售 价:¥
温馨提示:数字商品不支持退换货,不提供源文件,不支持导出打印
为你推荐
Title Page
Copyright and Credits
Managing Mission-Critical Domains and DNS
Dedication
Packt Upsell
Why subscribe?
PacktPub.com
Contributors
About the author
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
The Domain Name Ecosystem
Why domains are important
Domain names 101
Anatomy of a domain name
Registry details
Registrar WHOIS server
Expiry date
The registrant contact set
The administrative contact set
Use a domain you control
Use a different domain than the name in the record
Use an exploder
Use a unique address
Alternatively, use canaries
The tech contact set
The billing contact set
DNS details
Status
Status flags set by the registry
Ok
inactive
autoRenewPeriod
pendingTransfer
redemptionPeriod
pendingDelete
Status Flags set by the Registrar
clientHold
clientDeleteProhibited
clientTransferProhibited
clientUpdateProhibited
clientRenewProhibited
Understanding the domain name expiry cycle
Domain expires (day 0)
Domain gets parked (days 3 to 5-ish)
RGP – Registrant Grace Period (up to 45 days)
Redemption period (day 45-ish)
PendingDelete – day 90 (5 days)
Never do this
What to do if you lose a key domain
Summary
References
Registries, Registrars, and Whois
Registries and Registrars
Generic TLDs
Country Code TLDs (ccTLDs)
New Top-Level Domains
IDN TLDs
Online tools for converting punycode
Infrastructure TLDs
Registrars and Resellers
An effective Registrar should...
What is Whois?
Thin versus thick Whois
Whois privacy
RegisterFly – The Lehman Brothers' moment of the domain industry
How to tell whether Whois privacy is enabled
Why you should always use Whois privacy
Why you should never use Whois privacy
Where is Whois going?
Europe's GDPR and its effect on Whois
Registration Data Access Protocol (RDAP)
Further reading
Summary
Intellectual Property Issues
Which domains should your organization register?
Asserting Your trademarks within the new TLD landscape
Rollout phases of a new TLD
Sunrise
Landrush
Premium auction
The Trademark Clearing House
Typo domains
What is "CyberSquatting"?
Dispute mechanisms
Uniform Domain Name Dispute Resolution Policy (UDRP)
How the UDRP works
Uniform Rapid Suspension System (URSS)
What if somebody tries to take your domains?
What happens when somebody initiates a UDRP against your domain?
Transfer Dispute Resolution Procedure (TDRP)
Summary
References
Communication Breakdowns
Domain policies you must be aware of
The Whois Accuracy Program (WAP)
Incorrect or bad Whois reports
Domain slamming
Phishing
Email phishing (spearphishing)
Web phishing
Unintentional expiry
Search engine/trademark registrations
Domain scams
The Foreign Infringer scam
Aftermarket scams
Buy-side scam
Sell-side scams
DNS failures
Summary
References
A Tale of Two Nameservers
Introducing resolvers
Differences between stub resolvers, caching resolvers, and full resolvers
Stub resolvers
Caching resolvers
Full resolvers
Negative caches
Authoritative nameservers
Primary Nameserver
Hidden primaries
Hidden primary considerations
Secondary nameservers
Summary
References
DNS Queries in Action
Top-level domain nameservers
Nameserver order
How does a resolver know where the "." nameservers are?
Anatomy of a DNS lookup
Format of a DNS query
Transaction ID
Number of questions
Number of answers
Number of authority records
Number of additional records
Query name
Query type
Query class
Additional section responses in queries
When does DNS use TCP instead of UDP?
Zone transfers happen over TCP
EDNS and large responses
The anatomy of a DNS query – how nameserver selection actually works
Summary
References
Types and Uses of Common Resource Records
Format of an RR
Constructing a zone
Start of Authority (SOA)
MNAME (Originating Nameserver)
RNAME (Point of Contact)
Serial
Date-based
Unix timestamp
Raw count
When the format of the Serial actually matters
The Refresh interval
The Retry interval
The Expire interval
Minimum
Can't You Just Set Your $TTL To 0?
Nameserver (NS)
A/IPv4 Address
CNAME/Alias
When to use Aliases vs Hostnames
The Mail Exchanger (MX) record
Preferences, Priorities, and Delivery Order
Backup MX handler considerations
Special case MX records
Managing many MX domains
TXT/Text Records
SPF records
SRV
NAPTR
DNAME
PTR
IPv6
AAAA
A6
CERT
TLSA
CAA
DNSSEC-specific RR Types
Summary
References
Quasi-Record Types
URL Forwards and Redirects
The Zone Apex Alias (ANAME)
Updates
Multiple A records (RRSets)
CNAME chains
POOL records (multiple CNAME RRSet)
Why can't you have a CNAME with other data?
DYN (Dynamic DNS records)
Email forwarders
Generic email forwarding
Separating forwarders from backup spooling via MX records
How to handle a large volume of email – where to cluster?
Summary
References
Common Nameserver Software
BIND
BIND-DLZ
Adding new zones to busy BIND 9 servers (in the olden days)
PowerDNS
Things to know
The Supermaster (auto-adding new zones to secondaries)
Installation
Lua integration
Configuring powerdns
Converting BIND-style zone data into powerdns
Slaving PowerDNS from BIND masters
Using a PowerDNS master to BIND secondaries
Adding custom backends to PowerDNS
PowerDNS wrap-up
NSD
Things to know
No native support for RFC 2136 dynamic DNS
Notifies to slaves
Installation and setup
nsd wrap-up
djbdns/tinydns
Things to know
No native support for DNSSEC
No responses for non-authoritative domains
TCP not supported in main daemon
Supports IPv6, SRV, NATPR, etc, natively, out-of-box (mostly)
All zones in a single datafile
How time is handled
Installation from source
daemontools
ucspi-tcp
Getting your bind data into tinydns
axfr each zone
Using a parser
Slaving from a Bind master
Slaving bind from a tinydns master
tinydns wrap-up
Knot DNS
Installation
Configuration
knotc – the Knot DNS controller
Slaving zones
DNSSEC support
Conclusion
References
Debugging Without Tears – DNS Diagnostic Tools
Command line-based tools
whois
Are we looking at the correct domain?
