Set Up and Monitor Authoritative DNS

I run an authoritative name server for my domain. Each registry seems to have different ways to handle glue records. But configuring OpenBSD’s nsd is refreshingly simple.

File: Master server’s /var/nsd/etc/nsd.conf

server:
        hide-version: yes
        verbosity: 1
        database: "" # disable database

remote-control:
        control-enable: yes
        control-interface: /var/run/nsd.sock

key:
        name: "tsig1.randy7.com."
        algorithm: hmac-sha256
        secret: "[redacted]"

zone:
        name: "randy7.com"
        zonefile: "master/randy7.com.zone"
        notify: sl.a.ve.ip tsig1.randy7.com.
        provide-xfr: sl.a.ve.ip tsig1.randy7.com.

File: Slave server’s /var/nsd/etc/nsd.conf is similar to master’s, but the zone section has these changes:

        zonefile: "slave/randy7.com.zone"
        allow-notify: ma.st.er.ip tsig1.randy7.com.
        request-xfr: ma.st.er.ip tsig1.randy7.com.

However, I went through some trial and error creating the zonefile and checking it with nsd-checkzone.

Monitoring with tshark

Being curious, I decided to watch the incoming DNS queries to the authoritative DNS server. So I asked tshark to show me the time, source IP, and the name asked for in the query. I did this on both servers, ns1 and ns2.

Notice that this also shows requests to recursive resolvers; keep that in mind if you try this.

$ tshark -n -T text -T fields \
         -e frame.time -e ip.src -e ipv6.src -e dns.qry.name \
         port 53 and not src (ser.ver.ip.v4 or se:r:ve:r:i:p:v:6)
...
[Snip]        208.54.85.119      randy7.com
[Snip]        44.192.32.185      mAil.rAndY7.COM
[Snip]        83.97.20.25        VERSION.BIND
[Snip]        141.212.123.191    researchscan541.eecs.umich.edu
^C

And it gave me some interesting output. Many of the requests were for addresses that I had no authority over and many were from peculiar addresses. I used dig to check forward & reverse DNS which led me on some adventures. Then I’d use whois to check who owned domains and IPs.
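To turn that watching into a repeatable check, here is an added example (not from the original post) that reads the tab-separated output of the tshark command above and sorts each query into in-zone, out-of-zone (names the server has no authority over) or server probe (version.bind and friends). The frame.time format in the sample is assumed; the sample lines themselves are constructed, not captured traffic.

```python
"""Added example (not from the post): classify queries seen in tshark field
output as in-zone, out-of-zone (not our authority) or server probes
(version.bind in CHAOS). Sample lines are constructed, not captured."""
import csv
import io
from collections import Counter

# Zones this server is authoritative for (the post's zone is randy7.com).
AUTHORITATIVE_ZONES = ("randy7.com",)

# Names that ask about the server itself rather than about a hosted zone.
SERVER_PROBE_NAMES = {"version.bind", "version.server", "hostname.bind", "id.server"}

# Constructed sample in the post's field order (frame.time format assumed):
# frame.time, ip.src, ipv6.src (empty for IPv4 packets), dns.qry.name
SAMPLE_TSHARK = """\
Jan  1 12:00:01\t208.54.85.119\t\trandy7.com
Jan  1 12:00:02\t44.192.32.185\t\tmAil.rAndY7.COM
Jan  1 12:00:03\t83.97.20.25\t\tVERSION.BIND
Jan  1 12:00:04\t141.212.123.191\t\tresearchscan541.eecs.umich.edu
Jan  1 12:00:05\t\t2001:db8::1\twww.randy7.com
"""

def classify(qname, zones=AUTHORITATIVE_ZONES):
    """Return 'probe', 'in-zone' or 'out-of-zone' for one query name.
    Matching is case-insensitive: resolvers randomise case (0x20 encoding)."""
    name = qname.lower().rstrip(".")
    if name in SERVER_PROBE_NAMES:
        return "probe"
    if any(name == z or name.endswith("." + z) for z in zones):
        return "in-zone"
    return "out-of-zone"

def parse_tshark_fields(text):
    """Yield (source_ip, qname, category) for each tshark -T fields line."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 4 or not row[3]:
            continue  # no dns.qry.name on this line
        _time, ip4, ip6, qname = row[:4]
        yield (ip4 or ip6, qname, classify(qname))

def summarize(text):
    """Count categories and list which sources sent non-in-zone queries."""
    counts, suspicious = Counter(), {}
    for src, qname, cat in parse_tshark_fields(text):
        counts[cat] += 1
        if cat != "in-zone":
            suspicious.setdefault(src, []).append(qname)
    return counts, suspicious
```

Feed it the saved tshark output instead of SAMPLE_TSHARK and the suspicious dict gives you the source list to hand to dig -x and whois.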

Let’s see who was looking for researchscan541.eecs.umich.edu.

# Source IP
$ dig +short -x 141.212.123.191
researchscan701.eecs.umich.edu.

# Query Name
$ dig +short researchscan541.eecs.umich.edu
141.212.123.31

I’m sure researchscan701.eecs.umich.edu didn’t accidentally ask for researchscan541.eecs.umich.edu. I also noticed some version requests, so I temporarily set hide-version: no in /var/nsd/etc/nsd.conf to see a response:

# Check server version
$ dig +short @localhost version.bind chaos txt
"NSD 4.3.2"

Where are scans coming from?

Thank you dig, nsd, OpenBSD, and tshark.


Documentation for nsd is available at NLNet Labs’ GitHub.

I wonder if I could match DNS lookups with their intentions.

OpenBSD Amsterdam may let me do authoritative reverse DNS for an IPv6 /64.

nsd.conf’s example TSIG password decoded to mekmitasdigoat.

“version.bind chaos txt” is explained in RFC 4892, Requirements for a Mechanism Identifying a Name Server Instance.