CZ.NIC Laboratories released the first public version of DNS Probe. It is a high-performance DNS traffic capture tool developed as a part of the ADAM project. Its essential function is to listen on a network interface, capture DNS traffic (both UDP and TCP), pair DNS queries with corresponding responses, and export consolidated records about every single DNS transaction observed on the wire. DNS Probe can be deployed either on the same machine as the DNS server, or on a separate monitoring computer that receives an exact copy of the DNS server’s traffic (e.g. via switch port mirroring).
DNS resolvers are constantly adding features while not removing any, but this trend cannot continue indefinitely because the software would eventually break under its own weight. Which features are used in practice and which can be safely removed? We present preliminary results of a survey among DNS resolver administrators, and also invite readers to participate in cross-vendor survey which is open until 2020-06-30.
As a planned milestone in the ADAM project (Advanced DNS Analytics and Measurements), CZ.NIC Laboratories in cooperation with CSIRT.CZ are about to commence regular operation of DNS crawler. This tool will periodically scan all second-level domains under TLD .cz, collect selected publicly available data about them, and process them further in various ways. Despite the name, the DNS crawler will collect data not only from DNS; it will also communicate with each domain’s web and e-mail server. We plan to run the tool with two periods: most data items will be collected on a weekly basis, only the contents of main web pages <domain>.cz or www.<domain>.cz will be retrieved less frequently – once a month. In addition, newly registered domains will be subject to an extra scrutiny: their data will be retrieved daily for the first two weeks of their existence. The DNS crawler software is designed so as to minimize the impact on the operation of second-level domains and network infrastructure in general. Data obtained from the crawler will be used for these principal purposes:
This article describes NXNSAttack, a newly discovered DNS protocol vulnerability which affects most recursive DNS resolvers. It allows to execute random subdomain attack using DNS delegation mechanism, resulting in big packet amplification factor.
As we have reported several times, after massive upgrades of the anycast DNS for the .CZ domain zone in recent years and building of the 100GbE DNS infrastructure, we are now focusing more on targeted tuning of the anycast operation. For example, we try launching new DNS stacks in the locations of significant DNS traffic sources, both abroad and in Czechia. The launch of the DNS stack on the CESNET network at the beginning of April is the most recent fruit of this work.
Recently, two entities have asked us to help them host their DNS zones and in both cases, we were happy to oblige. One of them was the Czech neutral peering node NIX.CZ, with which we often share technical know-how and help each other when it makes sense. The other one was the domain register of Guatemala operating the .gt ccTLD, which we humored as part of our long-term support of developing registers, like we have done the case with the registers of Angola, Malawi, Tanzania or North Macedonia.
DNS is one of the critical services necessary for proper operation of the Internet. Also it is often a target of various cyber attacks. Considering this fact, operators of authoritative DNS servers require robust solutions offering enough performance for regular DNS traffic and resisting possible attacks against this service. That is the reason why we focus, besides other aspects, on the performance during development of our authoritative DNS server Knot DNS. Benchmarking is an inseparable part of the project and we have been exploring various ways of further performance growth. Recently we had a great opportunity to play with the epic 128-thread processor AMD EPYC 7702P. In this blog post I will share some results from its benchmarking.
A global DNS maintenance is scheduled for February 1, 2019, and authoritative server operators must get ready for it. That is why we dedicate our today’s article to the state of readiness of .CZ domains for changes that will be effective from the beginning of next month.
The latest release of our authoritative DNS server, Knot DNS 2.7, comes with several new features. One of them is the GeoIP module for geography-based or subnet-based responses. In this article, we will briefly explain what the module is for and how it works and then we will explore how to set up and configure the module on your Knot server.
DNS has been in use on the Internet for more than 30 years — now it is time for its worldwide maintenance that shall, for the first time in the existence of DNS, require coordinated actions from all operators of DNS servers and DNSSEC validators.