Has the domain expired at the registry?
What is the Registry/Registrar status of the domain?
Is the domain using the expected nameservers?
Is it DNSSEC-signed?
How to look at a Whois record for a new TLD
dig
Understanding dig responses
The HEADER section
The ANSWER section
The AUTHORITY section
The ADDITIONAL section
Using dig
DNSSEC
Reverse lookups
Delegation chains
host
named-checkzone and named-checkconf
dnstop
Web-based debugging tools
DNS stuff
whatismydns
dnsviz
easywhois
domaintools
Summary
References
DNS Operations and Use Cases
Transferring domain names
Change of registrant
Nameserver redelegations
Redelegating DNSSEC-signed domains
Registrar transfer (without changing nameservers)
IMPORTANT – make sure your new registrar knows what to do with the nameservers
Beware! Transfers may trigger the WAP!
Steps of a registrar transfer
Registrar transfer and nameserver redelegation
Adding additional nameservers
External secondaries
External masters
Other considerations
Structuring secondary DNS arrangements
Securing zone transfers with TSIG
Syncing zone data across secondaries
Planning migrations with DNS updates
Moving to new nameservers
Moving single zones
Have the new nameservers slave from the current master
Setting up a new master to serve the new nameservers
Moving entire portfolios of domains
Round Robin DNS
Load-balancing/global weighted load-balancing
DNS failover
The target resource must be monitored
Its health must be measured and evaluated
The standby resource must be ready
There must be a reversion strategy
Dynamic DNS
Standards-based dynamic DNS (RFC 2136)
Dynamic DNS via web requests
Geo DNS
Edns-client-subnet
Native support for Geo DNS
PowerDNS and GeoIP backend
BIND and Geo IP
A GeoIP fork for djbdns
GeoDNS-centric nameservers
Anycast method
Custom PowerDNS backend method
Zone apex aliasing
Reverse DNS and netblock subdelegations
Classless reverse DNS
The proper way to do sub-/24 PTR records
The RFC 2317 method
RFC2317 modified
Implementing SPF, DKIM, and DMARC
SPF
SPF – things to know
SPF breaks email-forwarding
Overcomplicated SPF records can lead to bounces
DKIM
DMARC
Summary
References
Nameserver Considerations
Anycast versus Unicast
Unicast architectures
Anycast DNS
Your own Autonomous System Number (ASN)
Address space to announce
Transit providers
The aftermarket
Transit providers who will route you
Nameserver configurations
Debugging under anycast
Anycast DNS and DDoS mitigation
Heterogeneity vs homogeneity in nameserver deployments
Nameserver records
IP space
Numbering and delegation schemes
Vanity nameservers
TLD redundancy
Resolvers
Summary
References
Securing Your Domains and DNS
Protecting your domains from unauthorized manipulation
Cybercriminals hack DNS provider to take over Brazilian bank
Account ACLs
Multi-factor authentication
Event notifications
Transfer locks
Registry locks
DNS Security Extensions (DNSSEC)
What DNSSEC does
Is DNSSEC really a magic bullet for DNS security?
Drawbacks of using DNSSEC
When to use DNSSEC
Signing your zones
Preparing a DNSSEC deployment
Key structure
Key rollover policy
Trust chains
How is the internet root authenticated?
Operational ramifications of DNSSEC
Zone updates
Using multiple providers with DNSSEC
DNSSEC Resource Record Types
RRSIG
DNSKEY
DS (Delegation Signer)
Effect of key rollovers on the DS
How do I get my DS records into the parent zone?
Maintaining DS keys after initial setup (CDS/CDNSKEY)
NSEC/NSEC3
Implementing DNSSEC on your nameservers
PowerDNS
pre-signed
front-signing
BIND
NSD
Tinydns
Key rollovers
Double-signing method
Prepublish method
Key-rolling utilities
Further resources
Securing DNS lookups
DNSCurve
DNS over TLS
Summary
References
DNS and DDoS Attacks
What DNS operators can do to mitigate attacks
Separating the target
Response-Rate Limiting (RRL)
Dnsdist – the Swiss Army knife of DNS middleware
Kernel filtering of queries
Mitigation devices
Mitigation services
Colocated gear
Via BGP
Via glue records
Reverse proxy
GRE Tunnels
DDoS mitigation services
What individual domain owners can do
Using multiple DNS solutions
Keeping your data in sync across those deployments
Monitoring the health of your nameserver delegation
Open source monitoring tools
Monitoring services
The ability to change delegations when required
For DNS providers
Summary
References
IPv6 Considerations
IPv6-enabled nameservers
Adding IPv6 to your zones
Reverse DNS for IPv6
Queries for IPv6
Operational considerations
Transport-independent
Avoiding IPv4/IPv6 fragmentation
TTL considerations
Resolver considerations
Summary
References
Other Books You May Enjoy
Leave a review - let other readers know what you think
买过这本书的人还买过
读了这本书的人还在读
同类图书排行榜