DNS domains and servers testing Sl Slavko Gajin k G ji - - PowerPoint PPT Presentation

▶

Jan 25, 2024 276 likes •428 views

DNS domains and servers testing Sl Slavko Gajin k G ji slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty of Electrical Engineering Motivation DNS first and

SLIDE 1

DNS domains and servers testing

Sl k G ji Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES – Academic Network of Serbia RCUB - Belgrade University Computer Center ETF – Faculty of Electrical Engineering

SLIDE 2

Motivation

DNS – first and still basic infrastructural network service Must be always up and running Multi-redundant DNS is “ boring” for netadmins, comparing to other newer services Usually works well, at least nobody complains… y , y p Do ALL our serves work well or work at all? DIG can give all the answers… but highly difficult to cross-check and analyze lot of textual … but highly difficult to cross-check and analyze lot of textual data S

lution

DNS testing tools: DNS S quish DNS S leuth DNS S tuff DNS goodies DNS testing tools: DNS S quish, DNS S leuth, DNS S tuff, DNS goodies ICmyNet.DNS

Automaticaly test all DNS serves involved in resolution for specified domain, including all servers on all parent domains

TF-NOC, 11.10.2011

do a , clud g all se ve s o all pa e t do a s Free online service (beta) – live.icmynet.com/icmynet-dns

SLIDE 3

ICmyNet.DNS Checks

More then 35 different checks at domain and server level Reported levels

Notification – information about normal conditions Warning – minor errors, non-compliant with the standards and recommendations E i b t t iti l i i till ki Error – serious but not critical errors – services is still working Critical – critical errors which cause service misbehavior or interruption

TF-NOC, 11.10.2011

SLIDE 4

Warnings

S OA syntax and parameters

S OA record has invalid syntax: primary nameserver name is invalid.

Refresh interval is not in the recommended range (1200 - 43200s). Retry interval is not in the recommended range (900 - 7200s). Expire time is not in the recommended range (1209600 - 2678400s). Minimum TTL is not in the recommended range (3600 - 10800s).

CNAME, A record, PTR record

DNS / Mail server server-name has CNAME record.

server-name server does not have an A record on the primary server.

There is no PTR record for name server name. Reverse name reverse name for server server name has CNAME record Reverse name reverse name for server server name has CNAME record. Mail servers mail server 1 and mail server 2 … and mail server N have the same IP address.

AS , subnets, public address

All DNS i th AS All DNS servers are in the same AS . All DNS servers are in the same subnet. All DNS servers have the same C class. Mail server does not have public IP address.

TF-NOC, 11.10.2011

p

NS

NS records of the primary server do not match the list of authoritative servers.

SLIDE 5

Errors

Public zone transfer – security risk

S erver supports public zone transfer for domain domain.

Recursion

S erver supports recursion for domain domain.

No mail servers

No mail servers found.

A d A record

server-name server does not have an A record on the primary server.

A Records for servers name1, name2, …, nameN have the same IP address. There is no A Record on the primary DNS server for mail server mail

server.

S erver does not have a public IP address.

Consistency with the parent servers Consistency with the parent servers

S erver server-name is authoritative and parents are referring to it but it is not defined on the primary server (S tealth server).

S OA

Unable to determine primary DNS server

TF-NOC, 11.10.2011

Unable to determine primary DNS server.

NS TTL

Time to live (TTL) differs from the primary server.

SLIDE 6

Critical errors

UDP/ TCP response

S erver did not respond over the UDP protocol. S erver did not respond over the TCP protocol. p p

S OA

S OA version number is different from the primary server.

Authority

S i t th it ti f d i d

i

S erver is not authoritative for domain domain.

Consistency with the parent servers

There is no A Record (Glue Record) for server name at the parent zone. S erver server-name is not authoritative but parents are referring to it. p g S erver server-name is authoritative but parents are not referring to it (S tealth server). A Records from parents and zone for server name do not match.

Mail server Mail server

MX record has invalid syntax. A Record for mail server differs from the A Record of the server-domain domain's primary server.

L

TF-NOC, 11.10.2011

Loop

number loop(s) found.

