January 2026
M	T	W	T	F	S	S
	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Archive for the ‘DNS’ Category

DNS, glue records and TTL

Posted by jpluimers on 2017/12/06

If I ever need to read why, here are the explanatory links:

[WayBack] domain name system – When does the TLD having glue records for the nameservers save DNS lookups? – Server Fault
[WayBack] dns hosting – Is there any way to tell the TTL on root name server DNS records? – Server Fault

TL;DR:

You need glue records for your domains if the nameserver is in the same TLD as your domain is (more explanation in the above links).
Your domain registrar allows you to change both your DNS servers and the glue at the TLD servers.
Glue records have a TTL at the TLD of 48 hours so changing them takes some waiting.
This is how you query the glue records so you can verify what’s setup at your DNS servers matches the ones at the TLD servers (in the below examples, replace google.com by your domain name).
- Use leafdns: http://leafdns.com/index.cgi?name=google.com
- Use dig:

dig +trace +additional google.com

Notes:

+trace will turn off recursive queries, which is good.
I’ve used google.com because it has nameservers in the .com TLD (example.org has nameservers in the .net TLD: http://leafdns.com/index.cgi?name=example.org)

At the time of writing the dig output is this:

Read the rest of this entry »

Posted in DNS, Internet, Power User | Leave a Comment »

DNS Knowledge DNS Tutorial, News and Tools: How to setup Quad9 DNS on a Linux

Posted by jpluimers on 2017/11/24

Reminder to self so I try this out: [Archive.is] DNS Knowledge DNS Tutorial, News and Tools: How to setup Quad9 DNS on a Linux

Quad9 is a free security solution that uses DNS to protect your systems against the most common cyber threats and you can setup it on Linux.

Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system’s performance, plus, it preserves and protects your privacy. It’s like an immunization for your computer.

Via: [WayBack] Remember 8.8.8.8 (Google DNS)? Now we have 9.9.9.9 from IBM/Quad9 that brings together cyber threat intelligence about malicious domains…. – nixCraft – Google+

Remember 8.8.8.8 (Google DNS)? Now we have 9.9.9.9 from IBM/Quad9 that brings together cyber threat intelligence about malicious domains. It can block malware and other bad domains. https://www.dnsknowledge.com/tutorials/how-to-setup-quad9-dns-on-a-linux/ and https://quad9.net/#/ What do you think? Do you use Google DNS or OpenDNS or ISP DNS or newer Quad9 DNS?

–jeroen

Posted in *nix, DNS, Internet, Power User, Security | Leave a Comment »

DNS BIND9 acl clause – they can be nested

Posted by jpluimers on 2017/11/16

One of the use cases of DNS acl I needed involved having some data to be duplicated across acl.

So I was looking at some way to de-duplicate and found out the term for that is nesting which the bind acl allow.

[WayBack] DNS BIND9 acl clause and [WayBack] BIND9 named.conf Definition of Address List Match have examples but don’t really refer to any standard.
[WayBack] Chapter 7. BIND 9 Security Considerations – Access Control Lists explains it towards the end: right before [WayBack] Chapter 7. BIND 9 Security Considerations – Chroot and Setuid starts.

–jeroen

Posted in DNS, Internet, Power User | Leave a Comment »

Google DNS, Open DNS or your ISP DNS servers?

Posted by jpluimers on 2017/05/26

There are various arguments for using Google DNS (8.8.8.8 or 8.8.4.4) or Open DNS servers or not. A few are listed here:

It basically comes down to two things:

DNS speed
CDN speed (Contend Delivery Network providers like CloudFlare, Akamai, etc)

If your DNS server isn’t close to you, it might select a CDN server that is far from you. If you rely on CDN, then you need to weight in that factor.

This is how I decide:

devices not needing CDN: use Google DNS or Open DNS
devices needing CDN: use Namebench to pick fast DNS servers that are nearby based on Namebench reports with “Recommended configuration (fastest + nearest)”

–jeroen

Posted in Akamai, CDN (Content Delivery Network), Cloud, Cloudflare, DNS, Google, Infrastructure, Internet, Power User | Leave a Comment »

Some links for MikroTik tips and scripts

Posted by jpluimers on 2017/04/25

MikroTik has great hardware, but getting things to work can be a bit ehm intimidating.

