Lab Guide Cacheserve7.6-Rev D
Lab Guide Cacheserve7.6-Rev D
Lab Guide
Software Release 7.6 | Revision D
© 2021 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any
form or medium without express written permission is prohibited. Akamai and the Akamai wave
logo are registered trademarks or service marks in the United States (Reg. U.S. Pat. & Tm. Off).
Akamai Intelligent Edge Platform is a trademark in the United States. All other trademarks
contained herein are the property of their respective owners. Akamai believes that the
information in this publication is accurate as of its publication date; such information is subject
to change without notice.
Published 1/2021.
Solaris™ is a registered trademark of Oracle and/or its affiliates. All rights reserved.
Java™ is a registered trademark of Oracle and/or its affiliates. All rights reserved.
Windows® is a registered trademark of Microsoft, Inc. All rights reserved.
Python is copyright © 2001, 2002 Python Software Foundation; All rights reserved.
Introduction DNSi CacheServe
Table of Contents
Introduction .........................................................................................................................iii
Introduction
This guide should be used with the CacheServe slide presentation. The student should have
understood the concepts presented in the seminar in order to benefit from the material in this
guide.
Exercises help illustrate basic features of resolvers such as preload. The contents of the cache
are explored and troubleshooting tools such as server.query are introduced.
Troubleshooting tools such as the “inspect(-delegation)” commands for reading cache entries
are demonstrated. Use of the recursing command to help recognize domains toward which a
PRSD attack is directed is shown. More sophisticated, but general purpose, configuration such as
policy creation for ignoring (“blackhole”) specific clients, rate-limiting client activity overall and
to specific domains are introduced. Uses of policy for very specific purposes such as DNS64 can
be demonstrated if there is audience interest. Real Time Visibility for detailed inspection of DNS
query patterns and statistics gathering is shown. The use of CacheServe events and their relation
to the SNMP agent are explored.
A framework for simulating a cache poisoning attack is described at the end of this introduction.
An overview of the Command Channel API using Perl is included to acquaint the reader with
sample utilities included with the Software Development Kit (SDK) package, and to demonstrate
how simple programs can fetch CacheServe data. No programming experience is required to
complete these exercises.
It is assumed the student has root access on a Red Hat or Solaris host with the Akamai DNSi
CacheServe version 7.6 or higher installed with a valid license key, and that Internet access is
available. CacheServe installation instructions appear in the Appendix. It is also assumed that a
recent version of dig (higher than 9.6) is installed on the student’s host. This utility is usually
found at /usr/local/bin/dig or /usr/bin/dig. It is further recommended that Adobe
Acrobat Reader be available to access the product documentation (Akamai CacheServe
Administrator’s Manual) which is available from Akamai Carrier support portal
(support.nominum.com), the same location from which a customer downloads CacheServe.
Link local IPv6 addresses should not be used for inter-host communication.
Instead, permanently add unique local (RFC 4193) addresses by including
NETWORKING_IPV6=yes in the /etc/sysconfig/network file and
including IPV6INIT=yes and a suitably chosen
IPV6ADDR="fd0c:a43a:811f:00ac:10bb::10/64" entry in the
/etc/sysconfig/network-scripts/ifcfg-eth0 (or other interface)
file.
2. An SNMP trap watcher verifies that the snmp_agent is configured adequately for
traps.
3. OPTIONAL: A collection of querystore files which represents results of DNS activity
against a CacheServe instance in Nominum’s lab.
4. OPTIONAL: The Metasploit framework can be used to create “spoofed” DNS responses
to help illustrate certain aspects of CacheServe’s cache poisoning defenses. Some of the
facilities used include
a. the “spoofhelper” service—an authoritative server which responds to any TXT
query with the client’s query source port
b. the “spoof bailiwicked domain” module. It requires options as shown here:
# export PATH=$PATH:/usr/local/msf32/trunk
Answers and Hints for the Exercises (where applicable) appear at the end of this document.
DNSi CacheServe has built-in root hints. If Internet access is unavailable, the root
servers will be unreachable, and name resolution will fail.
STEP-BY-STEP:
1. Login as root.
2. Install DNSi CacheServe, if it is not already installed. Instructions are found in the
Appendix of this guide. See page 108 for the Solaris operating system and page 111 for
Linux.
3. Copy the license file provided by the instructor to the directory
/usr/local/nom/etc/:
# cp /root/cacheserve.license /usr/local/nom/etc/
A typical license file for the DNSi CacheServe product is shown here. It has limited validity
because it is used for the training lab. License files provided for production servers do not have
expiration dates:
product = cacheserve
customerid = 306
reqid = 2
uuid = "ed744313-3d91-47a4-bc98-9684c21b1d69"
--
CJOzcso907lMO1yhs0HJm9ORGcwPybGNL/0ZZVzg4me2mo06PLXkYsQ=
The “concurrency” limit restricts the number of cores used—to one each in this
example—by the CacheServe process for 3 high-intensity tasks: UDP reception,
TCP reception and recursions.
use the provisioning capabilities of the SPS (formerly N2) platform. Special
features such as “threatavert” may be required for some products.
The license used in this course permits up to10 basic policies (having restrictions
on actions and selectors). Lists are confined to a limited quantity of objects: 10
lists, with up to 100 nodes per list.
4. By default, DNSi CacheServe writes log output to the host’s syslog utility. Open a
separate window with your terminal emulation program so that you can monitor DNSi
CacheServe activity by viewing syslog output, with the command:
The “auto Nanny” which starts the actual DNS server is also called cacheserve,
so expect to see two cacheserve processes when viewing the process list with
ps or similar utility.
The process ID field identifies the working DNS server process, not the auto-Nanny.
7. Request the DNSi CacheServe software’s version, then display the server and resolver
objects with the version, server.get, and resolver.mget “Command
Channel” instructions shown here:
In the training environment this has already been done for you. Because
CacheServe’s installer does not modify any environment variables; this must be
done as an extra manual step.
8. Test that the server will answer DNS requests by using dig to query for a name which
we know will resolve. At your shell prompt, type the following:
Because we will use the loopback address repeatedly, we exploit the fact that the
We prefer to be explicit about the target DNS server in the dig command.
Next, find the “routable” IP addresses (v4 and v6) of your CacheServe instance and send
a query to those interfaces, rather than the loopback:
# ip addr
# dig @<your-IPv4-address> google.com
Response should be the same as before, but from the CacheServe resolver’s cache.
CHAOS-class support is available only for the standard names such as id.server
and version.server described in RFC 4892.
10. Try to query for another name which we know does NOT exist:
11. We wish to make a modification to the CacheServe configuration, but before doing so
(in the next step) we backup the current configuration:
# mkdir /var/nom/cacheserve.ex1
# cp -r /var/nom/cacheserve/* /var/nom/cacheserve.ex1/
The restoration procedure is simply to stop DNSi CacheServe, copy archived files
back to their original location, and then start DNSi CacheServe.
For example, to restore the training environment to its initial state using the
backup files created in this exercise, do the following:
# cp -r /var/nom/cacheserve.ex1/* /var/nom/cacheserve/
12. In this step we over-write the default server “listener” configuration. Start nom-tell
in interactive mode:
# nom-tell cacheserve
From the empty nom-tell (“cacheserve”) command line, you can type the “tab”
character to show valid commands. A response is shown here:
cacheserve> <TAB>
most of the above display. They can be recognized by the trailing dots, which
indicate that a method (such as update, add or delete) is expected when
manipulating that type of object.
cacheserve> server.get
Check that you can still send a query to CacheServe on your loopback address, but that a
request to the routable IP address fails:
command is executed. No further operator steps are necessary for the changes to
take effect.
Depending on the change, the server may restart automatically or flush its cache.
