A DevOps Blog

Patrick de Ruiter

Spain
Implementing DNS over HTTPS (DoH) with BIND and nginx

bind

First, a short side note. Personal viewpoint: I’m not a fan of DNS over HTTPS (DoH). The main reason is not encryption itself—encryption is a good thing—but how DoH is implemented and deployed. Facts: DoH encapsulates DNS queries inside regular HTTPS traffic (TCP/443), making DNS traffic

By Patrick de Ruiter 12 Dec 2025
Securing DNS Traffic with DNS over TLS (DoT) on BIND

bind

Traditional DNS queries travel in plaintext, exposing your browsing habits to network observers. DNS over TLS (DoT) encrypts DNS traffic between clients and resolvers, providing privacy and preventing tampering. This post covers implementing DoT on BIND 9 for both resolver and forwarder configurations. Understanding DNS over TLS How DoT Works

By Patrick de Ruiter 12 Dec 2025
Signing Your DNS Zones with DNSSEC on BIND Authoritative Servers

bind

After configuring DNSSEC validation on your resolvers, the next step is signing your own authoritative zones. This post covers the complete process of implementing DNSSEC on BIND authoritative servers, from key generation to zone signing and key rollovers. Understanding DNSSEC Keys DNSSEC uses two types of cryptographic keys: Key Signing

By Patrick de Ruiter 12 Dec 2025
Enabling DNSSEC Validation on BIND Resolvers

bind

DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS responses, protecting against cache poisoning and man-in-the-middle attacks. When your resolver validates DNSSEC, it verifies that DNS responses haven't been tampered with between the authoritative server and your clients. How DNSSEC Validation Works DNSSEC creates a chain

By Patrick de Ruiter 12 Dec 2025
Implementing DNS-Based Security with BIND Response Policy Zones

bind

Response Policy Zones (RPZ) provide DNS-level security by allowing you to override DNS responses for specific domains. This enables blocking malicious domains, implementing content filtering, and protecting your network from phishing, malware, and other threats at the DNS layer - before connections are even established. How RPZ Works RPZ intercepts

By Patrick de Ruiter 12 Dec 2025
Integrating Kubernetes External-DNS with BIND for Automatic DNS Management

bind

External-DNS is a Kubernetes controller that automatically creates and manages DNS records based on Kubernetes resources like Services and Ingresses. When combined with BIND using the RFC2136 (dynamic DNS) provider, you get fully automated DNS management for your Kubernetes workloads without relying on cloud DNS providers. How External-DNS Works External-DNS

By Patrick de Ruiter 12 Dec 2025
Setting Up Dynamic DNS Updates with BIND and TSIG Authentication

bind

Dynamic DNS (DDNS) allows automated systems to update DNS records in real-time. This is essential for DHCP servers registering client hostnames, Kubernetes services updating their endpoints, or any system that needs programmatic DNS record management. BIND supports secure dynamic updates using TSIG (Transaction Signature) authentication. How Dynamic DNS Works Dynamic

By Patrick de Ruiter 12 Dec 2025
BIND Zone Security: Views, ACLs, and Query Restrictions

bind

A properly secured DNS server is critical infrastructure. An open resolver can be abused for DNS amplification attacks, leak internal network information, or serve as a reconnaissance tool for attackers. This guide covers BIND's security features: Access Control Lists (ACLs), views for split-horizon DNS, and query restrictions to

By Patrick de Ruiter 12 Dec 2025
How to Configure BIND RNDC and TSIG Keys for Remote DNS Management

bind

RNDC (Remote Name Daemon Control) is the administrative tool for managing BIND DNS servers. It allows you to reload zones, flush caches, view statistics, and perform other administrative tasks without restarting the entire service. RNDC uses TSIG (Transaction Signature) keys for authentication, ensuring only authorized administrators can control your DNS

By Patrick de Ruiter 12 Dec 2025
How to Setup BIND as an Authoritative DNS Server

Linux

An authoritative DNS server is the definitive source of DNS records for the domains it hosts. Unlike recursive resolvers that query other servers, authoritative servers directly answer queries with the records they maintain. In this guide, we'll configure BIND 9 as an authoritative-only DNS server. 1. Authoritative vs

By Patrick de Ruiter 12 Dec 2025
How to Setup BIND as a Recursive DNS Resolver

Linux

A recursive DNS resolver is the workhorse of DNS infrastructure, handling client queries by recursively querying authoritative nameservers until it finds the answer. BIND 9 is the most widely deployed DNS software and makes an excellent choice for running your own resolver. In this guide, we'll set up

By Patrick de Ruiter 12 Dec 2025
Automating iSCSI Multipathing with Ansible

Linux

Multipathing (MPIO - Multipath I/O) is essential for high availability and performance in iSCSI storage environments. It allows multiple network paths between an initiator (client) and a target (storage), ensuring failover and load balancing. In this guide, we will set up iSCSI multipathing on Linux using Ansible, automating installation,

By Patrick de Ruiter 12 Dec 2025
Hands-on DevOps and homelab content. Kubernetes clusters, self-hosted services, CI/CD pipelines, and infrastructure as code. Companion to my YouTube channel.