Louis Jones

Louis Jones

1625624518

DNS Explained in 100 Seconds

Ever wonder how DNS works? The Domain Name System is one of the most important Internet technologies, but few web developers understand how it actually works behind the scenes.

#webdev #compsci #100SecondsOfCode

🔗 Resources

What is DNS https://www.cloudflare.com/learning/dns/what-is-dns/
Domain Name System https://en.wikipedia.org/wiki/Domain_Name_System

🤓 Install the quiz app

iOS https://itunes.apple.com/us/app/fireship/id1462592372?mt=8
Android https://play.google.com/store/apps/details?id=io.fireship.quizapp

🔥 Watch more with Fireship PRO

Upgrade to Fireship PRO at https://fireship.io/pro
Use code lORhwXd2 for 25% off your first payment.

🎨 My Editor Settings

  • Atom One Dark
  • vscode-icons
  • Fira Code Font

#developer

What is GEEK

Buddha Community

DNS Explained in 100 Seconds
Ray  Patel

Ray Patel

1623940860

Way to find out if DNS is down or your instance with python

DNS-PING

Way to find out if DNS is down or your instance.

Problem: At times it happens that DNS provider services of a website URL is down and so to reduce response time by not diagnosing the infrastructure and informing the user to check with DNS provider.

Functionality: Lambda in python pings the URL to be monitored and fetch the response. If the response code is anything other than 200 it triggers CloudWatch event and send SNS to user.

How to Run the Script : Create a Lambda function called “DNS-PING” the run-time version Python 3.6 and above by using the attach code. Creation of the Lambda function will in turn create CloudWatch Logs groups for its logging. Lamda can be call every 5 mins or as per your business requirement.

#network #way to find out if dns is down or your instance with python #python #dns #way to find out if dns is down or your instance #find out if dns

Mitchel  Carter

Mitchel Carter

1603569600

How to configure external DNS with DigitalOcean DNS extension on Plesk

As a customer-friendly hosting panel, Plesk’s entire architecture and ecosystem are strategically designed to streamline and simplify things for customers. Besides the availability of extensions, the menu empowers clients to self-manage various backend and front-end aspects of their website. One of the very useful extensions in this list is the DigitalOcean DNS extension. In this tutorial, we will learn how to configure an external DNS server quickly and safely with Plesk.

There are good chances that, as a genuine netizen, Domain Name Service shouldn’t be an alien word for you. But sharing more knowledge never hurts. So, let’s dig deeper into this before coming to the main topic.

DNS described in simple language

Think of DNS as a translator between you and the computer. DNS or Domain Name Server converts the simple English names like www.google.com into “computer language” of numerical codes.

This process of changing general domain names into computer language is called Resolving. The entity/agent that obtains the IP address by communicating with other servers is called DNS resolver. Loaded with sophisticated capabilities, Plesk can work as a reliable and competent DNS resolver.

Here is the USPs of Plesk as a DNS server resolver

  • It can act as a backup server
  • Quick and direct translation services
  • Facility to handle translation services on a remote server

How does DNS work?

A specific storage space containing specific domain addresses either in a file or an authorized server is called domain zones. There are two types of DNS servers – Root DNS servers and secondary DNS servers, commonly known as lower-level DNS servers.

Root DNS servers refer to a hierarchically arranged global storage system containing the entire DNS database and corresponding IP addresses for all domain names. When the requesting browser attempts to access, say www.myexample.com it requests the authorized server to get the corresponding IP address.

Next level DNS servers store partial DNS databases. These servers are owned by business entities or ISPs who have registered their computers on the DNS system. They run the DNS server software to initiate and manage the DNS resolution process. Each DNS server comes with a public IP as well as vital databases of other hosts including their network names and addresses.

The visitor enters the desired domain name in the address bar and hits enter. It initiates the communication between visitors’ system and DNS server. Acting as a DNS client the web browser requests DNS data from a DNS server which is run by the user’s Internet service provider. Acting on the request the server looks into the internal DNS database to find a matching IP address.

In case if the server fails to find the match it forwards the request to another secondary DNS server in the network. If the matching IP is not found there the request is then escalated to the root server containing the global DNS database. After getting the domain name and corresponding IP the data is returned to the web browser through the route of DNS network. This is known as forward DNS. There is another process known as reverse DNS but that is beyond the scope of this article. You can read about it here.

Delegating DNS zone responsibilities

As a domain name client, you can either allow your registrar to handle the DNS zone responsibilities or delegate it to Plesk. The latter option enables you to self manage your domain zone through your Plesk interface.

Just like most of us techies, DNS is also a multi-tasker. Along with translating domain names into IP addresses, it also delivers other vital data like information related to mail domain, IP validity status, etc.

Configure an external DNS server quickly and safely with Plesk

By default the Plesk works as a master DNS server for the hosted website, i.e., other DNS servers can directly transfer their zones file from it. You also have the option to use the third party DNS servers. In this guide, we present the step by step instructions on how to install a digital ocean DNS extension on Plesk.

