Channel: Johannes Weber – Weberblog.net
Browsing all 311 articles

IKE Challenges

A few months ago I published many Layer 2/3 challenges on my blog. Besides the happy feedback I got some remarks that the challenges were too easy because you only needed the display filter at...

IKEv1 & IKEv2 Capture

It is probably one of the most used protocols in my daily business but I have never captured it in detail: IKE and IPsec/ESP. And since IKEv2 is coming I gave it a try and tcpdumped two VPN session...

IKE Solutions

Almost 4 weeks ago I published a pcap file with some challenges – this time four falsified configured IPsec VPN connections. If you have not solved it by now you should first download the pcap file and...

SSH Key Fingerprints

As a network administrator I know that there are SSH fingerprints. And of course I know that I must verify the fingerprints for every new connection. ;) But I did not know that there are so many...

Nmap Packet Capture

I am using Nmap every time I install a new server/appliance/whatever in order to check some unknown open ports from the outside. In most situations I am only doing a very basic run of Nmap without...

Apple AirPlay Capture

I was interested in how Apple AirPlay works in my network. I am using an iPad to stream music to a Yamaha R-N500 network receiver. There is a great Unofficial AirPlay Protocol Specification which...

CAA: DNS Certification Authority Authorization

I really like the kind of security features that are easy to use. The CAA “DNS Certification Authority Authorization” is one of those. As a domain administrator you must only generate the appropriate...

PGP Key Distribution via DNSSEC: OPENPGPKEY

What is the biggest problem of PGP? The key distribution. This is well-known and not new at all. What is new is the OPENPGPKEY DNS resource record that delivers PGP public keys for mail addresses. If...

DNS Test Names & Resource Records

I am testing a lot with my own DNS servers as well as with third-party DNS implementations such as DNS proxies on firewalls, DNSSEC validation on resolvers, etc. While there are a number of free DNS...

Instrument Tinkering

Instruments must be handled with care and are not objects for tinkering! Absolutely right. So I have always taken good care of my guitars and the like and have not made any modifications to them. (A small...

All-in-One DNS Tool: Domain Analyzer

Just a quick glance at the domain_analyzer script from Sebastián García and Verónica Valeros. “Domain analyzer is a security analysis tool which automatically discovers and reports information about...

Benchmarking DNS: namebench & dnseval

If you’re running your own DNS resolver you’re probably interested in some benchmark tests against it, such as: how fast does my own server (read: Raspberry Pi) answer to common DNS queries compared to...

SSHFP behind CNAME

I am intensely using the SSH Public Key Fingerprint (SSHFP, RFC 4255) in all of my environments. Since my zones are secured via DNSSEC I got rid of any “authenticity of host ‘xyz’ can’t be established”...

SSHFP: FQDN vs. Domain Search/DNS-Suffix

This is actually a bad user experience problem: To generally omit the manual verification of SSH key fingerprints I am using SSHFP. With fully qualified domain names (FQDN) as the hostname for SSH...

Generating SSHFP Records Remotely

Until now I generated all SSHFP resource records on the SSH destination server itself via [crayon-5a7ca15318e44927714867-i/]. This is quite easy when you already have an SSH connection to a standard...

Signing a Delegated Subdomain

If you are already familiar with DNSSEC this is quite easy: How to sign a delegated subdomain zone. For the sake of completeness I am showing how to generate and use the appropriate DS record in order...

DNSSEC KSK Key Rollover

Probably the most crucial part in a DNSSEC environment is the maintenance of the key-signing key, the KSK. You should roll over this key on a regular basis, though not as often as the zone signing...

DNSSEC KSK Emergency Rollover

In my last blogpost I showed how to perform a DNSSEC KSK rollover. I did it quite slowly and carefully. This time I am looking into an emergency rollover of the KSK. That is: What to do if your KSK is...

Signed DNS Zone with too long-living TTLs

Implementing DNSSEC for a couple of years now while playing with many different DNS options such as TTL values, I came across an error message from DNSViz pointing to possible problems when the TTL of...

TROOPERS18: Dynamic IPv6 Prefix Problems and VPNs

Just a few days ago I gave a talk at Troopers 18 in Heidelberg, Germany, about the problems of dynamic (non-persistent) IPv6 prefixes, as well as IPv6 VPNs in general. Following are my slides and the...