So here are some links that were useful getting my CCR1009 and CRS226 configurations to do what I wanted.

Saving your configuration (two possibilities: binary backup file which only works on the same physical model device, or text based configuration export script that you can import back to any model).
- When you import a configuration, those settings are added to your current configuration.
- If your configuration gets more complex, it pays to split the textual exports into logical blocks so you can import each of them individually.
- You can even put the downloaded exports into a version control system like Git or SVN.
- The exported configurations are stored in the file system. You cannot manually rename these files, but there is a scripting trick to perform the rename.
- You can download the exported configurations from the UIs in webfig, winbox or through sftp after configuring certificate logon.
Choosing ports for WAN and LAN
- On the CCR1009, the first 4 ports can be used for switching (see also other ref), so it makes sense using those for LAN and others for WAN as it can increase speed: CCR 1009 switch chip menu – MikroTik RouterOS
  - Just look at the block diagrams of the various CCR1009-8G-1S models (currently CCR1009-8G-1S-PC, CCR1009-8G-1S-1S+, CCR1009-8G-1S-1S+PC) as they all have the first four ports connected to an Atheros 8327 Gigabit Switch chip.
  - All ports of the CRS226 models (CRS226-24G-2S+RM and CRS226-24G-2S+IN) are connected through the combined QCA8519-AC2C switching and CPU chip).
  - Note that the switching chips won’t allow for Torch. But you can find the MAC addresses per physical switch ports in the unicast FDBs: Switch -> Unicast FDB shows you every mac and the physical port it is connected to.
Never ever use the domain named .local for your local domain if you have Apple devices in your network:
- .local is a reserved dns domain by the apple os and should not be used if you expect apple devices to work as expected.
Many people like Winbox because they prefer visual configuration. Others like the web or terminal interface better (the terminal is especially useful for scripts)
- Windows Winbox: MikroTik Routers and Wireless: Downloads
- Mac OS X Winbox: “Winbox” by MikroTik with Wine in order to make it usable on Mac – Joshaven.com
Manual:First time startup – MikroTik Wiki (default password for admin is empty; WinBox and web-interface are available on WAN *and* LAN interfaces!)
- Mikrotik Howto block Winbox Discovery + Limit Winbox Access | Syed Jahanzaib Personal Blog to Share Knowledge !
One of the first things I did was binding some ports to use LAN and others to use WAN. The LAN ports are in a bridge: Configure one port for WAN and others for LAN – MikroTik RouterOS
Manual:IP/DHCP Server – MikroTik Wiki and Manual:IP/Pools – MikroTik Wiki
- I had a lot of DHCP entries on my LAN before switching to the MikroTik for which some I wanted to add statically. Couldn’t find out how to do that in the IP pool, but it appeared there is a different way to do it:
  - Assign fixed / static IP address via Mikrotik DHCP server
  - Notes:
    1. the MAC address cab be either (:) separated or minus (-) separated. And yes: there is a RegEx for that.
    2. usually you don’t pass the client-id (it’s here just as an example that you could use it, but most DHCP clients do NOT use a client-ID, as they only use the MAC address)
  - /ip dhcp-server lease add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
Manual:IP/DNS – MikroTik Wiki
- If you use the MikroTik as a caching DNS server, then you need to enable “/ip dns set allow-remote-requests=yes”, but also immediately disable DNS TCP and UDP on all your WAN ports. See:
  - Client DNS issue (reddit)
  - Firewall filter rules for DNS – MikroTik RouterOS
  - /ip firewall filter add chain=input protocol=tcp dst-port=53 action=drop in-interface=!bridge_lan add chain=input protocol=udp dst-port=53 action=drop in-interface=!bridge_lan
