The KNOT DNS Server
The Knot-DNS Server
19th March 2015
© Men & Mice http://menandmice.com
About Knot-DNS
fast authoritative DNS server
maintained by
Free software released under GPLv3 (or later)
Knot-DNS Features
Authoritative master and slave zones
AXFR/IXFR zone transfers
DNSSEC signing, NSEC3, EDNS0
response rate limiting
dynamic updates
dnstap
IPv4 and IPv6
dynamic zone loading and reconfiguration
scales well on modern multi-core hardware
Demo time
synthesise records
Record generation "on-the-fly" for forward and reverse zones (Knot 1.x configuration syntax):

zones {
    storage "/etc/knot";
    dnssec-keydir "keys";
    0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. {
        file "zones/0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.";
        query_module {
            synth_record "reverse ipv6-rev- example.com. 3600 2001:db8::/64";
        }
    }
}
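As an added illustration (not Knot's own code or configuration), the following Python model shows what a synth_record module of this kind computes in both directions: decoding an ip6.arpa query name back to an address, refusing anything outside the configured 2001:db8::/64 netblock, and generating the PTR target; it also includes the forward half (an AAAA record for a generated name), which the slide's configuration does not enable. The owner-name scheme (compressed IPv6 with ':' replaced by '-', so 2001:db8::1 becomes ipv6-rev-2001-db8--1.example.com.) is an assumption modelled on Knot's documented naming, and the query names in the block are constructed samples.

```python
import ipaddress

# Added example, not Knot's code: a model of the slide's module line
#   synth_record "reverse ipv6-rev- example.com. 3600 2001:db8::/64";
# Naming scheme (assumption modelled on Knot's documentation): compressed IPv6,
# ':' replaced by '-', prefixed and placed under the origin, e.g.
# 2001:db8::1 -> ipv6-rev-2001-db8--1.example.com.

PREFIX = "ipv6-rev-"
ORIGIN = "example.com."
TTL = 3600
NETWORK = ipaddress.ip_network("2001:db8::/64")


def name_from_address(addr):
    """PTR target (and AAAA owner name) for an address inside NETWORK."""
    return PREFIX + addr.compressed.replace(":", "-") + "." + ORIGIN


def address_from_ptr_query(qname):
    """Turn n.n...n.ip6.arpa. back into an IPv6Address; None if malformed."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:32][::-1]  # reverse names list the least-significant nibble first
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    hexstr = "".join(nibbles)
    return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))


def synth_ptr(qname):
    """Reverse direction: synthesise the PTR for a query in the ip6.arpa zone.
    Addresses outside the configured prefix get nothing, so the module cannot
    be coaxed into answering for address space the zone does not cover."""
    addr = address_from_ptr_query(qname)
    if addr is None or addr not in NETWORK:
        return None
    return (qname, TTL, "PTR", name_from_address(addr))


def address_from_name(qname):
    """Forward direction: parse ipv6-rev-2001-db8--1.example.com. back to 2001:db8::1."""
    q = qname.lower()
    suffix = "." + ORIGIN
    if not q.endswith(suffix):
        return None
    host = q[:-len(suffix)]
    if not host.startswith(PREFIX) or "." in host:
        return None
    try:
        return ipaddress.IPv6Address(host[len(PREFIX):].replace("-", ":"))
    except ValueError:  # label is not an address at all (e.g. ipv6-rev-foo)
        return None


def synth_aaaa(qname):
    """Forward direction: synthesise the AAAA record for a generated name,
    again only for addresses inside NETWORK."""
    addr = address_from_name(qname)
    if addr is None or addr not in NETWORK:
        return None
    return (qname, TTL, "AAAA", str(addr))


if __name__ == "__main__":
    # constructed sample query names: 2001:db8::1 and 2001:db9::1 in reverse form
    inside = "1" + ".0" * 23 + ".8.b.d.0.1.0.0.2.ip6.arpa."
    outside = "1" + ".0" * 23 + ".9.b.d.0.1.0.0.2.ip6.arpa."
    print(synth_ptr(inside))
    print(synth_ptr(outside))  # not in 2001:db8::/64 -> None
    print(synth_aaaa("ipv6-rev-2001-db8--1.example.com."))
```

The netblock check is the security-relevant part: a reverse zone for a /64 only ever hands out names for that /64, and the forward direction only ever returns addresses inside it, so a client cannot use the synthesiser to obtain records for addresses it does not cover.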
dnstap
"dnstap" is a standard, structured binary logging interface through which a DNS server exports the DNS messages it sends and receives: http://dnstap.info/
"dnstap" will be covered in a dedicated webinar in 2015

zones {
    query_module {
        dnstap "/srv/dnstap/capture.tap";
    }
}
response rate limiting
response rate limiting helps to mitigate "DNS reflection" denial of service attacks
see our "DNS reflection attacks" webinar: https://www.menandmice.com/resources/educational-resources/webinars/the-dangers-of-dns-reflection-attacks/

system {
    rate-limit 200;       # each flow is allowed 200 responses per second
    rate-limit-slip 1;    # every rate-limited response is "slipped", i.e. sent truncated instead of dropped (default)
}
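An added example (not Knot's code) of how the two settings interact: a simplified per-flow model of response rate limiting in Python, run against 1000 identical UDP queries arriving from one spoofed source within one second. The flow classification (client /24 or /56 netblock plus response class) and the response sizes are assumptions made for the model; what it shows is that rate-limit caps the number of full-size answers a flow receives, and rate-limit-slip decides what happens to the rest: dropped silently (0) or sent as truncated replies (1 = all of them, N = every Nth), which cost the victim almost no bandwidth but let a genuine client inside the spoofed netblock retry over TCP.

```python
import ipaddress
from collections import Counter, defaultdict

# Added example, not Knot's code: a simplified model of response rate limiting
# with the two knobs from the slide's "system" block. Flow keying on
# (client netblock, response class) with /24 (IPv4) and /56 (IPv6) netblocks,
# and the response sizes below, are assumptions made to keep the model concrete.


def flow_key(src_ip, response_class):
    """Flow = (client netblock, response class). Grouping by netblock means an
    attacker spoofing many addresses inside one /24 still shares one bucket."""
    ip = ipaddress.ip_address(src_ip)
    prefix = 24 if ip.version == 4 else 56
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (str(net), response_class)


class RateLimiter:
    def __init__(self, rate_limit, slip):
        self.rate_limit = rate_limit     # full responses allowed per flow per second
        self.slip = slip                 # every slip-th blocked response goes out truncated
        self.sent = defaultdict(int)     # (second, flow) -> full responses sent so far
        self.blocked = defaultdict(int)  # flow -> blocked responses so far (drives slip)

    def decide(self, now, src_ip, response_class):
        """Return 'answer', 'truncated' or 'drop' for one would-be response."""
        flow = flow_key(src_ip, response_class)
        bucket = (int(now), flow)
        if self.sent[bucket] < self.rate_limit:
            self.sent[bucket] += 1
            return "answer"
        self.blocked[flow] += 1
        # slip == 0: silently drop everything over the limit.
        # slip == 1: send every blocked response as a tiny TC=1 reply, so a real
        # client behind the spoofed netblock can retry over TCP while the
        # amplification is gone. slip == N: truncate every Nth, drop the others.
        if self.slip > 0 and self.blocked[flow] % self.slip == 0:
            return "truncated"
        return "drop"


def simulate(rate_limit, slip, queries, src_ip="192.0.2.77", response_class="NOERROR"):
    """Fire `queries` identical UDP queries within one second and tally the outcomes."""
    rl = RateLimiter(rate_limit, slip)
    return Counter(rl.decide(0.0, src_ip, response_class) for _ in range(queries))


def bytes_to_victim(outcomes, full_size=3000, truncated_size=60):
    """Approximate UDP bytes reflected at the spoofed source (assumed sizes): full
    answers carry the DNSSEC-sized payload, truncated ones are roughly query-sized,
    dropped ones cost nothing."""
    return outcomes["answer"] * full_size + outcomes["truncated"] * truncated_size


if __name__ == "__main__":
    print("no RRL :", dict(simulate(1000, 0, 1000)), bytes_to_victim(simulate(1000, 0, 1000)))
    for slip in (0, 1, 2):
        out = simulate(200, slip, 1000)
        print(f"slip={slip}:", dict(out), "->", bytes_to_victim(out), "bytes/s to victim")
```

With rate-limit 200 and rate-limit-slip 1, the model sends 200 full answers and 800 truncated replies and drops nothing, roughly 648 kB instead of 3 MB reflected at the victim; slip 2 halves the truncated replies into drops, and slip 0 drops all 800, which is the setting that also locks out any legitimate resolver sharing the spoofed netblock.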
tools
knotc - command to control the "knotd" server process
kdig - a clone of the ISC BIND "dig" command
khost - a clone of the ISC BIND "host" command
knsupdate - a clone of the ISC BIND "nsupdate" command
knsec3hash - a clone of the ISC BIND "nsec3hash" command
query speed
startup speed
Availability
Source code from https://www.knot-dns.cz/pages/download.html
Packages and installation recipes for:
Debian
Ubuntu
Fedora
OpenSuse
Arch Linux
Gentoo
FreeBSD / OpenBSD / NetBSD
MacOS X (via Homebrew)
Future - Knot 2.0
new DNSSEC implementation with integrated "Key and Signing Policy (KASP)"
• key rollover automation
• based on GnuTLS/Nettle instead of OpenSSL
• preview available as Knot 1.99.x: https://lists.nic.cz/pipermail/knot-dns-users/2015-February/000583.html
our next webinar
• Report from IETF 92 in Dallas, TX (March 22 – 27, 2015)
• new Internet standards (RFCs) and new developments in regards to DNS, DNSSEC, DANE, DHCP and IPv6 (and IPv4 sunset):
  • use of the DNS "ANY" meta record type
  • e-mail security with PGP keys and S/MIME keys in DNSSEC-secured DNS
  • news on the re-worked DHCPv6 RFC standard
  • Enhanced Duplicate Address Detection in IPv6
  • design choices for IPv6 networks
  • news on ICMPv6 "Packet Too Big" problems and solutions
  • issues with DNS configuration options for SLAAC
  • considerations for running multiple IPv6 prefixes
  • DHCP privacy considerations
  • YANG models for DHCPv4 and DHCPv6
• The 45-minute webinar will take place online on Tuesday, March 31st, 2015 at 2 pm GMT / 4 pm CEST / 10 am EDT / 7 am PDT
Q/A
2015 schedule, slides, links, recording and errata will be posted at https://www.menandmice.com/resources/educational-resources/webinars/