  • Go to the Plesk Extensions Catalog.
  • Search for DigitalOcean DNS and click “Install on my server”
  • Open the extension.
  • It opens the page presenting two options for installation namely “0Auth Authentication” and “API token”

configure an external DNS server quickly and safely with Plesk - Plesk

Setting up your DigitalOcean DNS using Plesk Extension with API Token

Click on “API Token.” You would be prompted to enter a token. To generate the token, log into your digital ocean account and click API (left bottom). Click on “Generate a new token”. Enter your desired token name in the resultant dialogue box and click the button below it. You would see the details of the generated token. Copy the code.

Next, go to the Plesk tab, paste code in the box, and click the button below it. On the next screen, you can confirm that the digital ocean extensions have been connected. Click on the option “Activate all” and the extension will be active on all the connected domains.

#product and technology #tips and easy-reading #0auth authentication #api token #clouds #digitalocean #digitalocean dns #dns #dns servers #plesk extensions #tutorial

Wilford  Pagac

Wilford Pagac

1596848400

Critical DNS Bug Opens Windows Server to Infrastructure Takeover

Microsoft gives the ‘wormable’ flaw a security rating of 10 – the most severe warning possible.

A critical Microsoft Windows Server bug opens company networks to hackers, allowing them to potentially seize control of IT infrastructures. Microsoft issued a patch for the bug on Tuesday as part of its July Patch Tuesday roundup.

It turns out that the bug is 17 years old. Impacted are Windows Server versions from 2003-2019. The bug, found by researchers at Check Point, received a severity warning of 10 – the highest allowed. Most concerning to researchers however is that the bug is wormable, meaning a single exploit of the flaw can trigger a chain reaction that allows attacks to spread from one computer to another.

“[The] security flaw would enable a hacker to craft malicious DNS queries to the Windows DNS server, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure,” according to Check Point researcher Sagi Tzaik, who is credited for finding the flaw.

Microsoft released a patch for the vulnerability, identified as CVE-2020-1350, and urged customers to prioritize an update to their systems. Check Point is calling the bug SigRed – a nod to the vulnerable DNS component and function “dns.exe”.

A hacker can gain Domain Administrator rights over the server, “enabling the hacker to intercept and manipulate users’ emails and network traffic, make services unavailable, harvest users’ credentials and more. In effect, the hacker could seize complete control of a corporation’s IT,” researchers wrote, in a technical analysis of the bug, posted Tuesday.

**Patching Is an Imperative     **

Upping the chance for exploitation by a hacker is the relatively simple prerequisites needed to exploit the vulnerability. “The likelihood of this vulnerability being exploited is high, as we internally found all of the primitives required to exploit this bug, which means a determined hacker could also find the same resources,” researchers noted.

“This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions. Non-Microsoft DNS Servers are not affected,” Microsoft wrote in a post Tuesday. “While this vulnerability is not currently known to be used in active attacks, it is essential that customers apply Windows updates to address this vulnerability as soon as possible.”

Mechele Gruhn, principal security PM manager at the Microsoft Security Response Center, noted that “if applying the update quickly is not practical, a registry-based workaround is available that does not require restarting the server. The update and the workaround are both detailed in CVE-2020-1350.”

“CVE-2020-1350, a wormable remote code execution vulnerability in Windows DNS Server, could very well be the most critical Windows vulnerability released this year, receiving a rare 10 out of 10 CVSS score,” Chris Hass, director of information security and research at Automox, told Threatpost.

“A wormable vulnerability like this is an attacker’s dream. An unauthenticated hacker could send specially crafted packets to the vulnerable Windows DNS Server to exploit the machine, allowing for arbitrary code to be run in the context of the local system account. Not only will the attacker have full control of the system, but they will also be able to leverage the server as a distribution point, allowing the attacker to spread malware between systems without any user interaction. This wormable capability adds a whole other layer of severity and impact, allowing malware authors to write ransomware similar to notable wormable malware such as Wannacry and NotPetya,” Hass said.

Exploiting a 17-Year-Old Bug

The flaw itself is an integer-overflow bug that can trigger a heap-based buffer overflow attack tied to the DNS module called dns.exe, which is responsible for answering DNS queries on Windows Servers.

By abusing the dns.exe module, two attack surfaces were created by researchers. One is a “bug in the way the DNS server parses an incoming query.” And the second is “a bug in the way the DNS server parses a response (answer) for a forwarded query.”

The attack requires researchers to first force a Windows DNS Server to parse responses from a malicious DNS NameServer. This employs the dns.exe module, which parses all supported response types. One of those supported response types is for a Secure Internet Access (SIG) query called SIG(O). Researchers focused their attention on creating a request that exceeded the maximum size request of 65,535 bytes, and causing the overflow. By using compressed data, researcher were able to create a successful crash.

