Namespaces for Local Networks
Name Resolution Webinar Trilogy Part 1

A little change …
HSTS forced for all ".dev" top level domains

… major problem (for some)
[Figure: Current Chrome Browser / Future Chrome Browser]

What has happened?
• Google changed the code of the next Chrome browser to enforce proper TLS encryption on all ".dev" domains
• The TLD ".dev" is owned by Google
https://www.iana.org/domains/root/db/dev.html

What is the problem?

HSTS?
• HSTS is short for "HTTP Strict Transport Security"
• RFC 6797: https://tools.ietf.org/html/rfc6797
• HSTS declares that web-browser connections towards this domain always need to be secured by TLS (HTTPS)
• HSTS is usually set in the website configuration and sent via an HTTP header to the browser
• The browser caches the value for "max-age" time
[Figure: HSTS Header] https://securityheaders.io/
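
The HSTS behaviour this deck describes, as an added example that is not part of the original slides: a small Python model of a browser's HSTS store, combining entries learned from the header ("max-age" caching) with preloaded TLD entries such as the ".dev", ".foo" and ".google" entries the deck attributes to Chrome. The class and function names are made up for illustration, and the model leaves out details of real browsers.

```python
import re

# TLDs the deck names as shipped with preloaded HSTS in Chrome.
PRELOADED_TLDS = frozenset({"dev", "foo", "google"})


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value (RFC 6797).

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid and has to be ignored (no max-age, repeated directive).
    """
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue                      # empty directive, e.g. trailing ";"
        if name in seen:
            return None                   # directives must not repeat
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Simplified HSTS state of one browser profile (hypothetical model)."""

    def __init__(self, preloaded_tlds=PRELOADED_TLDS):
        self.preloaded_tlds = set(preloaded_tlds)
        self.dynamic = {}                 # host -> (expiry_time, include_subdomains)

    def note_header(self, host, header_value, now, over_tls=True):
        """Record a header seen in a response; True if it was accepted."""
        policy = parse_sts_header(header_value) if over_tls else None
        if policy is None:
            return False                  # plain-HTTP or invalid headers are ignored
        max_age, include_sub = policy
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.dynamic.pop(host, None)  # max-age=0 removes a cached entry
        else:
            self.dynamic[host] = (now + max_age, include_sub)
        return True

    def https_required(self, host, now):
        """Return "preloaded", "cached" or None for a host name."""
        labels = host.lower().rstrip(".").split(".")
        if labels[-1] in self.preloaded_tlds:
            return "preloaded"            # no header from the server can undo this
        for i in range(len(labels)):
            entry = self.dynamic.get(".".join(labels[i:]))
            # A parent's entry only applies when it set includeSubDomains.
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return "cached"
        return None


if __name__ == "__main__":
    store = HstsStore()
    store.note_header("www.example.com", "max-age=3600; includeSubDomains", now=1000)
    for name in ("myapp.dev", "intranet.corp", "a.www.example.com"):
        print(name, store.https_required(name, now=2000))
```

A local web server reached as "myapp.dev" is forced to HTTPS even though it never sent the header, which is the breakage described at the start of the deck.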

Google, Chrome and "dev"
• Google owns both the Chrome browser and the "dev" TLD
• For Google it makes sense to ship the Chrome browser with preloaded HSTS for their own domains
• Besides "dev", this today includes the "foo" and "google" TLDs

"dev" TLD is not the only problem
• Administrators and developers use domain names in their local networks that are not owned by them:
  • .corp
  • .lan
  • .company
  • .media
  • .webdev
  • .server
  • .infra
  • .box
  • …
• All these names risk name collisions with new TLDs

Choices for a local only namespace
• Using a seemingly unused DNS TLD in an internal network is a bad idea
• The name can come into use later and create name collisions
• Choices for a local only namespace:
  • Subdomain of a delegated domain
  • A reserved Top-Level-Domain/Second-Level-Domain
  • Name resolution other than DNS (mDNS, LLMNR, PNRP …)

Option: Subdomain of a delegated domain

Subdomain of a delegated domain
• Using a subdomain of a delegated (owned) domain in the Internet is the safest solution
• If it is delegated to you, you already own all subdomains and sub-subdomains of that name
• The locally used name should not be reachable from the public Internet
[Diagrams: a DNS-Resolver in the Internet sends the query "lan.example.com" along the delegations ".", ".com" and "example.com" and receives NXDOMAIN. In the Internal Network, the zones "lan.example.com" and "hr.lan.example.com" are served to the DNS-Resolver, which is queried for hr.lan.example.com.]

Option: domain reserved for local use

Reserved Domain Names
• In 1999, the IETF reserved a number of top-level domains that are not to be used in the Internet
• RFC 2606 "Reserved Top Level DNS Names": https://tools.ietf.org/html/rfc2606
• Updated in RFC 6761 "Special-Use Domain Names": https://tools.ietf.org/html/rfc6761
• ".test", ".invalid", ".example" and ".localhost"
• For an internal development system, ".test" would be a good choice
[Diagrams: Internal Network with the zones "webdev.test" and "beta.test" and a DNS-Resolver; Internet with ".", ".com" and "example.com"; queries for www1.webdev.test]

The "home.arpa." domain
• The domain "home.arpa." is used in the new Homenet Control Protocol (HNCP)
• HNCP is a new IETF protocol to automatically configure home networks with multiple subnets (LAN, wireless, guest networks etc.)
• The domain "home.arpa." is only defined for local networks and will never be used in the Internet
• Internet Draft "Special Use Domain 'home.arpa.'": https://tools.ietf.org/html/draft-ietf-homenet-dot
[Diagrams: Internal Network with a DNS-Resolver with "home.arpa" local zone; Internet with ".", ".com" and "example.com"; Query "www-dev.home.arpa." to the resolver and Answer "www-dev.home.arpa." from it]

More options
• We will discuss solutions outside DNS in the upcoming two webinars
• Link-Local-Multicast-Name-Resolution (LLMNR) for Windows and Linux
• Peer-Name-Resolution-Protocol (PNRP) for Windows
• Multicast DNS (mDNS) for macOS, iOS, Windows and Linux

Local Zone with Unbound

Unbound with local zone
• Unbound is a fast and lean DNS resolver
• Available for Unix, Linux, macOS and Windows
• Homepage: https://unbound.net
• Unbound's main purpose is to resolve names in the Internet for local clients
• Unbound has limited authoritative functions (it can serve zone data)
• This setup is recommended for smaller networks (less than 100 DNS clients)
• Benefits of using Unbound for local zones:
  • Simple setup
  • Only one type of software needed
  • Fast response times
• Downsides of using Unbound for local zones:
  • No DNSSEC security for the local zones (but DNSSEC validation for all DNSSEC secured Internet zones)
  • No automatic provisioning of multiple DNS resolvers via zone transfer
[Diagrams: Internal Network with a DNS-Resolver with "home.arpa" local zone; Internet with ".", ".com" and "example.com". For www-dev.home.arpa, the Query "www-dev.home.arpa." goes to the resolver and the Answer comes back from it. For www.example.com, the Query "www.example.com." goes to the resolver and on to ".", ".com" and "example.com", and the Answer is passed back.]

Unbound local-zone example
# local-zone example for Unbound
# Installation in Unbound configuration directory
# for Debian e.g. into /etc/unbound/unbound.conf.d/
server:
    # allow lookups in the reverse zones of private address ranges
    # and do not DNSSEC-validate them
    unblock-lan-zones: yes
    insecure-lan-zones: yes
    # "static": names in this zone without local-data are answered
    # locally (NXDOMAIN/NODATA) and are not sent to the Internet
    local-zone: "mynet.home.arpa." static
    # Zone metadata
    local-data: "mynet.home.arpa. 3600 IN SOA resolver01.mynet.home.arpa. hostmaster 1 2h 15m 500h 1h"
    local-data: "mynet.home.arpa. 3600 IN NS resolver01.mynet.home.arpa."
    # IPv6 addresses
    local-data: "resolver01.mynet.home.arpa. 3600 IN AAAA 2001:db8:10:dd::53"
    local-data: "www.mynet.home.arpa. 3600 IN AAAA 2001:db8:10:ff::80"
    local-data: "nas.mynet.home.arpa. 3600 IN AAAA 2001:db8:10:ff::222"
    local-data: "raspi.mynet.home.arpa. 3600 IN AAAA 2001:db8:10:ff::123"
    # IPv4 addresses
    local-data: "resolver01.mynet.home.arpa. 3600 IN A 192.168.1.53"
    local-data: "www.mynet.home.arpa. 3600 IN A 192.168.1.80"
    local-data: "nas.mynet.home.arpa. 3600 IN A 192.168.1.222"
    local-data: "raspi.mynet.home.arpa. 3600 IN A 192.168.1.123"
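
A check for the name-collision risk discussed earlier in the deck, run over Unbound "local-zone" lines like the ones above (an added example, not from the original slides). It sorts each configured zone into reserved name, subdomain of an owned domain, HSTS-preloaded TLD or collision risk. The sample configuration, the list of owned domains and all function names are constructed for illustration.

```python
import re

# Special-use names listed in the deck (RFC 2606 / RFC 6761, plus home.arpa).
RESERVED = ("test", "invalid", "example", "localhost", "home.arpa")
# Reverse-lookup trees; not a namespace choice, reported separately.
REVERSE = ("in-addr.arpa", "ip6.arpa")
# TLDs the deck names as HSTS-preloaded in Chrome.
HSTS_PRELOADED_TLDS = ("dev", "foo", "google")

LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+\S+')


def normalize(name):
    return name.lower().rstrip(".")


def is_within(name, suffix):
    """True if name equals suffix or lies below it (whole labels only)."""
    return name == suffix or name.endswith("." + suffix)


def extract_local_zones(conf_text):
    """Return the zone names of all local-zone directives, comments removed."""
    zones = []
    for line in conf_text.splitlines():
        match = LOCAL_ZONE_RE.match(line.split("#", 1)[0])
        if match and normalize(match.group(1)):
            zones.append(normalize(match.group(1)))
    return zones


def classify(zone, owned_domains):
    if any(is_within(zone, s) for s in RESERVED):
        return "reserved"
    if any(is_within(zone, s) for s in REVERSE):
        return "reverse"
    if any(is_within(zone, normalize(d)) for d in owned_domains):
        return "owned"
    if zone.rsplit(".", 1)[-1] in HSTS_PRELOADED_TLDS:
        return "hsts-preloaded-tld"
    return "collision-risk"


def audit(conf_text, owned_domains):
    """Map each configured local zone to its classification."""
    return {z: classify(z, owned_domains) for z in extract_local_zones(conf_text)}


# Constructed sample configuration (not from the slides).
SAMPLE_CONF = '''
server:
    local-zone: "mynet.home.arpa." static
    local-zone: "intranet.corp." static
    local-zone: "lan.example.com." transparent
    local-zone: "webdev.test." static
    local-zone: "build.dev." static        # real TLD, HSTS preloaded
    local-zone: "latest." static           # ends in "test" but is not .test
    local-zone: "168.192.in-addr.arpa." nodefault
    # local-zone: "old.lan." static
'''

if __name__ == "__main__":
    # Assumption: example.com is the domain delegated to this organisation.
    for zone, verdict in audit(SAMPLE_CONF, ["example.com"]).items():
        print(f"{zone:24} {verdict}")
```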

Local Zone with BIND 9

Local zone setup with BIND 9
• For larger networks, we recommend hosting the local zones on authoritative DNS servers separate from the resolvers
• On the next slides we show an example design based on BIND 9, but the same design can be implemented with other DNS servers as well (Windows DNS, PowerDNS, Knot, NSD+Unbound etc.)
• Benefits of a local authoritative DNS server setup:
  • Higher resiliency
  • Automatic load-balancing and failover between servers
  • DNSSEC signing and validation possible for the local zones
  • Zones are kept in sync with regular zone transfer
  • Better monitoring and logging possible

Local authoritative DNS server
[Diagrams: Internal Network with Datacenter1 and Datacenter2, each with a DNS-Authoritative Server with "home.arpa" zone and a DNS-Resolver with "home.arpa" stub-zone; Internet with ".", ".com" and "example.com". For www.example.com, the Query "www.example.com." goes to the resolver and on to ".", ".com" and "example.com", and the Answer is passed back. For www-dev.home.arpa, the Query "www-dev.home.arpa." goes to the resolver and on to the authoritative server, and the Answer is passed back.]
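
BIND 9 configuration on the authoritative server
options {
    // authoritative only: do not resolve names on behalf of clients
    recursion no;
    directory "/var/named";
};
zone "home.arpa." {
    type master;
    file "home.arpa";
    // sign the zone with DNSSEC and keep the signatures up to date
    inline-signing yes;
    auto-dnssec maintain;
};

BIND 9 master zone on the authoritative server
$TTL 3600
; Zone metadata
; SOA and NS are placed at the apex of the zone declared in named.conf
; ("home.arpa."); BIND does not load a zone whose SOA is not at the top
home.arpa. SOA resolver01.mynet.home.arpa. hostmaster 1 2h 15m 500h 1h
home.arpa. NS resolver01.mynet.home.arpa.
; IPv6 addresses
resolver01.mynet.home.arpa. AAAA 2001:db8:10:dd::53
www.mynet.home.arpa. AAAA 2001:db8:10:ff::80
nas.mynet.home.arpa. AAAA 2001:db8:10:ff::222
raspi.mynet.home.arpa. AAAA 2001:db8:10:ff::123
; IPv4 addresses
resolver01.mynet.home.arpa. A 192.168.1.53
www.mynet.home.arpa. A 192.168.1.80
nas.mynet.home.arpa. A 192.168.1.222
raspi.mynet.home.arpa. A 192.168.1.123

BIND 9 configuration on the resolver server
// The slide uses the ACL "clients" without showing its definition; this
// definition is an assumption that covers the sample address ranges above
acl clients { 192.168.1.0/24; 2001:db8:10::/48; };
options {
    // only the local clients may use this resolver
    allow-recursion { clients; };
    directory "/var/named";
};
// DNSSEC trust anchor for the locally signed zone
managed-keys {
    "home.arpa." initial-key 257 3 8 "AwEAAagA…";
};
// stub zone: send queries for home.arpa to the internal authoritative servers
zone "home.arpa." {
    type stub;
    file "home.arpa";
    masters { 192.0.2.153; 192.0.2.253; };
};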

Next

Men & Mice Training
• DNS & DANE Training, 3 days, 19.03 - 21.03.18, Linuxhotel Essen, Germany
http://linuxhotel.de/

Next Webinar
• Name Resolution Webinar Trilogy Part 2 – Local Name Resolution in Windows Networks
• Tuesday, 7th of November, 2017
• Microsoft operating systems have a long history of local name resolution solutions, from NetBIOS over WINS to the LLMNR and PNRP protocols today.
• In this webinar, due to take place on 7th November, 2017, we will take a look at PNRP and LLMNR in Windows 10 and Windows Server 2016 and how these protocols can be used to have server-less name resolution without a centralized DNS infrastructure. We also look deeper into the interoperability of these new protocols with older Windows versions, such as Windows 7 or Windows 8.
• Join us for a 45-minute webinar with a Q&A session at the end, on Tuesday, November 7th, 2017 at 4:00 PM CET / 3:00 PM GMT / 10:00 AM EDT / 7:00 AM PDT.

Next Webinar
• Name Resolution Webinar Trilogy Part 3 – Local Name Resolution in Linux, FreeBSD and macOS/iOS
• Wednesday, 29th of November, 2017
• Multicast DNS (mDNS) was pioneered in Apple’s MacOS X system, and is now available on all systems from Cupertino.
• The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local-Multicast-Name-Resolution). We will also show how well a Systemd-Linux behaves in heterogeneous networks running both Windows and macOS.
• Join us for a 45-minute webinar with a Q&A session at the end, on Wednesday, November 29th, 2017 at 4:00 PM CET / 3:00 PM GMT / 10:00 AM EDT / 7:00 AM PDT.

Fini - Q & A
