The DNS protocol has built-in high availability for authoritative DNS servers (this will be better explained in the webinar!), but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing. In this webinar, we will look into how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver among a list of available servers, and how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD.

1. © Men & Mice http://menandmice.com
DNS High-Availability Tools
Open-Source Load Balancing
Solutions
1
1Wednesday 7 December 16

2. © Men & Mice http://menandmice,com
Resolver HA
• The DNS protocol has built-in high availability for authoritative DNS
servers, but client machines can see a degraded DNS service if a DNS
resolver (caching DNS server) is failing
• In this webinar, we will look into
• how the DNS clients in popular operating systems (Windows, Linux,
macOS/iOS) choose the DNS resolver among a list of available servers
• and how a DNS resolver service can be made failure-tolerant with
open-source solutions such as “dnsdist” from PowerDNS and “relayd”
from OpenBSD.
2Wednesday 7 December 16

3. © Men & Mice http://menandmice,com
Authoritative DNS
3Wednesday 7 December 16

4. © Men & Mice http://menandmice,com
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 2
Roundtrip Time
4Wednesday 7 December 16

5. © Men & Mice http://menandmice,com
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 2
Roundtrip Time
4Wednesday 7 December 16

6. © Men & Mice http://menandmice,com
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
What is the address
of
ftp.menandmice.is.
a
b
c
Name
Server
RTT
a 3
b 5
c 2
Roundtrip Time
4Wednesday 7 December 16

7. © Men & Mice http://menandmice,com
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 2
Roundtrip Time
5Wednesday 7 December 16

8. © Men & Mice http://menandmice,com
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 2
What is the address
of
ftp.menandmice.is.
Roundtrip Time
5Wednesday 7 December 16

9. © Men & Mice http://menandmice,com
2
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c
Roundtrip Time
6Wednesday 7 December 16

10. © Men & Mice http://menandmice,com
2
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c
Here is a list of
“is.” Name
Servers
Roundtrip Time
6Wednesday 7 December 16

11. © Men & Mice http://menandmice,com
338
ftp://ftp.menandmice.is.
“”
is.
menandmice.is.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c
Here is a list of
“is.” Name
Servers
Roundtrip Time
6Wednesday 7 December 16

12. © Men & Mice http://menandmice,com
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 338
Roundtrip Time
7Wednesday 7 December 16

13. © Men & Mice http://menandmice,com
http://www.yahoo.fr.
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 338
Roundtrip Time
7Wednesday 7 December 16

14. © Men & Mice http://menandmice,com
http://www.yahoo.fr.
“”
fr.
yahoo.fr.
local caching
DNS Server
What is the address
of
www.yahoo.fr.
a
b
c
Name
Server
RTT
a 3
b 5
c 338
Roundtrip Time
7Wednesday 7 December 16

15. © Men & Mice http://menandmice,com
http://www.yahoo.fr.
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 338
Roundtrip Time
8Wednesday 7 December 16

16. © Men & Mice http://menandmice,com
http://www.yahoo.fr.
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c 338
What is the address
of
www.yahoo.fr.
Roundtrip Time
8Wednesday 7 December 16

17. © Men & Mice http://menandmice,com
331
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c
http://www.yahoo.fr.
Roundtrip Time
9Wednesday 7 December 16

18. © Men & Mice http://menandmice,com
331
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 3
b 5
c
Here is a list of
“fr.” Name
Servers
http://www.yahoo.fr.
Roundtrip Time
9Wednesday 7 December 16

19. © Men & Mice http://menandmice,com
331
85
“”
fr.
yahoo.fr.
local caching
DNS Server
a
b
c
Name
Server
RTT
a
b 5
c
Here is a list of
“fr.” Name
Servers
http://www.yahoo.fr.
Roundtrip Time
9Wednesday 7 December 16

20. © Men & Mice http://menandmice,com
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 85
b 5
c 331
Roundtrip Time
10Wednesday 7 December 16

21. © Men & Mice http://menandmice,com
dig @ns.berkeley.edu
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 85
b 5
c 331
Roundtrip Time
10Wednesday 7 December 16

22. © Men & Mice http://menandmice,com
dig @ns.berkeley.edu
“”
edu.
berkeley.edu.
local caching
DNS Server
What is the address
of
ns.berkeley.edu.
a
b
c
Name
Server
RTT
a 85
b 5
c 331
Roundtrip Time
10Wednesday 7 December 16

