Consolidating / merge several DNS zone files into one server

March 5th, 2016 by admin

I recently worked on a datacenter move including migration of internal and external DNS servers.

The old datacenter had a history of around 20 years.
Unfortunately, back in the day it was decided to use the same domain for internal and external records, split across two zone files: one holding the internal records, the other the public ones. Each zone file had around 1800 individual records. A total mess!

We decided to move DNS to AWS Route53, so a merge was necessary.

During that journey I found two really helpful tools.

One is dns_compare, which helps you check a zone file against a DNS server, e.g. the internal file against the external server.

The second tool is cli53, which is literally a command line tool that lets you manipulate DNS records in Route53 and import/export them.

Unfortunately, the import in the AWS web interface is only available for the initial import and supports a maximum of 1000 records. cli53 helps with this as well.
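As an added example (not code from the post, dns_compare or cli53), the kind of pre-merge check the two-zone situation above calls for: parse two constructed single-line zone fragments for the same domain, classify every (name, type) pair as identical, conflicting, or present in one file only, and flag internal records with RFC 1918/ULA addresses that must not end up in the public Route53 zone. The domain and all records are constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed internal and external fragments of one domain (not the post's data).
INTERNAL_ZONE = """$ORIGIN example.com.
$TTL 3600
www      IN A  10.0.0.10
mail     IN A  10.0.0.25
intranet IN A  10.0.0.40
ns1      IN A  203.0.113.53
"""
EXTERNAL_ZONE = """$ORIGIN example.com.
www  IN A  203.0.113.10
mail IN A  203.0.113.25
shop IN A  203.0.113.80
ns1  IN A  203.0.113.53
"""
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_zone(text):
    """Return {(fqdn, type): set(rdata)} for simple one-line records."""
    origin, records = "", defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner = fields.pop(0)
        if fields[0].isdigit(): fields.pop(0)         # optional per-record TTL
        if fields[0].upper() == "IN": fields.pop(0)   # optional class
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records[(fqdn, rtype)].add(rdata)
    return records

def merge_report(internal, external):
    """Classify every (fqdn, type) as same, conflict, only_internal or only_external."""
    report = {}
    for key in set(internal) | set(external):
        a, b = internal.get(key), external.get(key)
        report[key] = ("only_external" if not a else "only_internal" if not b
                       else "same" if a == b else "conflict")
    return report

def private_address_records(records):
    """A/AAAA records pointing into RFC 1918 or ULA space: unsafe to publish in a public zone."""
    return sorted(key for key, rdata in records.items() if key[1] in ("A", "AAAA")
                  and any(ipaddress.ip_address(r) in net for r in rdata for net in PRIVATE_NETS))
```

Every "conflict" entry needs a human decision (split-horizon via a private hosted zone, or dropping the internal value), and the private-address list is what must stay out of the public zone.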

Apple Mail set S/Mime as default before GPGTools

July 30th, 2015 by admin

This is fairly simple. Open a Terminal and type:

defaults write org.gpgtools.gpgmail DefaultSecurityMethod -int 2

Close Mail, open it again and you are set.

Whether you prefer GPG/PGP or S/MIME, encrypting your email is always a good thing.
Setting up S/MIME on a Mac is simpler than you think.

Go for example to Comodo, get a free certificate by filling out the simple form (name + email), wait for the email, click the link, download the certificate, double-click it, restart Mail, and you are done!

SOLVED – tftpd-hpa won’t start after upgrade

July 25th, 2015 by admin

I just ran into an old TFTPD-HPA bug from 2009 that is still not fixed.

What happened:

Upgrading my Raspberry Pi, which I use as a PXE boot server, resulted in TFTPD-HPA not starting, with an error message like this:

Jul 23 12:12:32 xxxx in.tftpd[27342]: cannot open IPv6 socket, disable IPv6: Address family not supported by protocol
Jul 23 12:12:32 xxxx in.tftpd[27342]: Cannot set nonblock flag on socket: Bad file descriptor

This problem is also mentioned here in more detail.

Apparently TFTPD-HPA tries to use IPv6 even though the kernel does not support it. See the bug note.

The only thing you need to do is start the daemon in IPv4-only mode.

Edit your /etc/init.d/tftpd-hpa file.

Change the line (line 58 in my case) from

start-stop-daemon --start --quiet --oknodo --exec ${DAEMON} -- \
--listen --user ${TFTP_USERNAME} --address ${TFTP_ADDRESS} \
${TFTP_OPTIONS} ${TFTP_DIRECTORY}

to

start-stop-daemon --start --quiet --oknodo --exec ${DAEMON} -- \
--listen --ipv4 --user ${TFTP_USERNAME} --address ${TFTP_ADDRESS} \
${TFTP_OPTIONS} ${TFTP_DIRECTORY}

and finally:

service tftpd-hpa restart

This should solve the issue; the daemon will then only listen on IPv4.

Stop spying on us!

February 11th, 2014 by admin



Akamai releases numbers on IPv6 usage in Q3/13

January 30th, 2014 by admin

Akamai recently released the latest numbers on traffic they see coming from IPv6 networks.

Romania and Switzerland are leading the board, which is pretty impressive.


Source: State of the Internet – Akamai

Why you want to support IPv6 now!

November 17th, 2013 by admin

I recently changed ISP and, surprise, I now have a native IPv6 network at my router instead of an IPv4 internet address.

My new ISP uses something called Dual-Stack Lite, which means I can still reach IPv4 (the old internet), but I get routed (NAT) through one of their IPs. In fact I am sharing one IPv4 address with hundreds of other customers. Usually this is not an issue, as people do not need fixed IPv4 addresses for their home network.

I switched from 50 Mbit/s to 100 Mbit/s. The second I reach a website that supports IPv6, I see the content extremely fast and connections are brilliant. The second I access IPv4, everything feels slower.
This is happening because of Dual-Stack Lite, as lots and lots of other users have to be re-routed through my ISP's system.

Besides the fact that there are just no IPv4 addresses left, the user experience with IPv6 is way better now.

If you are in the internet industry, finally get your stuff ready for IPv6. It is shocking how many companies still only support IPv4 out of laziness.

In case you are not sure whether your website/service supports IPv6 yet, check it at IPv6 Test.

What’s the state of IPv6?

October 16th, 2013 by admin

I am switching to another ISP in a couple of days. My new ISP will give me an IPv6 address instead of an IPv4 one. Usually I should get at least an IPv4 address and an IPv6 address in addition, something called Dual-Stack. My new ISP will run something called DS-Lite, which is native IPv6 and routes IPv4 traffic through NAT.

So what I can't do is access my home network over IPv4, e.g. from my mobile. For most users that's not really important, and to be honest I am happy to get IPv6.
Why? Because it's f*cking time to start with it. IPv4 addresses are rare and limited. Of course there would be a short-term solution, like taking back some of the network ranges from some companies, but in the end this is still limited.

Everyone has known for at least a decade that IPv4 is not here to stay and that IPv6 is coming. So I am happy that my provider decided to switch, because it is the only natural way to go!

So I thought, let's check who already returns IPv6 addresses for DNS queries, and I am shocked.

For the record, what I did is:

user# dig aaaa domain.com

Here is a list that I just made (October 2013):

google.com yes
facebook.com yes
youtube.com yes
yahoo.com no
baidu.com no
wikipedia.org yes
linkedin.com no
live.com no
twitter.com no
amazon.com no
blogspot.com yes
yandex.ru no
bing.com no
ebay.com no
tumblr.com no
pinterest.com no
msn.com no
mail.ru no
microsoft.com no
apple.com no
instagram.com no
blogger.com yes
imdb.com no
craigslist.com no
bbc.co.uk no
cnn.com no
imgur.com no
alibaba.com no
espn.go.com no
huffingtonpost.com no
aol.com no
akamai.com yes
limelight.com yes
wordpress.com no
reddit.com no
netflix.com no
vimeo.com no
nytimes.com no
dropbox.com no
booking.com no
weather.com no
yelp.com no
etsy.com no
github.com no
bitbucket.org no
shopping.com no
expedia.com no

8 out of 48 big internet companies and start-ups support IPv6. At least three of them are owned by Google. Microsoft or Apple? Not at all!

Shouldn't these technology companies be the first ones to innovate and always be up to date with technology?
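The dig-per-domain survey above, scripted, as an added example that is not part of the post: each name is looked up for AAAA records and the result rendered in the same "domain yes/no" layout with a yes-out-of-total line. The `STUB_AAAA` data is constructed so the function can be exercised offline; `system_resolve` performs live lookups via the system resolver.

```python
import socket

# Constructed AAAA data standing in for real lookups, so the report can be built
# offline; it is not the post's 2013 result.
STUB_AAAA = {"google.com": ["2001:db8::1"], "wikipedia.org": ["2001:db8::2"]}

def stub_resolve(domain):
    """Offline stand-in for a resolver: returns the constructed AAAA list for a name."""
    return STUB_AAAA.get(domain, [])

def system_resolve(domain):
    """Live AAAA lookup via the system resolver; empty list if the name has no IPv6 address."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET6)]
    except socket.gaierror:
        return []

def ipv6_report(domains, resolve=system_resolve):
    """Return ({domain: 'yes'|'no'}, yes_count, total), mirroring the post's hand-made table."""
    results = {d: ("yes" if resolve(d) else "no") for d in domains}
    return results, sum(1 for v in results.values() if v == "yes"), len(results)

def format_report(results, yes, total):
    """Render the table in the same 'domain yes/no' layout the post uses."""
    lines = [f"{domain} {answer}" for domain, answer in results.items()]
    lines.append(f"{yes} out of {total} support IPv6")
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    names = sys.argv[1:] or ["google.com", "yahoo.com", "wikipedia.org"]
    print(format_report(*ipv6_report(names)))
```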

How to redirect all traffic thru Tor by default on Mac OS X

October 2nd, 2013 by admin

As in my previous post, sometimes it is necessary to have “full” internet access instead of limited access. Even though Tor was originally built to anonymize you, it also does a great job on such occasions.

To redirect all traffic on Mac OS X through Tor, follow these steps.

Step 1 – Choose “System Preferences” from the Apple menu.
Step 2 – Choose “Network” from the menu.
Step 3 – Choose “Edit Locations” from the Location menu.
Step 4 – Click the “+” icon to add an additional location.
Step 5 – Type in a new name for your location (I used Tor), then click “Done”.
Step 6 – Select “Airport” from the list on the left side.
Step 7 – Click “Advanced”.
Step 8 – Click on “Proxies” in the list.
Step 9 – Activate “SOCKS Proxy” by ticking the checkbox.
Step 10 – In the SOCKS Proxy Server box, type localhost and 9050.
Step 11 – Click “OK” and then click “Apply”.

Now you can easily switch locations via the Location menu at the top of the Network pane in System Preferences.

SSH and other protocols via Tor on Mac OS X

October 1st, 2013 by admin

I travel a lot and sometimes I end up in hotels that claim to have internet, but after a couple of minutes I realize they mean HTTP and HTTPS, maybe Skype.

I am not sure why some hotels are super paranoid about outgoing protocols, but the second you want to upload something (e.g. Git over SSH) or administer your server, you need a lot more ports than a usual user.

My way of “tricking” the hotel firewall is to use Tor for such things.

Step 1 – Install Tor on the Mac
I am using the command line tools for Tor and install them using MacPorts (you will need to download and install MacPorts first).

Step 2 – Install the tor components
$ sudo port install tor torsocks

Step 3 – Run tor (could take a couple of seconds)
$ tor &

Step 4 – Connect using torify
$ torify ssh user@spamcollect.com

This will not anonymize your traffic; it is just a way around firewalls etc.
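Both posts above (the system-wide SOCKS proxy and the torify/torsocks route) depend on Tor listening on localhost:9050. As an added example that is not from either post or from the Tor project, here is a Python check that the port actually speaks SOCKS5 and can build a circuit to a destination; the CONNECT request uses the domain-name address type so the name is resolved by Tor rather than by the hotel's DNS. The destination spamcollect.com:22 is the host and port from the torify line above.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # the SOCKS port used in both posts

# SOCKS5 reply codes (RFC 1928) translated for the report
REPLY = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
         3: "network unreachable", 4: "host unreachable", 5: "connection refused",
         6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def greeting():
    """Version 5, one method offered: 0x00 (no authentication), which Tor accepts by default."""
    return b"\x05\x01\x00"

def parse_greeting_reply(data):
    """Raise unless the peer is a SOCKS5 server that accepted the no-auth method."""
    if len(data) != 2 or data[0] != 5:
        raise ValueError("peer did not answer as a SOCKS5 server")
    if data[1] != 0:
        raise ValueError("proxy rejected 'no authentication' (method 0x%02x)" % data[1])

def connect_request(host, port):
    """CONNECT with ATYP 0x03 (domain name): the name is resolved by Tor, not by local DNS."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length out of range for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_connect_reply(data):
    """Return the reply code; 0 means the circuit to host:port is up."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("malformed SOCKS5 reply")
    return data[1]

def tor_can_reach(host, port, proxy=TOR_SOCKS, timeout=30):
    """Run the full exchange against the local Tor SOCKS port; returns (ok, reason)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(greeting())
        parse_greeting_reply(s.recv(2))
        s.sendall(connect_request(host, port))
        code = parse_connect_reply(s.recv(262))
    return code == 0, REPLY.get(code, "unknown reply %d" % code)

if __name__ == "__main__":
    print(tor_can_reach("spamcollect.com", 22))   # destination from the torify example
```

A "connection refused" on the plain TCP connect to 127.0.0.1:9050 means tor itself is not running; a non-zero SOCKS reply means Tor is up but could not reach the destination.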

Why Apple is not working on a smart watch!

September 17th, 2013 by admin

When the rumor came up that Apple is working on a smart watch, a lot of people got pretty excited. More interestingly, a lot of big hardware vendors started working on smart watches, some of which were just announced, e.g. by Sony and Samsung.

The main question still is, how could a smart watch change your life? I doubt there is a big benefit in having your phone hooked to your watch constantly, especially as your phone is just 30 centimeters away.

But more importantly, a watch is something very special to most men (sorry ladies, but I think they are the main audience for a smart watch) who wear one. It is usually the only piece of jewelry a man wears. And in addition to that, it is usually a pretty expensive but classical watch like a Rolex, Patek Philippe or Panerai.

Can you imagine a businessman running around with a display on his wrist just to see the latest Tweet or Facebook update from his mates?

This brings me to the conclusion that such a thing would just be a niche product.
If Apple is really hopping on this bandwagon, they are truly lost and out of ideas!