Programming

Background

I am running my own authoritative DNS servers for the last few years. In earlier stages I just used registrar-provided DNS, later moved to “Cloud provider” provided DNS and ultimately settled for running my own auth DNS.

Two major requirements pushed me to self-host auth DNS:

1. Requirement of REST API for DNS needed by the web servers to resolve Letsencrypt certbot DNS-based challenge. This allows me to have internally hosted tools with Letsencrypt issues TLS certificates instead of self-signed ones. The API access is mostly missing in the registrars hosted DNS.
2. Occasional DDoS on my blog. There have been occasional DDoS on my blog (probably from random people who enjoy doing volumetric attacks). This always worried me about DNS bills during DDoS, especially for low TTL records. The last hosted DNS option I had over a year ago was Google Cloud DNS and they charge $0.40 per million queries per month. This can add a significant amount to the bill if under massive DDoS resulting in many millions of DNS queries. Plus per zone 20 cents charge gets expensive at a scale with a half a dozen domains.

After exploring a few options I settled for running PowerDNS with MySQL backend. This is kind of a comfort zone since I ran similar systems for my employers in past and it worked well. PowerDNS is a great option for authoritative DNS as it has nice documented REST API, CLI utility pdnsutil for easy high-level scripting, supports a bunch of backends to store DNS records from BIND like text files to MySQL. It is also good (automated) support to handle DNSSEC for signing the zone.

Came across excellent tool called “bgpq3” from one of recent posts in NANOG mailing list. This tool can general filters for a given ASN for Cisco or Juniper based on RADB’s data.

E.g Juniper style config for AS54456 (1st ASN on which I worked on!) :)

anurag@server7 ~> bgpq3 -Jl Cloudaccess as54456 
policy-options {
replace:
 prefix-list Cloudaccess {
    199.116.76.0/24;
    199.116.77.0/24;
    199.116.78.0/24;
    199.116.79.0/24;
 }
}
anurag@server7 ~> 

Cisco style config:

> anurag@server7:~$ bgpq3 -l Cloudaccess as54456 
no ip prefix-list Cloudaccess 
ip prefix-list Cloudaccess permit 199.116.76.0/24 
ip prefix-list Cloudaccess permit 199.116.77.0/24
ip prefix-list Cloudaccess permit 199.116.78.0/24
ip prefix-list Cloudaccess permit 199.116.79.0/24 
anurag@server7:~$

Cisco XR style config:

Whenever I see a new unknown IP range, it gets hard to find exact source of that IP within command shell. Recently, I found a very interesting source of that information from Team Cymru.

I figured out (with a friend’s help) that using their whois server - v4.whois.cymru.com one can actually grab limited information as required. 

E.g

anurag@laptop:~$ whois -h v4.whois.cymru.com "  -v 8.8.8.8"
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name

15169   | 8.8.8.8          | 8.8.8.0/24          | US | arin     | 1992-12-01 | GOOGLE - Google Inc.

As we can see -v gives all possible information. All I needed was AS number, AS Name, BGP Prefix, Country code - this gives enough information for an IP address. Thus command turns out to be with -c & -p.