  - If you run your internal DNS servers for the outside world, modify the rules to forward non non-LAN ports; see https://www.youtube.com/watch?v=X-wkLYKYaj8: How to redirect DNS to own DNS server using mikrotik routerboard
  - You can add statis DNS entries to your caching server; see https://www.youtube.com/watch?v=zDEx7TxCm1s: Mikrotik Training- Static DNS Entries (With Closed Captioning)
nslookup on the Mikrotik itself is called put[: resolv ...] syntax: nslookup on Mikrotik – MikroTik RouterOS
- Examples (first uses the internal DNS, second one one of the Google DNS servers):
  - put [:resolve shell.xs4all.nl]
  - put [:resolve shell.xs4all.nl 8.8.8.8]
  - put [:resolve 194.109.21.9]
tolaris.com · Synchronising DHCP and DNS on Mikrotik routers (script available on Github: Tolaris/mikrotik-dns-dhcp).
- via MikroTik – Automatically creating DNS record for each DHCP lease/client – GeekTank
- alternatives:
  - Mikrotik DHCP to DNS hostnames | BLOG.MESOUUG.COM
  - Setting static DNS record for each DHCP lease – MikroTik Wiki
Hardening (since my Guest WiFi is outside of the Mikrotik LAN and WAN realm, I’ve left some things open, for instance MAC service is available, but on a limit set of interfaces):
- Router Hardening — Manito Networks
- Not sure if disabling Neighbour discovery is a good thing, as it will disable this from the console as well
  /ip neighbor print;
  - Mikrotik Howto block Winbox Discovery + Limit Winbox Access | Syed Jahanzaib Personal Blog to Share Knowledge !
- Blacklist Filter update script – MikroTik RouterOS
  - As the above is much better maintained it is preferred over Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Availalable GRATIS! – MikroTik RouterOS
Manual:Upgrading RouterOS – MikroTik Wiki
- http://web.archive.org/web/*/http://www.mikrotik.com/download/CHANGELOG_6
Manual:IP/Route – MikroTik Wiki (if you think routing is a massive topic, read about firewall rules).
Not sure this is a good idea, but you can get a DDNS address in the sn.mynetname.net domain and VPN to it (for instance using PPTP): Quick Set Home AP — How to use vpn provided? – MikroTik RouterOS
You need to setup both the clock (date/time) and SNTP in one step:
- Setup SNTP (Winbox) aka NTP (shell): /system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
  After a few seconds the Winbox will update the SNTP Client dialog and a few seconds later, the Clock dialog will also update itself.
Manual:IP/Firewall/NAT – MikroTik Wiki
- dstnat: Forwarding a port to an internal IP – MikroTik Wiki and https://www.youtube.com/watch?v=8sGL58AhQCQ:
  Mikrotik Training- Port Forwarding (With Closed Captioning)
- srcnat: getting NAT to work
- Hairpin NAT – MikroTik Wiki
- netmap vs srcnat/dstnat: IP Firewall rules, need help with optimization – MikroTik RouterOS
I like these ones as they use Winbox:
- Mikrotik – Setup – Powered by Kayako Help Desk Software
- Manual:Initial Configuration – MikroTik Wiki
Sharing Ideas … Mikrotik with Kannel/playSMS
- via: Mikrotik Related | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik Firewall / Short Notes + Scripts
Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS
Graphing: ensure you only limit this to IP-addresses that you want graphs to be visible on (0.0.0.0/0 makes it visible to ALL): Manual:Tools/Graphing – MikroTik Wiki
DNS – MikroTik RouterOS: I would like to have my router to stop all the DNS coming from my clients and not reaching my ISP provider.
Email sending can now also use the DNS-name of the SMTP server: Why does the email server configuration only allow IP-addresses? – MikroTik RouterOS
Dynamic DNS Update Script for No-IP DNS for Router OS V.6.7 – MikroTik RouterOS
Script for Ransomware Tracker by abuse.ch. Tracking Ransomware Infrastructure around the globe. Source: How I fight ransomware (crypto viruses) with Mikrotik – MikroTik RouterOS
/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1
very simple solution for a traceroute to Hide ip address – MikroTik RouterOS
Using staged address list to perform Bruteforce login prevention – MikroTik Wiki

Very advanced stuff:

Packet flow (maybe the toughest part to wrap your head around):

