A Little Something DDI This Christmas - Men & Mice


- A PUBLICATION OF MEN & MICE-

A Little Something DDI This Christmas

Thirteen short, useful, DDI tips or tricks assured to make your networking life run just that little bit smoother in the future.


TABLE OF CONTENTS

Introduction

Tip One - Monitor your DNS/DHCP Health with Sheep-Cote Clod

Tip Two - Gully Gawk’s RPZ for DNS

Tip Three - Stubby makes DNS lookup even shorter

Tip Four - Migrating a database from SQLite to MS SQL Server with Spoon Licker

Tip Five - Pot Scraper does IPAM subnet discovery

Tip Six - Bowl Licker Solves IPAM Host Discovery

Tip Seven - Dig up DNS with Door Slammer

Tip Eight - Skyr Gobbler tests DNS reply size

Tip Nine - Sausage Swiper sniffs out rogue IP addresses

Tip Ten - Peeping through IPAM multiple address spaces with Window Peeper

Tip Eleven - Monitoring DNSSEC with Doorway Sniffer

Tip Twelve - Updating reverse DNS records with Meat Hook

Tip Thirteen - DDI dreaming with Candle Stealer


Introduction

In some parts of the world, Santa operates as a lone wolf. Every year on the night of the 24th of December, he packs his sled chock full of presents, hollers for his reindeer, waves the elves goodbye … and then spends all night trying not to get stuck in chimneys while delivering presents.

In other parts of the world, children also get presents from Santa. But not only once. And not only on the 25th. And not under a tree. And also not from only one lone Santa trying to wriggle down the chimney. No, in Iceland, where Men & Mice has their roots, they don’t settle for just one Santa - they have THIRTEEN.

The Icelandic Santas, or Yule Lads, are made up of a band of mischievous brothers who live in the mountains with their scary ogress mother, Gryla, her good-for-nothing third husband, Leppaludi, and the beastly Yule Cat.

Gryla likes to eat people. Apparently she ate her first husband. As a result, “naughty” children have been terrified of her culinary habits from as early as the 13th Century. Of course well-behaved children, just like anywhere else in the world, have nothing to worry about other than the size of the present they’ll be getting under the tree … or in the shoe they left on the windowsill for that purpose, as is the case in Iceland.


Every night from the 12th of December, one of Gryla’s sons comes down from the mountains to put presents in children’s shoes. Unless they’ve been naughty, of course, in which case they get a potato.

But whether they get a present or a potato, Icelandic children always know when the Yule Lads have been to visit. They are notoriously messy and can’t help but leave a trail of trouble. They eat leftovers, lick bowls, slam doors or steal sausages, amongst other things. Hence their rather descriptive names: Pot Scraper, Bowl Licker, Door Slammer and Sausage Swiper, to name a few.

Christmas 2015, Men & Mice decided to bring a little bit of the spirit of the Icelandic Yule Lads to those interested. Not the trail-of-trouble spirit, but rather the present-in-the-shoe spirit, that is!

From the 12th of December, the Yule Lads arrived every day, introducing a short, useful, DDI tip or trick assured to make your networking life run just that little bit smoother in the future.

Monitor Your DNS/DHCP Health with Sheep-Cote Clod

TIP ONE

The first Yule Lad of 13, Sheep-Cote Clod (Stekkjarstaur), is known for harassing sheep, but is impaired by his stiff peg-legs.

These legs are killing me. Every year it’s the same thing. I keep telling Mother to let one of the others go first. I mean, why must I always be the one to kick open a path through the snow? Then they just get to sleep late and walk easy? I can’t even bend my left knee at all anymore! Can’t remember when was the last time I managed to get my hands on a sheep ...

True to form, Mother gave me a stiff one with her stick for my trouble. Now my head hurts too. And then she said I have nothing to complain about, my Men & Mice Health Monitor status indicators were all yellow. If anything was seriously wrong with my legs, like a DNS slave zone was expiring or parts of a DHCP scope were over-utilized, it would show up bright red.

I wanted to tell her that if she’d bothered to expand my Health Monitor bar, she’d get the real story, but my head was hurting too much already, so I just whispered something about how a bit more “support” would be nice.

I thought she was going to explode. She banged on the table and roared on and on about how the Men & Mice Suite is always adding more and more support, just look at how from Version 6.9 it also supports retrieving host and subnet discovery information from VRF enabled routers! I should just STOP my whining and get on with it, I’m not the only Yule Lad on the calendar!

The old bat sure is getting crankier and crazier by the day. Perhaps I am better off trouncing through the stupid snow with my sore legs and this silly sack of presents. At least then she can’t get to me with her stick. Merry Christmas, Me. Ugh.

Gully Gawk’s RPZ for DNS

TIP TWO

Yule Lad no. 2, Gully Gawk (Giljagaur), hides in gullies, waiting for an opportunity to sneak into the cowshed and steal milk.

SECURITY, they say. BUZZWORD, they say. I DON’T CARE, I say. If I want to get in, I’ll get in.

Some build walls to keep me out. Others even build firewalls. And then they sit back, relax and think that a wall or so will be enough to keep me from my milk. THINK AGAIN, I say. Once I catch a whiff of that white nectar, fresh from an unsuspecting udder, nothing will keep me out.

Except, maybe … I will admit it … I have a hard time with layers. You know, one thing on top of another, overlapping and integrating? I mean a wall is a wall, I have almost no problem finding my way over, under or around one single wall. But when I can’t see where one barrier begins and another one ends, I tend to … struggle.

Leppaludi, who, I guess, needs all the security layering he can get from Mother’s “displays” of affection, claims you can improve your layers of security by managing Response Policy Zones (RPZ) from within the Men & Mice Suite. You just need to open the “Options” dialog box for a master zone (only on BIND servers) and you will see the Response Policy Zone checkbox. To specify a zone as an RPZ zone, just click the checkbox. Or so he says.

Ha! I’d like to see him checking any boxes without Mother seeing it!

Me, I don’t care what anyone else checks. I’m catching a whiff of white … going to see if this cowshed is RPZ free. The scent of milk is killing me!

Stubby makes DNS lookup even shorter

TIP THREE

Arriving third, Stubby (Stúfur) is abnormally short and steals pans to eat the crust left on them.

I don’t know why everyone calls Mother a “monster”. She never bugs me. On the other hand, she also often forgets to feed me. I’m beginning to think it’s because she has a hard time seeing me, what with her glaucoma and my … size.

I’m not exactly what you’d call highly visible. Some nice people might describe me as “vertically challenged”. My not-so-nice brothers just call me a short s_ _ t. And then they steal my dinner.

I’m getting right sick of them picking on me because I’m short. Short can be good too. For instance, I never hit my head against beams and I can easily hide under a bunch of teddy bears when I’m delivering presents. In fact, I’m so short, I can let the toilet double up as a bath if needed!

“Short” has a lot of advantages. For example, when we’re messing around in the Men & Mice Suite, I can easily get a short, sweet DNS lookup answer by using the +short option: just enter dig menandmice.com +short. I’ve had so much fun doing that, I’ve even added my own. You can have a go if you like! dig TXT stubby.menandmice.com. +short

Ha ha! Bet those not-so-short barbarian brothers of mine don’t know how to do that! Wonder if I should tell them? Nah, maybe next Christmas.

Migrating a database from SQLite to MS SQL Server with Spoon Licker

TIP FOUR

Spoon Licker (Þvörusleikir), who is extremely thin due to malnutrition, arrives fourth. He likes to steal wooden spoons to lick.

I know I’m skinny. In some places, it’s a much-desired attribute. I’ve heard that most human women want to be “skinny” and then they end up buying a lot of stuff to eat and drink to make them so. Makes no sense to me.

No one ever calls me skinny, though. Most often, I’m called scrawny or gangly or spindly. Or just plain Yule Lad Lite. My brothers like to call me that. Then they push me over and roll around on their fat bellies laughing (RAOTFBL).

And sometimes when they think they’re reaaaally funny, they even say my Men & Mice Central database is SQLite and how am I planning to migrate my bony bottom to a Microsoft SQL Server?

Thing is, I know exactly how I’ll do it. It’s simple really, probably too simple for those potbellied, meatheaded brothers of mine. Shortly, it goes like this. Create a Men & Mice Suite database in a Microsoft SQL server. Create a directory on the Men & Mice Central Server or directly on the SQL server. Then, you, eh, download, eh, no install, or no, maybe extract this, eh, whatsitsname, thingy, you know. Wait, let me check.

I’m so hungry now. Blood sugar dropping. Wish I could find a spoon to lick. I’ll never migrate my bony bottom anywhere at this rate.

Feeling very faint now. Where’s a spoon when you need one? Damnit! Why can’t I just eat food like other people? Stupid spoons.

Pot Scraper does IPAM subnet discovery

TIP FIVE


Fifth to arrive, and some would say treated like the typical middle child, Pot Scraper (Pottaskefill) makes do with stealing leftovers from pots.

Bits and pieces. Story of my life. I always seem to be the one left to scrape together little bits here and tiny chunks there and in the end, that’s supposed to make a whole meal. Or at least that’s what Mother says.

I don’t mind. If I just look in the right places, I can make a whole lot of useful discoveries. Just the other day, I was fiddling with the Men & Mice Suite when I accidentally came across the subnet discovery feature. I wanted to change the way my idiot brothers configured the host discovery feature and checked the “Synchronize subnets…” box, just to see what would happen.

What a discovery! A whole new world opened up to me! All of a sudden, additional columns appeared in the list of IP Address Ranges. Then I realized that they are updated automatically every time the subnet discovery is performed – apparently every 15 minutes by default. And when a subnet is no longer found on a router, it’s not removed, but the additional fields are cleared.

That can only be a good thing. One shouldn’t just throw away leftovers willy-nilly, you never know when you’ll need it again later. As Mother always says: every scrap I find is one step closer to my portion.

Christmas dinner, here I come!

Bowl Licker Solves IPAM Host Discovery

TIP SIX

The 6th Yule Lad to arrive, Bowl Licker (Askasleikir) hides under beds while waiting to steal people’s food bowls.

Funny how people hardly ever check under their beds. They only seem to bother if they’ve lost something. Or if they’ve just watched a horror movie. Not that I’m complaining! Their carelessness has kept my belly full for centuries.

In the old days, when Icelanders were all cooped up in their turf houses and often sat on their beds eating, there was plenty of boiled mutton and potatoes left over in their bowls. Nowadays people still eat in their beds at times, but it’s most often some dry, crunchy stuff or sweet, creamy stuff or sometimes orange twiglets. I’ve heard them called “carrots”. I don’t like those very much. But I love the crunchy stuff. And there are so many flavors! Much more choice for me than all that grey meat from before.

The food might be nicer, but even now, nobody seems to care who is under their beds. I’ve sometimes heard them tapping away on their computers, though, cursing and demanding to know which hosts were last seen on their network.

They’re such a careless bunch. If they really cared for host discovery, they could configure host discovery in the Men & Mice Suite. And there’s more than one way to do it! They could either do it through using ping or through querying routers, basically setting a discovery schedule or by placing a router in an SNMP profile.

Dig up DNS with Door Slammer

TIP SEVEN

Door Slammer (Hurðaskellir), the 7th Lad, likes to slam doors, especially during the night.

Doors, magnificent doors. There’s nothing like a hard “slam” or bouncy “bang” to give meaning to my day. Even better if it makes people jump in their seats or fall out of their beds! Luckily, those horrible sliding or revolving versions can’t be found in most homes. Life would just be so much more bland without the sound of a regular SLAM-dunk-BANG.

It’s happened though, in some of the bigger houses, that I run around slamming doors up to the point where I, well, kind of lose track of where I am. And maybe also where I’ve been … or where I’m going.

I’m not proud of it, but once Mother had to be called down from the mountains to come and find me. When she finally located me, she was livid. Pulled me along by the ear while screaming something about how her life would be so much simpler if I were an SOA record. Then she wouldn’t have to come out and risk her life on the slippery ice. She could just use dig menandmice.com +nssearch to find me. Dig would try to find the authoritative name servers for the zone containing the name being looked up AND display the SOA record that each name server has for the zone.

I couldn’t quite make out the rest too well as my ear was scrunched up between her thumb and some warts, but I could’ve sworn she said something about this dig helping to check if the SOA record serial number is the same on all zone instances. It crossed my mind to tell her that I’m her son, not a record or a zone, but it’s best not to tempt Mother’s temper once it’s on fire. Sigh.
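The serial comparison this tip describes can be scripted. The following is an added example, not part of the original Men & Mice publication: a shell function that reads dig +nssearch output, lists the SOA serial each name server returned, and flags zone instances that are out of step or name servers that did not answer. The sample output, the example.com names and the function name soa_serial_check are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the SOA serials reported by `dig <zone> +nssearch`.
# Live use: dig menandmice.com +nssearch | soa_serial_check

# Constructed sample output: both name servers hold the same serial.
sample_in_sync() {
cat <<'EOF'
SOA ns1.example.com. hostmaster.example.com. 2015121201 3600 600 604800 3600 from server 192.0.2.1 in 12 ms.
SOA ns1.example.com. hostmaster.example.com. 2015121201 3600 600 604800 3600 from server 198.51.100.1 in 31 ms.
EOF
}

# Constructed sample output: the second server still serves an older serial.
sample_stale() {
cat <<'EOF'
SOA ns1.example.com. hostmaster.example.com. 2015121201 3600 600 604800 3600 from server 192.0.2.1 in 12 ms.
SOA ns1.example.com. hostmaster.example.com. 2015121101 3600 600 604800 3600 from server 198.51.100.1 in 29 ms.
EOF
}

# soa_serial_check [expected_servers]
# Reads +nssearch output on stdin. Prints one "serial server" line per answer,
# then a verdict. Exit status: 0 in sync, 1 mismatch or missing answer, 2 no SOA.
soa_serial_check() {
  awk -v expected="${1:-0}" '
    $1 == "SOA" && NF >= 8 {
      serial = $4                      # SOA fields: mname rname serial ...
      server = "unknown"
      for (i = 9; i < NF - 1; i++)
        if ($i == "from" && $(i + 1) == "server") server = $(i + 2)
      printf "%s %s\n", serial, server
      if (!(serial in seen)) { seen[serial] = 1; distinct++ }
      answers++
    }
    END {
      if (answers == 0)       { print "NO-SOA";   exit 2 }
      if (distinct > 1)       { print "MISMATCH"; exit 1 }
      # A server that timed out prints no SOA line, so count the answers too.
      if (answers < expected) { print "MISSING";  exit 1 }
      print "IN-SYNC"
    }'
}

# Demo on the constructed stale sample, expecting two name servers.
sample_stale | soa_serial_check 2 || echo "serial check exit status: $?"
```

Passing the number of name servers you expect catches the case where all answers agree only because one server never replied.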

Skyr Gobbler tests DNS reply size

TIP EIGHT


Nothing comes in the way of the 8th Yule Lad, Skyr Gobbler (Skyrgámur) when it comes to eating the delicious Icelandic dairy dish, skyr.

Skyr. It’s the best. Don’t know how anyone can even try to eat yogurt once they’ve tasted skyr. It’s like the difference between gelato and sorbet – half the texture, half the joy.

Just this morning, I made myself comfy under the skyr barrel and just let it flow, straight into these hungry jowls. Pure bliss. Sometimes, when the skyr isn’t flowing like it should, I get really cranky. Almost as cranky as when there’s a DNS resolver limiting my DNS reply size. Such a hassle. Whenever that happens, I test my DNS reply size with $ dig +short rs.dns-oarc.net txt

If the result is lower than 4000 Bytes, I call Mother. She knows how to slap the crap out of a resolver that doesn’t support Extension Mechanisms for DNS (EDNS) or how to stop an uppity firewall from interfering. And if all else fails, she just checks out the info at https://www.dns-oarc.net/oarc/services/replysizetest to figure out what’s spoiling my good cheer.

But today, today is a good day. No skyr blockages and no DNS server bottlenecks. Only the smooth surge of units of joy. Ahhh, paradise.
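The 4000-byte check from this tip can be automated. The following is an added example, not part of the original Men & Mice publication: a shell function that reads the output of dig +short rs.dns-oarc.net txt, extracts the measured reply size limit, and suggests whether a low result points at a resolver without EDNS or at something on the path. The three samples are constructed, the wording of the TXT lines is an assumption about the test's output format, and the cause labels are a heuristic.

```sh
#!/bin/sh
# Added example: judge `dig +short rs.dns-oarc.net txt` output against 4000 bytes.
# Live use: dig +short rs.dns-oarc.net txt | reply_size_verdict
# Samples are constructed; the TXT line wording is an assumed output format.

sample_ok() {
cat <<'EOF'
rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"192.0.2.53 sent EDNS buffer size 4096"
"192.0.2.53 DNS reply size limit is at least 4023 bytes"
EOF
}

sample_no_edns() {
cat <<'EOF'
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"192.0.2.53 lacks EDNS, defaults to 512"
"192.0.2.53 DNS reply size limit is at least 490 bytes"
EOF
}

sample_path_limited() {
cat <<'EOF'
rst.x1383.rs.dns-oarc.net.
rst.x1395.x1383.rs.dns-oarc.net.
rst.x1403.x1395.x1383.rs.dns-oarc.net.
"192.0.2.53 sent EDNS buffer size 4096"
"192.0.2.53 DNS reply size limit is at least 1403 bytes"
EOF
}

# reply_size_verdict [min_bytes]   (default 4000, the threshold used in the tip)
# Prints "OK <size>", "LOW <size> <cause>" or "UNKNOWN".
# Exit status: 0 OK, 1 LOW, 2 no result line found.
reply_size_verdict() {
  awk -v min="${1:-4000}" '
    { gsub(/"/, "") }                       # TXT strings arrive quoted
    /lacks EDNS/            { noedns = 1 }
    /sent EDNS buffer size/ { buf = $NF + 0 }
    /reply size limit is at least/ {
      for (i = 1; i < NF; i++)
        if ($i == "least") { size = $(i + 1) + 0; found = 1 }
    }
    END {
      if (!found)      { print "UNKNOWN"; exit 2 }
      if (size >= min) { printf "OK %d\n", size; exit 0 }
      cause = "path"                        # big buffer offered, small replies arrive
      if (noedns) cause = "no-edns"         # resolver does not speak EDNS
      else if (buf > 0 && buf < min) cause = "small-buffer"
      printf "LOW %d %s\n", size, cause
      exit 1
    }'
}

# Demo over the constructed samples.
for s in sample_ok sample_no_edns sample_path_limited; do
  printf '%s: ' "$s"
  "$s" | reply_size_verdict || true
done
```

A "path" verdict means the resolver advertised a large EDNS buffer but larger replies still did not arrive, which is where a firewall or other middlebox is the usual suspect.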

Sausage Swiper sniffs out rogue IP addresses

TIP NINE

9th in line, Sausage Swiper (Bjúgnakrækir) hides in the rafters of the smoking shed and snatches sausages that are being smoked.

It’s nice hiding here. No one can see me. They never look up or search the Containers anyway. They just always fiddle with their precious sausages and then leave.

One would think they’d be a bit more careful and all, or at least bother to count the sausages. They never seem to miss any until it’s too late, and the best sausages are already safely disposed of … in my stomach.

Oh well, not everyone cares about rogues like me, or about IP addresses that are directly under Containers and not part of IP Address Ranges or Containers. Of course, when “rogues” are present in a Container, it most likely indicates that an IP address range definition is missing within the Container for these addresses. Luckily, in the Men & Mice Suite, the Container icon will get a warning sign on it, and clicking on a button in the Container properties will list the rogue IP addresses, same as when a user opens up a normal range.

Such a simple trick! Maybe they should think of installing such a “rogue” warning in the smoking shed. Could save themselves a whole lot of sausages every year. Then again, why bother reminding them if it’s working so well … for me!

Have a Merry Sausage Christmas, All!

Peeping through IPAM multiple address spaces with Window Peeper

TIP TEN

The tenth Yule Lad, Window Peeper (Gluggagægir), likes to sneak a peek through windows in the hope of finding something nice to steal.

I love it! All these windows and all these lights to help me see in the dark. Humans sure are silly. Each year they add a few more windows AND a new set of lights. How can I do anything else but have a look? So much to see, so much to find, so much, so much ... stuff. I like stuff.

One of my brothers, the one who always sits holed up in the attic where Mother can’t reach him with her stick, says it’s not stuff. It’s called data. And that I should stop peeping into windows like some kind of old-fashioned pervert. He says I should rather use something called the multiple address space feature in the Men & Mice Suite to see what’s going on in other people’s places. According to him, each address space instance contains its own set of DNS servers, DNS zones, DHCP servers, DHCP scopes, IP Address ranges (including the IPv4 and IPv6 root ranges), IP Address entries and object folders.

That’s all well and nice for him. But I told him my space is already cramped enough without him and my other brothers also messing in my so-called “data”. He just laughed at me and said: “Changes to data in one address space do not affect data in any other address space.”

I told him I don’t give a flying turkey about his damn “data”, but if one of them brothers so much as sniffs my smoked leg of lamb again this Christmas, I’ll data him into his own black hole.

Monitoring DNSSEC with Doorway Sniffer

TIP ELEVEN

Third to last, Doorway Sniffer (Gáttaþefur) uses his abnormally large nose and acute sense of smell to locate Christmas “leaf” bread.

It’s a gift they say. You can do so much with it! Sure, it kind of stands out and it is a somewhat conspicuously grand sniffer nose for a simple Yule Lad, but it’s a talent like no other. Not even trained sniffer dogs can match my ability to detect delicious leaf bread, no matter where it’s hidden. I’m also super good at finding keys and lost toys, but only if you managed to touch it with sticky fingers before losing it. I generally find more keys than toys.

Large sniffers are often also sensitive sniffers. Just like a signed DNSSEC zone is much more vulnerable to software or operational errors, my sniffer is also more vulnerable to bread errors. Sometimes, I think I’m detecting “leaf” bread, but the only thing on offer is gluten free spelt bread. That’s such a disappointing misconfiguration.

In a signed DNSSEC zone, such small misconfigurations can render the whole zone invalid. Therefore it’s always a good idea to monitor a newly signed DNSSEC zone to detect potential DNSSEC validation issues before the zone goes public. Or at least that’s what Leppaludi says, and he sure knows a lot about validation issues, being married to Mother and all. He’s given me a great list of tools to help me monitor DNSSEC signed zones. Who knows, it might even help me with my nose! I just won’t be the same without it.

Updating reverse DNS records with Meat Hook

TIP TWELVE

Second-last to arrive, Meat Hook (Ketkrókur) stealthily steals meat with a hook.

Sometimes I just don’t know whether I’m going forwards or backwards. This time of year it’s especially bad. So much meat everywhere!

Once I get down to the humans with my sack of presents, the smells just make me go round and round and round and round. Roast turkey here, smoked leg of lamb there, glazed ham, prime rib, stuffed chicken, juicy quail, tender beef, pork crackling! Where to start! I really have to be careful. It’s so mouthwatering, I might just end up slipping on my own saliva.

When I don’t know where to turn, I like to spend a moment syncing before I make any decisions. You know, updating my reverse records and all. I find it’s best to use the Update Reverse Records Wizard in the Men & Mice Suite for this purpose. It allows me to create reverse DNS zones for selected ranges that exist on subnet boundaries and contain 254 or more IP Addresses (/24 or larger).

I only need to access IP Address Ranges on the object list, select the ranges, right-click, select Update Reverse Records from the shortcut menu and take it from there. Dead easy!

Now only if it were that easy to sync some roasted meat straight onto my hook…

DDI dreaming with Candle Stealer

TIP THIRTEEN

Last to arrive, Candle Stealer (Kertasníkir) follows children in order to steal their candles, which, in former times, were made of tallow and therefore edible.

It’s beyond me why Mother had so many children. Some say there are 80 of us living in the mountains. I don’t know. I’ve long lost count. Besides, she only seems to trust the 13 of us to go down to the humans AND find our way back, so who cares about the others.

Why only 13, I’m sometimes asked. I really can’t say, although I suspect it has something to do with Mother’s obsession with DNS and the DNS root name servers number 13. Perhaps she was hoping they’d rename the servers after her boys. Calling them A, B, C, D, E up to M is really, well, uninspirational, she’s said. Then again, we existed long before DNS. Mother conveniently seems to forget this the moment she switches on her computer.

I’m really, really tired now. Need a break. I told Mother I’ve had enough of snow. Next year, I plan to find my way into some hot countries and dive into an Azure blue ocean. I demand her full support for my adventure. She didn’t answer. She had that far-off look on her face. I like to call it her IPAM expression, the one that makes her look as if she’s stored her consciousness in a Cloud and she’s busy figuring out how to connect all the dots. I think she’s also dreaming of a new set of Windows. She may be a bit harsh on naughty children, but she’s very clever at deciphering clues and optimizing network utilization.


Too tired to chase children tonight. Hungry. Need candles but children nowadays only seem to have electrical bed lights and lava lamps. Last year, I ended up eating a scented candle in the washroom. Unpleasant after effects that had.

Maybe it’s time for me to think out of the box and adapt to the times. Up, up and away I go!

Merry Christmas All!

Goodbye 2015!

Hello 2016!

Boy, are we going to have a good time together!