23. © Men & Mice http://menandmice,com
dig @ns.berkeley.edu.
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 85
b 5
c 331
Roundtrip Time
11Wednesday 7 December 16

24. © Men & Mice http://menandmice,com
dig @ns.berkeley.edu.
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a 85
b 5
c 331
What is the address
of
ns.berkeley.edu.
Roundtrip Time
11Wednesday 7 December 16

25. © Men & Mice http://menandmice,com
5
83
324
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a
b
c
dig @ns.berkeley.edu.
Roundtrip Time
12Wednesday 7 December 16

26. © Men & Mice http://menandmice,com
5
83
324
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a
b
c
Here is a list of
“edu.” Name
Servers
dig @ns.berkeley.edu.
Roundtrip Time
12Wednesday 7 December 16

27. © Men & Mice http://menandmice,com
315
83
324
“”
edu.
berkeley.edu.
local caching
DNS Server
a
b
c
Name
Server
RTT
a
b
c
Here is a list of
“edu.” Name
Servers
dig @ns.berkeley.edu.
Roundtrip Time
12Wednesday 7 December 16

28. © Men & Mice http://menandmice,com
UNIX / Linux Stub Resolver
13Wednesday 7 December 16

29. © Men & Mice http://menandmice,com
UNIX / Linux Stub Resolver
•UNIX/Linux stub resolvers use a configuration file called
resolv.conf
•This file is usually found in the /etc directory
14Wednesday 7 December 16

30. © Men & Mice http://menandmice,com
Name Server List
• Syntax:
• nameserver <IP address>
• Example:
• nameserver 192.168.0.1
• Notes:
• Most UNIX/Linux servers allow up to 3 nameserver entries
• If multiple are listed, they are queried in the order given
15Wednesday 7 December 16

31. © Men & Mice http://menandmice,com
Unix DNS-Client Resolver
timeout
Attempt
1 DNS-
Resolver
2 DNS-
Resolver
3 DNS-
Resolver
1 5s 2x 5s 3x 5s
2 10s 2x 5s 3x 3s
Total 15s 20s 24s
16Wednesday 7 December 16

32. © Men & Mice http://menandmice,com
Unix DNS-Client Resolver
timeout
• the Unix-DNS Resolver timeout can be changed in the file
/etc/resolv.conf
option timeout:1 attempts:4
nameserver 100.64.1.100
nameserver 100.64.2.120
• attempts: how many queries send to each DNS resolver (max 5)
• timeout: initial timeout for a query to a name server in resolv.conf (max
30s). For the second and successive rounds of queries, the resolver still
doubles the initial timeout and divides by the number of name servers in
resolv.conf
17Wednesday 7 December 16

33. © Men & Mice http://menandmice,com
Unix DNS-Client Resolver
“Round-Robin”
•the order in which the DNS-Resolvers are queried can be
tweaked in
/etc/resolv.conf
option rotate
nameserver 100.64.1.100
nameserver 100.64.2.120
•rotate: use all DNS-Resolvers in each resolver-session. Only
take effect if the client program sends multiple queries after
opening the DNS-Client resolver. Not many programs do this.
18Wednesday 7 December 16

34. © Men & Mice http://menandmice,com
Send Client-Resolver options
via DHCP (1/2)
•there are not standard DHCP options to transport the
attempt, timeout and rotate resolver options
•in the ISC-DHCP Server, add a new option definition
(file /etc/dhcp/dhcpd.conf)
option resolv-options code 232 = text;
option resolv-options "timeout:2 attempts:4 rotate";
19Wednesday 7 December 16

35. © Men & Mice http://menandmice,com
Send Client-Resolver options
via DHCP (2/2)
•on each ISC-DHCP Client, add a new option definition
(file /etc/dhcp/dhclient.conf)
option resolv-options code 232 = text;
request resolv-options;
•and also add a new DHCP-Script hook
(File /etc/dhcp/dhclient-enter-hooks.d/resolvoptions)
if [ "$new_resolv_options" ]; then
echo "options $new_resolv_options" >> /etc/resolv.conf
fi
20Wednesday 7 December 16

