Tuesday, December 30, 2008

Using dnsmasq for DNS and DHCP services

Software for providing DNS and DHCP services has typically come from ISC in the form of BIND and dhcpd.

While these software packages are quite robust and, for the most part, quite secure, there are other alternatives that may work better depending on your situation. For smaller home or office networks, managing BIND and dhcpd may be overkill.

Another solution that provides both services is dnsmasq, which will cache external DNS addresses, provide local DNS names or override external DNS entries, and also provides dynamic IP addresses in the form of DHCP.

It can even provide static IP addresses over DHCP, the same as dhcpd, with the only pre-requisite being the MAC address of the system to assign the static IP to.

Most Linux distributions come with dnsmasq packaged, so it is a simple apt-get, yum, or urpmi away. Otherwise, compiling from source is quite easy. Dnsmasq handles DNS setup differently than BIND and other DNS servers. Everything is configured via a single configuration file, /etc/dnsmasq.conf.

When a request comes in, dnsmasq does not look in zone or similar files; it consults /etc/hosts first and then will look externally for addresses by consulting the name server(s) defined in /etc/resolv.conf. This is a quick and easy way to override external DNS addresses by simply defining them in /etc/hosts on the system that is running dnsmasq.

Dnsmasq also provides DHCP services quite easily. To do so, uncomment and set the following options in /etc/dnsmasq.conf:

expand-hosts

domain=example.com

dhcp-range=192.168.0.50,192.168.0.150,12h

dhcp-option=3,192.168.0.1

This will enable DHCP and set the network domain to "example.com". The DHCP server will offer addresses between 192.168.0.50 and 192.168.0.150 with a lease of 12 hours. Finally, dhcp-option sets DHCP option 3, the router option, which gives clients their default route, pointing to 192.168.0.1 as the router.

There are a lot of dhcp-option values; the configuration file and man pages go through them all with examples.

To set a static IP address for a client, use the dhcp-host keyword:

dhcp-host=11:22:33:44:55:66,foo,192.168.0.10

This will always give the host with the hardware MAC address of 11:22:33:44:55:66 the hostname foo (.example.com) and the IP address 192.168.0.10.

Another useful feature of dnsmasq is that it provides a TFTP server as well. You can enable the TFTP server, point it to the root directory of files to serve, and make use of network booting (PXE).

Dnsmasq provides a number of features that make it a compelling replacement for BIND and dhcpd, or any other DNS or DHCP server software you may be using. It can set default MX records, various caching options, a wide variety of DHCP options, SRV records to provide LDAP information, PTR records, SPF records, and even Zeroconf records.

Source: http://www.zdnetasia.com/techguide/opensource/0,39044899,62048842,00.htm

Tuesday, December 23, 2008

CloudShield Announced deployment of CS-2000 network services platform by DNS

CloudShield today announced deployment of its CS-2000 network services platform by Dynamic Network Services, a global provider of Internet-based domain, zone and email services.

Dynamic Network Services can also use the programmability of the CS-2000 to update the platform, on its own or using software upgrades from CloudShield, so that it is prepared to handle new threats as they develop.

Dynamic Network Services began as a free DNS service provider for the Perl and open-source communities but has grown to provide both its signature free service as well as commercial DNS services and Dynect, an enterprise-class dynamic DNS offering.

“They’ve got to run cost-effectively, since they have free as well as paid-for services, and they want to make sure that service is up and performing as expected,” said Bill Scull, vice president of marketing at CloudShield. “They are using our product to protect their infrastructure to make sure their online presence is maintained despite botnet attacks or D-DOS attacks.”

Such attacks can generate from 10 times to 500 times or more the average traffic on a site and service providers such as Dynamic Network Services cannot afford to over-provision bandwidth to be able to handle such an attack. The CloudShield CS-2000 uses deep packet inspection to detect malicious traffic and prevent it from overwhelming the Web sites, authentication servers, DNS server farms and other service provider infrastructure.

“If they have a CS-2000 in front of their infrastructure, they have the ability to, at line rates, sort the good packets from the bad packets,” Scull said. “Dynamic Network Services had a number of different centers around the globe and they will be deploying our boxes in each of those.”

Source: http://telephonyonline.com/software/news/cloudshield-dns-deployment-1216/

Tuesday, December 16, 2008

Another DNS Outage Gives OpenDNS Free Advertising

The folks in the OpenDNS marketing department probably huddle together each morning in a meeting room, praying to the digital gods for ISP DNS problems -- given that every time an ISP has a DNS disruption, the increasingly popular company sees an influx of new customers. Since being launched in 2006 by David Ulevitch, the service has developed an almost cult following, and now offers users a slew of services ranging from Internet filters and URL auto-correction to network monitoring and anti-phishing protection.

The company has certainly been helped each time the nation's two largest ISPs, Comcast and AT&T, temporarily forget how to run their DNS servers (which has happened a number of times over the last few years).

It's not clear how many users switched before Time Warner Cable resolved the problem (their LA network status page seems to indicate the problem is ongoing as of mid-day Friday). While probably not a priority for execs at Time Warner Cable, it does eat away at the revenue generated by DNS redirection advertising, which Time Warner Cable began implementing roughly a year ago. A growing number of ISPs have been implementing DNS redirection ad pages that pop-up when a user mistypes a URL, creating a new profit stream off clumsy typing.

OpenDNS is targeting that same profit stream and so far seems to be doing a much better job at it -- by including features that users actually find useful. Earlier this year it was estimated that OpenDNS makes $20,000 per day via their search relationship with Yahoo alone. That's money that could be going into ISP pockets, and you can be sure that eventually, should OpenDNS's popularity continue to grow, carriers will start trying to get wayward DNS users back onto their own servers -- one way or another.


Source: http://www.dslreports.com/shownews/Another-DNS-Outage-Gives-OpenDNS-Free-Advertising-99648?nocomment=1

Monday, December 15, 2008

RED HERRING AWARDS IYOGI FOR THE 2008 RED HERRING ASIA AMERICA 100

Award Recognizes the 100 “Most Promising” Asian Companies Driving the Future of Technology

Silicon Valley, CA, Dec 9th, 2008— Red Herring today announced that iYogi is a winner of the Red Herring 100 Award, a selection of the 100 most innovative private technology companies based in Asia.

iYogi delivers technical support services directly to consumers and small businesses and is the first global technical support brand based out of India, with more than 50,000 customers. The company offers consumers an unlimited, annual subscription service for $119.99 per desktop that includes support for a wide range of technologies, including PC hardware, Microsoft Products Support, Windows Operating systems, Computer Support, Software applications, MP3 players, Networking devices, Digital cameras, Printers and scanners.

The Red Herring editorial board diligently surveyed the entrepreneurial scene throughout Asia and identified the top 100 out of more than 1,000 closely evaluated companies that are leading the next wave of innovation.

“Our winners and Finalists demonstrate that Asia is increasingly becoming a leader in innovation, contrary to common stereotypes,” said Joel Dreyfuss, editor-in-chief of Red Herring. “It was tough to choose just the top 100 finalists from such a large list of excellent contenders, and we are very happy with the quality of the companies we selected as finalists.”

“We believe consumers and small business owners should have low-cost access to the highest quality support available on the planet,” said Uday Challu, CEO of iYogi. “We are thrilled that our innovative approach to solving everyday technology problems for consumers and our managed services for small businesses has been recognized by Red Herring’s keen-eyed leadership. We are continuously innovating in adding new services that include PC recovery, anti-virus, anti-spyware, data back-up and PC optimization in providing the best tech support experience for our customers,” adds Uday.

The 100 winning companies have been announced at the Red Herring Asia event in Hong Kong. The CEOs of the winning start ups presented their innovative ideas and technologies to an audience of leading entrepreneurs, financiers, and corporate strategists at the event at the Hong Kong, JW Marriott Hotel earlier this week.

About iYogi

iYogi is the first direct-to-consumer and small business technical support service from India. Providing an annual unlimited subscription to technical support, iYogi now boasts of more than 50,000 customers. The company employs 600 professionals servicing customers in the US, UK, Canada, Australia and fast expanding to 12 new geographies across the globe. iYogi’s resolution rate of 87 percent and customer satisfaction rate of 93 percent are amongst the highest published benchmarks in the industry. For further information, please visit www.iyogi.net.

iYogi Contact

Vishal Dhar
President Marketing, iYogi Inc.
Phone: 212 229 0901
Email: vishal@iyogi.net

Tuesday, December 9, 2008

Beware of Scoundrel DHCP servers, warns Symantec

DHCP is a mechanism commonly used to automatically assign IP addresses to computers and other devices on a local network. It also provides the client systems with the address of the DNS server they should use.

Using a malicious DNS server to divert traffic to malicious sites is known as pharming. A pharmed user may type a bank URL directly into the browser (as recommended by most financial institutions), but may end up on a fake site designed to capture login details to aid in making fraudulent transactions.

According to Symantec, a Trojan it has dubbed Flush.M sets up a rogue DHCP server on the victim's PC.

When other systems on the LAN make a DHCP request to receive or renew an IP address, Flush.M responds.

If the requesting system receives Flush.M's response before that of the real DHCP server, it will start using the malicious DNS server(s) rather than those specified by the real network administrator.

This can be done by infecting just one PC on the LAN, and it can potentially divert the traffic from any other device, regardless of its operating system.

Furthermore, security software running on those other devices is unlikely to find anything wrong.

Symantec suggests network administrators should watch for DHCP offers originating from addresses other than their DHCP servers, and that they monitor or block traffic to the IP address range 85.255.112.0 to 85.255.127.255, which includes known malicious DNS servers.
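Both checks Symantec suggests can be run over captured DHCP replies. The following is an added example, not part of the original article: it parses a DHCP payload and flags replies from servers that are not on an allow-list or that hand out DNS servers inside the quoted range. The authorized server 192.168.0.1, the function names and the sample packets are assumptions constructed for the demonstration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5

# Address range quoted in the Symantec advice above; it collapses to one /20.
BLOCKED_DNS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("85.255.112.0"),
    ipaddress.IPv4Address("85.255.127.255")))


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into the fields we audit."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:                  # single-byte padding, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    dns_raw = options.get(OPT_DNS, b"")
    if len(dns_raw) % 4:
        raise ValueError("malformed DNS option")
    msg_type = options.get(OPT_MSG_TYPE)
    server_id = options.get(OPT_SERVER_ID)
    return {
        "type": msg_type[0] if msg_type else 0,
        "yiaddr": ipaddress.IPv4Address(payload[16:20]),
        "server_id": (ipaddress.IPv4Address(server_id)
                      if server_id and len(server_id) == 4 else None),
        "dns": [ipaddress.IPv4Address(dns_raw[j:j + 4])
                for j in range(0, len(dns_raw), 4)],
    }


def check_reply(src_ip, payload, authorized_servers):
    """Return a list of findings for one server-to-client DHCP message."""
    msg = parse_dhcp(payload)
    if msg["type"] not in (DHCPOFFER, DHCPACK):
        return []                            # only server replies are audited
    findings = []
    senders = {ipaddress.IPv4Address(src_ip)}
    if msg["server_id"] is not None:
        senders.add(msg["server_id"])
    allowed = {ipaddress.IPv4Address(a) for a in authorized_servers}
    for sender in sorted(senders - allowed):
        findings.append(f"reply from unauthorized DHCP server {sender}")
    for dns in msg["dns"]:
        if any(dns in net for net in BLOCKED_DNS):
            findings.append(f"DNS server {dns} is in the blocked range")
    return findings


def build_reply(msg_type, server_ip, offered_ip, dns_ips):
    """Construct a sample server reply for the demo (not captured traffic)."""
    def ip(text):
        return ipaddress.IPv4Address(text).packed
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234ABCD, 0, 0,        # op=BOOTREPLY, Ethernet, hlen=6
        ip("0.0.0.0"), ip(offered_ip), ip(server_ip), ip("0.0.0.0"),
        bytes.fromhex("112233445566"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
    opts += bytes([OPT_DNS, 4 * len(dns_ips)]) + b"".join(ip(d) for d in dns_ips)
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed sample data: one legitimate offer and one rogue offer.
AUTHORIZED = {"192.168.0.1"}
LEGIT = build_reply(DHCPOFFER, "192.168.0.1", "192.168.0.60", ["192.168.0.1"])
ROGUE = build_reply(DHCPOFFER, "192.168.0.77", "192.168.0.61",
                    ["85.255.112.1", "85.255.127.254"])

if __name__ == "__main__":
    for src, pkt in (("192.168.0.1", LEGIT), ("192.168.0.77", ROGUE)):
        print(src, check_reply(src, pkt, AUTHORIZED) or "ok")
```

In a deployment the payloads would come from a capture of UDP port 68 traffic on the LAN rather than from build_reply.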


Source:itwire.com

Wednesday, November 26, 2008

Using dnsmasq for DNS and DHCP services

Software for providing DNS and DHCP services has typically come from ISC in the form of BIND and dhcpd. While these software packages are quite robust and, for the most part, quite secure, there are other alternatives that may work better depending on your situation. For smaller home or office networks, managing BIND and dhcpd may be overkill.

Another solution that provides both services is dnsmasq, which will cache external DNS addresses, provide local DNS names or override external DNS entries, and also provides dynamic IP addresses in the form of DHCP. It can even provide static IP addresses over DHCP, the same as dhcpd, with the only pre-requisite being the MAC address of the system to assign the static IP to.

Most Linux distributions come with dnsmasq packaged, so it is a simple apt-get, yum, or urpmi away. Otherwise, compiling from source is quite easy. Dnsmasq handles DNS setup differently than BIND and other DNS servers. Everything is configured via a single configuration file, /etc/dnsmasq.conf.

When a request comes in, dnsmasq does not look in zone or similar files; it consults /etc/hosts first and then will look externally for addresses by consulting the name server(s) defined in /etc/resolv.conf. This is a quick and easy way to override external DNS addresses by simply defining them in /etc/hosts on the system that is running dnsmasq.

Dnsmasq also provides DHCP services quite easily. To do so, uncomment and set the following options in /etc/dnsmasq.conf:

expand-hosts

domain=example.com

dhcp-range=192.168.0.50,192.168.0.150,12h

dhcp-option=3,192.168.0.1

This will enable DHCP and set the network domain to “example.com.” The DHCP server will offer addresses between 192.168.0.50 and 192.168.0.150 with a lease of 12 hours. Finally, dhcp-option sets DHCP option 3, the router option, which gives clients their default route, pointing to 192.168.0.1 as the router. There are a lot of dhcp-option values; the configuration file and man pages go through them all with examples.

To set a static IP address for a client, use the dhcp-host keyword:

dhcp-host=11:22:33:44:55:66,foo,192.168.0.10

This will always give the host with the hardware MAC address of 11:22:33:44:55:66 the hostname foo (.example.com) and the IP address 192.168.0.10.

Another useful feature of dnsmasq is that it provides a TFTP server as well. You can enable the TFTP server, point it to the root directory of files to serve, and make use of network booting.

Dnsmasq provides a number of features that make it a compelling replacement for BIND and dhcpd, or any other DNS or DHCP server software you may be using. It can set default MX records, various caching options, a wide variety of DHCP options, SRV records to provide LDAP information, PTR records, SPF records, and even Zeroconf records.

For small office and home networks, dnsmasq is hard to beat in terms of simplicity and power. The configuration file is loaded with examples and information so, while initial setup for a larger network will require a commitment of some time, it is all very straightforward.


Source: blogs.techrepublic.com.com/opensource/?p=293

Thursday, November 20, 2008

Manage Windows Server 2008 DHCP Servers From Command Line

Installing the DHCP Feature from the Command Line

A Windows Server 2008 system can only act as a DHCP server if the DHCP feature has been installed. This can be achieved from the command prompt using the servermanagercmd utility as follows:

servermanagercmd -install dhcp

Authorizing DHCP Servers in Active Directory

If a DHCP server is to operate within an Active Directory domain (and is not running on a domain controller) it must first be authorized. This can be achieved either as part of the DHCP Server role installation, or subsequently using either DHCP console or at the command prompt using the netsh tool. To achieve this, open a command prompt and enter the following command:

netsh dhcp server serverID initiate auth

In the above command syntax, serverID is replaced by the IP address or full UNC name of the system on which the DHCP server is installed.

Configuring Scopes at the Command Prompt

DHCP scopes may be configured from the command prompt using the netsh tool. netsh may be run as a single command, or interactively. To run in interactive mode follow these steps:
  1. At the command prompt enter netsh.
  2. At the netsh> prompt enter dhcp.
  3. At the netsh dhcp> prompt enter server \\servername where servername is the UNC name or IP address of the server to be managed. For example:
     netsh dhcp>server \\winserver-1
  4. At the netsh dhcp server prompt, enter the commands to be executed.

Alternatively, run each netsh command separately, using the following syntax:

netsh dhcp server \\servername commands

To create a new DHCP scope the command syntax is as follows:

netsh dhcp server \\servername scope subnetID add iprange startIP endIP

For example, to create a scope on subnet 192.168.2.0 ranging from 192.168.2.1 through 192.168.2.100:

netsh dhcp server \\winserver-1 scope 192.168.2.0 add iprange 192.168.2.1 192.168.2.100

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

To list a scope IP address range:

netsh dhcp server \\winserver-1 scope 192.168.2.0 show iprange

Changed the current scope context to 192.168.2.0 scope.

=========================================================
Start Address - End Address - Address type
=========================================================
192.168.2.1 - 192.168.2.100 - DHCP ONLY

Number of IP Ranges : 1 in the Scope : 192.168.2.0.

Command completed successfully.

To delete an IP range from a scope using netsh:

netsh dhcp server \\winserver-1 scope 192.168.2.0 delete iprange 192.168.2.1 192.168.2.100

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

To display the current state of a scope:

netsh dhcp server \\winserver-1 scope 192.168.2.0 show state

Changed the current scope context to 192.168.2.0 scope.

Current State of the Scope 192.168.2.0 : Active

Command completed successfully.

To add an exclude range to a scope:

netsh dhcp server \\winserver-1 scope 192.168.2.0 add excluderange 192.168.2.10 192.168.2.20

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

To display the exclude ranges:

netsh dhcp server \\winserver-1 scope 192.168.2.0 show excluderange

Changed the current scope context to 192.168.2.0 scope.

=====================================
Start Address - End Address
=====================================
192.168.2.10 - 192.168.2.20

Number of ExcludeRanges : 1 in the Scope : 192.168.2.0.

Command completed successfully.

To list the clients using a DHCP scope:

netsh dhcp server \\winserver-1 scope 192.168.2.0 show clients

Changed the current scope context to 192.168.2.0 scope.

Type : N - NONE, D - DHCP B - BOOTP, U - UNSPECIFIED, R - RESERVATION IP
==================================================================================
IP Address - Subnet Mask - Unique ID - Lease Expires -Type
==================================================================================


No of Clients(version 4): 0 in the Scope : 192.168.2.0.

Command completed successfully.

Activating and Deactivating DHCP Scopes using Netsh

DHCP scopes must be activated before they can be used and may also be deactivated at any time. Both of these tasks may be performed at the command prompt using the netsh tool. For example, to activate a scope the following command line syntax is used:

netsh dhcp server serverID scope subnetID set state status

where serverID is the name or IP address of the computer running the DHCP server, subnetID is the network ID of the subnet on which the scope is to be configured, and status is either 1 or 0 depending on whether the scope is to be activated (1) or deactivated (0). On a switched network where multiple virtual networks are hosted on a single network, use 2 and 3 respectively to deactivate and activate the scope.

Terminating a DHCP Lease using Netsh

The lease associated with an IP address may be terminated at the command prompt using the following command syntax:

netsh dhcp server serverID scope subnetID delete lease IPaddress

where serverID is the name or IP address of the computer running the DHCP server, subnetID is the network ID of the subnet on which the IP address resides, and IPaddress is the IP address on which the lease is to be terminated. For example,

netsh dhcp server \\winserver-1 scope 192.168.2.0 delete lease 192.168.2.101

Configuring DHCP Reservations using Netsh

DHCP reservations provide a mechanism by which IP addresses may be permanently assigned to a specific client based on the MAC address of that client.

The MAC address of a Windows client can be found by running the ipconfig /all command. For Linux systems the corresponding command is ifconfig -a. Once the MAC address has been identified, the reservation may be configured using either the DHCP console or at the command prompt using the netsh tool.

To add a reservation using netsh the following syntax is used:

netsh dhcp server \\servername scope subnetID add reservedip IPaddress MacAddress ReservationName Comment

For example, the following command reserves an IP address for a specific MAC address (note that the MAC address must be entered without any delimiters):

C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 add reservedip 192.168.2.12 0013720B1457 "CEO Printer" "Printer in Exec Suite"

Changed the current scope context to 192.168.2.0 scope.

Command completed successfully.

To list the current reserved IP addresses for a particular scope the following netsh command may be used:

C:\Users\Administrator>netsh dhcp server \\winserver-2 scope 192.168.2.0 show reservedip

Changed the current scope context to 192.168.2.0 scope.

===============================================================
Reservation Address - Unique ID
===============================================================

192.168.2.10 - 00-0b-db-18-a0-db-
192.168.2.11 - 06-ec-e6-11-47-bd-
192.168.2.12 - 00-13-72-0b-14-57-


No of ReservedIPs : 3 in the Scope : 192.168.2.0.

Command completed successfully.

Configuring DHCP Conflict Detection

By default, if a DHCP server assigns an IP address to a client which conflicts with another client, it is the job of the client to decline the assigned address and request that the DHCP server send another. A faster option is to enable DHCP Conflict Detection on the DHCP server, whereby the server checks that there are no conflicts associated with an IP address before it is assigned to a client. The DHCP server will repeat this process until a valid IP address is found, or a specified number of attempts to find a non-conflicting IP address is reached. The syntax to enable conflict detection and specify the number of retry attempts is as follows:

netsh dhcp server servername set detectionconflictretry no_of_attempts

where servername is the name or IP address of the DHCP server and no_of_attempts is the maximum number of times the DHCP server will attempt to find a non-conflicting IP address. To disable conflict detection, simply run the above command setting no_of_attempts to 0. For example:

netsh dhcp server \\winserver-1 set detectionconflictretry 0

Backing Up and Restoring DHCP Configuration Information

The current configuration of a DHCP server can quickly and easily be saved and restored using the dump option of the netsh tool. This enables a server to be quickly restored to its original state in the case of a system failure, or for the configuration to be duplicated on another server.

For example, to back up the configuration on a local server to a file named DHCPconfig.cfg:

netsh dhcp server dump > DHCPconfig.cfg

The configuration on a remote system may be similarly saved by specifying the name or IP address of the server:

netsh dhcp server \\winserver-1 dump > DHCPconfig.cfg

Source:techotopia.com/index.php/Managing_a_Windows_Server_2008_DHCP_Server_from_the_Command_Line

Wednesday, November 12, 2008

DHCP Server Security

Although DHCP servers are critical to the operation of most enterprise networks, DHCP server security is often one of the most overlooked areas of network security. One reason for this might be the simplicity of how DHCP works: DHCP clients broadcast discovery messages (DHCPDISCOVER) containing their MAC addresses and DHCP servers respond by offering (DHCPOFFER) to lease an IP address and other TCP/IP settings that the client can use to communicate on the network. The client responds (DHCPREQUEST) to the first lease offer it receives and the server acknowledges (DHCPACK) the request and marks the address as leased in its DHCP database. That's all there is to it—who needs to worry about security?

Attacking DHCP

Unfortunately it's the very simplicity of DHCP that's actually the problem as far as security goes. No authentication or authorization takes place during an exchange between a DHCP server and DHCP client, so the server has no way of knowing if the client requesting the address is a legitimate client on the network, and the client has no way of knowing if the server that assigned the address is a legitimate DHCP server. The possibility of rogue clients and servers on your network can create all kinds of problems.

For example, a rogue DHCP server could provide legitimate clients with bogus TCP/IP information that prevents the clients from communicating on the network. A denial of service (DoS) condition then results, and users are unable to connect to network resources to perform their work. Setting up a rogue DHCP server could be as simple as conducting a social engineering attack to gain physical access to your network and plugging in a laptop configured as a DHCP server.

Another scenario might involve an attacker compromising a client computer on your network and installing software that repeatedly requests new IP addresses using spoofed MAC addresses until the entire pool of addresses in your DHCP server's scope is leased. When this happens, legitimate clients that boot onto the network can't acquire an address and again users are unable to access the network and can't do their work.
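The address-exhaustion scenario above leaves a recognizable trace: a burst of never-before-seen MAC addresses asking for leases from one place on the network. The following is an added example, not part of the original article, that detects such a burst in a stream of DHCPDISCOVER events. The event tuple layout, the per-port grouping (which assumes the switch or relay agent reports the ingress port), the thresholds and the sample events are all assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque


def detect_starvation(events, window_s=60, max_new_macs=20):
    """Flag ports where too many never-seen MACs send DHCPDISCOVER in one window.

    events: time-ordered iterable of (epoch_seconds, port, mac).
    Returns one alert dict per burst: {"port", "at", "new_macs"}.
    """
    seen = set()                     # every client MAC observed so far
    recent = defaultdict(deque)      # port -> timestamps of first-seen MACs
    alerting = set()                 # ports already inside an alerted burst
    alerts = []
    for ts, port, mac in events:
        mac = mac.lower()
        window = recent[port]
        # Drop first-seen timestamps that have aged out of the window.
        while window and ts - window[0] > window_s:
            window.popleft()
        # Once the port calms down, allow a future burst to alert again.
        if len(window) <= max_new_macs:
            alerting.discard(port)
        if mac in seen:
            continue                 # renewals by known clients are not counted
        seen.add(mac)
        window.append(ts)
        if len(window) > max_new_macs and port not in alerting:
            alerting.add(port)
            alerts.append({"port": port, "at": ts, "new_macs": len(window)})
    return alerts


def sample_events():
    """Constructed events: five normal clients, then a spoofed-MAC burst."""
    events = []
    # Normal clients, one per port, repeating DISCOVER every two minutes.
    for ts in range(0, 600, 120):
        for n in range(1, 6):
            events.append((ts, f"sw1/{n}", f"00:16:3e:00:00:{n:02x}"))
    # One compromised host on port sw1/7 requesting with a new MAC each second.
    for i in range(50):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        events.append((1000 + i, "sw1/7", mac))
    return events


if __name__ == "__main__":
    for alert in detect_starvation(sample_events()):
        print("possible DHCP starvation:", alert)
```

The threshold should sit well above the number of new devices a single port or segment legitimately brings online within the window, and below the size of the DHCP scope.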

A more sinister result happens when an attacker breaches network security and gains control of your own DHCP servers. At that point the attacker might proceed to modify the DHCP server to assign clients an incorrect subnet setting and thus create another DoS condition. Or they might modify the server to assign clients incorrect DNS settings and redirect clients to rogue or hijacked DNS servers, which could then redirect clients to hostile websites where they unknowingly download a trojan.

Worse yet, if you're running your DHCP server on a domain controller then an attacker who compromises your DHCP server gains access to your accounts database and can cause all sorts of further problems. The result is usually your worst nightmare. Fortunately, there are some measures you can take to protect your DHCP servers and avoid many of these scenarios, provided you're also following all the usual best practices for securing Windows-based networks. Let's look at some specific threats to DHCP on your network and the countermeasures you can take to mitigate these different threats.

Threats and Countermeasures

On the face of it, the requirement that Windows 2000 and Windows Server 2003 DHCP servers be authorized in Active Directory before they can start leasing addresses to requesting clients seems to mitigate the threat of rogue DHCP servers on your network. Authorization means that when a Windows 2000 or Windows Server 2003 DHCP server boots onto an Active Directory network it first contacts a domain controller to check if its own IP address is found on the list of authorized DHCP servers maintained by the domain controller. If the DHCP server determines that it is authorized to lease addresses to clients, it begins to do so. If it's not authorized, Windows shuts down the DHCP Server service on the machine so it won't be able to lease addresses.

The real benefit of this is to protect your network against legitimate DHCP servers that are badly configured, though it has the added side effect of guarding against accidental or rogue DHCP servers running Windows 2000 or Windows Server 2003. What happens though if an attacker compromises your network with a rogue DHCP server not running Windows 2000 or Windows Server 2003? In this case authorization won't help because non-Microsoft DHCP servers may not respond the same way as Microsoft ones to the DHCPINFORM messages Windows uses to check if DHCP servers are authorized.

Rogue clients are another problem entirely though, as DHCP is designed to make it easy for clients to obtain IP addresses so they can participate on a network. The obvious way of dealing with the problem of rogue clients would seem at first to be DHCP reservation, though on large networks this entails considerable administrative overhead. A reservation is a predefined setting that maps a MAC address to an IP address so that only a client with a particular MAC address can lease the IP address associated with that reservation. If security is critical an administrator could create reservations for each and every client machine on the network, and if unreserved IP addresses still remain in the DHCP server's scope then these could be reserved using invalid or non-existing MAC addresses. Then when a rogue client tries to boot on the network the result is that the DHCP server has no free addresses to lease and the client can't connect.

If only it were that simple. While this approach might foil a casual attack, sophisticated attackers have ways of circumventing DHCP reservations. The simplest approach is for the attacker to run a program that listens for DHCPDISCOVER broadcasts from clients and harvests their MAC addresses. Then, when a legitimate client shuts down, the rogue client can reconfigure its MAC address to match that of the legitimate client and hijack the legitimate client's lease or try to disrupt communications for the client. Considering this, security-conscious administrators might consider dropping DHCP entirely in favor of static addressing, but what's to stop an attacker who has physical access to your network from assigning a static address to their own machine and joining the network?

Via:windowsecurity.com/articles/DHCP-Security-Part1.html

Friday, November 7, 2008

How to reinstall a dynamic DNS Active Directory-integrated zone

Under the following situations you may want to reinstall the dynamic DNS in a Windows 2000 Active Directory:


  • Multiple DNS errors have occurred and methods have been unsuccessful.

  • Services that depend upon DNS, such as, the File Replication service (FRS) and/or Active Directory are failing. Also, the standard troubleshooting procedures have been unable to locate the exact cause of the problem.

  • DNS had been built as a secondary DNS server or files copied from a DNS server do not support dynamic updates.

  • To create a better name space design, such as, splitting the internal and external name spaces.

You have to remove DNS and the DNS cache. Then, you must rebuild one Active Directory DNS server to set up long term stability.

The following steps can remove the defective information in Active Directory-integrated DNS:

  1. Go to the properties of the DNS zone files and change them to be a "Standard Primary".
  2. In the %Systemroot%\Winnt\System32\DNS folder, delete the text DNS Zones files.
  3. Delete the object in Active Directory Users and Computers.
  4. On the View menu, click Advanced Features, expand the System folder, click MicrosoftDNS, and then delete the zone file objects.
  5. For each Active Directory-integrated DNS server, repeat steps 1-3.
  6. In the Transmission Control Protocol/Internet Protocol (TCP/IP) properties of the first Active Directory-integrated DNS server, point it to itself.
  7. To obtain proper resolution, you must clear the Caching Resolver, which is the DNS client on the DNS server. At the command prompt, type: ipconfig /flushdns.
  8. Stop and restart DNS and the NetLogon service. Then, remove and re-add the DNS service.

You have completed the process to clear out a DNS server. You must complete the process for any additional DNS servers that you plan to integrate with Active Directory.

The following steps can assist you to build a strong foundation for DNS, Active Directory, and FRS:


  • Configure all DNS servers to point to the same DNS server in the domain or forest under TCP/IP properties in DNS: Right-click My Network Places, click Local Area Connection, right-click Local Area Connection, click Properties, select the properties of TCP/IP, and then point all DNS servers to the same DNS server. Also, click the Advanced DNS tab, and then confirm that secondary DNS servers are not configured.

  • Re-add the DNS service, or re-add the zones and configure them to be Active Directory integrated. For troubleshooting purposes, you may want to set "Allow Dynamic Updates?" to Yes. Later, you can change this setting to "Allow Only Secure Updates".

  • Run the ipconfig /flushdns command, and then run the ipconfig /registerdns command. This command can help you to register your A resource record for DNS as well as your start of authority (SOA). You may want to run this command on any other servers that are critical to you.

    NOTE: The Dynamic Host Configuration Protocol (DHCP) client service needs to be running on each of these computers to register the records in Dynamic DNS. It is not relevant if the computer is a DHCP client or not. You must have this service set to "start" and the "Start up" type set to "automatic." The DHCP client service is what registers records in Dynamic DNS. (Refer to the description in the Computer Management snap-in.)

  • Active Directory-integrated DNS is now working on your first Dynamic DNS server. You must point additional Dynamic DNS servers to the first DNS server under TCP/IP properties. You must confirm that a full and complete replication process has occurred before you change the TCP/IP properties to point to itself for any additional DNS servers.

Before you configure DNS, you must research the benefits of various DNS name space architectures, such as internal name spaces, external name spaces, child domains, caching only DNS servers, and reverse look-up zones. Then, you must consider how to develop a design architecture that can work for your organization.

Source:support.microsoft.com/kb/294328

Friday, October 31, 2008

Install a Windows 2003 DNS server

Every network needs a DNS (domain name service) server, right? Windows comes with a DNS server, but it isn’t installed by default. This will tell you how to install a DNS server on a Windows 2003 server.

As an administrator on the system, click Start -> Control Panel -> Add or Remove Programs -> Add/Remove Windows Components.

In the window that opens, click on the Networking Services line (careful not to uncheck the box to the left) and click Details.

Find the line for Domain Name System (DNS), click the checkbox on its left, and click OK. Click Next.

If Windows asks for a CD-ROM, do as it requests. When it is done, click Finish and you’ll have your very own DNS server.

Source:tech-recipes.com

Friday, September 26, 2008

Boost Email Deliverability With a Static IP Address

DNS stands for Domain Name System, which is basically the protocol computers use to connect to each other across the web. If you sent an email to "JaneDoe@AnySite.com" your mail server would do a DNS lookup on "AnySite.com" so it would know to actually send your message to the mail server at "123.45.67.890". That mail server would then route your message to its user named "JaneDoe". DNS works both ways - the receiving email server has an IP number and the sending email server has an IP number. Until a few years ago, the IP address of the sending email server wasn't all that important. But, with the onslaught of spam, all that has changed.

Today, most mail servers will check the IP address of the sending server before accepting the message, to see if the mail is coming from a static or dynamic IP address. The receiving mail server performs a reverse DNS lookup - it checks the IP address that the email is coming from to make sure that address belongs to the sending mail server.

If an email message is claiming to be from "YourCompany.com" the receiving mail server will make sure the IP address does indeed belong to YourCompany.com. It's easy to check this when the sending IP address is a static one. A static IP address belongs to one particular computer and the address always stays the same.

However, a dynamic IP address changes every time the computer connects to a network or the web. It's not possible to perform a reverse DNS lookup on a dynamic IP address. Dynamic IP addresses are used by individuals with dial-up or DSL accounts on personal computers. Unfortunately, they are also used by spammers. So if a bulk of mail is coming from a dynamic IP address, there's a good chance the mail will be sent immediately to the spam folder.

If you're sending your marketing messages directly from your own computer using the email configuration provided by your internet service provider, you're probably using a dynamic IP address with no reverse DNS lookup. Now, this isn't a problem if you're sending one-off messages to Aunt Betty, but it does become a problem if you're sending a bulk email to your entire client database. If you're using a from address like "JoeSmith@YourCompany.com", since the dynamic IP address assigned by your ISP does not belong to "YourCompany.com", there's a good chance your message will be rejected.

You might think you can resolve this issue simply by using "JoeSmith@YourISP.com" as your from address; unfortunately, this doesn't always work either. In an effort to protect their users from unwanted spam, ISPs treat bulk email differently than they do individual messages. And, since the sending IP address is still a dynamic one, there's a good chance your message will still end up in the spam folder.

The best thing to do is to ensure that your website's DNS entry is complete and is capable of a reverse lookup. Then use your webhost's email server to send all your marketing messages. Check with your web hosting company's technical department to verify that your website and its corresponding email server are both using static IP addresses with complete DNS entries. And while you're at it, ask them to set up an SPF record for your domain.
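The receiving server's checks described above can be sketched as follows. This is an added example, not code from the original article: the DNS tables are constructed sample data standing in for live lookups, the `.example` names and documentation-range addresses are assumptions, the SPF evaluator covers only the `ip4`, `ip6` and `all` mechanisms, and the final accept rule is an illustrative policy.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (documentation address ranges).
PTR_RECORDS = {
    "192.0.2.25": "mail.yourcompany.example",
    "198.51.100.9": "mail.yourcompany.example",  # PTR claims the name; forward lookup disagrees
}
A_RECORDS = {"mail.yourcompany.example": ["192.0.2.25"]}
TXT_RECORDS = {"yourcompany.example": ["v=spf1 ip4:192.0.2.0/24 -all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def forward_confirmed_rdns(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Reverse lookup, then confirm the returned name resolves back to the same IP."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr", None
    if ip in a.get(name, []):
        return "confirmed", name
    return "mismatch", name


def spf_result(ip, domain, txt=TXT_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of the domain's SPF record for this IP."""
    records = [t for t in txt.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a configuration error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        kind, _, value = mech.partition(":")
        kind = kind.lower()
        if kind == "all":
            return QUALIFIERS[qualifier]
        if kind in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qualifier]
        # Mechanisms such as a, mx and include need further lookups; skipped in this sketch.
    return "neutral"


def assess_sender(ip, from_domain):
    """Combine both checks; the accept rule is an illustrative policy, not a standard."""
    rdns, name = forward_confirmed_rdns(ip)
    spf = spf_result(ip, from_domain)
    return {"rdns": rdns, "ptr": name, "spf": spf,
            "accept": rdns == "confirmed" and spf == "pass"}


if __name__ == "__main__":
    # Static mail server, dynamic address with no PTR, and a PTR that does not forward-confirm.
    for sender in ("192.0.2.25", "203.0.113.77", "198.51.100.9"):
        print(sender, assess_sender(sender, "yourcompany.example"))
```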

Using complete DNS entries will not guarantee that your email is delivered 100% of the time, since there are still many more issues that affect deliverability. But it's one step toward reducing the likelihood that your email will be mistaken as spam.

Time to implement: this shouldn't require more than a quick phone call to your webhost's technical department. If you've been using your ISP's mail configuration, your webhost can walk you through the correct steps for setting up your email client to use your host email server.

Sunday, August 31, 2008

iYogi Computer Repair, PC Repair Support Video

Monday, August 4, 2008

MintDNS 2006 Tutorials

MintDNS 2006 is a fully featured server suite that allows you to run your own enterprise level DDNS Server.

MintDNS supports both Dynamic and Static DNS, as well as several standard update protocols, which enables support for many existing third-party IP address update clients and many hardware (firmware) clients. This allows you to provide time-tested, reliable Dynamic DNS services to almost all internet-connected computers, or even remote cameras.

MintDNS is completely template based, so the look and feel of your DNS service can easily be adapted to match your existing website or modified to suit your specific needs.

We have provided Dynamic DNS solutions for more than 5 years. MintDNS 2006 Enterprise is our latest product and is also the most dependable, feature-rich and scalable product we have ever offered.

If you're interested in custom development, you may like to know that MintDNS is almost completely open sourced, allowing you to easily expand on the existing system to meet any special needs your company may have. The advantage of having an established, time-tested platform to build on could save months of development time.

The all new web based administration console gives you instant access to advanced user management features, statistics charts, accounting features and complete control over server settings.

Tuesday, July 29, 2008

Dynamic Host Configuration Protocol (DHCP) Tutorials

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked devices (clients) to obtain the parameters necessary for operation in an Internet Protocol network. This protocol reduces system administration workload, allowing devices to be added to the network with little or no manual configurations.

Dynamic Host Configuration Protocol is a way to manage network parameter assignment from a single DHCP server, or a group of DHCP servers arranged in a fault-tolerant manner. Even in small networks, Dynamic Host Configuration Protocol is useful because it can make it easy to add new machines to the local network.

DHCP is also recommended even in the case of servers whose addresses rarely change, so that if a server needs to be readdressed (RFC 2071), changes can be made in as few places as possible. For devices such as routers and firewalls, that should not use DHCP, it can be useful to put Trivial File Transfer Protocol (TFTP) or SSH servers on the same machine that runs DHCP, which also serves to centralize administration.

DHCP can be used to assign addresses directly to servers and desktop machines, and, through a Point-to-Point Protocol (PPP) proxy, to dialup and broadband on-demand hosts, as well as for residential Network address translation (NAT) gateways and routers. DHCP is generally not appropriate for infrastructure such as non-edge routers and DNS servers.

Wednesday, July 23, 2008

E-mail hosting service

An email hosting service is an Internet hosting service that runs email servers.

Email hosting services usually offer premium email at a cost as opposed to advertising supported free email or free webmail. Email hosting services thus differ from typical end-user email providers such as webmail sites. They cater mostly to demanding email users and Small and Mid Size (SME) businesses, while larger enterprises usually run their own email hosting service. Email hosting providers allow for premium email services along with custom configurations and large number of accounts. In addition, hosting providers manage user's own domain name, including any email authentication scheme that the domain owner wishes to enforce in order to convey the meaning that using a specific domain name identifies and qualifies email senders.

Most email hosting providers offer advanced premium email solutions hosted on dedicated custom email platforms. The technology and offerings of different email hosting providers can therefore vary with different needs. Email offered by most webhosting companies is usually more basic standardized POP3 based email and webmail based on open source webmail applications like Horde or Squirrelmail. Almost all webhosting providers offer standard basic email while not all email hosting providers offer webhosting.

Thursday, July 17, 2008

Email Troubleshooting Tutorial

Email seems simple, but email delivery can fail at any number of places in its journey from the MUA (mail user agent) of the sender to the MUAs of the intended recipients. Delivery may be delayed in a mail queue somewhere in the network cloud, may fail because the email was deleted by a spam filter or rejected for being over file-size limits or having the wrong MIME type content... or the user may be embarrassed to realize that the email that mysteriously vanished is still sitting in their outbox.

Messages sent to mailing lists can be unexpectedly rejected or sent to moderation queues because the sender doesn't understand posting rules, which can vary from list to list and depend on how the sender is classified by each mailing list. Generally, the privilege of direct posting is limited to certain classes of known users to protect the list from spam. Users may think something is wrong when they are unable to post directly to a list when they are actually using a different account from the one under which the posting privileges were granted.

The need to troubleshoot email isn't limited to apparent delivery failure or delays. Sometimes users receive automated email messages they don't understand, or sometimes inappropriate messages get posted to a list.

The existence of so many variables yields so many potential failure points that even though email seems simple in principle, troubleshooting email is an inherently complex process. In the interests of empowering everyone in the online community who would like to understand more about email and possibly troubleshoot email themselves, this documentation addresses a wide audience from users experiencing issues when posting to a mailing list to mailing list administrators and site managers. It covers a broad range of topics specific to troubleshooting email but references material scattered throughout the Concepts, Appendix and Tools page help. The purpose of this introduction is to help you get a bird's-eye view of the available documentation, some suggestions as to what might be of most interest to you (depending on whether you are a website user or administrator), plus some pointers that we hope will guide you along the fastest path to the information you need to resolve your issue.

Tuesday, July 8, 2008

E-mail hosting service

An email hosting service is an Internet hosting service that runs email servers.

Email hosting services usually offer premium email at a cost as opposed to advertising supported free email or free webmail. Email hosting services thus differ from typical end-user email providers such as webmail sites. They cater mostly to demanding email users and Small and Mid Size (SME) businesses, while larger enterprises usually run their own email hosting service. Email hosting providers allow for premium email services and Email Support along with custom configurations and large number of accounts. In addition, hosting providers manage user's own domain name, including any email authentication scheme that the domain owner wishes to enforce in order to convey the meaning that using a specific domain name identifies and qualifies email senders.

Most email hosting providers offer advanced premium email solutions hosted on dedicated custom email platforms. The technology and offerings of different email hosting providers can therefore vary with different needs. Email offered by most webhosting companies is usually more basic standardized POP3 based email and webmail based on open source webmail applications like Horde or Squirrelmail. Almost all webhosting providers offer standard basic email while not all email hosting providers offer webhosting.

Thursday, June 26, 2008

DNS hosting service

A DNS hosting service is a service that runs Domain Name System servers. Most, but not all, domain name registrars include DNS hosting service with registration. Free DNS hosting services also exist. Almost all DNS hosting services are "shared"; except for the most popular Internet sites, there is no need to dedicate a server to hosting DNS for a single website. Many third-party DNS hosting services provide Dynamic DNS.

DNS hosting service is better when the provider has multiple servers in various geographic locations that minimize latency for clients around the world.

DNS can also be self-hosted by running DNS software on generic Internet hosting services.

Monday, June 16, 2008

Dynamic DNS and NAT

There has been tremendous growth in the use of Network Address Translation (NAT) functionality. These devices include Windows machines running Internet Connection Sharing, included in Windows 98SE/Me/2000/XP, or other similar software such as Sygate Home Network. NAT software is also included in most open-source operating systems such as Linux (IP masquerading) or FreeBSD (natd), and is available for other platforms, such as Vicomsoft's Internet Gateway for Macs. More recently, we have seen hardware devices, often referred to as "routers", implementing NAT functionality, such as the Linksys routers, the Netgear Internet Gateway Routers, or the Nexland ISB line.

Many users of various NAT implementations then wonder if it is still possible to use dynamic DNS technology, as implemented in our Dynamic DNS and Custom DNS services, when using NAT. By itself, NAT does not affect dynamic DNS that much, but it does have significant impact on the operation of servers, which is the primary motive for the use of dynamic DNS technology. This white paper will discuss these issues and, whenever possible, make recommendations as to how they can be dealt with. Please note that we do not endorse or provide support for any third-party products that may be mentioned in this article. Also, please note that our discussion of NAT will be limited to the type of NAT where one or more private IPs are converted to one public IP: there are other types of NAT out there, but they are not commonly used in the residential, home office, or small business market.

There are two main challenges involved with using NAT and operating servers with the help of dynamic DNS: ensuring that traffic actually makes it through the NAT and then ensuring that the dynamic DNS hostname/domain is properly updated.

Tuesday, June 10, 2008

The Structure of a Domain Name

A domain name always has two or more parts separated by dots and typically consists of some form of an organization's name and a three letter or more suffix. For example, the domain name for IBM is "ibm.com"; the United Nations is "un.org."

The domain name suffix is known as a generic top-level domain (gTLD) and it describes the type of organization. However, in the last few years, the lines have blurred somewhat between these categories. The gTLDs currently in use are:

.aero--For the air-transport industry

.biz--Reserved for businesses

.com--For businesses, commercial enterprises, or online services like America Online. Most companies use this extension.

.coop--Reserved for cooperatives

.edu--For educational institutions and universities

.gov--Reserved for United States government agencies

.info--For all uses

.int--For organizations established by international treaties

.mil--For the United States military

.museum--For use by museums

.name--For use by individuals

.net--For networks; usually reserved for organizations such as Internet service providers

.org--For non-commercial organizations

.pro--For use by professionals, such as attorneys and physicians

ICANN, the Internet Corporation for Assigned Names and Numbers, manages the Domain Name System. For the latest news, visit the ICANN website. The more popular TLDs (.com, .net, .org, .biz, .info, .name) are available to the general public for registration of domain names.

Tuesday, May 6, 2008

Windows Server 2003

Windows Server 2003 (also referred to as Win2K3) is a server operating system produced by Microsoft. Introduced on April 24, 2003 as the successor to Windows 2000 Server, it is considered by Microsoft to be the cornerstone of their Windows Server System line of business server products. An updated version, Windows Server 2003 R2 was released to manufacturing on 6 December 2005. Its successor, Windows Server 2008, was released on February 4, 2008.

Released on April 24, 2003, Windows Server 2003 (which carries the version number 5.2) is the follow-up to Windows 2000 Server, incorporating compatibility and other features from Windows XP. Unlike Windows 2000 Server, Windows Server 2003's default installation has none of the server components enabled, to reduce the attack surface of new machines. Windows Server 2003 includes compatibility modes to allow older applications to run with greater stability. It was made more compatible with Windows NT 4.0 domain-based networking. Incorporating and upgrading a Windows NT 4.0 domain to Windows 2000 was considered difficult and time-consuming, and generally was considered an all-or-nothing upgrade, particularly when dealing with Active Directory. Windows Server 2003 brought in enhanced Active Directory compatibility, and better deployment support, to ease the transition from Windows NT 4.0 to Windows Server 2003 and Windows XP Professional.

Changes to various services include those to the IIS web server, which was almost completely rewritten to improve performance and security, Distributed File System, which now supports hosting multiple DFS roots on a single server, Terminal Server, Active Directory, Print Server, and a number of other areas. Windows Server 2003 was also the first operating system released by Microsoft after the announcement of their Trustworthy Computing initiative, and as a result, contains a number of changes to security defaults and practices.

The product went through several name changes during the course of development. When first announced in 2000, it was known by its codename, "Whistler Server"; it was then named "Windows 2002 Server" for a brief time in mid-2001, before being renamed "Windows .NET Server" as part of Microsoft's effort to promote their new integrated enterprise and development framework, Microsoft .NET. It was later renamed to "Windows .NET Server 2003". Due to fears of confusing the market about what ".NET" represents and responding to criticism, Microsoft removed .NET from the name during the Release Candidate stage in late-2002. This allowed the name .NET to exclusively apply to the .NET Framework, as previously it had appeared that .NET was just a tag for a generation of Microsoft products.

Friday, May 2, 2008

Microsoft Domain Name System (MDNS)

Microsoft DNS is the name given to the implementation of domain name system services provided in Microsoft Windows operating systems.

The Domain Name System support in Microsoft Windows NT, and thus its derivatives Windows 2000, Windows XP, and Windows Server 2003, comprises two clients and a server. Every Microsoft Windows machine has a DNS lookup client, to perform ordinary DNS lookups. Some machines have a Dynamic DNS Update client, to perform Dynamic DNS Update transactions, registering the machines' names and IP addresses. Some machines run a DNS server, to publish DNS data, to service DNS lookup requests from DNS lookup clients, and to service DNS update requests from DNS update clients.

The server software is only supplied with the server versions of Windows.

Monday, April 28, 2008

DNS hosting service

Dynamic DNS is a service that runs Domain Name System servers. Most, but not all, domain name registrars include DNS hosting service with registration. Free DNS hosting services also exist. Almost all DNS hosting services are "shared"; except for the most popular Internet sites, there is no need to dedicate a server to hosting DNS for a single website. Many third-party DNS hosting services provide Dynamic DNS and Computer Technical Support.

DNS hosting service is better when the provider has multiple servers in various geographic locations that minimize latency for clients around the world.

DNS can also be self-hosted by running DNS software on generic Internet hosting services.

Free DNS

A number of sites offer free DNS hosting, either for second level domains registered with registrars which do not offer free (or sufficiently flexible) DNS service, or as third level domains (selection.somedomain.com). These services generally also offer Dynamic DNS. In many cases the free services can be upgraded with various premium services.

Sunday, April 20, 2008

Configuring Logging for the DNS Server

There are several categories that log messages fall into. For instance, all queries fall into the "queries" category, all notify messages fall into the "notify" category, and so on. We are interested in the "dnssec", the "update" and the "security" categories.

The messages for every category are channeled into files or through syslog. The channel phrase can be used to specify which severity level should be logged, what the format of the log message should be, what extra information should be logged, where it should be logged, how many versions should be kept, and how large the log file may grow.

For this setup we will log all of the above categories in one place:

logging {
    category dnssec   { security_log; };
    category update   { security_log; };
    category security { security_log; };
 
    channel security_log {
        file "dns-security.log" versions 5 size 20m;
            // every time the log grows over 20 Mbyte, it will
            // backup and rollover. Maximum 5 backups will be kept.
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
};
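With print-time, print-category and print-severity enabled, each line in dns-security.log starts with a timestamp, the category and the severity, which makes the file straightforward to triage. The following is an added example, not part of the original configuration guide: the sample log lines are constructed, their message wording is modelled on BIND 9 and varies by version, and the threshold of three denials is an arbitrary assumption.

```python
import re
from collections import Counter
from datetime import datetime

# "<dd-Mon-yyyy hh:mm:ss.mmm> <category>: <severity>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[a-z-]+): (?P<severity>[a-z]+): (?P<message>.*)$"
)
# Client-related messages begin with "client <ip>#<port>"; newer BIND releases
# put an "@0x..." object address before the IP, so that part is optional.
CLIENT_RE = re.compile(r"^client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f:.]+)#\d+")

# Constructed sample of what the security_log channel might contain.
SAMPLE_LOG = """\
07-Apr-2008 09:12:01.104 update: info: client 192.0.2.10#49152: updating zone 'example.com/IN': adding an RR at 'host1.example.com' A
07-Apr-2008 09:12:07.551 security: info: client 198.51.100.7#53211: query (cache) 'example.org/A/IN' denied
07-Apr-2008 09:12:08.013 security: error: client 198.51.100.7#53212: zone transfer 'example.com/AXFR/IN' denied
07-Apr-2008 09:12:09.240 security: error: client 198.51.100.7#53213: zone transfer 'example.com/AXFR/IN' denied
07-Apr-2008 09:13:30.002 dnssec: info: validating example.net/A: no valid signature found
07-Apr-2008 09:14:11.870 security: error: client 203.0.113.40#40001: zone transfer 'example.com/AXFR/IN' denied
this line is truncated and will not parse
07-Apr-2008 09:15:45.377 security: info: client 198.51.100.7#53214: query (cache) 'example.org/MX/IN' denied
"""


def parse_line(line):
    """Split one log line into timestamp, category, severity, message and client IP."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    record = match.groupdict()
    record["ts"] = datetime.strptime(record["ts"], "%d-%b-%Y %H:%M:%S.%f")
    client = CLIENT_RE.match(record["message"])
    record["client"] = client.group("ip") if client else None
    return record


def triage(lines, threshold=3):
    """Count messages per category and flag clients with repeated denials."""
    by_category = Counter()
    denied = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            unparsed += 1
            continue
        by_category[record["category"]] += 1
        if record["client"] and record["message"].endswith("denied"):
            denied[record["client"]] += 1
    flagged = sorted(ip for ip, count in denied.items() if count >= threshold)
    return {"by_category": dict(by_category), "denied": dict(denied),
            "flagged": flagged, "unparsed": unparsed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, value)
```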

Source ops.ietf.org

Tuesday, April 15, 2008

What are DNS resolvers

A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

A DNS query may be either a recursive query or a non-recursive query:

  • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
  • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.

The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.
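The "bits in the query headers" are the RD (recursion desired) and RA (recursion available) flags of the 12-byte DNS header defined in RFC 1035. The following added example, which is not part of the original post, builds a query with or without RD and classifies a response from its header alone; the response packets are constructed, and the referral test is a header-only heuristic.

```python
import struct

# Bit masks within the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR = 0x8000  # set in responses, clear in queries
AA = 0x0400  # Authoritative Answer
RD = 0x0100  # Recursion Desired: set by the client, copied into the response
RA = 0x0080  # Recursion Available: set by a server that offers recursion
RCODE_MASK = 0x000F
RCODES = {1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(name, txid, recursive=True, qtype=1):
    """Build a one-question query (QTYPE 1 = A, QCLASS 1 = IN)."""
    flags = RD if recursive else 0
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)


def parse_header(packet):
    """Decode the fixed header fields that matter for the recursion decision."""
    if len(packet) < 12:
        raise ValueError("a DNS header is 12 bytes")
    txid, flags, _qd, ancount, nscount, _ar = struct.unpack("!6H", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "ancount": ancount, "nscount": nscount}


def classify_response(query, response):
    """Describe how the server handled the query, judging by header fields only."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"  # not a response, or not a response to this query
    if r["rcode"]:
        return "error:" + RCODES.get(r["rcode"], str(r["rcode"]))
    if r["ancount"]:
        return "answered"
    recursed = q["rd"] and r["ra"]
    if r["nscount"] and not r["aa"] and not recursed:
        return "referral"  # partial answer: the resolver must ask the next server itself
    return "no-data"


def constructed_response(txid, flags, ancount=0, nscount=0):
    """Constructed header-only response used to exercise classify_response."""
    return struct.pack("!6H", txid, flags, 1, ancount, nscount, 0)


if __name__ == "__main__":
    recursive_q = build_query("www.example.com", 0x1A2B)
    iterative_q = build_query("www.example.com", 0x1A2C, recursive=False)
    print(classify_response(recursive_q, constructed_response(0x1A2B, QR | RD | RA, ancount=1)))
    print(classify_response(iterative_q, constructed_response(0x1A2C, QR, nscount=2)))
```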

Thursday, April 10, 2008

Domain Name System Security Extensions (DNSSEC)

The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):

  • Origin authentication of DNS data.
  • Data integrity.
  • Authenticated denial of existence.

It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:

  1. Devising a backward-compatible standard that can scale to the size of the Internet.
  2. Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients).
  3. Squabbling among key players, none of whom agree on who should own the .com (etc) root keys

IP-based networks, including the Internet, route information between computers based on their IP address, a multi-byte number (4 bytes in IP version 4, 16 bytes in IP version 6). Directly using these numbers would cause many problems, so DNS is a critical service of such networks. DNS accepts a domain name (such as www.wikipedia.org) and responds with information about that name, such as its matching IP address. DNS can also perform reverse look-ups (given an IP address, return the corresponding name). DNS is implemented as a distributed system, for scalability. (For more information, see Domain Name System.) Unfortunately, DNS was not designed to be secure.

There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. A Request for Comments document, RFC 3833, attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in DNS. RFC 4398 describes how to distribute certificates via DNS, including those for email, making it possible to use DNSSEC as a world-wide public key infrastructure for email.


DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties). Other standards (not DNSSEC) are used to secure bulk data (such as a zone transfer) sent between DNS servers. As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot cure false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.


Source: en.wikipedia.org

Monday, April 7, 2008

Domain Name System Client Behavior in Windows Vista

Microsoft® Windows Vista™ includes both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocol stacks that are installed and enabled by default. Domain Name System (DNS) name queries and registrations can now involve both IPv4 address records (A records) and IPv6 address records (AAAA records). This article describes the behavior of the DNS Client service in Windows Vista for DNS queries and registrations and the possible impact on DNS traffic.

Note: This article does not describe changes to DNS client behavior in versions of Windows released after Windows Vista with Service Pack 1 and Windows Server 2008, including additional service packs or other updates.

DNS Query Behavior

Computers running Windows Vista need to perform both A and AAAA queries to determine the best method of connectivity to the desired endpoint. By obtaining both IPv4 and IPv6 addresses, there is an increased chance of being able to access the desired endpoint if one of the addresses is unreachable.

The DNS Client service in Windows Vista has been designed to minimize the impact on DNS servers when performing DNS name queries through the following behavior:

· If the host has only link-local or Teredo IPv6 addresses assigned, the DNS Client service sends a single query for A records.

· If the host has at least one IPv6 address assigned that is not a link-local or Teredo address, the DNS Client service sends a DNS query for A records and then a separate DNS query to the same DNS server for AAAA records. If an A record query times out or has an error (other than name not found), the corresponding AAAA record query is not sent.

This DNS querying behavior will assist enterprises and ISPs in their transition to IPv6. When AAAA records are added to DNS either manually or through DNS dynamic update, computers running Windows Vista will by default use IPv6 over IPv4, providing proof to IT staff that the IPv6 routing and name resolution infrastructure is working properly for IPv6 connectivity. When organizations transition to an IPv6-only infrastructure and disable IPv4, the DNS Client service will send only AAAA queries.

Computers running Windows Vista can increase DNS traffic and the load on DNS servers when the computers have been configured with a global address:

· On intranets that have deployed IPv6 (either native or ISATAP), there will be additional DNS query traffic. However, deployments of Windows Vista in enterprise networks using IPv6 have not resulted in dramatic increases in the loads on intranet DNS servers. Intranets running at or near capacity for DNS might need to provide additional capacity to better support an enterprise deployment of Windows Vista.

· On the Internet, computers running Windows Vista by default will typically not be configured with a global address from their ISPs or from their gateway devices. At this time, typical ISPs do not support native IPv6 connectivity and typical home routers do not support the 6to4 transition technology. If a computer running Windows Vista is located behind a network address translator (NAT), the Teredo client component will automatically configure a global Teredo address, even if it is in an inactive state. However, a computer running Windows Vista will not send AAAA record queries if it only has a Teredo address assigned.
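The query rules above can be turned into a small model for estimating how many A and AAAA queries a set of hosts generates per name lookup. This is an added example, not Microsoft code: the function names, the outcome labels, the host inventory, and the choice to treat a host with no IPv4 address as "IPv4 disabled" are all assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

TEREDO = ip_network("2001::/32")   # Teredo prefix (RFC 4380)

def queries_for(addresses, a_outcome="answer"):
    """Record types one name lookup generates, following the article's rules.

    a_outcome is the result of the A query: "answer", "name_not_found",
    "timeout" or "error" (labels chosen for this example).
    """
    addrs = [ip_address(a) for a in addresses]
    v6 = [a for a in addrs if a.version == 6]
    # IPv6 addresses that are neither link-local nor Teredo
    other_v6 = [a for a in v6 if not a.is_link_local and a not in TEREDO]
    if not any(a.version == 4 for a in addrs):
        return ["AAAA"]            # assumption: no IPv4 address = IPv4 disabled
    if not other_v6:
        return ["A"]               # only link-local/Teredo (or no) IPv6
    if a_outcome in ("timeout", "error"):
        return ["A"]               # failed A query suppresses the AAAA query
    return ["A", "AAAA"]           # "name not found" still allows AAAA

# Constructed inventory: interface addresses per host.
HOSTS = {
    "vista-home": ["192.168.0.51", "fe80::1c2d:3e4f:5a6b:7c8d",
                   "2001:0:4137:9e76:2c6f:1ab4:3f57:fffe"],   # Teredo only
    "vista-intranet": ["10.1.2.3", "fe80::25", "2001:db8:10::25"],
    "vista-v6only": ["fe80::a1", "2001:db8:20::a1"],
}

def fleet_load(hosts):
    """Total queries per record type when every host resolves one name."""
    load = Counter()
    for addrs in hosts.values():
        load.update(queries_for(addrs))
    return dict(load)

if __name__ == "__main__":
    for host, addrs in HOSTS.items():
        print(host, queries_for(addrs))
    print(fleet_load(HOSTS))
```
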

DNS Registration Behavior

The DNS Client service in Windows Vista uses DNS dynamic update and attempts to register the following records:

· A records for all IPv4 addresses assigned to the interfaces that are configured with a DNS server

· Pointer (PTR) records for IPv4 addresses assigned to interfaces that are configured with a DNS server

· AAAA records for all global IPv6 addresses assigned to interfaces that are configured with a DNS server

Teredo addresses are not registered.

For the typical intranet host configured with a global IPv6 address, additional AAAA records for IPv6 global addresses are registered. However, a DNS dynamic update client includes all of the records that it is registering in a single packet. Therefore, although there are additional records to register, there are no additional packets for AAAA record registration, and the impact on intranet DNS servers for AAAA registration is minimal.

Typical Internet-based DNS servers do not support DNS dynamic update. However, if an Internet-based DNS server did support DNS dynamic update, there is typically no additional traffic because the typical Windows Vista-based Internet host does not have a global IPv6 address assigned and Teredo addresses are not registered. Therefore, for typical Windows Vista-based hosts on today's Internet, there is no performance impact on Internet DNS servers for DNS registration.


source technet.microsoft.com

Wednesday, April 2, 2008

What is Fast flux DNS

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load-balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.

Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on MySpace.

While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.

Single-flux and double-flux

The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.
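From the defender's side, both patterns show up in passive DNS data as short TTLs combined with an answer set that keeps changing and is spread over unrelated networks. The following is an added example, not part of the original article: the thresholds, the use of /16 prefixes as a stand-in for network ownership, and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Thresholds are assumptions for this example, not values from the article.
MAX_TTL = 300        # upper bound for a "very short" TTL, in seconds
MIN_ADDRESSES = 5    # distinct addresses seen across all snapshots
MIN_NETWORKS = 3     # distinct /16 networks those addresses fall in
MIN_TURNOVER = 2.0   # distinct addresses / size of the largest single answer

def flux_report(observations):
    """Score each (name, rtype) found in (time, name, rtype, ttl, ip) rows."""
    snaps = defaultdict(lambda: defaultdict(set))   # key -> time -> {ip}
    ttls = defaultdict(list)
    for when, name, rtype, ttl, ip in observations:
        snaps[(name, rtype)][when].add(ip)
        ttls[(name, rtype)].append(ttl)
    report = {}
    for key, by_time in snaps.items():
        seen = set().union(*by_time.values())
        nets = {ip_network(f"{ip}/16", strict=False) for ip in seen}
        turnover = len(seen) / max(len(s) for s in by_time.values())
        suspect = (max(ttls[key]) <= MAX_TTL and len(seen) >= MIN_ADDRESSES
                   and len(nets) >= MIN_NETWORKS and turnover >= MIN_TURNOVER)
        report[key] = {"addresses": len(seen), "networks": len(nets),
                       "max_ttl": max(ttls[key]), "turnover": turnover,
                       "suspect": suspect}
    return report

def _rows(name, rtype, ttl, answers):
    return [(t, name, rtype, ttl, ip) for t, ips in answers.items() for ip in ips]

# Constructed passive-DNS sample (documentation address ranges). For NS rows
# the address is the resolved IP of a listed name server.
STABLE = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
OBSERVATIONS = (
    _rows("login.flux.example", "A", 120, {
        0: ["192.0.2.10", "198.51.100.20"], 300: ["203.0.113.30", "192.0.2.40"],
        600: ["198.51.100.50", "203.0.113.60"]})
    + _rows("flux.example", "NS", 180, {
        0: ["203.0.113.5", "192.0.2.6"], 300: ["198.51.100.7", "203.0.113.8"],
        600: ["192.0.2.9", "198.51.100.11"]})
    + _rows("www.shop.example", "A", 60, {0: STABLE, 300: STABLE, 600: STABLE})
    + _rows("mail.corp.example", "A", 86400, {0: ["192.0.2.25"], 600: ["192.0.2.25"]})
)

if __name__ == "__main__":
    for (name, rtype), row in flux_report(OBSERVATIONS).items():
        print(name, rtype, row)
```

Legitimate round-robin services with short TTLs can come close to these thresholds, so a flagged name is a lead for review rather than a verdict.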

Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy. This method prevents some of the traditionally best defense mechanisms, such as IP-based ACLs, from working. The method can also mask the attackers' systems, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place.


source en.wikipedia.org

Thursday, March 27, 2008

Standard Dynamic DNS Domains

Dynamic DNS hostnames are available in the following domains:



  • ath.cx
  • blogdns.com
  • blogdns.net
  • blogdns.org
  • blogsite.org
  • boldlygoingnowhere.org
  • dnsalias.com
  • dnsalias.net
  • dnsalias.org
  • dnsdojo.com
  • dnsdojo.net
  • dnsdojo.org
  • doesntexist.com
  • doesntexist.org
  • dontexist.com
  • dontexist.net
  • dontexist.org
  • dvrdns.org
  • dyn-o-saur.com
  • dynalias.com
  • dynalias.net
  • dynalias.org
  • dyndns.biz
  • dyndns.info
  • dyndns.org
  • dyndns.tv
  • dyndns.ws
  • endofinternet.net
  • endofinternet.org
  • endoftheinternet.org
  • ftpaccess.cc
  • game-host.org
  • game-server.cc
  • getmyip.com
  • go.dyndns.org
  • gotdns.com
  • gotdns.org
  • ham-radio-op.net
  • hobby-site.com
  • hobby-site.org
  • home.dyndns.org
  • homedns.org
  • homeftp.net
  • homeftp.org
  • homeip.net
  • homelinux.com
  • homelinux.net
  • homelinux.org
  • homeunix.com
  • homeunix.net
  • homeunix.org
  • is-a-chef.com
  • is-a-chef.net
  • is-a-chef.org
  • is-a-geek.com
  • is-a-geek.net
  • is-a-geek.org
  • isa-geek.com
  • isa-geek.net
  • isa-geek.org
  • kicks-ass.net
  • kicks-ass.org
  • merseine.nu
  • mine.nu
  • mypets.ws
  • myphotos.cc
  • office-on-the.net
  • podzone.net
  • podzone.org
  • scrapper-site.net
  • scrapping.cc
  • selfip.biz
  • selfip.com
  • selfip.info
  • selfip.net
  • selfip.org
  • servebbs.com
  • servebbs.net
  • servebbs.org
  • serveftp.net
  • serveftp.org
  • servegame.org
  • shacknet.nu
  • thruhere.net
  • webhop.biz
  • webhop.info
  • webhop.net
  • webhop.org