Modify the listen-on-matching field to contain two patterns for the routable IP
addresses of your host:
The IP addresses used here are examples; your value for the IP addresses may differ.
Note the “+=” instead of a simple “=”. This is called the command channel’s
incremental syntax for manipulating elements of a list:
cacheserve> server.get
Confirm you can use dig to successfully query on any of the three IP addresses:
13. Although the domain name localhost is not a valid top-level domain (TLD), it has a
conventional interpretation as the name of the loopback interface, for which the IPv4
address is 127.0.0.1. When a preload statement is configured, CacheServe provides
this address to clients directly, avoiding lookups to the root servers.
Type a resolver.update instruction as shown below. Then, verify that the change
was successfully implemented with the resolver.get command:
You should find that the result is now “127.0.0.1” instead of NXDOMAIN.
SUMMARY:
Congratulations! You installed, started, backed-up, modified, and stopped DNSi CacheServe.
You learned:
Using a port other than the default DNS (53) requires another description in the
1) Resolver objects, which consist of a cache and instructions for looking up names which
do not appear that cache.
2) Creating new View-selectors, Views and Resolvers. Views help return alternative DNS
data based on information such as the client IP address. We learn that View-selectors
determine which View should be used to resolve the query.
3) View-selectors without criteria match all requests that do not match more specific View-
selectors.
4) Output of the resolver.statistics command helps confirm requests are
satisfied from the desired View(s).
STEP-BY-STEP:
1. Restart CacheServe:
If DNSi CacheServe is not running, it is not possible to use nom-tell (i.e. the
To directly edit the configuration when DNSi CacheServe is not running, use the
cacheserve-editconf tool. More on this utility in a later exercise.
2. Using dig, confirm that DNSi CacheServe responds to a few queries (e.g. localhost,
google.com, akamai.com) in the same way as before.
4. Check that the Resolver has been added by using a “multiple get” (mget) command:
cacheserve> resolver.mget
♦ What is the result of querying the server for localhost again? You should find no
change.
properties are removed with it, and the only way to restore the Resolver is to
recreate it.
5. Create a View called “internal” that uses the Resolver you just created, and then specify
that queries from the loopback address should use the “internal” View:
♦ Is the response for the A record of localhost still determined by our preload
statement in the “world” Resolver? In other words, is the response still 127.0.0.1?
Why?
♦ Find the IP address of another student’s CacheServer instance. Use dig to query for
localhost against their machine. Explain your results.
7. The instructor can use a traffic generator to send a few queries to your DNSi CacheServe
server. Use the resolver.statistics command to display information about
DNSi CacheServe activity for each of the resolvers:
From the output, you will be able to answer the next question.
The previous steps illustrate that CacheServe uses the most-specific view-
selector when processing DNS requests. During the lecture, the instructor
will demonstrate the results of NO matching view-selector: the REFUSED
response.
In the statmon traffic analysis tool we meet later in the course, this condition
(no matching view-selector for a query) is represented by
view=<none>. In the nom-kafka traffic analysis tool used for the SPS
(Security and Personalization Services) products, the view tag is simply absent.
cacheserve> start
SUMMARY:
You have now completed a basic introduction to the configuration of DNSi CacheServe.
STEP-BY-STEP:
1. Restart your CacheServe instance:
2. Assuming the instructor is sending queries to your server, you will see counters for
“requests-received” and “responses-sent” in the output from server.statistics:
cacheserve> server.statistics
3. Each Resolver maintains its own statistics. Compare the memory in use for each of the
two caches
4. Fetch the object you just created to see that the Resolver currently has no options set.
5. Constrain the amount of memory CacheServe uses for the internal Resolver’s cache to
an artificially small size:
This value is much smaller than the defaults in DNSi CacheServe 7 (1 GB).
beneficial.
cacheserve> server.usage
# cacheserve-stats
demonstrate the Nominum SDK. See the appendix “Installing the Python API”
for details.
# cacheserve-stats --cpu
10. In some circumstances, multiple Views are used to provide alternative policy behavior
(such as malicious domain redirection) but otherwise do not differ in their resolution of
DNS names.
For the purposes of this course, we will create a View which uses the “world” Resolver,
but exists solely to isolate an individual client which has behaved suspiciously in the
past:
11. Bind the “instructor” View to the instructor’s traffic generator source IP with a view-
selector.add command:
12. A benefit of using a shared Resolver is its shared cache for clients. Any customizations of
the Resolver object are also shared. Here is an example: to make DNSi CacheServe
return the loopback address for both IPv4 and IPv6, update the Resolver object as
follows:
The instructor will verify that the behavior is correct for the “instructor” view.
SUMMARY:
You have learned how memory is used and reported in CacheServe. Determining overall server
activity is facilitated by a script that fetches statistics periodically. You have added a view which
can hold policies specific to a particular user, without the inefficiency of a separate Resolver.
STEP-BY-STEP:
1. Active resolutions are visible with the recursing command:
Under light load—such as in the training lab—repeated use of the command may be
needed to produce any output.
2. To determine the status of specific contents of the cache you can use the “inspect”
command channel instructions. Assuming the instructor has queried your server with a
traffic generator, you will almost certainly have an entry for www.google.com. Enter the
following command:
If the records for the name have expired, the name will exist—however, the type
information will be absent.
♦ Does the output indicate what clients have requested this name?
3. Compare the result of searching the “world” Resolver cache for a never-queried name
such as www.giggle.com:
4. To delete all records throughout the domain google.com enter the following command:
Check for entries in the flushed domain using inspect to confirm the operation:
♦ What impact does this have for users of the “internal” Resolver?
♦ What is the IP address of the fastest-responding nameserver for the com zone?
Now that we can look into the cache, the next question to explore is “How did data get
into the cache in the first place?”
♦ What View and Resolver is used to lookup the result? Repeat. Is the result cached?
7. To simulate behavior of a query to the “world” View , add its name to the command:
You should get the preloaded answer this time, rather than the natural Internet’s
answer.
Previously you saw that server.query resulted in the caching of the names it
fetches. Likewise server.query USES the appropriate Resolver’s cache to PROVIDE
responses. To suppress the use of the cache, server.query supports the force-
resolution option.
♦ Repeat the command a few times. How can you tell the result is not from the cache?
9. Tracing mode allows the administrator to examine in detail what CacheServe does to
resolve names that cannot be found in the cache. The amount of detail can be
overwhelming as well as instructive, so we interpret a few simple examples to show
how it works:
The detailed result in the trace-messages field shows the receipt and processing of
the query.
10. If you repeat the command with force-resolution, you will find trace-
messages output that corresponds to the server’s query to the root servers:
SUMMARY:
You have seen how to access and remove name and delegation information from the DNSi
CacheServe cache.
The server.query instruction can provide helpful diagnostic information, particularly when
combined with force-resolution.
Note that force-resolution does not completely start a resolution from scratch, as any
delegations that might exist can and will be used. To demonstrate the difference, flush the
“internal” resolver’s cache and execute the command again. You will find a new entry in the
trace, specifically: 'closest known zone cut is root hints'. This shows that from a completely fresh
start, the root name servers themselves must first be located from the built-in (or explicitly
defined) root hints.
STEP-BY-STEP:
1. A simple example is used here to implement a kind of “black-hole” behavior where the
ignored clients are maintained on an address list. Create the list as shown here:
2. Add the instructor’s IP address (often 10.128.0.4) to the list of blocked clients:
cacheserve> address-node.mget
cacheserve> address-list.mget
To write the list of IP addresses in the blocked_clients list to disk, you can
use the command:
The list will appear in the file address-list.dump in the DNSi CacheServe
working directory, which is usually /var/nom/cacheserve.
4. Next, create a policy that drops all requests from a client if its IP address appears in the
blocked-clients list:
# cacheserve-stats
In the display above, the instructor sends 19 queries. Note that none of them get a
response.
