Managing Mission - Critical Domains and DNS

Managing Mission - Critical Domains and DNS

by Mark E. Jeftovic
Released June 2018
Publisher(s): Packt Publishing
ISBN: 9781789135077

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

This book will give you an all encompassing view of the domain name ecosystem combined with a comprehensive set of operations strategies.

About This Book
  • Manage infrastructure, risk, and management of DNS name servers. Get hands-on with factors like types of name servers, DNS queries and and so on.
  • Practical guide for system administrators to manage mission-critical servers
  • Based on real-world experience - Written by an industry veteran who has made every possible mistake within this field.
Who This Book Is For

Ideal for sysadmins, webmasters, IT consultants, and developers-anyone responsible for maintaining your organization's core DNS

What You Will Learn
  • Anatomy of a domain - how a domain is the sum of both its DNS zone and its registration data, and why that matters.
  • The domain name ecosystem - the role of registries, registrars and oversight bodies and their effect on your names.
  • How DNS queries work - queries and responses are examined including debugging techniques to zero in on problems.
  • Nameserver considerations - alternative nameserver daemons, numbering considerations, and deployment architectures.
  • DNS use cases - the right way for basic operations such as domain transfers, large scale migrations, GeoDNS, Anycast DNS.
  • Securing your domains - All aspects of security from registrar vendor selection, to DNSSEC and DDOS mitigation strategies.
In Detail

Managing your organization's naming architecture and mitigating risks within complex naming environments is very important. This book will go beyond looking at “how to run a name server” or “how to DNSSEC sign a domain”, Managing Mission Critical Domains & DNS looks across the entire spectrum of naming; from external factors that exert influence on your domains to all the internal factors to consider when operating your DNS. The readers are taken on a comprehensive guided tour through the world of naming: from understanding the role of registrars and how they interact with registries, to what exactly is it that ICANN does anyway? Once the prerequisite knowledge of the domain name ecosystem is acquired, the readers are taken through all aspects of DNS operations. Whether your organization operates its own nameservers or utilizes an outsourced vendor, or both, we examine the complex web of interlocking factors that must be taken into account but are too frequently overlooked. By the end of this book, our readers will have an end to end to understanding of all the aspects covered in DNS name servers.

Style and approach

The book is divided into two parts, the first part looks at the wider domain name ecosystem: registries, registrars and oversight policies.

The second and larger part goes into operations. Every aspect of naming is considered from the viewpoint of how this affects ones domains, what are the ramifications of different operating methods as portfolios scale.

