DETAILED OUTLINE

Day 1: DNS refreshers - Debugging - Architecture
------------------------------------------------

S1: * Intro
    * Presentation of participants, and workshop overview
    * Presentation: Quick overview of the DNS protocol and architecture
        - terminology (parent, child, zone, domain, apex,
          delegation, recursive, authoritative, SOA, ...)
        - SOA mechanism: values, notify, negative ttl
        - Reverse DNS
        - Glue records
        - RFC 2317: classless in-addr.arpa delegation (reverse zones for
          prefixes smaller than a /24)
        - Common misconceptions about primary/secondary, etc...

    * Lab requirements:

    - zones to dig/test scenarios below
    - firewall rules to block / limit

S2:
    * Lab 1: Introduction to the environment

    1. First login to the system
    2. Explore, use commands

    * Q&A session on DNS

    * Lab 2: Using dig

    1. Using dig to explore
        - walking through DNS delegations
    2. The basic dig options
        -x, +short, ...
    3. Flags, and their meaning
        - DNS flags (AA, RA, RD, ...)
    4. dig to find network/filter problems
    5. Caching effects, negative ttl
        - cached records
    6. Following a delegation
    7. Glue records
         - what happens when they are missing?
         - dig with/without glue

S3:
    * Lab 3: More hands-on using dig, doc, wireshark

    1. using 'dig' to debug delegation problems by hand
    2. Non-matching NS sets between parent and child (parent row vs.
       child row: identical, partial overlap, child has extra servers,
       child lacks servers the parent delegates to):
         parent:  a b    a b    a b      a b c
         child:   a b    b c    a b c    a b

    3. Circular dependencies a <-> b
    4. Advanced dig options
       - options: +norec, +trace, +edns=0, +bufsize=, +dnssec
       - flags: header bits AA, RD, RA, TC, AD; EDNS0 DO bit; IP DF bit
       - issues: packet size vs. replies, UDP truncation and TCP fallback,
         fragmentation and the DF bit
    5. Delegation testing with doc
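    Added example for the delegation-mismatch and circular-dependency items of
    Lab 3 (this is added here, not workshop material): a small Python checker
    that classifies a parent/child NS-set mismatch the way the matrix above
    does and finds groups of zones whose nameservers can only be resolved
    through each other. The NS sets are constructed inline in place of the dig
    output the lab would use; the zone and server names are placeholders.

```python
"""Delegation consistency checks for the Lab 3 exercises.

Added example (not part of the workshop material): the NS sets are
constructed inline instead of being fetched with dig, so it runs offline.
In the lab the parent set comes from `dig +norec NS zone @parent-server`
and the child set from `dig +norec NS zone @child-server`.
"""

VERDICTS = {
    "consistent":      "parent and child publish the same NS set",
    "parent_missing":  "child lists servers the parent does not delegate to "
                       "(those servers are never reached via the delegation)",
    "parent_extra":    "parent delegates to servers the child does not list "
                       "(check each one: likely lame)",
    "partial_overlap": "only some servers agree; both sides are out of date",
    "disjoint":        "no server in common: the delegation is broken",
}


def normalize(names):
    """Lower-case, strip the trailing dot, return a set."""
    return {n.lower().rstrip(".") for n in names}


def classify_delegation(parent_ns, child_ns):
    """Compare the NS set at the parent with the NS set at the child apex."""
    p, c = normalize(parent_ns), normalize(child_ns)
    if p == c:
        return "consistent"
    if p < c:
        return "parent_missing"
    if c < p:
        return "parent_extra"
    if p & c:
        return "partial_overlap"
    return "disjoint"


def zone_of(name, zones):
    """Longest zone in `zones` that contains `name`, or None."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None


def find_circular_dependencies(delegations):
    """delegations: {zone: [NS names]}, names with or without trailing dot.

    A zone whose every NS name lives in *another* listed zone can only be
    resolved after that zone is; if a group of zones all depend on each other
    this way (a <-> b), nothing in the group is reachable without glue.
    Returns the sorted zone list of each such group.
    """
    zones = list(delegations)
    deps, can_escape = {}, {}
    for zone, nss in delegations.items():
        deps[zone] = set()
        can_escape[zone] = False
        for ns in nss:
            owner = zone_of(ns.lower().rstrip("."), zones)
            if owner is None or owner == zone:
                # served from outside the set, or in-bailiwick (parent glue)
                can_escape[zone] = True
            else:
                deps[zone].add(owner)
    found = []

    def walk(node, path):
        for nxt in sorted(deps[node]):
            if nxt in path:
                cycle = sorted(path[path.index(nxt):])
                if not any(can_escape[z] for z in cycle) and cycle not in found:
                    found.append(cycle)
            else:
                walk(nxt, path + [nxt])

    for zone in zones:
        walk(zone, [zone])
    return found


if __name__ == "__main__":
    verdict = classify_delegation(["ns1.a.example", "ns2.a.example"],
                                  ["ns2.a.example", "ns3.a.example"])
    print(verdict, "-", VERDICTS[verdict])          # partial_overlap
    print(find_circular_dependencies({
        "a.example": ["ns.b.example"],      # a's only NS is inside b ...
        "b.example": ["ns.a.example"],      # ... and b's only NS is inside a
    }))                                     # [['a.example', 'b.example']]
```

    A zone that also lists an in-bailiwick server (one the parent carries glue
    for) is not reported as stuck, which is exactly why the "Glue records"
    item of Lab 2 matters for the a <-> b case.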

    * Lab 4: Query/response analysis, protocol, format
        - getting more details: using tcpdump/tshark/wireshark
          to decode and analyze DNS traffic
        - explain how to access VNC server and run wireshark
        - packet capture on a recursive query (client -> recursive server -> Internet)
        - detail packet format
        - analysis on screen
            - illustrate query id, flags & bits
            - EDNS0
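    Added example for the Lab 4 analysis (and for the truncation/EDNS0 points
    revisited under "DNS & Firewalls" on Day 4); it is not part of the workshop
    material. It decodes a DNS message by hand, the way one reads it off the
    wireshark bytes pane: header ID and flag bits, question, compressed owner
    names, and the EDNS0 OPT pseudo-record. Instead of a live capture it
    builds a sample response inline, so the bytes are constructed, not
    captured; the names and addresses are placeholders.

```python
"""Decode a DNS message by hand: header, flags, question, RRs, EDNS0 OPT.

Added example for Lab 4 (and the truncation/EDNS0 points of Day 4); it is not
part of the workshop material. Instead of a live capture it builds a sample
response inline, so the bytes it decodes are constructed, not captured.
"""
import struct

HEADER_FLAGS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, root label last."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Read a name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just after the name as it appears at `off`)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer
            if end is None:
                end = off + 2                          # a pointer is 2 bytes long
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Return a dict with id, flag names, opcode, rcode, sections and EDNS info."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": ident,
           "flags": sorted(f for f, bit in HEADER_FLAGS.items() if flags >> bit & 1),
           "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
           "questions": [], "answers": [], "authority": [], "additional": [],
           "edns": None}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_OPT:
                # OPT pseudo-RR (RFC 6891): CLASS carries the sender's UDP payload
                # size, TTL carries extended RCODE, EDNS version and the DO bit.
                out["edns"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                               "do": bool(ttl >> 15 & 1), "ext_rcode": ttl >> 24}
                out["rcode"] |= (ttl >> 24) << 4    # 12-bit RCODE = ext<<4 | header
            else:
                out[section].append((name, rtype, ttl, rdata))
    return out


def needs_tcp_retry(parsed):
    """TC set means the answer did not fit the UDP size the client offered:
    the resolver must retry over TCP (which a firewall blocking 53/tcp breaks)."""
    return "TC" in parsed["flags"]


def build_sample_response(ident, qname, addr, flags=0x8180, udp_size=4096, do=True):
    """Constructed response: one A record whose owner name is a compression
    pointer to the question name at offset 12, plus an EDNS0 OPT record.
    0x8180 = QR|RD|RA."""
    header = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
              + bytes(int(o) for o in addr.split(".")))
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, (1 << 15) if do else 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    wire = build_sample_response(0x1234, "www.example.com", "192.0.2.10",
                                 flags=0x8180 | 0x0400)      # add AA
    print(parse_message(wire))
```

    To use it on real traffic, hand `parse_message` the UDP payload of a
    packet exported from wireshark or read with a raw socket; the flag list
    should match what `dig` prints in its `flags:` line.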

    * Lab 5a: basic DNS statistics with dnstop

S4:
    * Presentation: Reliable Architecture design

    - Service vs server separation
        - Separation of authoritative and recursive
        - Historical reasons for running auth + recursive
        - What happens when recursive and auth are not separated

    - Software and topological diversity (different SW, different AS)

    - Setup distinct recursive and authoritative NSes

    * Lab 5b: Service separation

    1. Start with BIND serving both recursive and authoritative (sample zone loaded locally)
    2. The sample zone gets moved to other servers / deleted at the parent
    3. Clients of the combined recursive + auth server keep getting the stale
       local data for the obsolete zone: the local authoritative copy shadows
       the real delegation
    4. Compare with an independent recursive server and see the discrepancy in results
    5. How to determine that the data is wrong?
        - dig the parent's nameservers for the delegation
        - test the delegations (as in Lab 3)

DISCUSSION TOPICS:

    - GSLB, Load Balancing in general
    - Databases and DNS

Day 2: DNS Software, Sizing/configuration, Anycast
--------------------------------------------------

S1: 
    * Presentation: Software platforms - BIND, NSD, Unbound
    - Background
    - Use cases
    - Discussions

    * Lab 6: Software configuration

    1. Configuring BIND on server 1
    2. Configuring NSD on server 2
    3. Configuring Unbound on server 3
    4. Make the hosts + laptops, S1 and S2 use S3 as recursive resolver
    5. Setup primary zone on BIND
    6. Setup NSD as secondary (AXFR, no TSIG yet)

S2:
    * Presentation: Configuration & tuning

    - Sizing and deploying a DNS server
    - Platform, OS, tuning for load
    - DOs and DON'Ts - best practices config, deployment
    - When to use/not use forwarders / stubs
    - Operational aspects - RFC 2870 (root name server operational requirements)
    - Common errors - RFC 1912 (common DNS operational and configuration errors)
    - Benchmarking tools - dnsperf, namebench
    - Not so well-known options

     - Platform specific:
        - BIND configuration
            - configuration structure
            - rndc, use of keys
            - options: recursion, allow-recursion, recursive-clients, etc...
              (fetch-glue is a BIND 8 option, obsolete in BIND 9)

        - Unbound configuration
            - configuration structure
            - options: prefetch (re-fetch popular records before they expire), etc...

        - NSD configuration

    - Tuning for a particular use case

S3:
    * Presentation: Anycasting for robustness and performance

    - Anycast demo using OSPF, quagga, IOS
    - Application: AS112, root servers, site-wide recursers

    * Lab 7: Anycasting

    - anycast a /32 across all participants using ospfd (quagga) on a
      virtual router; withdraw the route on one node and show service continuity
    - participate in the class-wide anycast cloud


Day 3: Logging & Monitoring, DNS Security
-----------------------------------------

S1:
    * Presentations: Log management & monitoring

    - Why logging?
    - Proper timekeeping
    - Log management / aggregation
    - Log monitoring with SWATCH/SEC
    - Service monitoring with Nagios / SmokePing

    * Lab 8: Log management & service monitoring

    1. syslog aggregation (syslog.conf to master host)
        - install syslog-ng
        - configure syslog to master host
        - SEC/swatch on logs

    2. Service monitoring
        - Monitoring response time with SmokePing + DNS
        - DNS service availability with Nagios (check_dns)

    3. Write plugins:
        - check SOA serial sync between the primary and its secondaries
        - verify the delegations published by the parent against what the
          child's servers actually answer
        http://www.andyd.net/2006/monitoring-soa-drift-with-nagios/
        http://www.andyd.net/media/check-dns-soamatch.pl.txt

        For all installations:

    4. RNDC & SNMP
      - Instrumentation of nameservers using SNMP
      - rndc and remote control
    

    5. DSC demo (DNS Statistics Collector)?

S3 - S4:

    * Presentation: DNS security (CV)
    
    - DNS areas of vulnerability
    - Secure zone transfers (AXFR) and TSIG configuration
    - Secure dynamic updates
    - MITM attacks, cache poisoning (impersonation)
    - ACLs & views
    - Running securely: chroot jails
    - Monitoring of unauthorized AXFR attempts
    - DNS cache poisoning, and the rationale for DNSSEC

    * Lab 9: DNS security

    1. Securing AXFR using IP access-lists
    2. TSIG config to limit transfer to authorized hosts (key)
    3. Using swatch to monitor AXFR attempts
    4. illustrating chroot jails
    5. dynamic updates, using & securing
    6. DNS through packet filters: hands-on with dig
    7. DNS "black box": continuous query recording with tcpdump / wireshark
       run in a loop (rotating capture files)
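    Added example for step 3 of Lab 9 (monitoring AXFR attempts); it is not
    part of the workshop material. It is the logic a swatch/SEC rule would
    implement, written in Python so it can be run on the aggregated syslog
    from Lab 8: a burst of denied zone transfers from one client, and a
    transfer that succeeded from a host that is not a configured secondary.
    The log lines are constructed in the shape BIND 9 uses for these two
    messages; the hostnames, addresses and zones are placeholders.

```python
"""Spot zone-transfer abuse in BIND logs, the way a swatch/SEC rule would.

Added example for Lab 9 step 3; it is not part of the workshop material.
The log lines are constructed in the shape BIND 9 uses for these two
messages ("zone transfer '...' denied", "transfer of '...': AXFR started");
in the lab they would come from syslog on the aggregation host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
                  r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?P<msg>.*)$")
DENIED = re.compile(r"zone transfer '(?P<zone>[^']+)' denied")
STARTED = re.compile(r"transfer of '(?P<zone>[^']+)': AXFR started")


def parse_line(line):
    """Return (timestamp, client ip, message) or None for non-matching lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("msg")


def detect_axfr_abuse(lines, allowed_secondaries, threshold=3, window_s=300):
    """Two rules: (1) `threshold` denied AXFRs from one client inside `window_s`
    seconds (someone walking your zones); (2) a transfer that *succeeded* from a
    host that is not a known secondary (the ACL or TSIG setup is wrong)."""
    alerts, recent = [], defaultdict(deque)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        denied = DENIED.search(msg)
        if denied:
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()                       # slide the window forward
            if len(q) == threshold:               # fire once per burst
                alerts.append("%s: %d denied AXFR attempts within %ds (last: %s)"
                              % (ip, threshold, window_s, denied.group("zone")))
            continue
        started = STARTED.search(msg)
        if started and ip not in allowed_secondaries:
            alerts.append("%s: AXFR of %s succeeded but host is not a configured "
                          "secondary - check allow-transfer / TSIG"
                          % (ip, started.group("zone")))
    return alerts


# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Feb  7 16:02:11 ns1 named[1234]: client 192.0.2.77#41022: zone transfer 'example.com/IN' denied
Feb  7 16:02:12 ns1 named[1234]: client 192.0.2.77#41023: zone transfer 'example.com/IN' denied
Feb  7 16:02:13 ns1 named[1234]: client 192.0.2.77#41024: zone transfer 'example.net/IN' denied
Feb  7 16:05:00 ns1 named[1234]: client 198.51.100.2#53: transfer of 'example.com/IN': AXFR started
Feb  7 16:05:01 ns1 named[1234]: client 198.51.100.2#53: transfer of 'example.com/IN': AXFR ended
Feb  7 16:07:30 ns1 named[1234]: client 203.0.113.9#5353: zone transfer 'example.com/IN' denied
Feb  7 16:09:00 ns1 named[1234]: client 203.0.113.9#5353: transfer of 'example.org/IN': AXFR started
""".splitlines()

if __name__ == "__main__":
    for alert in detect_axfr_abuse(SAMPLE_LOG, allowed_secondaries={"198.51.100.2"}):
        print(alert)
```

    The second rule is the one worth keeping after the lab: a denied AXFR
    shows the ACL working, while an AXFR that went through to an unknown host
    shows it did not.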


Day 4: DNS and the network, DNSSEC
----------------------------------

S1:
    * Presentation:  DNS and IPv6
    - IPv6 service
    - IPv6 Resource Records, and impact on clients

    * Lab 10: IPv6
    - creating IPv6 resource records
    - serve DNS over IPv6 transport, test resolution over v6

S2:
    * Presentation: DNS & Firewalls

    - DNS and filtering (TCP, UDP, size)
        - Why the 512-byte UDP limit (RFC 1035)
        - truncation, fragmentation problems
    - Packet size limitations and EDNS0

S3 - S4:
    * Presentation: Introduction to DNSSEC
        ...

Day 5: DNSSEC Hands-on
----------------------

S1:
    * Tutorial: DNSSEC hands-on

    - signing toolkits
    - BIND 9.7+, OpenDNSSEC

S2:
    * Lab 11: Zone signing
        ...

    * Lab 12: Automation using OpenDNSSEC
        ...

S3:
    * Presentation: IDN

    - protocol / encoding
    - operational impact
    - IDN demo and how DNS deals with it
    - using dig with IDN

    * Lab 13: Deploy IDN

    1. Deploy IDN zones
    2. Test with browser



    * Presentation: IDN2 overview
    - Protocols, encoding

S4:
    * Open (Q&A, Evaluation)
Last modified on Feb 7, 2011, 5:06:29 PM