DNS Workshop @ M3AAWG 58 Dublin 4th June 2023

1 Setup and VMs

  • We have prepared virtual machines for you to work with us on the hands-on lab parts of this training
  • Username: user
  • Password: m3aawg-2023
  • Hostname: see the paper slip we're handing out. Use a browser on your laptop/tablet to log in to the server, then select "Terminal" in the lower left corner to access the Linux command line shell. You can also use SSH to access the server.

2 DNS Delegation - Session 1 (approx. 8 minutes)

  • Navigate in the browser to https://www.zonecut.net/dns. Check the domains m3aawg.com, ibm.com, twitter.com, lame.dnssec.works on this website. Try to understand the graphics.
  • Compare the output from the website with the output from dig <domain.tld> +nssearch and dig <domain.tld> +trace

3 IPv6-only DNS - Session 2 (approx. 5 minutes)

  • Check the IPv6 addresses of wikipedia.org using the command dig wikipedia.org AAAA
  • Find the names of the DNS servers for wikipedia.org with dig ns wikipedia.org. Pick one of the DNS server names and try to resolve the IPv6 addresses of Wikipedia using DNS-over-IPv6-only: dig -6 @<name-of-the-server> wikipedia.org AAAA.
  • Check the addresses of the DNS servers for wikipedia.org with dig wikipedia.org +nssearch. Compare with the set of name servers for m3aawg.com

4 Large TXT record sets - Session 3 (approx. 5 minutes)

  • Check the TXT record sets of twitter.com, oracle.com and microsoft.com with dig TXT <domain.tld>. Pay attention to the size of the responses (shown in the response footer).
  • Is there a special message at the top of the output? What does this message mean?
  • What issues do you see with these responses?
  • Is there any impact on mail security technologies such as SPF or DKIM/DMARC?
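
An added example for this session (not part of the original workshop handout): a Python estimate of how large a response carrying a whole TXT record set becomes on the wire, compared against the 512-byte plain-UDP limit and an assumed EDNS buffer size of 1232 bytes. The records are constructed sample data, and the size model assumes compressed owner names and no authority or additional records besides the EDNS OPT record.

```python
# Added example: estimate the wire size of a DNS response carrying a TXT RRset.
HEADER_LEN = 12          # fixed DNS header
RR_FIXED_LEN = 12        # compressed owner name (2) + TYPE, CLASS, TTL, RDLENGTH (10)
OPT_RR_LEN = 11          # EDNS OPT pseudo-record without options
CLASSIC_UDP_LIMIT = 512  # UDP payload limit without EDNS (RFC 1035)
EDNS_BUFSIZE = 1232      # assumed EDNS buffer size (DNS Flag Day 2020 value)


def qname_len(name):
    """Wire length of a domain name: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def txt_rdata_len(text):
    """TXT RDATA is a sequence of character-strings of at most 255 bytes each,
    every one preceded by a length byte."""
    data = text.encode("utf-8")
    chunks = max(1, -(-len(data) // 255))  # ceiling division; empty string = 1 chunk
    return len(data) + chunks


def txt_response_size(name, txt_records, edns=True):
    """Estimated size of a response that returns every TXT record at `name`."""
    size = HEADER_LEN + qname_len(name) + 4  # question: QNAME + QTYPE + QCLASS
    size += sum(RR_FIXED_LEN + txt_rdata_len(t) for t in txt_records)
    return size + (OPT_RR_LEN if edns else 0)


def classify(size):
    if size <= CLASSIC_UDP_LIMIT:
        return "fits plain UDP"
    if size <= EDNS_BUFSIZE:
        return "fits UDP only with EDNS"
    return "exceeds assumed EDNS buffer: truncated, retry over TCP"


# Constructed sample data (not taken from any real zone): one SPF record
# plus 20 hypothetical vendor verification tokens at the same name.
SAMPLE_TXT = ["v=spf1 include:_spf.example.net -all"] + [
    "vendor%02d-site-verification=%s" % (i, "a" * 40) for i in range(20)
]

if __name__ == "__main__":
    for n in (1, 6, 10, 21):
        size = txt_response_size("example.com", SAMPLE_TXT[:n])
        print(n, "TXT records:", size, "bytes,", classify(size))
```

A resolver asking for the SPF record receives every TXT record at that name, so the unrelated tokens count toward the same response size.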

5 DNS over TCP - Session 4 (approx. 5 minutes)

  • Query the SOA record from all authoritative DNS Servers of the domain wechat.com via TCP: dig wechat.com +nssearch +tcp
  • Compare with the same query over UDP: dig wechat.com +nssearch
  • What problems can this configuration create?

6 DNS Hygiene - Session 5 (approx. 5 minutes)

  • The two authoritative DNS servers for the domain dane.onl (ns3.myinfrastructure.org and ns5.myinfrastructure.org) serve the same zone content
  • Still, the responses from the DNS zone are different. Try the following DNS queries and compare the responses:
    • dig @ns3.myinfrastructure.org mx dane.onl
    • dig @ns5.myinfrastructure.org mx dane.onl
    • dig @ns3.myinfrastructure.org ANY dane.onl +notcp
    • dig @ns5.myinfrastructure.org ANY dane.onl +notcp
  • Which response behavior do you prefer? Why?