DETAILED OUTLINE
Day 1: DNS refreshers - Debugging - Architecture
------------------------------------------------
S1: * Intro
* Presentation of participants, and workshop overview
* Presentation: Quick overview on DNS protocol and architecture
- terminology (parent, child, zone, domain, apex,
delegation, recursive, authoritative, SOA, ...)
- SOA mechanism: values, notify, negative ttl
- Reverse DNS
- Glue records
- RFC2317
- Common misconceptions about primary/secondary, etc...
* Lab requirements:
- zones to dig/test scenarios below
- firewall rules to block / limit
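Added example for the RFC 2317 item above (not part of the original workshop material): classless in-addr.arpa delegation is the one reverse-DNS topic people routinely get wrong by hand, so this script does the arithmetic. Given an IPv4 block longer than a /24 and the delegate's name servers, it derives the parent /24 zone, the child zone label of the form "<first octet>/<prefix>" that RFC 2317 uses (the separator is a parameter, since some operators prefer "-"), the NS set the /24 owner publishes for it, and the CNAME per address that points each host's PTR name into the child zone. The child then serves ordinary PTR records at "<host octet>.<child zone>". The CIDR, server names and output format are constructed for the example; Python 3.6+ standard library only.

```python
import ipaddress


def rfc2317_delegation(cidr, child_ns, sep='/'):
    """Records the /24 owner adds to delegate a sub-/24 block per RFC 2317.

    Returns (parent_zone, child_zone, records): the parent in-addr.arpa zone,
    the child zone apex ("<first octet><sep><prefixlen>." under the parent),
    and zone-file lines: an NS set for the child zone plus one CNAME per
    address in the block aliasing N.<parent> to N.<child>.
    """
    # strict=True rejects e.g. 192.0.2.65/26 (host bits set), which would
    # otherwise silently produce the wrong first octet.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError('RFC 2317 applies to IPv4 blocks longer than /24')

    o1, o2, o3, o4 = str(net.network_address).split('.')
    parent_zone = '%s.%s.%s.in-addr.arpa.' % (o3, o2, o1)
    child_zone = '%s%s%d.%s' % (o4, sep, net.prefixlen, parent_zone)

    first = int(o4)
    last = first + net.num_addresses - 1

    # Delegation of the child zone to the delegate's servers.
    records = ['%s\tIN\tNS\t%s' % (child_zone, ns) for ns in child_ns]
    # One alias per address: the PTR name resolvers actually look up is a
    # CNAME into the child zone, where the delegate keeps the real PTRs.
    records += ['%d.%s\tIN\tCNAME\t%d.%s' % (h, parent_zone, h, child_zone)
                for h in range(first, last + 1)]
    return parent_zone, child_zone, records


def child_ptr(child_zone, host_octet, target):
    """The PTR the delegate publishes in its own child zone for one host."""
    return '%d.%s\tIN\tPTR\t%s' % (host_octet, child_zone, target)


if __name__ == '__main__':
    # Constructed example: 192.0.2.64/26 delegated to two hypothetical servers.
    parent, child, lines = rfc2317_delegation('192.0.2.64/26',
                                              ['ns1.example.com.', 'ns2.example.com.'])
    print('; parent zone %s' % parent)
    print('\n'.join(lines))
    print('; child zone %s' % child)
    print(child_ptr(child, 65, 'host65.example.com.'))
```

Verify the result the way the lab does: `dig -x 192.0.2.65` should follow the CNAME into the child zone and return the PTR, and `dig +norec NS 64/26.2.0.192.in-addr.arpa @<parent server>` should return the delegation.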
S2:
* Lab 1: Introduction to the environment
1. First login to the system
2. Explore, use commands
* Q&A session on DNS
* Lab 2: Using dig
1. Using dig to explore
- walking through DNS delegations
2. The basic dig options
-x, +short, ...
3. Flags, and their meaning
- DNS flags (AA, RA, RD, ...)
4. dig to find network/filter problems
5. Caching effects, negative ttl
- cached records
6. Following a delegation
7. Glue records
What happens when they are not there?
- dig with/without
S3:
* Lab 3: More hands on using dig, doc, wireshark
1. using 'dig' to debug delegation problems by hand
2. Non matching delegations between parent and child:
parent:  a b     a b     a b       a b c
child:   a b     b c     a b c     a b
(matching / partial overlap / child lists an extra server / parent lists a server the child does not)
3. Circular dependencies a <-> b
4. Advanced dig options
- options: +norec, +trace, +edns=0, +bufsize=, +dnssec
- flags: AA, RD, RA, AD (DNS header), DO (EDNS0 OPT record); DF (IP header, not DNS)
- issues: packet size/replies, TCP/UDP, DF bit
5. Delegation testing with doc
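Added example for Lab 3 items 2 and 3 (and the glue question in Lab 2 item 7); this is illustrative code, not part of the workshop material. In the lab the two NS sets come from `dig +norec NS <zone> @<parent server>` and `dig +norec NS <zone> @<child server>`; the first function classifies the mismatch into the four cases of the diagram above. The second models the "a <-> b" circular dependency: a zone whose name servers all live in zones that can only be resolved through that zone itself is unreachable unless glue breaks the loop, which is also exactly what a missing in-bailiwick glue record looks like. Zone names, server names and the glue set are constructed; Python 3 standard library only.

```python
def _norm(name):
    return name.lower().rstrip('.')


def classify_delegation(parent_ns, child_ns):
    """Compare the NS set the parent delegates to with the set the child publishes.

    Returns one of: consistent, child-superset, parent-superset,
    partial-overlap, disjoint. Anything but 'consistent' means different
    resolvers will learn different server lists; servers the parent lists but
    the child does not are the usual source of lame delegations.
    """
    p = {_norm(n) for n in parent_ns}
    c = {_norm(n) for n in child_ns}
    if p == c:
        return 'consistent'
    if not p & c:
        return 'disjoint'
    if p < c:
        return 'child-superset'
    if p > c:
        return 'parent-superset'
    return 'partial-overlap'


def zone_of(name, zones):
    """Longest zone in `zones` that contains `name`, or None if none does."""
    name = _norm(name)
    best = None
    for z in zones:
        z = _norm(z)
        if name == z or name.endswith('.' + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def has_circular_dependency(zone, ns_map, glue=frozenset()):
    """True if `zone` cannot be resolved because every path to an address for
    its name servers leads back to `zone` itself (a <-> b, or in-zone NS
    names without glue).

    ns_map: {zone: [ns names]} for the zones under test; an NS name that is
    not under any of these zones is assumed resolvable elsewhere.
    glue: NS names the parent hands out addresses for (no lookup needed).
    """
    ns_map = {_norm(z): [_norm(n) for n in names] for z, names in ns_map.items()}
    glue = {_norm(g) for g in glue}

    def resolvable(z, in_progress):
        if z in in_progress:          # we are back at a zone still being resolved
            return False
        in_progress = in_progress | {z}
        for ns in ns_map.get(z, ()):
            if ns in glue:
                return True           # glue gives the address directly
            owner = zone_of(ns, ns_map)
            if owner is None or resolvable(owner, in_progress):
                return True
        return False

    return not resolvable(_norm(zone), frozenset())


if __name__ == '__main__':
    # The four cases from the lab diagram.
    for parent, child in ((['a', 'b'], ['a', 'b']), (['a', 'b'], ['b', 'c']),
                          (['a', 'b'], ['a', 'b', 'c']), (['a', 'b', 'c'], ['a', 'b'])):
        print(parent, child, '->', classify_delegation(parent, child))
    # Constructed a <-> b loop: each zone's only NS lives in the other zone.
    loop = {'a.example': ['ns.b.example'], 'b.example': ['ns.a.example']}
    print('a <-> b without glue:', has_circular_dependency('a.example', loop))
    print('a <-> b with glue for ns.a.example:',
          has_circular_dependency('a.example', loop, glue={'ns.a.example'}))
```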
* Lab 4: Query/response analysis, protocol, format
- getting more details: using tcpdump/tshark/wireshark
to decode and analyze DNS traffic
- explain how to access VNC server and run wireshark
- packet capture on a recursive query (c -> S -> {internet})
- detail packet format
- analysis on screen
- illustrate query id, flags & bits
- EDNS0
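Added example for Lab 4 (illustrative code, not part of the workshop material): before looking at the same bytes in Wireshark, it helps to have decoded a message by hand once. This parser walks the 12-byte header (query ID, the QR/AA/TC/RD/RA/AD/CD bits, opcode, rcode and section counts), the question, and each resource record, following RFC 1035 name-compression pointers, and pulls the EDNS0 OPT pseudo-record out of the additional section to expose the advertised UDP payload size and the DO bit (the same fields that matter for the packet-size and firewall discussion on Day 4). The sample response it decodes is constructed in code, not captured from the lab network; only A RDATA is decoded, other types are returned raw. Python 3 standard library only.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1, AD/CD from RFC 2535).
FLAG_BITS = {'QR': 15, 'AA': 10, 'TC': 9, 'RD': 8, 'RA': 7, 'AD': 5, 'CD': 4}
TYPE_A, TYPE_OPT = 1, 41
EDNS_DO = 0x8000   # DNSSEC OK bit, in the low 16 bits of the OPT record's TTL field


def encode_name(name):
    out = b''
    for label in name.rstrip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def decode_name(msg, off):
    """Read a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # caller resumes after the pointer
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError('compression pointer loop')
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels) + '.', (end if end is not None else off)


def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack('!6H', msg[:12])
    return {'id': ident,
            'opcode': (flags >> 11) & 0xF,
            'rcode': flags & 0xF,
            'flags': sorted(n for n, bit in FLAG_BITS.items() if flags >> bit & 1),
            'qdcount': qd, 'ancount': an, 'nscount': ns, 'arcount': ar}


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError('truncated RDATA')
    return {'name': name, 'type': rtype, 'class': rclass, 'ttl': ttl, 'rdata': rdata}, off + rdlen


def parse_message(msg):
    hdr = parse_header(msg)
    off, questions = 12, []
    for _ in range(hdr['qdcount']):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack('!HH', msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    result = {'header': hdr, 'question': questions, 'edns': None}
    for section, count in (('answer', hdr['ancount']), ('authority', hdr['nscount']),
                           ('additional', hdr['arcount'])):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            if rr['type'] == TYPE_OPT:
                # OPT reuses the fixed RR fields: CLASS = UDP payload size,
                # TTL = extended rcode (8) | version (8) | DO + zeros (16).
                result['edns'] = {'udp_size': rr['class'],
                                  'ext_rcode': rr['ttl'] >> 24,
                                  'version': (rr['ttl'] >> 16) & 0xFF,
                                  'do': bool(rr['ttl'] & EDNS_DO)}
                continue
            if rr['type'] == TYPE_A and len(rr['rdata']) == 4:
                rr['rdata'] = '.'.join(str(b) for b in rr['rdata'])
            rrs.append(rr)
        result[section] = rrs
    return result


def build_sample_response():
    """Constructed answer to 'www.example.com A': ID 0x1234, flags QR RD RA AD,
    one A record whose owner is a pointer (0xC00C) back to the question name,
    and an EDNS0 OPT advertising 4096-byte UDP with DO set."""
    header = struct.pack('!6H', 0x1234, 0x81A0, 1, 1, 0, 1)
    question = encode_name('www.example.com') + struct.pack('!HH', TYPE_A, 1)
    answer = b'\xC0\x0C' + struct.pack('!HHIH', TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


if __name__ == '__main__':
    m = parse_message(build_sample_response())
    print(m['header'])
    print(m['question'], m['answer'], m['edns'])
```

To compare with real traffic, `dig +dnssec +bufsize=4096 www.example.com` sends exactly the kind of OPT record the sample carries; feed the raw bytes from a tshark/tcpdump capture to `parse_message` and the flag names should match what Wireshark shows.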
* Lab 5: basic DNS statistics with dnstop
S4:
* Presentation: Reliable Architecture design
- Service vs server separation
- Separation of authoritative and recursive
- Historical reasons for running auth + recursive
- What happens when recursive and auth are not separated
- Software and topological diversity (different SW, different AS)
- Setup distinct recursive and authoritative NSes
* Lab 5: Service separation
1. Start with BIND and recursive + auth enabled
2. Sample zone gets moved/deleted
3. Clients of the recursive + auth for obsolete zone are misled
4. See discrepancy in results
5. How to determine that data is wrong?
- dig parent
- test delegations
DISCUSSION TOPICS:
- GSLB, Load Balancing in general
- Databases and DNS
Day 2: DNS Software, Sizing/configuration, Anycast
--------------------------------------------------
S1:
* Presentation: Software platforms - BIND, NSD, Unbound
- Background
- Use cases
- Discussions
* Lab 6: Software configuration
1. Configuring BIND on server 1
2. Configuring NSD on server 2
3. Configuring Unbound on server 3
4. Make hosts + laptop and S1 + S2 use S3 as recursor
5. Setup primary zone on BIND
6. Setup NSD as secondary (AXFR, no TSIG yet)
S2:
* Presentation: Configuration & tuning
- Sizing and deploying a DNS server
- Platform, OS, tuning for load
- DOs and DON'Ts - best practices config, deployment
- When to use/not use forwarders / stubs
- Operational aspect - RFC2870
- Common errors - RFC1912
- Benchmarking tools - dnsperf, namebench
- Not so well-known options
- Platform specific:
- BIND configuration
- configuration structure
- rndc, use of keys
- options: fetch-glue, recursion, max-clients, etc...
- Unbound configuration
- configuration structure
- options: prefetch (re-fetch popular records before they expire), etc...
- NSD configuration
- Tuning for a particular use case
S3:
* Presentation: Anycasting for robustness and performance
- Anycast demo using OSPF, quagga, IOS
- Application: AS112, root servers, site-wide recursers
* Lab 7: Anycasting
- anycast a /32 across all participants using ospfd|quagga +
virtual router and show route withdrawal and service continuity
- participate in the class-wide anycast cloud
Day 3: Logging & Monitoring, DNS Security
-----------------------------------------
S1:
* Presentations: Log management & monitoring
- Why logging?
- Proper timekeeping
- Log management / aggregation
- Log monitoring with SWATCH/SEC
- Service monitoring with Nagios / SmokePing
* Lab 8: Log management & service monitoring
1. syslog aggregation (syslog.conf to master host)
- install syslog-ng
- configure syslog to master host
- SEC/swatch on logs
2. Service monitoring
- Monitoring response time with SmokePing + DNS
- DNS service availability with Nagios (check_dns)
3. Write plugins:
- check SOA sync between secondaries
- verify delegations against reality
http://www.andyd.net/2006/monitoring-soa-drift-with-nagios/
http://www.andyd.net/media/check-dns-soamatch.pl.txt
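Added example for Lab 8 item 3 (a Nagios-style plugin written for this outline, not the check-dns-soamatch.pl script linked above, and not part of the workshop material): it fetches the SOA serial from the primary and from each secondary with `dig +short +norecurse` and reports drift. It also ties back to the Day 1 SOA discussion: serials are compared with RFC 1982 serial-number arithmetic rather than plain integer comparison, so a serial that wrapped past 2^32 is still ordered correctly, and a secondary that is *ahead* of the primary is treated as CRITICAL because it is serving data the primary never published (a stale or hijacked secondary, or a primary whose serial was reset). The server names and serials in the test are constructed; `dig` is only invoked when the script is run from the command line. Python 3.7+ standard library only.

```python
#!/usr/bin/env python3
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3       # Nagios exit codes
STATE = {OK: 'OK', WARNING: 'WARNING', CRITICAL: 'CRITICAL', UNKNOWN: 'UNKNOWN'}
HALF = 1 << 31                                     # half of the 32-bit serial space


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is 'greater than' b.
    When the two differ by exactly 2^31 the order is undefined and this
    returns False in both directions."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def dig_serial(server, zone, timeout=5):
    """SOA serial of `zone` as answered by `server`, or None on no usable answer.
    +norecurse so the server must answer from its own copy of the zone."""
    cmd = ['dig', '+short', '+norecurse', '+tries=1', '+time=%d' % timeout,
           '@' + server, zone, 'SOA']
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             check=False, timeout=timeout + 2).stdout.split()
    except (OSError, subprocess.SubprocessError):
        return None
    # dig +short prints: mname rname serial refresh retry expire minimum
    return int(out[2]) if len(out) >= 7 and out[2].isdigit() else None


def check_soa_sync(zone, primary_serial, secondary_serials):
    """Return (exit code, status line). secondary_serials: {server: serial or None}.
    Behind the primary is WARNING (a transfer may simply be in flight);
    no answer, ahead of the primary, or undefined order is CRITICAL."""
    if primary_serial is None:
        return CRITICAL, 'CRITICAL: no SOA for %s from primary' % zone
    worst, problems = OK, []
    for server, serial in sorted(secondary_serials.items()):
        if serial is None:
            worst, msg = max(worst, CRITICAL), '%s: no answer' % server
        elif serial == primary_serial:
            continue
        elif serial_gt(primary_serial, serial):
            worst, msg = max(worst, WARNING), '%s: behind (%d < %d)' % (server, serial, primary_serial)
        else:
            worst, msg = max(worst, CRITICAL), '%s: ahead or undefined order (%d vs %d)' % (
                server, serial, primary_serial)
        problems.append(msg)
    summary = '; '.join(problems) if problems else 'all secondaries at serial %d' % primary_serial
    return worst, '%s: %s %s' % (STATE[worst], zone, summary)


def main(argv):
    if len(argv) < 4:
        print('usage: check_soa_sync ZONE PRIMARY SECONDARY [SECONDARY...]')
        return UNKNOWN
    zone, primary, secondaries = argv[1], argv[2], argv[3:]
    code, line = check_soa_sync(zone, dig_serial(primary, zone),
                                {s: dig_serial(s, zone) for s in secondaries})
    print(line)
    return code


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Usage from Nagios: `check_soa_sync example.com ns1.example.com ns2.example.com ns3.example.com`; the first line of output is the status text and the exit code selects the state. For "verify delegations against reality" the same plugin shape applies, with the NS sets from parent and child compared instead of serials.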
For all installations:
4. RNDC & SNMP
- Instrumentation of nameservers using SNMP
- rndc and remote control
5. DSC demo?
S3 - S4:
* Presentation: DNS security (CV)
- DNS areas of vulnerability
- Secure zone transfers (AXFR) and TSIG configuration
- Secure dynamic updates
- MITM attacks, cache poisoning (impersonation)
- ACLs & views
- Running securely: chroot jails
- Monitoring of unauthorized AXFR attempts
- DNS cache poisoning, and the rationale for DNSSEC
* Lab 9: DNS security
1. Securing AXFR using IP access-lists
2. TSIG config to limit transfer to authorized hosts (key)
3. Using swatch to monitor AXFR attempts
4. illustrating jails
5. dynamic updates, using & securing
6. dns + filters hands-on with dig
7. DNS blackbox: query recording using tcpdump / wireshark in a loop
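Added example for Lab 9 step 3, the detection side of the AXFR controls in steps 1 and 2 (illustrative code, not part of the workshop material and not a swatch/SEC rule file): the same two conditions you would express as swatch patterns, written out so the thresholding is explicit. It scans BIND log lines for (a) one client being refused zone transfers repeatedly inside a short window, which is what zone enumeration attempts look like once allow-transfer is in place, and (b) a transfer actually being served to an address that is not on the expected secondary list, which means the ACL or TSIG configuration is wrong. The log lines are constructed for this example in BIND's format with print-time and print-category enabled; the client addresses and zone are documentation values. Python 3 standard library only.

```python
import re
from collections import defaultdict
from datetime import datetime

TS = re.compile(r'^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})')
# "client 192.0.2.10#43121: ..." in older BIND; newer releases insert a client
# pointer ("@0x...") and the queried name in parentheses, both accepted here.
CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
DENIED = re.compile(CLIENT + r"zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/IN' denied")
STARTED = re.compile(CLIENT + r"transfer of '(?P<zone>[^/']+)/IN': (?:AXFR|IXFR|AXFR-style IXFR) started")

# Constructed sample log: three refusals from one client in two seconds, a
# legitimate transfer to a listed secondary, then a transfer served to a
# host that should have been refused.
SAMPLE_LOG = """\
07-Feb-2011 16:55:01.123 security: info: client 192.0.2.10#43121: zone transfer 'example.com/AXFR/IN' denied
07-Feb-2011 16:55:02.456 security: info: client 192.0.2.10#43122: zone transfer 'example.com/AXFR/IN' denied
07-Feb-2011 16:55:03.789 security: info: client 192.0.2.10#43123: zone transfer 'example.com/AXFR/IN' denied
07-Feb-2011 16:57:10.001 xfer-out: info: client 198.51.100.2#52000: transfer of 'example.com/IN': AXFR started
07-Feb-2011 16:57:10.500 xfer-out: info: client 198.51.100.2#52000: transfer of 'example.com/IN': AXFR ended
07-Feb-2011 16:58:00.000 security: info: client 203.0.113.7#4100: zone transfer 'example.com/AXFR/IN' denied
07-Feb-2011 16:59:00.000 xfer-out: info: client 203.0.113.7#4101: transfer of 'example.com/IN': AXFR started
"""


def scan(lines, allowed_secondaries, threshold=3, window_seconds=300):
    """Return a list of (alert, client_ip, zone) tuples, in log order."""
    alerts = []
    denied_at = defaultdict(list)            # client ip -> timestamps of refusals
    for line in lines:
        ts_match = TS.match(line)
        ts = datetime.strptime(ts_match.group(1), '%d-%b-%Y %H:%M:%S') if ts_match else None

        d = DENIED.search(line)
        if d:
            ip = d.group('ip')
            denied_at[ip].append(ts)
            recent = [t for t in denied_at[ip]
                      if ts is None or t is None or (ts - t).total_seconds() <= window_seconds]
            if len(recent) == threshold:     # fire once, when the threshold is crossed
                alerts.append(('repeated-denied-axfr', ip, d.group('zone')))
            continue

        s = STARTED.search(line)
        if s and s.group('ip') not in allowed_secondaries:
            alerts.append(('axfr-to-unlisted-host', s.group('ip'), s.group('zone')))
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG.splitlines(), allowed_secondaries={'198.51.100.2'}):
        print(alert)
```

The second condition is the one worth keeping after the lab: a refusal shows the control is working, a transfer to an unlisted host shows it is not. Fed from `tail -F` on the security and xfer-out channels, the same loop becomes the watcher for step 3.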
Day 4: DNS and the network, DNSSEC
----------------------------------
S1:
* Presentation: DNS and IPv6
- IPv6 service
- IPv6 Resource Records, and impact on clients
* Lab 10: IPv6
- creating IPv6 resource records
- service DNS traffic over v6, testing resolution
S2:
* Presentation: DNS & Firewalls
- DNS and filtering (TCP, UDP, size)
- Why the 512-byte UDP limit
- truncation, fragmentation problems
- Packet size limitations and EDNS0
S3 - S4:
* Presentation: Introduction to DNSSEC
...
Day 5: DNSSEC Hands-on
----------------------
S1:
* Tutorial: DNSSEC hands-on
- signing toolkits
- BIND 9.7+, OpenDNSSEC
S2:
* Lab 11: Zone signing
...
* Lab 12: Automation using OpenDNSSEC
...
S3:
* Presentation: IDN
- protocol / encoding
- operational impact
- IDN demo and how DNS deals with it
- using dig with IDN
* Lab 13: Deploy IDN
1. Deploy IDN zones
2. Test with browser
- IDN2 overview
- Protocols, encoding
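Added example for the IDN presentation and Lab 13 (illustrative code, not part of the workshop material): the DNS itself never sees Unicode; an IDN label travels as an A-label, the punycode encoding of the U-label with the "xn--" ACE prefix, and that is the form `dig` has to be given. These helpers convert in both directions label by label and enforce the 63-octet label limit, which applies to the encoded form and is easy to hit with non-ASCII names. Only the encoding step is shown; the IDNA normalization and code-point rules that a full implementation applies before encoding are not. The names used in the test are constructed; Python 3.7+ standard library only.

```python
import codecs

ACE = 'xn--'        # ASCII-compatible-encoding prefix that marks a punycode label
MAX_LABEL = 63      # DNS label length limit, measured on the wire (encoded) form


def to_alabel(name):
    """Unicode domain name -> ASCII form usable on the wire and with dig.
    ASCII labels pass through lower-cased; other labels are punycode-encoded
    and prefixed with xn--. A trailing dot is preserved."""
    labels = []
    for label in name.rstrip('.').split('.'):
        if label.isascii():
            out = label.lower()
        else:
            out = ACE + codecs.encode(label.lower(), 'punycode').decode('ascii')
        if len(out) > MAX_LABEL:
            raise ValueError('label too long after encoding: %r' % out)
        labels.append(out)
    return '.'.join(labels) + ('.' if name.endswith('.') else '')


def to_ulabel(name):
    """ASCII domain name -> Unicode form for display; non-xn-- labels are kept."""
    labels = []
    for label in name.rstrip('.').split('.'):
        if label.lower().startswith(ACE):
            labels.append(codecs.decode(label[len(ACE):].encode('ascii'), 'punycode'))
        else:
            labels.append(label)
    return '.'.join(labels) + ('.' if name.endswith('.') else '')


def dig_command(name, rrtype='A'):
    """argv for querying an IDN with dig: always the A-label form."""
    return ['dig', to_alabel(name), rrtype]


if __name__ == '__main__':
    for n in ('bücher.example.', 'ñandú.example', 'plain.example'):
        a = to_alabel(n)
        print('%s -> %s -> %s' % (n, a, to_ulabel(a)))
    print(' '.join(dig_command('bücher.example', 'AAAA')))
```

In the browser test, the address bar shows the U-label while the HTTP Host header and the DNS query carry the A-label; in Wireshark the query name will be the xn-- form, which is what the zone file must contain.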
S4: - Open (Q&A, Evaluation)
Last modified on Feb 7, 2011, 5:06:29 PM
