Tag: DNS

What is the purpose of a Private DNS server?

Purpose of Private DNS server

As the name suggests, a Private DNS server is something personal to you. It sits between your network and the Domain Name System, protecting your queries from being intercepted by third parties. Private DNS servers are not linked to the Public DNS. Consider it a private library with a small collection of books. This has both advantages and disadvantages. Yes, you will be unable to read certain types of books. Nevertheless, there is one advantage: no one will know what you are reading, because your library is secret.

Furthermore, Private DNS is often used to mean DNS over TLS (Transport Layer Security) or DNS over HTTPS (Hypertext Transfer Protocol Secure). With DoT (DNS over TLS) or DoH (DNS over HTTPS), all DNS queries are encrypted in transit, which makes it far more difficult for malicious third parties to monitor your online activity.
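As an added example (not from the original article), here is what a DoH client actually puts on the wire once the TLS connection is up: the ordinary DNS wire-format query, either base64url-encoded in a GET parameter or sent raw as a POST body with the application/dns-message media type, as RFC 8484 specifies. The encryption protects the transport; the query itself is unchanged. The resolver URL is whatever the caller passes in.

```python
import base64
import struct

# Added example: the DNS wire-format query a DoH client sends, in both
# RFC 8484 encodings (GET with a base64url "dns" parameter, and POST with
# an application/dns-message body). The resolver URL is a caller-supplied value.

TYPE_A = 1
CLASS_IN = 1

def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = TYPE_A, msg_id: int = 0) -> bytes:
    """One-question DNS query. RFC 8484 uses ID 0 so identical queries give
    identical messages, which lets HTTP caches work on the GET form."""
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, CLASS_IN)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def doh_post_request(resolver_url: str, query: bytes) -> dict:
    """POST form: the raw wire-format message as the body."""
    return {"method": "POST", "url": resolver_url, "body": query,
            "headers": {"content-type": "application/dns-message",
                        "accept": "application/dns-message"}}

def parse_question(msg: bytes) -> tuple:
    """Decode the question section of a wire-format message: (name, qtype)."""
    pos, labels = 12, []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype
```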

Elements

The following are the components of a Private DNS server:

  • TLS stands for Transport Layer Security and is used to secure two-way communication between a client on one side and a server on the other. SSL (Secure Sockets Layer) has been completely replaced by Transport Layer Security (TLS).
  • HTTPS (Hypertext Transfer Protocol Secure) – it establishes session keys for encrypting the exchange, with the server’s identity validated by a trusted third party. Unauthorized users are therefore unable to read other people’s information.

Private DNS server vs. Public DNS server – Differences

  • Companies run their own Public DNS servers. For example, visitors to the company’s public website obtain the addresses of its components from this Public DNS server.

A Private DNS server, on the other hand, may be responsible only for answering queries about the company’s internal assets. System administrators can optimize the performance of each program by configuring the servers and networks accordingly.

  • The most important advantage of adopting Private DNS is security. DNS for public and private purposes is kept separate to avoid confusion. The Public DNS server only provides IP addresses for web servers and other publicly accessible assets. Only a Private DNS protected within the internal network’s perimeter can be used to obtain IP addresses for internal systems.

An additional motive for businesses to use Private DNS is to protect their employees’ online usage. Public DNS providers obtain a comprehensive picture of their consumers’ online activities, which they can use to build profiles for resale. A Private DNS hides these traffic patterns from them.

Conclusion

Let’s review. Public DNS is one of the most critical security concerns on the Internet. A Private DNS server, on the other hand, is an excellent defense against it. It can be configured to protect you and your devices from malicious Internet actors, so don’t hesitate to take advantage of it.

Use DNSSEC to secure your traffic.

What is DNSSEC?

Domain Name System Security Extensions, or DNSSEC for short, combines several security measures that cryptographically authenticate DNS information. It proves that the DNS data has not been modified, although it does not encrypt the DNS records. It acts like a chain of trust that verifies each step a DNS query makes.

At its origin, the DNS (Domain Name System) is fast and stable. However, it has one great downside: it lacks security. Back when it was created, that was not a big deal. Unfortunately, things have changed, and more protection is now required.


Thanks to DNSSEC, we can benefit from this security. Its main purpose is to protect the integrity of DNS data against various cyber threats.

DNSSEC provides a higher level of security because it operates with a combination of public and private keys.

What does it keep you safe from?

The main and most important goal of DNSSEC is to restrict third parties so that they cannot forge any of the DNS records. By preventing the following situations, DNSSEC protects the integrity of the domain name.

DNS Cache Poisoning

It is a very common and widely used type of man-in-the-middle (MITM) attack. The criminal’s main purpose in launching it is to flood a particular DNS recursive server with false DNS data. It is not unusual for the attack to go further and plant a fake result in the cache of the recursive server. The resolver then hands that fraudulent address to every user requesting that specific website, until the Time-to-Live (TTL) value expires.

Fabricated zones

DNSSEC also secures against attacks that abuse the DNS system by serving fabricated results for DNS zones. Those zones may not really exist, and criminals take advantage of the gaps between zones. DNSSEC offers tools that prevent these gaps from being used and protects the entire zone.

How to use DNSSEC? 

DNSSEC is not activated by default, but you can easily change that. The majority of DNS hosting companies offer it as an included feature.

There are a number of domains that are not able to implement DNSSEC at all, but they are few. Popular, well-known generic top-level domains (gTLDs) and country-code top-level domains (ccTLDs) support it.

To start implementing it, open your DNS hosting provider’s control panel, find the DNSSEC setting and click “enable” for every DNS zone you want. You will then receive a DS (Delegation Signer) record, which you place where your domain is registered.
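The DS record step above, as an added example that is not from the original article: it computes the DS digest and key tag that the parent zone publishes for a child zone’s key-signing key, following RFC 4034, and checks a published DS against a DNSKEY. The key bytes are a constructed placeholder, not a real key.

```python
import hashlib
import struct

# Added example: builds the DS (Delegation Signer) record a parent zone
# publishes for a child zone's DNSKEY, and verifies a DS against a key, as
# in RFC 4034. The public key bytes below are a constructed placeholder.

def canonical_name(name: str) -> bytes:
    """Owner name in wire format, lowercased, as DS digests require."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 form)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS fields; digest type 2 is SHA-256 over owner name || DNSKEY RDATA."""
    hash_for = {1: hashlib.sha1, 2: hashlib.sha256}
    digest = hash_for[digest_type](canonical_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest.upper()}

def verify_ds(ds: dict, owner: str, rdata: bytes) -> bool:
    """True when the DS at the parent matches the DNSKEY served by the child."""
    return make_ds(owner, rdata, ds["digest_type"]) == ds

# Constructed sample: KSK flags 257 (ZONE|SEP), algorithm 13 (ECDSA P-256/SHA-256).
SAMPLE_KEY = bytes(range(64))                  # placeholder bytes, not a real key
SAMPLE_RDATA = dnskey_rdata(257, 13, SAMPLE_KEY)
SAMPLE_DS = make_ds("example.com.", SAMPLE_RDATA)
```

A resolver validating the chain of trust performs exactly this comparison at every delegation: the DS it got from the parent must match the DNSKEY it got from the child, or validation fails.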

Primary DNS Zone – Everything you need to know

Primary DNS Zone is one of the essential parts when it comes to managing your domain name. Let’s break it down and explain a little bit more about it.

DNS – meaning 

The Domain Name System (DNS) is a hierarchical system. It manages data associated with Internet domain names. For humans, it is easier to memorize domain names than numbers. DNS makes things simple, and one of its main tasks is known as name resolution: mapping domain names to IP addresses. The Domain Name System is essential and one of the bases of the technical structure of the Internet.

On the technical side, the DNS is a network of nameservers. The connection between nameservers and domain names is, in other words, what tells you where the data is really located. Therefore, it is important to understand the concept of the DNS zone.

Why do you need a Primary (Master) DNS zone?

DNS Zone explained.

The DNS server you are using can hold numerous zones to manage the DNS namespace more appropriately. The DNS zone is a segment or region of that namespace. It is applied as an organizational section to achieve more control over some DNS elements, like authoritative namespaces.

If you want to have a domain that operates properly, you have to point it to several servers, such as web servers, mail servers, and so on. This can be accomplished by creating various types of DNS records in the DNS zone.

The DNS zone is the place where all DNS records are stored. Also, it is the one piece that is responsible for the existence of the Domain Name System (DNS).

For example, a DNS zone can be relevant for .com, example.com, info.example.com, and so on. However, if we treat a subdomain as a website in its own right, it will require dedicated administration, and therefore the subdomain will need a separate zone.

The DNS zone contains information about the DNS records, DNS zone administrative contact, and zone parameters like Refresh and Retry rate. The last two are defined in the SOA (Start of Authority) record. 

What is a Primary DNS Zone?

The Primary DNS Zone is also known as a Master DNS Zone. It is the specific part of the namespace that is under your control. There you can add and remove DNS records and manage your domain name precisely the way you want. Every part of the domain, meaning every host you want to manage, could be a separate Primary DNS Zone if you are going to administer it. Also, a domain name can operate with only one Primary DNS Zone.

This DNS zone is the place where your zone file is. On the other hand, the zone file is the text document that includes the whole packet of DNS records for your domain name.

The Primary DNS Zone allows read and write, and it is placed inside a Master (Primary) authoritative nameserver. 

If you want to provide better availability, security, and overall redundancy, you can consider implementing Secondary DNS Zones. They are read-only copies of the original Primary DNS Zone, and they are located in Secondary DNS servers.
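The zone file and SOA parameters described above, as an added example that is not from the original article: a minimal parser for a primary zone file in the classic BIND text format, extracting the Refresh, Retry, Expire and Minimum values from the SOA record that secondary servers use when copying the zone. The zone contents are constructed sample data.

```python
# Added example (not from the original post): a minimal parser for a primary
# zone file in classic BIND text format, pulling out the SOA timing values
# (Refresh, Retry, Expire, Minimum) that secondaries use when copying the zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101 ; serial
                 7200       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; minimum
@       IN  NS   ns1.example.com.
@       IN  NS   ns2.example.com.
@       IN  A    192.0.2.10
www     IN  A    192.0.2.10
mail    IN  MX   10 mail.example.com.
"""   # constructed sample zone, not a real one

def parse_zone(text: str) -> dict:
    """Return origin, default TTL, SOA fields and (name, type, rdata) records."""
    origin, ttl, soa, records, pending = "", None, {}, [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip ';' comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        # A parenthesised record (the SOA) spans lines: buffer until ')' arrives.
        pending += line.replace("(", " ( ").replace(")", " ) ").split()
        if "(" in pending and ")" not in pending:
            continue
        tokens, pending = [t for t in pending if t not in ("(", ")")], []
        name, rtype, rdata = tokens[0], tokens[2], tokens[3:]   # name IN TYPE rdata
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"           # relative names get the origin
        if rtype == "SOA":
            fields = ("serial", "refresh", "retry", "expire", "minimum")
            soa = {"mname": rdata[0], "rname": rdata[1],
                   **dict(zip(fields, map(int, rdata[2:])))}
        records.append((name, rtype, " ".join(rdata)))
    return {"origin": origin, "ttl": ttl, "soa": soa, "records": records}
```

A secondary polls the primary every Refresh seconds, retries every Retry seconds if that fails, and stops answering for the zone once Expire seconds pass without a successful refresh.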

Conclusion.

Having a more precise understanding of the purpose of the DNS infrastructure and the components it is built from will help you manage it more easily.

What is a DDoS attack?

It is Black Friday, Christmas, or Easter, and you are expecting to sell thousands of products on your e-commerce site. You check the site, and what do you see? It is down! It does not load, and all those potential clients can’t spend their money there. They will go elsewhere, just because a DDoS attack completely brought down your site.

You should have been prepared! 

What is a DDoS attack?

DDoS – Distributed Denial of Service. The DDoS attack comes in a variety of forms, but all of them are a deliberate attempt to harm the target computer or server, usually with massive traffic towards the target. Cybercriminals most commonly create a botnet, a group of infected devices, long before the attack. They build this network and keep it on standby until they are hired to target a specific site.

Different DDoS attacks

There are 3 categories: the typical volume-based attacks, the protocol attacks, and the application layer attacks. Let’s check an example of each type of DDoS attack.

Teardrop attack (volume-based)

The hackers prepare corrupted packets that exploit a bug in TCP/IP fragmentation reassembly. The packets reach the targeted server, but the server can’t make sense of them. Eventually, the server can’t take it anymore and goes down.

ICMP Flood, a.k.a Ping Flood (protocol-based)

First, there is malware that infects many devices all around the world. They become part of the hackers’ botnet. When the criminals want to use those bots, they direct the traffic to the selected server (the target). Each of the bots starts to ping the target (send packets of data) continuously, without caring about the answers. The server gets overwhelmed by the traffic and can’t respond to its legitimate traffic.

Slowloris (application layer attack)

Just a single computer could bring down a server. You can’t believe it? In this DDoS attack, the attacker uses one device to open as many connections as possible. The trick is that the cybercriminal keeps them open for as long as possible, using incomplete HTTP requests. This attack’s final goal is to hold so many connections open that no regular client has any chance to connect.
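A defender-side view of the pattern just described, as an added example that is not part of the original article: it flags sources holding many long-lived connections whose HTTP request headers never complete, from the kind of per-connection state a web server or reverse proxy can export. The connection table, thresholds and IP addresses are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the original article): detecting the Slowloris
# pattern from per-connection state that a web server or reverse proxy can
# export. The signal is one source holding many long-lived connections whose
# request headers never complete. All records below are constructed samples.

@dataclass
class Conn:
    src_ip: str
    age_s: float          # seconds since the TCP connection was accepted
    header_bytes: int     # request-header bytes received so far
    headers_done: bool    # True once the terminating blank line (CRLFCRLF) arrived

def find_slow_header_sources(conns, min_age_s=30.0, max_bytes=2048, min_conns=20):
    """Return {src_ip: count} for sources with at least min_conns connections
    that are older than min_age_s, still in the header phase, and have sent
    little data. A burst of fast, complete requests is deliberately not flagged."""
    stuck = defaultdict(int)
    for c in conns:
        if not c.headers_done and c.age_s >= min_age_s and c.header_bytes <= max_bytes:
            stuck[c.src_ip] += 1
    return {ip: n for ip, n in stuck.items() if n >= min_conns}

def build_sample():
    """Constructed connection table with three kinds of client."""
    conns = []
    # one source holding 25 connections open, each with a partial header
    for i in range(25):
        conns.append(Conn("203.0.113.7", 120.0 + i, 300 + 5 * i, False))
    # a slow but legitimate client: few connections, headers complete
    for _ in range(3):
        conns.append(Conn("198.51.100.4", 45.0, 600, True))
    # a busy NAT gateway: many connections, but headers complete quickly
    for _ in range(40):
        conns.append(Conn("192.0.2.99", 2.0, 700, True))
    return conns

if __name__ == "__main__":
    print(find_slow_header_sources(build_sample()))  # {'203.0.113.7': 25}
```

Server-side header timeouts such as Apache’s mod_reqtimeout or nginx’s client_header_timeout act on the same signal and close such connections before they pile up.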

Other popular names of attacks you can see on the Internet are Ping of Death, Smurf Attack, SYN Flood, UDP Flood, HTTP Flood, SNMP Reflection Attack, Fork Bomb, and many more. Some have cool names, others don’t, but all of them can severely cripple your server.

There are even newer ones that have no name yet. They are called zero-day DDoS attacks and are potentially the worst.

So you had better watch out and find a way to truly protect your server and not allow any downtime caused by DDoS attacks.


Can we really protect ourselves from DDoS attacks? 

OK, I got you scared, but now take a breath. There is a way to protect yourself from DDoS attacks and keep your precious e-commerce site up. You will need a DDoS-protected DNS. It is a network of servers strategically located at important points that can intelligently balance the load. If one server is attacked, the rest of the network can distribute the load. Even if a server goes down completely, the rest will still resolve your domain for all of your eager clients.


Conclusion 

DDoS attacks are a serious matter. They are capable of completely bringing down your website for a long period of time. Be prepared! Find a DDoS-protected DNS provider with a sufficiently large network of servers. Only with such protection can you be calmer.

Anycast DNS – Why start using it today?


Have you heard about Anycast DNS? You haven’t? No worries, here is everything you need to know about it, and why it is an important technology that should not be missed. Together we will explore the other types of communication too. So, buckle up, and let’s start!

Here, I won’t go deep into explaining what DNS is. DNS is the solution we use to make the Internet usable. It resolves domain names for us, so we don’t need to remember countless IP addresses.

Types of communication/routing methods 

When you want to send or receive data, you have a few options. Each has its specifications and can be used for a different purpose. 

Unicast

Unicast is one-to-one communication. It is the simplest method: the traffic is directed to a single host, and the rest of the hosts simply ignore it. When we talk about DNS, the request must travel all the way to the single host that has the information. That host (the DNS server) can be far away, which creates high latency.

Broadcast

Broadcast is a term we all know from TV and radio. It means that the information is sent from one point to all. As you probably guessed, if DNS used the broadcast method, the whole Internet would be impossible to use.

Multicast

Multicast is also one-to-many, but not to all: only to the group that is interested in the traffic. It is useful when there are no local nameservers. If a computer in such a group needs a new IP address, it sends a query, and the answer goes back to all devices connected to that group. The IP address is then saved in the mDNS cache on the devices.

Anycast

It can be seen as similar to Unicast, but with one very big difference: there are multiple hosts. A query travels in search of a host and is routed to the closest one (server). That way, the query gets resolved a lot faster.

What is Anycast DNS?

In the Anycast DNS scenario, there are multiple servers with the same IP address. A DNS query starts its journey, hopping from one server to another, but contrary to Unicast DNS there are many more servers that can answer it. The closest server resolves the DNS query and gives a fast result. If the closest server is down, many other servers can answer. Anycast DNS can also be used as a load-balancing method to distribute the traffic and lower the pressure on a single server located in a busier area.

Setting it up is fast too. You need a single IP address that you will put in a DNS record and share it among the servers. 

So Anycast DNS is fast, provides redundancy, and it is easy to set up. 

Why start using Anycast DNS today?

If you have an international website, app, or service, you want speed and reliability in each location. You don’t want angry customers, do you? Anycast can provide excellent performance at different locations and manage the traffic more efficiently. Better network performance can translate into happier customers and probably more sales. If you have suffered from bad DNS performance in the past, you should check it now!

If you want to learn more about Anycast DNS, I recommend checking this article – What is Anycast DNS and how does it work?

Conclusion:

So, what do you think about Anycast DNS now? It certainly has advantages and can boost network performance significantly. It is also easy to set up and practical for scaling. Definitely a technology you must check out!