36. © Men & Mice http://menandmice,com
Windows Stub Resolver
21Wednesday 7 December 16

37. © Men & Mice http://menandmice,com
22Wednesday 7 December 16

38. © Men & Mice http://menandmice,com
Obtain DNS servers via DHCP
22Wednesday 7 December 16

39. © Men & Mice http://menandmice,com
Obtain DNS servers via DHCP
Configure listed DNS servers
manually
22Wednesday 7 December 16

40. © Men & Mice http://menandmice,com
23Wednesday 7 December 16

41. © Men & Mice http://menandmice,com
23Wednesday 7 December 16

42. © Men & Mice http://menandmice,com
24Wednesday 7 December 16

43. © Men & Mice http://menandmice,com
List of additional DNS-Resolver
to query
24Wednesday 7 December 16

44. © Men & Mice http://menandmice,com
Windows DNS-Client Resolver
Timeouts, 1 DNS-Server
Time DNS Query
0s initial query, wait 1s
1s 2nd query, wait 1s
2s 3rd query, wait 2s
4s 4th query, wait 4s
8s 5th query, wait 4s
12s Client-Resolver gives up
https://support.microsoft.com/de-de/kb/2834226
25Wednesday 7 December 16

45. © Men & Mice http://menandmice,com
Windows DNS-Client Resolver
Timeouts, 2 DNS-Server
Time DNS Query
0s
initial query to 1st DNS server in the
list, wait 1s
1s
initial query to the 2nd DNS server in the
list, wait 1s
2s
2nd query to the 2nd DNS server in the
list, wait 2s
4s
query to all DNS server in the list,
wait 4s
8s
query to all DNS server in the list,
wait 4s
12s Client-Resolver gives up
https://support.microsoft.com/de-de/kb/2834226
26Wednesday 7 December 16

46. © Men & Mice http://menandmice,com
Windows DNS-Client Resolver
Timeouts, 3+ DNS-Server
Time DNS Query
0s
initial query to 1st DNS server in the
list, wait 1s
1s
initial query to the 2nd DNS server in the
list, wait 1s
2s
initial query to the 3rd DNS server in the
list, wait 2s
4s
query to all DNS server in the list,
wait 4s
8s
query to all DNS server in the list,
wait 4s
12s Client-Resolver gives up
https://support.microsoft.com/de-de/kb/2834226
27Wednesday 7 December 16

47. © Men & Mice http://menandmice,com
Adjusting the Windows DNS-
CLient timeouts
•The DNS-Client timeouts can be customized using the
registry value
HKLMSystemCurrentControlSetServicesdnscacheParametersDNSQueryTimeouts
•This value does not exist by default and then the pre-
defined default values are used
• https://blogs.technet.microsoft.com/stdqry/2011/12/02/dns-clients-and-timeouts-part-1/
• https://blogs.technet.microsoft.com/stdqry/2011/12/14/dns-clients-and-timeouts-part-2/
28Wednesday 7 December 16

48. © Men & Mice http://menandmice,com
Demo Setup
29Wednesday 7 December 16

49. © Men & Mice http://menandmice.com
DNS-Resolver without HA
30
Internet
30Wednesday 7 December 16

50. © Men & Mice http://menandmice.com
DNS-Resolver without HA
31
Internet
172.22.1.210 172.22.1.217
31Wednesday 7 December 16

51. © Men & Mice http://menandmice.com
DNS-Resolver without HA
31
Internet
/etc/resolv.conf
nameserver 172.22.1.210
nameserver 172.22.1.217
172.22.1.210 172.22.1.217
31Wednesday 7 December 16

52. © Men & Mice http://menandmice.com
DNS-Resolver without HA
31
Internet
/etc/resolv.conf
nameserver 172.22.1.210
nameserver 172.22.1.217
172.22.1.210 172.22.1.217
31Wednesday 7 December 16

53. © Men & Mice http://menandmice.com
DNS-Resolver without HA
31
Internet
/etc/resolv.conf
nameserver 172.22.1.210
nameserver 172.22.1.217
172.22.1.210 172.22.1.217
31Wednesday 7 December 16

54. © Men & Mice http://menandmice,com
Unix resolver demo
32Wednesday 7 December 16

