Taking Advantage of DNSSEC

Great overview of what’s coming (eventually) to DNS and the internet.

SWITCH Security-Blog

According to measurements by APNIC’s Geoff Huston, currently 16 percent of Swiss Internet users use a DNSSEC validating DNS resolver. If you want to benefit from the added security with DNSSEC in your network then I suggest you enable DNSSEC validation in your network as well. SurfNet published a deployment guide recently that takes BIND 9.x, Unbound and Microsoft Windows Server 2012 into account.

Enabling DNSSEC validation on your DNS resolvers is one simple step and it protects you from DNS Cache Poisoning. However, if it were only for this, then the DNSSEC protocol complexity would come at a high cost for only providing this one benefit. In fact, DNSSEC is much more than only a protection from Cache Poisoning. It’s a new PKI in DNS and if you have signed your zone and are already validating then you can take advantage of that PKI. Some use cases are…


How to Test DNSSEC and DANE on a Domain

Here’s a simple way to check if DANE is properly set up on a site:

# echo -n | openssl s_client -connect spdysync.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | tr -d :
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
SHA256 Fingerprint=461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD530BF2C2

And then compare that value against the published TLSA record:

# dig +short TLSA _443._tcp.spdysync.com
3 0 1 461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD 530BF2C2

These values should match. If they don’t, assume the site has been compromised.

This assumes, of course, that the domain is also signed with DNSSEC. A properly configured domain: http://dnssec-debugger.verisignlabs.com/spdysync.com
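The manual comparison above only covers one TLSA shape (usage 3, selector 0, matching type 1, i.e. SHA-256 over the full certificate). The following Python script is an added example, not part of the original post, that does the same comparison for any selector (full certificate or SubjectPublicKeyInfo) and matching type (exact, SHA-256, SHA-512) from RFC 6698, and normalises the hex the way dig +short prints it (wrapped with a space, as in the record above). It runs offline against a constructed, structurally valid but meaningless certificate skeleton; in practice you would feed it the PEM from openssl s_client and the rdata from dig. It handles only the end-entity usages (1 and 3); the CA-constraint usages (0 and 2) need the whole chain and are out of scope here.

```python
import base64
import hashlib
import re


def _der_tlv(data, off=0):
    """Read one DER element at data[off:]; return (tag, value, bytes consumed)."""
    tag = data[off]
    length = data[off + 1]
    hdr = 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start = off + hdr
    return tag, data[start:start + length], hdr + length


def _der_children(body):
    """Split the body of a constructed element into (tag, full TLV bytes) children."""
    out, off = [], 0
    while off < len(body):
        tag, _, consumed = _der_tlv(body, off)
        out.append((tag, body[off:off + consumed]))
        off += consumed
    return out


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = _der_tlv(cert_der)          # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    _, tbs_tlv = _der_children(cert_body)[0]
    _, tbs_body, _ = _der_tlv(tbs_tlv)
    fields = _der_children(tbs_body)
    if fields[0][0] == 0xA0:                      # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate association data per RFC 6698 for the given selector/matching type."""
    if selector == 0:
        data = cert_der                            # Cert: full DER certificate
    elif selector == 1:
        data = spki_from_cert(cert_der)            # SPKI: DER SubjectPublicKeyInfo
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == 0:
        return data                                # Full: exact bytes
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex...' as printed by dig +short.
    dig may wrap the hex across whitespace and use either case; both are normalised."""
    parts = rdata.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]).lower())


def tlsa_matches(cert_der, rdata):
    """True if the end-entity certificate satisfies a usage 1 or 3 TLSA record."""
    usage, selector, mtype, assoc = parse_tlsa(rdata)
    if usage not in (1, 3):
        raise ValueError("usage %d constrains a CA; needs the chain, not handled here" % usage)
    return tlsa_association_data(cert_der, selector, mtype) == assoc


def pem_to_der(pem_text):
    """Decode the first PEM CERTIFICATE block (e.g. from openssl s_client output) to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: correct X.509 layout, placeholder contents (not a real certificate).
_RSA_OID = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
_SHA256RSA = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
SAMPLE_SPKI_DER = _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x01" * 16))
_TBS = _der(0x30,
            _der(0xA0, _der(0x02, b"\x02"))                                   # version v3
            + _der(0x02, b"\x01")                                              # serialNumber
            + _SHA256RSA                                                       # signature
            + _der(0x30, b"")                                                  # issuer (empty)
            + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
            + _der(0x30, b"")                                                  # subject (empty)
            + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = _der(0x30, _TBS + _SHA256RSA + _der(0x03, b"\x00" * 9))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    record = "3 0 1 " + tlsa_association_data(SAMPLE_CERT_DER, 0, 1).hex().upper()
    print(record)
    print("match:", tlsa_matches(pem_to_der(SAMPLE_PEM), record))
```

To use it on a live host, capture the PEM with the openssl s_client pipeline from the post (without the final openssl x509 step), pass it to pem_to_der, and pass the dig +short output line to tlsa_matches. Because the script recomputes the association data from the certificate, it also works for selector 1 records, where the fingerprint printed by openssl x509 would not match even on a correctly configured site.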

Creating a Simple, Cheap, and Automated Backup Solution with Tarsnap

Background:

So I host a variety of small websites on a VPS at Ramnode (affiliate link). I’ve been extremely happy with their service, and their performance per dollar ratio. Previously I had been using DigitalOcean, but their VPS performance lately was a bit lacking compared to other providers (sorry DigitalOcean, I still love ya). As part of my evaluation of a handful of providers I performed extensive benchmarking to determine which VPS provider would be best for my (amateur) needs. It was also an excuse to use Excel again — oh Excel how I miss thee — but I digress.

I’ve been a very happy camper at Ramnode until I realized the weaknesses of having picked OpenVZ Linux containers vs. KVM virtualization which I’ve used in the past. Long story short, with OpenVZ containers the user (me) does not have access to much of the low-level system (including the kernel). This leads to problems with things like iptables logging, syslog, or when trying to access information about a given partition within your container. This lack of partition information unfortunately means that when you try to back up your data with a traditional backup solution like R1Soft you — as a lowly user — do not have the right permissions to read and then back up your data within your own container. Not a problem I said — Ramnode provides customers with regular backups. That was one of the reasons I picked them.

Well, that was the case until recently: https://clientarea.ramnode.com/announcements.php?id=368 They casually announced that they had disabled the weekly automated backup system. So that sucks, a lot. 

My VPS provider decided to stop backing up my data (even though they sold me a plan saying they would) and due to OpenVZ limitations many of the common automated backup tools simply won’t work.

So I needed to come up with a solution.
