Using a DNSSEC enabled resolver

January 8th, 2011 3 comments

I am up for more. I am generally very thisty for the “new things out there”. So after successfully enabling IPv6 from yesterday’s post I was thinking “hey there is already DNSSEC out there – let me use it”.

First things first

On here is a site whether your resolvers supports EDNS, that are DNS packets bigger then 512 bytes. DNSSEC requires that. I had a big problem with that. I am running OpenWRT Backfire 10.03 on my WRT54GL. Unfortunately flash space is a premium on that – I quickly grabbed my old WRAP board with a 128MB CompacyFlash and installed OpenWRT as well, just the x86 version.

I figured I had two options, either to use DNSMasq or Bind with DNSSEC support. DNSMasq supports according to this forum’s post EDNS.

After some time I figured that OpenDNS does not support EDNS at all. So I disabled it as a forwarder.

Next problem was with DNSMasq. Configuring Bind to query the root nameservers is not a big deal and I just didnt spend the time to get up2speed with DNSMasq.

Ok, but when I did a query with

$dig . dnskey
;; Truncated, retrying in TCP mode.

. I realized that the solution was already there.

Finally, when I did the “test dig” as

dig +bufsize=1024 rs.dns-oarc.net txt

all was good, no more truncated. And in the end I got what I wanted to achieve:

root@miniserver:/etc/config# dig +bufsize=1024 +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"90.212.31.53 DNS reply size limit is at least 3843"
"Tested at 2011-01-08 16:43:42 UTC"
"90.212.31.53 sent EDNS buffer size 4096"
Final

OpenWRT only offers Bind in version 9.6.1 patchlevel 2, which is in regards to DNSSEC quite old. Long story short, I installed quite recent Bind 9.7.1 and enabled DNSSEC on there. Done in 5 minutes – see the links above.

A lots has changed, some websites were writing in regards to DNSSEC. Bind can for example also update automatically the root-key for “.”… oi!

I noticed that .com also has valid DNSSEC data and I have a .com domain. .co.uk has some data, but dig doesnt show they can be authenticated against (“ad” bit is not set.)

Categories: New technology Tags:

IPv6 @ home!

January 8th, 2011 No comments

I setup yesterday IPv6 via 6to4 with tunnel from Hurricane Electric.

It just works. I still have to do some tweaks like as I am using a dynamic IP, the tunnel will go down when my IP changes. I also need to do a couple of other minor things. It was interesting to see that my local squid running on IPv4 was actually forcing my browser to go out via IPv4… oops.

But I like it and I will do more with it. My aim is to focus primarily on IPv6 at home, ie. that clients only connect by IPv6 – when they can. I am sure, that my network printer doesnt know anything about IPv6.

Ok. Next stop DNSSEC.

Categories: IPv6 Tags:

Today’s links

January 5th, 2011 No comments
Categories: Misc Tags:

Your online RSS reader at hand – Tiny Tiny RSS

January 5th, 2011 No comments

I have to admit, I have never used Google Reader for reading online RSS. No, and I dont want to go into details here.

I am a happy user of Tiny Tiny RSS. Andrew Dolgov released on the 21st of December version 1.5.0. A fancy AJAX interface lets you browse and read your RSS feeds – even the keyboard is fully supported. On Andrew’s website you will find a forum where you can contact the author directly and I promise you, you will get timely responses.

Categories: Fun Tags:

New Core Rule Set released for ModSecurity – version 2.1.1

January 5th, 2011 6 comments

A new version of the Core Rule Set (CRS) for ModSecurity was release a couple of days back. I wanted to blog about it, as I find the changes to the previous version 2.0.9 are quite amazing, but I did not find the time to do that. So here is my list what I really find amazing:

  • Checks whether cookies are marked as http only or as secure when they came down the wire via https and throws a warning.
  • Helps mitigiting against the slow HTTP POST attack.
  • Helps mitigitating  against DoS attacks – I wonder how that works, as it is still handled at the application layer, at least at protocol level.
  • Flags up requests where a CSRF tag is expected – I did not look into this at all what this is exactly, I only see occasionally some errors popping up – when a dodgy client is accessing the site.

I think the folks at modsecurity/Trustwave have done a good job again. My feeling is that ModSecurity makes really good progress as an application firewall (even though I dont like that term, “protocol enforcer” would be better suitable).

Btw, with version 2 ModSecurity also supports now not only ingress filtering, it also has some egress filters in place, for example blocking “Directory Listings” pages to name the most famous one.

It is worth to have a look at their blog at here, which discusses certain hardcore topics from time to time, at the time of writing they have an article about “Credit Card Tracking” online, so another egress filter.

Categories: Security Tags: