ISC dnsdist Workshop

1 dnsdist workshop

The Ansible scripts used to create the virtual machine environment for this workshop can be found at https://github.com/sys4/ansible-doh-proxy

The virtual machines have a domain name in the form dnsdistXXX.dnsworkshop.cz (for numbers 001 to 040) and dnsdistXXX.dnsworkshop.org (for numbers 041 to 080)

Please log in to the machines with a modern web browser under the URL https://dnsdistXXX.dnsworkshop.org:9090 or https://dnsdistXXX.dnsworkshop.cz:9090 with the username user and the password DNSandBIND.

The virtual machines run the cockpit tool (https://cockpit-project.org) to provide a terminal in the web browser.

Then select the terminal (last menu option on the left) and start the tutorial.

1.1 Virtual machines

Every participant has a VM number. Please replace the XXX in the instructions with your participant number from the table below:

Number Name

1.2 Installing dnsdist

  • DNSDIST is a DNS load-balancer and DNS-over-TLS and DNS-over-HTTPS proxy from PowerDNS B.V.
  • From the product website https://dnsdist.org/index.html:
    dnsdist is a highly DNS-, DoS- and abuse-aware load-balancer. 
    Its goal in life is to route traffic to the best server, delivering 
    top performance to legitimate users while shunting or blocking abusive traffic.
    
    dnsdist is dynamic, its configuration language is Lua and it can be 
    changed at run-time, and its statistics can be queried from a 
    console-like interface or an HTTP API.
    
  • DNSDIST is open source software under the GPL V2
  • The virtual machines are CentOS 8 Linux machines.
  • Become the root user for the installation and configuration (Password DNSandBIND)
    sudo -s
    
  • Now we install dnsdist from the PowerDNS software repository for CentOS 8:
    dnf install -y epel-release
    dnf install -y 'dnf-command(config-manager)'
    curl -o /etc/yum.repos.d/powerdns-dnsdist-16.repo https://repo.powerdns.com/repo-files/centos-dnsdist-16.repo
    dnf install -y dnsdist
    

2 Session 1 - dnsdist as load balancer for authoritative server

  • In this session we build a load balancer for the isc.org authoritative servers
  • Save and remove a previous dnsdist configuration /etc/dnsdist/dnsdist.conf and start with a clean file
  • We use Port 65053 on the IPv4 loopback address, as port 53 on all IP addresses is currently occupied by the BIND 9 DNS resolver
    newServer({address="51.75.79.143",      checkType="SOA", checkClass=DNSClass.IN, checkName="isc.org"})
    newServer({address="199.6.1.52",        checkType="SOA", checkClass=DNSClass.IN, checkName="isc.org"})
    newServer({address="199.254.63.254",    checkType="SOA", checkClass=DNSClass.IN, checkName="isc.org"})
    newServer({address="149.20.1.73",       checkType="SOA", checkClass=DNSClass.IN, checkName="isc.org"})
    newServer({address="2001:500:60:d::52", checkType="SOA", checkClass=DNSClass.IN, checkName="isc.org"})
    newServer({address="2001:4f8:1:f::73",  checkType="SOA", checkClass=DNSClass.IN, checkName="isc.org"})
    setServerPolicy(leastOutstanding)
    setLocal("127.0.0.1:65053")
    

2.1 Starting dnsdist

  • check the configuration of dnsdist for syntax errors
    /usr/bin/dnsdist -u dnsdist -g dnsdist --check-config
    Configuration '/etc/dnsdist/dnsdist.conf' OK!
    
  • enable and start the dnsdist service (or restart)
    systemctl enable --now dnsdist
    systemctl restart dnsdist
    
  • check that the service has been started without errors:
    # systemctl status dnsdist
    ● dnsdist.service - DNS Loadbalancer
      Loaded: loaded (/usr/lib/systemd/system/dnsdist.service; enabled; vendor preset: disabled)
      Active: active (running) since Wed 2021-04-21 07:45:47 UTC; 2min 26s ago
        Docs: man:dnsdist(1)
              https://dnsdist.org
     Process: 27803 ExecStartPre=/usr/bin/dnsdist -u dnsdist -g dnsdist --check-config (code=exited, status=0/SUCCESS)
    Main PID: 27804 (dnsdist)
       Tasks: 25 (limit: 8192)
      Memory: 159.4M
      CGroup: /system.slice/dnsdist.service
              └─27804 /usr/bin/dnsdist -u dnsdist -g dnsdist --supervised --disable-syslog
    
    Apr 21 07:47:21 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'down'
    Apr 21 07:47:24 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'up'
    Apr 21 07:47:37 dnsdist001 dnsdist[27804]: Marking downstream [2001:4f8:1:f::73]:53 as 'down'
    Apr 21 07:47:38 dnsdist001 dnsdist[27804]: Marking downstream [2001:4f8:1:f::73]:53 as 'up'
    Apr 21 07:47:50 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'down'
    Apr 21 07:47:51 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'up'
    Apr 21 07:47:58 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'down'
    Apr 21 07:47:59 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'up'
    Apr 21 07:48:05 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'down'
    Apr 21 07:48:06 dnsdist001 dnsdist[27804]: Marking downstream 149.20.1.73:53 as 'up'
    
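The log above shows 149.20.1.73 and its IPv6 address being marked 'down' and 'up' within a second or two of each other: with the defaults, a single lost or late health-check answer takes a backend out of rotation, and the next successful check puts it straight back. The following is an added configuration example, not part of the workshop and not taken from the dnsdist documentation, that declares the same six isc.org backends with the health-check parameters set for flap damping; the numeric values are assumptions chosen for illustration, not recommendations from the dnsdist project.

```lua
-- Added example (not part of the workshop): Session 1 backends with damped
-- health checks, so one dropped check packet does not flip a server to 'down'.
-- Numeric values are assumptions for illustration.
local backends = {
  "51.75.79.143", "199.6.1.52", "199.254.63.254", "149.20.1.73",
  "2001:500:60:d::52", "2001:4f8:1:f::73",
}

for _, addr in ipairs(backends) do
  newServer({
    address = addr,
    checkType = "SOA",          -- record type queried by the health check
    checkClass = DNSClass.IN,   -- record class of the health-check query
    checkName = "isc.org",      -- name queried; an authoritative server must answer it
    checkInterval = 2,          -- seconds between health checks (default 1)
    checkTimeout = 1500,        -- milliseconds to wait for the check answer (default 1000)
    maxCheckFailures = 3,       -- consecutive failures before marking the backend 'down' (default 1)
    rise = 2,                   -- consecutive successes before marking it 'up' again (default 1)
    mustResolve = true,         -- an NXDOMAIN answer to the check also counts as a failure
                                -- (SERVFAIL and REFUSED always do)
  })
end

-- Log the outcome of every health check while tuning; turn it off again
-- afterwards, it is noisy on a busy proxy.
setVerboseHealthChecks(true)

setServerPolicy(leastOutstanding)
setLocal("127.0.0.1:65053")
```

With these values a backend is only marked 'down' after roughly six seconds of consecutive failures (three checks two seconds apart) and needs two clean checks to come back, so a single lost UDP packet on the path to ns1.isc.org no longer shows up as a state change in the journal. Whether damping is the right trade-off depends on how quickly you need a genuinely dead backend removed; the `--check-config` and `systemctl status` steps above apply unchanged.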

2.2 Testing the load-balancing setup

  • we send the request to the port 65053 where dnsdist is listening
    # dig -p 65053 @localhost isc.org
    
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> -p 65053 @localhost isc.org
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31394
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; COOKIE: a32da90421420f5001000000607fd98b625dc95973203ccc (good)
    ;; QUESTION SECTION:
    ;isc.org.                       IN      A
    
    ;; ANSWER SECTION:
    isc.org.                60      IN      A       149.20.1.66
    
    ;; Query time: 74 msec
    ;; SERVER: 127.0.0.1#65053(127.0.0.1)
    ;; WHEN: Wed Apr 21 07:51:39 UTC 2021
    ;; MSG SIZE  rcvd: 80
    
  • The AA flag tells us that the response indeed comes from an authoritative DNS server

2.3 Configuring the dnsdist webserver

  • Add the following lines to the dnsdist configuration
    webserver("0.0.0.0:8053")
    setWebserverConfig({acl="0.0.0.0/0",password="dnsdist-is-great"})
    
  • Restart dnsdist
    systemctl restart dnsdist
    
  • Open port 8053 for the web-interface
    firewall-cmd --add-port=8053/tcp --permanent
    firewall-cmd --reload
    
  • Access the web-interface
    http://dnsdistXXX.dnsworkshop.org:8053/
    

3 Session 2 - dnsdist as load balancer for DNS resolver

  • In this session we build a load balancer for multiple DNS resolvers. We use the local BIND 9 DNS resolver together with a selection of public DNS resolvers
  • Save and remove a previous dnsdist configuration /etc/dnsdist/dnsdist.conf and start with a clean file
  • We use Port 65053 on the IPv4 loopback address, as port 53 on all IP addresses is currently occupied by the BIND 9 DNS resolver
    newServer({address="127.0.0.1", qps=10000, order=1}) -- our local BIND 9
    newServer({address="1.1.1.1",   qps=100, order=3})   -- Cloudflare Public DNS
    newServer({address="8.8.8.8",   qps=100, order=2})   -- Google Public DNS 
    -- Cache 
    pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
    getPool(""):setCache(pc)
    -- Load-balancing Policy
    setServerPolicy(leastOutstanding)
    -- local IP address for dnsdist
    setLocal("127.0.0.1:65053")
    
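The startup log in the next section shows that, without further configuration, dnsdist answers every client in the RFC 1918 and loopback ranges and applies no per-client limits, so a single misbehaving client can exhaust the `qps` budget of the public resolvers for everyone behind the proxy. The following is an added configuration example, not part of the workshop, that keeps the Session 2 backends and cache and adds an explicit client ACL and per-client rate limiting in front of the cache; `192.0.2.0/24` is a placeholder (RFC 5737 documentation range) standing in for the network of your own clients, and the 50 qps threshold is an assumption for illustration.

```lua
-- Added example (not part of the workshop): Session 2 resolver front end with
-- an explicit client ACL and per-client rate limiting. 192.0.2.0/24 is a
-- placeholder for your client network; 50 qps is an assumed threshold.
newServer({address="127.0.0.1", qps=10000, order=1}) -- our local BIND 9
newServer({address="1.1.1.1",   qps=100,   order=3}) -- Cloudflare Public DNS
newServer({address="8.8.8.8",   qps=100,   order=2}) -- Google Public DNS

-- Only the listed client networks are served; queries from any other source
-- address are dropped before any rule, cache lookup or backend is involved.
-- (The default ACL, visible in the startup log, admits all private ranges.)
setACL({"127.0.0.0/8", "::1/128", "192.0.2.0/24"})

-- Rules run before the cache lookup. A single client source address may send
-- at most 50 queries per second; anything above that gets an empty REFUSED
-- answer instead of a resolver round trip, so the qps budget of the public
-- resolvers is not consumed by one noisy host.
addAction(MaxQPSIPRule(50), RCodeAction(DNSRCode.REFUSED))

-- ANY queries over UDP are a classic amplification vector: answer them with
-- TC=1 so a well-behaved client retries over TCP and a spoofed UDP source
-- address gets only a small truncated reply.
addAction(AndRule({QTypeRule(DNSQType.ANY), NotRule(TCPRule(true))}), TCAction())

-- Cache, exactly as in the workshop configuration
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
-- Load-balancing policy
setServerPolicy(leastOutstanding)
-- Local IP address for dnsdist
setLocal("127.0.0.1:65053")
```

The `dnsblast` run in 3.4 (5,000 queries at 100 qps from 127.0.0.1) is a convenient way to see the rate limit act: queries above the threshold show up as REFUSED in the dnsdist web interface counters rather than as cache misses forwarded upstream. Raise the threshold or exempt 127.0.0.0/8 with a preceding `addAction(NetmaskGroupRule(...), AllowAction())` if the test client itself should stay unlimited.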

3.1 (Re-)start dnsdist

  • check the configuration of dnsdist for syntax errors
    /usr/bin/dnsdist -u dnsdist -g dnsdist --check-config
    Configuration '/etc/dnsdist/dnsdist.conf' OK!
    
  • enable and start the dnsdist service (or restart)
    systemctl enable --now dnsdist
    systemctl restart dnsdist
    
  • check that the service has been started without errors:
       # systemctl status dnsdist
       ● dnsdist.service - DNS Loadbalancer
       Loaded: loaded (/usr/lib/systemd/system/dnsdist.service; enabled; vendor preset: disabled)
       Active: active (running) since Wed 2021-04-21 08:20:01 UTC; 1min 34s ago
         Docs: man:dnsdist(1)
               https://dnsdist.org
      Process: 29682 ExecStartPre=/usr/bin/dnsdist -u dnsdist -g dnsdist --check-config (code=exited, status=0/SUCCESS)
     Main PID: 29684 (dnsdist)
        Tasks: 23 (limit: 8192)
       Memory: 106.1M
       CGroup: /system.slice/dnsdist.service
               └─29684 /usr/bin/dnsdist -u dnsdist -g dnsdist --supervised --disable-syslog
    
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Listening on 127.0.0.1:65053
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: dnsdist 1.6.0-rc1 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to>
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: ACL allowing queries from: 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, ::1/128, fc00>
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Console ACL allowing connections from: 127.0.0.0/8, ::1/128
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Webserver launched on 0.0.0.0:8053
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Marking downstream 8.8.8.8:53 as 'up'
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Marking downstream 1.1.1.1:53 as 'up'
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Marking downstream 127.0.0.1:53 as 'up'
    Apr 21 08:20:01 dnsdist001 systemd[1]: Started DNS Loadbalancer.
    Apr 21 08:20:01 dnsdist001 dnsdist[29684]: Polled security status of version 1.6.0-rc1 at startup, no known issues reported: OK
    

3.2 Testing the load-balancing setup

  • we send the request to the port 65053 where dnsdist is listening
    # dig -p 65053 @localhost isc.org
    
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> -p 65053 @localhost isc.org
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2118
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 6
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 43eb1091ab82dca920cdeb35607fe0dc3fa2a2297ffccfce (good)
    ;; QUESTION SECTION:
    ;isc.org.                       IN      A
    
    ;; ANSWER SECTION:
    isc.org.                60      IN      A       149.20.1.66
    
    ;; AUTHORITY SECTION:
    isc.org.                4169    IN      NS      ns2.isc.org.
    isc.org.                4169    IN      NS      ns1.isc.org.
    isc.org.                4169    IN      NS      ns.isc.afilias-nst.info.
    isc.org.                4169    IN      NS      ns3.isc.org.
    
    ;; ADDITIONAL SECTION:
    ns1.isc.org.            82288   IN      A       149.20.1.73
    ns2.isc.org.            82288   IN      A       199.6.1.52
    ns3.isc.org.            82288   IN      A       51.75.79.143
    ns1.isc.org.            82288   IN      AAAA    2001:4f8:1:f::73
    ns2.isc.org.            82288   IN      AAAA    2001:500:60:d::52
    
    ;; Query time: 76 msec
    ;; SERVER: 127.0.0.1#65053(127.0.0.1)
    ;; WHEN: Wed Apr 21 08:22:52 UTC 2021
    ;; MSG SIZE  rcvd: 275
    
  • The RD and AD flags tell us that the response indeed comes from a DNS resolver

3.3 Configuring the dnsdist webserver

  • Add the following lines to the dnsdist configuration
    webserver("0.0.0.0:8053")
    setWebserverConfig({acl="0.0.0.0/0",password="dnsdist-is-great"})
    
  • Restart dnsdist
    systemctl restart dnsdist
    
  • Open port 8053 for the web-interface
    firewall-cmd --add-port=8053/tcp --permanent
    firewall-cmd --reload
    
  • Access the web-interface
    http://dnsdistXXX.dnsworkshop.org:8053/
    
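The web server as configured above listens on all interfaces with `acl="0.0.0.0/0"`, so after the firewall change anyone on the Internet can reach the dashboard and the JSON API of your proxy, protected by a single shared password. That is convenient for a workshop VM but not what you want on a production proxy. The following is an added configuration example, not part of the workshop, that keeps the same listener but narrows who may connect and separates the dashboard password from the API key; `192.0.2.0/24` is a placeholder for the network you administer from, and the credential strings are placeholders to be replaced.

```lua
-- Added example (not part of the workshop): the same web server, reachable
-- only from loopback and one administrative network, with separate
-- credentials for the dashboard and the API. 192.0.2.0/24 and the
-- CHANGE-ME values are placeholders.
webserver("0.0.0.0:8053")
setWebserverConfig({
  -- Netmasks, as a comma-separated string (same format the workshop uses):
  -- connections from any other source address are refused before
  -- authentication is even attempted.
  acl = "127.0.0.0/8, ::1/128, 192.0.2.0/24",
  -- Credential for the HTML dashboard (HTTP basic auth)
  password = "CHANGE-ME-dashboard-password",
  -- Separate credential for /api/v1/..., sent in the X-API-Key header, so a
  -- monitoring system does not need the dashboard password
  apiKey = "CHANGE-ME-api-key",
  -- Also require credentials for /metrics and /jsonstat, which are otherwise
  -- readable by anyone the ACL admits
  statsRequireAuthentication = true,
})
-- The API stays read-only unless setAPIWritable(true) is called; leave it so.
```

With this in place the workshop URL http://dnsdistXXX.dnsworkshop.org:8053/ still works from an address inside the ACL and simply times out or is refused from anywhere else, which is also the behaviour to check after restarting: a `curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:8053/metrics` should return 401 rather than 200 once `statsRequireAuthentication` is set.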

3.4 More tests

  • Performance testing a DNS resolver with dnsblast
  • dnsblast is a simple tool that sends random DNS queries for the com TLD
  • compiling dnsblast
    dnf -y install gcc make
    git clone https://github.com/jedisct1/dnsblast
    cd dnsblast
    make
    
  • We use dnsblast to send 5,000 queries at a rate of 100 qps to our dnsdist load-balancer at port 65053
    ./dnsblast 127.0.0.1 5000 100 65053
    

4 Session 3 - dnsdist as a DoT/DoH proxy

  • The VM has a BIND 9 DNS resolver installed and configured (default configuration)
  • In this workshop session, we will configure dnsdist as a DoH/DoT proxy for the BIND 9 DNS resolver
  • The instructions below are for servers in the dnsworkshop.org domain. Users of the VMs 001 to 040 replace dnsworkshop.org with dnsworkshop.cz.
  • Save and remove a previous dnsdist configuration /etc/dnsdist/dnsdist.conf and start with a clean file
  • check that the BIND 9 DNS server is up and running (our pre-installed DNS resolver serving classic DNS over Port 53):
    dig @localhost isc.org
    
  • the response should look like this
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> @localhost isc.org
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30473
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: b196be9cbadc1f5d73bc365c607fd0cd5ae9b561bfe91290 (good)
    ;; QUESTION SECTION:
    ;isc.org.                       IN      A
    
    ;; ANSWER SECTION:
    isc.org.                60      IN      A       149.20.1.66
    
    ;; Query time: 513 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Wed Apr 21 07:14:21 UTC 2021
    ;; MSG SIZE  rcvd: 80
    

4.1 TLS x509 certificates

  • Our server already has x509 certificates for TLS from Let's Encrypt. We need to copy the certificate file and the private key file into the dnsdist configuration directory and adjust the file permissions, so that dnsdist can read the files (replace XXX with your participant number and the domain dnsworkshop.org or dnsworkshop.cz):
    cp /root/.acme.sh/dnsdistXXX.dnsworkshop.org/dnsdistXXX.dnsworkshop.org.* /etc/dnsdist/
    chown dnsdist: /etc/dnsdist/*
    

4.2 Configuration for the "upstream" DNS resolver

  • first we need to tell dnsdist where to find the upstream (existing) DNS resolver. In our case, it is the BIND 9 instance running on the same machine.
    • in dnsdist, you can specify any number of upstream servers with load-balancing parameters, please see the dnsdist website for documentation.
  • we create the file /etc/dnsdist/dnsdist.conf with one line of configuration that defines one upstream DNS resolver (use your favorite text editor nano, emacs, vim):
    newServer({address="127.0.0.1"})
    

4.3 Configuration for DNS-over-TLS (DoT)

  • our DNS-over-TLS service will run on the (loop-back) IP address 127.0.0.10. In a production environment, this would be one of the external addresses of the proxy machine that is reachable from DNS clients.
    • the new configuration line for DoT defines the listen address, the x509 certificate and the private key matching the certificate
  • our configuration file /etc/dnsdist/dnsdist.conf should now look like this:
    newServer({address="127.0.0.1"})
    addTLSLocal('127.0.0.10', 
          '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.cer', 
          '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.key')
    

4.4 Starting dnsdist

  • check the configuration of dnsdist for syntax errors
    /usr/bin/dnsdist -u dnsdist -g dnsdist --check-config
    Configuration '/etc/dnsdist/dnsdist.conf' OK!
    
  • enable and start the dnsdist service (or restart)
    systemctl enable --now dnsdist
    systemctl restart dnsdist
    
  • check that the service has been started without errors:
    # systemctl status dnsdist
    ● dnsdist.service - DNS Loadbalancer
       Loaded: loaded (/usr/lib/systemd/system/dnsdist.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2021-02-09 09:05:34 UTC; 17s ago
         Docs: man:dnsdist(1)
               https://dnsdist.org
      Process: 111443 ExecStartPre=/usr/bin/dnsdist -u dnsdist -g dnsdist --check-config (code=exited, status=0/SUCCESS)
     Main PID: 111445 (dnsdist)
        Tasks: 19 (limit: 8192)
       Memory: 28.2M
       CGroup: /system.slice/dnsdist.service
                └─111445 /usr/bin/dnsdist -u dnsdist -g dnsdist --supervised --disable-syslog
    
    Feb 09 09:05:34 doh01 systemd[1]: Stopped DNS Loadbalancer.
    Feb 09 09:05:34 doh01 systemd[1]: Starting DNS Loadbalancer...
    Feb 09 09:05:34 doh01 dnsdist[111445]: Added downstream server 127.0.0.1:53
    Feb 09 09:05:34 doh01 dnsdist[111445]: Listening on 127.0.0.10:853 for TLS
    Feb 09 09:05:34 doh01 dnsdist[111445]: dnsdist 1.6.0-alpha1 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are we>
    Feb 09 09:05:34 doh01 dnsdist[111445]: ACL allowing queries from: 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0>
    Feb 09 09:05:34 doh01 dnsdist[111445]: Console ACL allowing connections from: 127.0.0.0/8, ::1/128
    Feb 09 09:05:34 doh01 dnsdist[111445]: Marking downstream 127.0.0.1:53 as 'up'
    Feb 09 09:05:34 doh01 systemd[1]: Started DNS Loadbalancer.
    Feb 09 09:05:35 doh01 dnsdist[111445]: Polled security status of version 1.6.0-alpha1 at startup, no known issues reported: OK
    

4.5 Testing the DoT setup

  • we use kdig, the DNS query tool from the Knot DNS Server, to send DNS over TLS queries to our server. But first we install kdig
    dnf install knot-utils
    
  • and now we test DNS-over-TLS
     # kdig @127.0.0.10 isc.org +tls
     ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
     ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36388
     ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 4; ADDITIONAL: 6
    
     ;; EDNS PSEUDOSECTION:
     ;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
    
     ;; QUESTION SECTION:
     ;; isc.org.                     IN      A
    
     ;; ANSWER SECTION:
     isc.org.                60      IN      A       149.20.1.66
    
     ;; AUTHORITY SECTION:
     isc.org.                85545   IN      NS      ns2.isc.org.
     isc.org.                85545   IN      NS      ns1.isc.org.
     isc.org.                85545   IN      NS      ns3.isc.org.
     isc.org.                85545   IN      NS      ns.isc.afilias-nst.info.
    
     ;; ADDITIONAL SECTION:
     ns1.isc.org.            85545   IN      A       149.20.1.73
     ns2.isc.org.            85545   IN      A       199.6.1.52
     ns3.isc.org.            85545   IN      A       51.75.79.143
     ns1.isc.org.            85545   IN      AAAA    2001:4f8:1:f::73
     ns2.isc.org.            85545   IN      AAAA    2001:500:60:d::52
    
    ;; Received 247 B
    ;; Time 2021-04-21 07:28:35 UTC
    ;; From 127.0.0.10@853(TCP) in 105.8 ms
    
  • kdig will print information on the TLS connection in the first line:
    ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
    

4.6 Configuration for DNS-over-HTTPS (DoH)

  • the configuration for DNS-over-HTTPS is very similar to the DoT configuration. Please add the following line (replace the XXX with your participant number) to the file /etc/dnsdist/dnsdist.conf:
    addDOHLocal('127.0.0.10', 
        '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.cer', 
        '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.key')
    
  • check the configuration file for errors
    /usr/bin/dnsdist -u dnsdist -g dnsdist --check-config
    
  • and if no errors are reported, restart the dnsdist service
    systemctl restart dnsdist
    
  • check that the service has been (re-)started
    # systemctl status dnsdist
    ● dnsdist.service - DNS Loadbalancer
       Loaded: loaded (/usr/lib/systemd/system/dnsdist.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2021-02-09 09:12:03 UTC; 5s ago
         Docs: man:dnsdist(1)
               https://dnsdist.org
      Process: 112038 ExecStartPre=/usr/bin/dnsdist -u dnsdist -g dnsdist --check-config (code=exited, status=0/SUCCESS)
     Main PID: 112040 (dnsdist)
        Tasks: 21 (limit: 8192)
       Memory: 31.2M
       CGroup: /system.slice/dnsdist.service
               └─112040 /usr/bin/dnsdist -u dnsdist -g dnsdist --supervised --disable-syslog
    
    Feb 09 09:12:02 doh01 systemd[1]: Starting DNS Loadbalancer...
    Feb 09 09:12:03 doh01 dnsdist[112040]: Added downstream server 127.0.0.1:53
    Feb 09 09:12:03 doh01 dnsdist[112040]: Listening on 127.0.0.10:853 for TLS
    Feb 09 09:12:03 doh01 dnsdist[112040]: Listening on 127.0.0.10:443 for DoH
    Feb 09 09:12:03 doh01 dnsdist[112040]: dnsdist 1.6.0-alpha1 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are we>
    Feb 09 09:12:03 doh01 dnsdist[112040]: ACL allowing queries from: 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0>
    Feb 09 09:12:03 doh01 dnsdist[112040]: Console ACL allowing connections from: 127.0.0.0/8, ::1/128
    Feb 09 09:12:03 doh01 dnsdist[112040]: Marking downstream 127.0.0.1:53 as 'up'
    Feb 09 09:12:03 doh01 systemd[1]: Started DNS Loadbalancer.
    Feb 09 09:12:03 doh01 dnsdist[112040]: Polled security status of version 1.6.0-alpha1 at startup, no known issues reported: OK
    
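The `addTLSLocal` and `addDOHLocal` lines from 4.3 and 4.6 both accept an options table after the key file. The following is an added configuration example, not part of the workshop, that combines the two listeners and uses those options to raise the TLS floor, pin the DoH service to a single URL path and trim the HTTP response headers; the certificate and key file names carry the same `XXX` placeholder as the workshop instructions, and the option values are assumptions chosen for illustration rather than dnsdist defaults.

```lua
-- Added example (not part of the workshop): Session 3 DoT and DoH listeners
-- with explicit TLS and HTTP settings. XXX is the participant number
-- placeholder from the workshop; the option values are assumptions.
newServer({address="127.0.0.1"})   -- the local BIND 9 resolver

-- DNS-over-TLS on 127.0.0.10:853
addTLSLocal('127.0.0.10',
      '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.cer',
      '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.key',
      { minTLSVersion = "tls1.2" })        -- TLS 1.0 and 1.1 handshakes are refused

-- DNS-over-HTTPS on 127.0.0.10:443
addDOHLocal('127.0.0.10',
      '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.cer',
      '/etc/dnsdist/dnsdistXXX.dnsworkshop.org.key',
      { "/dns-query" },                    -- the only path served (RFC 8484 default);
                                           -- requests for any other path get a 404
      { minTLSVersion = "tls1.2",
        serverTokens = "dns-proxy",        -- replaces the default "Server:" header value
        customResponseHeaders = {          -- extra headers on every DoH answer
          ["cache-control"] = "max-age=0",
        } })

-- A single client may hold at most this many open TCP/TLS connections to the
-- proxy, which bounds what one misbehaving DoT client can tie up.
setMaxTCPConnectionsPerClient(100)
```

The `kdig ... +tls` and `kdig ... +https` tests from 4.5 and 4.7 work unchanged against this configuration; the first line of the DoH test still shows `(TLS1.3)`, and a query sent to a path other than `/dns-query` (for example `kdig @127.0.0.10 isc.org +https=/other`) is answered with an HTTP 404 instead of a DNS response, which is the behaviour to check after the restart.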

4.7 Testing DNS-over-HTTPS

  • Again we use the kdig tool to test our new DNS-over-HTTPS service:
    # kdig @127.0.0.10 isc.org +https
    ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
    ;; HTTP session (HTTP/2-POST)-(127.0.0.10/dns-query)-(status: 200)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 0
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 4; ADDITIONAL: 6
    
    ;; EDNS PSEUDOSECTION:
    ;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
    
    ;; QUESTION SECTION:
    ;; isc.org.                     IN      A
    
    ;; ANSWER SECTION:
    isc.org.                60      IN      A       149.20.1.66
    
    ;; AUTHORITY SECTION:
    isc.org.                7200    IN      NS      ns3.isc.org.
    isc.org.                7200    IN      NS      ns.isc.afilias-nst.info.
    isc.org.                7200    IN      NS      ns1.isc.org.
    isc.org.                7200    IN      NS      ns2.isc.org.
    
    ;; ADDITIONAL SECTION:
    ns1.isc.org.            85319   IN      A       149.20.1.73
    ns2.isc.org.            85319   IN      A       199.6.1.52
    ns3.isc.org.            85319   IN      A       51.75.79.143
    ns1.isc.org.            85319   IN      AAAA    2001:4f8:1:f::73
    ns2.isc.org.            85319   IN      AAAA    2001:500:60:d::52
    
    ;; Received 247 B
    ;; Time 2021-04-21 07:32:21 UTC
    ;; From 127.0.0.10@443(TCP) in 116.9 ms
    
  • kdig prints information about the TLS and HTTP connection in the first two lines:
    ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
    ;; HTTP session (HTTP/2-POST)-(127.0.0.10/dns-query)-(status: 200)
    

4.8 FIN

  • please "raise your hand" in the zoom meeting to indicate that you are done with the workshop part, so that the host gets feedback and knows when to continue
  • Questions can be asked in the chat or at the end of the workshop part