7. Other IP addresses can be included in the “blackhole” by adding them with the
Command Channel instruction:
8. You can check the policy’s behavior by requesting a “simulation” of a particular client:
Removing the instructor IP address leaves the policy (and its binding) in place.
SUMMARY:
Client blacklisting can be implemented with the help of the policy engine in CacheServe.
STEP-BY-STEP:
1. In the previous exercises we have used nom-tell in interactive mode as a
convenience. Here, we are required to use interactive mode so that messages sent by
CacheServe will have a destination (your terminal). If you have not already done so,
establish a Command Channel connection with your running DNSi CacheServe instance:
# nom-tell cacheserve
2. From the cacheserve prompt, request the Connection object. It represents the
current TCP session that nom-tell uses to communicate with your CacheServe
instance:
cacheserve> connection.get
3. Register for all possible events by using the special subscribe-all instruction:
cacheserve> connection.subscribe-all
4. Check that your instance of nom-tell now displays the complete list of possible
events in its events field:
cacheserve> connection.get
5. From another terminal window, send the DNSi CacheServe server the command to
delete the entire cache:
To make DNSi CacheServe events more useful, they can be relayed to an SNMP
tool by a standalone application called snmpagent. The use of snmpagent is
6. Install the snmpagent package that is included in the DNSi CacheServe distribution. In
most classroom environments this will already have been done.
masteragent
trap2sink <IP_addr_of_trap_receiver>
Follow your vendor’s instructions to configure your SNMP application with the
Nominum and DNSi CacheServe MIBs (included in the
/usr/local/nom/share/snmp/mibs directory). Then, the management
application will display descriptive information about events it has recorded.
The appendix illustrates the use of standard SNMP utilities to fetch various
statistics, as well as the structure of some of the SNMP objects available.
12. By itself, the ratelimiter only establishes that statistics be collected according to the
specified rule. In this case, “client-network” mask values of 32 and 128 mean that each
client is tracked individually.
Current values can be fetched at any time, but you will see that currently the ratelimiter
has no “uses”:
Setting all=true displays all statistics, even those that have zero counts.
13. Create a policy which truncates the responses when the rate is higher than the
threshold:
15. Ask the instructor to send a stream of traffic that exceeds the threshold specified in the
previous step (for example, 4 QPS). Depending on the rate, after a few seconds you
should receive an event similar to the following:
event:
For queries in excess of the threshold, CacheServe sends truncated responses to this
client.
16. If you were not receiving the events corresponding to rate limiting, you could probe the
ratelimiter for abusive clients with the following command:
You should find the number of “indications” increases at the rate of excess queries.
18. To help understand how the statistics are interpreted, adjust the ratelimiter’s threshold
to a high value, say 10, so the instructor’s traffic no longer exceeds it:
19. Check the statistics again. Not only should you find they are reset, but the number of
indications should remain zero:
statistics => {
A general problem with setting thresholds of any kind is determining what a “normal”
rate is without disrupting legitimate service. The next step shows how to do this.
After making this change, confirm a query excess is reported by an event (or ratelimiter
statistics).
However, in this (unenforced) mode, the server answers queries normally. Inspection of
the RTV querystore, which we introduce in another exercise, allows you to prove this.
SUMMARY:
You have seen how to subscribe to events and configure the Nominum SNMP Agent to relay
Command Channel data to an SNMP tool. The rate-limiting feature can be enabled to truncate
DNSi CacheServe’s responses to those clients with very high query rates. The rate-limiting
apparatus demonstrated in this exercise is somewhat “blunt”. A more surgical approach is
described later.
STEP-BY-STEP:
♦ How many source ports are open on your instance of DNSi CacheServe?
2. Using more source ports than the default will reduce the probability of a given spoofing
attack succeeding but doing so requires more file descriptors.
Your IP address will probably be different. The #0 tells DNSi CacheServe to choose any
ports:
3. Again use “lsof” to find the number of source ports for DNSi CacheServe now that it has
the new resolver configuration. NOTE THE PID SHOULD BE THE SAME AS BEFORE:
4. It can be useful to log information about possible spoofing attacks. Enable the log-
id-spoofing resolver configuration statement:
5. Several different behaviors are configurable. The unenforced option tells CacheServe
to send mixed-case, and then log a message if the corresponding response does not
match:
6. To make sure that CacheServe sends new (mixed-case) lookups to the authorities, and
does not simply answer from its cache, flush the resolver’s cache with:
7. Examine your syslog and look for case mismatches. For example, you might find
something like this:
8. Pick one of these, and use dig to verify directly for yourself that a query to that
nameserver does not echo the original query case. For the example we have chosen:
Here, dig’s +qr flag causes the outgoing DNS request to be printed.
10. You saw the offending authoritative server fails to preserve case, so we now want to see
how DNSi CacheServe responds when you ask it to resolve a mis-matched name when it
enforces case matching. Check the response, being sure your query hits the correct
resolver:
Notice that DNSi CacheServe resolves the name. However, behind the scenes, it has
looked up the name using TCP to avoid falling victim to a potential UDP spoofing
attempt.
More on the use of the Authoritative Querystore (also called Authoritative RTV)
later.
11. To work around deficient authoritative servers, you can place problem domains in a kind
of whitelist called qname-case-randomization-exclusions. It is especially
useful because some domains have nameservers that do not respond at all to mixed
case queries:
Try another query for the problem domain. CacheServe resolves it, but no mismatch is
logged.
SUMMARY:
DNSi CacheServe offers several kinds of defenses against spoofing. By increasing the number of
source ports, the likelihood of a spoof succeeding is made smaller, at the cost of additional
machine resources. By randomizing the case of lookups sent to authoritative servers (and
requiring that responses match the randomized case), an attacker’s job is made even more
difficult, but this method has drawbacks because some authorities do not reply (at all) to mixed-
case requests. An exclusions list can be used to suppress mixed-case requests for domains
sending using those servers.
STEP-BY-STEP:
1. Use dig +dnssec to demonstrate that validation is not offered by default, and
DNSSEC records are not returned by DNSi CacheServe without further configuration:
If your response has the flag “ad” set, your DNSi CacheServe instance has
2. Look in the “internal” view’s cache (in the “internal” resolver) at the content for these
two names:
Note the absence of a “trust” field, which would have been populated if DNSSEC were
enabled.
3. Next we enable DNSSEC processing (but without providing any keys, which are required
for validation):
5. Repeat queries to the domains used previously and note the difference in the response:
♦ What records (types) appear in the responses now? Does the cache show the trust
field?
sufficient to actually validate any data.
To perform validation, DNSi CacheServe needs trusted data in the form of a public
key to be configured via an out-of-band (that is, non-DNS) mechanism. For
CacheServe, that mechanism is to compile the current root zone key in the binary.
6. CacheServe has a built-in root-zone public key. To activate validation, set the managed –
key field for the resolver as shown in the following:
Verify the root key, and its state, now appears in the managed-keys field.
The hash of the root zone’s public key is available from the IANA site. If you want
to confirm that the built-in public key CacheServe used is legitimate, compute the
hash of the key and compare it to trusted data.
♦ Does dig report that DNSi CacheServe provides a validated answer now? Does DNSi
CacheServe’s cache?
♦ Use resolver.get to determine the next time this key will be checked for
changes. What is the frequency of checks to the root server?
9. If a domain should be excluded from DNSSEC verification, use a “negative” trust anchor:
A negative trust anchor has the same effect as removing the DS record from the
parent zone.
SUMMARY:
Now that the root zone is signed, the best approach for providing DNSSEC support is to
configure managed-keys, which provide for automated public key maintenance via RFC 5011.
