DANE featured image

How to use DANE/TLSA

DNS-based Authentication of Named Entities (DANE) is a great feature that uses the advantages of a DNSSEC signed zone in order to tell the client which TLS certificate he has to expect when connecting to a secure destination over HTTPS or SMTPS. Via a secure channel (DNSSEC) the client can request the public key of the server. This means, that a Man-in-the-Middle attack (MITM) with a spoofed certificate would be exposed directly, i.e., is not possible anymore. Furthermore, the trust to certificate authorities (CAs) is not needed anymore.

In this blog post I will show how to use DANE and its DNS records within an authoritative DNS server to provide enhanced security features for the public.

Continue reading How to use DANE/TLSA


DNSSEC Signing w/ BIND

To solve the chicken-or-egg problem for DNSSEC from the other side, let’s use an authoritative DNS server (BIND) for signing DNS zones. This tutorial describes how to generate the keys and configure the “Berkeley Internet Name Domain” (BIND) server in order to automatically sign zones. I am not explaining many details of DNSSEC at all, but only the configuration and verification steps for a concrete BIND server.

It is really easy to tell BIND to do the inline signing. With this option enabled, the admin can still configure the static database for his zone files without any relation to DNSSEC. Everything with signing and maintaining is fully done by BIND without any user interaction. Great.

Continue reading DNSSEC Signing w/ BIND

Unbound RPi featured image

DNSSEC Validation with Unbound on a Raspberry

To overcome the chicken-or-egg problem for DNSSEC (“I don’t need a DNSSEC validating resolver if there are no signed zones”), let’s install the DNS server Unbound on a Raspberry Pi for home usage. Up then, domain names are DNSSEC validated. I am listing the commands to install Unbound on a Raspberry Pi as well as some further commands to test and troubleshoot it. Finally I am showing a few Wireshark screenshots from a sample iterative DNS capture. Here we go:

Continue reading DNSSEC Validation with Unbound on a Raspberry

dnssec-validation auto - featured image

BIND DNSSEC Validation

If you are searching for a DNSSEC validating DNS server, you can use BIND to do that. In fact, with a current version of BIND, e.g. version 9.10, the dnssec-validation is enabled by default. If you are already using BIND as a recursive or forwarding/caching server, you’re almost done. If not, this is a very basic installation guide for BIND with DNSSEC validation enabled and some notes on how to test it.

Continue reading BIND DNSSEC Validation

Basic BIND Installation - featured image

Basic BIND Installation

This is a basic tutorial on how to install BIND, the Berkeley Internet Name Domain server, on a Ubuntu server in order to run it as an authoritative DNS server. It differs from other tutorials because I am using three servers (one as a hidden primary and two slaves as the public accessible ones), as well as some security such as denying recursive lookups and public zone transfers, as well as using TSIG for authenticating internal zone transfers. That is, this post is not an absolute beginner’s guide.

Continue reading Basic BIND Installation

Palo Alto DNS Proxy Rule featured image

Palo Alto DNS Proxy Rule for Reverse DNS

I am using the DNS Proxy on a Palo Alto Networks firewall for some user subnets. Beside the default/primary DNS server it can be configured with proxy rules (sometimes called conditional forwarding) which I am using for reverse DNS lookups, i.e., PTR records, that are answered by a BIND DNS server. While it is easy and well-known to configure the legacy IP (IPv4) reverse records, the IPv6 ones are slightly more difficult. Fortunately there are some good tools on the Internet to help reversing IPv6 addresses.

Continue reading Palo Alto DNS Proxy Rule for Reverse DNS

Palo Alto FQDN Objects featured image

Palo Alto FQDN Objects

While I tested the FQDN objects with a Palo Alto Networks firewall, I ran into some strange behaviours which I could not reproduce, but have documented them. I furthermore tested the usage of FQDN objects with more than 32 IP addresses, which are the maximum that are supported due to the official Palo Alto documentation. Here we go:

Continue reading Palo Alto FQDN Objects

Elterngeld featured image 2

Wie man als arbeitender Familienvater 399 € Elterngeld bekommt

Unser erstes Kind kam während des Studiums. Sprich: Elternzeit konnte ich mir keine nehmen (oder ich hätte ein ganzes Semester verlängern müssen) und fürs Elterngeld gab es immerhin den Mindestsatz von 300,- €/Monat. Gut geplant kam also das zweite Kind zu einem Zeitpunkt, an dem ich bereits einige Monate voll verdienend unterwegs war. Entsprechend höher erwarteten wir auch das Elterngeld. Schock und große Ärgernis dann aber, als ich auch dieses mal lediglich den Mindestsatz bekommen sollte, da die Berechnung des Elterngeldes nicht meinen richtigen Job, sondern meinen Nebenjob während es Studiums als Grundlage nahm. Arg! Was sollte das denn???

