Monday, April 28, 2008

DNS hosting service

Dynamic DNS is a service that runs Domain Name System servers. Most, but not all, domain name registrars include DNS hosting service with registration. Free DNS hosting services also exist. Almost all DNS hosting services are "shared"; except for the most popular Internet sites, there is no need to dedicate a server to hosting DNS for a single website. Many third-party DNS hosting services provide Dynamic DNS and Computer Technical Support.

DNS hosting service is better when the provider has multiple servers in various geographic locations that minimize latency for clients around the world.

DNS can also be self-hosted by running DNS software on a generic Internet hosting service.

Free DNS

A number of sites offer free DNS hosting, either for second-level domains registered with registrars which do not offer free (or sufficiently flexible) DNS service, or as third-level domains (selection.somedomain.com). These services generally also offer Dynamic DNS. In many cases the free services can be upgraded with various premium services.

Sunday, April 20, 2008

Configuring Logging for the DNS Server

There are several categories that log messages fall into. For instance, all queries fall into the "queries" category, all notify messages fall into the "notify" category, and so on. We are interested in the "dnssec", the "update" and the "security" categories.

The messages for every category are channeled into files or through syslog. The channel phrase specifies which severity level is logged, the format of the log message, what extra information is logged, where it is logged, how many versions are kept, and how large the log file may grow before it is rolled over.

For this setup we will log all above categories in one place:

logging {
    category dnssec   { security_log; };
    category update   { security_log; };
    category security { security_log; };

    channel security_log {
        // every time the log grows over 20 Mbyte, it will
        // back up and roll over. Maximum 5 backups will be kept.
        file "dns-security.log" versions 5 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
};
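With print-time, print-category and print-severity all enabled, every line in dns-security.log starts with a timestamp, the category and the severity. The following parser is an added example, not part of the original post or of BIND: it reads lines in that layout, counts messages per category, tallies denied queries and updates per client address, and flags DNSSEC validation failures. The sample log lines are constructed for this illustration and the message texts are illustrative only.

```python
import re
from collections import Counter

# Line layout produced by the channel above with print-time, print-category
# and print-severity all set to yes:
#   <dd-Mon-yyyy HH:MM:SS.mmm> <category>: <severity>: <message>
LINE_RE = re.compile(r"^(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
                     r"(?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+")

# Constructed sample of dns-security.log; the message texts are illustrative,
# not copied from any particular BIND version.
SAMPLE_LOG = """\
28-Apr-2008 09:12:01.004 security: info: client 192.0.2.10#53124: query (cache) 'example.com/A/IN' denied
28-Apr-2008 09:12:05.221 update: info: client 192.0.2.20#40000: updating zone 'example.com/IN': adding an RR at 'host.example.com' A
28-Apr-2008 09:12:06.113 security: info: client 203.0.113.5#1025: update 'example.com/IN' denied
28-Apr-2008 09:13:40.900 dnssec: info: validating example.com/SOA: no valid signature found
28-Apr-2008 09:13:41.000 security: info: client 203.0.113.5#1026: update 'example.com/IN' denied
this line is not in the channel's format
"""

def parse_line(line):
    """Split one log line into time, category, severity, message and client IP."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    client = CLIENT_RE.search(rec["msg"])
    rec["client"] = client.group("ip") if client else None
    return rec

def report(text):
    """Count messages per category, denied requests per client and DNSSEC
    validation failures; lines that do not parse are counted, not dropped."""
    by_category, denied_by_client = Counter(), Counter()
    dnssec_failures = unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_category[rec["category"]] += 1
        if "denied" in rec["msg"] and rec["client"]:
            denied_by_client[rec["client"]] += 1
        if rec["category"] == "dnssec" and "no valid signature" in rec["msg"]:
            dnssec_failures += 1
    return {"by_category": by_category, "denied_by_client": denied_by_client,
            "dnssec_failures": dnssec_failures, "unparsed": unparsed}
```

A client that accumulates many denied updates is the first thing to look at when reviewing this log.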

This blog helps with working with Dynamic DNS. What I want to share here with you is my experience of sharing the DNS server configuration and providing computer support assistance. The most common use for this is in allowing an Internet domain name to be assigned to a computer with a varying (dynamic) IP address.

Source: ops.ietf.org

Tuesday, April 15, 2008

What are DNS resolvers

A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

A DNS query may be either a recursive query or a non-recursive query:

  • A non-recursive query is one where the DNS server may provide a partial answer to the query (or give an error). DNS servers must support non-recursive queries.
  • A recursive query is one where the DNS server will fully answer the query (or give an error). DNS servers are not required to support recursive queries.

The resolver (or another DNS server acting recursively on behalf of the resolver) negotiates use of recursive service using bits in the query headers.

Resolving usually entails iterating through several name servers to find the needed information. However, some resolvers function simplistically and can only communicate with a single name server. These simple resolvers rely on a recursive query to a recursive name server to perform the work of finding information for them.
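The "bits in the query headers" mentioned above are the RD (recursion desired) flag the resolver sets and the RA (recursion available) flag the server answers with. The following is an added example, not code from the original post: it builds a wire-format query with RD set or clear, decodes the header flags of a reply, and reads off whether the server gave recursive service or only a referral. The two reply headers are constructed for the illustration.

```python
import struct

# Header flag bits (RFC 1035): QR, AA, TC, RD, RA; the low 4 bits are RCODE
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080

def build_query(name, qid=0x1234, recursion_desired=True):
    """Wire-format A/IN query; setting RD asks the server for recursive service."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the 12-byte header into its flags and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def describe(hdr):
    """What a stub resolver learns from the reply header to a query that set RD."""
    if hdr["rcode"] != 0:
        return "error rcode %d" % hdr["rcode"]
    if hdr["rd"] and hdr["ra"] and hdr["ancount"]:
        return "recursive service: full answer"
    if hdr["ancount"] == 0 and hdr["nscount"]:
        return "non-recursive service: referral to other name servers (partial answer)"
    return "authoritative answer" if hdr["aa"] else "answer"

# Constructed reply headers (question/answer sections omitted for this check)
REFERRAL = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 2, 2)        # RA clear, 2 NS records
RECURSIVE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)  # RA set, 1 answer
```

A simple resolver that only talks to one server must see RA set in replies like RECURSIVE; a REFERRAL-style reply leaves it with no answer to use.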

Thursday, April 10, 2008

Domain Name System Security Extensions (DNSSEC)

The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):

  • Origin authentication of DNS data.
  • Data integrity.
  • Authenticated denial of existence.

It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:

  1. Devising a backward-compatible standard that can scale to the size of the Internet.
  2. Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients).
  3. Squabbling among key players, none of whom agree on who should own the .com (etc.) root keys.

IP-based networks, including the Internet, route information between computers based on their IP address, a multi-byte number (4 bytes in IP version 4, 16 bytes in IP version 6). Directly using these numbers would cause many problems, so DNS is a critical service of such networks. DNS accepts a domain name (such as www.wikipedia.org) and responds with information about that name, such as its matching IP address. DNS can also perform reverse look-ups (given an IP address, return the corresponding name). DNS is implemented as a distributed system, for scalability. (For more information, see Domain Name System.) Unfortunately, DNS was not designed to be secure.

There are several distinct classes of threats to the DNS, most of which are DNS-related instances of more general problems, but a few of which are specific to peculiarities of the DNS protocol. A Request for Comments document, RFC 3833, attempts to document some of the known threats to the DNS, and, in doing so, attempts to measure to what extent DNSSEC is a useful tool in defending against these threats.

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check whether the information is identical (correct and complete) to the information on the authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect other information such as general-purpose cryptographic certificates stored in DNS. RFC 4398 describes how to distribute certificates via DNS, including those for email, making it possible to use DNSSEC as a world-wide public key infrastructure for email.


DNSSEC does not provide confidentiality of data, in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties). Other standards (not DNSSEC) are used to secure bulk data (such as a zone transfer) sent between DNS servers. As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot cure false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.

Source: en.wikipedia.org

Monday, April 7, 2008

Domain Name System Client Behavior in Windows Vista

Microsoft® Windows Vista™ includes both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocol stacks that are installed and enabled by default. Domain Name System (DNS) name queries and registrations can now involve both IPv4 address records (A records) and IPv6 address records (AAAA records). This article describes the behavior of the DNS Client service in Windows Vista for DNS queries and registrations and the possible impact on DNS traffic.

Note: This article does not describe changes to DNS client behavior in versions of Windows released after Windows Vista with Service Pack 1 and Windows Server 2008, including additional service packs or other updates.

DNS Query Behavior

Computers running Windows Vista need to perform both A and AAAA queries to determine the best method of connectivity to the desired endpoint. By obtaining both IPv4 and IPv6 addresses, there is an increased chance of being able to access the desired endpoint if one of the addresses is unreachable.

The DNS Client service in Windows Vista has been designed to minimize the impact on DNS servers when performing DNS name queries through the following behavior:

· If the host has only link-local or Teredo IPv6 addresses assigned, the DNS Client service sends a single query for A records.

· If the host has at least one IPv6 address assigned that is not a link-local or Teredo address, the DNS Client service sends a DNS query for A records and then a separate DNS query to the same DNS server for AAAA records. If an A record query times out or has an error (other than name not found), the corresponding AAAA record query is not sent.

This DNS querying behavior will assist enterprises and ISPs in their transition to IPv6. When AAAA records are added to DNS either manually or through DNS dynamic update, computers running Windows Vista will by default use IPv6 over IPv4, providing proof to IT staff that the IPv6 routing and name resolution infrastructure is working properly for IPv6 connectivity. When organizations transition to an IPv6-only infrastructure and disable IPv4, the DNS Client service will send only AAAA queries.

Computers running Windows Vista can increase DNS traffic and the load on DNS servers when the computers have been configured with a global address:

· On intranets that have deployed IPv6 (either native or ISATAP), there will be additional DNS query traffic. However, deployments of Windows Vista in enterprise networks using IPv6 have not resulted in dramatic increases in the loads on intranet DNS servers. Intranets running at or near capacity for DNS might need to provide additional capacity to better support an enterprise deployment of Windows Vista.

· On the Internet, computers running Windows Vista by default will typically not be configured with a global address from their ISPs or from their gateway devices. At this time, typical ISPs do not support native IPv6 connectivity and typical home routers do not support the 6to4 transition technology. If a computer running Windows Vista is located behind a network address translator (NAT), the Teredo client component will automatically configure a global Teredo address, even if it is in an inactive state. However, a computer running Windows Vista will not send AAAA record queries if it only has a Teredo address assigned.

DNS Registration Behavior

The DNS Client service in Windows Vista uses DNS dynamic update and attempts to register the following records:

· A records for all IPv4 addresses assigned to the interfaces that are configured with a DNS server

· Pointer (PTR) records for IPv4 addresses assigned to interfaces that are configured with a DNS server

· AAAA records for all global IPv6 addresses assigned to interfaces that are configured with a DNS server

Teredo addresses are not registered.

For the typical intranet host configured with a global IPv6 address, additional AAAA records for IPv6 global addresses are registered. However, a DNS dynamic update client includes all of the records that it is registering in a single packet. Therefore, although there are additional records to register, there are no additional packets for AAAA record registration, and the impact on intranet DNS servers for AAAA registration is minimal.

Typical Internet-based DNS servers do not support DNS dynamic update. However, if an Internet-based DNS server did support DNS dynamic update, there is typically no additional traffic because the typical Windows Vista-based Internet host does not have a global IPv6 address assigned and Teredo addresses are not registered. Therefore, for typical Windows Vista-based hosts on today's Internet, there is no performance impact on Internet DNS servers for DNS registration.
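The query and registration rules above can be checked against a host's address list. The following is an added example written for this page, not Microsoft's code: it models which queries the client sends, whether the AAAA query follows the A query, and which records it registers, given the addresses assigned to the host. Classification of "global" IPv6 follows the article's rule (not link-local and not Teredo); loopback, unspecified and unique-local addresses are also excluded as an assumption. The sample addresses are constructed.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, treated as not global

def is_global_v6(addr):
    """Global IPv6 per the article's rule: not link-local and not Teredo
    (loopback, unspecified and unique-local are excluded here as well)."""
    return not (addr.is_link_local or addr.teredo is not None or addr.is_loopback
                or addr.is_unspecified or addr in ULA)

def plan_queries(assigned):
    """Record types the client queries for a name, given the host's own addresses."""
    addrs = [ipaddress.ip_address(a) for a in assigned]
    has_v4 = any(a.version == 4 for a in addrs)
    has_global_v6 = any(a.version == 6 and is_global_v6(a) for a in addrs)
    if has_global_v6 and not has_v4:
        return ["AAAA"]        # IPv6-only infrastructure with IPv4 disabled
    if has_global_v6:
        return ["A", "AAAA"]   # A query first, then AAAA to the same server
    return ["A"]               # only link-local/Teredo IPv6: a single A query

def send_aaaa_after_a(a_result):
    """The AAAA query is sent unless the A query timed out or failed with an
    error other than name-not-found."""
    return a_result in ("answer", "nxdomain")

def plan_registration(assigned):
    """Records registered by dynamic update: A and PTR for every IPv4 address,
    AAAA only for global IPv6 addresses (Teredo and link-local never registered)."""
    records = []
    for a in (ipaddress.ip_address(x) for x in assigned):
        if a.version == 4:
            records.append(("A", str(a)))
            records.append(("PTR", a.reverse_pointer))
        elif is_global_v6(a):
            records.append(("AAAA", str(a)))
    return records

# Constructed addresses: IPv4, link-local, Teredo (2001:0::/32) and a global IPv6
TEREDO = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
HOST = ["192.0.2.10", "fe80::1", TEREDO, "2001:db8::10"]
```

Running plan_queries on a host list with only the first three of HOST's addresses reproduces the single-A-query case; adding the global address produces the A-then-AAAA pair.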

Source: technet.microsoft.com

Wednesday, April 2, 2008

What is Fast flux DNS

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load-balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. The Storm Worm is one of the recent malware variants to make use of this technique.

Internet users may see fast flux used in phishing attacks linked to criminal organizations, including attacks on MySpace.

While security researchers have been aware of the technique since at least November 2006, the technique has only received wider attention in the security trade press starting from July 2007.

Single-flux and double-flux

The simplest type of fast flux, referred to as "single-flux", is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.

A more sophisticated type of fast flux, referred to as "double-flux", is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS NS record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.

Within a malware attack, the DNS records will normally point to a compromised system that will act as a proxy. This method prevents some of the traditionally best defense mechanisms from working — e.g., IP-based ACLs. The method can also mask the attackers' systems, which will exploit the network through a series of proxies and make it much more difficult to identify the attackers' network. The record will normally point to an IP where bots go for registration, to receive instructions, or to activate attacks. Because the IPs are proxied, it is possible to disguise the originating source of these instructions, increasing the survival rate as IP-based block lists are put in place.
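The single-flux and double-flux patterns described above leave a measurable trace in repeated lookups: short TTLs, many distinct addresses, and addresses scattered across unrelated networks. The following detector is an added example, not code from the original post: it summarizes a series of observed lookups for one name and, separately, for the addresses of the zone's name servers, and reports single-flux, double-flux or nothing. The thresholds and the observation data are constructed assumptions for the illustration, not values from the page.

```python
import ipaddress

# Thresholds are assumptions for this illustration, not values from the page.
MAX_TTL = 300         # fast-flux names use very short TTLs
MIN_UNIQUE_IPS = 5    # many distinct addresses seen across repeated lookups
MIN_UNIQUE_NETS = 3   # spread over unrelated /16 networks (compromised hosts)

def summarize(lookups):
    """lookups: list of (ttl, [ip, ...]) observed for one name over time."""
    ips, nets = set(), set()
    for _ttl, rdata in lookups:
        for ip in rdata:
            addr = ipaddress.ip_address(ip)
            ips.add(addr)
            nets.add(ipaddress.ip_network(f"{addr}/16", strict=False))
    return {"unique_ips": len(ips), "unique_nets": len(nets),
            "max_ttl": max(ttl for ttl, _ in lookups)}

def is_fluxy(lookups):
    s = summarize(lookups)
    return (s["max_ttl"] <= MAX_TTL and s["unique_ips"] >= MIN_UNIQUE_IPS
            and s["unique_nets"] >= MIN_UNIQUE_NETS)

def classify(a_lookups, ns_lookups):
    """a_lookups: A records of the name; ns_lookups: addresses the zone's NS
    names resolved to. Flux in both lists is the double-flux pattern."""
    a_flux, ns_flux = is_fluxy(a_lookups), is_fluxy(ns_lookups)
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "single-flux"
    return "no flux indicators"

# Constructed observations using documentation and benchmark address ranges
FLUX_A = [(120, ["198.51.100.7", "203.0.113.42"]),
          (120, ["192.0.2.99", "198.18.5.1"]),
          (120, ["198.19.7.7", "203.0.113.9"])]
FLUX_NS = [(180, ["198.51.100.53", "203.0.113.53"]),
           (180, ["192.0.2.53", "198.18.9.53"]),
           (180, ["198.19.3.53", "198.51.100.54"])]
STABLE_A = [(3600, ["192.0.2.10", "192.0.2.11"])] * 3
STABLE_NS = [(86400, ["192.0.2.53", "192.0.2.54"])] * 3
```

Content delivery networks also rotate addresses with short TTLs, so the network-spread threshold matters more than TTL alone when tuning this on real data.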

Source: en.wikipedia.org