Troubleshooting can be aided by enabling the DNSi CacheServe resolver statement “log-dnssec”.
It is not necessary to use the built-in root key. Arbitrary managed keys can be configured with:
resolver.update managed-keys=(('example' ('257 3 8 AwEagAIKl...')
Real Time Visibility is not configured by default. The tools described in this section can only be
used after changing DNSi CacheServe’s monitoring object to activate storage and begin data
acquisition to a querystore.
DNSi CacheServe’s querystore is an on-disk archive of all queries with corresponding result
codes. DNSi CacheServe’s statistics monitor service provides a set of command-channel
instructions to retrieve information from the store, such as filtering by various criteria, or
determining the top N most active clients or domains, where N and the time period within the
store can be user-specified.
Automated data processing with RTV frequently involves periodic fetches using the same search
again and again. In some of these cases the searches may be computationally intensive, so DNSi
CacheServe provides “reports”: a mechanism for analyzing data as it accrues in the
querystore.
STEP-BY-STEP:
1. With a new installation, the statmon service is by default not running. We start it
here:
If you use neither RTV nor RTA, you need neither the statmon service nor its
cacheserve-statmon process.
cacheserve> monitoring.get
If an empty configuration for the monitoring object appears, Real Time Visibility is not
enabled.
4. To avoid resource exhaustion, Real Time Visibility works with a finite amount of space
dedicated to query analysis. As an example, suppose we wanted to maintain only the
most recent 5 minutes of traffic and allow the file to grow to be no more than 100 MB in
size. The following command sets up the querystore to those specifications:
5. Now that you have established an active repository of data in the querystore, it can
be queried with an instruction to the monitor process (not to the DNSi CacheServe
instance itself). Notice here a new nom-tell session is opened to the service called
statmon.
# nom-tell statmon
statmon> querystore.status
configuration => {
6. The instructor will send a stream of DNS traffic to your DNSi CacheServe server, which is
now collecting data with RTV. Use cacheserve-stats or similar to verify traffic is
appearing at your server.
RTV is perhaps most useful when accessed through the Command Channel API
For more information, see the Exercises which cover the Perl API.
7. With our first example we retrieve the count or total number of queries that have been
recorded in the querystore This number represents the number of DNS requests
statmon> querystore.count
8. Next, fetch the derived rate of queries per second over that time:
statmon> querystore.qps
9. The user can constrain the time period to consider when determining the number or
rate of queries. The first way to do this uses the duration tag. The following
command gets the numbers of queries in the most recent 5 second interval:
If the traffic stream to your server has stopped, you will find zero (0) counts.
10. To find the number of queries occurring in a specific period of time delimited by two
dates, use the interval tag. Here we count the number of queries between 1:30pm
and 1:33pm (local time of the server, which in our lab is often UTC) on September 28,
2020:
It is not an error to describe the time interval with endpoints outside the window
of the active querystore. In such a case, a request for the query count would
simply return zero. Adjust the date/time shown above to extract data for an
interval appropriate for your querystore.
11. The most frequently requested domains in the querystore can be returned with the
following command:
statmon> querystore.top-domains
By default, the 20 most-queried domains are returned. In the next step we modify this
quantity.
12. To restrict the output to just the top 10 domains, use the max-results tag.
13. All data related to individual queries collected in the querystore can be listed
through the statistics monitor. This capability is called replay and the example below
shows how to display every query in the current querystore:
statmon> querystore.replay
14. The results of any search can be constrained by almost any criteria included in DNS
messages. A query filter is a list of rules. As soon as one rule decides that a query should
be filtered out, filtering stops and the query is dropped. Therefore to pass through the
filter a query must pass all rules. The following examples will attempt to show some of
the capabilities:
This filter is a null operation. No queries are dropped because none match a rule.
A list of rules can be found in the man page or PDF documentation. When using
nom_tell, have the monitor provide a list of criteria by using the “tab” key to
display valid syntax, or specify an invalid filter such as filter=(( )).
15. Suppose we wish to get the number of queries for the arpa domain (and all its
subdomains):
If you want to find the number of queries to names outside the arpa domain we can
reverse the logic by setting the filter condition to false:
An additional rule can select the type of query (eg PTR): as described above, the second
rule is treated as a logical “and”:
16. Logical “or” can be implemented within a single property of a filter as in this example,
which searches for queries in the arpa domain or the com domain:
17. A powerful way of “sorting” the data in the querystore uses the “group-count”
commands.
Suppose we wanted to know how many clients were sending traffic to this querystore.
While it is possible to generate “top-clients” requests until the maximum number does
not change, it is more practical to use the group-count and group-count-size
commands:
The group-count-size gives the raw number of UNIQUE client-addresses, while the
group-count enumerates each one and provides a count of queries each is responsible
for.
18. To characterize the DNS data found in the querystore, it can be useful to introduce the
“core domain” concept of a domain name. The core domain is an “effective top-level
domain” plus one label:
The core-domain treats all queries of the form <any-label>.google.com as if they were
for the same name, google.com. This of course means that in this sorting,
www.google.com and google.com are counted as the same name.
19. Suppose we need to know the number of queries to the domain netflix.com (which of
course includes both www.netflix.com and netflix.com) in a 100-second window. The
command which searches the archive for these requests is:
If the same data must be collected for consecutive windows, over an indefinite period of
time, it can be useful to create a DNSi CacheServe “report”:
statmon> report.mget
search => (
'count'
status => (
21. To get the number of counts that matched the filter, you must retrieve the value by
indicating the specific start time of the interval of interest:
The amount of memory devoted to reports can be clamped with the DNSi CacheServe
monitoring object’s report-max-memory configuration.
22. To record the CacheServe responses in addition to the queries, modify the monitoring
object by adding include-answers=1 in the list of its properties:
Verify with a replay command that your querystore now contains responses.
23. If long term storage of querystore data in text format is required, a dumper utility is
available:
# statmon_export
This causes the log to be output in the Nominum “nxdomain log” format:
Note that the msecs field of the time value will always be zero.
SUMMARY:
The statistics monitor (statmon) process can record query information to a local querystore.
This allows analysis after the data is collected, or with the help of “reports”, real-time analysis
STEP-BY-STEP:
1. A simple use of Real Time Alerts is alerting if the total query rate received by the server
exceeds a given value, as demonstrated with the following:
The keyword “total” in the above declaration causes DNSi CacheServe to watch all
server traffic.
seconds), its “onset” (in queries per second) and “abate” (also in queries per
second).
cacheserve> monitoring.get
statmon> querythreshold.statistics
4. The instructor will send a traffic stream which exceeds the threshold of 10 queries per
second over a 15-second duration. Verify that your system issues a log message similar
to the following:
When the rate drops below 5 qps, another message (containing “active 0”) will
appear.
will not affect what the monitoring writes to its querystore repository, or
what it returns to search requests.
5. In the next example, we are interested to know when any single name is queried more
than 5 times per second. This is accomplished by declaring that we wish to track the
“name” attribute, but do not specify any particular target domain name:
DNSi CacheServe tracks rates of all unique names during the most recent 15-second
window.
statmon> querythreshold.statistics
Setting all to true can make this command slow and memory-intensive, and it
may fail if the number of targets is so great that the message exceeds command-
channel size limits.
8. If only the query rate for a specific name is of interest, add a target qualifier as shown
here:
9. It can be more practical to express thresholds as ratios rather than absolute query rates.
In this example, we configure an alert which fires when the fraction of queries to any
view is more than 70% of the total server queries:
10. Besides log messages, threshold crossings can also generate events. Examine the events
supported by the statistics monitor with the list-events instruction:
statmon> list-events
The variety of statmon events is significantly less than those supported in the
DNSi CacheServe Base Server itself.
statmon> show-events
13. Here is an example of adding another targeted name with a filter, which restricts the
trigger to NS queries:
SUMMARY:
Real Time Alerts can be used to trigger an event when a query rate (for a particular type of
query or the queries as a whole) exceeds a configured threshold. These events, like other DNSi
CacheServe events, can be processed by the SNMP agent and sent to a network management
tool.
