Jump to content

Search the Community

Showing results for tags 'dns'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station


  • Drivers
  • Filesharing
    • BitTorrent
    • eDonkey & Direct Connect (DC)
    • NewsReaders (Usenet)
    • Other P2P Clients & Tools
  • Internet
    • Download Managers & FTP Clients
    • Messengers
    • Web Browsers
    • Other Internet Tools
  • Multimedia
    • Codecs & Converters
    • Image Viewers & Editors
    • Media Players
    • Other Multimedia Software
  • Security
    • Anti-Malware
    • Firewalls
    • Other Security Tools
  • System
    • Benchmarking & System Info
    • Customization
    • Defrag Tools
    • Disc & Registry Cleaners
    • Management Suites
    • Other System Tools
  • Other Apps
    • Burning & Imaging
    • Document Viewers & Editors
    • File Managers & Archivers
    • Miscellaneous Applications
  • Linux Distributions


  • General News
  • File Sharing News
  • Mobile News
  • Software News
  • Security & Privacy News
  • Technology News

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 19 results

  1. A vulnerability in the domain name system (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at DNS poisoning attack risk. A threat actor can use DNS poisoning or DNS spoofing to redirect the victim to a malicious website hosted at an IP address on a server controlled by the attacker instead of the legitimate location. The library uClibc and its fork from the OpenWRT team, uClibc-ng. Both variants are widely used by major vendors like Netgear, Axis, and Linksys, as well as Linux distributions suitable for embedded applications. According to researchers at Nozomi Networks, a fix is not currently available from the developer of the developer of uClibc, leaving products of up to 200 vendors at risk. Vulnerability details The uClibc library is a C standard library for embedded systems that offers various resources needed by functions and configuration modes on these devices. The DNS implementation in that library provides a mechanism for performing DNS-related requests like lookups, translating domain names to IP addresses, etc. Nozomi reviewed the trace of DNS requests performed by a connected device using the uClibc library and found some peculiarities caused by an internal lookup function. After investigating further, the analysts discovered that the DNS lookup request's transaction ID was predictable. Because of this, DNS poisoning might be possible under certain circumstances. DNS lookup function4s in uClibc (Nozomi) Flaw implications If the operating system doesn't use source port randomization, or if it does but the attacker is still capable of brute-forcing the 16-bit source port value, a specially-crafted DNS response sent to devices using uClibc could trigger a DNS poisoning attack. DNS poisoning is practically tricking the target device into pointing to an arbitrarily defined endpoint and engaging in network communications with it. By doing that, the attacker would be able to reroute the traffic to a server under their direct control. "The attacker could then steal or manipulate information transmitted by users and perform other attacks against those devices to completely compromise them. The main issue here is how DNS poisoning attacks can force an authenticated response," - Nozomi Networks Mitigation and fixing Nozomi discovered the flaw in September 2021 and informed CISA about it. Then, in December, it reported to the CERT Coordination Center, and finally, in January 2022, it disclosed the vulnerability to over 200 potentially impacted vendors. As mentioned above, there's currently no fix available for the flaw, which is now tracked under ICS-VU-638779 and VU#473698 (no CVE yet). Currently, all stakeholders are coordinating to develop a viable patch and the community is expected to play a pivotal role in this, as this was precisely the purpose of the disclosure. As the affected vendors will have to apply the patch by implementing the new uClibc version on firmware updates, it will take a while for the fixes to reach end consumers. Even then, end-users will have to apply the firmware updates on their devices, which is another choke point that causes delays in fixing critical security flaws. "Because this vulnerability remains unpatched, for the safety of the community, we cannot disclose the specific devices we tested on," says Nozomi "We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure." Users of IoT and router devices should keep an eye on new firmware releases from vendors and apply the latest updates as soon as they become available. Unpatched DNS bug affects millions of routers and IoT devices
  2. Microsoft's Windows operating system supports several multicast name resolution protocols, including NetBIOS and LLMNR. The state of the art protocol that is widely used today is mDNS, while the protocols NetBIOS and LLMNR are not widely used anymore. In Aligning on mDNS: ramping down NetBIOS name resolution and LLMNR, Microsoft informs Windows system administrators that it plans to disable the old protocols in future versions of Windows to improve device security and decrease the load on the networks they use. Microsoft is aware that there are still scenarios and "real-world deployments" in which these protocols are used, but the company is convinced that disabling the protocols by default is the right direction to take. The company has not started the process of disabling LLMNR by default yet, but it has started the process for NetBIOS. The NetBIOS protocol is already turned off by default on cellular devices according to Microsoft. In the latest Windows Developer and Beta Insider builds, NetBIOS is in learning mode. Learning mode means that NetBIOS is used as a fallback if mDNS and LLMNR queries fail. The change may lead to connectivity issues in some cases. Administrators may modify a Group Policy or a Registry value to change the behavior of the protocol. Note: the Group Policy Editor is only available on Professional and Enterprise editions of Windows. Home edition administrators may modify the behavior in the Registry. Changing NetBIOS in the Group Policy Editor Use the keyboard shortcut Windows-R to open the Run box on the system. Type gpedit.msc and hit Enter; this should load the Group Policy Editor. Navigate to Computer Configuration > Administrative Templates > Network > DNS Client. Double-click on the Configure NetBIOS policy. Set the policy to Enabled. Use the menu that is provided "Configure NetBIOS options" to switch to one of the supported options: Allow NetBIOS name resolution -- Enables full NetBIOS support. Disable NetBIOS name resolution -- Turns off NetBIOS support on the device. Disable NetBIOS name resolution on public networks -- Keeps NetBIOS enabled on private networks, but disables it on public networks. NetBIOS learning mode -- NetBIOS is only used as a fallback if mDNS and LLMNR queries fail. Select OK to save the new policy setting. Changing NetBIOS in the Windows Registry The same options are also available in the Windows Registry. Use the keyboard shortcut Windows-R to open the run box. Type regedit.exe and hit the Enter-key. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters in the Registry Editor. Right-click on Parameters and select New > Dword (32-bit) Value. Name the value EnableNetbios. Double-click on the new Dword and set it to one of the following values: 0 -- Disabled. 1 -- Allowed. 2 -- Disabled on public networks. 3 -- Learning Mode. Close the Registry Editor after you have made the change. Closing Words LLMNR has not been touched yet, but Microsoft plans to make similar changes to this protocol in future builds and versions of the Windows operating system. Now You: do you use NetBIOS or LLMNR? (via Deskmodder) Microsoft starts to phase out NetBIOS and LLMNR to focus on mDNS
  3. Cloudflare DNS’s service has had an important impact on the internet. Here is why it is such a major contributor in the fight for privacy and freedom. On the day when people like to make a fool of each other, Cloudflare launched a service which seemed unbelievable at first. Not because of the features it offered, but because it was launched on a day when most companies would announce fake products in a humorous intention. Cloudflare announcement too, frankly speaking, seemed like one, but it wasn’t so. On 1st April 2018, Cloudflare announced its own DNS service called At first, it seemed just like another DNS service. But Cloudflare made huge improvements to make it among the top DNS services out there. What is DNS? DNS, meaning Domain Name System, is like an address book of the internet. Simply put, all sites on the internet run on a server. Those sites running on individual servers are allotted a specific IP address. That IP address is like a house number on a road. You can read it, but you do not know which road or the area house is located at. This is where an address book comes. It tells you where the house is, so that you can reach. Similarly, when one types an internet site’s address inside their browser, like this site ourdigitech.com for example. A DNS service is contacted by your computer or a mobile and it is asked where this site is. It tells your browser the IP address of the site and leads you to it. All this is done in a fraction of the seconds. Milliseconds to be precise. This makes it very important that the DNS server is not only near you but also fast, so that your browsing is done quickly. Cloudflare plays a very important role here. Cloudflare’s importance