tensai

We're the kind of monkeys that don't throw feces ... very often

Rdesktop Wrapper Using Zenity

Tue, 2013-05-07 14:49

I use Rdesktop to RDP into Windows machines, but I needed something to set all my default options and I wanted a GUI for it so I didn't have to remember all the server names. I tried out Remmina and TSclient, but nothing so far has been just right. So I made my own, which is attached below. The rdp-servers.conf file is just a simple, unordered list of server names or IP addresses.

#!/bin/bash
# Plain list of server names or IP addresses, one per line
servers="${HOME}/local/rdp-servers.conf"
resolution="1014x758"
# -g geometry, -n client hostname sent to the server, -r clipboard sharing,
# -a colour depth (bits), -x b = "broadband" experience settings
args="-g ${resolution} -n $(hostname) -r clipboard:CLIPBOARD -a 8 -x b"
host="${1}"

# No host on the command line: pick one from a zenity radio list built
# from the config file (each line becomes a "toggle server" pair)
if [ "x$host" = "x" ]
then
    hosts=$(sort "${servers}" | while read s; do echo "${s} ${s}"; done)
    host=$(zenity --list --text "Select an RDP server" --radiolist \
        --width 300 --height 400 --column '' --column 'Server' ${hosts})
    # Dialog cancelled or nothing chosen
    if [ "x$host" = "x" ]
    then
        exit 1
    fi
fi

# A second argument replaces the host and requests the console session (-0)
if [ "x${2}" != "x" ]
then
    host="${2}"
    args="${args} -0"
fi

rdesktop ${args} -T "${host}" "${host}"

Multithreaded DNS Scanner

Fri, 2013-03-29 23:32

Just the other day, Spamhaus was subject to a DDoS attack from an ISP who got upset at being blacklisted. That's par for the course, but what's interesting is that the ISP used DNS amplification to boost their DDoS capabilities. Lately at work we've been working on shutting down our open DNS proxies. Once upon a time, on the naive Internet, they were fine. But as evidenced by this latest attack, that is no longer the case.

Shutting down the DNS servers we knew about was easy, of course. But what about the ones we didn't know of? Well that's where a handy port scanner comes into play. There are a number of DNS scanners out there but I found them all lacking in some regard. So I whipped up my own.

I had just a few requirements:

  • Recursive DNS query
  • Easily parseable text output
  • Multithreaded. Non-blocking sockets would have been awesome too, but this worked well enough so I didn't go there.

Overall, very satisfied. With 60 threads it chews up a ridiculous amount of RAM (about 700MB), but can scan a /18 in 30 minutes. Better than the 800 minutes a single threaded app would take.

Usage: dns-scan.pl [options] [CIDR block]
  --threads [20]            - how many threads to use
  --quiet                   - don't print anything
  --timeout [3]             - how many seconds to wait before assuming the port is closed
  --search [www.google.com] - what domain to use in the DNS search


DNSSEC Validation in Bind

Tue, 2013-03-26 15:18

I haven't done anything with DNSSEC for a while, not since I messed around with signing my domain in 2008. That was a success, by the way, but I changed around my nameservers and it's not signed any more.

Today's project was to see if I could enable DNSSEC validation on my server. The goal is for the resolver to reject any zone which is supposed to be signed but doesn't contain correct data.

The configuration in Bind is pretty easy. Just add this to the options block of your config and reload:

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

You can verify it's working by looking up a domain that is signed, which should return a result as normal:

dig a isc.org

Then query a domain which is deliberately signed incorrectly. If you get an A record back, validation isn't happening and you missed something.

dig a www.dnssec-failed.org

Furthermore, if you're a real glutton for punishment, you can enable DNSSEC debug logging in the logging block.

channel dnssec_log {
    file "/var/log/bind/dnssec.log";
    print-time yes;
    print-category yes;
    print-severity yes;
    severity debug 3;
};
category dnssec { dnssec_log; };

Where you would see something such as:

26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: no DNSKEY matching DS
26-Mar-2013 15:08:32.572 dnssec: info: validating @0xb7bbb568: dnssec-failed.org DNSKEY: no valid signature found (DS)
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: falling back to insecurity proof
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: checking existence of DS at 'org'
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: checking existence of DS at 'dnssec-failed.org'
26-Mar-2013 15:08:32.572 dnssec: debug 3: validating @0xb7bbb568: dnssec-failed.org DNSKEY: insecurity proof failed
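Both of the DNS posts above come down to reading a few header flags: the scanner post wants a recursive (RD=1) query and a verdict on whether the server answered with RA set, and the Bind post wants to know whether a validating resolver marks isc.org with the AD bit and fails closed on www.dnssec-failed.org. This added Python example, written here and not the author's dns-scan.pl or any Bind code, builds the query by hand, parses the response header, and wraps it in a threaded scan with tab-separated output; the resolver address 127.0.0.1 in the usage note and the verdict strings are my own assumptions.

```python
import random
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

def build_query(name, txid, ad=False):
    """DNS A query, RD set (asks the server to recurse); AD=1 asks a validator to flag validated answers."""
    flags = 0x0100 | (0x0020 if ad else 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def parse_response(data, txid):
    """Decode the 12-byte header; None if too short, not a response, or wrong txid."""
    if len(data) < 12:
        return None
    rid, flags, _, answers, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        return None
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "answers": answers}

def classify_resolver(resp):
    """Open-resolver verdict (the dns-scan.pl use case); verdict strings are assumed."""
    if resp is None:
        return "no-reply"
    if resp["rcode"] == 5:
        return "refused"
    return "OPEN-RECURSIVE" if resp["ra"] and resp["answers"] > 0 else "no-recursion"

def validation_verdict(resp):
    """DNSSEC verdict from a validating resolver (the Bind use case)."""
    if resp is None:
        return "no-reply"
    if resp["rcode"] == 2:
        return "SERVFAIL (bogus: validation failed)"
    return "secure (AD set)" if resp["ad"] else "insecure or unvalidated (no AD)"

def probe(server, name, timeout=3.0, ad=False):
    """One UDP query to server:53; None on timeout."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid, ad=ad), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)

def scan(servers, name="www.google.com", threads=20, timeout=3.0):
    """Threaded scan of a host list; one tab-separated 'ip<TAB>verdict' line each."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        verdicts = pool.map(lambda ip: classify_resolver(probe(ip, name, timeout)), servers)
    return ["%s\t%s" % (ip, v) for ip, v in zip(servers, verdicts)]
```

For the Bind check, run validation_verdict(probe("127.0.0.1", "www.dnssec-failed.org", ad=True)) against your own resolver (127.0.0.1 assumed): a validating resolver answers SERVFAIL, while the same call for isc.org comes back with AD set.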