To configure SNMP traps corresponding to RTA activity, add the line indicated in
bold below to the /etc/snmpagent.conf file:
masteragent
driver cacheserve cacheserve
driver cacheserve-statmon cacheserve-statmon
STEP-BY-STEP:
1. We can read the Server’s (as well as Resolvers’ and Views’) configuration with the
database utility cacheserve-dumpconf as shown with these commands:
2. In addition to displaying the current contents of these objects, we can edit them as well
with the cacheserve-editconf tool. For practice, change one of the server’s
listeners:
a. Run cacheserve-editconf against the server object:
b. The configuration will appear in your environment’s default text editor (usually
vi). Use the text editor to remove or modify a listen-on-matching value.
c. Write and save the file.
d. Check that the change succeeded by again dumping the server configuration:
The tools demonstrated above provide access to information that could have
been read (or written) with nom-tell or other command channel client, and
More commonly, these tools are used with DNSi CacheServe stopped. We will
learn next that they can access the database files directly.
If you attempt to use this tool while DNSi CacheServe is running, you will get an
listen-on-matching => (
SUMMARY:
The database utilities allow text editor-based configuration when DNSi CacheServe is running or
stopped. cacheserve-loadconf can even be used to create a new database from a text
input file with the command cacheserve-loadconf --object-type server -c
/tmp/new_cacheserve_database_directory_name <infile>.
STEP-BY-STEP:
1. In the previous exercise you created the Akamai configuration file for the snmpagent
application. By default, snmpagent will use the configuration it finds in
/etc/snmpagent.conf. It is usually easiest to run it as the master agent, as shown
here:
masteragent
2. To show the status of the Agent, use a command channel client such as nom-tell:
3. The status of drivers can be fetched over the command channel also:
masteragent
trap2sink 10.128.0.4
rocommunity public
rwcommunity private
Note that the Agent supports only version SNMP 2c, not SNMP 3.
6. We are now ready to collect information from the SNMP Agent. Using an SNMP tool
such as one of those included in /usr/local/nom/bin, we can test GET access:
bit counters. Because SNMPv1 does not support 64-bit integers, be careful
when using SNMPv1-only tools such as Getif
(http://www.wtcs.org/snmp4tpc/getif.htm)
SUMMARY:
We have given basic troubleshooting and access tips with the Akamai SNMP Agent. See the
Appendix for some helpful information regarding OIDs for the various configuration and
statistics objects in CacheServe.
STEP-BY-STEP:
1. Configure DNSi CacheServe to return NXDOMAIN for 10.in-addr.arpa and everything
beneath it for the internal view:
2. Use dig to query for the PTR record for 10.in-addr.arpa and 1.0.0.10.in-addr.arpa.
You should find your DNSi CacheServe returns NXDOMAIN to both queries.
b. Test the results by first using dig to get “any” record for wpad:
You should get NXDOMAIN.
Although the answer is still NXDOMAIN, you will find this answer from the Internet.
To respond with NXDOMAIN for every name under a given domain, use
Neither is intended for claiming the nonexistence of records that actually exist.
4. The following example demonstrates how to add stubs. The target of the stub could be
a locally administered Vantio AuthServe (at 1.2.3.4) that publishes the zone movie.edu.
a. Add a new entry for the domain movie.edu:
b. Use dig to again check the result of your configuration change movie.edu. The
domain is resolved according to the local authoritative server. The answers
should come from the local name server instance, not the Internet.
SUMMARY:
The configured resolution instructions might contain synthesize-nxdomain, preload-
nxdomain, or even preload-nxrrset (for specific types of data). Configuring DNSi
CacheServe to find answers from name servers specified by the administrator include forward
and stub statements. If a stub appears within a forwarded domain, DNSi CacheServe uses the
stub only if forwarding is turned “off”.
STEP-BY-STEP:
1. Initiate recording of authoritative data by updating DNSi CacheServe’s auth-
monitoring:
2. Confirm that the auth-querystore is active by checking its status in the statistics
monitor:
# nom-tell statmon
statmon> auth-querystore.status
3. Send a single query to your DNSi CacheServe instance using dig to populate the auth-
querystore. For example, we will look up google.es:
4. Check that you have captured traffic in the auth-querystore by verifying the count
is non-zero, and then show the details for the name just queried:
statmon> auth-querystore.count
Depending on the contents of your cache, there may be many authoritative requests, or
none!
Note the use of client-qname rather than name in the filter. In this context,
name refers to the Authority Server’s name.
6. The next Authority Querystore analysis sorts the TIMED OUT queries by the authority
server’s IP address and client query name (that is, the original request that led to the
authoritative request):
7. If you have a specific name which is resolving erratically, a variation of the above
approach is to apply a filter to that domain and sort by servers and indicators of their
behavior:
8. You can filter on the authoritative server’s IP address. To create an example, send a
request for a name in the stubbed domain 16.172.in-addr.arpa. As long as the name is
not in DNSi CacheServe’s cache, the query should force recursion to the server we
referred to as <YOUR-IP-ADDRESS> above:
9. Looking back into the auth-querystore, we can search for all lookups that went to
the server with the IP address of our stub:
SUMMARY:
The auth-querystore is a separate recording mechanism specifically designed for analyzing
traffic between DNSi CacheServe and authoritative DNS servers with which it communicates.
This feature can be especially useful for troubleshooting. Some of this information can be
learned from the cache, but the searching and analysis features of the statmon do not exist with
the inspect commands.
The first application provides mitigation of DNS amplification attacks by dropping selected
queries for domains which have been identified as vectors in these circumstances.
The second part of the exercise shows how to implement a policy which favors (in the sense of
promoting to first response in the list) those returned A records which fall within IP address
boundaries configured by the administrator.
STEP-BY-STEP:
2. The list of domain names which will be subject to dropping is created first. We arbitrarily
call the list “amplification-domains” in this example:
5. The last step is to restrict the action to those queries processed by the internal view:
6. To verify the policy is enforced, send another request to DNSi CacheServe for isc.org
ANY. The query should time-out:
Other domains can be added and deleted as needed without changing the
definitions associated with the policy or binding. All that is needed is to
modify the list of names as suggested by the following commands:
7. Remove the name isc.org from the list because we will apply a better remediation for
this in a later exercise:
benefit by applying environment-specific policies which are implemented with policies as shown
in the following example.
8. As an example we will use the domain amazon.com to illustrate how certain addresses
can be promoted. A few queries for this name should demonstrate that by default,
address records are returned in cyclic order:
Repeat the query several times to show that the top-most IP address varies for each
response.
9. Use nom-tell to create an address list which will contain those network blocks to
favor:
IP addresses (or blocks in CIDR notation) will be added in the next step. This step only
creates the list.
10. Populate the list you just created with some IP addresses which you wish to influence.
For example:
cacheserve> address-node.list
12. We now need to inform the system what action should be taken when one of these
addresses appears in a response. This is done with a policy, which in this example we
call “sortlist”:
13. The last step is to associate the policy with a scope, which for this example applies to
the entire server (that is, all views) and that the execution takes place AFTER resolution:
A binding executes at the point in processing defined by the “when” field. The
default is “prequery.”
If a selector or action only makes sense at some subset of times, and is invoked at
some other time, it has no effect.
Since our policy only makes sense after the A records have been fetched, the
binding must be defined as a “postquery” one.
