SPF, DKIM & DMARC – A triple band aid

Following on from my previous article and because I’ve got to write this anyway I thought I’d take a look at the roles of SPF, DKIM and DMARC for people who don’t really need to know the technicalities. There are many articles out there that cover the technical workings of SPF, DKIM and DMARC and some looking at them all together. Hopefully I’m not going to cover the same ground as those too much. Hopefully though this will provide a reasonable over view of what these records are trying to achieve and how they work together. Firstly the problem all of these things are trying to solve is that e-mail is insecure and easily abused. This is in part because it was designed in an earlier more trusting time and in part because it is designed to allow anyone to reach out and contact anyone else. Much like telephones if… Continue reading

The state of DNS security records 2017

These days there are quite a few security initiatives that depends upon DNS, and to keep those secure you need to implement DNSSEC. Many people across the board from Google, to security advisory firms are encouraging the uptake of these initiatives many of which are getting quite long in the tooth (SPF is over a decade old). However, I’ve for a long time thought that many of these “enhancements” are far from trivial to implement, if you’re a small operator it’s a lot of work for small gains, and if your large then unless you can automate it it’s just not viable. Looking at implementing many of these enhancements myself, and the work involved I started wondering what deployment looked like amongst other people, so I thought I’d do a quick survey and on the whole it’s not a pretty sight. From my far from scientific survey the only thing… Continue reading

DNS trouble shooting for beginners

Introduction DNS generally just works (at least as far as you’re concerned), which is good as the internet would be far less fun without it. However this does mean that many people don’t really know how to tell if a problem is a DNS error or something else – this makes life difficult for support desks and even worse causes work for DNS admins. It needn’t be so! Telling if something is a DNS issue is actually quite simple, and trouble shooting it isn’t much more difficult. To start with there are really only a very few ways that DNS can go wrong ( from a user perspective – from an admin perspective DNS can go wrong in many and varied ways ). Not responding at all Returning the wrong data Not returning a record when it should That from an end users point of view are really the only… Continue reading

Shell access via PDNS LUA

I’ve been spending a bit of time playing with the LUA functionality of Power DNS, it was inevitable that I got round to implementing a generic shell over DNS. It’s not very polished it doesn’t like interactive commands or commands with odd characters and it is more insecure than a very insecure thing that isn’t very safe. It is however a surprisingly short amount of code for what it does. There are a very few circumstances I can think of where a very restricted version of this might be useful, but really there’s always going to be a better and more sensible option. However it’s an interesting proof of concept and more importantly it was fun. If you don’t understand this code do not use it , if you do understand this code you know why you don’t want to use it. The code as shown below won’t actually work… Continue reading