Cloudflare’s server locations. Cloudflare’s main product is its CDN, that is, content delivery network service. What a CDN service does is that it makes copies of the sites on the internet and stores it locally near you and on many servers worldwide. Cloudflare is among the top CDN services out there. It has its servers situated in almost every part of the world. This allows Cloudflare to leverage its CDN network to provide DNS services. Allowing it to be quick to contact and deliver. Enter and WARP When Cloudflare originally announced it’s DNS service, the DNS requests were mainly served by two players. One, whatever DNS service your internet service provider (ISP) chose and second, Google DNS. While at start was just like Google DNS – bare-bones. It was not much quick either. But that soon change. A year later, on the same day, Cloudflare announced a VPN service called WARP. It’s a type of VPN service which basically encrypts your traffic on the internet. The problem with DNS protocol was that it was designed decades ago without encryption in mind and that is why normally it is not encrypted, allowing to anyone to spy on you – that is, look at which sites you are opening and also prevent you from accessing that site. This is especially the case with the ISPs which actively stops you from accessing some sites. WARP intended to circumvent that by encrypting the information between you and the DNS provider. Allowing not only privacy, but also freedom of browsing a free uncensored internet. While it is true that WARP is known to have some problems starting up, as mentioned by the reviewers on it’s Android app page, it’s still a great service when it works correctly. More improvements Since then, Cloudflare has come up with many upgrades to it’s service. Like offering DNS over HTTPS (DoH) and DNS over TLS (DoT) – both of which are intended to encrypt the connection between you and the Cloudflare’s DNS service, to collaborating with various browsers to include build-in support for the DoH inside them. It is important to mention that Google’s DNS service started offering DNS over TLS only a year after Cloudflare. Cloudflare has also started a special version of it’s DNS service which allows people to prevent either adult content or malware or both from being accessed. Allowing a secure internet for everyone. Other DNS providers and alternatives Meanwhile, since the launch of Cloudflare’s, a lot of DNS providers have appeared or upgraded themselves. Google DNS remains the top DNS provider out there, simply because it is the fastest one out there and not many can match the power of Google’s network. There is also another DNS provider around called NextDNS, which offers a lot of features like DoH, DoT, extensive security options, privacy and tracking protection, parental control, deny and allow list, logs and many other things, possibly unmatched by any other provider out there. The problem is that it’s free plan’s extra features are limited to 300,000 queries per month. This is unlike Google DNS and Cloudflare’s DNS, which are by and large completely free, albeit without many features While it’s true that there are many good DNS providers out there. But Cloudflare remains our favorite of them all. Cloudflare’s DNS Service Turns 4: How It Changed The Internet
  4. NAME:WRECK DNS vulnerabilities affect over 100 million devices Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices. Collectively referred to as NAME: WRECK, the flaws could be leveraged to take offline affected devices or to gain control over them. The vulnerabilities were found in widespread TCP/IP stacks that run on a wide range of products, from high-performance servers and networking equipment to operational technology (OT) systems that monitor and control industrial equipment. Issues in four TCP/IP stacks The discovery of NAME:WRECK is a joint effort from Enterprise of Things security company Forescout and Israel-based security research group JSOF and affects the DNS implementations in the following TCP/IP stacks: FreeBSD (vulnerable version: 12.1) - one of the most popular operating system in the BSD family IPnet (vulnerable version: VxWorks 6.6) - initially developed by Interpeak, it is now under WindRiver maintenance and used by VxWorks real-time operating system (RTOS) NetX (vulnerable version: 6.0.1) - part of the ThreadX RTOS, it is now an open-source project maintained by Microsoft under the name Azure RTOS NetX Nucleus NET (vulnerable version: 4.3) - part of the Nucleus RTOS maintained by Mentor Graphics, a Siemens business, it is used in medical, industrial, consumer, aerospace, and Internet of Things devices According to Forescout, in hypothetical but plausible scenarios, threat actors could exploit NAME:WRECK vulnerabilities to deal significant damage to government or enterprise servers, healthcare facilities, retailers, or companies in the manufacturing business by stealing sensitive data, modifying or taking equipment offline for sabotage purposes. Attackers could also tamper with critical building functions in residential or commercial locations to control heating and ventilation, disable security systems or tamper with automated lighting systems The NAME:WRECK vulnerabilities The researchers analyzing the DNS implementations in the above-mentioned TCP/IP stacks looked at the message compression feature of the protocol. It is not uncommon for DNS response packets to include the same domain name or a part of it more than once, so a compression mechanism exists to reduce the size of DNS messages. Not just DNS resolvers benefit from this encoding as it is present in multicast DNS (mDNS), DHCP clients, and IPv6 router advertisements. Forescout explains in a report today that the feature is also present in many implementations, although some protocols do not officially support compression. This occurs “because of code reuse or a specific understanding of the specifications.” The researchers note that implementing the compression mechanism has been a tall order, as highlighted by more than a dozen vulnerabilities discovered since the year 2000. It must be noted that not all NAME:WRECK can be exploited to achieve the same results. The potential impact for the most severe of them is remote code execution, with the highest severity score being calculated to 9.8 out of 10. Below is a rundown of all nine vulnerabilities, their identification numbers, and their severity score. CVE ID Stack Description Affected feature Potential Impact Severity Score CVE-2020-7461 FreeBSD -boundary error when parsing option 119 data in DHCP packets in dhclient(8) - attacker on the network can send crafted data to DHCP client Message compression RCE 7.7 CVE-2016-20009 IPnet - stack-based overflow on the message decompression function Message compression RCE 9.8 CVE-2020-15795 Nucleus NET - DNS domain name label parsing functionality does not properly validate the names in DNS responses - parsing malformed responses could result in a write past the end of an allocated structure Domain name label parsing RCE 8.1 CVE-2020-27009 Nucleus NET - DNS domain name record decompression functionality does not properly validate the pointer offset values - parsing malformed responses could result in a write past the end of an allocated structure Message compression RCE 8.1 CVE-2020-27736 Nucleus NET - DNS domain name label parsing functionality does not properly validate the name in DNS responses - parsing malformed responses could result in a write past the end of an allocated structure Domain name label parsing DoS 6.5 CVE-2020-27737 Nucleus NET - DNS response parsing functionality does not properly validate various length and counts of the records - parsing malformed responses could result in a read past the end of an allocated structure Domain name label parsing DoS 6.5 CVE-2020-27738 Nucleus NET - DNS domain name record decompression functionality does not properly validate the pointer offset values - parsing malformed responses could result in a read access past the end of an allocated structure Message compression DoS 6.5 CVE-2021-25677 Nucleus NET - DNS client does not properly randomize DNS transaction ID (TXID) and UDP port numbers Transaction ID DNS cache poisoning/spoofing 5.3 * NetX - two functions in the DNS resolver fo not check that the compression pointer does not equal the same offset currently being parsed, potentially leading to infinite loop Message compression DoS 6.5 As seen in the table above, not all vulnerabilities relate to message compression. These exceptions are a byproduct of the research and can be chained with the others to amplify the effects of the attack. Another exception is CVE-2016-20009. Originally discovered by Exodus Intelligence in 2016, the bug did not receive a tracking number. Although the product is no longer maintained (end-of-life), it is still in use today. Forescout asked Wind River to file for a CVE but the company did not take any action for months. As such, the company asked Exodus Intelligence for the same thing and the flaw received an identifier in January 2021. An attacker exploiting a single bug may not achieve much but they can potentially wreak havoc by combining them. For instance, they can exploit one flaw to be able to write arbitrary data into sensitive memory locations of a vulnerable device, another to inject code in a packet, and a third one to deliver it to the target. The report from Forescout dives deep into technical details about how exploitation may lead to a successful remote code execution attack by