1/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Lesser known DNS tools and
BIND tricks
dnsworkshop.org
August 2012
2/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
3/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
6502
Basic
Forth
Assembler
4/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
8086
MSDOS
Pascal
C
Assembler
5/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Power CPU
AS/400
CL
RPG
SNA
6/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
386
OS/2
Rexx
Modula
Oberon
Java
NetBIOS
7/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Unix
Solaris
Linux
OpenBSD
FreeBSD
TCP/IP
8/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Network
DNS
DHCP
IPv6
DNSSEC
9/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Work
Men & Mice
ISC
LinuxHotel
10/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
11/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
quick DNS lookup
DNS lookup tool, easy to parse output
dnsget guug.de
or
dig guug.de +short
12/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
pretty print DNS
pretty print dns results
13/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
checking SOA records
lookup SOA record from all authoritative DNS servers of a zone
14/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
map DNS names in a zone
brute force map all DNS names in a zone
15/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
bulk resolve names
asynchronous DNS to resolve names (or IP addresses to names) in log
files
cat queryfileexample1million | head | adnshost af
16/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
DNS resolve filter
resolve IP addresses to names in a filter
17/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
browse multicast DNS
Bonjour / Rendezvous / Avahi DNS service discovery browser
avahibrowse
or
mdnsscan
18/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
mailserver for a domain
quick find the mailserver for a domain
19/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
a terse display of a zone
print a parseable tree view of a DNS zone
20/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
graphical DNS and DNSSEC
lookup tool
21/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
22/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
find version of server
print the version information reported by a DNS server
23/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
fingerprint DNS servers
find server software and versions by fingerprinting DNS responses
24/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
measure DNS latency
measure the DNS response time
25/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
monitor DNS queries
monitor all DNS queries seen by the local machine
26/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
monitor or capture DNS queries
dnscap is a traffic capturing tool for DNS
27/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
visualize DNS traffic flow
# sudo tcpdump i eth0 w dnsdump.pcap port 53
# dnspktflow dnsdump.pcap
# eog out.png
28/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
29/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
trace the delegation tree
dig dnsworkshop.org +trace
or
dnstracer s . www.dnsworkshop.org
30/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
check a domain for issues
download a zonefile and checks for issues
31/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
check your zone for errors
32/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
visualize a DNS zone
# dig @ns2.gnu.org. axfr gnu.org +onesoa > gnu.orgzone
# mapper gnu.orgzone gnu.org
# eog map.png
33/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
34/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
check resolver for DNSSEC
compliance
35/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
SSH fingerprint resource records
generate sshfp records from your knownhosts file
36/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Walk a NSEC signed zone
traverse all domain names in a zone that is NSEC signed
ldnswalk paypal.com
or
walker paypal.com
37/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
trace the 'chainoftrust'
tracing the chain of trust to the root trust anchor
# drill dnskey . | grep 257 > root.key
# drill SD k root.key www.ripe.net
38/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
peek into a validating resolver
unboundhost lets you view every step of DNSSEC validation
39/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
sanity check a DNSSEC signed
zone
check a DNSSEC signed zone for issues
donuts r "/usr/share/dnssectools/donuts/rules/*.txt" \
dnsworkshop.orgzonefile dnsworkshop.org
or
ldnsverify dnsworkshop.orgzonefile
40/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
41/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
statistics channel over http
acl myadmins { 192.0.2.100; 192.0.2.101; };
statisticschannels {
inet * port 8053 allow { myadmins; };
};
42/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
check config + zonefiles before
reload
verify named.conf (and all zonefiles loaded) for syntax errors
namedcheckconf z
43/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
pretty print a configuration file
if you see a messedup BIND config, pretty print it
44/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
pretty print the canonical form of
a zone
some errors are hiding in shortcuts
namedcheckzone D problemdomain.com problemdomain.comzone
45/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
tune the concurrent client setting
adjust recursive clients to real world value on a busy caching DNS
server
options {
[...]
recursiveclients 2000;
tcpclients 200;
};
46/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
limit the size of the cache
a BIND caching DNS server gets slower with a large cache (> 2GB)
options {
[...]
maxcachesize 2147483648; // 2GB max cache
};
47/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
compile zones to binary format
for fast startup
compile a textversion of a zone to "raw" binary format
# namedcompilezone F raw o gnu.orgraw gnu.org gnu.orgzone
zone gnu.org/IN: loaded serial 2011071556
dump zone to gnu.orgraw...done
OK
and in named.conf
zone "example.com" {
type master;
file "example.com.raw";
masterfileformat raw;
};
48/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
convert from RAW zone format
to text format
BIND 9.9.x+ creates RAW files by default (for slave and stubzones)
namedcompilezone f raw o slave.example.orgtext \
slave.example.org slave.example.org
this command turns them into RFC 1035 text format
49/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
print the content of a journal file
BIND collects changes for dynamic zones in a binary journal file
50/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
simple dynamic zone setup
(BIND 9.7.2+)
enable dynamic updates
zone "example.com" {
type master;
file "example.comzone";
updatepolicy local;
};
and use "nsupdate" to make changes to the zone (from the DNS server
machine)
# nsupdate l
> update add www.example.com. 3600 IN A 192.0.2.80
> update delete old.example.com. A
> send
51/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
52/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Bert's Secure Reverse Polish
DNS Calculator (BSRPDNSC)
Try Bert's Secure Reverse Polish DNS Calculator (BSRPDNSC). This
is nice because you don't need your HP48 or Forth to do serious RPN
calculations:
# dig "9.dup.*.rp.secretwg.org" TXT
53/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Wikipedia over DNS
no web browser to lookup things in Wikipedia? Use DNS
54/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Query the lastest twitter news
over DNS
who needs a twitter client?
dig guug.twitter.any.io txt +short
55/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
Thank you
[email protected]
Links to the tools and webpages mentioned
in this talk can be found on dnsworkshop.org
56/56 file:///home/cas/talk/bind-tricks/html/dns-tricks.html
