Managing Mission - Critical Domains and DNS电子书

Title Page

Copyright and Credits

Managing Mission-Critical Domains and DNS

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

The Domain Name Ecosystem

Why domains are important

Domain names 101

Anatomy of a domain name

Registry details

Registrar WHOIS server

Expiry date

The registrant contact set

The administrative contact set

Use a domain you control

Use a different domain than the name in the record

Use an exploder

Use a unique address

Alternatively, use canaries

The tech contact set

The billing contact set

DNS details

Status

Status flags set by the registry

Ok

inactive

autoRenewPeriod

pendingTransfer

redemptionPeriod

pendingDelete

Status Flags set by the Registrar

clientHold

clientDeleteProhibited

clientTransferProhibited

clientUpdateProhibited

clientRenewProhibited

Understanding the domain name expiry cycle

Domain expires (day 0)

Domain gets parked (days 3 to 5-ish)

RGP – Registrant Grace Period (up to 45 days)

Redemption period (day 45-ish)

PendingDelete – day 90 (5 days)

Never do this

What to do if you lose a key domain

Summary

References

Registries, Registrars, and Whois

Registries and Registrars

Generic TLDs

Country Code TLDs (ccTLDs)

New Top-Level Domains

IDN TLDs

Online tools for converting punycode

Infrastructure TLDs

Registrars and Resellers

An effective Registrar should...

What is Whois?

Thin versus thick Whois

Whois privacy

RegisterFly – The Lehman Brothers' moment of the domain industry

How to tell whether Whois privacy is enabled

Why you should always use Whois privacy

Why you should never use Whois privacy

Where is Whois going?

Europe's GDPR and its effect on Whois

Registration Data Access Protocol (RDAP)

Further reading

Summary

Intellectual Property Issues

Which domains should your organization register?

Asserting Your trademarks within the new TLD landscape

Rollout phases of a new TLD

Sunrise

Landrush

Premium auction

The Trademark Clearing House

Typo domains

What is "CyberSquatting"?

Dispute mechanisms

Uniform Domain Name Dispute Resolution Policy (UDRP)

How the UDRP works

Uniform Rapid Suspension System (URSS)

What if somebody tries to take your domains?

What happens when somebody initiates a UDRP against your domain?

Transfer Dispute Resolution Procedure (TDRP)

Summary

References

Communication Breakdowns

Domain policies you must be aware of

The Whois Accuracy Program (WAP)

Incorrect or bad Whois reports

Domain slamming

Phishing

Email phishing (spearphishing)

Web phishing

Unintentional expiry

Search engine/trademark registrations

Domain scams

The Foreign Infringer scam

Aftermarket scams

Buy-side scam

Sell-side scams

DNS failures

Summary

References

A Tale of Two Nameservers

Introducing resolvers

Differences between stub resolvers, caching resolvers, and full resolvers

Stub resolvers

Caching resolvers

Full resolvers

Negative caches

Authoritative nameservers

Primary Nameserver

Hidden primaries

Hidden primary considerations

Secondary nameservers

Summary

References

DNS Queries in Action

Top-level domain nameservers

Nameserver order

How does a resolver know where the "." nameservers are?

Anatomy of a DNS lookup

Format of a DNS query

Transaction ID

Number of questions

Number of answers

Number of authority records

Number of additional records

Query name

Query type

Query class

Additional section responses in queries

When does DNS use TCP instead of UDP?

Zone transfers happen over TCP

EDNS and large responses

The anatomy of a DNS query – how nameserver selection actually works

Summary

References

Types and Uses of Common Resource Records

Format of an RR

Constructing a zone

Start of Authority (SOA)

MNAME (Originating Nameserver)

RNAME (Point of Contact)

Serial

Date-based

Unix timestamp

Raw count

When the format of the Serial actually matters

The Refresh interval

The Retry interval

The Expire interval

Minimum

Can't You Just Set Your $TTL To 0?

Nameserver (NS)

A/IPv4 Address

CNAME/Alias

When to use Aliases vs Hostnames

The Mail Exchanger (MX) record

Preferences, Priorities, and Delivery Order

Backup MX handler considerations

Special case MX records

Managing many MX domains

TXT/Text Records

SPF records

SRV

NAPTR

DNAME

PTR

IPv6

AAAA

A6

CERT

TLSA

CAA

DNSSEC-specific RR Types

Summary

References

Quasi-Record Types

URL Forwards and Redirects

The Zone Apex Alias (ANAME)

Updates

Multiple A records (RRSets)

CNAME chains

POOL records (multiple CNAME RRSet)

Why can't you have a CNAME with other data?

DYN (Dynamic DNS records)

Email forwarders

Generic email forwarding

Separating forwarders from backup spooling via MX records

How to handle a large volume of email – where to cluster?

Summary

References

Common Nameserver Software

BIND

BIND-DLZ

Adding new zones to busy BIND 9 servers (in the olden days)

PowerDNS

Things to know

The Supermaster (auto-adding new zones to secondaries)

Installation

Lua integration

Configuring powerdns

Converting BIND-style zone data into powerdns

Slaving PowerDNS from BIND masters

Using a PowerDNS master to BIND secondaries

Adding custom backends to PowerDNS

PowerDNS wrap-up

NSD

Things to know

No native support for RFC 2136 dynamic DNS

Notifies to slaves

Installation and setup

nsd wrap-up

djbdns/tinydns

Things to know

No native support for DNSSEC

No responses for non-authoritative domains

TCP not supported in main daemon

Supports IPv6, SRV, NATPR, etc, natively, out-of-box (mostly)

All zones in a single datafile

How time is handled

Installation from source

daemontools

ucspi-tcp

Getting your bind data into tinydns

axfr each zone

Using a parser

Slaving from a Bind master

Slaving bind from a tinydns master

tinydns wrap-up

Knot DNS

Installation

Configuration

knotc – the Knot DNS controller

Slaving zones

DNSSEC support

Conclusion

References

Debugging Without Tears – DNS Diagnostic Tools

Command line-based tools

whois

Are we looking at the correct domain?

