a flexible dnssec validating resolver
play

A flexible DNSSEC-validating Resolver Ondej Sur - PowerPoint PPT Presentation

Jul 15, 2023 •137 likes •265 views

A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What is Knot DNS Resolver? Platform for building recursive DNS service Open-source DNS Resolver (GPLv3+) Full DNSSEC support: RFC 6650

  1. A flexible DNSSEC-validating Resolver Ondřej Surý • ondrej.sury@nic.cz • 7.3.2016

  2. What is Knot DNS Resolver? ● Platform for building recursive DNS service ● Open-source DNS Resolver (GPLv3+) ● Full DNSSEC support: ● RFC 6650 – ECDSA support ● RFC 5011 – Automated Trust Anchor Management ● RFC 7646 – Negative Trust Anchors

  3. What is Knot DNS Resolver? ● Written in C and LuaJIT ● Scriptable daemon with dynamic configuration in Lua ● Simple core extensible with modules in C, Lua & Go ● “Happy Eyeballs” IPv6 (20ms headstart) ● No internal threading, scales by self-replication

  4. Who is it for? Everybody! ● Large recursive DNS farms ● Small recursors in private networks ● Personal resolvers ● Geeks, tinkerers, you :)

  5. Large recursive DNS farms ● Scales, the really fast scriptable engine allows you to change resolution ● Flexible shared cache backends ● Local: lmdb ● Networked: memcached, redis ● New instances just pick the data from the shared cache ● Great statistics, metrics, and plotting with Graphite backend ● and f.e. InfluxDB, Grafana ● RF7646 Negative Trust Anchors ● Cluster-aware – etcd module for shared self-configuration ● Views and ACL support ● Prefetching

  6. Plotting in Grafana

  7. Small recursors in private networks ● QNAME minimisation for DNS privacy ● DNSSEC and RFC5011 key management ● Low memory consumption (cache can be paged out) ● Query policy based resolution ● Match: pattern, suffix, RPZ ● Action: PASS, DENY, DROP, FORWARD, TC ● DNS64 support to complement NAT64

  8. Personal resolvers ● Simple config-less operation ● Just give it a writeable file for DNSSEC root trust anchor and you are good to go ● Persistent caching (survives reloads/reboots) ● Tinyweb module for monitoring your queries ● Live Demo: https://kitsune.labs.nic.cz/ ● Future: ● DNS over HTTP and dealing with “hotel wifis” ● DNS over TLS (as the standards mature)

  9. Tinyweb output

  10. Geek, Tinkers, … ● kresd is scriptable without binding go port 53 ● scripts/kresd-host.lua ● dig/host like utility $ ./scripts/kresd-host.lua -c IN -t AAAA www.fosdem.org www.fosdem.org has IPv6 address 2001:67c:1808::5 ● scripts/kresd-query.lua ● Prints DNS response QNAME kresd-query.lua -t SOA cz "print(pkt:qname())" cz ● Prints RCODE from the DNS response kresd-query.lua -t SOA nan. "print(pkt:rcode())" ← 3 # NXDOMAIN ● API specification in the documentation

  11. Current status ● A beta phase of the project and almost a release candidate ● Ongoing thorough testing ● Comes with extensive documentation ● http://knot-resolver.rtfd.org ● Give it a try! ● Shiny new website: https://www.knot-resolver.cz/ ● Debian and Ubuntu packages (see the website) ● Sources: https://gitlab.labs.nic.cz/knot/resolver ● Docker # docker run cznic/knot-resolver ● Throw a normal and a weird DNS stuff on it ● Report back any oddities or success stories

  12. Thank you and you can Knot! https://www.youtube.com/watch?v=aMxcAaR0oHU

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor:

Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor:

Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor: Willem Toorop System and Network Engineering Universiteit van Amsterdam Research Project 2 Xavier Torrent Gorj on Supervisor: Willem Toorop

