DNS Tutorial – A Guide to Understanding DNS and Zone Records

DNS in a nutshell

DNS is a translation service from the names people can read to the numeric IP addresses computers use. The idea is similar to a phone book, or directory assistance, which translates names into phone numbers. The DNS system is distributed across the whole Internet: virtually every Internet provider runs two or more DNS servers, most hosting companies do as well, and many large businesses (Microsoft, Dell and HP, for instance) run their own. (Of course, with 30,000+ employees, they probably run their own directory assistance too.)

Every single person on the Internet uses DNS, 99% of them without knowing it. Every time you go to a website, your computer asks the DNS system for the location of the site. Every time you send an email, your ISP’s mail server does a DNS lookup to find the mail server for that domain. DNS works on a distributed basis: no one server holds the records for every domain. There are 13 root server names (each today answered by many machines around the world), and they do not hold a list of every domain; they know which servers handle each top-level domain (.com, .au and so on), and those in turn know which DNS servers are responsible for each domain beneath them. When your ISP’s DNS server is asked about a domain it does not know, it asks a root server, is referred to the top-level domain’s servers, is referred again to the servers that handle the domain, asks those for the record it needs, and then passes the answer back to you.

Changing DNS Servers

When you change hosting providers, the normal procedure is also to change your domain’s delegation to the new hosting provider’s DNS servers. This procedure, known as redelegation, is best because one company then handles everything for you: if they move your website, for instance onto a faster server, they can update the DNS records straight away and nobody notices. To find out who your domain is delegated to, do a whois search. A whois search will not show you where your website is, but it will show you which DNS servers know where it is. Customers of Anchor should always see ns1.anchor.net.au and ns2.anchor.net.au in their whois information. If your domain is currently with another company and you need to bring it to Anchor, you need to change that information. Generally this is done through a web page of the company you registered the domain with, and it is a simple change. Because whoever can log in to that page controls where your website and email go, guard that login as carefully as the website itself.

Once the change is made, depending on the type of domain, it can take up to 3 days for the rest of the Internet to notice you have moved. (The same as when you move house: it can take quite a while for other people to realise.) The reason is explained in the next section. Suffice to say that for a period of up to 3 days some people will see the new site and some will still see the old one; some email will go to the new server and some to the old one. This is avoidable through careful planning and a week-long changeover.

Buzzwords & Geek words, translated!

Often when talking about DNS the words (and abbreviations) TTL, cache and propagation come up, but what do they mean? In plain English, the DNS server responsible for your domain has a file with all the information about your domain in it, and when another DNS server needs information about your domain it is pulled from this file, along with a TTL value. TTL stands for Time To Live, and it is the maximum time a foreign DNS server may keep this information locally (the process known as caching) without asking whether it has changed. When you redelegate your domain from one DNS server to another, the time it takes depends on the TTL of the records other servers have already cached from the old server, and on the TTL of the delegation records at the registry. If this value is high, which it generally is (around the 1 day mark), then any DNS server that has requested information on your domain in the past 24 hours will keep seeing the old records; once the TTL expires it fetches, and sees, the new details.

Additionally, for .com, .net and .org domains, a delegation change used to be published only when the registry rebuilt its zone, historically around midnight US time (these registries now push changes within minutes), whereas .au domains were updated instantly. This process of waiting for all the Internet to see your move is called propagation. As I said above, there is a way to speed it up: redelegate a week early, with your new hosting company copying the old records exactly but with a very low TTL (ten minutes or so), and then, when you are ready for the website and email to move to the new server, change the records on the new DNS server. The whole Internet will then see the change within about 10 minutes, regardless of the domain name. Two caveats: a low TTL only takes effect once a cache has fetched the low-TTL copy, so a cache that loaded the old one-day records just before the change keeps them for that day, which is why the week of overlap is needed; and some ISPs do not conform to the standard for DNS caching and keep records longer than the TTL says, so a few may not update instantly.

So what does a domain record look like

$TTL 86400            ; default TTL for every record below (BIND 9 expects this line)
@       IN  SOA     ns1.anchor.net.au. hostmaster.anchor.net.au. (
                    2004030401  ; Serial
                    28800       ; Refresh
                    14400       ; Retry
                    3600000     ; Expire
                    86400 )     ; Minimum
@       IN  NS      ns1.anchor.net.au.
        IN  NS      ns2.anchor.net.au.
        IN  MX 50   smtp1.anchor.net.au.
        IN  MX 100  smtp2.anchor.net.au.
        IN  A       202.4.234.122
smtp    IN  A       203.98.94.10
www     IN  CNAME   @
ftp     IN  CNAME   @
mail    IN  CNAME   smtp
pop     IN  CNAME   smtp
pop3    IN  CNAME   smtp

That looks scary! What does it all mean?

Let’s break down the file one line at a time.

@ IN SOA ns1.anchor.net.au. hostmaster.anchor.net.au. (

This line, the Start of Authority, states that ns1.anchor.net.au is the primary DNS server responsible for your domain, and that hostmaster@anchor.net.au is the contact for it (in a zone file the @ of the address is written as a dot, which is why it appears as hostmaster.anchor.net.au.).

The next four values, Serial, Refresh, Retry and Expire, matter mainly to the secondary servers that copy the zone (the serial must increase every time the file changes, or the secondaries will not pick up the new version), so skip them for now.

86400 ) ; Minimum

In old BIND 4 and BIND 8 zone files the Minimum value doubled as the TTL, ie the length of time other servers may cache the information for your domain. In BIND 9 the default TTL comes from a $TTL line at the top of the file, and the SOA minimum instead sets how long a “no such name” answer is cached (RFC 2308).

@ IN NS ns1.anchor.net.au.

The third column on this line, NS, means nameserver. This line says that ns1.anchor.net.au (and, on the line below it, ns2.anchor.net.au) is a nameserver for your domain. NS lines list all the nameservers responsible for your domain, and they should be the same servers the registry lists in whois; if the two disagree, some resolvers will follow one set and some the other.

IN MX 50 smtp1.anchor.net.au.

Again, the column after IN is important (all your records should say IN, for Internet). MX stands for Mail eXchange, and MX lines list the servers that handle your email. The number after MX is the priority: the lower the number, the higher the priority, so mail is delivered to smtp1 first and to smtp2 only if smtp1 cannot be reached. An MX must point at a name that has an A record, not at a CNAME.

IN A 202.4.234.122

On this line, A means Address. All A records are direct translations of names to numbers. If the line starts with a word, that word is a host name, ie www for www.yourdomain.com.au. If it has no word, the record is for yourdomain.com.au itself. If it has a *, it is a wildcard that matches every name under yourdomain.com.au that is not listed explicitly.

mail IN CNAME smtp

The final record type is CNAME. It stands for Canonical Name, but it is easier to think of it phonetically, ie See-Name, as that is what it means: in this case the record tells computers looking for mail.yourdomain.com.au to go and look for smtp.yourdomain.com.au instead. A name that has a CNAME may have no other records, which is why the file gives yourdomain.com.au an A record and points www and ftp at it, rather than the other way round.
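The rules in the breakdown above (one SOA at the apex, no other records next to a CNAME, MX and NS targets that are real hosts, CNAME chains that end somewhere) can be checked mechanically. The following is an added example written for this page, not code from Anchor; it parses the page’s own sample zone (embedded below, with a $TTL line added) and reports anything that breaks those rules. The origin name yourdomain.com.au is an assumption.

```python
"""Lint a BIND-style zone file for the mistakes the breakdown above warns about.

Added example, not code from the original page or from Anchor.  The zone text
is the page's own sample; the origin name yourdomain.com.au is an assumption,
and each check cites the RFC it comes from.
"""

ORIGIN = "yourdomain.com.au."

# Constructed input: the page's sample zone, with a $TTL line added.
PAGE_ZONE = """\
$TTL 86400
@   IN SOA ns1.anchor.net.au. hostmaster.anchor.net.au. (
            2004030401 ; Serial
            28800      ; Refresh
            14400      ; Retry
            3600000    ; Expire
            86400 )    ; Minimum
@   IN NS    ns1.anchor.net.au.
    IN NS    ns2.anchor.net.au.
    IN MX 50  smtp1.anchor.net.au.
    IN MX 100 smtp2.anchor.net.au.
    IN A     202.4.234.122
smtp IN A     203.98.94.10
www  IN CNAME @
ftp  IN CNAME @
mail IN CNAME smtp
pop  IN CNAME smtp
pop3 IN CNAME smtp
"""


def fqdn(name, origin):
    """Absolute, lower-cased form of a zone-file name ('@' is the origin)."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_tokens)].  Handles ';' comments, $ORIGIN/$TTL,
    owner inheritance (a line starting with whitespace reuses the previous owner)
    and RDATA continued across lines inside '( ... )'."""
    records, owner, buf, depth, inherit = [], origin, "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0:
            buf, inherit = line, line[0].isspace()
        else:
            buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        toks = buf.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):
            if toks[0].upper() == "$ORIGIN":
                origin = fqdn(toks[1], origin)
            continue                      # $TTL and friends create no records
        if not inherit:
            owner = fqdn(toks.pop(0), origin)
        if toks and toks[0].isdigit():    # optional per-record TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return records


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def lint_zone(text, origin=ORIGIN):
    """Return human-readable findings; an empty list means the zone passed."""
    records = parse_zone(text, origin)
    types_at, cname_target = {}, {}
    for owner, rtype, rdata in records:
        types_at.setdefault(owner, set()).add(rtype)
        if rtype == "CNAME":
            cname_target[owner] = fqdn(rdata[0], origin)

    findings = []
    # Exactly one SOA, and it must sit at the apex.
    if [o for o, t, _ in records if t == "SOA"] != [origin]:
        findings.append("zone needs exactly one SOA record, at the apex")
    # A CNAME must be the only record at its name (RFC 1034 s3.6.2).  This is
    # why the apex holds an A record and www/ftp are CNAMEs pointing *to* it.
    for name, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{name}: CNAME coexists with {sorted(types - {'CNAME'})}")
    # MX and NS targets must be hostnames with address records, never CNAMEs
    # (RFC 2181 s10.3); an in-zone target with no A/AAAA is a dead MX or delegation.
    for owner, rtype, rdata in records:
        if rtype not in ("MX", "NS"):
            continue
        target = fqdn(rdata[-1], origin)
        if target in cname_target:
            findings.append(f"{owner}: {rtype} target {target} is a CNAME")
        elif in_zone(target, origin) and not types_at.get(target, set()) & {"A", "AAAA"}:
            findings.append(f"{owner}: {rtype} target {target} has no address record")
    # CNAME chains must not loop and must end at a name that has data.
    for name, target in cname_target.items():
        seen, cur = {name}, target
        while cur in cname_target and cur not in seen:
            seen.add(cur)
            cur = cname_target[cur]
        if cur in seen:
            findings.append(f"{name}: CNAME loop")
        elif in_zone(cur, origin) and cur not in types_at:
            findings.append(f"{name}: CNAME points at {cur}, which has no records")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(PAGE_ZONE) or ["page zone: no findings"]:
        print(finding)
```

Run it as-is and the page’s zone passes; append a record such as an A record for mail (next to its CNAME) or an MX pointing at mail, and the corresponding finding appears. The parser deliberately stays small (no $INCLUDE, no per-record class other than IN), which is enough for hand-written zones like this one.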

Now don’t you feel enlightened?

Do I have to have this? It all seems so complicated

If you want people to see your website, and email you, you must have DNS records. It is unavoidable. However as I said at the start of this article, you only need to have an understanding of the top level of the system, ie, when I redelegate, it takes 3 days, my email will be scattered. You do not need to understand how the entire system works, that is the job of your DNS administrator (often called hostmaster), who is typically your web hosting company.

Can I do this myself?

If you have a static IP address and a permanent Internet connection you can host your own DNS, and if that doesn’t make any sense to you, you are probably better off letting someone else handle it. You may notice in a whois search that most domains have 2 DNS servers listed, and some have up to 10. This is for redundancy: if one server dies, but the others are still working, then your website and email are unaffected; but if you only have one server, and it goes down for whatever reason, then your email and website are offline too.

Domain Name System (DNS) and Cyber Security Vulnerability

DNS- At the Heart of the Internet

It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.

In the early days of the Internet, users trying to reach another host on the network were required to type in lengthy IP number strings (e.g., 74.125.45.105, an address that was listed for Google at the time). As the Internet grew, number strings became more cumbersome and unworkable, as most users could not consistently remember the proper sequence of digits.

To simplify this, a solution was developed based on a flat file (HOSTS.TXT) that related each IP address to a comparatively easy-to-remember name (e.g., Amazon.com, YouTube.com and Twitter.com).

By the late 1980s the flat file had been replaced by the Domain Name System (DNS) in use today, specified in RFC 1034 and RFC 1035: a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network. Ease of use and expandability were the goals; since attacks and malware were then virtually unknown, DNS security was not a priority.

DNS is very effective and works in the background of everyday activity. Internet users assume that when they type in a URL or e-mail address they will be connected to the correct website or mailbox. Many commercial companies developed brand strategies based on this in order to use the Internet’s reach to win more customers and increase sales and revenue. Most of these companies adopted a .com or .net extension; the Federal government adopted .gov or .mil.

DNS Brand Implications

The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g. Google, Bing, Amazon, and E-Bay) and powerful strategies were developed to market brands on the Internet.

An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry. Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.

Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful keyword searches. Web-based purchases supported by easy, convenient keyword searches now account for a large and growing share of retail business. DNS is an integral part of this success. But as traffic on the Internet grew, the entire net became vulnerable to cyber attacks, and a good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.

DNS is inherently Insecure

The original design of the Domain Name System (DNS) did not include robust security features; it was designed to be a scalable distributed system, and later attempts to add security while maintaining backwards compatibility were rudimentary and did not keep pace with attackers. As a result, attacks on DNS have had Internet-wide impact.

Security may top the list of enterprise and network administrators, but too often the link between security vulnerability and DNS is not understood. In order to enhance security and defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.

Consequently, any commercial company that uses the Internet for sales, e-commerce, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks need to be aware of DNS vulnerability.

As the Internet expands in terms of users, devices and traffic, so does the opportunity for sophisticated DNS mayhem, whether malicious (hacking), aggravating (spam), illegal (accessing sites containing content that violates legal and regulatory mandates) or devastating denial of service (DoS) attacks.

It became very evident that enterprises and ISPs must protect their users and networks-sometimes from the amateur hacker but increasingly from organized crime and state sponsored cyber terrorism. One of the most vulnerable, critical areas was DNS. Cyber attacks are expected to increase and have a bigger impact as the Internet grows.

The internet is also growing by an order of magnitude and just about every user of the internet is directly affected by the Domain Name System (DNS). The Domain Name System (DNS) is an essential part of the Internet. Many Internet security mechanisms, including host access control and defenses against spam and phishing, heavily depend on the integrity of the DNS infrastructure and DNS Servers.

DNS Servers

BIND (Berkeley Internet Name Domain, originally Berkeley Internet Name Daemon) is the most widely deployed Domain Name System (DNS) server software on the Internet, and its maintainers still describe it as such.

Presently, BIND is the de facto standard DNS server. It is a free software product and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with a significantly different architecture: BIND4, BIND8 and BIND9. BIND4 and BIND8 are now considered obsolete. BIND9 is a ground-up rewrite featuring complete Domain Name System Security Extensions (DNSSEC) support in addition to other features and enhancements. Even so, BIND 9 has needed a steady stream of security patches, so running a current release matters.

A new version, BIND 10, was under development at the time of writing, with security features as yet untested; its first release was in April 2010, and completing its feature set was expected to take five years. (ISC later stopped work on BIND 10 and continued developing BIND 9.)

Although BIND remains the de facto DNS software because most UNIX-based systems ship it at no cost, other projects (NSD and Unbound from NLnet Labs, PowerDNS, djbdns) have produced DNS server software designed to avoid some of BIND’s weaknesses, for example by splitting authoritative and recursive service into separate programs. Published vulnerabilities in any of these packages can be looked up in the CERT/CC Vulnerability Notes Database at http://www.kb.cert.org/vuls/

Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service

The DNS vulnerabilities open the affected networks to various types of cyber attacks but cache poisoning and DDoS attacks are usually the most common.

Cache poisoning is arguably the most prominent and dangerous attack on DNS. It results in a DNS resolver storing (caching) invalid or malicious mappings between names and IP addresses. Because resolving a name depends on answers from authoritative servers elsewhere on the Internet, carried over unauthenticated UDP, the classic DNS protocol is intrinsically exposed to forged answers: a resolver that accepts a reply on no more evidence than a matching 16-bit transaction ID can be fed a false record by anyone who guesses that ID in time. A poisoned cache sends every user of that resolver to a server of the attacker’s choosing, which is then used for phishing pages that harvest bank logins, social security numbers and similar data.
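To make the exposure concrete, here is an added example (not code from the original article) that models the checks a resolver applies before a reply may enter its cache, and the blind-guessing odds an off-path attacker faces with and without source-port randomisation, the mitigation deployed after the 2008 Kaminsky attack. The message dicts are a constructed stand-in for parsed DNS packets, and the packet rate in the main block is an assumed figure.

```python
"""Model of the checks that decide whether a forged UDP reply can poison a cache.

Added example, not from the original page.  The message dicts are a constructed
stand-in for parsed DNS packets; the attacker packet rate is an assumption.
"""
import random

PORT_RANGE = (1024, 65535)   # ephemeral source ports a randomising resolver may use


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies below it (absolute names, case-insensitive)."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def accept_reply(query, reply):
    """The checks a resolver applies before a reply may enter its cache:
    1. the 16-bit transaction id and the destination port must match what we sent;
    2. the question section must echo our question;
    3. every record must lie inside the bailiwick of the server we asked, so a
       reply about example.com cannot also hand us an address for www.bank.example."""
    if reply["txid"] != query["txid"] or reply["dst_port"] != query["src_port"]:
        return False, "transaction id or port mismatch"
    if (reply["qname"].lower(), reply["qtype"]) != (query["qname"].lower(), query["qtype"]):
        return False, "question section does not match"
    for rr in reply["records"]:
        if not in_bailiwick(rr["name"], query["zone"]):
            return False, f"out-of-bailiwick record {rr['name']} discarded"
    return True, "accepted"


def guess_space(randomise_port):
    """Equally likely (txid, port) pairs an off-path attacker must guess blindly."""
    ports = PORT_RANGE[1] - PORT_RANGE[0] + 1 if randomise_port else 1
    return 2 ** 16 * ports


def expected_forged_packets(randomise_port):
    """Mean number of forged replies before one matches."""
    return guess_space(randomise_port) / 2


def expected_seconds(randomise_port, packets_per_second):
    return expected_forged_packets(randomise_port) / packets_per_second


def race(rng, randomise_port, forged_replies):
    """One Kaminsky-style race: the resolver has one query in flight and the
    attacker fires `forged_replies` guesses before the genuine answer lands.
    Returns True if a guess matched, i.e. the cache would be poisoned."""
    txid = rng.getrandbits(16)
    port = rng.randrange(PORT_RANGE[0], PORT_RANGE[1] + 1) if randomise_port else 53
    for _ in range(forged_replies):
        guess_txid = rng.getrandbits(16)
        guess_port = rng.randrange(PORT_RANGE[0], PORT_RANGE[1] + 1) if randomise_port else 53
        if guess_txid == txid and guess_port == port:
            return True
    return False


def race_with_seed(seed, randomise_port, forged_replies):
    """Deterministic wrapper around race() for repeatable runs."""
    return race(random.Random(seed), randomise_port, forged_replies)


if __name__ == "__main__":
    for randomised in (False, True):
        print(f"port randomisation={randomised}: ~{expected_forged_packets(randomised):,.0f} "
              f"forged packets, ~{expected_seconds(randomised, 50_000):,.0f} s at 50k pkt/s")
```

With a fixed source port the attacker only has to guess the transaction ID, about 32,768 packets on average, which at 50,000 packets per second is under a second; with a random port the expected effort rises by a factor of roughly 64,000. The bailiwick check in accept_reply is the older defence against the 1990s variant in which a legitimate-looking reply smuggled in an extra record for an unrelated domain. Neither check proves the data is genuine; that is what DNSSEC adds.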

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is focused on making computer resources unavailable to its intended users. A DDoS consists of the concerted efforts to prevent an Internet site or service from functioning efficiently or at all.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as government agencies, banks, credit card payment gateways, and even root nameservers. Of particular concern are DoS or DDoS attacks on large government networks such as those of the Department of Defense or the Veterans Administration.

DNS is involved in DDoS in two ways: its own servers can be the target, taking every name they serve offline, and open recursive resolvers can be used as amplifiers, turning a small query with a forged source address into a much larger response aimed at the victim.

Until effective solutions are developed that reduce DNS vulnerabilities cyber attacks will increase particularly as new protocols expand the reach of the Internet.

Internet Protocol Version 6 (IPv6)

It was inevitable that the supply of IPv4 addresses would be exhausted, and that point has now been reached.

The Internet is running out of IPv4 addresses (IANA allocated its last free blocks in February 2011), a phenomenon known as IPv4 address exhaustion, and the expanded protocol that solves this problem may create additional vulnerability.

A new Internet Protocol, Version 6 (IPv6), is a replacement for Internet Protocol version 4 (IPv4), as the primary Internet Protocol in operation since 1981. The driving force for the redesign of Internet Protocol was the foreseeable IPv4 address exhaustion. In effect, without new protocols, the Internet will run out of capacity.

IPv6 has a significantly larger address space than IPv4. IPv6 uses a 128-bit address while the present IPv4 uses 32 bits. This expansion provides flexibility in allocating addresses and routing traffic and eliminates the growing need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.

IPv6 protocol expansion however, also opens new vulnerabilities for malicious cyber attacks as more and more users and applications gain access to the Internet.

DNSSEC

Some analysts believe that the Domain Name System Security Extensions (DNSSEC) provides an effective and comprehensive solution for DNS vulnerability issues. This is not the case however.

DNSSEC adds digital signatures to DNS data so that a resolver can verify that an answer was published by the zone’s owner and was not altered in transit. This defeats cache poisoning, pharming and DNS redirection, the techniques used to commit fraud, identity theft and the distribution of malware. It does not protect against DDoS (signed responses are larger, which if anything makes DNS a better amplifier), it does not hide the contents of queries, and it does not make the data in a zone correct, only authentic.
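What “authenticate” means in practice is a chain of trust: the parent zone publishes a DS record that is a hash of the child’s signing key, and a validator checks that the DNSKEY it fetched from the child matches that DS before trusting anything the key signs. The following is an added example written for this page, not code from the article or from any DNSSEC implementation; it computes the RFC 4034 key tag and DS digest for a constructed dummy key (four bytes of key material, chosen so the key-tag arithmetic can be followed by hand) and checks a DS against it. The RRSIG step that follows in a real validation needs the public-key algorithm itself and is not shown.

```python
"""Check that a parent's DS record really authenticates a child's DNSKEY.

Added example, not from the original page.  The DNSKEY below is a constructed
dummy (four bytes of key material, not a usable key) so the arithmetic can be
followed by hand; the functions implement RFC 4034 as written.
"""
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lower case, no compression."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 s5.1.4)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, dnskey, ds):
    """True only if key tag, algorithm and digest all agree; any single mismatch
    means this DNSKEY is not the one the parent vouched for."""
    flags, protocol, algorithm, key_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata) == ds["key_tag"]
            and algorithm == ds["algorithm"]
            and ds_digest(owner, rdata, ds["digest_type"]) == ds["digest"].upper())


def make_ds(owner, dnskey, digest_type=2):
    """What the parent would publish for this DNSKEY (used here to seed the check)."""
    flags, protocol, algorithm, key_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


# Constructed KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 13, key bytes 00 01 02 03.
EXAMPLE_OWNER = "example."
EXAMPLE_KSK = (257, 3, 13, "AAECAw==")

if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, EXAMPLE_KSK)
    print(f"{EXAMPLE_OWNER} DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("DNSKEY matches DS:", ds_matches(EXAMPLE_OWNER, EXAMPLE_KSK, ds))
```

For the dummy key the RDATA is the bytes 01 01 03 0d 00 01 02 03; summing even-indexed bytes shifted left by 8 and odd-indexed bytes as they are gives 1554, which is the key tag. Change any byte of the key, or the owner name, and ds_matches returns False, which is exactly how a validator refuses a substituted key.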

It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered by several procedural difficulties not the least of which is the lack of universal deployment and overcoming the perceived complexity of deployment.

Some of these problems are in the process of being resolved, and deployment in various domains is in progress. This may take an extended period of time however and during the process DNS continues to be vulnerable.

Even with the technical limitations, progress in implementing DNSSEC has been slow particularly in the Federal Government. Although the Federal Office of Management and Budget mandated that all government agencies will adopt DNSSEC by December 2009, nine months after the deadline for federal agencies to implement DNSSEC, only 30-40% of agencies have complied.

Government Network Solutions

Today’s complex government networks must deliver the utmost security and reliability to protect against potential national security threats. A poorly architected DNS service infrastructure poses one of the greatest security vulnerabilities for any government network.

Likewise, choosing the wrong DNS solution can turn an otherwise well-architected service infrastructure into a compromised system capable of undermining data integrity and network stability.

Security against cyber attack is mandatory for government networks. More than any other networks, government networks demand the highest level of monitoring and visibility, security fortification, alerting and blocking to ensure appropriate corrective action. Without this protection, National Security and other nationwide infrastructure can be compromised.

Government Networks Have Unique Needs but Face Cumbersome Solutions

Until recently, federal cyber security efforts have been fragmented and cumbersome. Greater attention was paid to time consuming reporting requirements in order to meet standards. Although standards are important for establishing a baseline of security and meeting standards in order to reduce cyber attack damage, overly restrictive reporting requirements diminish their effectiveness.

In many ways, for government organizations, the information superhighway has become a virtual minefield. Government networks face this new global problem as much, if not more than other networks.

Not only do they have to support their users’ performing the tasks necessary to complete their missions with uninterrupted Internet access, but they also have to ensure that this access remains uncompromised. Network administrators must continuously balance the need for open access for critical users against the need to keep the network secure.

When a user at a government organization goes to a website (on any of several types of network), they need to know that the content they receive is exactly what they were expecting. And just like subscribers on a service provider network, they need to be protected from known and suspected sites used to break into computers. The criticality of very large networks and the drive to interconnect agencies make many federal networks particularly vulnerable.

All of this has to be done with the highest possible level of performance and availability. Government organizations also need to be absolutely certain that they can comply with DNSSEC and IPv6 mandates.

The government recognizes and is addressing the needs of cyber security. Recent steps include the creation of Cyber Command for DOD and the intelligence agencies, a streamlining by the Office of Management and Budget of reporting requirements, and an elevation of cyber security to a priority effort by the administration.

However, progress has been slow. Officials from key federal agencies, including the departments of Defense, Homeland Security and the Office of Management and Budget say they’re moving too slowly to implement most of the 24 recommendations President Barack Obama outlined in his May 2009 cyber policy review.

Enterprises Are Not Taking DNS Seriously

DNS (Domain Name System) is the key technology in modern IT infrastructures – without it, your business stops. Every single application now relies on DNS in some way or another.

Want to send an email? Your email program uses DNS to find the IP address of your mail server so it can send the email.

Want to print something? Your PC will use DNS to find the IP address of the printer.

Want to access your company’s corporate database? Your application will use DNS to find the IP address of the database server.

DNS acts as a big electronic phonebook that catalogues all the IP addresses of the servers and printers on your network. Without it your PC will struggle to access these other systems.

So when I visit sites that are still running DNS on an ageing Windows NT server under someone’s desk, I am horrified.

In many cases, DNS servers have been deployed in response to a specific requirement – someone needed a DNS server in order to implement a proxy server or a specific application required a DNS server. But as more applications and services are deployed, the DNS infrastructure is often the last thing that is considered. DNS servers and domains have often been deployed without an overall strategy, leading to an unstructured, non-resilient, and badly configured mess.

Install an Active Directory Domain Controller, and it will attempt to resolve the AD domain name in DNS. If you don’t have a DNS server on your network, or it can’t contact one, it will automatically install one on the DC. “Great” you might think, “it’s doing all the hard work for me”, but this is implementing DNS in an ad-hoc approach that might not best suit the business in the long term. For instance, the DC you just installed might be in a remote location or on a network segment that is not resilient. The fact that DNS is running on a DC means that it is not on dedicated hardware, so other applications may impact performance or the availability of the server. Installation of critical Microsoft security updates is crucial but in many cases requires a reboot that will affect the availability of the DNS service running on that DC.

When your infrastructure has grown to rely on DNS servers co-hosted on Microsoft servers, it soon becomes apparent that applying Microsoft security updates and service packs impacts the availability of not just that single DC, but every application that relies on DNS. Reboots have to be meticulously planned in order to determine which applications will be affected, and to ensure that those applications can reach backup DNS servers. Without adequate planning of the DNS infrastructure, you start to discover incorrectly configured application servers that have no secondary or tertiary DNS servers configured, or have servers configured that no longer run a DNS service. Furthermore, without any monitoring, you may discover servers where the DNS service has stopped or crashed.

These misconfigured systems only become visible when a DNS server fails or is rebooted for maintenance, and the impact can range from a minor inconvenience (the CEO can’t get his email) to disastrous (a bank’s trading floor suddenly incapacitated for 15 minutes while the stock market is falling).
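The misconfigurations described above are easy to find before an outage finds them, because they are visible in each host’s resolver configuration. The following is an added example, not code from the original post: it audits resolv.conf-style settings pulled from a fleet against the DNS team’s inventory, flagging hosts with a single resolver, resolvers that no longer run DNS, resolvers nobody manages, and pairs of resolvers that sit on the same network segment. All hosts, addresses and file contents are constructed, and the /24 used for the segment check is an assumption about the network layout.

```python
"""Audit resolver settings on a fleet for the failure modes described above.

Added example, not from the original post.  Every host, address and
resolv.conf body here is constructed; the /24 used for the "same segment"
check is an assumption about the network layout.
"""
import ipaddress
import re

# Constructed inventory: resolvers the DNS team operates, and ones that were retired.
ACTIVE_RESOLVERS = {"10.1.1.5", "10.1.1.6", "10.2.1.5"}
RETIRED_RESOLVERS = {"10.9.9.9"}

# Constructed resolv.conf contents as pulled from four application servers.
FLEET = {
    "app01": "search corp.example\nnameserver 10.1.1.5\n",
    "db02":  "nameserver 10.1.1.5\nnameserver 10.1.1.6   # same rack as the first\n",
    "web03": "nameserver 10.1.1.5\nnameserver 10.9.9.9\n",
    "ok01":  "nameserver 10.1.1.5\nnameserver 10.2.1.5\noptions timeout:2 attempts:2\n",
}


def parse_resolv_conf(text):
    """Return nameserver addresses in the order the resolver will try them."""
    servers = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit_host(host, text, active=ACTIVE_RESOLVERS, retired=RETIRED_RESOLVERS):
    """Findings for one host; an empty list means its resolver config is sound."""
    findings = []
    servers = parse_resolv_conf(text)
    if len(servers) < 2:
        findings.append(f"{host}: only {len(servers)} nameserver configured, no failover")
    segments = set()
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"{host}: nameserver {s!r} is not an IP address")
            continue
        if s in retired:
            findings.append(f"{host}: nameserver {s} no longer runs DNS")
        elif s not in active:
            findings.append(f"{host}: nameserver {s} is not a managed resolver")
        if addr.version == 4:
            # Assumption: one /24 == one access segment; adjust to the real layout.
            segments.add(ipaddress.ip_network(f"{s}/24", strict=False))
    if len(servers) >= 2 and len(segments) == 1:
        findings.append(f"{host}: all resolvers sit in {segments.pop()}, one segment outage takes both")
    return findings


def audit_fleet(fleet=FLEET):
    """Map host -> findings for every host that has something to fix."""
    return {h: f for h, f in ((h, audit_host(h, t)) for h, t in fleet.items()) if f}


if __name__ == "__main__":
    for host, findings in audit_fleet().items():
        for line in findings:
            print(line)
```

The same inventory-driven check belongs in the monitoring the post calls for later: a resolver that disappears from the active set should raise an alert before the hosts still pointing at it do.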

In order to prevent these issues from impacting the availability of the DNS service, some larger enterprises are starting to take their DNS infrastructures seriously by taking a holistic approach. This involves making an individual or team responsible for the entire DNS infrastructure and deploying dedicated DNS server appliances that are managed by that team. Taking this approach enables the “DNS team” to arbitrate between different projects’ DNS requirements and ensure that a structured approach is taken to the configuration of new DNS domains and servers. Quite often, companies will deploy an IP Address Management (IPAM) product to help them manage the assignment of IP addresses and automate updates to the DNS environment.

Unfortunately these companies are in the minority rather than the majority. Too often DNS is seen as a service that belongs neither with the networks team nor the server nor application teams, and so often “falls between the cracks”. For such an important service, it simply isn’t good enough.

I believe that taking a holistic approach to your DNS infrastructure will help improve application availability:

o Nominate a person or team who is responsible for the DNS and can support and co-ordinate DNS requirements from different projects
o Use dedicated servers or appliances to reduce outages due to maintenance
o Place DNS servers in your data centres or at the core of your network (i.e. make sure they are “well connected”) so everyone knows which servers to use
o Ensure all your WAN links are resilient
    o If you have locations where this is not possible, you may need to consider installing a local DNS server
o Ensure the server/appliance hardware you install is resilient
    o RAID 1 disk mirroring or solid state storage
    o Dual PSUs (connected to different power feeds)
    o UPS
o Ensure the server has out-of-band management capabilities to assist with upgrades and troubleshooting (iLO, DRAC etc.)
o Monitor the DNS servers to ensure they are operating within normal parameters
    o Graph CPU and memory utilisation, network throughput, DNS availability and DNS queries per second

Following this approach will enable you to reduce DNS outages to a minimum and provide a higher level of service to your business.

Domain Name System (DNS) and Cyber Security Vulnerability

DNS- At the Heart of the Internet

It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.

In the early days of the Internet, users trying to reach another host on the network were required to input lengthy IP number strings (e.g., 74.125.45.105- a listed IP address for Google). As the internet grew number strings became more cumbersome and unworkable as most users could not consistently remember the proper sequencing of random numbers.

To simplify this process, a solution was developed based on a data solution (flat file) that related each IP address to a comparatively easy-to-remember common language address (e.g., Amazon.com, U-Tube.com, and Twitter.com) that was easy to remember and provided ease of use.

By the late 1980s, the flat file had evolved to the Domain Name System (DNS) in use today-a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network. Ease of use and expandability was the goal but, since cyber security attacks and malware were virtually unknown, DNS security was not a priority.

DNS is very effective and works in the background of search activity. Internet users are assured that when they type in a URL or e-mail address, they will be connected to the correct Web site or e-mail box. Many commercial companies developed brand strategies based on this functionality in order to use the Internet’s reach to develop more customers and increase sales/revenue. Most of these companies adopted a.com or.net extension. The Federal government adopted a.gov or.mil extension.

DNS Brand Implications

The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g. Google, Bing, Amazon, and E-Bay) and powerful strategies were developed to market brands on the Internet.

An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry. Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.

Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful key word searches. Web based purchases supported by easy, convenient key word searches now account for 20-30% of all retail business and the web based e-commerce market share continue to enjoy strong growth. DNS is an integral part of this success. But as traffic on the Internet grew, the entire net became vulnerable to Cyber attacks. A good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.

DNS is inherently Insecure

The original design of the Domain Name System (DNS) did not include robust security features; instead it was designed to be a scalable distributed system and attempts to add security, while maintaining backwards compatibility were rudimentary and did not keep pace with the skills of malicious hackers. As a result cyber attacks created Internet chaos.

Security may top the list of enterprise and network administrators, but too often the link between security vulnerability and DNS is not understood. In order to enhance security and defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.

Consequently, any commercial company that uses the Internet for sales, e-commerce, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks need to be aware of DNS vulnerability.

As the Internet expands in terms of users, devices and traffic, so does the opportunity for sophisticated DNS mayhem-whether malicious (hacking), aggravating (spam) or illegal (accessing sites containing content that violates legal and regulatory mandates) or devastating denial of service (DoS) attacks..

It became very evident that enterprises and ISPs must protect their users and networks-sometimes from the amateur hacker but increasingly from organized crime and state sponsored cyber terrorism. One of the most vulnerable, critical areas was DNS. Cyber attacks are expected to increase and have a bigger impact as the Internet grows.

The internet is also growing by an order of magnitude and just about every user of the internet is directly affected by the Domain Name System (DNS). The Domain Name System (DNS) is an essential part of the Internet. Many Internet security mechanisms, including host access control and defenses against spam and phishing, heavily depend on the integrity of the DNS infrastructure and DNS Servers.

DNS Servers

DNS servers running the software known as BIND (for Berkeley Internet Name Daemon, or sometimes Berkeley Internet Name Domain), is one of the most commonly used Domain Name System (DNS) server on the Internet, and still proclaims it to be so.

Presently, BIND is the de facto standard DNS server. It is a free software product and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with a significantly different architecture: BIND4, BIND8, and BIND9. BIND4 and BIND8 are now considered technically obsolete. BIND9 is a ground-up rewrite of BIND featuring complete Domain Name System Security Extensions (DNSSEC) support in addition to other features and enhancements. But even with the rewrite, BIND, in all versions, remains vulnerable.

A new version, BIND 10, is under development, but the effectiveness of its security features is untested. Its first release was in April 2010, and it is expected to be a five-year project to complete its feature set.

Although BIND is still the de facto DNS software because it is included by most UNIX-based server manufacturers at no cost, a number of other developers have produced DNS server software that addresses the inherent weaknesses of BIND. Ratings of these packages can be found at http://www.kb.cert.org/vuls/

Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service

DNS vulnerabilities open the affected networks to various types of cyber attacks, but cache poisoning and DDoS attacks are usually the most common.

Cache poisoning is arguably the most prominent and dangerous attack on DNS. DNS cache poisoning results in a DNS resolver storing (i.e., caching) invalid or malicious mappings between symbolic names and IP addresses. Because the process of resolving a name depends on authoritative servers located elsewhere on the Internet, the DNS protocol is intrinsically vulnerable to cache poisoning. Cache poisoning allows the perpetrator to gain access to proprietary information like bank records and social security numbers.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is focused on making computer resources unavailable to their intended users. A DDoS consists of concerted efforts to prevent an Internet site or service from functioning efficiently or at all.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as those of government agencies, banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks. Of particular concern are DoS or DDoS attacks on large government networks like the Department of Defense or Veterans Administration networks.

One way of compromising a network for a DDoS attack is through the vulnerabilities of DNS.

Until effective solutions are developed that reduce DNS vulnerabilities, cyber attacks will increase, particularly as new protocols expand the reach of the Internet.

Internet Protocol Version 6 (IPv6)

It was inevitable that the Internet's capacity would be exhausted, and it is near that point now.

The Internet is rapidly running out of capacity, and solutions to this problem in the form of expanded Internet Protocols may create additional vulnerability. The result is a phenomenon known as IPv4 address exhaustion, in which Internet address space disappears.

A new Internet Protocol, Version 6 (IPv6), is a replacement for Internet Protocol version 4 (IPv4), the primary Internet Protocol in operation since 1981. The driving force for the redesign of the Internet Protocol was the foreseeable IPv4 address exhaustion. In effect, without new protocols, the Internet will run out of capacity.

IPv6 has a significantly larger address space than IPv4. IPv6 uses a 128-bit address while the present IPv4 uses 32 bits. This expansion provides flexibility in allocating addresses and routing traffic and eliminates the growing need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.

IPv6 protocol expansion, however, also opens new vulnerabilities for malicious cyber attacks as more and more users and applications gain access to the Internet.

DNSSEC

Some analysts believe that the Domain Name System Security Extensions (DNSSEC) provides an effective and comprehensive solution for DNS vulnerability issues. This is not the case however.

DNSSEC enables the use of digital signatures that can be used to authenticate the DNS data returned in query responses. This helps combat attacks such as pharming, cache poisoning, DDoS and DNS redirection, which are used to commit fraud, identity theft and the distribution of malware, but it does not guarantee secure data in the system.

It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered by several procedural difficulties, not the least of which are the lack of universal deployment and the perceived complexity of deployment.

Some of these problems are in the process of being resolved, and deployment in various domains is in progress. This may take an extended period of time, however, and during the process DNS continues to be vulnerable.

Even with the technical limitations, progress in implementing DNSSEC has been slow, particularly in the Federal Government. Although the Federal Office of Management and Budget mandated that all government agencies adopt DNSSEC by December 2009, nine months after that deadline only 30-40% of agencies had complied.

Government Network Solutions

Today’s complex government networks must deliver the utmost security and reliability to protect against potential national security threats. A poorly architected DNS service infrastructure poses one of the greatest security vulnerabilities for any government network.

Likewise, choosing the wrong DNS solution can turn an otherwise well-architected service infrastructure into a compromised system capable of undermining data integrity and network stability.

Security against cyber attack is mandatory for government networks. More than any other networks, government networks demand the highest level of monitoring and visibility, security fortification, alerting and blocking to ensure appropriate corrective action. Without this protection, National Security and other nationwide infrastructure can be compromised.

Government Networks Have Unique Needs but Face Cumbersome Solutions

Until recently, federal cyber security efforts have been fragmented and cumbersome. Greater attention was paid to time-consuming reporting requirements in order to meet standards. Although standards are important for establishing a baseline of security that reduces cyber attack damage, overly restrictive reporting requirements diminish their effectiveness.

In many ways, for government organizations, the information superhighway has become a virtual minefield. Government networks face this new global problem as much, if not more than other networks.

Not only do they have to support their users performing the tasks necessary to complete their missions with uninterrupted Internet access, but they also have to ensure that this access remains uncompromised. Network administrators must continuously balance the need for open access for critical users against the need to keep the network secure.

When a user at a government organization goes to a Website (on multiple types of networks), they need to know that the content they receive is exactly what they were expecting. And just like subscribers on a Service Provider network, they need to be protected from known and suspected sites used to break into computers. The criticality of very large networks and the drive to interconnect agencies make many federal networks particularly vulnerable.

All of this has to be done with the highest possible level of performance and availability. Government organizations also need to be absolutely certain that they can comply with DNSSEC and IPv6 mandates.

The government recognizes and is addressing the needs of cyber security. Recent steps include the creation of Cyber Command for DOD and the intelligence agencies, a streamlining of reporting requirements by the Office of Management and Budget, and the elevation of cyber security to a priority effort by the administration.

However, progress has been slow. Officials from key federal agencies, including the departments of Defense, Homeland Security and the Office of Management and Budget say they’re moving too slowly to implement most of the 24 recommendations President Barack Obama outlined in his May 2009 cyber policy review.

DNS Propagation Explained – or Why You Have to Wait the 72 Hours

So you found a perfect domain name that was not already taken, figured out how to register it, paid for hosting (leasing space to store all the files that will be publicly accessed as web pages) with a WHP – aka Web Hosting Provider (such as bsleek.com) and even uploaded your website to the WHP’s servers, or had a professional design firm create a web site for you.

Alas, it looks like the results of your hard work, of your money spending and of the headaches you got from trying to make sense of all the technobabble were in vain? Why can't you see your website instantly? After all, isn't this the promise of the e-commerce age? Hey, when they took your credit card payment, that went pretty fast! Is it that nobody really cares about customer service anymore? And what is this "propagation" nonsense those techies are trying to bamboozle you with?

Is your new Web Host Provider a lemon? Did you make a big mistake choosing it?

All this has to be very frustrating, unless you understand exactly how things work. Over the next few paragraphs, I will try to demystify the DNS propagation process by telling you, in plain English, what DNS propagation is, how it works, and why it is that the only thing we can do to speed the process up is... wait.

DNS stands for Domain Name Server. I know the word Server is intimidating and you are thinking “oh sure, another article written in technicalese language”. Think of a server as a regular computer, like the one you are using now to read this. That’s right! Your beloved computer can be a server too. We call a computer a server when that machine is up and running and providing a service (“serving” something, whether a web page, a text document, etc.)

With the language barrier lowered, I will tell you that DNS can be tricky, especially when first registering a domain name or transferring your website to a web hosting provider. The strangest things can happen that would lead you to believe that your new web hosting provider is at fault.

99.99% of the time the Web Hosting Provider is not to blame and I will explain why.

There are a number of things involved in DNS that I will familiarize you with. Sorry, but it has to be done. Again, like everything else in life, once you understand how things work, things will look much brighter.

Things you need to hear about are:

– IP Addresses

– Service Providers

– Domain Names

– Domain Name Registrars

– DNS

– The Propagation Process

1. IP Addresses

Our computers talk to each other by identifying themselves using numerical addresses much like the address on your home or for your telephone. When one computer wants to speak to another computer, it all boils down to an address or what we call an “IP Address”.

Here is an example: 64.247.43.26

As you would imagine, the number of possible addresses, while immense to the untrained eye, is actually limited and we are almost on the verge of exhausting all the numbers... Here's a piece of trivia for all interested in cool facts: typically, service providers (see below) receive thousands of IP addresses to be used on their networks. IP addresses in the United States are assigned by ARIN, the American Registry for Internet Numbers. They are the assigned numbers authority and they control who gets IP addresses in the US.

2. Service Providers

The service providers will use IP addresses to identify their network equipment so that they can conduct business on the internet.

There are many different types of service providers but for the purpose of this article, I will only discuss two of them.

The ISP (or Internet Service Provider) is the company that provides you with access to the internet. Without them, you would not be able to send email or surf the world wide web. When you connect to your ISP, they will assign your computer one of their IP addresses. This IP address will be used to identify your computer while you are connected to the internet.

The WHP (or Web Host Provider, such as bsleek.com) is a company that provides a means for individuals or businesses to publish a website on the internet. When the website is published, it is placed on a special computer known as a server that is connected to the internet via a high-speed connection. The WHP has already assigned this server one of their IP addresses.

Now, let's summarize what we have learned so far by looking at a typical internet user's experience:

Let’s say that you want to surf your newly published website. You connect to the internet and your computer gets an IP address (much like a phone number, a license plate, etc) from your ISP. You then open up your web browser and type in your website’s domain name: yourdomain.com.

Then you hit enter. Your computer sends a request. That request is blasted across the internet jumping through routers and gateways, across wires and beamed to satellites and back down to Earth again. After traveling several thousand miles in just a few milliseconds, it finally arrives at your WHP’s web server because it contains the IP address of the computer you are looking for.

The server then responds by sending a copy of the website’s home page back to your computer because it knows the IP address of the computer that made the request. You are now looking at your published home page in merely a few seconds and being proud of the pretty colors you picked for your menu buttons.

How did this all happen? Read on:

3. Domain Names.

A domain name is what you typically enter into your web browser when you want to visit a website. We also use them when sending email.

Website: [http://www.yourdomain.com] / Email: [email protected]com

Domain names provide a fast and convenient way of reaching our favorite websites and sending email to each other. It is easy to remember the name of a friend’s website or a company that you like to shop with rather than trying to remember a number like: 64.247.43.26

What are we missing here? The mechanism that translates numbers into names (that is, IP addresses into domain names) and vice versa. Suspense...

4. Domain Name Registrar

If you want to have your own domain name you will need to register one through a company called a Domain Name Registrar. The domain registrar has tools that allow you to search for and register an available domain of your choosing. The registrar is more or less at the top of the whole naming scheme chain.

If you were able to read this far and even stay focused, congratulations, you are a very determined individual. And now, as a reward for reading this much of my article, I will talk about... DNS, which is the topic you came here to read about in the first place.

5. DNS

DNS is a software program that runs on a dedicated computer known as a DNS server. DNS serves two primary functions:

1) To translate domain names into IP addresses.

It’s much easier to remember a domain like mydomain.com than a sixteen digit number like 64.247.43.26. DNS servers make translating or “Resolving” this information fast and seamless. When your computer needs to know the IP address for yourdomain.com it asks a DNS server (usually the one provided by your ISP.)

2) To act as authority for designated domain names.

Wherever you decide to host your website, the network you are on must have its own DNS servers. In fact, it is an industry-wide standard to have at least two DNS servers or more. These servers will act as the authority for your domain name because your network provider will put a special entry in their DNS server as it relates to your domain name that says: YOU ARE HERE! Technically this is known as an “A” record for “Authority”.

There are literally hundreds of thousands of these DNS machines world wide. They ARE the yellow pages of the internet and they contain information about your domain name. Keep in mind that no single DNS server holds all the domain names for the internet; they only hold the names that they are responsible for, and a few pointers to find the rest.

Some DNS servers strictly store names while others are doing the work of providing lookup services for computers that need to look up names. Many DNS servers do both. Technically, the server that is responsible for a particular domain is called the “Authority”. Remember the “A” record?

There are a few pieces of crucial information stored in a DNS server with regard to your domain name. This information as a whole is known as your “DNS Record”. In it you can find a variety of other pieces of information (or records) about your domain name. For the purposes of not altering your sanity, in this article I will focus only on the domain name, the ‘A’ record (or your WHP’s DNS servers).

6. The Propagation Process

As I said before, your domain registrar is the one responsible for publishing your domain name at the very first (called root) DNS level. When it is published, it is placed into a directory that is broadcast out to primary DNS servers around the world.

The primary DNS servers broadcast out to secondary DNS servers and so on and so forth.

This process is known as propagation and it can take upwards of 72 hours to complete. Propagation refers to the amount of time it takes for all the DNS servers everywhere around the world to recognize the fact that either a new domain is being registered, a domain name has been changed, or that the authority for that domain has changed.

Other reasons why it takes so long are obviously the size of our planet and the total number of DNS servers that require updated information. DNS servers are always updating themselves and changing dynamically during the course of any given day. When or why one DNS server will receive updated information before another is a complete mystery, really!

In most cases, your DNS propagation will complete well within the 72 hour period but you can’t be sure that everything is fine until you wait out the 72 hours! Once propagation is complete, anyone, anywhere on the internet should be able to visit your hosted website.

During that time you may experience strange occurrences. This is because not every DNS server that needs to know about your domain name knows about it yet. Take your ISP, for example. They use two DNS servers; 24 hours after making your nameserver changes, only one of your ISP's DNS servers might have received the update regarding your domain name and the other might not.

If only one of these servers can resolve your domain to an IP address and the other can not, what you will experience would be as though your website was going up and down. One moment it is there, the next it is not.

Here is another example:

A friend of yours can see your new website and you can not. This is most likely because his ISP’s DNS servers are able to get the information at that time, where your ISP’s DNS servers can not.and wait another 72 hours. Ouch!

Here is a neat one:

You are transferring your hosting to a new WHP. During propagation you are working on development of some pages in your website. But you notice that when trying to view your most recent changes, they appear and then vanish or they don’t appear at all.

Think about the load-balancing DNS servers again. One server has information about your OLD WHP and the other has information about your NEW WHP! This can be a weird experience and may take some time to figure out. What you really need to do is WAIT OUT THE 72 HOURS!

You see, if you avoid making changes to your website during a transfer/propagation period, you will always have a consistent functional website available to your visitors. They won’t know that you have switched WHP’s because as far as they can tell, they are just browsing your website. They won’t realize that you are in a state of propagation and that from one minute to the next, they are potentially browsing your site from two different WHPs.

All of these occurrences are very common and each one of them will result in a phone call to the WHP asking why the server is going up and down. In reality the server is fine and your WHP is one of the finest. The problem is that the domain owner has not let 72 hours pass by, after which these and other similar problems will have vanished.

So as you can see, your Web Hosting Provider is not at fault; you just must have patience and wait the full three days before you can try to determine whether your website is experiencing a problem or not.

How to Troubleshoot DNS Problems

Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into an IP address. The DNS makes it possible to assign domain names to organizations independent of the routing of the numerical IP address. In other words, DNS is a system that translates domain names into IP addresses. This is necessary because computers only make use of IP addresses, yet we use human-readable names since the names are easier to remember than IP addresses.

Setting up DNS in your network does not necessarily require you to become an expert DNS administrator. Setting up a DNS server typically involves configuring the DNS server with DNS zones to administer the DNS domain names in a network, adding DNS resource records for the hosts in your network to your DNS zones, and delegating administration for these zones by creating a delegation from the parent DNS server previously authoritative for a domain name to the child DNS server that is accepting responsibility for a domain name. Lastly, a DNS server administrator should maintain the integrity of DNS zone data by securing the DNS in the network. You can also set up a DNS server from the command line. For more information

To correct DNS settings and troubleshoot DNS problems, you can:

1. Run nslookup from a command line and check whether the default DNS server is the one you expect.

2. Use ipconfig /all on the client to make sure the client points to the correct DNS server, that the DC points only to itself for DNS by its actual TCP/IP address, and that no ISP DNS server is listed in the TCP/IP properties of any W2K/XP machine.

3. When the machine loads it should register itself with DNS. If not, use the ipconfig /registerdns command.

4. Check Event Viewer to see whether the event logs contain any error information. On both the client and the server, check the System log for failures during the logon process. Also, check the Directory Service logs on the server and the DNS logs on the DNS server.

5. Use the nltest /dsgetdc:domainname command to verify that a domain controller can be located for a specific domain. The NLTest tool is installed with the Windows XP support tools.

6. If you suspect that a particular domain controller has problems, turn on the Netlogon debug logging. Use the NLTest utility by typing nltest /dbflag:0x2000ffff at a command prompt. The information is logged in the Debug folder in the Netlogon.log file.

7. Use the DC diagnosis tool, dcdiag /v, to diagnose any errors. If you still have not isolated the problem, use Network Monitor to monitor network traffic between the client and the domain controller.
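Step 2 of the checklist above, turned into a check that can be run over saved `ipconfig /all` output. This is an added example, not code from the original article; the output and the domain controller addresses below are constructed to look like a client whose wireless adapter still lists an ISP resolver.

```python
"""Parse `ipconfig /all` output and flag DNS servers that are not the
domain controllers (step 2 of the troubleshooting list).  The sample
output and the DC addresses are constructed for this example."""
import re

# "Ethernet adapter Local Area Connection:"
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "   DNS Servers . . . . . . . . . . . : 192.168.1.10"
FIELD_RE = re.compile(r"^\s{1,6}([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")
# further values of a multi-valued field are printed on deeply indented lines
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")


def parse_dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server addresses]} from `ipconfig /all` text."""
    servers, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers[adapter] = []
            continue
        if adapter is None:
            continue                 # still in the "Windows IP Configuration" block
        m = CONT_RE.match(line)      # continuation lines are checked first: they
        if m:                        # never carry a label, but may contain ':' (IPv6)
            if in_dns:
                servers[adapter].append(m.group(1).strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            in_dns = m.group(1).strip() == "DNS Servers"
            if in_dns and m.group(2).strip():
                servers[adapter].append(m.group(2).strip())
    return servers


def audit_dns_servers(ipconfig_text, allowed):
    """Every configured DNS server must be in `allowed` (the domain controllers;
    on a DC itself, only its own address).  Returns a list of findings."""
    findings = []
    for adapter, dns in parse_dns_servers(ipconfig_text).items():
        for addr in dns:             # adapters with no DNS servers are skipped
            if addr not in allowed:
                findings.append(f"{adapter}: DNS server {addr} is not a domain controller")
    return findings


# constructed sample; the wireless adapter still points at an outside resolver
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WKS01
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.11

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       198.51.100.53
"""
DC_SERVERS = {"192.168.1.10", "192.168.1.11"}   # constructed DC addresses

if __name__ == "__main__":
    for finding in audit_dns_servers(SAMPLE_IPCONFIG, DC_SERVERS):
        print(finding)
```

On a real machine, feed it `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` instead of the sample text.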

Under the following situations you may want to reinstall the DDNS in a Windows 2000 Active Directory:

– Some weird DNS errors have occurred and clearing DNS information has been unsuccessful.

– Services that depend upon DNS, such as the File Replication service (FRS) and/or Active Directory, are failing.

– The secondary DNS server doesn't support dynamic updates.

To reinstall the dynamic DNS in a Windows 2000 Active Directory

1. Clear the DNS information.

2. Clear the caching resolver.

3. Point all DNS to the first DNS server under TCP/IP properties.

4. Re-add the zones and configure them to be Active Directory integrated.

5. Register a resource record for DNS as well as your start of authority (SOA).

Why Is Proper DNS Functionality Essential for Website Uptime and Performance?

Whether you are hosting your website on your own server or with a web hosting service, proper functionality of Domain Name System (DNS) is essential for ensuring uptime and performance of your website. Even if your entire web server infrastructure is working fine, a tricky DNS problem can result in an unresponsive site. Thus, it is important to include DNS monitoring in your website monitoring strategy to protect your online presence as well as to enhance end-user experience.

Role of DNS:
DNS is responsible for translating an easy-to-remember website name into the IP address of the web server that hosts the site. When a user requests your website by typing its name in the browser, the DNS infrastructure points it to the address of the web server. If the site is hosted in multiple locations, it will point to the one closest to the requesting user. Once the browser has the IP address of the web server, it will then issue an HTTP request for the web page. Thus, you can see how DNS is crucial in making your website reach your customer.

DNS related issues – what may go wrong:
DNS configuration and resolution is often complex and tricky. Since a DNS resolution includes a series of steps, a problem during any of the steps can fail the entire process.

• Unavailability of DNS server: The DNS server is like any other technological infrastructure that may go down due to scheduled or unscheduled outages. When the DNS server serving information about your website goes down, the client will be unable to get the details of your web server needed to issue an HTTP request.

• Improper DNS configuration: Improper configuration of a DNS server can occur during initial setup of the domain, or later as needs change and configuration changes become necessary. You may have heard about sites not working for users from specific locations. This is the result of erroneous DNS configuration where the DNS servers will not return IP addresses for requests coming from the impacted areas. Other configuration errors may result in lost e-mail or complete inaccessibility of the site.

• Latency in DNS resolution: Latency results in slow loading of the site, even though your web hosting infrastructure is working perfectly. If a request cannot be served from the DNS cache, the resolver has to recursively query other nameservers, resulting in latency. Overload of a DNS server can also add latency to DNS requests.

• DNS cache poisoning: Local DNS resolvers with weaker security can often fall prey to an attacker who can insert a fake address record for your domain name into the DNS. Using this, the attacker can tamper with the cache records of the resolver to point your domain name to a phishing site. Such attacks are difficult to detect, especially from data centers.
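The resolver-side checks that keep a forged reply out of the cache, for the cache-poisoning bullet above and the earlier Common Vulnerabilities passage, as an added example that is not part of the original article: it builds a query, parses a response, and accepts it only when the transaction ID, the QR bit and the question section match what was sent. The hostnames and the 192.0.2.x addresses are constructed; 64.247.43.26 is the page's own example address.

```python
"""Minimal DNS message builder/parser with the validation a resolver applies
before caching a reply: matching transaction ID, QR bit set, question section
identical to the query, and only answers for the queried name kept.  Added
example for this article; all packets are built inline, nothing hits the
network.  Source address/port checks live at the socket layer (not shown)."""
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next_off)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if jumped else off


def build_query(name, txid=None):
    """Recursive A query; the random 16-bit ID is the first anti-spoofing check."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, name, ipv4, ttl=300):
    """Construct a reply carrying one A record (used only to feed the validator)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # \xc0\x0c is a pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + question + answer


def validate_response(query, resp):
    """Return [(name, ttl, ipv4), ...] if `resp` legitimately answers `query`."""
    qid, _, qdcount = struct.unpack("!HHH", query[:6])
    rid, rflags, rqd, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    if not rflags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if rflags & 0x000F:
        raise ValueError("server returned RCODE %d" % (rflags & 0xF))
    if qdcount != 1 or rqd != 1:
        raise ValueError("unexpected question count")
    qname, qend = decode_name(query, 12)
    rname, rend = decode_name(resp, 12)
    if qname.lower() != rname.lower() or query[qend:qend + 4] != resp[rend:rend + 4]:
        raise ValueError("question section does not match the query")
    answers, off = [], rend + 4
    for _ in range(ancount):
        name, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        # keep only A records for the name actually asked about
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4) and name.lower() == qname.lower():
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def accepted(query, resp):
    """True if the validator would let `resp` into the cache for `query`."""
    try:
        validate_response(query, resp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print(validate_response(q, build_response(0x1234, "www.example.com", "64.247.43.26")))
    print(accepted(q, build_response(0x9999, "www.example.com", "192.0.2.10")))         # wrong ID
    print(accepted(q, build_response(0x1234, "www.other-example.com", "192.0.2.10")))   # wrong question
```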

Continuous monitoring of DNS:
When you opt for a website monitoring service, make sure that it also includes monitoring of DNS resolution of your website. DNS monitoring includes a series of tests like HostName test, MX lookup, Reverse DNS, Blacklist check, etc., to ensure that your website visibility is not impacted because of some DNS error. Conducting these tests from multiple locations will ensure that your site is not impacted due to some erroneous DNS configuration, and is working perfectly for users all across the world.

The importance of proper DNS management increases as the business grows in terms of online presence. Effective DNS monitoring ensures that your website is not facing outages or degraded performance due to DNS-related problems.

Domain Name System (DNS) and Cyber Security Vulnerability

DNS- At the Heart of the Internet

It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.

In the early days of the Internet, users trying to reach another host on the network were required to input lengthy IP number strings (e.g., 74.125.45.105, a listed IP address for Google). As the Internet grew, number strings became more cumbersome and unworkable, as most users could not consistently remember the proper sequencing of random numbers.

To simplify this process, a solution was developed based on a flat file that related each IP address to a comparatively easy-to-remember common-language address (e.g., Amazon.com, U-Tube.com, and Twitter.com), which provided ease of use.

By the late 1980s, the flat file had evolved into the Domain Name System (DNS) in use today, a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network. Ease of use and expandability were the goal but, since cyber security attacks and malware were virtually unknown, DNS security was not a priority.

DNS is very effective and works in the background of search activity. Internet users are assured that when they type in a URL or e-mail address, they will be connected to the correct Web site or e-mail box. Many commercial companies developed brand strategies based on this functionality in order to use the Internet's reach to develop more customers and increase sales/revenue. Most of these companies adopted a .com or .net extension. The Federal government adopted a .gov or .mil extension.

DNS Brand Implications

The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g. Google, Bing, Amazon, and E-Bay) and powerful strategies were developed to market brands on the Internet.

An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry. Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.

Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful keyword searches. Web-based purchases supported by easy, convenient keyword searches now account for 20-30% of all retail business, and the Web-based e-commerce market share continues to enjoy strong growth. DNS is an integral part of this success. But as traffic on the Internet grew, the entire net became vulnerable to cyber attacks. A good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.

DNS is inherently Insecure

The original design of the Domain Name System (DNS) did not include robust security features; it was designed to be a scalable distributed system, and later attempts to add security while maintaining backwards compatibility were rudimentary and did not keep pace with the skills of malicious attackers. As a result, DNS-based attacks have repeatedly caused widespread disruption on the Internet.

Security may top the list of concerns for enterprise and network administrators, but too often the link between security vulnerability and DNS is not understood. To defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.

Consequently, any company that uses the Internet for sales, e-commerce, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks, needs to be aware of DNS vulnerability.

As the Internet expands in users, devices and traffic, so does the opportunity for sophisticated DNS mayhem, whether malicious (hacking), aggravating (spam), illegal (accessing sites whose content violates legal and regulatory mandates) or devastating (denial of service attacks).

It became evident that enterprises and ISPs must protect their users and networks, sometimes from the amateur hacker but increasingly from organized crime and state-sponsored attackers. One of the most vulnerable, critical areas was DNS. Cyber attacks are expected to increase and to have a bigger impact as the Internet grows.

The Internet is also growing by an order of magnitude, and just about every user of it is directly affected by the Domain Name System, which is an essential part of the Internet. Many Internet security mechanisms, including host access control and defenses against spam and phishing, depend heavily on the integrity of the DNS infrastructure and DNS servers.

DNS Servers

BIND (Berkeley Internet Name Domain, sometimes expanded as Berkeley Internet Name Daemon) is the most widely deployed DNS server software on the Internet, and its maintainers, the Internet Systems Consortium (ISC), still describe it as such.

Presently, BIND is the de facto standard DNS server. It is free software and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with a significantly different architecture: BIND 4, BIND 8 and BIND 9. BIND 4 and BIND 8 are now considered technically obsolete. BIND 9 is a ground-up rewrite featuring complete Domain Name System Security Extensions (DNSSEC) support in addition to other features and enhancements. Even with the rewrite, BIND in all versions has continued to need security fixes, and an unpatched BIND remains a soft target.

A new version, BIND 10, is under development, but the effectiveness of its security features is untested. Its first development release was in April 2010, and it is expected to take about five years to complete its feature set.

Although BIND is still the de facto DNS software because it ships with most UNIX-like operating systems at no cost, a number of other developers have produced DNS server software that addresses BIND's weaknesses. Vulnerability notes for these packages, and for BIND itself, are published in the CERT/CC Vulnerability Notes Database at http://www.kb.cert.org/vuls/

Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service

DNS vulnerabilities open the affected networks to various types of cyber attack, but cache poisoning and DDoS attacks are the most common.

Cache poisoning is arguably the most prominent and dangerous attack on DNS. It results in a DNS resolver storing (caching) invalid or malicious mappings between names and IP addresses. Because resolving a name depends on answers from authoritative servers located elsewhere on the Internet, and because those answers travel over UDP with only weak identifiers (a 16-bit transaction ID, the source port and the question) tying a reply to a query, an attacker who can get a forged reply accepted before the genuine one arrives has poisoned the cache. Every client of that resolver is then silently sent to the attacker's host, where it can be tricked into handing over proprietary information such as bank credentials and social security numbers.
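The matching check described above, and why a fixed source port makes it so weak, can be modelled without touching the network. The following is an added illustration, not code from the original page: a stub resolver that accepts a UDP reply only when its transaction ID, destination port and question match an outstanding query, and a blind attacker that floods forged replies for a lookup it has triggered. The victim name www.bank.test, the forged address 203.0.113.66, the fixed port and the seeds are all made up for the example; a real attacker also has to beat the genuine answer to the resolver, which is omitted here.

```python
"""Added illustration (not code from the original page): why a blind,
off-path attacker can poison a resolver cache, and what source-port
randomisation buys.

A resolver accepts a UDP reply only if the transaction ID, the destination
port and the question section all match a query it still has outstanding
(RFC 5452). Nothing is sent on the network: the "attacker" hands forged
replies straight to a Resolver object. All names and addresses are made up.
"""
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
FIXED_PORT = 53              # one fixed source port, as older resolvers used
FORGED_IP = "203.0.113.66"   # attacker-controlled address (documentation range)


def encode_name(name):
    """'www.bank.test' -> b'\\x03www\\x04bank\\x04test\\x00' (RFC 1035 labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(txid, qname, answer_ip=None):
    """Header + one A/IN question; with answer_ip, QR is set and an A record appended."""
    qr, ancount = (0x8000, 1) if answer_ip else (0, 0)
    msg = struct.pack("!HHHHHH", txid, qr | 0x0100, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if answer_ip:
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 3600, 4)
        msg += bytes(int(octet) for octet in answer_ip.split("."))
    return msg


class Resolver:
    """Stub recursive resolver: outstanding queries plus a tiny cache."""

    def __init__(self, seed, randomise_port):
        self.rng = random.Random(seed)
        self.randomise_port = randomise_port
        self.pending = {}    # (txid, src_port, question bytes) -> qname
        self.cache = {}      # qname -> ip

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomise_port else FIXED_PORT
        query = build_message(txid, qname)
        self.pending[(txid, port, query[12:])] = qname
        return txid, port

    def receive(self, dst_port, msg):
        """Return True if the reply matched an outstanding query and was cached."""
        txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
        if not flags & 0x8000 or qdcount != 1 or ancount < 1:
            return False
        question = msg[12 : msg.index(b"\x00", 12) + 5]   # name + QTYPE + QCLASS
        qname = self.pending.pop((txid, dst_port, question), None)
        if qname is None:
            return False      # wrong TXID, wrong port or wrong question: dropped
        self.cache[qname] = ".".join(str(b) for b in msg[-4:])
        return True


def poison(randomise_port, seed=1, max_ports=4):
    """Blind attacker floods forged replies for a lookup it has triggered.

    The attacker knows the question (it caused the lookup) but must guess the
    16-bit TXID and, if randomised, the source port too. Within each guessed
    port every TXID is tried, as a real flood would. The port budget is capped
    at max_ports to keep the run short; the real search space is ports x TXIDs,
    about 2^32 packets. Returns (succeeded, packets_sent, cached_ip).
    """
    resolver = Resolver(seed, randomise_port)
    attacker = random.Random(seed + 1)
    qname = "www.bank.test"   # made-up victim name
    resolver.send_query(qname)
    ports = attacker.sample(range(1024, 1 << 16), max_ports) if randomise_port else [FIXED_PORT]
    sent = 0
    for port in ports:
        for txid in range(1 << 16):
            sent += 1
            if resolver.receive(port, build_message(txid, qname, FORGED_IP)):
                return True, sent, resolver.cache[qname]
    return False, sent, resolver.cache.get(qname)


if __name__ == "__main__":
    for randomised in (False, True):
        ok, n, ip = poison(randomised)
        print(f"port randomised={randomised}: poisoned={ok} after {n} forged packets, cache={ip}")
```

With the port fixed, the attacker needs at most 65,536 forged packets, a few seconds of traffic on any real link; with the port randomised as well, the same budget of four guessed ports comes nowhere near, which is exactly the mitigation resolvers adopted in 2008 (together with 0x20 case randomisation and, longer term, DNSSEC).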

A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack aims to make computer resources unavailable to their intended users. A DDoS attack consists of concerted efforts, from many sources at once, to prevent an Internet site or service from functioning efficiently or at all.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers, such as those of government agencies, banks and credit card payment gateways, and even the root name servers. Of particular concern are DoS or DDoS attacks on large government networks such as those of the Department of Defense or the Veterans Administration.

DNS is one route by which a network can be taken down in a DDoS attack: if an organization's authoritative name servers are flooded, every service under its domain becomes unreachable by name even though the services themselves are still running.

Until effective measures that reduce DNS vulnerabilities are widely deployed, cyber attacks will keep increasing, particularly as new protocols expand the reach of the Internet.

Internet Protocol Version 6 (IPv6)

It was inevitable that the IPv4 address space would be exhausted, and it is near that point now.

The Internet is rapidly running out of addresses, and the solution, an expanded Internet Protocol, may create additional exposure of its own. The phenomenon is known as IPv4 address exhaustion: the pool of unallocated address space disappears.

Internet Protocol version 6 (IPv6) is the replacement for Internet Protocol version 4 (IPv4), the primary Internet Protocol in operation since 1981. The driving force for the redesign was the foreseeable IPv4 address exhaustion; without the new protocol, the Internet will run out of addresses.

IPv6 has a significantly larger address space than IPv4: IPv6 uses a 128-bit address while IPv4 uses 32 bits. This expansion provides flexibility in allocating addresses and routing traffic and removes the growing need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.

The IPv6 transition, however, also opens new avenues for attack: more users and applications gain direct access to the Internet, dual-stack hosts double the surface to defend, and monitoring written for IPv4 may not see IPv6 traffic at all.

DNSSEC

Some analysts believe that the Domain Name System Security Extensions (DNSSEC) provide an effective and comprehensive solution to DNS vulnerability. This is not the case.

DNSSEC adds digital signatures to DNS data so that a validating resolver can authenticate the answers it receives and detect tampering. That helps defeat attacks such as pharming, cache poisoning and DNS redirection, which are used to commit fraud, identity theft and the distribution of malware. It does not encrypt queries, it does nothing against denial of service (signed responses are in fact larger than unsigned ones), and it cannot make data secure that was already wrong when it was signed.

It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC has been hampered by several procedural difficulties, not least the lack of universal deployment and the perceived complexity of deploying it.

Some of these problems are being resolved, and deployment in various domains is in progress. This may take an extended period, however, and in the meantime DNS remains vulnerable.

Quite apart from the technical limitations, progress in implementing DNSSEC has been slow, particularly in the Federal Government. Although the Office of Management and Budget mandated that all government agencies adopt DNSSEC by December 2009, nine months after that deadline only 30-40% of agencies had complied.

Government Network Solutions

Today’s complex government networks must deliver the utmost security and reliability to protect against potential national security threats. A poorly architected DNS service infrastructure poses one of the greatest security vulnerabilities for any government network.

Likewise, choosing the wrong DNS solution can turn an otherwise well-architected service infrastructure into a compromised system capable of undermining data integrity and network stability.

Security against cyber attack is mandatory for government networks. More than any other networks, government networks demand the highest level of monitoring and visibility, security fortification, alerting and blocking to ensure appropriate corrective action. Without this protection, National Security and other nationwide infrastructure can be compromised.

Government Networks Have Unique Needs but Face Cumbersome Solutions

Until recently, federal cyber security efforts have been fragmented and cumbersome. More attention was paid to time-consuming reporting requirements than to security itself. Standards are important for establishing a baseline of security and for limiting the damage from cyber attacks, but overly restrictive reporting requirements diminish their effectiveness.

In many ways, for government organizations, the information superhighway has become a virtual minefield. Government networks face this new global problem as much, if not more than other networks.

Not only do they have to support their users’ performing the tasks necessary to complete their missions with uninterrupted Internet access, but they also have to ensure that this access remains uncompromised. Network administrators must continuously balance the need for open access for critical users against the need to keep the network secure.

When a user at a government organization goes to a website (on any of several types of network), they need to know that the content they receive is exactly what they were expecting. And just like subscribers on a service provider network, they need to be protected from known and suspected sites used to break into computers. The criticality of very large networks and the drive to interconnect agencies make many federal networks particularly vulnerable.

All of this has to be done with the highest possible level of performance and availability. Government organizations also need to be absolutely certain that they can comply with DNSSEC and IPv6 mandates.

The government recognizes and is addressing the needs of cyber security. Recent steps include the creation of a Cyber Command for the DoD and the intelligence agencies, a streamlining by the Office of Management and Budget of reporting requirements, and the elevation of cyber security to a priority effort by the administration.

However, progress has been slow. Officials from key federal agencies, including the Departments of Defense and Homeland Security and the Office of Management and Budget, say they are moving too slowly to implement most of the 24 recommendations President Barack Obama outlined in his May 2009 cyber policy review.

How to Troubleshoot DNS Problems

Domain Name System (DNS) is a distributed database that translates a computer's fully qualified domain name into an IP address. DNS makes it possible to assign domain names to organizations independently of how the numerical IP addresses are routed. In other words, DNS translates domain names into IP addresses. This is necessary because computers work only with IP addresses, while people use names, which are easier to remember.

Setting up DNS in your network does not require you to become an expert DNS administrator. Setting up a DNS server typically involves configuring it with the DNS zones that will hold the domain names in your network, adding DNS resource records for the hosts in your network to those zones, and delegating administration for the zones by creating a delegation on the parent DNS server (previously authoritative for the name) to the child DNS server that is taking responsibility for it. Lastly, a DNS server administrator should maintain the integrity of DNS zone data by securing DNS in the network. You can also set up a DNS server from the command line. For more information

To correct DNS settings and troubleshoot DNS problems, you can

1. Run nslookup from a command line and check that the default server it reports is the DNS server you expect; if it is not, the client is resolving through the wrong server and the remaining steps will mislead you.

2. Use ipconfig /all on the client to confirm that it points to the correct DNS server, that the domain controller points only to itself for DNS by its actual IP address (not a loopback address), and that no ISP DNS server is listed in the TCP/IP properties of any Windows 2000/XP machine in the domain.

3. When a machine boots it should register itself with the DNS server. If it has not, run ipconfig /registerdns on it.

4. Check Event Viewer for error information. On both the client and the server, check the System log for failures during the logon process; also check the Directory Service log on the server and the DNS Server log on the DNS server.

5. Use nltest /dsgetdc:domainname to verify that a domain controller can be located for the domain. NLTest is installed with the Windows XP Support Tools.

6. If you suspect that a particular domain controller has problems, turn on Netlogon debug logging with nltest /dbflag:0x2000ffff. The output is written to Netlogon.log in the %SystemRoot%\Debug folder.

7. Use the Domain Controller Diagnostic tool, dcdiag /v, to report any errors. If you still have not isolated the problem, use Network Monitor to capture the traffic between the client and the domain controller.
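What nltest /dsgetdc relies on underneath (step 5) is an ordinary DNS SRV lookup: a domain member finds its domain controllers by querying _ldap._tcp.dc._msdcs.<domain>, so if that record is missing or points at a dead host, logons fail however healthy the DC is. The following added example, which is not code from the original page or any Microsoft tool, builds that exact query, decodes an SRV answer including DNS name compression, and can send the query to a server of your choice from any operating system. The domain corp.test, the hosts dc1 and dc2, the transaction IDs and the ask() helper are assumptions for the illustration; SAMPLE_REPLY is hand-built, not captured traffic.

```python
"""Added example (not from the original page): the DNS lookup behind
'nltest /dsgetdc:domainname'. A domain member locates a domain controller by
asking for SRV records under _ldap._tcp.dc._msdcs.<domain>. This script builds
that query, decodes the SRV answer (handling name compression), and can send
it to a nameserver of your choice. SAMPLE_REPLY is constructed by hand for an
imaginary domain corp.test; nothing here is captured data.
"""
import socket
import struct

QTYPE_SRV, QCLASS_IN = 33, 1


def encode_name(name):
    """'corp.test' -> b'\\x04corp\\x04test\\x00' (RFC 1035 labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dc_query(txid, domain):
    """Query for the DC locator SRV records of `domain` (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(f"_ldap._tcp.dc._msdcs.{domain}") + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    return header + question


def read_name(msg, offset):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # pointer: 2 bytes, 14-bit offset
            if end is None:
                end = offset + 2                  # the name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_srv_reply(msg, expected_txid):
    """Return [(priority, weight, port, target)] sorted by priority then weight."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):                      # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = read_name(msg, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return sorted(records)                        # lowest priority first, as a client prefers


def _build_sample_reply(txid):
    """Constructed answer: two DCs for corp.test, dc1 preferred (lower priority)."""
    question = encode_name("_ldap._tcp.dc._msdcs.corp.test") + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    msg = struct.pack("!HHHHHH", txid, 0x8580, 1, 2, 0, 0) + question   # QR AA RD RA, 2 answers
    for prio, host in ((10, "dc2"), (0, "dc1")):
        # Owner = pointer to the question name (offset 12); target = '<host>' plus a
        # pointer to 'corp.test', which starts at offset 33 inside the question name.
        rdata = struct.pack("!HHH", prio, 100, 389) + encode_name(host)[:-1] + b"\xC0\x21"
        msg += struct.pack("!HHHIH", 0xC00C, QTYPE_SRV, QCLASS_IN, 600, len(rdata)) + rdata
    return msg


SAMPLE_TXID = 0x1234
SAMPLE_REPLY = _build_sample_reply(SAMPLE_TXID)


def ask(server, domain, timeout=3.0):
    """Send the real query over UDP to `server` and parse the answer (needs network)."""
    txid = 0x4242                                 # fixed here; a real client randomises it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dc_query(txid, domain), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_reply(data, txid)


if __name__ == "__main__":
    print(parse_srv_reply(SAMPLE_REPLY, SAMPLE_TXID))
```

Run against the DNS server the client actually uses (ask("10.0.0.1", "corp.test"), for instance) and compare the targets with the domain controllers you expect; an empty list, an RCODE error, or a target that does not resolve is the same fault nltest reports, seen one layer down.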

Under the following situations you may want to reinstall dynamic DNS (DDNS) in a Windows 2000 Active Directory:
Unexplained DNS errors have occurred and clearing the DNS information has not helped.
Services that depend on DNS, such as the File Replication Service (FRS) or Active Directory itself, are failing.
The secondary DNS server does not support dynamic updates.

To reinstall dynamic DNS in a Windows 2000 Active Directory:

1. Clear the DNS information.

2. Clear the caching resolver.

3. Point the DNS settings of all machines to the first DNS server under TCP/IP properties.

4. Re-add the zones and configure them to be Active Directory integrated.

5. Register a resource record for the DNS server as well as your start of authority (SOA).

B K Dash [http://www.techs24x7.com] is dedicated to provide latest NEWS and information on Emerging Technology & also we are updating Latest Technology NEWS on our Technology BLOG [http://www.blog.techs24x7.com] to serve the World 24×7 Online…