leveraging several of the NAME:WRECK vulnerabilities as well as bugs from the AMNESIA:33 collection, that the company discovered in open source TCP/IP stacks. The company also discusses multiple implementation issues that keep repeating in DNS message parsers, referred to as anti-patterns, which are the cause of the NAME:WRECK vulnerabilities: - Lack of TXID validation, insufficiently random TXID and source UDP port - Lack of domain name character validation - Lack of label and name lengths validation - Lack of NULL-termination validation - Lack of the record count fields validation - Lack of domain name compression pointer and offset validation Patches for NAME:WRECK are available for FreeBSD, Nucleus NET, and NetX, and eliminating the issues is possible if the fixes trickle down to the affected products. As such, it is now up to the device vendors to apply the corrections to the products that can still be updated. This process, however, is unlikely to have a 100% success rate, though, as several obstacles are in the way. First of all, operators need to determine the TCP/IP stack running on affected devices. This is not always an easy task because sometimes even the device vendor does not know. Another hurdle is applying the patch, which, in many cases, needs to be installed manually because there is no centralized management. Add to this a critical device that cannot be taken offline for the update procedure and it becomes clear why a 100% patching rate is virtually impossible. “Even worse, we found that new firmware sometimes runs unsupported versions of an RTOS that may have known vulnerabilities [e.g. CVE-2016-20009]. This is extremely concerning since assuming that a new firmware is not vulnerable might lead to serious blind spots in network risk assessment” - Forescout However, there is mitigation information that security engineers can use to develop signatures that detect DNS vulnerabilities: - Discover and inventory devices running the vulnerable stacks - Enforce segmentation controls and proper network hygiene - Monitor progressive patches released by affected device vendors - Configure devices to rely on internal DNS servers - Monitor all network traffic for malicious packets Furthermore, Forescout makes available two open-source tools that can help determine if a target network device runs a specific embedded TCP/IP stack (Project Memoria Detector) and for detecting issues similar to NAME:WRECK (works with Joern). Source: NAME:WRECK DNS vulnerabilities affect over 100 million devices
  5. Security upgrade — Firefox turns encrypted DNS on by default to thwart snooping ISPs US-based Firefox users get encrypted DNS lookups today or within a few weeks. Enlarge Getty Images | Anadolu Agency Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks. "Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users." DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads. Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017. ISPs protested encrypted-DNS plans Mozilla has not been deterred by a broadband-industry lobbying campaign against encrypted DNS. The ISPs' lobbying targeted Google's plan for the Chrome browser, even though Firefox is deploying DNS over HTTPS more aggressively. With Web users already being tracked heavily by companies like Google and Facebook, Mozilla has said it is embracing DNS over HTTPS because "we don't want to see that business model duplicated in the middle of the network" and "it's just a mistake to use DNS for those purposes." "Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the Internet to make the shift to more secure alternatives," Mozilla said in its announcement today. "We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, [and] helps prevent data collection by third parties on the network that ties your computer to websites you visit." While Firefox's encrypted DNS uses Cloudflare by default, users can change that to NextDNS in the Firefox settings or manually enter the address of another encrypted-DNS service. Firefox users can also disable the new default setting if they don't want to use any of the encrypted-DNS options. Mozilla has said it is open to adding more encrypted-DNS providers as long as they meet a list of requirements for privacy and transparency and don't block or filter domains by default "unless specifically required by law in the jurisdiction in which the resolver operates." Mozilla isn't turning encrypted DNS on automatically outside the United States. But users outside the US and US-based users who haven't gotten the new default setting yet can enable DNS over HTTPS in the Firefox settings. To do that, go to Firefox "Preferences," then "General," scroll all the way down to "Network Settings," click "Settings," then click "Enable DNS over HTTPS." After clicking that box, you can choose Cloudflare, choose NextDNS, or enter a custom server. There's a list of encrypted-DNS servers at this Github page. Encrypted DNS will not be turned on by default in certain cases, such as when Firefox detects that enterprise policies have been set on the device or when it detects the presence of parental controls. Those and other questions about how DNS over HTTPS works in Firefox are answered in this FAQ. Google's plan for encrypted DNS in Chrome—which is still in the experimental phase and hasn't been deployed to everyone—is a little different from Mozilla's. Instead of automatically switching users to a DNS provider chosen by Google, Chrome sticks with whichever DNS provider the user has selected. If the user-selected DNS provider offers encrypted lookups and is in this list of providers, Chrome automatically upgrades the user to that DNS provider's encrypted service. If the user-selected DNS provider isn't in the list, Chrome makes no changes. Source: Firefox turns encrypted DNS on by default to thwart snooping ISPs (Ars Technica)
  6. Microsoft will integrate DNS over HTTPS in Windows 10 Microsoft revealed plans to integrate native support for DNS over HTTPS in the company's Windows 10 operating system in November 2019. The announcement was made on Microsoft's Networking blog on November 17, 2019. DNS over HTTPS is designed to improve privacy, security and the reliability by encrypting DNS queries that are handled in plaintext currently. DNS over HTTPS has been on the rise lately. Mozilla, Google, Opera as as well as several public DNS providers announced support for the standard. Support in programs, e.g. a web browser, means that the DNS queries that originate from that program are encrypted. Other queries, e.g. from another browser that does not support DNS over HTTPS or is configured not to use it, won't benefit from that integration however. Microsoft's announcement brings DNS over HTTPS support to the Windows operating system. The company plans to introduce it to preview builds of Windows 10 in the future before it releases it in a final version of the operating system. Microsoft plans to follow Google's implementation, at least initially. Google revealed some time ago that it will roll out DNS over HTTPS in Chrome, but only on systems that use a DNS service that supports DNS over HTTPS. In other words: Google won't alter the DNS provider of the system. Mozilla and Opera decided to pick a provider, at least initially, and that means that the local DNS provider may be overridden in the browser. Microsoft notes that it won't be making changes to the DNS server configuration of the Windows machine. Administrators (and users) are in control when it comes to the selection of the DNS provider on Windows and the introduction of support for DNS over HTTPS on Windows won't change that. The change may benefit users without them knowing about it. If a system is configured to use a DNS provider that supports DNS over HTTPS, that system will automatically use the new standard so that DNS data is encrypted. The company plans to introduce "more privacy-friendly ways" for its customers to discover DNS settings in Windows and raise awareness for DNS over HTTPS in the operating system. Microsoft revealed four guiding principles for the implementation: Windows DNS needs to be as private and functional as possible by default without the need for user or admin configuration because Windows DNS traffic represents a snapshot of the user’s browsing history. Privacy-minded Windows users and administrators need to be guided to DNS settings even if they don't know what DNS is yet. Windows users and administrators need to be able to improve their DNS configuration with as few simple actions as possible. Windows users and administrators need to explicitly allow fallback from encrypted DNS once configured. Closing words Microsoft did not reveal a schedule for the integration but it is clear that it will land in a future Insider build for Windows 10 first. Integration in Windows -- and other client operating systems -- makes more sense than integrating the functionality into individual programs. Users who want to use DNS over HTTPS may simply pick a DNS provider that supports it to enable the feature for all applications that run on the system. Source: Microsoft will integrate DNS over HTTPS in Windows 10 (gHacks - Martin Brinkmann)
  7. Jime234

    Changing Mobile Data DNS

    Hi, I wanted to change the DNS of the Mobile Data of my Android Smart Phone. Its a simple process to Change DNS of WiFi but Mobile Data is just something else.. I've searched and tried some apps to change DNS but then I don't know it worked or not, there is no way to check ! Has anyone here tried it ?