“Although it seems that we crashed because we were trying to write values to unmapped memory, the heap can be shaped in a way that allows us to overwrite some meaningful values,” they wrote.

This local attack then was replicated remotely, by “smuggling DNS inside HTTP” requests on Microsoft Explorer and Microsoft Edge browsers (Google Chrome and Firefox are not vulnerable to this type of attack). Because DNS can be transported over TCP — and Windows DNS Server supports this connection type – researchers were able to craft a HTTP payload.

“Even though this is an HTTP payload, sending it to our target DNS server on port 53 causes the Windows DNS Server to interpret this payload as if it was a DNS query,” they wrote. Researchers were able to circumvent HTTP protections against similar malicious HTTP payloads by “smuggling” DNS query data inside the POST data located in the HTTP request.

Chromium-class browsers (Google Chrome and Mozilla Firefox) do not allow HTTP requests to port 53, therefore the bug can only be exploited Internet Explorer and Microsoft Edge.

“Successful exploitation of this vulnerability would have a severe impact, as you can often find unpatched Windows Domain environments, especially Domain Controllers. In addition, some internet service providers (ISPs) may even have set up their public DNS servers as WinDNS,” Check Point wrote.

#vulnerabilities #web security #critical vulnerability #cve-2020-1350 #dns #dns nameserver #dns.exe #domain administrator #http request #july patch tuesday #microsoft patch #microsoft security response center #security bug #sigred #windns #windows server #wormable

Vern  Greenholt

Vern Greenholt

1597820040

Secondary DNS — A faster, more resilient way to serve your DNS records

What is secondary DNS, and why is it important?

In DNS, nameservers are responsible for serving DNS records for a zone. How the DNS records populate into the nameservers differs based on the type of nameserver.

A primary server is a nameserver that manages a zone’s DNS records. This is where the zone file is maintained and where DNS records are added, removed, and modified. However, relying on one DNS server can be risky. What if that server goes down, or your DNS provider has an outage? If you run a storefront, then your customers would have to wait until your DNS server is back up to access your site. If your website were a brick and mortar store, this would be effectively like boarding up the door while customers are trying to get in.This type of outage can be very costly.

Now imagine you have another DNS server that has a replica of your DNS records. Wouldn’t it be great to have it as a back-up if your primary nameserver went down? Or better yet, what if both served your DNS records at all times— this could help decrease the latency of DNS requests, distribute the load between DNS servers, and add resiliency to your infrastructure! And that’s precisely what Secondary DNS nameservers were built for.

As businesses grow, they often scale their DNS infrastructure. We’re seeing more customers move away from two or three on-premise DNS servers to using a managed DNS provider to having multiple DNS vendors—all to increase redundancy against the possibility of a DDoS attack taking down one of their providers. Cloudflare has data centers in over 200 cities, all of which run our DNS software allowing our authoritative DNS customers to benefit from DNS lookups averaging around 11ms globally. So we decided to expand this functionality to customers who want to use more than one DNS provider, or for those that find it too complicated to move away from their on-premise DNS server.

#dns #analytics #secondary dns #data analytic

Trace  Hoeger

Trace Hoeger

1624552260

Ditch Your DNS For Microsoft Azure DNS & Moving On

This is my last post as Associate Architect at Nagarro. I would be moving to a new location and a new position very soon and therefore, I won’t be posting much for about a month. I’ll have a lot more to say about the new organization that I would be joining once I get there, but for now, let me just say that everyone I’ve met at this new place has seemed smart and passionate. I’m very excited to join the team. Of course, I would miss the fantastic people at Nagarro and my laptop, which powers at least five of my peripherals at any point of time and helps me write and publish this blog.

What Else?

There are some interesting things that I am working on and I am sure you would love to be in the loop when they are ready for prime time. I welcome you to subscribe to my mailing list and join many others who love coding and trying out new stuff just like you and me.

Enough… Let’s Start

Do you know how many name servers are available with your domain registrar and whether they are redundant and highly available? Do you wait for DNS records to update after every deployment? Do you experience latency in the name resolution of your application? If you have faced any or all of these issues, then you would want to explore Microsoft’s Route 53 a.k.a Azure DNS.

Azure DNS

Let’s get a few facts in place. A DNS is responsible for resolving a website name to its IP address. A domain name registrar is an organization that registers your domain name in the central registry database. The Azure DNS service does not provide domain name registrations (yet), so you would need to use an affiliated domain name registrar such as GoDaddy to reserve your domain name. You can then rely upon the global reach of Microsoft Azure to resolve the IP addresses of your domains. I encourage you to read about DNS internals in this fun little comics.

A DNS server can store a set of DNS records for each domain in a DNS Zone File. Each DNS record has a name, a predefined type and a value. Two of the most important records are the A record, which maps a name to an IP address and the CNAME record, which basically specifies the alias name of the value of the record (e.g. rahulrai.in is the alias of rahulrai.azurewebsites.net).

#microsoft azure dns #dns