Basic BIND Installation
This is a basic tutorial on how to install BIND, the Berkeley Internet Name Domain server, on an Ubuntu server in order to run it as an authoritative DNS server. It differs from other tutorials because...

BIND DNSSEC Validation
If you are searching for a DNSSEC validating DNS server, you can use BIND to do that. In fact, with a current version of BIND, e.g. version 9.10, the dnssec-validation option is enabled by default. If you are...

DNSSEC Validation with Unbound on a Raspberry
To overcome the chicken-or-egg problem for DNSSEC (“I don’t need a DNSSEC validating resolver if there are no signed zones”), let’s install the DNS server Unbound on a Raspberry Pi for home usage. Up...

DNSSEC Signing w/ BIND
To solve the chicken-or-egg problem for DNSSEC from the other side, let’s use an authoritative DNS server (BIND) for signing DNS zones. This tutorial describes how to generate the keys and configure...

How to use DANE/TLSA
DNS-based Authentication of Named Entities (DANE) is a great feature that uses the advantages of a DNSSEC signed zone in order to tell the client which TLS certificate it has to expect when connecting...

SSHFP: Authenticate SSH Fingerprints via DNSSEC
This is really cool. After DNSSEC is used to sign a complete zone, SSH connections can be authenticated by checking the SSH fingerprint against the SSHFP resource record on the DNS server. With this...

DNSSEC ZSK Key Rollover
One important maintenance requirement for DNSSEC is the key rollover of the zone signing key (ZSK). With this procedure a new public/private key pair is used for signing the resource records, of course...

DNSSEC with NSEC3
By default DNSSEC uses the next secure (NSEC) resource record “to provide authenticated denial of existence for DNS data” (RFC 4034). This feature creates a complete chain of all resource records of a...

How to walk DNSSEC Zones: dnsrecon
After the implementation of DNS and DNSSEC (see the last posts) it is good to do some reconnaissance attacks against one's own DNS servers, especially to see the NSEC or NSEC3 differences, i.e., whether...

Compare & Troubleshoot DNS Servers: dnseval
The third tool out of the DNSDiag toolkit from Babak is dnseval. “dnseval is a bulk ping utility that sends an arbitrary DNS query to a given list of DNS servers. This script is meant for comparing...

Detect DNS Spoofing: dnstraceroute
Another great tool from Babak Farrokhi is dnstraceroute. It is part of the DNSDiag toolkit, from which I already showed the dnsping feature. With dnstraceroute you can verify whether a DNS request is...

Idea: On-the-Fly TLSA Record Spoofing
It is quite common that organizations use some kind of TLS decryption to have a look at the client traffic in order to protect against malware or evasion. (Some synonyms are SSL/TLS interception,...

Idea: SSHFP Validator
The usage of the SSHFP resource record helps admins to authenticate the SSH server before they expose their credentials or before a man-in-the-middle attack occurs. This is only one great...

BIND Inline-Signing Serial Numbers Cruncher
I know that BIND correctly changes the serial numbers of zones when it is enabled with inline signing and auto-dnssec. However, I got confused one more time as I looked at some of my SOA records. So,...

CLI Commands for Troubleshooting Juniper ScreenOS Firewalls
Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands...

Palo Alto Reporting
I wanted to configure a weekly email report on a Palo Alto Networks firewall. “Yes, no problem”, I thought. Well, it was absolutely not that easy. ;( While the PAN firewalls have a great GUI and a good...

In Sync 2017
It is not easy to sync one's own files/mails/contacts/calendars/etc. in order to keep them private (not via a public cloud) and to create regular backups. Furthermore, every solution must be easy to use...

Palo Alto External Dynamic IP Lists
This is a cool and easy-to-use (security) feature of Palo Alto Networks firewalls: External Dynamic Lists, which can be used with some (free) 3rd-party IP lists to block malicious incoming IP...

Palo Alto PBF Problem
I migrated an old Juniper SSG ScreenOS firewall to a Palo Alto Networks firewall. While almost everything worked great with the Palo (of course with many more functionalities) I came across one case in...

Lastline SNMP Monitoring
This is just a small post on how to enable SNMP on a Lastline Advanced Malware Protection appliance in order to query the basic host and network MIBs from an SNMP monitoring server. Note that this is...