Managing mission-critical domains and DNS: demystifying nameservers, DNS, and domain names
This book gives you an all-encompassing view of the domain name ecosystem combined with a comprehensive set of operations strategies. About This Book: Manage infrastructure, risk, and management of DNS name servers. Get hands-on with factors like types of name servers, DNS queries and so on. Prac...
| Other authors: | |
|---|---|
| Format: | E-book |
| Language: | English |
| Published: | Birmingham ; Mumbai : Packt, 2018. |
| Edition: | 1st edition |
| Subjects: | |
| View in Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009630434706719 |
Table of Contents:
- Cover
- Title Page
- Copyright and Credits
- Dedication
- Packt Upsell
- Contributors
- Table of Contents
- Preface
- Chapter 1: The Domain Name Ecosystem
- Why domains are important
- Domain names 101
- Anatomy of a domain name
- Registry details
- Registrar WHOIS server
- Expiry date
- The registrant contact set
- The administrative contact set
- Use a domain you control
- Use a different domain than the name in the record
- Use an exploder
- Use a unique address
- Alternatively, use canaries
- The tech contact set
- The billing contact set
- DNS details
- Status
- Status flags set by the registry
- Ok
- inactive
- autoRenewPeriod
- pendingTransfer
- redemptionPeriod
- pendingDelete
- Status Flags set by the Registrar
- clientHold
- clientDeleteProhibited
- clientTransferProhibited
- clientUpdateProhibited
- clientRenewProhibited
- Understanding the domain name expiry cycle
- Domain expires (day 0)
- Domain gets parked (days 3 to 5-ish)
- RGP - Registrant Grace Period (up to 45 days)
- Redemption period (day 45-ish)
- PendingDelete - day 90 (5 days)
- Never do this
- What to do if you lose a key domain
- Summary
- References
- Chapter 2: Registries, Registrars, and Whois
- Registries and Registrars
- Generic TLDs
- Country Code TLDs (ccTLDs)
- New Top-Level Domains
- IDN TLDs
- Online tools for converting punycode
- Infrastructure TLDs
- Registrars and Resellers
- An effective Registrar should...
- What is Whois?
- Thin versus thick Whois
- Whois privacy
- RegisterFly - The Lehman Brothers' moment of the domain industry
- How to tell whether Whois privacy is enabled
- Why you should always use Whois privacy
- Why you should never use Whois privacy
- Where is Whois going?
- Europe's GDPR and its effect on Whois
- Registration Data Access Protocol (RDAP)
- Further reading
- Summary
- Chapter 3: Intellectual Property Issues
- Which domains should your organization register?
- Asserting Your trademarks within the new TLD landscape
- Rollout phases of a new TLD
- Sunrise
- Landrush
- Premium auction
- The Trademark Clearing House
- Typo domains
- What is "CyberSquatting"?
- Dispute mechanisms
- Uniform Domain Name Dispute Resolution Policy (UDRP)
- How the UDRP works
- Uniform Rapid Suspension System (URSS)
- What if somebody tries to take your domains?
- What happens when somebody initiates a UDRP against your domain?
- Transfer Dispute Resolution Procedure (TDRP)
- Summary
- References
- Chapter 4: Communication Breakdowns
- Domain policies you must be aware of
- The Whois Accuracy Program (WAP)
- Incorrect or bad Whois reports
- Domain slamming
- Phishing
- Email phishing (spearphishing)
- Web phishing
- Unintentional expiry
- Search engine/trademark registrations
- Domain scams
- The Foreign Infringer scam
- Buy-side scam
- Sell-side scams
- DNS failures
- Summary
- References
- Chapter 5: A Tale of Two Nameservers
- Introducing resolvers
- Differences between stub resolvers, caching resolvers, and full resolvers
- Stub resolvers
- Caching resolvers
- Full resolvers
- Negative caches
- Authoritative nameservers
- Primary Nameserver
- Hidden primaries
- Hidden primary considerations
- Secondary nameservers
- Summary
- References
- Chapter 6: DNS Queries in Action
- Top-level domain nameservers
- Nameserver order
- How does a resolver know where the "." nameservers are?
- Anatomy of a DNS lookup
- Format of a DNS query
- Transaction ID
- Number of questions
- Number of answers
- Number of authority records
- Number of additional records
- Query name
- Query type
- Query class
- Additional section responses in queries
- When does DNS use TCP instead of UDP?
- Zone transfers happen over TCP
- EDNS and large responses
- The anatomy of a DNS query - how nameserver selection actually works
- Summary
- References
- Chapter 7: Types and Uses of Common Resource Records
- Format of an RR
- Constructing a zone
- Start of Authority (SOA)
- MNAME (Originating Nameserver)
- RNAME (Point of Contact)
- Serial
- Date-based
- Unix timestamp
- Raw count
- When the format of the Serial actually matters
- The Refresh interval
- The Retry interval
- The Expire interval
- Minimum
- Can't You Just Set Your TTL To 0?
