Palo Alto VPN Speedtests
Once more some throughput tests, this time for the site-to-site IPsec VPN of Palo Alto Networks firewalls. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200...

FortiGate Application Traffic Shaping
This is a really cool and easy to use feature of the FortiGate firewall: the traffic shaper. Once an application category uses too much traffic, the bandwidth consumption can be decreased with it. Just...

Using NetFlow with nProbe for ntopng
This blog post is about using NetFlow for sending network traffic statistics to an nProbe collector which forwards the flows to the network analyzer ntopng. It refers to my blog post about installing...

Palo Alto FQDN Objects
While I tested the FQDN objects with a Palo Alto Networks firewall, I ran into some strange behaviours which I could not reproduce, but have documented them. I furthermore tested the usage of FQDN...

Palo Alto DNS Proxy Rule for Reverse DNS
I am using the DNS Proxy on a Palo Alto Networks firewall for some user subnets. Beside the default/primary DNS server it can be configured with proxy rules (sometimes called conditional forwarding)...

Basic BIND Installation
This is a basic tutorial on how to install BIND, the Berkeley Internet Name Domain server, on an Ubuntu server in order to run it as an authoritative DNS server. It differs from other tutorials because...

BIND DNSSEC Validation
If you are searching for a DNSSEC validating DNS server, you can use BIND to do that. In fact, with a current version of BIND, e.g. version 9.10, the dnssec-validation is enabled by default. If you are...

DNSSEC Validation with Unbound on a Raspberry
To overcome the chicken-or-egg problem for DNSSEC (“I don’t need a DNSSEC validating resolver if there are no signed zones”), let’s install the DNS server Unbound on a Raspberry Pi for home usage. Up...

DNSSEC Signing w/ BIND
To solve the chicken-or-egg problem for DNSSEC from the other side, let’s use an authoritative DNS server (BIND) for signing DNS zones. This tutorial describes how to generate the keys and configure...

How to use DANE/TLSA
DNS-based Authentication of Named Entities (DANE) is a great feature that uses the advantages of a DNSSEC signed zone in order to tell the client which TLS certificate it has to expect when connecting...
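The core of a TLSA check is small: hash the server's public key (or certificate) the same way the zone owner did and compare it with the association data in the record. The following is an added example, not code from the original post; it handles only usage 3 (DANE-EE) with selector 1 (SubjectPublicKeyInfo), and the SPKI it uses is a constructed Ed25519 placeholder rather than a real server key.

```python
"""Build and verify a DANE TLSA record for usage 3 / selector 1 (DANE-EE, SPKI).

Added example, not part of the original post. Matching types 0 (full SPKI),
1 (SHA-256) and 2 (SHA-512) are supported. The sample SPKI below is a
constructed Ed25519 SubjectPublicKeyInfo (RFC 8410 DER layout) whose key
bytes are placeholders, not a real key.
"""
import hashlib
import hmac

# DER header: SEQUENCE { SEQUENCE { OID 1.3.101.112 (id-Ed25519) }, BIT STRING (33 bytes) }
_ED25519_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = _ED25519_SPKI_HEADER + bytes(range(32))       # constructed placeholder key
OTHER_SPKI = _ED25519_SPKI_HEADER + bytes(range(32, 64))    # a different (spoofed/rotated) key


def association_data(spki_der: bytes, matching_type: int) -> str:
    """Certificate association data for selector 1, as hex, per RFC 6698 matching type."""
    if matching_type == 0:
        return spki_der.hex()
    if matching_type == 1:
        return hashlib.sha256(spki_der).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(spki_der).hexdigest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def build_tlsa(spki_der: bytes, matching_type: int = 1) -> str:
    """RDATA for a '3 1 <matching_type>' TLSA record, e.g. for _443._tcp.<host>."""
    return f"3 1 {matching_type} {association_data(spki_der, matching_type)}"


def tlsa_matches(record: str, presented_spki: bytes) -> bool:
    """True if the SPKI presented in the TLS handshake matches a '3 1 x' TLSA record.

    Only call this with a record that came back with DNSSEC validation
    (AD bit from a validating resolver, or a local validator); an unsigned
    TLSA answer proves nothing.
    """
    usage, selector, mtype, data = record.split(maxsplit=3)
    if (int(usage), int(selector)) != (3, 1):
        raise ValueError("this example only verifies usage 3 / selector 1 records")
    expected = association_data(presented_spki, int(mtype))
    # zone files may wrap the hex across whitespace and use upper case
    return hmac.compare_digest(expected, "".join(data.split()).lower())


if __name__ == "__main__":
    rec = build_tlsa(SAMPLE_SPKI)
    print("_443._tcp.www.example.net. IN TLSA", rec)
    print("genuine key matches:", tlsa_matches(rec, SAMPLE_SPKI))
    print("other key matches:  ", tlsa_matches(rec, OTHER_SPKI))
```

Matching type 1 with selector 1 is the usual choice because the record then survives certificate renewals as long as the key pair is kept, and the hash is over the DER SubjectPublicKeyInfo exactly as it appears in the certificate, not over the PEM text.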

SSHFP: Authenticate SSH Fingerprints via DNSSEC
This is really cool. After DNSSEC is used to sign a complete zone, SSH connections can be authenticated by checking the SSH fingerprint against the SSHFP resource record on the DNS server. With this...
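What `ssh-keygen -r` publishes and what the client compares is a hash over the raw public key blob, i.e. the base64 part of the host key line. The following added example (not code from the original post) generates SSHFP RDATA from such a line and performs the client-side comparison; the host key it uses is a constructed Ed25519 placeholder.

```python
"""Generate and verify SSHFP resource records from an SSH host key.

Added example, not part of the original post. SSHFP fingerprints (RFC 4255,
RFC 6594, RFC 7479) cover the public key blob encoded in the base64 field of
a known_hosts / host key line. The sample key below is constructed, not a
real host key.
"""
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RDATA field 1) and fingerprint types (RDATA field 2)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed host keys (placeholder key bytes) in host key text form
_SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_OTHER_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))
SAMPLE_HOSTKEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " root@ssh.example.net"
OTHER_HOSTKEY_LINE = "ssh-ed25519 " + base64.b64encode(_OTHER_BLOB).decode() + " mitm"


def decode_hostkey(hostkey_line: str):
    """Parse 'keytype base64 [comment]'; return (keytype, blob) after a consistency check."""
    keytype, b64, *_ = hostkey_line.split()
    blob = base64.b64decode(b64)
    (inner_len,) = struct.unpack(">I", blob[:4])
    # the blob starts with its own key type string; it must agree with the text field
    if blob[4:4 + inner_len] != keytype.encode("ascii"):
        raise ValueError("key type in text form does not match the key blob")
    return keytype, blob


def sshfp_records(hostkey_line: str, fptypes=(1, 2)):
    """SSHFP RDATA strings ('alg fptype hex'), the same data `ssh-keygen -r` prints."""
    keytype, blob = decode_hostkey(hostkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [f"{alg} {t} {SSHFP_HASH[t](blob).hexdigest()}" for t in fptypes]


def sshfp_matches(record: str, hostkey_line: str) -> bool:
    """Client-side check: does the presented host key match this SSHFP record?

    Accepts 'alg fptype hex' or a full 'SSHFP alg fptype hex' string. Trust the
    result only for DNSSEC-validated answers; OpenSSH's VerifyHostKeyDNS does the
    same and needs the AD bit to treat the match as authenticated.
    """
    alg, fptype, fingerprint = record.split()[-3:]
    keytype, blob = decode_hostkey(hostkey_line)
    if SSHFP_ALGORITHM[keytype] != int(alg):
        return False
    digest = SSHFP_HASH[int(fptype)](blob).hexdigest()
    return hmac.compare_digest(digest, fingerprint.lower())


if __name__ == "__main__":
    for rdata in sshfp_records(SAMPLE_HOSTKEY_LINE):
        print("ssh.example.net. IN SSHFP", rdata)
    sha256_record = sshfp_records(SAMPLE_HOSTKEY_LINE)[1]
    print("genuine host key:", sshfp_matches(sha256_record, SAMPLE_HOSTKEY_LINE))
    print("other host key:  ", sshfp_matches(sha256_record, OTHER_HOSTKEY_LINE))
```

Publishing fingerprint type 2 (SHA-256) alongside type 1 is worthwhile because current OpenSSH clients prefer it, and a key that fails the embedded type check in `decode_hostkey` should be treated as a malformed record rather than a mismatch.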

DNSSEC ZSK Key Rollover
One important maintenance requirement for DNSSEC is the key rollover of the zone signing key (ZSK). With this procedure a new public/private key pair is used for signing the resource records, of course...

DNSSEC with NSEC3
By default DNSSEC uses the next secure (NSEC) resource record “to provide authenticated denial of existence for DNS data”, RFC 4034. This feature creates a complete chain of all resource records of a...

How to walk DNSSEC Zones: dnsrecon
After the implementation of DNS and DNSSEC (see the last posts) it is good to run some reconnaissance attacks against your own DNS servers, especially to see the NSEC or NSEC3 differences, i.e., whether...

Compare & Troubleshoot DNS Servers: dnseval
The third tool from the DNSDiag toolkit by Babak Farrokhi is dnseval. “dnseval is a bulk ping utility that sends an arbitrary DNS query to a given list of DNS servers. This script is meant for comparing...

Detect DNS Spoofing: dnstraceroute
Another great tool from Babak Farrokhi is dnstraceroute. It is part of the DNSDiag toolkit from which I already showed the dnsping feature. With dnstraceroute you can verify whether a DNS request is...

Idea: On-the-Fly TLSA Record Spoofing
It is quite common that organizations use some kind of TLS decryption to have a look at the client traffic in order to protect against malware or evasion. (Some synonyms are SSL/TLS interception,...

Idea: SSHFP Validator
The usage of the SSHFP resource record helps admins to authenticate the SSH server before they expose their credentials or before a man-in-the-middle attack succeeds. This is only one great...

BIND Inline-Signing Serial Numbers Cruncher
I know that BIND correctly changes the serial numbers of zones when it is enabled with inline signing and auto-dnssec. However, I got confused one more time as I looked on some of my SOA records. So,...

CLI Commands for Troubleshooting Juniper ScreenOS Firewalls
Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands...