© Men & Mice http://menandmice.com
DNS High-Availability Tools
Open-Source Load Balancing Solutions
Wednesday 7 December 16
Resolver HA
• The DNS protocol has built-in high availability for authoritative DNS servers, but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing
• In this webinar, we will look into
• how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver among a list of available servers
• and how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD.
Authoritative DNS
[Diagram sequence: a local caching DNS server resolves ftp.menandmice.is., www.yahoo.fr. and ns.berkeley.edu. It queries the name servers of the root zone (""), of the TLD (is., fr., edu.) and of the domain (menandmice.is., yahoo.fr., berkeley.edu.), for example "What is the address of ftp.menandmice.is." answered with "Here is a list of "is." Name Servers". For the name servers a, b and c it keeps a roundtrip time (RTT) table, initially a 3, b 5, c 2, whose values change after each query.]
UNIX / Linux Stub Resolver
• UNIX/Linux stub resolvers use a configuration file called resolv.conf
• This file is usually found in the /etc directory
Name Server List
• Syntax:
• nameserver <IP address>
• Example:
• nameserver 192.168.0.1
• Notes:
• Most UNIX/Linux servers allow up to 3 nameserver entries
• If multiple are listed, they are queried in the order given
Unix DNS-Client Resolver timeout
Attempt   1 DNS-Resolver   2 DNS-Resolver   3 DNS-Resolver
1         5s               2x 5s            3x 5s
2         10s              2x 5s            3x 3s
Total     15s              20s              24s
• The Unix DNS resolver timeout can be changed in the file /etc/resolv.conf:
    options timeout:1 attempts:4
    nameserver 100.64.1.100
    nameserver 100.64.2.120
• attempts: how many queries are sent to each DNS resolver (max 5)
• timeout: initial timeout for a query to a name server in resolv.conf (max 30s). For the second and successive rounds of queries, the resolver still doubles the initial timeout and divides by the number of name servers in resolv.conf
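Added example (not part of the original slides): a small Python calculator that applies the timeout rule above to a resolv.conf and reproduces the 15s / 20s / 24s totals of the timeout table. It assumes defaults of timeout 5s and 2 attempts (as implied by that table), a timeout that doubles in every further round, and a minimum wait of one second; all function names are illustrative.

```python
# Added example: worst-case stub-resolver wait time for a resolv.conf.
# Assumptions (not from the slides): defaults of timeout 5s / 2 attempts as
# implied by the timeout table, a timeout that doubles in every round, and
# a minimum wait of one second per query.

MAX_SERVERS, MAX_ATTEMPTS, MAX_TIMEOUT = 3, 5, 30   # limits named on the slides
DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS = 5, 2            # assumed defaults


def parse_resolv_conf(text):
    """Return (servers, timeout, attempts, rotate) from resolv.conf text."""
    servers, rotate = [], False
    timeout, attempts = DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) > 1:
            if len(servers) < MAX_SERVERS:       # entries past the third are ignored
                servers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    timeout = min(int(value), MAX_TIMEOUT)
                elif name == "attempts" and value.isdigit():
                    attempts = min(int(value), MAX_ATTEMPTS)
                elif name == "rotate":
                    rotate = True
    return servers, timeout, attempts, rotate


def round_waits(timeout, attempts, n_servers):
    """Seconds waited per server in each round of queries."""
    waits = []
    for rnd in range(attempts):
        wait = timeout << rnd                    # initial timeout, doubled per round
        if rnd > 0:
            wait //= n_servers                   # later rounds: divide by server count
        waits.append(max(wait, 1))               # assumed floor of one second
    return waits


def worst_case_seconds(text):
    """Total wait when none of the configured resolvers answers."""
    servers, timeout, attempts, _ = parse_resolv_conf(text)
    n = max(len(servers), 1)
    return sum(wait * n for wait in round_waits(timeout, attempts, n))


# Constructed sample files; the first two addresses are the ones on the slides.
ONE = "nameserver 100.64.1.100\n"
TWO = ONE + "nameserver 100.64.2.120\n"
THREE = TWO + "nameserver 100.64.3.130\n"        # third address is made up
TUNED = "options timeout:1 attempts:4\n" + TWO

if __name__ == "__main__":
    for label, conf in [("1 resolver", ONE), ("2 resolvers", TWO),
                        ("3 resolvers", THREE), ("tuned, 2 resolvers", TUNED)]:
        print(f"{label}: {worst_case_seconds(conf)}s")
```

Under these assumptions the tuned two-resolver file (timeout:1 attempts:4) lets a client wait 16 seconds before it gives up, compared with 20 seconds for the same two resolvers without options.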
Unix DNS-Client Resolver “Round-Robin”
• The order in which the DNS-Resolvers are queried can be tweaked in /etc/resolv.conf:
    options rotate
    nameserver 100.64.1.100
    nameserver 100.64.2.120
• rotate: use all DNS-Resolvers in each resolver-session. Only takes effect if the client program sends multiple queries after opening the DNS-Client resolver. Not many programs do this.
Send Client-Resolver options via DHCP (1/2)
• There are no standard DHCP options to transport the attempts, timeout and rotate resolver options
• In the ISC-DHCP Server, add a new option definition (file /etc/dhcp/dhcpd.conf):
    option resolv-options code 232 = text;
    option resolv-options "timeout:2 attempts:4 rotate";
Send Client-Resolver options via DHCP (2/2)
• On each ISC-DHCP Client, add a new option definition (file /etc/dhcp/dhclient.conf):
    option resolv-options code 232 = text;
    request resolv-options;
• And also add a new DHCP-Script hook (file /etc/dhcp/dhclient-enter-hooks.d/resolvoptions):
    if [ "$new_resolv_options" ]; then
        echo "options $new_resolv_options" >> /etc/resolv.conf
    fi
Windows Stub Resolver
[Screenshots of the Windows DNS client settings. Callouts: "Obtain DNS servers via DHCP", "Configure listed DNS servers manually", "List of additional DNS-Resolver to query".]
Windows DNS-Client Resolver Timeouts, 1 DNS-Server
Time DNS Query
0s initial query, wait 1s
1s 2nd query, wait 1s
2s 3rd query, wait 2s
4s 4th query, wait 4s
8s 5th query, wait 4s
12s Client-Resolver gives up
https://support.microsoft.com/de-de/kb/2834226
Windows DNS-Client Resolver Timeouts, 2 DNS-Server
Time DNS Query
0s initial query to the 1st DNS server in the list, wait 1s
1s initial query to the 2nd DNS server in the list, wait 1s
2s 2nd query to the 2nd DNS server in the list, wait 2s
4s query to all DNS servers in the list, wait 4s
8s query to all DNS servers in the list, wait 4s
12s Client-Resolver gives up
https://support.microsoft.com/de-de/kb/2834226
Windows DNS-Client Resolver Timeouts, 3+ DNS-Server
Time DNS Query
0s initial query to the 1st DNS server in the list, wait 1s
1s initial query to the 2nd DNS server in the list, wait 1s
2s initial query to the 3rd DNS server in the list, wait 2s
4s query to all DNS servers in the list, wait 4s
8s query to all DNS servers in the list, wait 4s
12s Client-Resolver gives up
https://support.microsoft.com/de-de/kb/2834226
Adjusting the Windows DNS-Client timeouts
• The DNS-Client timeouts can be customized using the registry value
HKLM\System\CurrentControlSet\Services\dnscache\Parameters\DNSQueryTimeouts
• This value does not exist by default; in that case the pre-defined default values are used
• https://blogs.technet.microsoft.com/stdqry/2011/12/02/dns-clients-and-timeouts-part-1/
• https://blogs.technet.microsoft.com/stdqry/2011/12/14/dns-clients-and-timeouts-part-2/
Demo Setup
DNS-Resolver without HA
[Diagram: two DNS resolvers, 172.22.1.210 and 172.22.1.217, connected to the Internet; the client lists both in its resolver configuration.]
/etc/resolv.conf
    nameserver 172.22.1.210
    nameserver 172.22.1.217
Unix resolver demo
OpenBSD relayd
relayd
• relayd is a daemon to relay and dynamically redirect incoming connections to a target host
• available on OpenBSD (and older versions on FreeBSD)
• relayd can dynamically reconfigure the OpenBSD firewall “pf” to redirect traffic
• relayd can also work as an application layer proxy
DNS-Resolver with relayd
[Diagram: two hosts connected to the Internet, one labelled 172.22.1.210 and 172.22.1.206, the other 172.22.1.217 and 172.22.1.206, with the CARP-Protocol between them.]
/etc/resolv.conf
    nameserver 172.22.1.206
    nameserver 172.22.1.210
    nameserver 172.22.1.217
relayd redirect configuration
file /etc/relayd.conf
    # Layer 3 forwarding
    table <dnsserver> { 172.22.1.210, 172.22.1.217 }
    redirect dnsbalance {
        listen on 172.22.1.206 tcp port 53
        listen on 172.22.1.206 udp port 53
        forward to <dnsserver> check tcp
    }
OpenBSD relayd: Layer 3 redirect
[Diagram sequence: the DNS server (BIND 9) and relayd run in userspace, the PF firewall in the OpenBSD kernel. relayd probes the DNS server. While the probes are OK, relayd configures PF rules and PF redirects incoming DNS queries to the DNS server. When the DNS server is DOWN, the probes are Not-OK and relayd reconfigures the PF rules that handle incoming DNS queries.]
relayd relay configuration
file /etc/relayd.conf
    # Layer 7 Application Layer Proxy
    table <dnsserver> { 172.22.1.210, 172.22.1.217 }
    dns protocol "dnsproto"
    relay dnsbalance {
        protocol dnsproto
        listen on 172.22.1.206 port 53
        forward to <dnsserver> check tcp
    }
OpenBSD relayd: Layer 7 proxy
[Diagram sequence: the DNS server (BIND 9) and relayd run in userspace, the PF firewall in the OpenBSD kernel. relayd probes the DNS server and acts as a proxy for the DNS queries. The sequence shows how DNS queries pass through relayd while the probes are OK and how they are handled when the DNS server is DOWN and the probes are Not-OK.]
relayd demo
PowerDNS dnsdist
dnsdist
“dnsdist” is a DNS-aware application-level gateway
• part of PowerDNS, but DNS server agnostic (can be used with any DNS resolver or authoritative server)
• supports various load-balancing schemes (least outstanding, firstAvailable, weighted hash, weighted random, round-robin ...)
• can do more than load balancing (filter, block, rewrite DNS traffic ...)
• Lua-configuration and Lua-scriptable
• available for Linux (Debian, Raspbian, Suse, Ubuntu, CentOS), FreeBSD
• should work on other Unix-ish systems
• Free Software (GPLv2 License)
http://dnsdist.org
DNS-Resolver with dnsdist
[Diagram: two dnsdist hosts, both labelled 172.22.1.200 (dnsdist) and linked by Heartbeat, in front of the DNS resolvers 172.22.1.210 and 172.22.1.217, which are connected to the Internet.]
/etc/resolv.conf
    nameserver 172.22.1.200
starting dnsdist
Simple dnsdist startup without configuration file:
    # dnsdist -l 172.22.1.200 172.22.1.210 172.22.1.217
• 172.22.1.200 (after -l): local IP to listen for DNS queries
• 172.22.1.210 and 172.22.1.217: DNS servers to forward queries to
dnsdist demo
dnsdist statistics demo
comparing relayd and dnsdist
relayd vs. dnsdist
• relayd -- only available on OpenBSD (FreeBSD)
• dnsdist -- available on many Linux/Unix systems
• relayd -- fast layer 3 forwarding in kernel space and userspace proxying
• dnsdist -- only userspace proxying (but still pretty fast)
• relayd -- simple health monitoring and reporting
• dnsdist -- online DNS statistics and Web-UI statistics
• relayd -- filtering with “pf” firewall
• dnsdist -- DNS aware filtering with Lua-Scripting option
• relayd -- BSD license
• dnsdist -- GPLv3 License
Men & Mice Training
• February 13 – 17 -- Redwood City, California, US Introduction to DNS & BIND Hands-On class and Introduction & Advanced DNS and BIND Topics Hands-on
• March 6 – 10 -- Amsterdam (NL) or Osnabrueck (DE) Introduction to DNS & BIND Hands-On class and Introduction & Advanced DNS and BIND Topics Hands-on
https://www.menandmice.com/support-training/training/
Webinar schedule 2017
This is our schedule for the webinars in the beginning of 2017
• 2nd Feb 2017 BIND 9 logging best practices
• 23rd March 2017 DNSSEC zone signing tutorial
• 13th April 2017 SMTP STS (Strict Transport Security) vs. SMTP with DANE
Additional webinar topics coming in 2017
• DNSSEC key management with BIND 9 "keymgr"
• BIND 9 (and Men & Mice) on Docker (Linux)
• Men & Mice Suite on Docker with Windows 2016 Server
• How to manage DMARC-, SPF-, DKIM-, multi-part TXT-, CAA-, DANE-records in DNS zones
• DNS over TCP: new developments from the IETF
• DNS Server with SQL-Databases: PowerDNS and BIND 9
Thank you!
Questions? Comments?