- Nameserver (NS)
- A/IPv4 Address
- CNAME/Alias
- When to use Aliases vs Hostnames
- The Mail Exchanger (MX) record
- Preferences, Priorities, and Delivery Order
- Backup MX handler considerations
- Special case MX records
- Managing many MX domains
- TXT/Text Records
- SPF records
- SRV
- NAPTR
- DNAME
- PTR
- IPv6
- AAAA
- A6
- CERT
- TLSA
- CAA
- DNSSEC-specific RR Types
- Summary
- References
- Chapter 8: Quasi-Record Types
- URL Forwards and Redirects
- The Zone Apex Alias (ANAME)
- Updates
- Multiple A records (RRSets)
- CNAME chains
- POOL records (multiple CNAME RRSet)
- Why can't you have a CNAME with other data?
- DYN (Dynamic DNS records)
- Email forwarders
- Generic email forwarding
- Separating forwarders from backup spooling via MX records
- How to handle a large volume of email - where to cluster?
- Summary
- References
- Chapter 9: Common Nameserver Software
- BIND
- BIND-DLZ
- Adding new zones to busy BIND 9 servers (in the olden days)
- PowerDNS
- Things to know
- The Supermaster (auto-adding new zones to secondaries)
- Installation
- Lua integration
- Configuring powerdns
- Converting BIND-style zone data into powerdns
- Slaving PowerDNS from BIND masters
- Using a PowerDNS master to BIND secondaries
- Adding custom backends to PowerDNS
- PowerDNS wrap-up
- NSD
- Things to know
- No native support for RFC 2136 dynamic DNS
- Notifies to slaves
- Installation and setup
- nsd wrap-up
- djbdns/tinydns
- Things to know
- No native support for DNSSEC
- No responses for non-authoritative domains
- TCP not supported in main daemon
- Supports IPv6, SRV, NAPTR, etc., natively, out-of-box (mostly)
- All zones in a single datafile
- How time is handled
- Installation from source
- daemontools
- ucspi-tcp
- Getting your bind data into tinydns
- axfr each zone
- Using a parser
- Slaving from a Bind master
- Slaving bind from a tinydns master
- tinydns wrap-up
- Knot DNS
- Installation
- Configuration
- knotc - the Knot DNS controller
- Slaving zones
- DNSSEC support
- Conclusion
- References
- Chapter 10: Debugging Without Tears - DNS Diagnostic Tools
- Command line-based tools
- whois
- Are we looking at the correct domain?
- Has the domain expired at the registry?
- What is the Registry/Registrar status of the domain?
- Is the domain using the expected nameservers?
- Is it DNSSEC-signed?
- How to look at a Whois record for a new TLD
- dig
- Understanding dig responses
- The HEADER section
- The ANSWER section
- The AUTHORITY section
- The ADDITIONAL section
- Using dig
- DNSSEC
- Reverse lookups
- Delegation chains
- host
- named-checkzone and named-checkconf
- dnstop
- Web-based debugging tools
- DNS stuff
- whatismydns
- dnsviz
- easywhois
- domaintools
- Summary
- References
- Chapter 11: DNS Operations and Use Cases
- Transferring domain names
- Change of registrant
- Nameserver redelegations
- Redelegating DNSSEC-signed domains
- Registrar transfer (without changing nameservers)
- IMPORTANT - make sure your new registrar knows what to do with the nameservers.
- Beware! Transfers may trigger the WAP!
- Steps of a registrar transfer
- Registrar transfer and nameserver redelegation
- Adding additional nameservers
- External secondaries
- External masters
- Other considerations
- Structuring secondary DNS arrangements
- Securing zone transfers with TSIG
- Syncing zone data across secondaries
- Planning migrations with DNS updates
- Moving to new nameservers
- Moving single zones
- Have the new nameservers slave from the current master
- Setting up a new master to serve the new nameservers
- Moving entire portfolios of domains
- Round Robin DNS
- Load-balancing/global weighted load-balancing
- DNS failover
- The target resource must be monitored
- Its health must be measured and evaluated
- The standby resource must be ready
- There must be a reversion strategy
- Dynamic DNS
- Standards-based dynamic DNS (RFC 2136)
- Dynamic DNS via web requests
- Geo DNS
- Edns-client-subnet
- Native support for Geo DNS
- PowerDNS and GeoIP backend
- BIND and Geo IP
- A GeoIP fork for djbdns
- GeoDNS-centric nameservers
- Anycast method
- Custom PowerDNS backend method
- Zone apex aliasing
- Reverse DNS and netblock subdelegations
- Classless reverse DNS
- The proper way to do sub-/24 PTR records
- The RFC 2317 method
- RFC2317 modified
- Implementing SPF, DKIM, and DMARC
- SPF
- SPF - things to know
- SPF breaks email-forwarding
- Overcomplicated SPF records can lead to bounces
- DKIM
- DMARC
- Summary
- References
- Chapter 12: Nameserver Considerations
- Anycast versus Unicast
- Unicast architectures
- Anycast DNS
- Your own Autonomous System Number (ASN)
- Address space to announce
- Transit providers
- The aftermarket
- Transit providers who will route you
- Nameserver configurations
- Debugging under anycast
- Anycast DNS and DDoS mitigation
- Heterogeneity vs homogeneity in nameserver deployments