Manual:Packet Flow – MikroTik Wiki (with diagrams on RouterOS 6.x and 3.x can flow).
Manual:Packet Flow v6 – MikroTik Wiki (with updated RouterOS 6.x diagram).
New Packet flow diagram – Page 2 – MikroTik RouterOS (Visio / PDF version of an even newer diagram)

Scripts:

Load balancing:

Syntax highlighting:

Syntax highlighting and completions for Sublime Text – MikroTik RouterOS
- See also: mikrotik/editors/Sublime3 at master · martinclaro/mikrotik and mikrotik/editors/Sublime2 at master · martinclaro/mikrotik and Kentzo/MikrotikScript: Syntax highlighting and completions for the Mikrotik Scripting language for the Sublime Text editor
external editor syntax highlighting – MikroTik RouterOS (Notepad++, Textpad, VIM, EditPlus – look for the word Download and the .zip, .rar and .gz extensions)
- See also: mikrotik/syntax at master · olejor/mikrotik
Atom: language-routeros-script and ofstudio/atom-language-routeros-script: MikroTik RouterOS script language support in Atom
TextMate2: tiktuk / RouterOS.tmbundle — Bitbucket
GEdit: webpagetech/gedit-routeros: Mikrotik RouterOS code syntax highlighting for .rsc Files
Notepad++: jtroybailey/RouterOS-Notepad—Syntax-Highlighting: Syntax highlighting for routeros exports in notepad++

Pictures

CCR1009-8G-1S-1S+ General info & Questions – MikroTik RouterOS

Very well written blog:

Manito Network’s Mikrotik solutions blog. In-depth articles on Mikrotik routing, security, best practices, VPN, and more.

Source: Mikrotik — Manito Networks

Solutions for RouterOS-based Mikrotik networks. Includes security and best practices, VPN, routing, switching, and more.

Source: Mikrotik-1 — Manito Networks

–jeroen

Posted in DNS, Internet, IPSec, MikroTik, Network-and-equipment, OpenVPN, Power User, PPTP, routers, VPN | Leave a Comment »

Getting the IP addresses of gmail MX servers – via Super User – dig isn’t enough

Posted by jpluimers on 2017/03/06

I needed the current IP-addresses of the gmail MX server (don’t ask the details; but it has to do with the brain-dead TP-LINK ER5120 configuration possibilities).

This is the command I finally used:

dig @8.8.8.8 +short MX gmail.com | sed "s/^[0-9]* //g" | sed "s/.$//" | xargs -I {} dig @8.8.8.8 +short {} | uniq | sort

Basically it’s a three stage sequence which had to work on OS X as well as Linux using a bash shell:

Use the Google DNS servers (either 8.8.8.8 or 8.8.4.4)
Get the FQDNs of MX records of gmail.com which are the mail servers for GMail.
Translate these in IPv4 addresses
Filter into a distinct list (just in case entries are duplicate: they aren’t yet, but might be)

The basics of the above are about using dig to get short (or terse) answers with as little (but still to the point) information as possible.
Read the rest of this entry »

Posted in *nix, *nix-tools, DNS, Power User | 1 Comment »

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

Posted by jpluimers on 2017/03/06

DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.

Source: [WayBack] Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

–jeroen

Posted in DNS, Internet, Power User, Security | Leave a Comment »

The IoT strikes back again: half a million IoT devices killed DYN DNS for hours, but fixing this will be hard

Posted by jpluimers on 2016/10/22

Less than a month after The IoT strikes back: 650 Gigabit/second and 1 Terabit/second attacks by IoT devices within a week the IoT struck back again: an estimated half a million IoT devices was used to perform multiple DDoS attacks against Dyn Managed DNS that took around 11 hours to resolve.

Google DNS appears to “live” near me in Amsterdam

High availability usually involves a mix of DNS TTL and/or BGP routing. That’s typically how CDN providers like Cloudflare work (it’s one of the reasons that global DNS servers like Google’s 8.8.8.8 appear near to you and over time routes – some MPLS – to it change). Short DNS TTL can help CDN, requires a very stable DNS infrastructure and is similar to but different from a Fast Flux network.