446 views • 20 slides
ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
DNSSEC on Campus By Michael Sinatra University of California, Berkeley You didnt think I

DNSSEC on Campus By Michael Sinatra University of California, Berkeley You didnt think I

DNSSEC on Campus By Michael Sinatra University of California, Berkeley You didnt think I was really going to use that font, did you? What we did Began validating DNSSEC responses on our caching resolvers using ISC DLV in October 2008

504 views • 21 slides
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and interoperable Secure and scalable DNSSEC in Windows DNS

266 views • 14 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij

DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij

DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij roland.vanrijswijk@surfnet.nl The problem in 1 slide Authoritative Name Server Firewall Recursive Caching Name Server (resolver) 2 SURFnet:

442 views • 13 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Investor Presentation Q1 2020 Financial & Business Review 21 May 2020 1 Disclaimer This

Investor Presentation Q1 2020 Financial & Business Review 21 May 2020 1 Disclaimer This

Investor Presentation Q1 2020 Financial & Business Review 21 May 2020 1 Disclaimer This presentation may contain forward-looking statements which are based on Media Prima Berhads (MPB) current expectations, forecasts and

549 views • 22 slides
#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL

#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL

#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL LONDON VENTURE CRAWL What is this thing? LONDON VENTURE CRAWL Venture Crawl through the ages.. 2017 2018 2019 LONDON VENTURE CRAWL

512 views • 22 slides
Analytics & Tech Trends How to sound techy without actually being a nerd Jai Govindani

Analytics & Tech Trends How to sound techy without actually being a nerd Jai Govindani

Analytics & Tech Trends How to sound techy without actually being a nerd Jai Govindani Chief Technology Officer Red Planet Hotels HSMAI August 2016 The Digital Journey Digital its not just about tools, its a way of life

396 views • 15 slides
AGM Presentation 29 November 2017. CONTENTS. Company

AGM Presentation 29 November 2017. CONTENTS. Company

AGM Presentation 29 November 2017. CONTENTS. Company Overview......3 FY 2017

624 views • 38 slides
Is Work a Game? Josh Hart CTO of yulife Prepared for REBA Innovation Day Are you entertained?

Is Work a Game? Josh Hart CTO of yulife Prepared for REBA Innovation Day Are you entertained?

Is Work a Game? Josh Hart CTO of yulife Prepared for REBA Innovation Day Are you entertained? Are you entertained? Weve had Weve had a busy a busy decade decade Entertainment is changing Entertainment is changing 32

634 views • 49 slides
Planned Accidents: Unit 2 Research Proposal How do graphic design students utlise the internet

Planned Accidents: Unit 2 Research Proposal How do graphic design students utlise the internet

Planned Accidents: Unit 2 Research Proposal How do graphic design students utlise the internet for research? Is it effective? Or is it just eye candy? Can it be improved? PG Certificate unit 2 / research proposal / 25.05.16 / Darren Leader

532 views • 15 slides
Klein Oak GT Parent Night Tuesday, Sept. 24th, 2019 AGENDA Welcome!

Klein Oak GT Parent Night Tuesday, Sept. 24th, 2019 AGENDA Welcome!

Klein Oak GT Parent Night Tuesday, Sept. 24th, 2019 AGENDA Welcome! http://bit.ly/KOGTppt Introductions Purpose: Inform and connect with parents about opportunities/services for GT students at Klein Oak. Advanced Learning

634 views • 26 slides
Can Regulators be Confident that an FRMS Provides an Acceptable Level of Safety? ICAO FRMS

Can Regulators be Confident that an FRMS Provides an Acceptable Level of Safety? ICAO FRMS

Can Regulators be Confident that an FRMS Provides an Acceptable Level of Safety? ICAO FRMS Symposium 29-30 August 2011 Kathryn Jones UK CAA K Jones ICAO FRMS Symposium 2011 Short Answer YES K Jones ICAO FRMS Symposium 2011 Where

469 views • 15 slides

More recommend