  8. TCP alternative QUIC reaches IETF's Standards Track after eight years of evolution Google spawned it, Cloudflare backed it, Microsoft made its own cut. Boffins worry it didn't improve privacy Quick UDP Internet Connections (QUIC) have graduated to Internet Engineering Task Force’s standards track. The QUIC spec, aka RFC 9000, appeared on May 27th, marking the end of the beginning for a story that started in 2013 when Google revealed it was playing with QUIC, which it then described as "an early-stage network protocol we are experimenting with that runs a stream multiplexing protocol over a new flavor of Transport Layer Security (TLS) on top of UDP instead of TCP." QUIC’s best trick is to allow a client and server to send data, even if they have never connected. Cutting out the extra round trips needed to establish a TCP link means less traffic and faster connections. That’s especially welcome on wireless networks, which are nearly always shared and see contention for resources. Just in case you haven’t noticed, there’s about three billion wireless devices out there on cellular networks, so anything that makes networks behave better for them is welcome by users, network operators, content providers, and plenty of other stakeholders. Internet-grooming company Cloudflare liked QUIC so much it’s offered it as a service for a few years now. Microsoft has used QUIC to carry SMB traffic and proclaimed it “the future of distributed systems.” True to form, Microsoft has also created its own version of QUIC and open-sourced it. Google’s already baked QUIC into its Chrome browser and that gives it a presence on hundreds of millions of devices. But QUIC has not been widely adopted elsewhere. A Cloudflare post celebrating QUIC’s ascension to the standard track says it can detect “around 12% of Internet traffic using QUIC with HTTP/3”. QUIC’s new status has seen Cloudflare take its QUIC service out of beta and offer it to all comers, in the hope of making it more prevalent. It’s hard to argue against anything that speeds networks. But be careful what you wish for, because in January 2021 networking boffins rated QUIC as more vulnerable to web fingerprinting than HTTPS, a technology QUIC was intended to supplant. ® Source
  9. How to configure the DNS in iOS We taught you how to configure Safari in iOS to take control of how the browser works. Continuing with our internet tweaks, we are going to tell you how to configure the DNS in iOS. You should know that there is one huge drawback in iOS concerning DNS. You can only set a custom DNS if you are connected to a Wi-Fi connection. You cannot change the DNS on mobile networks, it’s just bizarre. One option around this would be to use a VPN instead that uses its own DNS service. When Android Pie was launched, many praised the addition of a native DNS option. Many iOS users aren’t aware that this option has been in their iPhone/iPad for a long time. The reason why they may not have known about it, is because it isn’t kind of visible in the settings. You’ll understand why we say this in a moment. How to configure the DNS in iOS 1. Open the Settings app on your iPhone or iPad 2. Navigate to the Wi-Fi options on the side-bar. 3. Now, on the right pane, you will see the name of the Wi-Fi network you are connected to. It will have a blue checkmark next to it, to indicate it is working fine. 4. Tap anywhere on the line with the Wi-Fi network’s name or the icons on the edge. This open’s the settings which are specific to the selected network. 5. Scroll down till you say the Configure DNS option. If it says “Automatic”, it means no custom DNS has been enabled, and the network is connecting to your ISP’s DNS servers. 6. Tap on Configure DNS, and then on the “Manual” option. Now you will see an Add server option. 7. Use this to set any DNS that you want to. Don’t forget to hit the save button on the top right corner, to finish adding the DNS server. Okay, you probably guessed this. Yeah, if you have more than one Wi-Fi networks, you’re going to need to setup a DNS for each of those. Here are a few popular public DNS services which are reliable: CloudFlare DNS: and (Cloudflare has DNS apps for Android and iOS as well= AdGuard DNS: and OpenDNS: and Quad9 DNS: and Google DNS: and AdGuard DNS is very useful, because it acts as a system-wide ad blocker. You can check out our Adguard DNS review here. Closing Words Personally, I don’t like Apple’s Settings app and the way it presents the options for changing the DNS. In comparison, on Android Pie, the DNS option is straightforward. You go to Settings > Network & Internet > Advanced > Private DNS. Bam, there it is, it’s a one-time setting and it works across all networks (Wi-Fi and Mobile). Even if you don’t remember the option’s location, you can just open Settings on your Android device and type DNS and it will display the option for you. Do the same thing on iOS, and you get nothing, it’s not a searchable option. Source: How to configure the DNS in iOS (gHacks - Martin Brinkmann)
  10. Google plans to test DNS over HTTPS in Chrome 78 Google revealed plans to test the company's implementation of DNS over HTTPS (DoH) in Chrome 78. DNS over HTTPS aims to improve security and privacy of DNS requests by utilizing HTTPS. The current stable version of Chrome is 77 released on September 10, 2019. Google notes that DoH prevents other WiFi users from seeing visited websites; common attacks such as spoofing or pharming could potentially be prevented by using DoH. Google decided to test the DoH implementation in a different way than Mozilla. Mozilla selected Cloudflare as its partner in the testing phase and will use Cloudflare as the default provider when it rolls out the feature to US users in late September 2019. Firefox users have options to change the DNS over HTTPS provider or turn off the feature entirely in the browser. Google's DNS over HTTPS plan Google picked a different route for the test. The company decided to test the implementation using multiple DoH providers. The company could have used its own DoH service for the tests but decided to select multiple providers instead. Tests will upgrade Chrome installations to use DoH if the DNS service that is used on the system supports DoH. Google circumnavigates any criticism in regards to privacy that Mozilla faced when it announced the partnership with Cloudflare. Google selected the cooperating providers for "their strong stance on security and privacy" and "readiness of their DoH services" and agreement to participate in the test. The following providers were picked by the company: Cleanbrowsing Cloudflare DNS.SB Google OpenDNS Quad9 If Chrome runs on a system that uses one of these services for DNS, it will start using DoH instead when Chrome 78 launches. The experiment will run on all platforms for a fraction of Chrome users with the exception of Chrome on Linux and iOS. Chrome will revert to the regular DNS service in the case of errors. Most managed Chrome deployments will be excluded from the experiment, and Google plans to provide details on DoH policies on the company's Chrome Enterprise blog before release to provide administrators with information on configuring those. Chrome users may use the flag chrome://flags/#dns-over-http to opt in or out of the experiment. The flag is not integrated in any version of the Chrome browser yet. Secure DNS lookups Enables DNS over HTTPS. When this feature is enabled, your browser may try to use a secure HTTPS connection to look up the addresses of websites and other web resources. – Mac, Windows, Chrome OS, Android Closing Words Most Chromium-based browsers and Firefox will start to use DNS over HTTPS in the near future. Firefox provides options to disable the feature and Chrome comes with an experimental flag that offers the same. Experimental flags may be removed at one point in the future however and it is unclear at this point whether Google plans to add a switch to Chrome's preference to enable or disable the feature. Source: Google plans to test DNS over HTTPS in Chrome 78 (gHacks - Martin Brinkmann)
  11. Mozilla plans to roll out DNS over HTTPS to US users in late September 2019 Starting in late September 2019, DNS over HTTPS (DoH) is going to be rolled out to Firefox users in the United States. DNS over HTTPS encrypts DNS requests to improve security and privacy of these requests. Most DNS requests happen in the open currently; anyone listening to the traffic gets records of site and IP addresses that were looked up while using an Internet connection among other things. DoH encrypts the traffic and while that looks good on first glance, it needs to be noted that TLS still gives away the destination in plaintext. One example: Internet providers may block certain DNS requests, e.g. when they have received a court order to block certain resources on the Internet. It is not the best method to prevent people from accessing a site on the Internet but it is used nevertheless. DoH is excellent against censorship that uses DNS manipulation. Tip: check out our detailed guide on configuring DNS over HTTPS in Firefox. Mozilla started to look into the implementation of DoH in Firefox in 2018. The organization ran a controversial Shield study in 2018 to gather data that it needed for the planned implementation of the feature. The study was controversial because Mozilla used the third-party Cloudflare as the DNS over HTTPS service which meant that all user traffic flowed through the Cloudflare network. Mozilla revealed in April 2019 that its plan to enable DoH in Firefox had not changed. The organization created a list of policies that DoH providers had to conform to if they wanted their service to be integrated in Firefox. In "What's next in making encrypted DNS-over-HTTPS the Default", Mozilla confirmed that it would begin to enable DoH in Firefox starting in late September 2019. The feature will be enabled for some users from the United States and Mozilla plans to monitor the implementation before DoH is rolled out to a larger part of the user base and eventually all users from the United States. We plan to gradually roll out DoH in the USA starting in late September. Our plan is to start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling for a larger audience. If this goes well, we will let you know when we’re ready for 100% deployment. While DNS over HTTPS will be the default for the majority of Firefox installations in the United States, it won't be enabled for some configurations: If parental controls are used, DoH won't be enabled provided that Mozilla detects the use correctly. Enterprise configurations are respected as well and DoH is disabled unless "explicitly enabled by enterprise configuration". Fall back option if DNS issues or split horizon configuration cause lookup failures. Network administrations may configure their networks in the following way to highlight to Firefox that the network is unsuitable for DoH usage: DNS queries for the A and AAAA records for the domain “use-application-dns.net” must respond with NXDOMAIN rather than the IP address retrieved from the authoritative nameserver. How to block DNS over HTTPS You have two options when it comes to DoH in Firefox. You can change the default provider -- Cloudflare is the default -- to another provider (for whatever reason) or block the entire feature so that it won't be used. If you don't want to use it, set the value of network.trr.mode to 0 5 on about:config. Source: Mozilla plans to roll out DNS over HTTPS to US users in late September 2019 (gHacks - Martin Brinkmann)
  12. I have a domain name ending in .TK, from freenom and webhosting supplied by bplaced. Do I use freenom's DNS to add info. from bplaced or vice-versa? In other words do I tell the host of the web site about the domain, the other way around or do I have to tell each about the other? The host of the website offer their own domain buying service which confuses things (for me). freenom talk about 20202020 or 20202121 as servers and bplace talk about DNS Crec or records? I'd appreciate someone familiar running through the setup procedure as although they have tried to translate from German to English their instructions are not very clear to me. is this right?