14. Repeat the query to DNSi CacheServe for amazon.com. You should find that any
addresses in the 176.32.0.0/16 network are always returned first:
Addresses can be added and deleted as needed without changing the definitions
associated with the policy or binding. All that is needed is to modify the list
of IP networks as suggested by the following command:
SUMMARY:
The ability to manipulate DNSi CacheServe behavior with policies has been demonstrated by
dropping ANY queries to selected domains and using preferred address sorting to manipulate all
responses. Other features, such as per-client and address-synthesis behaviors, are intended for
use with Akamai’s SPS platform and require an additional license with the “N2” feature enabled.
STEP-BY-STEP:
1. In a previous exercise we used policies to drop the ANY type query for isc.org, and
described how a list of domain names could be maintained in Vantio for which that same
policy applies.
But how did we know to “block” isc.org?
Identifying those domains names for which queries generated large responses is
possible using the analysis capabilities of the statmon:
2. If unexpected names appear in the list, you might want to check for the size of the
responses by applying an additional filter. Here we look at response sizes greater than
1kB:
3. After you have identified those names which are responsible for consuming the greatest
amount of response traffic, analyze their request types:
You should find a few types of query dominate; these may change at attacks evolve.
Because it may not always be obvious what the purpose of a domain is; that is,
whether a name has both legitimate use and is also attractive to attackers, other
approaches are useful.
4. Suppose we suspect that the domains we identified earlier were “dual use” in the sense
that their large-sized responses were sometimes legitimate, and that it was possible your
clients require (un-truncated) responses at rates of a few QPS, but not more. In this case
we can use a ratelimiter object combined with the query selection capability. First
create a list for exact and sub-domain matches:
6. Add a ratelimiter which allows 1qps for type A (and any other type) requests:
7. The creation of the ratelimiter itself has no effect on anything. You can verify it does
nothing by looking at the ratelimiter’s statistics:
You will find only zeroes in the statistics field of the output
8. Create the policy that will apply the ratelimiter only for the domains on the lists:
You can also check the response bandwidth and verify it has decreased.
SUMMARY:
Using a ratelimiter with a policy is targeted and efficient but suffers from the drawback that the
lists of domains must be maintained.
The use of ECS and an optimization Nominum calls “Equivalence Classes” are described in this
lab.
STEP-BY-STEP:
1. By default, ECS is not enabled for any part of the DNS name space. One reason for this is
not every authoritative server supports it, but more importantly the use of ECS can
significantly increase resource needs of CacheServe.
We begin by enabling ECS on all queries to the google.com domain:
3. Use resolver.inspect to verify that your server cached two distinct entries for the
two different client IP addresses:
♦ What is the scope (network mask) for each of these cache entries?
4. In the case where the administrator knows that client networks should receive the same
responses, he can create an equivalence class. For our example, we create an
equivalence class consisting of the two networks above by creating an address-
list:
6. Inspect the cache for www.google.com. You should find that it has been cleared.
7. Repeat the server.query commands from before:
8. Once more look in the cache. Notice that the cache no longer contains separate entries:
consolidating the networks results in much more efficient cache use.
SUMMARY:
The ECS feature can result in MUCH more caching and recursion, requiring more resources than
if it was not enabled. Equivalence classes provide a way around this, at the cost of creating and
maintaining address lists.
Before enabling DNS64, it is useful to review how diagnostic tools are used with IPv6.
STEP-BY-STEP:
1. Verify that you can successfully use ping6 with the loopback address configured on the
local interface:
# ping6 ::1
2. Repeat with one or more of the addresses bound to the Ethernet interface (substitute
addresses from your local host, which can be displayed with the /sbin/ip addr
command):
# ping6 fd0c:a43a:811f:40:59eb::12
The second address is a link-local (not global) address, so ping6 requires that the user supply
an interface.
argument. Other tools express the interface as a numbered suffix on the IPv6
address.
3. Use dig to verify that your server can respond to a DNS request for A and AAAA
records when carried over IPv6 (your address may be different):
♦ What address could an IPv6-only client use to reach the espn.com website?
5. The existence of the prefix by itself does not enable the DNS64 functionality. Create a
policy which examines the result of a query and does DNS64 synthesis according to the
mapping rules found in the dns64 object configured above:
6. Bind the policy (at postquery time) with prefix 64:ff9b::/96 to the entire server:
7. Repeat your IPv6 query to your DNSi CacheServe instance for nominum.com’s AAAA
record:
You should now find a list of AAAA records, where the previous response was
NOANSWER/NOERROR.
8. Picking one of the IPv6 addresses from the response above, find out whether reverse
DNS64 responses are also synthesized:
Reverse record (PTR) request processing for DNS64 prefixes must be configured
separately with a policy that performs the dns64-reverse action. Completion
of this is left as a challenge for the reader.
SUMMARY:
The DNS64 feature enables additional processing for queries of type AAAA in any view with
DNS64 configuration. If no AAAA records exist for the queried name, but A records do exist,
AAAA records may be generated from A records according to a set of mapping rules, and the
synthesized answer returned to the client. Additional configuration of the DNS64 feature allows
further refinement of which clients are affected and what addresses are returned to them.
STEP-BY-STEP:
1. Before we begin let’s make a backup of the database:
# mkdir /var/nom/cacheserve.ex18
# cp -r /var/nom/cacheserve /* /var/nom/cacheserve.ex18/
# vi /usr/local/nom/etc/sysconfig/cacheserve
3. Add the following line of text to the file and save it:
CACHESERVE_OPTIONS="--license /root/cacheserve.license"
SUMMARY:
You have customized the command-line argument for CacheServe by applying an environment
variable in the sysconfig file.
All Akamai products support this mechanism for customization. You must
•
•
Replace the file name with the appropriate product name and
Change the environment variable name to the product
STEP-BY-STEP:
1. Login as root.
2. Confirm that a version of Perl on the host is 5.6 or above. Use the following command to
check the version:
# perl -v
Multiple Perl installations may exist on some machines. The default instance
might be older than other versions on the system. For example, it is not
uncommon for the default installation to appear in /usr/bin/perl, and
another version at /usr/local/bin/perl.
Examples in this guide will invoke the Perl binary without an absolute path.
Your path may be different.
3. Add the SDK to your environment by uncompressing and extracting the files needed for
all the Command Channel language bindings to your system to a temporary directory.
When this step is completed, you will find a number of files related to programming
languages supported by the Akamai Command Channel API:
# cd /tmp
# cd nomsdk-3.0.0.1-1
4. The Akamai Perl CC API installation requires steps that will be familiar to you if you have
ever manually installed (that is, not using CPAN) a Perl module. To begin the process,
change to the Perl subdirectory where the API files were copied in the previous step:
# cd perl
5. We now execute Perl on makefile.PL in preparation for installing the Perl module.
Run the following command
# perl Makefile.PL
# make
# make install
8. The output of the make install command should conclude with installation
information. Confirm that the installation succeeded by typing a command:
The command should execute without error. If there are errors, something went wrong.
SUMMARY:
We have installed the CC API for Perl. In the next section we read some of the ANS configuration
from a Perl program as a simple illustration of a typical script.
STEP-BY-STEP:
1. In /tmp you will have a tar file called cacheserve_perl.tar. Extract its contents
as shown here:
# cd /tmp
# perl cacheserve_stats.pl
If you send two queries to DNSi CacheServe, you might find output similar to this:
0 0 0 0 0 0 0
0 0 0 0 0 0 0
1 1 3 3 0 0 0
1 1 11 11 0 0 0
0 0 0 0 0 0 0
SUMMARY:
The script repeatedly fetches statistics from DNSi CacheServe, displaying—for each 1-second
interval—the following:
STEP-BY-STEP:
1. In the /tmp directory find the file cc_test.pl. For your reference this is the
contents of the file:
#!/usr/local/bin/perl
use Nom::CC::Message;
use Nom::CC::Channel;
my $response = $chan->send($request);
2. Run the program. You should see the version of the DNSi CacheServe server printed to
standard output.