Last months attacks were on a security researcher and a single ISP. The Dyn DNS attack affected even more internet services (not just sites like Twitter, WhatsApp, AirBnB and Github). So I’m with Bruce Schneier that Someone Is Learning How to Take Down the Internet.

Handling these attacks is hard as the DDoS mitigation firms simply cannot handle the sudden increase of attack sizes yet. BCP38 should be part of mitigation, but the puzzle is big and fixing it won’t be easy though root-causes of bugs change as a lot of research is in progress.

I’m not alone in expecting it to get worse though before getting better.

On the client side, I learned that many users could cope by changing their DNS servers to either of these Public DNS Servers:

OpenDNS 208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222
- OpenDNS does a good job of handing “last known good” IPs when they can’t resolve.
Google Public DNS 8.8.8.8, 8.8.4.4
Level 3 DNS 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6

Some more interesting tidbits on the progress and mitigation on this particular attack are the over time heat-maps of affected regions and BGP routing changes below.

Read the rest of this entry »

Posted in CDN (Content Delivery Network), Cloud, Cloudflare, DNS, Hardware, Infrastructure, Internet, IoT Internet of Things, Network-and-equipment, Opinions, Power User | Leave a Comment »

domain name system – How to test DNS glue record? – Server Fault

Posted by jpluimers on 2016/05/26

Thanks Adrian W for providing the below example in your answer about obtaining GLUE record information for a domain.

It is an excellent showcase for the $IFS Internal Field Separator available in any nx shell.

In this case it is used to get the TLD (top-level domain) from the domain name specified at the command-line.

After that, it obtains the name servers for that TLD, and queries the glue records there, both using dig.

Here is a little shell script which implements Alnitak’s answer:

#!/bin/sh
S=${IFS}
IFS=.
for P in $1; do
  TLD=${P}
done
IFS=${S}

echo "TLD: ${TLD}"
DNSLIST=$(dig +short ${TLD}. NS)
for DNS in ${DNSLIST}; do
  echo "Checking ${DNS}"
  dig +norec +nocomments +noquestion +nostats +nocmd @${DNS} $1 NS
done

Pass the name of the domain as parameter:

./checkgluerecords.sh example.org

–jeroen

via domain name system – How to test DNS glue record? – Server Fault.

Posted in *nix, Apple, bash, Development, DNS, Linux, Mac, Mac OS X / OS X / MacOS, Mac OS X 10.4 Tiger, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, openSuSE, OS X 10.10 Yosemite, OS X 10.8 Mountain Lion, OS X 10.9 Mavericks, Power User, Scripting, Software Development, SuSE Linux | Leave a Comment »

Fake Internet Connectivity for your Lab (Tricking NCSI) – via: Canberra Premier Field Engineering

Posted by jpluimers on 2013/06/21

If you ever wondered why how in Windows – as of Vista – the NCIS (network connection status indicator) determines if you have a valid internet connection, it is pretty simple, as both these pages explain:

NCIS depends on the msftncis.com domain (link to the checks from IntoDNS) and is for supporting Network Awareness in applications.

The probing is done in this order: Read the rest of this entry »

Posted in Captive Portal, DNS, Internet, Power User, Windows, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Vista | Leave a Comment »

« Previous Entries

Next Entries »

	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…
	Thaddy de Koning on Formulier voor bewindvoerders…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘DNS’ Category

DNS, glue records and TTL

DNS Knowledge DNS Tutorial, News and Tools: How to setup Quad9 DNS on a Linux

DNS BIND9 acl clause – they can be nested

Google DNS, Open DNS or your ISP DNS servers?

Some links for MikroTik tips and scripts

Getting the IP addresses of gmail MX servers – via Super User – dig isn’t enough

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

The IoT strikes back again: half a million IoT devices killed DYN DNS for hours, but fixing this will be hard

domain name system – How to test DNS glue record? – Server Fault

Fake Internet Connectivity for your Lab (Tricking NCSI) – via: Canberra Premier Field Engineering

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘DNS’ Category

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this: