We have released a new version of Turris OS 5.0. It is based on top of OpenWrt 19.07.3 with our patches and feed for all of Turris routers. In this article, we will go through new features and changes, including experimental migration from the Turris OS 3.x version. We will mention a few obstacles we faced during the development and introduce several features you can expect in future releases.
Survey: How do you configure DNS resolvers?
DNS resolvers are constantly adding features while not removing any, but this trend cannot continue indefinitely because the software would eventually break under its own weight. Which features are used in practice and which can be safely removed? We present preliminary results of a survey among DNS resolver administrators, and also invite readers to participate in cross-vendor survey which is open until 2020-06-30.
Launching DNS Crawler
As a planned milestone in the ADAM project (Advanced DNS Analytics and Measurements), CZ.NIC Laboratories in cooperation with CSIRT.CZ are about to commence regular operation of DNS crawler. This tool will periodically scan all second-level domains under TLD .cz, collect selected publicly available data about them, and process them further in various ways. Despite the name, the DNS crawler will collect data not only from DNS; it will also communicate with each domain’s web and e-mail server. We plan to run the tool with two periods: most data items will be collected on a weekly basis, only the contents of main web pages <domain>.cz or www.<domain>.cz will be retrieved less frequently – once a month. In addition, newly registered domains will be subject to an extra scrutiny: their data will be retrieved daily for the first two weeks of their existence. The DNS crawler software is designed so as to minimize the impact on the operation of second-level domains and network infrastructure in general. Data obtained from the crawler will be used for these principal purposes:
NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack
This article describes NXNSAttack, a newly discovered DNS protocol vulnerability which affects most recursive DNS resolvers. It allows to execute random subdomain attack using DNS delegation mechanism, resulting in big packet amplification factor.
WireGuard on Turris
Now more then ever, people connect and work remotely. Everybody uses some kind of VPN, at least in the tech world. The new, trendy and cool way of doing VPNs is Wireguard. Everybody speaks about it and since March it is finally a part of Linux kernel. Its advantages are that it is setup in more straight forward way than alternatives and that it is blazingly fast.
DNS stack, now in CESNET
As we have reported several times, after massive upgrades of the anycast DNS for the .CZ domain zone in recent years and building of the 100GbE DNS infrastructure, we are now focusing more on targeted tuning of the anycast operation. For example, we try launching new DNS stacks in the locations of significant DNS traffic sources, both abroad and in Czechia. The launch of the DNS stack on the CESNET network at the beginning of April is the most recent fruit of this work.
Current statistics on global situation regarding COVID-19 at one place
The internet has been recently flooded with websites trying to create various statistical information regarding the new coronavirus. Just within the Czech register, there are several. If you are on of the people who like to follow latest “coronavirus” numbers or if you use them in your work, you can face multiple obstacles. Some of the statistics give you the data you need, but they are outdated and are not regurlarly refreshed. In case of dynamic visualizations, you are limited by fixed boundaries. If you are not satisfied with that, you can try a newly created tool for generating dynamic visualizations from the CZ.NIC Association that offers a broad set of features and settings. You can for example choose any country/region and a formula for your desired curve, copy URL and of course refresh the data simply by pressing F5. Everything you can find on the web page https://covid-19.nic.cz/.
“Critical” opkg CVE and Turris
You might have heard on some news sites about “critical” vulnerability in OpenWrt. You might be worried about how it affects is your Turris. That is the reason for quotes around the word critical. TLDR not applicable against Turris
NIX.CZ DNS hosting and .gt ccTLD
Recently, two entities have asked us to help them host their DNS zones and in both cases, we were happy to oblige. One of them was the Czech neutral peering node NIX.CZ, with which we often share technical know-how and help each other when it makes sense. The other one was the domain register of Guatemala operating the .gt ccTLD, which we humored as part of our long-term support of developing registers, like we have done the case with the registers of Angola, Malawi, Tanzania or North Macedonia.
Protecting your servers with Turris Sentinel
Little bit of history
Apart from operating .CZ top level domain, CZ.NIC does a lot of other interesting things contributing to the common good. Part of it is running Czech national CSIRT team, doing security research and raising awareness about potential security issues. As part of our security research, we started wondering a long time ago how much are the average Joes and Janes attacked, by who and how. People that are just connected to the internet, run no public service and are just consumers. If only there was some kind of probe that would allow us to see what is going on there…