Continue reading Wie man als arbeitender Familienvater 399 € Elterngeld bekommt

ownCloud Data Directory

ownCloud Data Directory

I initially stored my ownCloud data on an external NTFS hard disk. (Yes, this was not a good idea at all.) After some time now I wanted to move the files to a bigger ext4 drive on the same machine. Unluckily there are many posts and articles that are really irritating on the Internet, such as: 1, 2, 3, 4, 5. At least I found some promising hints at the official GitHub forums (this and that) and gave it a try:

Continue reading ownCloud Data Directory

CPU Usage FortiGate 100D - 90D featured image

CPU Usage Increase FortiGate 100D -> 90D

A few weeks ago I swapped a FortiGate 100D firewall to a 90D firewall. The 100D was defective and needed to be replaced. Since the customer only has a 20 Mbps ISP connection, I thought that a FortiGate 90D would fit for the moment, since it has a firewall throughput of 3,5 Gbps, compared to the lower value of 2,5 Gbps from the 100D.

Indeed, it worked. However, the CPU usage increase was huge, almost related to the NGFW throughput. Here are some graphs:

Continue reading CPU Usage Increase FortiGate 100D -> 90D

nProbe ntopng featured image

Using NetFlow with nProbe for ntopng

This blog post is about using NetFlow for sending network traffic statistics to an nProbe collector which forwards the flows to the network analyzer ntopng. It refers to my blog post about installing ntopng on a Linux machine. I am sending the NetFlow packets from a Palo Alto Networks firewall.

My current ntopng installation uses a dedicated monitoring ethernet port (mirror port) in order to “see” everything that happens in that net. This has the major disadvantage that it only gets packets from directly connected layer 2 networks and vlans. NetFlow on the other hand can be used to send traffic statistics from different locations to a NetFlow flow collector, in this case to the tool nProbe. This single flow collector can receive flows from different subnets and routers/firewalls and even VPN tunnel interfaces, etc. However, it turned out that the “real-time” functionalities of NetFlow are limited since it only refreshes flows every few seconds/bytes, but does not give a real-time look at the network. It should be used only for statistics but not for real-time troubleshooting.

Continue reading Using NetFlow with nProbe for ntopng

Fortinet Feature Requests featured image

Fortinet Feature Requests

I really like the FortiGate firewalls. They are easy to manage and have lots of functionality. However, I am also aware of some other firewall products and therefore have some feature requests to Fortinet that are not currently implemented in their firewalls. I am sometimes forwarding these FRs to the Fortinet support or to an SE, but they are not really interested in that. ;( So here is a list of my ideas that could improve the firewall. Hopefully/maybe some of them will be implemented one day…

Continue reading Fortinet Feature Requests

Palo Alto VPN Speedtests featured image

Palo Alto VPN Speedtests

Once more some throughput tests, this time the Palo Alto Networks firewalls site-to-site IPsec VPN. Similar to my VPN speedtests for the FortiGate firewall, I set up a small lab with two PA-200 firewalls and tested the bandwidth of different IPsec phase 2 algorithms. Compared to the official data sheet information from Palo Alto that state an IPsec VPN throughput of 50 Mbps, the results are really astonishing.

Continue reading Palo Alto VPN Speedtests

Palo IPv4 vs IPv6 featured image

Palo Alto IPv4 vs. IPv6 Performance Speedtests

After I have done some speedtests on the FortiGate firewall I was interested in doing the same tests on a Palo Alto. That is: What are the throughput differences of IPv4 vs. IPv6, measured with and without security profiles, i.e., with and without threat prevention.

It turned out that the throughput is much higher than the official information from Palo Alto. Furthermore, I was not able to test the threat prevention at all, because non of my traffic (Iperf and mere HTTP) went through the antivirus engines. I have to test this again. However, here are the measured values so far:

Continue reading Palo Alto IPv4 vs. IPv6 Performance Speedtests