  13. A Chrome feature is creating enormous load on global root DNS servers Google is doing to DNS what D-Link once did to NTP. 181 with 87 posters participating, including story author The Chromium browser—open source, upstream parent to both Google Chrome and the new Microsoft Edge—is getting some serious negative attention for a well-intentioned feature that checks to see if a user's ISP is "hijacking" non-existent domain results. The Intranet Redirect Detector, which makes spurious queries for random "domains" statistically unlikely to exist, is responsible for roughly half of the total traffic the world's root DNS servers receive. Verisign engineer Matt Thomas wrote a lengthy APNIC blog post outlining the problem and defining its scope. How DNS resolution normally works Enlarge / These servers are the final authority which must be consulted to resolve .com, .net, and so forth—and to tell you that 'frglxrtmpuf' isn't a real TLD. Jim Salter DNS, or the Domain Name System, is how computers translate relatively memorable domain names like arstechnica.com into far less memorable IP addresses, like Without DNS, the Internet couldn't exist in a human-usable form—which means unnecessary load on its top-level infrastructure is a real problem. Loading a single modern webpage can require a dizzying number of DNS lookups. When we analyzed ESPN's front page, we counted 93 separate domain names—from a.espncdn.com to z.motads.com—which needed to be performed in order to fully load the page! In order to keep the load manageable for a lookup system that must service the entire world, DNS is designed as a many-stage hierarchy. At the top of this pyramid are the root servers—each top-level domain, such as .com, has its own family of servers that are the ultimate authority for every domain beneath it. One step above those are the actual root servers, a.root-servers.net through m.root-servers.net. How often does this happen? A very small percentage of the world's DNS queries actually reaches the root servers, due to the DNS infrastructure's multilevel caching hierarchy. Most people will get their DNS resolver information directly from their ISP. When their device needs to know how to reach arstechnica.com, the query first goes to that local ISP-managed DNS server. If the local DNS server doesn't know the answer, it will forward the query to its own "forwarders," if any are defined. If neither the ISP's local DNS server nor any "forwarders" defined in its configuration have the answer cached, the query eventually bubbles up directly to the authoritative servers for the domain above the one you're trying to resolve—for arstechnica.com, that would mean querying the authoritative servers for com itself, at gtld-servers.net. The gtld-servers system queried responds with a list of authoritative nameservers for the arstechnica.com domain, along with at least one "glue" record containing the IP address for one such nameserver. Now, the answers percolate back down the chain—each forwarder passes those answers down to the server that queried it until the answer finally reaches both the local ISP server and the user's computer—and all of them along the line cache that answer to avoid bothering any "upstream" systems unnecessarily. For the vast majority of such queries, the NS records for arstechnica.com will already be cached at one of those forwarding servers, so the root servers needn't be bothered. So far, though, we're talking about a more familiar sort of URL—one that resolves to a normal website. Chrome's queries hit a level above that, at the actual root-servers.net clusters themselves. Chromium and the NXDomain hijack test Enlarge / Chromium's "is this DNS server f'ng with me?" probes represent about half of all the traffic reaching Verisign's DNS root-server cluster. Matthew Thomas The Chromium browser—parent project to Google Chrome, the new Microsoft Edge, and countless other lesser-known browsers—wants to offer users the simplicity of a single-box search, sometimes known as an "Omnibox." In other words, you type both real URLs and search engine queries into the same text box in the top of your browser. Taking ease-of-use one step further, it doesn't force you to actually type the http:// or https:// part of the URL, either. As convenient as it might be, this approach requires the browser to understand what should be treated as a URL and what should be treated as a search query. For the most part, this is fairly obvious—anything with spaces in it won't be a URL, for example. But it gets tricky when you consider intranets—private networks, which may use equally private TLDs that resolve to actual websites. If a user on a company intranet types in "marketing" and that company's intranet has an internal website by the same name, Chromium displays an infobar asking the user whether they intended to search for "marketing" or browse to https://marketing. So far, so good—but many ISPs and shared Wi-Fi providers hijack every mistyped URL, redirecting the user to an ad-laden landing page of some sort. Generate randomly Chromium's authors didn't want to have to see "did you mean" infobars on every single-word search in those common environments, so they implemented a test: on startup or change of network, Chromium issues DNS lookups for three randomly generated seven-to-15-character top-level "domains." If any two of those requests come back with the same IP address, Chromium assumes the local network is hijacking the NXDOMAIN errors it should be receiving—so it just treats all single-word entries as search attempts until further notice. Unfortunately, on networks that aren't hijacking DNS query results, those three lookups tend to propagate all the way up to the root nameservers: the local server doesn't know how to resolve qwajuixk, so it bounces that query up to its forwarder, which returns the favor, until eventually a.root-servers.net or one of its siblings has to say "Sorry, that's not a domain." Since there are about 1.67*10^21 possible seven-to-15-character fake domain names, for the most part every one of these probes issued on an honest network bothers a root server eventually. This adds up to a whopping half the total load on the root DNS servers, if we go by the statistics from Verisign's portion of the root-servers.net clusters. History repeats itself This isn't the first time a well-meaning project has swamped or nearly swamped a public resource with unnecessary traffic—we were immediately reminded of the long, sad story of D-Link and Poul-Henning Kamp's NTP (Network Time Protocol) server, from the mid-2000s. In 2005, Poul-Henning Kamp—a FreeBSD developer, who also ran Denmark's only Stratum 1 Network Time Protocol server—got an enormous unexpected bandwidth bill. To make a long story short, D-Link developers hardcoded Stratum 1 NTP server addresses, including Kamp's, into firmware for the company's line of switches, routers, and access points. This immediately increased the bandwidth usage of Kamp's server ninefold, causing the Danish Internet Exchange to change his bill from "Free" to "That'll be $9,000 per year, please." The problem wasn't that there were too many D-Link routers—it was that they were "jumping the chain of command." Much like DNS, NTP is intended to operate in a hierarchical fashion—Stratum 0 servers feed Stratum 1 servers, which feed Stratum 2 servers, and on down the line. A simple home router, switch, or access point like the ones D-Link had hardcoded these NTP servers into should be querying a Stratum 2 or Stratum 3 server. The Chromium project, presumably with the best intentions in mind, has translated the NTP problem into a DNS problem by loading down the Internet's root servers with queries they should never have to process. Resolution hopefully in sight There's an open bug in the Chromium project requesting that the Intranet Redirect Detector be disabled by default to resolve this issue. To be fair to the Chromium project, the bug was actually opened before Verisign's Matt Thomas drew a giant red circle around the issue in his APNIC blog post. The bug was opened in June but languished until Thomas' post; since Thomas' post, it has received daily attention. Hopefully, the issue will soon be resolved—and the world's root DNS servers will no longer need to answer about 60 billion bogus queries every day. Listing image by Matthew Thomas A Chrome feature is creating enormous load on global root DNS servers
  14. Hack Brief: Microsoft Warns of a 17-Year-Old ‘Wormable’ Bug The SigRed vulnerability exists in Windows DNS, used by practically every small and medium-sized organization in the world. Photograph: JEENAH MOON/New York Times/Redux Since WannaCry and NotPetya struck the internet just over three years ago, the security industry has scrutinized every new Windows bug that could be used to create a similar world-shaking worm. Now one potentially "wormable" vulnerability—meaning an attack can spread from one machine to another with no human interaction—has appeared in Microsoft's implementation of the domain name system protocol, one of the fundamental building blocks of the internet. As part of its Patch Tuesday batch of software updates, Microsoft today released a fix for a bug discovered by Israeli security firm Check Point, which the company's researchers have named SigRed. The SigRed bug exploits Windows DNS, one of the most popular kinds of DNS software that translates domain names into IP addresses. Windows DNS runs on the DNS servers of practically every small and medium-sized organization around the world. The bug, Check Point says, has existed in that software for a remarkable 17 years. Check Point and Microsoft warn that the flaw is critical, a 10 out of 10 on the common vulnerability scoring system, an industry-standard severity rating. Not only is the bug wormable, Windows DNS software often runs on the powerful servers known as domain controllers that set the rules for networks. Many of those machines are particularly sensitive; a foothold in one would allow further penetration into other devices inside an organization. On top of all of that, says Check Point's head of vulnerability research Omri Herscovici, the Windows DNS bug can in some cases be exploited with no action on the part of the target user, creating a seamless and powerful attack. "It requires no interaction. And not only that, once you’re inside the domain