Publisher resources

View/Submit Errata

Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Managing Mission-Critical Domains and DNS
  3. Dedication
  4. Packt Upsell
    1. Why subscribe?
    2. PacktPub.com
  5. Contributors
    1. About the author
    2. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the color images
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. The Domain Name Ecosystem
    1. Why domains are important
    2. Domain names 101
      1. Anatomy of a domain name
        1. Registry details
        2. Registrar WHOIS server
        3. Expiry date
        4. The registrant contact set
        5. The administrative contact set
          1. Use a domain you control
          2. Use a different domain than the name in the record
          3. Use an exploder
          4. Use a unique address
          5. Alternatively, use canaries
        6. The tech contact set
        7. The billing contact set
        8. DNS details
        9. Status
        10. Status flags set by the registry
          1. Ok
          2. inactive
          3. autoRenewPeriod
          4. pendingTransfer
          5. redemptionPeriod
          6. pendingDelete
        11. Status Flags set by the Registrar
          1. clientHold
          2. clientDeleteProhibited
          3. clientTransferProhibited
          4. clientUpdateProhibited
          5. clientRenewProhibited
      2. Understanding the domain name expiry cycle
        1. Domain expires (day 0)
        2. Domain gets parked (days 3 to 5-ish)
        3. RGP – Registrant Grace Period (up to 45 days)
        4. Redemption period (day 45-ish)
        5. PendingDelete – day 90 (5 days)
        6. Never do this
        7. What to do if you lose a key domain
    3. Summary
    4. References
  8. Registries, Registrars, and Whois
    1. Registries and Registrars
      1. Generic TLDs
      2. Country Code TLDs (ccTLDs)
      3. New Top-Level Domains
      4. IDN TLDs
        1. Online tools for converting punycode
      5. Infrastructure TLDs
      6. Registrars and Resellers
      7. An effective Registrar should...
    2. What is Whois?
      1. Thin versus thick Whois
      2. Whois privacy
        1. RegisterFly – The Lehman Brothers' moment of the domain industry
      3. How to tell whether Whois privacy is enabled
      4. Why you should always use Whois privacy
      5. Why you should never use Whois privacy
      6. Where is Whois going?
        1. Europe's GDPR and its effect on Whois
      7. Registration Data Access Protocol (RDAP)
      8. Further reading
    3. Summary
  9. Intellectual Property Issues
    1. Which domains should your organization register?
      1. Asserting Your trademarks within the new TLD landscape
    2. Rollout phases of a new TLD
      1. Sunrise
      2. Landrush
      3. Premium auction
    3. The Trademark Clearing House
      1. Typo domains
        1. What is "CyberSquatting"?
      2. Dispute mechanisms
        1. Uniform Domain Name Dispute Resolution Policy (UDRP)
        2. How the UDRP works
        3. Uniform Rapid Suspension System (URSS)
      3. What if somebody tries to take your domains?
      4. What happens when somebody initiates a UDRP against your domain?
    4. Transfer Dispute Resolution Procedure (TDRP)
    5. Summary
    6. References
  10. Communication Breakdowns
    1. Domain policies you must be aware of
      1. The Whois Accuracy Program (WAP)
      2. Incorrect or bad Whois reports
        1. Domain slamming
        2. Phishing
          1. Email phishing (spearphishing)
          2. Web phishing
        3. Unintentional expiry
        4. Search engine/trademark registrations
      3. Domain scams
        1. The Foreign Infringer scam
        2. Aftermarket scams
          1. Buy-side scam
        3. Sell-side scams
      4. DNS failures
    2. Summary
    3. References
  11. A Tale of Two Nameservers
    1. Introducing resolvers
      1. Differences between stub resolvers, caching resolvers, and full resolvers
        1. Stub resolvers
        2. Caching resolvers
        3. Full resolvers
      2. Negative caches
    2. Authoritative nameservers
      1. Primary Nameserver
        1. Hidden primaries
          1. Hidden primary considerations
        2. Secondary nameservers
    3. Summary
    4. References
  12. DNS Queries in Action
    1. Top-level domain nameservers
      1. Nameserver order
        1. How does a resolver know where the "." nameservers are?
      2. Anatomy of a DNS lookup
        1. Format of a DNS query
        2. Transaction ID
        3. Number of questions
        4. Number of answers
        5. Number of authority records
        6. Number of additional records
        7. Query name
        8. Query type
        9. Query class
        10. Additional section responses in queries
    2. When does DNS use TCP instead of UDP?
      1. Zone transfers happen over TCP
      2. EDNS and large responses
      3. The anatomy of a DNS query – how nameserver selection actually works
    3. Summary
