DNS & network news

Monthly Archive: December 2015

Domain delegation records cached as answer to NS query?

I have run across a situation that has challenged my previous understanding of how this is supposed to work. I have two cases. I had an understanding of how this worked based on the first case, then the second case has come along and challenged that understanding. I’m seeking clarification.

The first case was something like this… The authoritative name servers for a domain became inaccessible due to an erroneous firewall configuration in an ISP network. I did an NS type query for the domain, assuming that if the delegation records on the com servers were correct, I would get that information as an answer. I did not get an answer, and believed that this indicated a problem with delegation to the authoritative name servers. Not so. The delegation was fine, but I did not receive an answer for the query because the answer needed to come from one of the name servers for that child domain I was querying for. In other words, even though I (or, the client I was using) could see the delegation information from the com servers, this information was not, and should not have been, used to actually answer the query. I read some RFCs as well which helped lead me to this understanding. (I think 2181 and 4697, but maybe others/newer ones as well)

Now comes case 2. In this case, someone misconfigured DNS so that delegation goes to one set of name servers (say, ns1,2,3.delegated.com), but then they set NS records on those servers to some other set of servers (say, ns1,2,3.authoritative.com).

Now, if I configure a DNS server with no forwarders, and do an NS query for this domain, it will work its way down the hierarchy and finally query ns[x].authoritative.com and return ns1,2,3.authoritative.com for the answer to the NS query. That is consistent with my previous understanding.

If I configure this same DNS server to use certain caching servers, then (most of the time) instead of getting the answer ns1,2,3.authoritative.com for the NS query, I get ns1,2,3.delegated.com from the caching server, which seems to me to suggest that the caching server is returning delegation records as answers to the NS query.

I understand this is purely an academic question, since this is all due to a misconfiguration, but I would like to know whether this caching server is doing something it should not by returning these delegation records (which never originated from any authoritative server for the domain) as answers to the NS query? I am just assuming that if the delegation records shouldn’t be used to answer a query, they also shouldn’t be cached and then later used to answer a query… but I guess I could be wrong in that assumption.

TLDR: A caching DNS server should NOT cache delegation information from com servers and use it to answer NS queries for a child of com, right?

Hopefully I am understanding this correctly. I did a brief search of this subreddit but didn’t find a similar question and answer.

submitted by permitipanyany

Powered by WPeMatico
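The case 2 behaviour described in the post, as an added example (not from the post or from any resolver's source): a small cache that ranks an NS RRset by where it was learned, following the trust ordering of RFC 2181 section 5.4.1, so delegation NS records from a referral can be cached but never override the authoritative set, and the stored rank reveals whether an NS answer came from delegation data. The name child.com. is a constructed placeholder.

```python
# Added example (not from the post): a toy resolver cache that ranks an NS RRset
# by where it was learned, following RFC 2181 section 5.4.1. A referral from the
# com servers (the delegation NS set) ranks below an authoritative answer from the
# child's own servers, so a lower-ranked copy never replaces a higher-ranked one,
# and the stored rank shows whether an NS answer came from delegation data.
from dataclasses import dataclass

# Higher number = more trusted (a subset of the RFC 2181 5.4.1 ordering).
RANK_AUTH_ANSWER = 3     # answer section of an authoritative (AA) response
RANK_AUTH_AUTHORITY = 2  # authority section of an authoritative response
RANK_REFERRAL = 1        # authority section of a referral (delegation NS set)
RANK_GLUE = 0            # additional section (glue) of a referral

@dataclass
class CachedRRset:
    rdata: tuple
    rank: int

class RankedCache:
    def __init__(self):
        self._store = {}  # (name, type) -> CachedRRset

    def learn(self, name, rtype, rdata, rank):
        """Cache an RRset unless a more trusted copy is already present.
        Returns True when the cache entry was (re)written."""
        key = (name.lower(), rtype)
        cur = self._store.get(key)
        if cur is None or rank >= cur.rank:
            self._store[key] = CachedRRset(tuple(sorted(rdata)), rank)
            return True
        return False

    def lookup(self, name, rtype):
        return self._store.get((name.lower(), rtype))

# Placeholder server names from the post; "child.com." is a constructed stand-in.
DELEGATED = ["ns1.delegated.com.", "ns2.delegated.com.", "ns3.delegated.com."]
AUTHORITATIVE = ["ns1.authoritative.com.", "ns2.authoritative.com.", "ns3.authoritative.com."]

def simulate_case_2():
    """Replay case 2: returns (rank of the first cached NS set,
    NS set after the authoritative answer, whether a later referral replaced it)."""
    cache = RankedCache()
    cache.learn("child.com.", "NS", DELEGATED, RANK_REFERRAL)         # referral from com
    first_rank = cache.lookup("child.com.", "NS").rank
    cache.learn("child.com.", "NS", AUTHORITATIVE, RANK_AUTH_ANSWER)  # AA answer from child
    replaced = cache.learn("child.com.", "NS", DELEGATED, RANK_REFERRAL)
    return first_rank, cache.lookup("child.com.", "NS"), replaced
```

A cache that answers an NS query straight from a RANK_REFERRAL entry is serving the delegation set the poster saw; checking the rank before answering is what separates the two cases.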

Risk of having 2 DNS servers configured in Network Settings?

If this is the wrong sub, please point me in the right direction.

I am new to DNS and DNS management. I recently had a customer with a DNS issue. Basically, the server that they were using had a cache issue. I recommended that they configure a secondary DNS server in their network settings so that should the problem come back they wouldn’t have any issues. I was kind of surprised when they refused because it presents a security risk.

I have been googling, but I haven’t found anything yet that makes me go “huh, imagine that”.

Can anyone explain to me why having two DNS servers configured in network settings is a security risk?

submitted by midniteslice

Does encrypting DNS prevent DNS leaks?

I was reading about DNS leaks and some articles seem to imply that DNS encryption via DNSCrypt prevents DNS leaks (see here and here), yet in other articles about preventing DNS leaks I see several options available for dealing with DNS leaks (OpenVPN plugin, using the VPN’s DNS resolvers, etc.) but no mention of DNSCrypt (see here). In fact, someone explicitly states that DNSCrypt does not prevent DNS leaks on the OpenDNS forums.

P.S. Can anyone recommend a reasonably fast and privacy-oriented DNS server to use? Google Public DNS and OpenDNS obviously fail to satisfy the latter. I am currently considering OpenNIC and CloudNS since they both don’t seem to log. The former seems to be a popular choice for privacy-oriented users while the latter seems to be one of the few DNS servers that support both DNSCrypt and DNSSEC (does OpenNIC support both of these too?).

Thanks!

submitted by immortal192

Noob here–is this what I'm looking for?

I originally looked into DNS servers for privacy reasons (along with a VPN for a complete privacy solution) then read that it is recommended to use Acrylic DNS Proxy to enforce a host file for Windows.

I looked into some DNS servers for privacy reasons (one that doesn’t log websites that you visit, redirect you to other pages, etc.) and it seems that people are using these. I also read that along with a trustable DNS server, DNS encryption is necessary to prevent third-parties from seeing or altering queries.

  1. For my purposes, am I looking to use Acrylic DNS Proxy, a DNS server from OpenNIC, and DNSCrypt to encrypt the queries? If so, do I use Acrylic DNS Proxy to both use my host file and tell it to use a DNS server from OpenNIC? And for using DNSCrypt, it’s as simple as running the program and enabling DNS encryption?

  2. Is there a simpler method to achieve what I am looking for, which is a fast/dependable DNS implementation built around privacy/security? I feel like I might have too much unnecessary complexity that will cause issues in stability and it might not even be worth it if there are some privacy issues I am not aware of in terms of how DNS works (assuming I only use a VPN).

Any tips, recommendations, or thoughts are much appreciated. I read a ton online but am still confident what options are available to me and what I can expect to achieve in terms of DNS and privacy (without sacrificing speed/reliability/security, if possible).

Thanks!

submitted by immortal192

Zone delegation

caveats:

  • Linux dns 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
  • BIND 9.9.5-11ubuntu1-Ubuntu (Extended Support Version)

I am trying to set up sub-domain delegation, and according to the numerous FAQs, how-to’s and tutorials on the intergalactic web, apparently all you need to do is to add these lines to the parent domain zone file:

    foo                   IN NS  dns1.foo.bar.com.
    dns1.foo.bar.com.     IN A   1.2.3.4

But no dice. named-checkzone returns ok, same with named-checkconf, as is the syslog. Well, frankly, I’m kind of stumped on this one.

config

    options {
        directory "/var/cache/bind";
        forwarders { 192.168.0.23; 192.168.0.20; 1.2.3.4; 1.2.3.5; };
        forward only;
        allow-recursion { any; };
        // dnssec-validation auto;
        dnssec-enable no;
        dnssec-validation no;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

master/example.net.zone

    $ORIGIN example.net.
    $TTL 1D
    @       1D IN SOA dns root (
                    1       ; Serial
                    1W      ; Refresh
                    1D      ; Retry
                    4W      ; Expire
                    1D      ; Negative Cache TTL
                    )
            IN NS   dns.example.net.
            IN A    192.168.0.127
    dns     IN A    192.168.0.4
    jalla   IN A    192.168.0.8
    fniip   IN CNAME jalla
    sub     IN NS   dns1.sub.example.net.
            IN NS   dns2.sub.example.net.
    ;sub    IN A    192.168.0.23              ; glue record
    dns1.sub.example.net.   IN A 192.168.0.23 ; glue record
    dns2.sub.example.net.   IN A 192.168.0.23 ; glue record

The other server answers queries with the correct info of course, but not the main server.

When main dns is queried:

    user@dns1 ~/: host fniip.sub.example.ne
    Host fniip.sub.example.ne not found: 3(NXDOMAIN)

When second dns is queried directly

    user@dns1 ~/: host fniip.sub.example.net 192.168.0.23
    Using domain server:
    Name: 192.168.0.23
    Address: 192.168.0.23#53
    Aliases:

    fniip.sub.example.net is an alias for jalla.sub.example.net.
    jalla.sub.example.net has address 192.168.0.123

Any input would be appreciated.

submitted by cavetroll3000
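An added example (not from the post, and not BIND's own tooling): a small lint in Python for the delegation and glue records of a zone like the one above. It parses only the subset of master-file syntax that zone uses and reports an in-bailiwick NS target with no glue A record, or a child whose whole NS set points at a single address; the zone text inside is constructed from the post's example.net records with the SOA written on one line.

```python
# Added example (not from the post): a lint for zone-file delegations. It parses
# the subset of master-file syntax the post's zone uses and checks that every
# in-bailiwick NS target has glue and that the NS set does not collapse onto one address.
ZONE = """\
$ORIGIN example.net.
$TTL 1D
@       1D IN SOA dns root ( 1 1W 1D 4W 1D )
        IN NS   dns.example.net.
sub     IN NS   dns1.sub.example.net.
        IN NS   dns2.sub.example.net.
dns1.sub.example.net. IN A 192.168.0.23 ; glue record
dns2.sub.example.net. IN A 192.168.0.23 ; glue record
"""

def parse_zone(text):
    """Return (owner, type, rdata) triples with fully qualified owner names."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()      # drop comments, tokenize
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):              # other directives ($TTL)
            continue
        if not raw[0].isspace():                 # explicit owner on this line
            name = toks.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        i = toks.index("IN")
        records.append((owner, toks[i + 1], " ".join(toks[i + 2:])))
    return records

def check_delegations(records):
    """Map each delegated child name to its list of problems (empty = clean)."""
    apex = next(o for o, t, _ in records if t == "SOA")
    glue = {o: r for o, t, r in records if t == "A"}
    problems = {}
    for owner, rtype, target in records:
        if rtype != "NS" or owner == apex:       # only delegation NS sets
            continue
        issues = problems.setdefault(owner, [])
        if target.endswith("." + owner) and target not in glue:
            issues.append(f"missing glue for in-bailiwick NS {target}")
    for child, issues in problems.items():
        addrs = {glue.get(r) for o, t, r in records if t == "NS" and o == child}
        if len(addrs) == 1 and None not in addrs:
            issues.append(f"every NS for {child} has address {addrs.pop()} (no redundancy)")
    return problems
```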

Some stable open DNS servers?

I have a lot of requests from Eastern Asia and North America.

But I don’t want to use the free DNS servers in mainland China because they are poisoning and spying on your internet traffic. I am looking for some other healthy DNS servers. I used dns.he.net, but it fails sometimes if requests are from Eastern Asia. I thought that was not that stable.

So are there any stable free open DNS servers? Mainly for requests from Asia and North America.

Many thanks! Truthfully

submitted by JakeTheMaster

[ELI5]What are the benefits of DNS encryption? DNS servers for privacy?

I tried reading stuff on DNS servers and DNS encryption but I’m having trouble putting it all together. I am interested in it for privacy reasons. I know people change their default DNS server (which is probably something that your ISP provides) for this reason, but doesn’t something like Google’s DNS server then know what domains you are accessing? Would DNS encryption protect you from this or is it to protect from other third parties?

What DNS servers would you recommend for privacy reasons? Or is it easy and practical to set up your own?

Thank you–I don’t know where else to ask these types of questions.

submitted by enory

Is there an open source DNS server that allows alternating responses for the same resource?

I’m implementing the S3 API on Ceph, and was surprised to find that signature validation fails if there are several A records on a domain. Poking s3.amazonaws.com reveals that it resolves to a single different IP address every time (with ridiculously low TTL).

This is for a public web service (non-profit), so the DNS server would have to be “internet quality”. Or should we just cash out for a commercial option (which)? I assume Route53 supports this functionality, but IIRC EasyDNS and PowerDNS don’t.

submitted by omkrets