Index
  Title Page
  Copyright and Credits
    Managing Mission-Critical Domains and DNS
  Dedication
  Packt Upsell
    Why subscribe?
    PacktPub.com
  Contributors
    About the author
    Packt is searching for authors like you
  Preface
    Who this book is for
    What this book covers
    To get the most out of this book
      Download the color images
      Conventions used
    Get in touch
      Reviews
  The Domain Name Ecosystem
    Why domains are important
    Domain names 101
      Anatomy of a domain name
        Registry details
        Registrar
        WHOIS server
        Expiry date
        The registrant contact set
        The administrative contact set
          Use a domain you control
          Use a different domain than the name in the record
          Use an exploder
          Use a unique address
          Alternatively, use canaries
        The tech contact set
        The billing contact set
        DNS details
        Status
          Status flags set by the registry
            Ok
            inactive
            autoRenewPeriod
            pendingTransfer
            redemptionPeriod
            pendingDelete
          Status flags set by the Registrar
            clientHold
            clientDeleteProhibited
            clientTransferProhibited
            clientUpdateProhibited
            clientRenewProhibited
    Understanding the domain name expiry cycle
      Domain expires (day 0)
      Domain gets parked (days 3 to 5-ish)
      RGP – Registrant Grace Period (up to 45 days)
      Redemption period (day 45-ish)
      PendingDelete – day 90 (5 days)
      Never do this
      What to do if you lose a key domain
    Summary
    References
  Registries, Registrars, and Whois
    Registries and Registrars
      Generic TLDs
      Country Code TLDs (ccTLDs)
      New Top-Level Domains
      IDN TLDs
        Online tools for converting punycode
      Infrastructure TLDs
      Registrars and Resellers
        An effective Registrar should...
    What is Whois?
      Thin versus thick Whois
      Whois privacy
        RegisterFly – The Lehman Brothers' moment of the domain industry
        How to tell whether Whois privacy is enabled
        Why you should always use Whois privacy
        Why you should never use Whois privacy
      Where is Whois going?
        Europe's GDPR and its effect on Whois
        Registration Data Access Protocol (RDAP)
      Further reading
    Summary
  Intellectual Property Issues
    Which domains should your organization register?
    Asserting Your trademarks within the new TLD landscape
      Rollout phases of a new TLD
        Sunrise
        Landrush
        Premium auction
      The Trademark Clearing House
    Typo domains
    What is "CyberSquatting"?
    Dispute mechanisms
      Uniform Domain Name Dispute Resolution Policy (UDRP)
        How the UDRP works
      Uniform Rapid Suspension System (URSS)
    What if somebody tries to take your domains?
      What happens when somebody initiates a UDRP against your domain?
      Transfer Dispute Resolution Procedure (TDRP)
    Summary
    References
  Communication Breakdowns
    Domain policies you must be aware of
      The Whois Accuracy Program (WAP)
        Incorrect or bad Whois reports
      Domain slamming
      Phishing
        Email phishing (spearphishing)
        Web phishing
      Unintentional expiry
      Search engine/trademark registrations
    Domain scams
      The Foreign Infringer scam
      Aftermarket scams
        Buy-side scam
        Sell-side scams
    DNS failures
    Summary
    References
  A Tale of Two Nameservers
    Introducing resolvers
      Differences between stub resolvers, caching resolvers, and full resolvers
        Stub resolvers
        Caching resolvers
        Full resolvers
      Negative caches
    Authoritative nameservers
      Primary Nameserver
        Hidden primaries
          Hidden primary considerations
      Secondary nameservers
    Summary
    References
  DNS Queries in Action
    Top-level domain nameservers
      Nameserver order
      How does a resolver know where the "." nameservers are?
    Anatomy of a DNS lookup
      Format of a DNS query
        Transaction ID
        Number of questions
        Number of answers
        Number of authority records
        Number of additional records
        Query name
        Query type
        Query class
        Additional section responses in queries
      When does DNS use TCP instead of UDP?
        Zone transfers happen over TCP
        EDNS and large responses
      The anatomy of a DNS query – how nameserver selection actually works
    Summary
    References
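The "Format of a DNS query" entries above enumerate the header fields (transaction ID and the four section counts), the question tuple (name, type, class) and the OPT record that EDNS puts in the additional section. The following is an added example, not code from the book, that builds a query and a matching reply on the wire, parses both, and applies the check a resolver must make before trusting an answer: same ID, same question, QR bit set. The messages, the transaction ID 0x1234 and the address 192.0.2.1 are constructed for the example.

```python
"""Build and parse DNS messages: header, question, EDNS OPT record and a
compressed answer, following the RFC 1035 / RFC 6891 wire format.
Added example for the chapter outline; the messages are constructed here,
not captured from a real resolver."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"  # the root name is a single zero-length label
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg: bytes, offset: int, hops: int = 0):
    """Decode a possibly compressed name; return (name, offset after the name).
    hops bounds pointer chasing so a crafted message cannot loop forever."""
    if hops > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 14-bit pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer, hops + 1)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid: int, qname: str, qtype: int, udp_size: int = None) -> bytes:
    """Standard recursive query; udp_size adds an EDNS OPT record (RFC 6891)."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    opt = b""
    if udp_size:
        # OPT: root owner name, TYPE 41, CLASS carries the advertised UDP payload
        # size, TTL carries extended RCODE/version/flags (0), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt


def build_reply(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Answer an A query: copy ID and question, set QR, add one A record whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, end = decode_name(query, 12)
    question = query[12:end + 4]
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_message(msg: bytes) -> dict:
    """Return header fields, the question list, A answers and the EDNS size if present."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "id": txid,
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": (qd, an, ns, ar),
        "questions": [], "answers": [], "edns_udp_size": None,
    }
    off = 12
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((qname, qtype, qclass))
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if section == "ar" and rtype == 41:
                out["edns_udp_size"] = rclass  # CLASS is overloaded in OPT
            elif section == "an" and rtype == 1 and rdlen == 4:
                out["answers"].append((name, ".".join(map(str, rdata)), rttl))
    return out


def response_matches_query(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if it is a response with the same ID and the same
    question (name compared case-insensitively). Skipping this check is how a
    resolver ends up caching a spoofed answer."""
    q, r = parse_message(query), parse_message(reply)
    norm = lambda qs: [(n.lower(), t, c) for n, t, c in qs]
    return r["qr"] == 1 and q["id"] == r["id"] and norm(q["questions"]) == norm(r["questions"])
```

The ID match alone is a 16-bit defence; a real resolver also randomises the source port and checks that the answer arrived from the server it queried, which is the reasoning behind the later DNSSEC and DNS-over-TLS sections.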
  Types and Uses of Common Resource Records
    Format of an RR
    Constructing a zone
      Start of Authority (SOA)
        MNAME (Originating Nameserver)
        RNAME (Point of Contact)
        Serial
          Date-based
          Unix timestamp
          Raw count
          When the format of the Serial actually matters
        The Refresh interval
        The Retry interval
        The Expire interval
        Minimum
          Can't You Just Set Your $TTL To 0?
      Nameserver (NS)
      A/IPv4 Address
      CNAME/Alias
        When to use Aliases vs Hostnames
      The Mail Exchanger (MX) record
        Preferences, Priorities, and Delivery Order
        Backup MX handler considerations
        Special case MX records
        Managing many MX domains
      TXT/Text Records
        SPF records
      SRV
      NAPTR
      DNAME
      PTR
      IPv6
        AAAA
        A6
      CERT
      TLSA
      CAA
      DNSSEC-specific RR Types
    Summary
    References
  Quasi-Record Types
    URL Forwards and Redirects
    The Zone Apex Alias (ANAME)
      Updates
    Multiple A records (RRSets)
    CNAME chains
    POOL records (multiple CNAME RRSet)
      Why can't you have a CNAME with other data?
    DYN (Dynamic DNS records)
    Email forwarders
      Generic email forwarding
      Separating forwarders from backup spooling via MX records
      How to handle a large volume of email – where to cluster?
    Summary
    References
  Common Nameserver Software
    BIND
      BIND-DLZ
      Adding new zones to busy BIND 9 servers (in the olden days)
    PowerDNS
      Things to know
        The Supermaster (auto-adding new zones to secondaries)
      Installation
        Lua integration
      Configuring PowerDNS
      Converting BIND-style zone data into PowerDNS
      Slaving PowerDNS from BIND masters
      Using a PowerDNS master to BIND secondaries
      Adding custom backends to PowerDNS
      PowerDNS wrap-up
    NSD
      Things to know
        No native support for RFC 2136 dynamic DNS
        Notifies to slaves
      Installation and setup
      nsd wrap-up
    djbdns/tinydns
      Things to know
        No native support for DNSSEC
        No responses for non-authoritative domains
        TCP not supported in main daemon
        Supports IPv6, SRV, NAPTR, etc., natively, out-of-box (mostly)
        All zones in a single datafile
        How time is handled
      Installation from source
        daemontools
        ucspi-tcp
      Getting your bind data into tinydns
        axfr each zone
        Using a parser
      Slaving from a Bind master
      Slaving bind from a tinydns master
      tinydns wrap-up
    Knot DNS
      Installation
      Configuration
      knotc – the Knot DNS controller
      Slaving zones
      DNSSEC support
    Conclusion
    References
  Debugging Without Tears – DNS Diagnostic Tools
    Command line-based tools
      whois
        Are we looking at the correct domain?
        Has the domain expired at the registry?
        What is the Registry/Registrar status of the domain?
        Is the domain using the expected nameservers?
        Is it DNSSEC-signed?
        How to look at a Whois record for a new TLD
      dig
        Understanding dig responses
          The HEADER section
          The ANSWER section
          The AUTHORITY section
          The ADDITIONAL section
        Using dig
          DNSSEC
          Reverse lookups
          Delegation chains
      host
      named-checkzone and named-checkconf
      dnstop
    Web-based debugging tools
      DNS stuff
      whatismydns
      dnsviz
      easywhois
      domaintools
    Summary
    References
  DNS Operations and Use Cases
    Transferring domain names
      Change of registrant
      Nameserver redelegations
        Redelegating DNSSEC-signed domains
      Registrar transfer (without changing nameservers)
        IMPORTANT – make sure your new registrar knows what to do with the nameservers
        Beware! Transfers may trigger the WAP!
        Steps of a registrar transfer
      Registrar transfer and nameserver redelegation
    Adding additional nameservers
      External secondaries
      External masters
      Other considerations
    Structuring secondary DNS arrangements
      Securing zone transfers with TSIG
      Syncing zone data across secondaries
    Planning migrations with DNS updates
      Moving to new nameservers
        Moving single zones
          Have the new nameservers slave from the current master
          Setting up a new master to serve the new nameservers
        Moving entire portfolios of domains
    Round Robin DNS
    Load-balancing/global weighted load-balancing
    DNS failover
      The target resource must be monitored
      Its health must be measured and evaluated
      The standby resource must be ready
      There must be a reversion strategy
    Dynamic DNS
      Standards-based dynamic DNS (RFC 2136)
      Dynamic DNS via web requests
    Geo DNS
      Edns-client-subnet
      Native support for Geo DNS
        PowerDNS and GeoIP backend
        BIND and Geo IP
        A GeoIP fork for djbdns
        GeoDNS-centric nameservers
      Anycast method
      Custom PowerDNS backend method
    Zone apex aliasing
    Reverse DNS and netblock subdelegations
      Classless reverse DNS
        The proper way to do sub-/24 PTR records
        The RFC 2317 method
        RFC 2317 modified
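The classless reverse DNS entries above cover the RFC 2317 technique for delegating PTR records for a block smaller than a /24: the holder of the /24 zone adds one CNAME per address pointing into a child zone named after the sub-block, and the customer runs that child zone. The code below is an added example, not taken from the book, that generates the parent-zone records for such a delegation (with the RFC 2317 "64/26" label or the "64-26" form often used where tooling rejects a slash in an owner name) and then walks the CNAME-to-PTR chain the way a resolver would. The /24, the customer block and the hostnames are constructed from RFC 5737 documentation space.

```python
"""Generate an RFC 2317 classless in-addr.arpa delegation for a sub-/24 block
and follow the resulting CNAME -> PTR chain. Added example for the chapter
outline; addresses and names are constructed, not real delegations."""
import ipaddress


def classless_delegation(cidr, nameservers, separator="/"):
    """Return (parent_zone, child_zone, parent_records) for a block longer
    than /24. separator="/" gives the RFC 2317 label; "-" gives the common
    modified form for tooling that rejects "/" in owner names."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects misaligned blocks
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 is for IPv4 blocks smaller than a /24")
    o1, o2, o3, o4 = str(net.network_address).split(".")
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    sub_label = f"{o4}{separator}{net.prefixlen}"
    child_zone = f"{sub_label}.{parent_zone}"
    first = int(o4)
    records = [f"{sub_label}\tIN\tNS\t{ns}" for ns in nameservers]
    # One CNAME per address in the parent /24 zone, pointing into the child zone.
    for host in range(first, first + net.num_addresses):
        records.append(f"{host}\tIN\tCNAME\t{host}.{child_zone}")
    return parent_zone, child_zone, records


def zone_db(origin, records):
    """Flatten tab-separated 'owner IN TYPE RDATA' lines into {fqdn: (TYPE, RDATA)}."""
    db = {}
    for line in records:
        owner, _, rtype, rdata = line.split("\t")
        db[f"{owner}.{origin}"] = (rtype, rdata)
    return db


def reverse_name(ip):
    """The in-addr.arpa name a resolver queries for a PTR lookup."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup_ptr(db, ip, max_hops=8):
    """Follow CNAMEs from the in-addr.arpa name to a PTR; None if unresolvable.
    max_hops guards against a CNAME loop in a misconfigured delegation."""
    name = reverse_name(ip)
    for _ in range(max_hops):
        rr = db.get(name)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "PTR":
            return rdata
        if rtype != "CNAME":
            return None
        name = rdata
    return None


def demo():
    """ISP holds 192.0.2.0/24; the customer gets 192.0.2.64/26 and runs its own
    reverse zone. Returns the zones, the parent records and a merged lookup table."""
    parent, child, parent_records = classless_delegation(
        "192.0.2.64/26", ["ns1.customer.example.", "ns2.customer.example."])
    # The customer's child zone: constructed PTRs for two of its hosts.
    child_records = [
        "65\tIN\tPTR\tmail.customer.example.",
        "66\tIN\tPTR\twww.customer.example.",
    ]
    db = zone_db(parent, parent_records)
    db.update(zone_db(child, child_records))
    return parent, child, parent_records, db


if __name__ == "__main__":
    parent, child, parent_records, db = demo()
    print(f"$ORIGIN {parent}")
    print("\n".join(parent_records[:4] + ["..."]))
    for ip in ("192.0.2.65", "192.0.2.70", "192.0.2.200"):
        print(ip, "->", lookup_ptr(db, ip))
```

Two checks worth keeping from this: `strict=True` refuses a block whose first address is not aligned to its prefix (a frequent copy-paste error in reverse delegations), and a CNAME that points at a child zone with no matching PTR resolves to nothing rather than to an error, which is what "the reverse lookup silently fails" looks like in practice.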
    Implementing SPF, DKIM, and DMARC
      SPF
        SPF – things to know
          SPF breaks email-forwarding
          Overcomplicated SPF records can lead to bounces
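The two SPF caveats listed above are easiest to see by running the check. Below is an added example, not code from the book: a minimal RFC 7208 evaluator over an in-memory DNS table that reproduces both problems. A message forwarded by a third-party mailbox without rewriting MAIL FROM arrives from the forwarder's IP, which the original domain's record never lists, so a `-all` record yields `fail` (and a `~all` record only `softfail`); and a record whose nested `include:` chain exceeds the ten-DNS-lookup limit evaluates to `permerror`, which many receivers treat as a reason to reject. The domains, addresses and records in the table are constructed (RFC 5737 space and `.example` names); modifiers such as `redirect=` are not implemented.

```python
"""Minimal SPF (RFC 7208) evaluator over an in-memory DNS table, showing a
forwarded message failing SPF and an over-complicated record hitting the
10-lookup limit. Added example for the chapter outline; the DNS table is
constructed, not live data."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: include/a/mx/ptr/exists/redirect in total
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """Conditions RFC 7208 classes as permerror."""


def check_spf(dns, domain, sender_ip, lookups=None):
    """Return pass/fail/softfail/neutral/none for sender_ip using MAIL FROM @domain."""
    lookups = [0] if lookups is None else lookups  # counter shared across includes
    ip = ipaddress.ip_address(sender_ip)
    record = dns.get((domain, "TXT"))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not handled in this example
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("a", "mx", "include", "ptr", "exists"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise SpfPermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in dns.get((target, "A"), [])
        elif mech == "mx":
            matched = any(str(ip) in dns.get((h, "A"), []) for h in dns.get((target, "MX"), []))
        elif mech == "include":
            inner = check_spf(dns, target, sender_ip, lookups)
            if inner == "none":
                raise SpfPermError(f"include:{target} has no SPF record")
            matched = inner == "pass"
        else:
            raise SpfPermError(f"unsupported mechanism {mech}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def evaluate(dns, domain, sender_ip):
    try:
        return check_spf(dns, domain, sender_ip)
    except SpfPermError:
        return "permerror"


# Constructed DNS table: (name, type) -> data. Not real records.
DNS = {
    ("example.com", "TXT"): "v=spf1 ip4:192.0.2.0/28 mx include:_spf.mailvendor.example -all",
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.mailvendor.example", "TXT"): "v=spf1 ip4:203.0.113.0/24 -all",
    ("lenient.example", "TXT"): "v=spf1 mx ~all",
    ("lenient.example", "MX"): ["mail.example.com"],
    ("bloated.example", "TXT"): "v=spf1 include:hop0.example -all",
}
for i in range(11):  # twelve nested include lookups in total, past the limit of ten
    DNS[(f"hop{i}.example", "TXT")] = f"v=spf1 include:hop{i + 1}.example -all"
DNS[("hop11.example", "TXT")] = "v=spf1 ip4:192.0.2.25 -all"


def scenarios():
    own_mx = "192.0.2.25"       # example.com's own outbound host
    forwarder = "198.51.100.7"  # a mailbox that forwards without rewriting MAIL FROM
    return {
        "direct": evaluate(DNS, "example.com", own_mx),
        "forwarded": evaluate(DNS, "example.com", forwarder),
        "forwarded_softfail": evaluate(DNS, "lenient.example", forwarder),
        "via_vendor": evaluate(DNS, "example.com", "203.0.113.9"),
        "bloated": evaluate(DNS, "bloated.example", own_mx),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result}")
```

The forwarding case is why SPF on its own is a poor basis for rejecting mail: the forwarder has not changed the message, only the envelope sender's path. DKIM, covered next in the chapter, signs the message itself and therefore survives forwarding as long as the forwarder leaves the signed headers and body intact.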
      DKIM
      DMARC
    Summary
    References
  Nameserver Considerations
    Anycast versus Unicast
      Unicast architectures
      Anycast DNS
        Your own Autonomous System Number (ASN)
        Address space to announce
        Transit providers
          The aftermarket
          Transit providers who will route you
        Nameserver configurations
        Debugging under anycast
        Anycast DNS and DDoS mitigation
    Heterogeneity vs homogeneity in nameserver deployments
    Nameserver records
      IP space
      Numbering and delegation schemes
      Vanity nameservers
      TLD redundancy
    Resolvers
    Summary
    References
  Securing Your Domains and DNS
    Protecting your domains from unauthorized manipulation
      Cybercriminals hack DNS provider to take over Brazilian bank
      Account ACLs
      Multi-factor authentication
      Event notifications
      Transfer locks
      Registry locks
    DNS Security Extensions (DNSSEC)
      What DNSSEC does
      Is DNSSEC really a magic bullet for DNS security?
      Drawbacks of using DNSSEC
      When to use DNSSEC
      Signing your zones
        Preparing a DNSSEC deployment
          Key structure
          Key rollover policy
          Trust chains
          How is the internet root authenticated?
        Operational ramifications of DNSSEC
          Zone updates
          Using multiple providers with DNSSEC
      DNSSEC Resource Record Types
        RRSIG
        DNSKEY
        DS (Delegation Signer)
          Effect of key rollovers on the DS
          How do I get my DS records into the parent zone?
          Maintaining DS keys after initial setup (CDS/CDNSKEY)
        NSEC/NSEC3
      Implementing DNSSEC on your nameservers
        PowerDNS
          Pre-signed
          Front-signing
        BIND
        NSD
        Tinydns
      Key rollovers
        Double-signing method
        Prepublish method
        Key-rolling utilities
      Further resources
    Securing DNS lookups
      DNSCurve
      DNS over TLS
    Summary
    References
  DNS and DDoS Attacks
    What DNS operators can do to mitigate attacks
      Separating the target
      Response-Rate Limiting (RRL)
      Dnsdist – the Swiss Army knife of DNS middleware
      Kernel filtering of queries
      Mitigation devices
      Mitigation services
        Colocated gear
        Via BGP
        Via glue records
        Reverse proxy
        GRE Tunnels
      DDoS mitigation services
    What individual domain owners can do
      Using multiple DNS solutions
        Keeping your data in sync across those deployments
      Monitoring the health of your nameserver delegation
        Open source monitoring tools
        Monitoring services
      The ability to change delegations when required
      For DNS providers
    Summary
    References
  IPv6 Considerations
    IPv6-enabled nameservers
    Adding IPv6 to your zones
    Reverse DNS for IPv6
    Queries for IPv6
    Operational considerations
      Transport-independent
      Avoiding IPv4/IPv6 fragmentation
      TTL considerations
      Resolver considerations
    Summary
    References
  Other Books You May Enjoy
    Leave a review - let other readers know what you think