# perl cc_test.pl
7.6.0.2
For clarity, no error handling is provided in this sample script. In the next
exercise we add a line of code which gives an indication of problems.
Now let’s get our first look at a configuration object, and provide examples of extracting various
known elements from the configuration.
#!/usr/bin/perl
use Nom::CC::Channel;
use Nom::CC::Message;
my $chan = new Nom::CC::Channel("cacheserve");
# perl cacheserve_getserver.pl
The previous page shows that a DNSi CacheServe server configuration is returned as a hash, and
that the keys to the hash are familiar fields of the server object. The same is true of all objects
we might request. As a concrete example, we’ll next modify the code to get the “world”
resolver’s configuration.
Some commands, such as the list method, return a sequence. A sequence is a set of data
items, returned one at a time, that can be identified by the appearance of the tag _more in the
control section of the message.
You can use nom-tell in verbose mode (-v option) to see an example of
processing a command channel sequence. Issue this command at the shell
prompt:
# nom-tell –v cacheserve resolver.list
This approach does not work with non-interactive mode (the “cacheserve”
prompt).
The programmer can detect and request items in a sequence with code that is illustrated in the
example file cacheserve_ listresolvers.pl.
SUMMARY:
A few sample scripts included on your lab instance should inspire some of your own ideas for
programs.
Answers to Exercises
ANSWER TO EXERCISE 1
Sample output from nom-tell when DNSi CacheServe responds to the “version” command.
request:
{
type => 'version'
}
response:
{
type => 'version'
vendor => 'Akamai'
product => 'Vantio CacheServe'
platform => 'rhel-7-x86_64'
version => '7.6.0.2'
build => '234542'
expiration => 'Wed Sep 30 23:59:59 2020'
}
Expiration dates only appear for temporary license files, such as those issued
for product evaluations and training.
Because the server object is in its default configuration, the server.get response does not
include any fields:
request:
response:
Modifications to the server will result in the appearance of the applied values. The same is true
of all object types, such as Resolvers. As shown below, the default world resolver appears to
have only one default property: its name.
response:
{
type => 'resolver.mget'
name => 'world'
}
After modifying the server configuration with the listen-on-matching statement, the
response to server.get response is no longer empty:
cacheserve> server.get
listen-on-matching => (
cacheserve>
ANSWER TO EXERCISE 2
What is the result of querying the server for localhost again? You should find no change
The command still consulted the “world” resolver. The presence of the second
(“internal”) has no effect until we direct queries to be answered from it.
Is the response for the A record of localhost still determined by our preload statement in the
“world” resolver? In other words, is the response still 127.0.0.1? Why?
No longer, because a query sent to 127.0.0.1 appears to be coming FROM 127.0.0.1, and
so is answered through the internal view, which means the “internal” resolver.
Use dig to query for localhost on another student’s instance of DNSi CacheServe. Explain
your results.
Should get the “world” resolvers answer, which is the preloaded data. The query arrives
on the routed interface.
What is the result of sending a command channel instruction after DNSi CacheServe has
stopped?
ANSWER TO EXERCISE 3
Are the counters for responses-sent and requests-received equal?
The traffic (and therefore variety of query names) to the world resolver is much greater.
If the exact same name was being requested over and over in both cases, the RATE itself
would not affect the size of the cache.
ANSWER TO EXERCISE 4
Does the output indicate what clients have requested this name?
No. The cache does not record what clients made requests to a specific name. It can be
recorded with other mechanisms like the querystore.
What result do you expect with resolver.inspect name=internal for this domain?
Does not exist (in that cache) because it has not been requested.
What impact does this have for users of the internal resolver?
What view and resolver is used to lookup the result? Repeat. Is the result cached?
The server.query command assumes the source IP is 127.0.0.1, so the internal view (and
therefore internal resolver) is used. The NXDOMAIN is cached.
Repeat the command a few times. How can you tell the result displayed is not from the cache?
ANSWER TO EXERCISE 7
How many source ports are open on your instance of DNSi CacheServe??
How many source ports are open on your instance of DNSi CacheServe now?
1024. The number is capped at 2048 so even if you configure more, it will not exceed this
value.
ANSWER TO EXERCISE 8
What records (types) appear in the responses?
Only A records.
What records (types) appear in the responses now? Does the cache show the trust field?
Does dig report that DNSi CacheServe provides a validated answer now? Does DNSi
CacheServe’s cache?
ANSWER TO EXERCISE 10
What statistics appear?
The name statistics (because there is a property to look for, unlike the total number)
appear empty at first. As new names are queried, their statistics appear.
statistics => (
id => 'server_qps'
}}
dig is a DNS client: a command-line program which implements the query mode of DNS
operation. Other operations defined in the DNS can be exercised with different client programs.
For example, nsupdate provides support for DNS update (often called DDNS) which allows a
client to modify a DNS zone entry.
In the illustrations which follow, several important elements of the dig display are identified.
Consider a query for the “A” record (IPv4 address) of akamai.com. Note that dig uses type A
for its default if no explicit type is declared on the command line. It is assumed that a recursive
name server (e.g. DNSi CacheServe) is listening for DNS requests on the loopback interface
127.0.0.1:
; (1 server found)
;; Got answer:
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;akamai.com. IN A
;; ANSWER SECTION:
akamai.com. 20 IN A 184.50.167.23
;; SERVER: 127.0.0.1#53(127.0.0.1)
Referring to the response above (which includes the question, per the DNS specification), we
see the result code is NOERROR (the server was able to process the query) and the contents are
summarized as follows:
QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
This means the response has one (1) question entry and one (1) answer entry. The answer
section consists of the TTL (time-to-live, in this case 20 seconds) and the IP address (in this case,
184.50.167.23). If more than one A records (addresses) were available, they would be included
as separate entries. The collection of all records at a name of a specific type is called a resource
record set (RRSET).
It is sometimes useful to examine greater detail about the response. The flags field in a DNS
message indicates how a client wishes a request to be handled as well as what action the server
has taken. In our example, only three flags are set and they show the following:
Note also the reduced TTL in the example below. It was originally 20 seconds, but as data in the
cache ages, this number decreases.
; (1 server found)
;; Got answer:
;; OPT PSEUDOSECTION:
;; QUESTION SECTION:
;akamai.com. IN A
;; ANSWER SECTION:
akamai.com. 6 IN A 184.50.167.23
;; SERVER: 127.0.0.1#53(127.0.0.1)
Standard SNMP utilities were used to generate the output shown below. Some text produced by
running these commands has been edited. For example, structures appropriate to authoritative
name servers (e.g., ANS) are suppressed for clarity.
The Ratelimiting Drops, Top Client and Top Domain tables (and the StatsControl parameter that
enables them) are not supported in CacheServe 7; these appear in the MIBS because they are
shared with Vantio 5.
An example of fetching a specific value for the current count of Recursion Contexts appears
here:
NOMINUM-NSM-MIB::nnsmServerCacheRecursionContextsActive.1 = Gauge32: 95
This command returns the list of DNSi CacheServe’s views and corresponding resolvers:
NOMINUM-NSM-MIB::nnsmViewResolverID.1.1 = Gauge32: 1
NOMINUM-NSM-MIB::nnsmViewResolverID.1.2 = Gauge32: 2
fetches the nnsmViewTable which tells us that the view called internal has view ID 1, is a “light-
weight” (lwCache) view type—the only type of view that exists in DNSi CacheServe 7—and it
points to a resolver with ID 1.
