The state of DNS security records 2020

Not quite the third year running, but a third edition at least. This years state of DNS security records survey has seen a few changes – so is a bit of a transition report. I’ve dropped all of my self generated lists, except for DoH providers, in favour of more robust lists. I’ve also got a new generation of my domain quality tool in the works. This report was produced using the new version of the tool as it produces more reliable results, captured more data and is a tad more efficient allowing me to increase my sample size. TLDR: Summary The adoption rates of security related records provisioned continues to stagnate, though I suspect the drops from 2017 may be artefacts of improved methodology and larger sample size. Comparing just to last year any gains made are marginal at best. Despite all the attention DNS security has got this… Continue reading

IPv6 with Zen internet and Ubiquiti

Having recently moved over to a Ubiquiti UDM for my home router I wanted to get my IPv6 connection back and working. Searching for advice on how to do this there were quite a few articles describing the trials and tribulations involved in getting things working. It turns out that with the latest firmware release getting IPv6 working is really very easy. Unfortunately nothing in the management UI actually lets you know it’s working. So even if you have it configured correctly you’ll only be able to tell by checking if you can reach things via IPv6. So to help anyone else who was in my position here are the really very simple instructions for configuring IPv6 on a UDM running firmware 1.8.3 with Zen Internet. Continue reading

DNS discovery

Sadly even in this day and age of data portability many DNS providers don’t like to let you export your own DNS data. Having finally received one too many PDF exports of a zone file I thought there must be an easier way to make my life simpler. Whilst I’m aware of some DNS providers that will make a stab at pre-populating your domain for you when you transfer domains, there doesn’t seem to be a general tool for achieving this task. The closest thing I could find was DNSdumpster which misses some of the obvious things and isn’t in the friendliest of formats. At this point there was only one thing to do. Write a quick and dirty tool for finding the well known RR’s for any given domain and present them in a BIND friendly format. From far too many years of transferring domains from a variety of… Continue reading

Mitigating against and observing DoH – a real world deployment

DoH data flow

Whilst there has been a lot of discussion about the impact and usage of DNS-over-HTTPs there is so far very little data on how widely its usage has been adopted let alone what the traffic looks like. By adopting a layered approach using response policy zones and an internal DNS-over-HTTPS infrastructure it’s possible to start to get a clearer picture of DoH usage. Within a typical Enterprise environment, you would expect the use of external DNS servers to already be prohibited. The use of DNS-over-HTTPS is thus no different from any other tunnelling software that is used to circumvent such security controls. The simple approach to resolving this issue would be to just block DoH providers at the firewall as they were identified. However, maintaining such a list, as with any black list, will present some challenges and would be better managed by commercial providers. A more layered approach provides… Continue reading