Building Debian 13 anycast nodes from cloud images with cloud-init support: configuring multiple loopback addresses using netplan instead of /etc/network/interfaces, exabgp service configuration for anycast BGP route announcements, and deploying redundant anycasted DNS infrastructure.
Implementing exabgp 4.x built-in healthchecks for anycasted DNS: configuring health check intervals, rise/fall thresholds, withdraw-on-down behavior for automatic route removal on service failure, and multi-address-family BGP sessions for IPv4/IPv6 anycast announcements.
Implementing AS112 reverse DNS sinkhole using BIRD BGP daemon: installing kernel routes from BGP, configuring prefix filters for RFC1918/RFC6890 anycast addresses, and using arouteserver to automate IXP AS112 deployments with BIRD.
Deploying RFC1918/RFC6890 reverse DNS sinkhole with AS112 using exabgp: configuring anycasted 192.175.48.0/24 and 2620:4f:8000::/48 prefixes, implementing exabgp-healthcheck for DNS service monitoring, and advertising BLACKHOLE routes only when service is operational.
Building anycasted highly-available recursive DNS with dnsdist load balancers and exabgp: using BGP MED-based failover across 4 dnsdist nodes with PowerDNS recursor backends, custom orderedwrandom load balancing policy, and automated healthchecks for route withdrawal.
I ran into an obscure limitation in PowerDNS 4.0 authoritative server recently. I have one nameserver which also acts as a slave to two other sets of zones which are transferred using AXFR. Some of those zones are DNSSEC-enabled, and PowerDNS is only able to handle DNSSEC on the first backend loaded. This was causing several forward and reverse zones to fail to serve the DNSSEC records along with the queried records, and DNSSEC validation to partially fail.
PowerDNS makes a mighty fine authoritative and recursive DNS server. They also recently added a DNS-aware load balancer. This article deals with load balancing multiple backend caches to keep all of them hot and working as efficiently as possible.
I first came across dnsdist in a NANOG post in the discussion of exploitation of a BIND DOS bug last summer. Jared Mauch had recommended dnsdist to easily implement DNS backend diversity.
Multi-phase migration to BGP-announced IP space: AS62758 turnup, moving LMS and external services from provider IPs, pre-change testing with reduced DNS TTLs, 1:1 NAT configs, and phased rollout strategy.
Attending ARIN on the Road in Winnipeg: IPv6-focused presentations, hands-on with RESTful web services API, discussions on DNSSEC/RPKI implementation, and networking with ARIN leadership.
Personal milestone: all public-facing services now dual-stack IPv6—anycast web, mail (SMTP/IMAP/POP3), DNS (authoritative/recursive), SSH/FTP, SSL VPN, SaltStack, Nagios, plus native home connectivity via HE tunnel.
Rapid deployment of slave nameservers on DigitalOcean VMs using SaltStack automation: scripted setup from initial VM creation through salt-minion configuration and state.highstate execution across multiple regions.
check-soa is a CLI tool written in Go which lets a DNS name server administrator easily verify that all servers listed as authoritative are in sync and serving the same zone by checking the SOA record. I use this tool nearly every day at work to verify that changes have propagated to all slave nameservers.
Comparing GeoDNS approaches: BIND with GeoIP patches versus the Go-based abh/geodns, tradeoffs between package maintenance and flexibility, and plans to pair GeoDNS with traditional authoritative DNS.
Building a home lab DNS/DHCP appliance on Raspberry Pi: installing ISC DHCP and BIND, wiring dynamic DNS updates, and serving multiple VLANs with relay helpers.
Building an exabgp lab to explore route injection, anycast/HA services, route servers, and DDoS mitigation scenarios using Python-based BGP automation.
Overview of native IPv6-enabled services including web (nginx/Apache), email (Postfix/Dovecot), XMPP (Prosody), and DNS. Covers configuration and operational challenges.
Switching from subnetsmngr to NIPAP for improved IP address management. NIPAP offers flexible subnet allocation, IPv4/IPv6 parity, VRF support, and both CLI and web interfaces.
Setting up anycast services using BIRD OSPF to inject /32 and /128 routes across multiple locations. Using FreeBSD VMs for redundant IPv4/IPv6 anycast DNS and web services.
Setting up self-hosted email with iRedMail on FreeBSD. A polished mail server solution with ClamAV, policyd, and DKIM support that integrates well with system packaging.