    4. References
  13. Types and Uses of Common Resource Records
    1. Format of an RR
      1. Constructing a zone
      2. Start of Authority (SOA)
        1. MNAME (Originating Nameserver)
        2. RNAME (Point of Contact)
        3. Serial
          1. Date-based
          2. Unix timestamp
          3. Raw count
          4. When the format of the Serial actually matters
        4. The Refresh interval
        5. The Retry interval
        6. The Expire interval
        7. Minimum
          1. Can't You Just Set Your $TTL To 0?
      3. Nameserver (NS)
      4. A/IPv4 Address
      5. CNAME/Alias
      6. When to use Aliases vs Hostnames
      7. The Mail Exchanger (MX) record
        1. Preferences, Priorities, and Delivery Order
        2. Backup MX handler considerations
        3. Special case MX records
        4. Managing many MX domains
      8. TXT/Text Records
        1. SPF records
      9. SRV
      10. NAPTR
      11. DNAME
      12. PTR
      13. IPv6
        1. AAAA
        2. A6
      14. CERT
      15. TLSA
      16. CAA
      17. DNSSEC-specific RR Types
    2. Summary
    3. References
  14. Quasi-Record Types
    1. URL Forwards and Redirects
    2. The Zone Apex Alias (ANAME)
      1. Updates
      2. Multiple A records (RRSets)
      3. CNAME chains
    3. POOL records (multiple CNAME RRSet)
      1. Why can't you have a CNAME with other data?
    4. DYN (Dynamic DNS records)
    5. Email forwarders
      1. Generic email forwarding
      2. Separating forwarders from backup spooling via MX records
      3. How to handle a large volume of email – where to cluster?
    6. Summary
    7. References
  15. Common Nameserver Software
    1. BIND
    2. BIND-DLZ
      1. Adding new zones to busy BIND 9 servers (in the olden days)
    3. PowerDNS
      1. Things to know
      2. The Supermaster (auto-adding new zones to secondaries)
      3. Installation
      4. Lua integration
      5. Configuring powerdns
      6. Converting BIND-style zone data into powerdns
      7. Slaving PowerDNS from BIND masters
      8. Using a PowerDNS master to BIND secondaries
      9. Adding custom backends to PowerDNS
      10. PowerDNS wrap-up
    4. NSD
      1. Things to know
        1. No native support for RFC 2136 dynamic DNS
        2. Notifies to slaves
      2. Installation and setup
      3. nsd wrap-up
    5. djbdns/tinydns
      1. Things to know
        1. No native support for DNSSEC
        2. No responses for non-authoritative domains
        3. TCP not supported in main daemon
        4. Supports IPv6, SRV, NATPR, etc, natively, out-of-box (mostly)
        5. All zones in a single datafile
        6. How time is handled
        7. Installation from source
          1. daemontools
          2. ucspi-tcp
      2. Getting your bind data into tinydns
        1. axfr each zone
        2. Using a parser
      3. Slaving from a Bind master
      4. Slaving bind from a tinydns master
      5. tinydns wrap-up
      6. Knot DNS
        1. Installation
        2. Configuration
        3. knotc – the Knot DNS controller
        4. Slaving zones
        5. DNSSEC support
    6. Conclusion
    7. References
  16. Debugging Without Tears – DNS Diagnostic Tools
    1. Command line-based tools
      1. whois
        1. Are we looking at the correct domain?
        2. Has the domain expired at the registry?
        3. What is the Registry/Registrar status of the domain?
        4. Is the domain using the expected nameservers?
        5. Is it DNSSEC-signed?
      2. How to look at a Whois record for a new TLD
      3. dig
        1. Understanding dig responses
        2. The HEADER section
        3. The ANSWER section
        4. The AUTHORITY section
        5. The ADDITIONAL section
        6. Using dig
        7. DNSSEC
        8. Reverse lookups
        9. Delegation chains
      4. host
      5. named-checkzone and named-checkconf
      6. dnstop
    2. Web-based debugging tools
      1. DNS stuff
      2. whatismydns
      3. dnsviz
      4. easywhois
      5. domaintools
    3. Summary
    4. References
  17. DNS Operations and Use Cases
    1. Transferring domain names
      1. Change of registrant
        1. Nameserver redelegations
        2. Redelegating DNSSEC-signed domains
        3. Registrar transfer (without changing nameservers)
          1. IMPORTANT – make sure your new registrar knows what to do with the nameservers
          2. Beware! Transfers may trigger the WAP!
          3. Steps of a registrar transfer
        4. Registrar transfer and nameserver redelegation
      2. Adding additional nameservers
        1. External secondaries
        2. External masters
        3. Other considerations
          1. Structuring secondary DNS arrangements
          2. Securing zone transfers with TSIG
      3. Syncing zone data across secondaries
      4. Planning migrations with DNS updates
      5. Moving to new nameservers
        1. Moving single zones
          1. Have the new nameservers slave from the current master
