -l
  > update add www.example.com. 3600 IN A 192.0.2.80
  > update delete old.example.com. A
  > send
FUN

Bert's Secure Reverse Polish DNS Calculator (BSRPDNSC)
  Try Bert's Secure Reverse Polish DNS Calculator (BSRPDNSC). This is nice
  because you don't need your HP48 or Forth to do serious RPN calculations:
  # dig "9.dup.*.rp.secret-wg.org" TXT

Wikipedia over DNS
  no web browser to look up things in Wikipedia? Use DNS:
  # dig txt guug.wp.dg.cx

Query the latest Twitter news over DNS
  who needs a Twitter client?
    dig guug.twitter.any.io txt +short

Thank you
  carsten@strotmann.de
  Links to the tools and web pages mentioned in this talk can be found on dnsworkshop.org