
DNS High-Availability Tools - Open-Source Load Balancing Solutions


The DNS protocol has built-in high availability for authoritative DNS servers (explained in the webinar: a caching resolver measures every authoritative server it talks to and prefers the fastest one), but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing.

In this webinar, we look at how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver from a list of available servers, and how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD.


  1. © Men & Mice, http://menandmice.com. DNS High-Availability Tools: Open-Source Load Balancing Solutions. Wednesday 7 December 2016
  2. Resolver HA
     • The DNS protocol has built-in high availability for authoritative DNS servers, but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing.
     • In this webinar, we will look into
       • how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver among a list of available servers, and
       • how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD.
  3. Authoritative DNS
  4–27. Authoritative DNS (animated diagram; the individual frames are summarised here). A local caching DNS server keeps a roundtrip-time (RTT) estimate for each authoritative name server of a zone (name servers a, b and c, with RTTs such as 3, 5 and 2) and sends its next query for that zone to the server with the lowest RTT. Three lookups are walked through:
     • ftp://ftp.menandmice.is.: “What is the address of ftp.menandmice.is.?” The resolver asks the root (“”), gets “Here is a list of ‘is.’ name servers”, then asks the is. servers and finally the menandmice.is. servers. A slow server’s RTT jumps (338) and it is avoided on the next round.
     • http://www.yahoo.fr.: the same walk over “” → fr. → yahoo.fr. (“Here is a list of ‘fr.’ name servers”), with RTTs of 331 and 85 recorded.
     • dig @ns.berkeley.edu.: “What is the address of ns.berkeley.edu.?”, walked over “” → edu. → berkeley.edu. (“Here is a list of ‘edu.’ name servers”), with RTTs of 5, 83, 324 and 315 recorded.
     The point of the walk-through: because the resolver measures every authoritative server it talks to, an unreachable or slow authoritative server is automatically deprioritised, so authoritative DNS is highly available without any extra tooling. The stub resolver on a client has no such mechanism for its list of caching resolvers, which is the problem the rest of the webinar addresses.
  28–29. UNIX / Linux Stub Resolver
      • UNIX/Linux stub resolvers use a configuration file called resolv.conf
      • This file is usually found in the /etc directory
  30. Name Server List
      • Syntax: nameserver <IP address>
      • Example: nameserver 192.168.0.1
      • Notes:
        • Most UNIX/Linux stub resolvers (glibc included) use at most 3 nameserver entries; further entries are silently ignored
        • If multiple are listed, they are queried in the order given: the second server is only asked after the first one has timed out
  31. Unix DNS-Client Resolver timeout (defaults: timeout 5 s, 2 attempts)

      Attempt   1 DNS-Resolver   2 DNS-Resolvers   3 DNS-Resolvers
      1         5 s              2 x 5 s           3 x 5 s
      2         10 s             2 x 5 s           3 x 3 s
      Total     15 s             20 s              24 s
  32. Unix DNS-Client Resolver timeout
      • The resolver timeout can be changed in the file /etc/resolv.conf:
          options timeout:1 attempts:4
          nameserver 100.64.1.100
          nameserver 100.64.2.120
      • attempts: how many times a query is sent to each DNS resolver before the stub resolver gives up (silently capped at 5)
      • timeout: initial timeout, in seconds, for a query to a name server listed in resolv.conf (silently capped at 30). For the second and successive rounds of queries the timeout is doubled each round and divided by the number of name servers in resolv.conf: round n waits timeout x 2^(n-1) / nscount seconds per server (integer division, minimum 1 s).
      • The keyword is “options” (plural); a line starting with “option” is silently ignored and the defaults stay in force.
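The timeout rule above, carried through in code, as an added example that is not part of the Men & Mice deck: a POSIX shell function that reads a resolv.conf, applies the caps from resolv.conf(5) and glibc's limit of three nameserver entries, and reports how long one lookup stalls when the first listed resolver is dead (the common degraded case) and how long it takes before the stub resolver gives up entirely. The resolv.conf files in the demo and usage note are constructed for this example.

```shell
#!/bin/sh
# Added example: worst-case stall of a glibc stub resolver for a given resolv.conf.
# Timeout rule (resolv.conf(5)):
#   round 1:   every listed server is tried with `timeout` seconds
#   round n>1: (timeout << (n-1)) / nscount seconds per server, minimum 1 s
# Caps: timeout <= 30, attempts <= 5; glibc uses at most 3 nameserver lines.

resolv_stall() {
    # $1: path of a resolv.conf-style file.
    # Prints two numbers: "<stall when the 1st server is dead> <total before giving up>"
    timeout=5 attempts=2 nscount=0
    while read -r key rest; do
        case "$key" in
            nameserver)
                if [ "$nscount" -lt 3 ]; then nscount=$((nscount + 1)); fi ;;
            options)                       # "option" (singular) is ignored, as glibc does
                for opt in $rest; do
                    case "$opt" in
                        timeout:*)  timeout=${opt#timeout:} ;;
                        attempts:*) attempts=${opt#attempts:} ;;
                    esac
                done ;;
        esac
    done < "$1"
    # Non-numeric values fall back to the defaults; numeric ones are capped.
    case "$timeout"  in ''|*[!0-9]*) timeout=5  ;; esac
    case "$attempts" in ''|*[!0-9]*) attempts=2 ;; esac
    [ "$timeout" -gt 30 ] && timeout=30
    [ "$attempts" -gt 5 ] && attempts=5
    [ "$nscount" -eq 0 ] && nscount=1      # no nameserver line: glibc asks localhost

    total=0 round=0
    while [ "$round" -lt "$attempts" ]; do
        if [ "$round" -eq 0 ]; then
            per=$timeout
        else
            per=$(( (timeout << round) / nscount ))
            [ "$per" -le 0 ] && per=1
        fi
        total=$(( total + per * nscount ))
        round=$(( round + 1 ))
    done
    # Without "rotate", every lookup pays the first-round timeout of the dead
    # first server before the second server is asked at all.
    echo "$timeout $total"
}

# Stand-alone demo over the two configurations from the deck (constructed files).
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf 'nameserver 172.22.1.210\nnameserver 172.22.1.217\n' > "$f"
    printf 'defaults:              %s\n' "$(resolv_stall "$f")"
    printf 'options timeout:1 attempts:4\nnameserver 100.64.1.100\nnameserver 100.64.2.120\n' > "$f"
    printf 'timeout:1 attempts:4:  %s\n' "$(resolv_stall "$f")"
    rm -f "$f"
fi
```

With the two-resolver default file the function reports "5 20": a dead first resolver costs 5 s per lookup and a lookup with both resolvers dead fails after 20 s, matching the table on slide 31. The deck's "options timeout:1 attempts:4" file gives "1 16". Feeding it the same file with the keyword misspelled as "option" yields "5 20" again, which is exactly what glibc does with such a file.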
  33. Unix DNS-Client Resolver “Round-Robin”
      • The order in which the DNS resolvers are queried can be tweaked in /etc/resolv.conf:
          options rotate
          nameserver 100.64.1.100
          nameserver 100.64.2.120
      • rotate: round-robin selection of the listed resolvers within one resolver session. It only takes effect if the client program sends several queries after initialising the resolver, because the rotation state lives in the process; not many programs do this, and a short-lived process always starts with the first nameserver again.
  34. Send Client-Resolver options via DHCP (1/2)
      • There is no standard DHCP option to transport the attempts, timeout and rotate resolver options
      • In the ISC DHCP server, add a new option definition (file /etc/dhcp/dhcpd.conf); code 232 lies in the private-use option range and is chosen here for this purpose:
          option resolv-options code 232 = text;
          option resolv-options "timeout:2 attempts:4 rotate";
  35. Send Client-Resolver options via DHCP (2/2)
      • On each ISC DHCP client, add the same option definition and request the option (file /etc/dhcp/dhclient.conf):
          option resolv-options code 232 = text;
          request resolv-options;
      • and add a DHCP script hook (file /etc/dhcp/dhclient-enter-hooks.d/resolvoptions):
          if [ "$new_resolv_options" ]; then
              echo "options $new_resolv_options" >> /etc/resolv.conf
          fi
      • Two caveats. Enter hooks are sourced before dhclient-script regenerates /etc/resolv.conf, so on distributions whose dhclient-script rewrites the file the appended line is lost again; override make_resolv_conf in the hook or put the logic into /etc/dhcp/dhclient-exit-hooks.d instead. And the option value is untrusted input from whichever DHCP server answers on the LAN, so it should be validated before it is written into resolv.conf.
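A hardened variant of the hook above, as an added example that is neither the deck's nor ISC's code: the DHCP option value is filtered through the resolv.conf(5) options grammar before anything is appended, so shell text, extra lines such as an injected "nameserver" entry, or unknown keywords never reach the file. The function names, the accepted keyword list and the sample inputs are this example's own choices.

```shell
#!/bin/sh
# Added example: validate a DHCP-supplied resolver option string before it is
# appended to resolv.conf. The value is LAN input and is treated as hostile.

# Print the tokens of $1 that are valid resolv.conf options; exit 1 if any token
# was rejected. Runs in a subshell so "set -f" (no globbing of tokens) stays local.
sanitize_resolv_options() (
    set -f
    out="" rc=0
    for tok in $1; do                  # splits on blanks and newlines alike
        case "$tok" in
            rotate|debug|edns0|single-request|single-request-reopen|use-vc|no-tld-query|no-reload|trust-ad)
                out="$out $tok" ;;
            timeout:*|attempts:*|ndots:*)
                case "${tok#*:}" in
                    ''|*[!0-9]*|???*) rc=1 ;;    # empty, non-numeric or more than 2 digits
                    *) out="$out $tok" ;;
                esac ;;
            *)  rc=1 ;;                          # shell text, "nameserver ...", anything unknown
        esac
    done
    printf '%s\n' "${out# }"
    exit "$rc"
)

# Append one "options" line built from the accepted tokens to the resolv.conf
# given as $1; $2 is the raw DHCP value. Writes nothing if nothing survives.
append_resolv_options() {
    accepted=$(sanitize_resolv_options "$2") || :
    if [ -n "$accepted" ]; then
        printf 'options %s\n' "$accepted" >> "$1"
    fi
}

# In the dhclient hook (enter or exit hook, depending on when the distribution's
# dhclient-script regenerates resolv.conf) the call would be:
#   [ -n "$new_resolv_options" ] && append_resolv_options /etc/resolv.conf "$new_resolv_options"
```

Given "timeout:2 attempts:4 rotate" the filter returns the string unchanged; given "timeout:2 rotate; rm -rf /" it keeps only "timeout:2" and reports a rejection, and a value carrying a second line "nameserver 203.0.113.9" loses that line entirely instead of adding an attacker's resolver to the client.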
  36. Windows Stub Resolver
  37–43. Windows Stub Resolver (screenshots of the IPv4 properties dialog and its advanced DNS tab; only the captions are recoverable):
      • Obtain DNS servers via DHCP
      • Configure listed DNS servers manually
      • List of additional DNS resolvers to query
  44. Windows DNS-Client Resolver Timeouts, 1 DNS server (source for this and the next two tables: https://support.microsoft.com/de-de/kb/2834226)

      Time    DNS Query
      0 s     initial query, wait 1 s
      1 s     2nd query, wait 1 s
      2 s     3rd query, wait 2 s
      4 s     4th query, wait 4 s
      8 s     5th query, wait 4 s
      12 s    Client-Resolver gives up

  45. Windows DNS-Client Resolver Timeouts, 2 DNS servers

      Time    DNS Query
      0 s     initial query to the 1st DNS server in the list, wait 1 s
      1 s     initial query to the 2nd DNS server in the list, wait 1 s
      2 s     2nd query to the 2nd DNS server in the list, wait 2 s
      4 s     query to all DNS servers in the list, wait 4 s
      8 s     query to all DNS servers in the list, wait 4 s
      12 s    Client-Resolver gives up

  46. Windows DNS-Client Resolver Timeouts, 3 or more DNS servers

      Time    DNS Query
      0 s     initial query to the 1st DNS server in the list, wait 1 s
      1 s     initial query to the 2nd DNS server in the list, wait 1 s
      2 s     initial query to the 3rd DNS server in the list, wait 2 s
      4 s     query to all DNS servers in the list, wait 4 s
      8 s     query to all DNS servers in the list, wait 4 s
      12 s    Client-Resolver gives up
  47. Adjusting the Windows DNS-Client timeouts
      • The DNS-Client timeouts can be customised using the registry value
          HKLM\System\CurrentControlSet\Services\Dnscache\Parameters\DNSQueryTimeouts
      • This value does not exist by default; while it is absent the pre-defined default values from the tables above are used
      • https://blogs.technet.microsoft.com/stdqry/2011/12/02/dns-clients-and-timeouts-part-1/
      • https://blogs.technet.microsoft.com/stdqry/2011/12/14/dns-clients-and-timeouts-part-2/
  48. Demo Setup
  49–53. DNS-Resolver without HA (diagram): the client’s /etc/resolv.conf lists the two caching resolvers 172.22.1.210 and 172.22.1.217 directly, so when 172.22.1.210 fails every lookup first waits out the stub resolver timeout before 172.22.1.217 is asked:
          /etc/resolv.conf
          nameserver 172.22.1.210
          nameserver 172.22.1.217
  54. Unix resolver demo
  55. OpenBSD relayd
  56. relayd
      • relayd is a daemon to relay and dynamically redirect incoming connections to a target host
      • available on OpenBSD (older versions were also ported to FreeBSD)
      • relayd can dynamically reconfigure the OpenBSD firewall “pf” to redirect traffic (layer 3 redirect)
      • relayd can also work as an application layer proxy (layer 7 relay)
  57–60. DNS-Resolver with relayd (diagram): two relayd hosts share the virtual IP 172.22.1.206 via the CARP protocol and sit in front of the resolvers 172.22.1.210 and 172.22.1.217. The client lists the VIP first and keeps the real resolvers as fallbacks:
          /etc/resolv.conf
          nameserver 172.22.1.206
          nameserver 172.22.1.210
          nameserver 172.22.1.217
  61. relayd redirect configuration (file /etc/relayd.conf)
          # Layer 3 forwarding
          table <dnsserver> { 172.22.1.210, 172.22.1.217 }

          redirect dnsbalance {
              listen on 172.22.1.206 tcp port 53
              listen on 172.22.1.206 udp port 53
              forward to <dnsserver> check tcp
          }
  62–70. OpenBSD relayd, layer 3 redirect (animated diagram, summarised): relayd runs in userspace and probes each DNS server (BIND 9) in the table. While the probes return OK, relayd configures PF rules in the kernel, and a DNS query arriving at the VIP is redirected by PF to one of the backends without passing through relayd itself. When a DNS server goes DOWN, the probe returns Not-OK, relayd rewrites the PF rules to drop that host from the redirect, and subsequent DNS queries are redirected only to the remaining healthy server.
  71. relayd relay configuration (file /etc/relayd.conf)
          # Layer 7 Application Layer Proxy
          table <dnsserver> { 172.22.1.210, 172.22.1.217 }

          dns protocol "dnsproto"

          relay dnsbalance {
              protocol dnsproto
              listen on 172.22.1.206 port 53
              forward to <dnsserver> check tcp
          }
  72–80. OpenBSD relayd, layer 7 proxy (animated diagram, summarised): in relay mode the DNS query terminates at relayd in userspace; relayd sends its own query to a backend that passed the probe and hands the answer back to the client. When a DNS server goes DOWN, the probes return Not-OK and relayd forwards only to the remaining server. Note that “check tcp” (used in both relayd configurations) only verifies that TCP port 53 accepts a connection; a resolver process that is up but unable to resolve, for example a BIND that lost its upstream connectivity, still passes the check.
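Both relayd configurations above rely on “check tcp”. As an added example that is neither the deck's nor the relayd project's code, here is a check script that asks each backend a real question with dig and reports it healthy only for a NOERROR answer carrying at least one record. It assumes BIND 9's dig is installed on the relayd host, uses menandmice.com. as the probe name (any name every backend can answer works), and follows relayd.conf(5)'s exit-code convention for check scripts, where a non-zero status marks the host up and zero marks it down; confirm that convention against the manual page of the relayd version in use before relying on it. The dig output used in the usage note is constructed.

```shell
#!/bin/sh
# Added example: relayd "check script" for the <dnsserver> table. relayd calls it
# with the table entry (here the backend address) as the only argument.
#
# /etc/relayd.conf (in place of "check tcp" in the redirect or relay block):
#   forward to <dnsserver> check script "/usr/local/libexec/dns_healthcheck"

CHECK_NAME=${CHECK_NAME:-menandmice.com.}   # assumption: a name every backend can answer

# Decide "up" from dig's text output: status NOERROR and at least one answer
# record. Anything else (SERVFAIL, empty answer, "connection timed out") is down.
# Returns 0 for up and 1 for down, the normal shell convention.
judge_dig_output() {
    status=$(printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    answers=$(printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p')
    [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]
}

# Probe one backend ($1). Fails closed: no dig, no reply or a bad reply all mean
# "down", so a broken resolver is never marked healthy by accident. One try with
# a one-second limit keeps the probe inside relayd's check timeout.
dns_healthcheck() {
    command -v dig >/dev/null 2>&1 || return 1
    out=$(dig +time=1 +tries=1 "@$1" "$CHECK_NAME" A 2>/dev/null) || :
    judge_dig_output "$out"
}

# Map the shell result onto relayd's convention (assumption, see relayd.conf(5)):
# exit 1 = host up, exit 0 = host down. Prints the status for manual runs.
relayd_exit_code() {
    if dns_healthcheck "$1"; then echo "up"; return 1; else echo "down"; return 0; fi
}

# When relayd runs the script it passes exactly one argument.
if [ $# -eq 1 ]; then
    relayd_exit_code "$1"
    exit $?
fi
```

The decision lives in judge_dig_output so it can be exercised without a network: the header line ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242" followed by ";; flags: qr rd ra; QUERY: 1, ANSWER: 2, ..." is judged up, whereas a SERVFAIL header, a NOERROR header with "ANSWER: 0" (a referral or an empty answer) and dig's ";; connection timed out; no servers could be reached" line are all judged down. dnsdist needs no such script: it sends a real DNS health-check query to each backend by default.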
  81. relayd demo
  82. PowerDNS dnsdist
  83. dnsdist: “dnsdist” is a DNS-aware application level gateway
      • part of PowerDNS, but DNS-server agnostic (can be used with any DNS resolver or authoritative server)
      • supports various load-balancing schemes (least outstanding, firstAvailable, weighted hash, weighted random, round-robin, ...)
      • can do more than load balancing (filter, block and rewrite DNS traffic, ...)
  84. dnsdist
      • Lua configuration and Lua-scriptable
      • available for Linux (Debian, Raspbian, SUSE, Ubuntu, CentOS) and FreeBSD
      • should work on other Unix-ish systems
      • Free Software (GPLv2 license)
      • http://dnsdist.org
  85–90. DNS-Resolver with dnsdist (diagram): two dnsdist hosts share the address 172.22.1.200, moved between them by Heartbeat, in front of the resolvers 172.22.1.210 and 172.22.1.217. The client only needs the shared address:
          /etc/resolv.conf
          nameserver 172.22.1.200
  91. Starting dnsdist: a simple dnsdist startup without a configuration file
          # dnsdist -l 172.22.1.200 172.22.1.210 172.22.1.217
      • -l 172.22.1.200: local IP to listen on for DNS queries
      • 172.22.1.210 172.22.1.217: DNS servers to forward queries to
      • Even without a configuration file dnsdist only answers clients in its default ACL (loopback, RFC 1918, link-local and similar ranges); to serve other networks, or to stop serving some, set the ACL explicitly with setACL() in the configuration. Backend health checks (a real DNS query to each server) are on by default.
  92. dnsdist demo
  93. dnsdist statistics demo
  94. Comparing relayd and dnsdist
  95–99. relayd vs. dnsdist
      • Availability: relayd is only available on OpenBSD (and, in older versions, FreeBSD); dnsdist is available on many Linux/Unix systems
      • Data path: relayd offers fast layer 3 forwarding in kernel space (via pf) as well as userspace proxying; dnsdist only does userspace proxying (but is still pretty fast)
      • Monitoring: relayd has simple health monitoring and reporting; dnsdist has online DNS statistics and a Web-UI with statistics (bind it to a management address and protect it with a password)
      • Filtering: relayd filters with the “pf” firewall; dnsdist does DNS-aware filtering, optionally with Lua scripting
      • License: relayd is BSD-licensed; dnsdist is GPLv2
  100. Men & Mice Training
      • February 13 – 17, Redwood City, California, US: Introduction to DNS & BIND Hands-On class and Introduction & Advanced DNS and BIND Topics Hands-On
      • March 6 – 10, Amsterdam (NL) or Osnabrueck (DE): Introduction to DNS & BIND Hands-On class and Introduction & Advanced DNS and BIND Topics Hands-On
      • https://www.menandmice.com/support-training/training/
  101. Webinar schedule 2017. This is our schedule for the webinars in the beginning of 2017:
      • 2 February 2017: BIND 9 logging best practices
      • 23 March 2017: DNSSEC zone signing tutorial
      • 13 April 2017: SMTP STS (Strict Transport Security) vs. SMTP with DANE
  102. Webinar schedule 2017. Additional webinar topics coming in 2017:
      • DNSSEC key management with BIND 9 "keymgr"
      • BIND 9 (and Men & Mice) on Docker (Linux)
      • Men & Mice Suite on Docker with Windows 2016 Server
      • How to manage DMARC, SPF, DKIM, multi-part TXT, CAA and DANE records in DNS zones
      • DNS over TCP: new developments from the IETF
      • DNS servers with SQL databases: PowerDNS and BIND 9
  103. Thank you! Questions? Comments?
