Presentation is loading. Please wait.

Presentation is loading. Please wait.

So You Inherited a DNS Server…

Published byFay Rice Modified over 6 years ago

Similar presentations

Presentation on theme: "So You Inherited a DNS Server…"— Presentation transcript:

1 So You Inherited a DNS Server…
DNS Best Practices from Day One

2 How did the DNS find you? Because I knew *nix No one else would
It just sort of happened… voluntold

3 The Question What would you do if dropped into an existing organization to run their DNS?

4 First action, Recon! Actually, first action is freak out!
2nd action is caffeine, then deep breath and recon: Any network or infrastructure diagrams available?

5 diagrams

6 Pick a nameserver, login!
Running a current version of dns software? OS? How is dns service started on this box? Does this match the version currently running? Is there a nanny script in use?

7 named -V % named -V BIND P2 built with '--prefix=/usr' '-- infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable- threads' '--enable-getifaddrs' '--disable-linux-caps' '--with- openssl=/usr' '--with-randomdev=/dev/random' '--without- idn' '--without-libxml2' using OpenSSL version: OpenSSL 0.9.8zd-freebsd 8 Jan 2015

8 On to configuration Do the global options make sense?
Basic security check: TSIG secured zone transfers? allow-transfer? allow-query (is this an open resolver?)

9 Global options options {
 directory "/etc/namedb/";
 dnssec-enable yes;
 dnssec- validation yes;
 allow-recursion { none; };
 allow-query { any; };
 allow-transfer { none; };
 notify no;
 key-directory "/etc/namedb/keys";
 max-journal-size 32k;
 zone-statistics yes;
 listen-on { ; };
 listen-on-v6 { 2001:db8:100::251; };
 notify-source ;
 notify-source-v6 2001:db8:100::251;
};

10 zone stanzas zone "example.com" IN {
 file "example.com-zone";
 type slave;
 masters { ; ; };
 notify no;
};

11 logging Is the logging stanza sane and actually occurring?
Check the config as well as the actual logs. Have a look at the system logs

12 logging stanza logging {
 channel query_log {
 file "logs/query.log" versions 5 size 1M;
 severity info;
 print-time yes;
 };
 category queries { query_log; };
};

13 checkconf is your friend
$ named-checkconf –z zone ./IN: loaded serial 121 (DNSSEC signed) zone test.dnslab.org/IN: loaded serial 50 (DNSSEC signed)

14 rndc Is rndc configured? If not, ‘rndc-confgen –a’ rndc status
rndc notify zone rndc retransfer zone

15 Recon Repeat Repeat the prior Recon for all known nameservers!
If diagrams were available, check to see if configs match stated functionality.

16 Some fun things you ought to know…

17 DNS personality disorders
Clients are often happy even when servers aren’t configured well. A bit passive-aggressive… things are acceptable until they’re not. OCD, clients and resolvers are content to retry and retry and retry...

18

19 RFCs

20

21 Back to your new predicament…

22 Authoritative specific
Use external tools to check service: DNSViz dnscheck.iis.se ednscomp.isc.org (firewall check)

23 Recursive specific Perform queries against these servers via dig
Are they answering appropriately? Are they refusing appropriately?

24 Actions for Day 2 and beyond
Meet with the following teams: Provisioning: how fast for new servers? Operations: how’s life? Security: about those firewalls… Monitoring: alerting on?, peak traffic? Architecture: future plans? Management: support?

25 Interconnectedness Join some lists:
Get your boss to send you to DNS-OARC meeting(s) Join some lists: dns-operations (DNS OARC) nanog etc

26 Questions ?

27 www.isc.org info@isc.org
Thank You!

Download ppt "So You Inherited a DNS Server…"

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Zone transfer and dns-express

Zone transfer and dns-express
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
BIND-8 to BIND-9 Migration A short tutorial APNIC Meeting, Brisbane, October 2000 Mathias Körber Nominum, Inc. © Copyright.

BIND-8 to BIND-9 Migration A short tutorial APNIC Meeting, Brisbane, October 2000 Mathias Körber Nominum, Inc. © Copyright.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
The Domain Name System Unix System Administration Download PowerPoint Presentation.

The Domain Name System Unix System Administration Download PowerPoint Presentation.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April 18 2012.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April
Module 3 DNS Types.

Module 3 DNS Types.
Advanced Module 3 Stealth Configurations.

Advanced Module 3 Stealth Configurations.
Configuring DNS.

Configuring DNS.
Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.

Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Module 5 BIND Configuration. named.conf – controls operational features Located - Linux: /etc/named.conf /etc/bind/named.conf Located- BSD: /usr/local/etc/named.conf.

Module 5 BIND Configuration. named.conf – controls operational features Located - Linux: /etc/named.conf /etc/bind/named.conf Located- BSD: /usr/local/etc/named.conf.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.

Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.

Similar presentations

Ads by Google