If the name of the resolver is known, but not the ID, it is possible to get the ID by fetching the
nrsvResolverNameToResolverID value using the ASCII code representation of the name
as the index:
NOMINUM-RESOLVER-MIB::nrsvResolverNameToResolverID.1."WORLD" = Gauge32: 2
The next commands return total queries processed by DNSi CacheServe’s resolvers with IDs 1
and 2.
The first example displays the server statistics with the nnsmServerCacheStatsTable
object (referring to this object by name gives the same result as referring to it by OID). The
trailing “.1” following the names of individual entries indicates the application index is 1:
NOMINUM-NSM-MIB::nnsmServerCacheStatsControl.1 = BITS: 00
The next example displays the nnsmViewNameToViewIdTable object, which contains the
mapping of view names to ViewIDs:
NOMINUM-NSM-MIB::nnsmViewNameToViewID.1."TEST0" = Gauge32: 2
NOMINUM-NSM-MIB::nnsmViewNameToViewID.1."WORLD" = Gauge32: 1
We see that views “test0” and “world” have been assigned ViewIDs 2 and 1, respectively.
In this example, the right-most “2” specifies the application index, and the “5” refers to the
number of characters in the string.
# gunzip cacheserve-7.6.0.2-234542-solaris-11.3-x86_64.tar.gz
# tar xvf cacheserve-7.6.0.2-234542-solaris-11.3-x86_64.tar
When the process of unpacking the files is complete, you will see a subdirectory called
cacheserve-7.6.0.2-234542. Change to that directory now:
# cd cacheserve-7.6.0.2-234542 /
INSTALL
UPGRADE
NOMbundle-tools-19.1.0.0.234542-sol11.3-x86_64
NOMcacheserve-7.6.0.2.234542-sol11.3-x86_64
NOMipanon-tool-19.1.0.0.234542-sol11.3-x86_64
NOMsnmpagent-19.1.0.0.234542-sol11.3-x86_64
NOMstatmon-19.1.0.0.234542-sol11.3-x86_64
NOMtimezone-data-2019.2.0.0.234542-sol11.3-x86_64
NOMutils-19.1.0.0.234542-sol11.3-x86_64
The files for later versions of the CacheServe package will have slightly different names.
Note that the NOMutils package must be installed first, followed by the
NOMtimezone-data and NOMcacheserve packages. The other packages
There is no option to change the installation location. The only supported location for
CacheServe is in /usr/local/nom/.
Note that the installation creates a service script which will attempt the shutdown of
CacheServe whenever the system terminates gracefully (ie via /sbin/shutdown or similar),
as well as start the CacheServe on boot. These capabilities are controlled through the
/usr/sbin/svcadm enable cacheserve and /usr/sbin/svcadm disable
cacheserve commands. As an alternative use the -t flag which means that start on boot will
not be affected: /usr/sbin/svcadm disable -t cacheserve
A note on logging:
By default, CacheServer writes log output through the host’s syslog utility using the daemon
facility. However, the default configuration of Solaris displays only messages of priority
NOTICE. If it appears that CacheServe logging is not printed to syslog, be sure to confirm
that syslog is configured to record daemon messages at priority INFO:
daemon.info /var/adm/messages
The two fields in the syslog.conf file are TAB separated. See the syslogd
and syslog.conf man pages for more information.
CacheServe installation on Red Hat utilizes the operating system’s “RPM” package facility, but it
is first necessary to uncompress and untar the distribution:
This command can be executed anywhere on the system with sufficient disk space.
# cd cacheserve-7.6.1.0-243307/
You should find the following files (subsequent releases will include components with slightly
different filenames):
INSTALL
UPGRADE
cacheserve-7.6.1.0-243307.el7.x86_64.rpm
ipanon-tool-19.1.2.0-243307.el7.x86_64.rpm
nom-bundle-tools-19.1.2.0-243307.el7.x86_64.rpm
nom-timezone-data-2020.2.0.0-243307.el7.x86_64.rpm
nomutils-19.1.2.0-243307.el7.x86_64.rpm
snmpagent-19.1.2.0-243307.el7.x86_64.rpm
statmon-19.1.2.0-243307.el7.x86_64.rpm
Note that the nomutils package must be added first, followed by other
packages. Do not install the tool to generate anonymous IP addresses from the
querystore (ipanon-tool).
All packages are tagged with the RPM group Nominum, so the following command will list all
Akamai-supplied packages installed on the host:
# rpm –q –g Nominum
There is no option for the installation location. The only supported location is
/usr/local/nom/.
To view the package registration information, use commands such as the following:
# rpm –q –i nomutils
# rpm –q –i ans
To view the list of files installed by the package, use commands such as the following:
# rpm -q -l nomutils
# rpm -q -l cacheserve
Like other Red Hat service scripts, this allows starting and stopping of the application with the
service command /bin/systemctl start cacheserve and /bin/systemctl
stop cacheserve .
Modules which fulfill the prerequisites can be found using yum or CPAN (see note below) and
are installed using the exact same sequence of steps described here for installing the Nominum
CC API:
• Move the distribution to a directory with at least 1 MB of free space (e.g. /tmp)
• Uzip and unpack:
# tar xvzf nomsdk-3.0.0.1-1.tar.gz
• Run make:
# make
If CPAN is installed at your site, you add modules with commands such as
# perl –MCPAN –e 'install Digest::SHA1'
# perl –MCPAN –e 'install Socket6'
# perl -MCPAN -e 'install IO::Socket::INET6'
# perl -MCPAN -e 'install Net::DNS::SEC'
The CPAN web site lists several suggestions for listing the installed modules at
http://cpan.org/misc/cpan-faq.html#How_installed_modules.
#!/usr/local/bin/perl
use ExtUtils::Installed;
my $instmod = ExtUtils::Installed->new();
Typical output, following installation of Nominum’s Perl API, might look something like this:
Digest -- 1.05
Digest::HMAC -- 1.01
Digest::SHA1 -- 2.07
Net -- ???
Net::DNS -- 0.42
Net::Telnet -- 3.03
Nominum -- ???
Perl -- 5.8.8
1 #! /usr/local/bin/perl
3 my $conn1 = Nom::CC::Channel->new('cacheserve');
5 my $response = $conn1->send($request);
1 #! /usr/local/bin/perl
The first line of the program gives the path to a Perl installation to be used if the file containing
your script is executed. The version used with the Nominum CC API must be 5.003 or greater.
3 my $conn1 = Nom::CC::Channel->new('cacheserve');
The local variable $conn1 is assigned a reference to an object defined by the Nominum Perl
API. Some may prefer to use new Nom::CC::Channel->("cacheserve"); either
syntax will work. Instead of declaring a service, it is possible to specify the connection
parameters directly as shown here:
The local variable $request is assigned a reference to an anonymous data structure that
represents the user’s payload in a CC message. The format is a table described by tag/value
pairs, defined in the CC API documentation. The “instruction” is a hash (containing, in this
instance, the single tag/value pair type/version) which itself is a value of a hash member with
the tag _data that is manipulated by the API. If you were to print out this structure using
Dumper($request);you would find something like
$VAR1 = bless( {
}, 'Nom::CC::Message' );
There are several ways to “pretty print” data structures. By formatting the
structures with indentation, it can be easier to visualize their contents and
troubleshoot bugs in your code.
5 my $response = $conn1->send($request);
This invokes the send method with our payload. The message is sent with a timeout of 60
seconds.
The local variable $response is assigned a reference to the received message object. Printing
out the $response we find:
The API shows DNSi CacheServe’s response as a hash containing the result of processing the
request.
$VAR1 = bless( {
}, 'Nom::CC::Message' );
It is instructive to compare the data structures constructed via the API with those
resulting from the “verbose” command nom-tell –v cacheserve
version. For the most part, API developers are concerned with creating and
manipulating the contents of the _data hash.
Elements that are hidden from the API user include the _ctrl and _auth
structures.