Detecting DNS configuration errors

Tuesday, June 11, 2013 - 09:12

The Domain Name System (DNS), which translates names to IP addresses (among many other things), is critical for humans using the Internet. Research by Slavko Gajin and Petar Bojovic presented at the TERENA Networking Conference indicates that mis-configurations are more common than we might hope. Getting DNS right often requires different organisations to have matching configurations: if my name server says that part of the name space is delegated to your name server then your name server needs to agree! So it is easy for human error to creep in. Often the redundancy and resilience that we build into the DNS hide these problems: so long as there is one working way to resolve a name, users may only experience slowness or intermittent failures, which they may not report. Only when a component in that remaining critical path fails do we discover that mis-configurations have left us with less resilience than we thought, and by then our websites have become invisible and all our e-mail is being bounced as wrongly addressed.

Discovering these hidden problems requires a tool that checks every advertised path to resolve a name, rather than stopping at the first one that works. The University of Belgrade team have written such a tool and used it to check more than ten thousand domains across European NRENs. As well as looking for errors that may make DNS less reliable than intended, they investigated support for DNSSEC and IPv6, and looked for servers that allow public zone transfers (which reveal the whole contents of a zone) or open recursion (which attackers use for reflection and amplification attacks). It is good to see evidence of Janet CSIRT’s recent campaign to reduce the number of open recursive resolvers, in that the percentage of open resolvers in .ac.uk is lower than on many other networks. However it is still well above zero! Results per NREN for the various tests are shown in the slides; to check your own domain, a web interface to the tool is available at http://live.icmynet.com/icmynet-dns

Comments

I have in the past looked at some of the common configuration problems using a static analysis of zone files in .ac.uk. Common critical problems include:

  • NS records pointing to incorrect servers
  • NS records pointing to unreachable servers
  • NS records pointing to RFC1918 address space
  • Expire timer set to Microsoft's unreasonably low default value

We recommend http://www.zonecheck.fr/ as a tool to check the configuration of domains. The downloadable version can be configured to suppress errors and checks that are not applicable in Janet's unique environment, such as warnings about all nameservers being hosted on the same AS.
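The kind of check the post describes (follow every server the parent advertises rather than stopping at the first one that answers) and the critical problems listed in the comment above can be expressed as a small offline checker. What follows is an added example, not code from the post, the Belgrade tool or ZoneCheck. The zone name, nameserver names, addresses and responses are constructed for the example; the one-week minimum SOA expire is an assumption; and in a real run the NSAnswer values would come from live NS and SOA queries sent to each delegated server's glue address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# RFC 1918 private ranges: a nameserver whose glue address is inside these can
# never be reached from the public Internet, so it adds no resilience at all.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed floor for the SOA expire timer (seconds). One week is an assumption
# made for this example; the point is that a value of a day or so means a
# secondary gives up serving the zone after a short primary outage.
MIN_EXPIRE = 7 * 86400


@dataclass(frozen=True)
class NSAnswer:
    """What one delegated nameserver said when asked for the zone's NS and SOA."""
    authoritative: bool          # AA bit set in the response
    ns_set: FrozenSet[str]       # NS RRset the server returned for the zone
    soa_serial: int
    soa_expire: int


Finding = Tuple[str, str, str, str]  # (severity, subject, code, detail)

# Faults that take a single server out of service (as opposed to zone-wide issues).
SERVER_FAULTS = {"no_address", "rfc1918", "unreachable", "lame"}


def check_delegation(zone: str,
                     parent_ns: FrozenSet[str],
                     glue: Dict[str, str],
                     answers: Dict[str, Optional[NSAnswer]],
                     min_expire: int = MIN_EXPIRE) -> List[Finding]:
    """Check every server the parent advertises, not just the first that works.

    parent_ns: NS names in the parent zone's delegation for `zone`.
    glue:      NS name -> address a resolver would use to reach it.
    answers:   NS name -> NSAnswer, or None if the server did not respond.
    """
    findings: List[Finding] = []
    serials: Dict[str, int] = {}

    for ns in sorted(parent_ns):
        addr = glue.get(ns)
        if addr is None:
            findings.append(("critical", ns, "no_address", "NS name has no A/AAAA record"))
            continue
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append(("critical", ns, "rfc1918", f"address {addr} is RFC 1918 space"))

        ans = answers.get(ns)
        if ans is None:
            findings.append(("critical", ns, "unreachable", "no response to NS/SOA query"))
            continue
        if not ans.authoritative:
            findings.append(("critical", ns, "lame", f"answers for {zone} without the AA bit"))
            continue

        # Parent and child must agree on who serves the zone.
        only_parent = parent_ns - ans.ns_set
        only_child = ans.ns_set - parent_ns
        if only_parent or only_child:
            findings.append(("critical", ns, "ns_mismatch",
                             f"only in parent: {sorted(only_parent)}; only in child: {sorted(only_child)}"))
        if ans.soa_expire < min_expire:
            findings.append(("warning", ns, "expire_low",
                             f"SOA expire {ans.soa_expire}s is below {min_expire}s"))
        serials[ns] = ans.soa_serial

    # Secondaries that never manage to transfer the zone show up as serial skew.
    if len(set(serials.values())) > 1:
        findings.append(("warning", zone, "serial_skew", f"serials seen: {serials}"))
    return findings


def usable_servers(parent_ns: FrozenSet[str], findings: List[Finding]) -> List[str]:
    """Servers with no per-server fault: the resilience the zone actually has."""
    broken = {subject for _, subject, code, _ in findings if code in SERVER_FAULTS}
    return sorted(parent_ns - broken)


# Constructed sample: the parent delegates to three servers, but only one of
# them really works, which is exactly the hidden loss of resilience the post describes.
ZONE = "example.ac.uk"
NS1, NS2, NS3 = "ns1.example.ac.uk", "ns2.example.ac.uk", "ns3.example.ac.uk"
PARENT_NS = frozenset({NS1, NS2, NS3})
GLUE = {NS1: "203.0.113.10", NS2: "192.168.1.5", NS3: "198.51.100.7"}
ANSWERS = {
    NS1: NSAnswer(True, frozenset({NS1, NS2}), 2013061101, 14 * 86400),
    NS2: None,                                # private address: nothing answers
    NS3: NSAnswer(False, frozenset(), 0, 0),  # a resolver, never configured for the zone
}


def run_sample() -> List[Finding]:
    return check_delegation(ZONE, PARENT_NS, GLUE, ANSWERS)


if __name__ == "__main__":
    found = run_sample()
    for severity, subject, code, detail in found:
        print(f"{severity:8} {subject:22} {code:12} {detail}")
    print("servers actually able to answer:", usable_servers(PARENT_NS, found))
```

Run against the constructed sample, the checker reports the stale parent NS record (ns3 is delegated to but ns1 does not list it), the RFC 1918 glue and unreachability of ns2, and the lame delegation at ns3, leaving ns1 as the only server that can answer for the zone. A resolver that stops at the first working server would have reported none of this.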