WE DO ASCII

Detox: sys4 and BSI make DNS more secure

The vulnerability of the Domain Name System may come across as astonishing. Of course, this vulnerability was never the intention of the DNS’s inventors, and it can be seen as an expression of the innocence of a bygone era.

There are many ways to manipulate the DNS. One notorious method is what is known as DNS cache poisoning. This involves manipulating entries in the DNS in order to misdirect address queries.

The attack vector has been known since 2013. Appropriate name server patches temporarily gave cause for hope that the problem had been eliminated. However, it quickly became clear that DNS cache poisoning is still taking place. On behalf of the German Federal Office for Information Security (BSI), sys4 investigated the extent of the problem and what can act as an antidote. In the process, sys4 identified an effective measure to immunize the DNS against cache poisoning: Limiting DNS responses via the User Datagram Protocol (UDP) to a maximum size of 1232 bytes.

Getting the dose right: Gradually dispensing email authentication

Email authentication with SPF, DKIM and DMARC is a powerful tool in the fight against phishing and spammers. Those who opt for this trinity strengthen their reputation and their ability to act on the Internet – as long as its introduction in production is done with the necessary caution.

Those who act too rashly run the risk of inadvertently strangulating their company's email communications. The precisely orchestrated staging of SPF, DKIM and DMARC is a necessary condition for success. The policy must be made progressively more stringent.

This often reveals things that were previously in the shadows – at least from the IT perspective. A classic example is the server on which half-forgotten email forms are running. Or external mailing lists, used by colleagues in the company, where contributions are forwarded using their sender addresses. Or: The external email marketing platform used by the marketing department without the knowledge of the IT department.

Modern Internet

Email

The use of email continues to grow. We are a global leader in high-performance platforms that combine high delivery rates, stability, and optimal protection against malware.

DNS

The DNS is the key to identity management. We are the specialists for the setup and modernization of a future-proof and resilient DNS.

IP

IPv6 makes IT more powerful, robust, and cost-effective. We help with the migration. With world-leading expertise.

Platforms

We design and build platforms for the critical infrastructure (CI) sector. Our strength is solution design based on extensive practical experience.

Abuse

Abuse jeopardizes business. On the national and international level, we develop industry standards for countermeasures. We have reduced the system load of one provider by a factor of 1000.

Blog

Michael Schwartzkopff
Feb 6, 2026

StrongSwan VPN with Windows Native Client

If you have a strongSwan VPN server, is is quite easy to connect from hosts that have the strongSwan client installed. This client exists for a wide variety of operating systems and especially for the mobile platforms like Android. But sometimes you want to use the native VPN client of the OS. In this blog article I want to describe the setup of the Windows 11 native client when using certificates. The setup is not quite straight forward since authentication methods, certificate attributes and …
Peter Eckel
Dec 19, 2025

Advanced search forms in NetBox

NetBox has powerful search and filter functions that make it possible to find objects in its managed data. These functions have long been available to scripts, API requests and automation tools such as Ansible. The only exception – and the one that hurts the most in everyday use – is the GUI. Or rather, was the GUI, because NetBox 4.5 is making a big breakthrough here. Status QuoUp to and including NetBox 4.4, the filter form for DNS records in the NetBox DNS plugin looks like this: Old DNS …
Michael Schwartzkopff
Dec 5, 2025

Netbox Custom Links Next Level

Netbox offers a variety of customisation features so help with your daily operational work. One possibility is to add Custom Links to objects as a shortcut. In this blog article I want to present two links that make life easier. First I add a ssh link to device objects, so I can open a one-click ssh console to the device. The second custom link refers to the Zabbix monitoring system. So with one click you can open the website with the recent problems for a device. The SSH Console LinkA very …
Contact