controller that runs the Windows DNS server, expanding your control to the rest of the network is really easy," says Omri Herscovici. "It’s basically game over." The Hack Check Point found the SigRed vulnerability in the part of Windows DNS that handles a certain piece of data that's part of the key exchange used in the more secure version of DNS known as DNSSEC. That one piece of data can be maliciously crafted such that Windows DNS allows a hacker to overwrite chunks of memory they're not meant to have access to, ultimately gaining full remote code execution on the target server. (Check Point says Microsoft asked the company not to publicize too many details of other elements of the technique, including how it bypasses certain security features on Windows servers.) For the remote, no-interaction version of the attack that Check Point's Herscovici describes, the target DNS server would have to be exposed directly to the internet, which is rare in most networks; administrators generally run Windows DNS on servers that they keep behind a firewall. But Herscovici points out that if a hacker can get access to the local network by accessing the corporate Wi-Fi or plugging a computer into the corporate LAN, they can trigger the same DNS server takeover. And it may also be possible to exploit the vulnerability with just a link in a phishing email: Trick a target into clicking that link and their browser will initiate the same key exchange on the DNS server that gives the hacker full control of it. Check Point only demonstrated that it could crash a target DNS server with that phishing trick, not hijack it. But Jake Williams, a former National Security Agency hacker and founder of Rendition Infosec, says it's likely that the phishing trick could be finessed to allow a full takeover of the target DNS server in the vast majority of networks that don't block outbound traffic on their firewalls. "With some careful crafting, you could probably target DNS servers that are behind a firewall," Williams says. Who's Affected? While many large organizations use the BIND implementation of DNS that runs on Linux servers, smaller organizations commonly run Windows DNS, says Williams, so thousands of IT administrators will likely need to rush to patch the SigRed bug. And because the SigRed vulnerability has existed in Windows DNS since 2003, practically every version of the software has been vulnerable. While those organizations rarely expose their Windows DNS servers to the internet, both Check Point and Williams warn that many administrators have made architectural changes to networks—often questionable ones—to better allow employees to work from home since the beginning of the Covid-19 pandemic. That could mean more exposed Windows DNS servers that are open to full remote exploitation. "The threat landscape of internet-exposed things has risen dramatically" in recent months, Williams says. The good news, Check Point says, is that detecting SigRed exploitation of a Windows DNS server is relatively easy, given the noisy communications necessary to trigger the vulnerability. The firm says that despite the 17 years that SigRed has lingered in Windows DNS, it has yet to find any indication of an attack on its clients' networks so far. "We're not aware of anyone using this, but if they did, hopefully now it will stop," Herscovici says. But in the short term at least, Microsoft's patch could also lead to more exploitation of the bug as hackers reverse engineer the patch to discover exactly how the vulnerability can be triggered. How Serious Is This? Check Point's Herscovici argues that the SigRed bug should be taken as seriously as the flaws exploited by older Windows hacking techniques like EternalBlue and BlueKeep. Both of those Windows exploitation methods raised alarms because of their potential to spread from machine to machine over the internet. While BlueKeep never resulted in a worm or any mass hacking incidents beyond some cryptocurrency mining, EternalBlue was integrated into both the WannaCry and NotPetya worms that rampaged across global networks in the spring and summer of 2017, becoming the two most damaging computer worms in history. "I would compare this to BlueKeep or EternalBlue," says Herscovici. "If this vulnerability were to be exploited, we might get a new WannaCry." But Rendition Infosec's Williams argues that the SigRed bug is more likely to be exploited in targeted attacks. Most SigRed techniques likely won't be very reliable, given that a Windows mitigation called "control flow guard" may sometimes cause machines to crash rather than being hijacked, Williams says. And fully exposed Windows DNS servers are relatively rare, so the population of machines vulnerable to a worm isn't comparable to BlueKeep or EternalBlue. The phishing technique to exploit SigRed doesn't lend itself to a worm nearly as well, since it would require users to click a link. SigRed could, however, serve as a powerful tool for more discriminating hackers. And that means Windows administrators should rush to patch it immediately. "Technically, it's wormable, but I don't think there will be a worm based on the mechanics of this," Williams says. "But there's no question in my mind that well-funded adversaries will make an exploit for it." Hack Brief: Microsoft Warns of a 17-Year-Old ‘Wormable’ Bug
  15. Cloudflare Warp: beta clients for Windows and Mac are now available Internet company Cloudflare launched its DNS service to the public on April 1, 2018. Besides using one of the easiest to remember IP addresses, Cloudflare promised that would be one of the fastest DNS services, support DNS-over-HTTPS and DNS-over-TLS, and that it would honor user privacy. Cloudflare is one of the options in many, currently experimental, DNS-over-HTTPS implementations in web browsers (Chrome, Firefox) and operating systems (Windows). Cloudflare added optional filters to its service in April 2020 which block block access to undesirable sites on the DNS level. Cloudflare launched a companion app for its DNS service for Android and iOS in 2018, and extended the functionality with its WARP VPN service in 2019. The application enables the use of the company's DNS service on mobile devices, and users may also connect to the VPN service to improve protection further. Warp users get 100 Megabytes for free but need to subscribe for $4 per month for unlimited data. Warp and apps were only available for mobile operating systems up until now. Cloudflare published the first public beta clients of the programs for Microsoft Windows and Apple Macintosh devices this week. The download page reveals that the program is compatible with 64-bit Windows 10 version 1909 and newer versions of Windows, and Mac OS 10.15 or newer. Installation of the Windows client is straightforward; you need to accept the terms on first run before you can start using the client. Cloudflare Warp sits in the system tray area when it is launched. A click displays the main interface featuring a big toggle to connect or disconnect to the VPN network. Select the settings icon to switch between using Warp and, and only the DNS service The latter may be more convenient than setting up the DNS information manually, but it is better to configure the DNS provider manually as you won't need to run the software on your system for that task. The preferences list some useful options. You can change the DNS protocol from WARP to either DNS-over-HTTPS or DNS-over-TLS, and enable for Families functionality there if you want that. The few remaining options allow you to add networks that you want WARP to be disabled on automatically and to reset the encryption keys. The service worked fine during tests, but since it is labeled beta, it should only be run in test environments. Closing Words The beta Warp client for desktop systems enables you to connect to the WARP network and sue the DNS service. It is easy to use but lacks plenty of options and features, e.g. kill-switch functionality, that dedicated VPN clients from established companies offer. It is a beta version on the other hand and there is a possibility that some options and features will be introduced before it hits stable. Cloudflare Warp: beta clients for Windows and Mac are now available
  16. Understanding DNS—anatomy of a BIND zone file Need a clear, thorough guide to understanding how DNS records work? We got you. Enlarge / What does this stream of binary digits have to do with DNS? Nothing, really—but good luck finding a pretty pic somewhere that does! Santo Heston 73 with 57 posters participating, including story author If you want to be a sysadmin or network administrator of any kind, there's a fundamental technology you really need to understand—DNS, the Domain Name System. There was a time when a sysadmin with no aspirations to managing Internet-accessible services might have gotten by without understanding DNS, but that time is long, long gone. You can't learn everything there is to know about DNS in a single article. But that's not what we're looking to do today; instead, we want to give you a clear, concise guide to the structure and meaning of the most important part of the Domain Name System: a zone file, as seen in BIND, the Berkeley Internet Name Daemon. Sample zone file Enlarge / This sample zone file doesn't have every possible record type in it—but it's a good start. Jim Salter Origin and TTL Above, we have a small but complete example of a typical zone file—in fact, it's an anonymized version of a production zone file on a domain I manage. Let's go through it line by line. $ORIGIN tld. $TTL 5m Whenever you see an $ORIGIN line in a zone file, this is a shortcut that lets BIND know that any unterminated hostname references following that line should be presumed to end in the argument following $ORIGIN. In this case, that's .tld—the fictional Top Level Domain for example.tld. The next line, $TTL 5m, declares that following lines will have a Time To Live of five minutes. This relatively short value means that remote DNS resolvers should only cache records retrieved from this zone for five minutes before requesting them again. If you're relatively certain that your DNS for a given domain won't change very often, you might consider increasing that value in order to reduce the number of times remote hosts must query your nameserver—but keep in mind that a longer TTL also means longer periods