SLIDE 7

Example – Healthy domain

TF-NOC, 11.10.2011

SLIDE 8

Example - Stealth servers

TF-NOC, 11.10.2011

SLIDE 9

Example - Unsynchronized SOA

TF-NOC, 11.10.2011

SLIDE 10

Example - Server is not responding

TF-NOC, 11.10.2011

SLIDE 11

Example – non authoritative server

TF-NOC, 11.10.2011

SLIDE 12

Example - Loops

TF-NOC, 11.10.2011

SLIDE 13

What next?

Receive and analyze the feedbacks

Clean up some bugs I f ti lit t t Improve functionality - new tests

New research PhD proj ect – DNS testing portal

Testing as many domains as possible Report warnings/ errors/ critical errors to DNS admins Portal for DNS admins

change settings, schedule tests, specify reporting check out from the reporting

Goals

spread awareness about DNS problems before they appear spread awareness about DNS problems before they appear initiate wide DNS clean-up

Target group – NREN members

support the proj ect by providing a list of domains of NREN members

TF-NOC, 11.10.2011

support the proj ect by providing a list of domains of NREN members

SLIDE 14

Questions

TF-NOC, 11.10.2011

DNS domains and servers testing

Sl k G ji Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES – Academic Network of Serbia RCUB - Belgrade University Computer Center ETF – Faculty of Electrical Engineering

Motivation

DNS testing tools: DNS S quish DNS S leuth DNS S tuff DNS goodies DNS testing tools: DNS S quish, DNS S leuth, DNS S tuff, DNS goodies ICmyNet.DNS

Automaticaly test all DNS serves involved in resolution for specified domain, including all servers on all parent domains

do a , clud g all se ve s o all pa e t do a s Free online service (beta) – live.icmynet.com/icmynet-dns

ICmyNet.DNS Checks

More then 35 different checks at domain and server level Reported levels

Warnings

S OA syntax and parameters

S OA record has invalid syntax: primary nameserver name is invalid.

CNAME, A record, PTR record

DNS / Mail server server-name has CNAME record.

server-name server does not have an A record on the primary server.

There is no PTR record for name server name. Reverse name reverse name for server server name has CNAME record Reverse name reverse name for server server name has CNAME record. Mail servers mail server 1 and mail server 2 … and mail server N have the same IP address.

AS , subnets, public address

All DNS i th AS All DNS servers are in the same AS . All DNS servers are in the same subnet. All DNS servers have the same C class. Mail server does not have public IP address.

p

NS

NS records of the primary server do not match the list of authoritative servers.

Errors

Public zone transfer – security risk

S erver supports public zone transfer for domain domain.

Recursion

S erver supports recursion for domain domain.

No mail servers

No mail servers found.

A d A record

server-name server does not have an A record on the primary server.

A Records for servers name1, name2, …, nameN have the same IP address. There is no A Record on the primary DNS server for mail server mail

server.

S erver does not have a public IP address.

Consistency with the parent servers Consistency with the parent servers

S erver server-name is authoritative and parents are referring to it but it is not defined on the primary server (S tealth server).

S OA

Unable to determine primary DNS server

Unable to determine primary DNS server.

NS TTL

Time to live (TTL) differs from the primary server.

Critical errors

UDP/ TCP response

S erver did not respond over the UDP protocol. S erver did not respond over the TCP protocol. p p

S OA

S OA version number is different from the primary server.

Authority

S i t th it ti f d i d

i

S erver is not authoritative for domain domain.

Consistency with the parent servers

Mail server Mail server

MX record has invalid syntax. A Record for mail server differs from the A Record of the server-domain domain's primary server.

L

Loop

number loop(s) found.

Example – Healthy domain

Example - Stealth servers

Example - Unsynchronized SOA

Example - Server is not responding

Example – non authoritative server

Example - Loops

What next?

Receive and analyze the feedbacks

Clean up some bugs I f ti lit t t Improve functionality - new tests

New research PhD proj ect – DNS testing portal

Testing as many domains as possible Report warnings/ errors/ critical errors to DNS admins Portal for DNS admins

change settings, schedule tests, specify reporting check out from the reporting

Goals

spread awareness about DNS problems before they appear spread awareness about DNS problems before they appear initiate wide DNS clean-up

Target group – NREN members

support the proj ect by providing a list of domains of NREN members

support the proj ect by providing a list of domains of NREN members

Questions

slavko.gaj in@ rcub.bg.ac.rs