55. © Men & Mice http://menandmice,com
OpenBSD relayd
33Wednesday 7 December 16

56. © Men & Mice http://menandmice,com
relayd
•relayd is a daemon to relay and dynamically redirect
incoming connections to a target host
•available on OpenBSD (and older versions on
FreeBSD)
•relayd can dynamically reconfigure the OpenBSD
firewall “pf” to redirect traffic
•relayd can also work as an application layer proxy
34Wednesday 7 December 16

57. © Men & Mice http://menandmice.com
DNS-Resolver with relayd
35
Internet
172.22.1.210
172.22.1.206
172.22.1.217
172.22.1.206
CARP-Protocol
35Wednesday 7 December 16

58. © Men & Mice http://menandmice.com
DNS-Resolver with relayd
35
Internet
/etc/resolv.conf
nameserver 172.22.1.206
nameserver 172.22.1.210
nameserver 172.22.1.217
172.22.1.210
172.22.1.206
172.22.1.217
172.22.1.206
CARP-Protocol
35Wednesday 7 December 16

59. © Men & Mice http://menandmice.com
DNS-Resolver with relayd
35
Internet
/etc/resolv.conf
nameserver 172.22.1.206
nameserver 172.22.1.210
nameserver 172.22.1.217
172.22.1.210
172.22.1.206
172.22.1.217
172.22.1.206
CARP-Protocol
35Wednesday 7 December 16

60. © Men & Mice http://menandmice.com
DNS-Resolver with relayd
35
Internet
/etc/resolv.conf
nameserver 172.22.1.206
nameserver 172.22.1.210
nameserver 172.22.1.217
172.22.1.210
172.22.1.206
172.22.1.217
172.22.1.206
CARP-Protocol
35Wednesday 7 December 16

61. © Men & Mice http://menandmice.com
relayd redirect configuration
36
# Layer 3 forwarding
table <dnsserver> {
172.22.1.210,
172.22.1.217 }
redirect dnsbalance {
listen on 172.22.1.206 tcp port 53
listen on 172.22.1.206 udp port 53
forward to <dnsserver> check tcp
}
file /etc/relayd.conf
36Wednesday 7 December 16

62. © Men & Mice http://menandmice.com
OpenBSD relayd
37
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
Layer 3 redirect
37Wednesday 7 December 16

63. © Men & Mice http://menandmice.com
OpenBSD relayd
38
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
Layer 3 redirect
38Wednesday 7 December 16

64. © Men & Mice http://menandmice.com
OpenBSD relayd
39
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
OK
configures
PF rules
Layer 3 redirect
39Wednesday 7 December 16

65. © Men & Mice http://menandmice.com
OpenBSD relayd
40
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
OK
configures
PF rules
DNS-Query
Layer 3 redirect
40Wednesday 7 December 16

66. © Men & Mice http://menandmice.com
OpenBSD relayd
41
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
OK
configures
PF rules
DNS-Query
DNS-Query
Layer 3 redirect
41Wednesday 7 December 16

67. © Men & Mice http://menandmice.com
OpenBSD relayd
42
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
DOWN
relayd
PF-Firewall
probes
Layer 3 redirect
42Wednesday 7 December 16

68. © Men & Mice http://menandmice.com
OpenBSD relayd
43
OpenBSD Kernel
Userspace
relayd
PF-Firewall
probes
Not-OK
configures
PF rules
DNS-Server
(BIND 9)
DOWN
Layer 3 redirect
43Wednesday 7 December 16

69. © Men & Mice http://menandmice.com
OpenBSD relayd
44
OpenBSD Kernel
Userspace
relayd
PF-Firewall
probes
Not-OK
configures
PF rules
DNS-Query
DNS-Server
(BIND 9)
DOWN
Layer 3 redirect
44Wednesday 7 December 16

70. © Men & Mice http://menandmice.com
OpenBSD relayd
45
OpenBSD Kernel
Userspace
relayd
PF-Firewall
probes
Not-OK
configures
PF rules
DNS-Query
DNS-Query
DNS-Server
(BIND 9)
DOWN
Layer 3 redirect
45Wednesday 7 December 16