of downtime, when you must make a change to your DNS (or make a change that accidentally breaks it). Both $ORIGIN and $TTL can be defined multiple times in the same zone—each time you redefine them, you change their value for any lines beneath the new values in the same zone file. SOA record example IN SOA ns1.example.tld. hostmaster.example.tld. ( 90 ; serial 4h ; refresh 15m ; retry 8h ; expire 4m) ; negative caching TTL The first actual record in our sample zone file—or in any normal zone file—is the SOA record, which tells us the Start Of Authority for the domain. It's also easily the most confusing record type in the entire DNS system. For any record listing, including this SOA record, the first argument is the hostname the record applies to—in this case, example. Remember how we set $ORIGIN tld on the first line of the zone file? That means that this unterminated hostname example expands to example.tld—so, we're defining the SOA for the FQDN (fully qualified domain name) example.tld. We're referring to this hostname example as "unterminated" because it doesn't end in a dot. If we wanted to bypass the $ORIGIN setting and refer to a FQDN directly, we'd terminate it with a final dot—eg, example.tld. would be the FQDN here, with the trailing dot. The next argument we see is IN, short for "Internet." This is the record class. There are other DNS record classes, but you can easily go your entire career without seeing one of them (such as CH, for Chaos) in production. The record class is optional; if omitted, BIND will assume that the record being specified is of class IN. We recommend not omitting it, however, lest something change and all your zone files suddenly be broken after a BIND update! The next two arguments are FQDNs—at least, they look like it. The first FQDN really is an FQDN, and it should be the FQDN of the primary name server for the domain itself—in this case, ns1.example.tld. Note that you can use unterminated hostnames here—for example, we could have just used ns1.example for this argument, which would have expanded to ns1.example.tld. thanks to our $ORIGIN .tld line—but it's probably best to be explicit here. The second FQDN, hostmaster.example.tld., isn't actually an FQDN at all. Instead, it's a perverse way of rewriting an email address. @ is a reserved character in zone files, and the original BIND uses the first section of this "FQDN" as the user portion of an email address—so, this would translate to the address [email protected] It's incredibly common to see this screwed up in real-life zone files—thankfully, it doesn't much matter. We're not aware of literally anyone who actually uses this feature of a DNS zone to contact anyone. Moving on, we have serial, refresh, retry, expire, and negative TTL for the zone inside parentheses. Note that the comments you see here labeling them are not required—and in real life, you'll rarely see them. We strongly prefer to put these comments in production zone files in order to make it easier to read them, but BIND itself doesn't care! serial—this is a simple serial number for the zone file, which must be incremented each time the contents of the zone are changed. If you don't update the zone file serial, your changes to the zone will not be picked up by DNS resolvers that have previously cached records from your zone! This used to be a YYMMDDnn format in days gone by—but that format is no longer required, or in some cases even supported. Just start your zones with serial 1, increment to 2 the next time you make a change to the zone, and so forth. refresh—after this period of time, secondary nameservers should query the primary nameserver for this SOA record, to detect changes in serial number. If the serial number has incremented, any cached records must be invalidated and fetched again from the primary nameserver. retry—if the primary nameserver doesn't respond to an SOA request, a secondary nameserver should wait this long before attempting to query the primary nameserver again. expire—if the primary nameserver has failed to respond to a secondary nameserver's SOA request for this period of time, the secondary nameserver should stop offering DNS resolution for the domain entirely. negative caching TTL—this controls how long a "negative" response—eg, "I don't have the record you're asking for"—should be cached. One of the most common areas for confusion in the SOA record is what effect the refresh, retry, and expire arguments have. These arguments don't affect DNS resolvers at all—only secondary authoritative nameservers for the domain. if you don't have one or more secondary nameservers for your domain, which use BIND replication to retrieve updates from the primary, these arguments won't have any effect at all. One final note: older versions of BIND required all of these times to be in seconds... even when the actual time interval was in days, or weeks. BIND9—released almost 20 years ago, in October 2000—supports human-readable time sufffixes such as "m" for minutes, "h" for hours, and "d" for days. Please use these human readable suffixes when writing zone files; nobody should have to break out a calculator to figure out that 86,400 seconds is one day! NS records IN NS ns1.example.tld. IN NS ns2.example.tld. In these two records, we define the hostnames, which are authoritative nameservers for our zone. Once again, we've used dot-terminated FQDNs for these records. Once again, we could have used unterminated hostnames—ns1.example and ns2.example—and relied on our $ORIGIN .tld to expand them. Doing so would make the zone more confusing and difficult to read, though. Note that the NS record specifies hostnames, not IP addresses. This is a common source of confusion for DNS newbies, and it's important to get it right. You cannot specify a bare IP address as the nameserver for a domain; you absolutely must specify a hostname here. Finally, note that we haven't specified the domain name itself on either line—this is because we've inherited it from the SOA record above. We started that line with example, which expands to example.tld. Since we haven't specified another hostname, these new NS records also apply to that hostname by default. In the real world, you may also see zone files with $ORIGIN example.tld., and beginning the SOA and possibly other lines with the special reserved character @. When you see @ as a hostname in a zone file, that just means you're using the bare $ORIGIN without any further qualifiers. MX record(s) IN MX 10 mail.example.tld. In this simple domain, we have a single mailserver, and it's mail.example.tld. The MX record just tells anyone who wants to send email to any address at example.tld to make their SMTP connection to the hostname specified in this record. The preceding argument—10 in this case—is the numeric priority of the mailserver in this specific record. Lower numbers mean higher priority. When multiple SMTP servers are available for a domain, you'll see multiple MX records as well, each with a different priority. In theory, higher priority mailservers should always be tried first, and lower priority mailservers only tried if the higher priority server fails. Well-behaved SMTP servers do follow this protocol—but spammers have a tendency to deliberately target the lower-priority mailservers first, operating on the theory that high-priority servers might be anti-spam gateways, and the lowest priority servers might be the bare, unfiltered end server. Spammers suck. A record(s) IN A A records are the part of a zone file that actually do what most people think of DNS as doing—they translate a hostname to a bare IPv4 address. In this case, this is a sample file only—and our A record for example.tld merely resolves to localhost, on the same principle that phone numbers in movies always start with the exchange 555. In real life, of course, you'd put in the IP address of the server you expected to answer when you ping example.tld, point a Web browser to https://example.tld/, and so forth. In this simple zone file, we only have a single A record for example.tld. In real life, you might encounter several—there could be multiple gateway servers capable of answering Web requests for https://example.tld/; and if so, each would get their own A record on their own line. TXT record(s) IN TXT "v=spf1 a mx a:mail.example.tld a:www.example.tld ?all" This TXT, or text record, is still in the head section of our zone file, under the hostname example.tld. So its scope is the entire example.tld domain. You can put just about anything in a TXT record; this specific one is an SPF record, formatted to give mailservers information about what machines are authorized to emit mail on behalf of example.tld. In this case, we're saying that we're using the SPF1 version of formatting. We then inform anyone querying this record that any valid A record for example.tld is authorized to send mail on its behalf, as is any valid MX for the domain, and finally that the IP addresses associated with the A records for mail.example.tld and www.example.tld are authorized to send mail. Finally, ?all says that if any other machine says it wants to send mail from some address at example.tld, it should be allowed... but it should be examined more closely than specifically authorized hosts are. Hostnames, subdomains, and CNAMEs beneath example.tld $ORIGIN example.tld. ns1 IN A ns2 IN A www IN CNAME example.tld. mail IN AAAA ::1 mail IN A Now that we've defined everything we need to for the domain, we can start adding records for any hostnames and subdomains beneath example.tld itself. The first thing we do here is change our $ORIGIN to example.tld. Again, notice that final terminating dot—if you forget it, things are going to get really strange and you'll tear your hair out wondering why none of your records resolve properly! We see A records here for ns1, ns2, and mail. These A records work the same way that the A record for the domain itself did—we are telling BIND what IP address to resolve requests for that hostname to. We also have an AAAA record for mail.example.tld.