Has the domain expired at the registry?

What is the Registry/Registrar status of the domain?

Is the domain using the expected nameservers?

Is it DNSSEC-signed?

How to look at a Whois record for a new TLD

dig

Understanding dig responses

The HEADER section

The ANSWER section

The AUTHORITY section

The ADDITIONAL section

Using dig

DNSSEC

Reverse lookups

Delegation chains

host

named-checkzone and named-checkconf

dnstop

Web-based debugging tools

DNS stuff

whatismydns

dnsviz

easywhois

domaintools

Summary

References

DNS Operations and Use Cases

Transferring domain names

Change of registrant

Nameserver redelegations

Redelegating DNSSEC-signed domains

Registrar transfer (without changing nameservers)

IMPORTANT – make sure your new registrar knows what to do with the nameservers

Beware! Transfers may trigger the WAP!

Steps of a registrar transfer

Registrar transfer and nameserver redelegation

Adding additional nameservers

External secondaries

External masters

Other considerations

Structuring secondary DNS arrangements

Securing zone transfers with TSIG

Syncing zone data across secondaries

Planning migrations with DNS updates

Moving to new nameservers

Moving single zones

Have the new nameservers slave from the current master

Setting up a new master to serve the new nameservers

Moving entire portfolios of domains

Round Robin DNS

Load-balancing/global weighted load-balancing

DNS failover

The target resource must be monitored

Its health must be measured and evaluated

The standby resource must be ready

There must be a reversion strategy

Dynamic DNS

Standards-based dynamic DNS (RFC 2136)

Dynamic DNS via web requests

Geo DNS

Edns-client-subnet

Native support for Geo DNS

PowerDNS and GeoIP backend

BIND and Geo IP

A GeoIP fork for djbdns

GeoDNS-centric nameservers

Anycast method

Custom PowerDNS backend method

Zone apex aliasing

Reverse DNS and netblock subdelegations

Classless reverse DNS

The proper way to do sub-/24 PTR records

The RFC 2317 method

RFC2317 modified

Implementing SPF, DKIM, and DMARC

SPF

SPF – things to know

SPF breaks email-forwarding

Overcomplicated SPF records can lead to bounces

DKIM

DMARC

Summary

References

Nameserver Considerations

Anycast versus Unicast

Unicast architectures

Anycast DNS

Your own Autonomous System Number (ASN)

Address space to announce

Transit providers

The aftermarket

Transit providers who will route you

Nameserver configurations

Debugging under anycast

Anycast DNS and DDoS mitigation

Heterogeneity vs homogeneity in nameserver deployments

Nameserver records

IP space

Numbering and delegation schemes

Vanity nameservers

TLD redundancy

Resolvers

Summary

References

Securing Your Domains and DNS

Protecting your domains from unauthorized manipulation

Cybercriminals hack DNS provider to take over Brazilian bank

Account ACLs

Multi-factor authentication

Event notifications

Transfer locks

Registry locks

DNS Security Extensions (DNSSEC)

What DNSSEC does

Is DNSSEC really a magic bullet for DNS security?

Drawbacks of using DNSSEC

When to use DNSSEC

Signing your zones

Preparing a DNSSEC deployment

Key structure

Key rollover policy

Trust chains

How is the internet root authenticated?

Operational ramifications of DNSSEC

Zone updates

Using multiple providers with DNSSEC

DNSSEC Resource Record Types

RRSIG

DNSKEY

DS (Delegation Signer)

Effect of key rollovers on the DS

How do I get my DS records into the parent zone?

Maintaining DS keys after initial setup (CDS/CDNSKEY)

NSEC/NSEC3

Implementing DNSSEC on your nameservers

PowerDNS

pre-signed

front-signing

BIND

NSD

Tinydns

Key rollovers

Double-signing method

Prepublish method

Key-rolling utilities

Further resources

Securing DNS lookups

DNSCurve

DNS over TLS

Summary

References

DNS and DDoS Attacks

What DNS operators can do to mitigate attacks

Separating the target

Response-Rate Limiting (RRL)

Dnsdist – the Swiss Army knife of DNS middleware

Kernel filtering of queries

Mitigation devices

Mitigation services

Colocated gear

Via BGP

Via glue records

Reverse proxy

GRE Tunnels

DDoS mitigation services

What individual domain owners can do

Using multiple DNS solutions

Keeping your data in sync across those deployments

Monitoring the health of your nameserver delegation

Open source monitoring tools

Monitoring services

The ability to change delegations when required

For DNS providers

Summary

References

IPv6 Considerations

IPv6-enabled nameservers

Adding IPv6 to your zones

Reverse DNS for IPv6

Queries for IPv6

Operational considerations

Transport-independent

Avoiding IPv4/IPv6 fragmentation

TTL considerations

Resolver considerations

Summary

References

Other Books You May Enjoy

Leave a review - let other readers know what you think