I’m sure you already know what DNSViz is, but for those two or three of you over there who still don’t, here is a summary:

“DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC).

It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.”

DNSViz is sponsored by Sandia National Laboratories and Verisign. The man behind the software is Casey Deccio, senior research scientist at Verisign Labs.

Recently Casey announced a major release of his code and called for a participation in hosting a DNS looking glass for the DNSViz Web site. Take a deeper insight here: https://www.caida.org/workshops/aims/1602/slides/aims1602_cdeccio.pdf.

This is how I did it on a fresh installed box with FreeBSD 10.2.

[Casey Deccio pointed me to a DNSViz FreeBSD port. I didn’t try it, but if you wish go to this github page]

Let’s start installing some prerequisite software:

pkg install python-2.7_2,2
pkg install py27-dnspython-1.12.0
pkg install lighttpd-1.4.38

make lighttpd start at boot:

echo 'lighttpd_enable=YES' >> /etc/rc.conf

create a document-root directory for lighttpd

mkdir /usr/local/www/data

Now grab the latest DNSViz software from github (currently version 0.5.1):

fetch --no-verify-peer https://github.com/dnsviz/dnsviz/archive/v0.5.1.zip

extract the software:

unzip v0.5.1.zip

copy the looking glass program to the document-root of lighttpd:

cd dnsviz-0.5.1
cp contrib/dnsviz-lg/dnsviz-lg.cgi /usr/local/www/data/

set owner and permissions accordingly
chown -R www:www /usr/local/www/data*

chown -R root:wheel /usr/local/www/data
chmod 0751 /usr/local/www/data
chmod 0444 /usr/local/www/data/dnsviz-lg.cgi

*[Thank you Casey for having spotted that and for your wise suggestions]

build and install DNSViz on the system:

python setup.py build
python setup.py install

It’s time to adjust lighttpd configuration files to serve what Casey Deccio coded:

cd /usr/local/etc/lighttpd

in modules.conf uncomment the following line:

include "conf.d/cgi.conf"

then go in conf.d

cd /usr/local/etc/lighttpd/conf.d

here edit cgi.conf and change the following line:

".cgi" => "/usr/bin/perl",

to

".cgi" => "/usr/local/bin/python",

now .cgi files are handled by python language.

That’s it, restart the webserver:

/usr/local/etc/rc.d/lighttpd restart

verify that your daemon is listening

netstat -anfinet|grep '*.80'

tcp4       0      0 *.80                   *.*         LISTEN

and serving the page dnsviz-lg.cgi

curl http://localhost/dnsviz-lg.cgi

{"version": 1.0, "error": "Request method GET not supported"}

It’s alright because you’re not supposed to call the script using a GET method. I just wanted to be sure that the server was correctly configured.

Last thing to do is to make a real query:

cd ~/dnsviz-0.5.1
python contrib/digviz +lg=http://localhost/dnsviz-lg.cgi @8.8.8.8 example.com

;; Got answer:
;; >>HEADER<

It’s working as expected, no error shown.

If you want to restrict access to your lighttpd server in order to permit only some IPs, you can use something like this in lighttpd.conf:

$HTTP["remoteip"] !~ "198.51.100.1|203.0.113.254" {
  url.access-deny = ("")
}

and to let lighttpd answering only requests with method POST:

$HTTP["request-method"] !~ "^POST$" {
  url.access-deny = ("")
}

If you want to restrict more:

you can tell lighttpd to serve only dnsviz-lg.cgi file

$HTTP["url"] !~ "\/dnsviz-lg\.cgi$" {
  url.access-deny = ("")
}

and/or block every user-agent except DNSViz/0.5.1 (remember to edit this if the version changes)

$HTTP["useragent"] !~ "^DNSViz\/0\.5\.1$" {
  url.access-deny = ("")
}

This is just a simple and straight how-to, I encourage you to read all the related documentation and manuals.