—AAAA records are just like A records, but they're for resolving IPv6 rather than IPv4. Once again, we've chosen in our example to use a localhost address. You'll need to be familiar with AAAA records if you expect to set up your own mailserver—Google stopped being willing to talk to mailservers without fully working IPv6 DNS a few years ago! The last record type we see here is CNAME, short for Canonical Name. This is an alias—it allows you to tell BIND to always resolve requests for the CNAMEd host using the A or AAAA record specified in the target argument. In this case, www IN CNAME example.tld. means that the IP address for example.tld itself should also be handed out if somebody asks for www.example.tld. CNAME records are handy, but they're a bit funky. It's worth remembering that each level of CNAME necessitates another DNS lookup—in this case, a remote machine that asked to resolve www.example.tld would be told "please look up example.tld. in order to find your answer," and then would need to issue a separate DNS request for the A record associated with example.tld. If you have CNAMEs pointing to CNAMEs pointing to CNAMEs, you'll introduce unnecessary latency into requests for your resources, and your domain will appear "slow" and "laggy" to your users! There are further limitations in CNAME records. Remember how we told you that MX and NS records must point to hostnames, not to raw IP addresses? More specifically, they must point directly to A records, not to CNAME records. If you try to set MX mail.example.tld. followed by mail.example.tld. CNAME example.tld., your zone file will be broken, and MX lookup attempts will return errors. Tools of the trade If you're managing your own DNS, you'll need to be proficient in using command line tools to query your DNS server directly and see how it responds to requests—it's difficult to be certain whether the problem is DNS or something else just by putting https://example.tld/ in a browser and seeing what happens. dig [email protected]:~$ dig @ NS example.tld ; <<>> DiG 9.16.1-Ubuntu <<>> NS example.tld ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51417 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;example.tld. IN NS ;; ANSWER SECTION: example.tld. 300 IN NS ns1.example.tld. example.tld. 300 IN NS ns2.example.tld. ;; Query time: 40 msec ;; SERVER: ;; WHEN: Sat Aug 22 00:54:26 EDT 2020 ;; MSG SIZE rcvd: 74 If you have access to Linux, Mac, or Windows Subsystem for Linux, by far the best command line tool is dig. Using dig is as simple as specifying a server to query, the record type you want to look for, and the FQDN it should be associated with. In the example above, we asked the DNS server at to show us all NS records associated with example.tld. In addition to the answers we wanted, we got a ton of diagnostic information—the DNS server we queried did not return an ERROR when queried, it says it is authoritative for the domain in question, and so forth. You can also supply a +short argument if you want dig to just shut up and give you the answer you're looking for without all the verbose diagnostics: [email protected]:~$ dig +short @ NS example.tld ns1.example.tld. ns2.example.tld. Be aware, though, that if there aren't any answers available for a +short query—for example, if you typo the domain name—you won't get any response at all, even if the DNS server queried returned an error. [email protected]:~$ dig +short @ NS example.tmd [email protected]:~$ If you want to find out why you didn't get an answer, you'll need to lose the +short argument to find out. nslookup If you don't have access to dig, you can generally get by with nslookup. Most commonly, this is a semi-cursed workaround for users sitting at a Windows box without access to Windows Subsystem for Linux, cygwin, or some other way to gain access to more advanced tools than the Windows CLI provides. nslookup is usually invoked without arguments and queried in interactive mode. Here's a sample session: C:\> nslookup > server Default server: Address: > example.tld Server: Address: Non-authoritative answer: Name: example.tld Address: By setting server, we specified to nslookup to use that machine as the DNS server to query. You don't have to specify this; if you don't, nslookup will use whatever the default DNS resolver on your machine would. After optionally setting the server, you can just type a bare hostname into nslookup's interactive prompt, and it will return any A or AAAA records it can find for that hostname. If you want to query the remote server for a different type of record, you'll need to use a set type command. > set type=ns > example.tld Server: Address: Non-authoritative answer: example.tld nameserver = ns1.example.tld. example.tld nameserver = ns2.example.tld. Authoritative answers can be found from: > set type=mx > example.tld Server: Address: Non-authoritative answer: example.tld mail exchanger = 10 mail.example.tld. Authoritative answers can be found from: example.tld nameserver = ns2.example.tld. example.tld nameserver = ns1.example.tld. mail.example.tld internet address = > exit In the above examples, we used set type=ns and set type=mx to query the remote DNS server for NS and MX records for example.tld. It works, and you get your answers... but the syntax is fiddly, there's less diagnostic information available, it's vastly less scriptable, and if you're anything like us, you'll likely curse the antiquated thing once or twice before you're done. The proper way to get out of nslookup's interactive mode is the command exit. Hopefully, you never need to look up information about a top-level domain also named exit—or if you do, you'll have a better tool available than nslookup when you do. Conclusions Hopefully, you picked up something valuable today about how DNS works and how its information is stored. Although BIND is not the only DNS server platform out there—in particular, Windows admins will need to work with Active Directory DNS—the lessons learned here apply near-equally to all platforms and applications. Although the storage format may change somewhat from server to server—such as an Active Directory domain controller literally storing zones inside Active Directory itself, rather than a plain text file—the record types are universal, and the formatting at least near-universal. If you're a budding sysadmin or enthusiast who's interested in running your own DNS server, I highly recommend doing it—and using the original platform when you do; BIND on either Linux or BSD. The system load of running a nameserver is nearly nonexistent at any scale short of truly massive; a $5 Digital Ocean or Linode box can handle the job just fine. In addition to the sheer joy of learning how to manage these things, you may also find you value the ability to set your TTLs absurdly short—most managed DNS servers won't allow a TTL of less than 30m, and most will attempt to default you to TTLs of up to a week. This is fine and dandy for a DNS zone, which is already properly set up and doesn't need changing... but if your IP address changes and your DNS needs to change along with it, a five-minute TTL is a very, very fine thing to have. Understanding DNS—anatomy of a BIND zone file
  17. Giveaway : 3 Months of Smart DNS Proxy Service for FREE. Promoted Subscription : Lifetime 57% Discount No credit card needed! This promotion also includes lifetime special discount of up to 57%. Users will not be effected from any future price increase! Smart DNS Proxy provides access to over 140+ global video and music streaming services including American Netflix, Hulu Plus, BBC iPlayer, Pandora, etc. You can find all List Of Supported Services Here. Service works with multiple devices: PC, Mac, Linux, iPad, iPhone, iPod, Android Tablet/Phone, PS3/4, Xbox One/360, Chromecast, Roku, NowTV, AppleTV and many other Smart TVs. Here is the Promo Link for this Deal. http://www.smartdnsproxy.com/?afid=5ee8cf37a482 (In order to benefit from 3 month giveaway afid has to be kept on the link!) * When you click Sign Up Page, you will see 92 days free service deal information. ** This giveaway promotion is only for nsane forum users *** For any support related queries please contact with Smart DNS Proxy Support Team here or live chat on the website. HAVE FUN! :D
  18. ramonjosegn

    Smart DNS Proxy - Giveaway suscription

    Smart DNS Proxy is a versatile DNS service that works on many devices. You can use it to unblock websites, stream music and videos. It is faster than VPN, and for a limited time it is FREE! I am testing and is works very fine and speedy http://www.smartdnsproxy.com/
  19. Pi-Hole on Raspberry Pi Zero: As more and more things become IoT and stay online and do who knows what about user data, it is right time to back control. This simple program can block ads at DNS level. Meaning you don't need an adblock anymore as ads never reach to you in the first place. This is truly a blackhole for ads! Minimum Requirements: Raspberry Pi Zero Wi-Fi (or new), MicroSD Card 8 GB, USB Drive, Micro USB Charger, Computer (You can use different ISO based on your preference. This looks complex but can be done in minutes! Steps: 1. Raspberry Pi OS (32-bit) Lite: https://downloads.raspberrypi.org/raspios_lite_armhf_latest 2. Write the ISO to USB Drive: https://sourceforge.net/projects/win32diskimager/ 3. In order to connect this over WiFi to your router, we have to create two files: a. wpa_supplicant.conf Create a text file with below info and then add ".conf" extension instead of .txt when you are done.: ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 country=<Insert 2 letter ISO 3166-1 country code here> network={ ssid="<Name of your wireless LAN>" psk="<Password for your wireless LAN>" } Create an empty text file and name it "ssh" without quotes. Remove the .txt extension. 4. Put both files in to "boot" folder of USB drive. Once you have written the ISO image, you will see a boot folder on USB. 5. Connect to Micro USB charger. 6. In order to connect this to your PC over your home Wi-Fi, get PuTTY: https://the.earth.li/~sgtatham/putty/latest/w32/putty-0.74-installer.msi 7. Now we need to find out the address our Pi Zero has been assigned by router. Find it from router. Usually it is in the range of 192.168.0.XXX 8. Now open PuTTY on PC. Enter above address and confirm the prompt to accept the connection from Pi Zero 9. Default username and password are "pi" and "raspberry" without any quotes. 10. Run this command and it is done! curl -sSL https://install.pi-hole.net | bash Now you can manage the Pi-Hole UI from any device over local Wi-Fi and see ads getting blocked. You can also add more adlists. Further detailed config: https://github.com/pi-hole/pi-hole
  • Create New...