Let's move on. Let's suppose you want to put up a web site on your new domain name? You find a suitable, reliable web hosting company, buy an account and visit their control panel and create your web site, even if it is just a simple page with "Hello, world" on it.

Now you have a choice to make - you need to setup your DNS settings. For this example, let's say your DNS is currently hosted at GoDaddy, you can continue with that and go and add records there or you could move your DNS to your web hosting company, it's your choice (dedicated DNS hosting is available from EasyDNS, DNS Made Easy and DynDNS - all excellent companies with good infrastructure). If you want to stay with GoDaddy for DNS, you will need to change a few things, basically, remove your entries from pointing to parking servers to point to real servers. There is nothing inherently wrong with staying with GoDaddy, they have reasonable controls and they seem to work well. But, being IT people we never can leave well enough alone. So let's use our own DNS server, at our hosting company. We will need to use their control panel to add all of our DNS records to the new name server. Minimally, we need to create the following records:

; Zone file for yada123.com
$TTL 14400
@      86400    IN      SOA     ns1.examplehost.com. hostmaster.examplehost.com. (                2009031602      ; serial, todays date+todays
             86400           ; refresh, seconds
             7200            ; retry, seconds
             3600000         ; expire, seconds
             86400 )         ; minimum, seconds

Comment (1) Read More...

Over the past few weeks I have been seeing reports that some ISP's are actually subverting DNS queries to their own DNS server. Oh the humanity! What this means is that when you (your computer) does a UDP or TCP Port 53 DNS query the ISP is intercepting that and directing it to their own servers. Has anyone been told by their ISP that they are doing this? No? I didn't think so. Subversion of DNS, even for your own good, is not a good thing. This has the effect of controlling wherever you go on the internet. It is a good thing our ISP's know better than we do. Not!

I need your help here. I would like you to run some simple tests and report your results to me. I need you to run an NSLOOKUP or DIG to a specific name server on a specific zone that the DNS has not been made aware of. Using the zone for the query will cause any subverted queries to return non-existent domain (NXDOMAIN). If you have a few minutes please go to the following link on my home page and give it a try. Go to http://www.paulparisi.com/queryproject and input your findings. Once we get a critical mass we will start to publish the report. 

 

Comment (1) Read More...

Many DNS issues result from gaps in our knowledge – typically because we do not work with DNS all that much. So I thought it would be good to give you an overview of what happens from the beginning. The premise here is you want to implement a new DNS domain name. Let’s pick something to experiment with, yada123.com, first we need to see if the domain name is available and if so, we need to register it. For this example we are going to use GoDaddy, but any registrar should be fine. Go to www.godaddy.com. Find the search field on the form, GoDaddy’s home page is a bit cluttered but the search is there. Type in yada123.com and hit enter or click go. Congratulations we see that yada123.com is available. We need to buy the domain name. Complete the purchase process and once done, you will have a new domain name.

Now what actually happened here? Once you paid for your domain. GoDaddy added a record to its database, and being that it is a registrar, it sends that information to the root servers for the domain you registered, in this example, the {dot}com domain. The root servers are a collection of servers distributed all over the world that keep the initial pointers to the sub domains for which it is responsible. For example, there are root servers which hold the pointers to the servers responsible for the next level zones. When you read a domain name you read from right to left, and all DNS zones begin with a period, which indicates the root, sometimes people do not type the period when referring to domains but it is implicitly there. So for example, we look at yada123{dot}com{dot} we see that we can start at the {dot} zone, the root, and ask those servers “where do I go to get information on the {dot}com zone?”, the root servers will return a list of server which can be asked about {dot}com zones. These are the servers that GoDaddy has to notify that it has a new domain that has been registered and that the nameservers for that domain are NS57.DOMAINCONTROL.COM and NS58.DOMAINCONTROL.COM, for this example.

Ok, so here is the deal, you open a browser right now and type in www.yada123.com, what happens? Your browser checks its internal DNS cache to see if there is an entry for yada123.com, since there is not, the browser then asks the local resolver if it has an entry for yada123.com, the local resolver says no, but says please hold, it (the local resolver) then asks the DNS server it has been configured with if it knows anything about yada123.com, that DNS server checks its cache, finding nothing, it asks the root servers for the {dot}com servers, it gets the answer then asks the {dot}com servers what they know about the yada123{dot}com zone, if the changes have propagated to the server you asked it should return the SOA record (Start of Authority) for yada123{dot}com, which is NS57.DOMAINCONTROL.COM and NS58.DOMAINCONTROL.COM. Ok now we know which server we have to ask about the www record for yada123{dot}com. Next, the DNS server opens a connection to one of those two servers (NS57 or NS58) and asks for the www record in zone yada123{dot}com – what is the answer? If the record is an A record it will return an IP address. If it is a CNAME (canonical name) it will return another record to lookup, ultimately resulting in an IP address. Now wait, what is the IP address that we are going to get in this specific case? When we registered with GoDaddy, they created a placeholder for the domain and it will direct browsers to a “parking” page hosted by GoDaddy.

Comment (0) Read More...

We are at an inflection point in our lifetimes. The Internet is broken, seriously broken. Why is it broken you ask? The root cause is trust, that there is trust built into the fabric of the Internet. Each “part” that works in the Internet trusts the other parts, think DNS, BGP and the like. When these were designed they were all designed in a framework where they could trust each other. I co-opted Ronald Reagan’s phrase of “trust but verify” for a previous company I started which was involved in corporate email forensics, that we should trust our corporate email users but be able to verify what is passing thru that system. Almost all of the systems currently in use on the Internet are based on implicit trust. This has to change. The problem is that these systems are so embedded in our everyday lives that it would be, sort of like, changing gravity, very difficult. There are many things that can be done and are being done, but the fact is they are almost all “band-aids” and do not really offer any substantial lurch forward. Or we could really fix it, how about we start with not allowing spoofed IP packets to be routed by ISP’s, this would go a long way toward reducing the risk, of course so would IPv6 and DNSSEC. But until something radical is done we should say “Houston, we have a problem”! So, as I said in a recent TV interview, if you are concerned about privacy, identity theft and the like, simply don’t use the Internet. I am out of time for now; I need to go check my bank balance…

Comment (0)