71. © Men & Mice http://menandmice.com
relayd relay configuration
46
# Layer 7 Application Layer Proxy
table <dnsserver> { 172.22.1.210, 172.22.1.217 }
dns protocol "dnsproto"
relay dnsbalance {
protocol dnsproto
listen on 172.22.1.206 port 53
forward to <dnsserver> check tcp
}
file /etc/relayd.conf
46Wednesday 7 December 16

72. © Men & Mice http://menandmice.com
OpenBSD relayd
47
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
Layer 7 proxy
47Wednesday 7 December 16

73. © Men & Mice http://menandmice.com
OpenBSD relayd
48
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
Layer 7 proxy
48Wednesday 7 December 16

74. © Men & Mice http://menandmice.com
OpenBSD relayd
49
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
OK
Layer 7 proxy
49Wednesday 7 December 16

75. © Men & Mice http://menandmice.com
OpenBSD relayd
50
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
OK
DNS-Query
DNS-Query
Layer 7 proxy
50Wednesday 7 December 16

76. © Men & Mice http://menandmice.com
OpenBSD relayd
51
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
relayd
PF-Firewall
probes
OK
DNS-Query
DNS-Query
Layer 7 proxy
DNS-Query
51Wednesday 7 December 16

77. © Men & Mice http://menandmice.com
OpenBSD relayd
52
OpenBSD Kernel
Userspace
DNS-Server
(BIND 9)
DOWN
relayd
PF-Firewall
probes
Layer 7 proxy
52Wednesday 7 December 16

78. © Men & Mice http://menandmice.com
OpenBSD relayd
53
OpenBSD Kernel
Userspace
relayd
PF-Firewall
probes
Not-OK
DNS-Server
(BIND 9)
DOWN
Layer 7 proxy
53Wednesday 7 December 16

79. © Men & Mice http://menandmice.com
OpenBSD relayd
54
OpenBSD Kernel
Userspace
relayd
PF-Firewall
probes
Not-OK
DNS-Query
DNS-Server
(BIND 9)
DOWN
Layer 7 proxy
DNS-Query
54Wednesday 7 December 16

80. © Men & Mice http://menandmice.com
OpenBSD relayd
55
OpenBSD Kernel
Userspace
relayd
PF-Firewall
probes
Not-OK
DNS-Query
DNS-Query
DNS-Server
(BIND 9)
DOWN
Layer 7 proxy
DNS-Query
55Wednesday 7 December 16

81. © Men & Mice http://menandmice,com
relayd demo
56Wednesday 7 December 16

82. © Men & Mice http://menandmice,com
PowerDNS dnsdist
57Wednesday 7 December 16

83. © Men & Mice http://menandmice.com
dnsdist
“dnsdist” is an DNS aware application level gateway
• part of PowerDNS, but DNS server agnostic (can
be used with any DNS resolver or authoritative
server)
• supports various load-balancing schemes (least
outstanding, firstAvailable, weighted hash,
weighted random, round-robin ...)
• can do more than load balancing (filter, block,
rewrite DNS traffic ...)
58
58Wednesday 7 December 16

84. © Men & Mice http://menandmice.com
dnsdist
“dnsdist” is an DNS aware application level gateway
• Lua-configuration and Lua-scriptable
• available for Linux (Debian, Raspbian, Suse,
Ubuntu, CentOS), FreeBSD
• should work on other Unix-ish systems
• Free Software (GPLv2 License)
59
http://dnsdist.org
59Wednesday 7 December 16

85. © Men & Mice http://menandmice.com
DNS-Resolver with dnsdist
60
Internet
172.22.1.210 172.22.1.217
Heartbeat
172.22.1.200
(dnsdist)
172.22.1.200
(dnsdist)
60Wednesday 7 December 16

86. © Men & Mice http://menandmice.com
DNS-Resolver with dnsdist
60
Internet
/etc/resolv.conf
nameserver 172.22.1.200
172.22.1.210 172.22.1.217
Heartbeat
172.22.1.200
(dnsdist)
172.22.1.200
(dnsdist)
60Wednesday 7 December 16

87. © Men & Mice http://menandmice.com
DNS-Resolver with dnsdist
60
Internet
/etc/resolv.conf
nameserver 172.22.1.200
172.22.1.210 172.22.1.217
Heartbeat
172.22.1.200
(dnsdist)
172.22.1.200
(dnsdist)
60Wednesday 7 December 16