          2. Setting up a new master to serve the new nameservers
        2. Moving entire portfolios of domains
      6. Round Robin DNS
      7. Load-balancing/global weighted load-balancing
      8. DNS failover
        1. The target resource must be monitored
        2. Its health must be measured and evaluated
        3. The standby resource must be ready
        4. There must be a reversion strategy
      9. Dynamic DNS
        1. Standards-based dynamic DNS (RFC 2136)
        2. Dynamic DNS via web requests
      10. Geo DNS
        1. Edns-client-subnet
        2. Native support for Geo DNS
          1. PowerDNS and GeoIP backend
          2. BIND and Geo IP
          3. A GeoIP fork for djbdns
          4. GeoDNS-centric nameservers
          5. Anycast method
        3. Custom PowerDNS backend method
      11. Zone apex aliasing
      12. Reverse DNS and netblock subdelegations
        1. Classless reverse DNS
          1. The proper way to do sub-/24 PTR records
          2. The RFC 2317 method
          3. RFC2317 modified
      13. Implementing SPF, DKIM, and DMARC
        1. SPF
        2. SPF – things to know
          1. SPF breaks email-forwarding
          2. Overcomplicated SPF records can lead to bounces
        3. DKIM
        4. DMARC
    2. Summary
    3. References
  18. Nameserver Considerations
    1. Anycast versus Unicast
      1. Unicast architectures
        1. Anycast DNS
          1. Your own Autonomous System Number (ASN)
          2. Address space to announce
          3. Transit providers
          4. The aftermarket
          5. Transit providers who will route you
          6. Nameserver configurations
    2. Debugging under anycast
      1. Anycast DNS and DDoS mitigation
      2. Heterogeneity vs homogeneity in nameserver deployments
      3. Nameserver records
      4. IP space
      5. Numbering and delegation schemes
      6. Vanity nameservers
        1. TLD redundancy
      7. Resolvers
    3. Summary
    4. References
  19. Securing Your Domains and DNS
    1. Protecting your domains from unauthorized manipulation
      1. Cybercriminals hack DNS provider to take over Brazilian bank
        1. Account ACLs
        2. Multi-factor authentication
        3. Event notifications
        4. Transfer locks
        5. Registry locks
      2. DNS Security Extensions (DNSSEC)
        1. What DNSSEC does
        2. Is DNSSEC really a magic bullet for DNS security?
        3. Drawbacks of using DNSSEC
        4. When to use DNSSEC
        5. Signing your zones
        6. Preparing a DNSSEC deployment
          1. Key structure
          2. Key rollover policy
          3. Trust chains
          4. How is the internet root authenticated?
        7. Operational ramifications of DNSSEC
          1. Zone updates
          2. Using multiple providers with DNSSEC
        8. DNSSEC Resource Record Types
          1. RRSIG
          2. DNSKEY
          3. DS (Delegation Signer)
          4. Effect of key rollovers on the DS
          5. How do I get my DS records into the parent zone?
        9. Maintaining DS keys after initial setup (CDS/CDNSKEY)
        10. NSEC/NSEC3
          1. Implementing DNSSEC on your nameservers
        11. PowerDNS
          1. pre-signed
          2. front-signing
        12. BIND
        13. NSD
        14. Tinydns
      3. Key rollovers
        1. Double-signing method
        2. Prepublish method
        3. Key-rolling utilities
        4. Further resources
      4. Securing DNS lookups
        1. DNSCurve
        2. DNS over TLS
    2. Summary
    3. References
  20. DNS and DDoS Attacks
    1. What DNS operators can do to mitigate attacks
      1. Separating the target
      2. Response-Rate Limiting (RRL)
      3. Dnsdist – the Swiss Army knife of DNS middleware
      4. Kernel filtering of queries
      5. Mitigation devices
      6. Mitigation services
        1. Colocated gear
        2. Via BGP
        3. Via glue records
        4. Reverse proxy
        5. GRE Tunnels
      7. DDoS mitigation services
    2. What individual domain owners can do
      1. Using multiple DNS solutions
        1. Keeping your data in sync across those deployments
          1. Monitoring the health of your nameserver delegation
          2. Open source monitoring tools
          3. Monitoring services
          4. The ability to change delegations when required
    3. For DNS providers
    4. Summary
    5. References
  21. IPv6 Considerations
    1. IPv6-enabled nameservers
    2. Adding IPv6 to your zones
      1. Reverse DNS for IPv6
      2. Queries for IPv6
      3. Operational considerations
        1. Transport-independent
        2. Avoiding IPv4/IPv6 fragmentation
        3. TTL considerations
        4. Resolver considerations
    3. Summary
    4. References
  22. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Managing Mission - Critical Domains and DNS
  • Author(s): Mark E. Jeftovic
  • Release date: June 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781789135077