88. © Men & Mice http://menandmice.com
DNS-Resolver with dnsdist
60
Internet
/etc/resolv.conf
nameserver 172.22.1.200
172.22.1.210 172.22.1.217
Heartbeat
172.22.1.200
(dnsdist)
172.22.1.200
(dnsdist)
60Wednesday 7 December 16

89. © Men & Mice http://menandmice.com
DNS-Resolver with dnsdist
60
Internet
/etc/resolv.conf
nameserver 172.22.1.200
172.22.1.210 172.22.1.217
Heartbeat
172.22.1.200
(dnsdist)
172.22.1.200
(dnsdist)
60Wednesday 7 December 16

90. © Men & Mice http://menandmice.com
DNS-Resolver with dnsdist
60
Internet
/etc/resolv.conf
nameserver 172.22.1.200
172.22.1.210 172.22.1.217
Heartbeat
172.22.1.200
(dnsdist)
172.22.1.200
(dnsdist)
60Wednesday 7 December 16

91. © Men & Mice http://menandmice.com
starting dnsdist
simple dnsdist startup without configuration file
# dnsdist -l 172.22.1.200 172.22.1.210 172.22.1.217
61
local IP to
listen for
DNS
queries
DNS server
to forward
queries
61Wednesday 7 December 16

92. © Men & Mice http://menandmice,com
dnsdist demo
62Wednesday 7 December 16

93. © Men & Mice http://menandmice,com
dnsdist statistics demo
63Wednesday 7 December 16

94. © Men & Mice http://menandmice,com
comparing relayd and dnsdist
64Wednesday 7 December 16

95. © Men & Mice http://menandmice,com
relayd vs. dnsdist
•relayd -- only available on OpenBSD (FreeBSD)
•dnsdist -- available on many Linux/Unix systems
65Wednesday 7 December 16

96. © Men & Mice http://menandmice,com
relayd vs. dnsdist
•relayd -- fast layer 3 forwarding in kernel space and
userspace proxying
•dnsdist -- only userspace proxying (but still pretty fast)
66Wednesday 7 December 16

97. © Men & Mice http://menandmice,com
relayd vs. dnsdist
•relayd -- simple health monitoring and reporting
•dnsdist -- online DNS statistics and Web-UI statistics
67Wednesday 7 December 16

98. © Men & Mice http://menandmice,com
relayd vs. dnsdist
•relayd -- filtering with “pf” firewall
•dnsdist -- DNS aware filtering with Lua-Scripting
option
68Wednesday 7 December 16

99. © Men & Mice http://menandmice,com
relayd vs. dnsdist
•relayd -- BSD license
•dnsdist -- GPLv3 License
69Wednesday 7 December 16

100. © Men & Mice http://menandmice,com
Men & Mice Training
• February 13 – 17 -- Redwood City, California, US
Introduction to DNS & BIND Hands-On class and
Introduction & Advanced DNS and BIND Topics Hands-on
•March 6 – 10, -- Amsterdam (NL) or Osnabrueck (DE)
Introduction to DNS & BIND Hands-On class and
Introduction & Advanced DNS and BIND Topics Hands-on
https://www.menandmice.com/support-training/training/
70Wednesday 7 December 16

101. © Men & Mice http://menandmice.com
Webinar schedule 2017
This is our schedule for the webinars in the beginning
of 2017
• 2nd Feb 2017
BIND 9 logging best practices
• 23rd March 2017
DNSSEC zone signing tutorial
• 13th April 2017
SMTP STS (Strict Transport Security) vs. SMTP with DANE
71
71Wednesday 7 December 16

102. © Men & Mice http://menandmice.com
Webinar schedule 2017
Additional webinar topics coming in 2017
• DNSSEC key management with BIND 9 "keymgr"
• BIND 9 (and Men & Mice) on Docker (Linux)
• Men & Mice Suite on Docker with Windows 2016 Server
• How to manage DMARC-, SPF-, DKIM-, multi-part TXT-,
CAA-, DANE-records in DNS zones
• DNS over TCP: new developments from the IETF
• DNS Server with SQL-Databases: PowerDNS and BIND 9
72
72Wednesday 7 December 16

103. © Men & Mice http://menandmice,com
Thank you!
Questions? Comments?
73
73Wednesday 7 December 16