Managing mission-critical domains and DNS : demystifying nameservers, DNS, and domain names / Mark E. Jeftovic.

EBSCOhost Academic eBook Collection (North America) Available online

Ebook Central Academic Complete Available online

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Jeftovic, Mark E., author.
Language:
English
Subjects (All):
Internet domain names.
Internet addresses.
Physical Description:
1 online resource (351 pages) : illustrations
Edition:
1st edition
Place of Publication:
Birmingham ; Mumbai : Packt, 2018.
System Details:
text file
Summary:
This book will give you an all-encompassing view of the domain name ecosystem combined with a comprehensive set of operations strategies. About This Book Manage infrastructure, risk, and management of DNS name servers. Get hands-on with factors like types of name servers, DNS queries and so on. Practical guide for system administrators to manage mission-critical servers. Based on real-world experience - Written by an industry veteran who has made every possible mistake within this field. Who This Book Is For Ideal for sysadmins, webmasters, IT consultants, and developers - anyone responsible for maintaining your organization's core DNS. What You Will Learn Anatomy of a domain - how a domain is the sum of both its DNS zone and its registration data, and why that matters. The domain name ecosystem - the role of registries, registrars and oversight bodies and their effect on your names. How DNS queries work - queries and responses are examined including debugging techniques to zero in on problems. Nameserver considerations - alternative nameserver daemons, numbering considerations, and deployment architectures. DNS use cases - the right way for basic operations such as domain transfers, large scale migrations, GeoDNS, Anycast DNS. Securing your domains - All aspects of security from registrar vendor selection, to DNSSEC and DDoS mitigation strategies. In Detail Managing your organization's naming architecture and mitigating risks within complex naming environments is very important. This book will go beyond looking at "how to run a name server" or "how to DNSSEC sign a domain"; Managing Mission Critical Domains & DNS looks across the entire spectrum of naming, from external factors that exert influence on your domains to all the internal factors to consider when operating your DNS.
The readers are taken on a comprehensive guided tour through the world of naming: from understanding the role of registrars and how they interact with registries, to what exactly is it that ICANN does anyway? Once the prerequisite knowledge of the domain name ecosystem is acquired, the readers are taken through all aspects of DNS operations. Whether your organization operates its own nameservers or utilizes an outsourced vendor, or both, we examine the complex web of interlocking factors that must be taken into account but are too frequently overlooked. By the end of this book, our readers will have an end-to-end understanding of all the aspects covered in DNS name ...
Contents:
Cover
Title Page
Copyright and Credits
Dedication
Packt Upsell
Contributors
Table of Contents
Preface
Chapter 1: The Domain Name Ecosystem
Why domains are important
Domain names 101
Anatomy of a domain name
Registry details
Registrar WHOIS server
Expiry date
The registrant contact set
The administrative contact set
Use a domain you control
Use a different domain than the name in the record
Use an exploder
Use a unique address
Alternatively, use canaries
The tech contact set
The billing contact set
DNS details
Status
Status flags set by the registry
Ok
inactive
autoRenewPeriod
pendingTransfer
redemptionPeriod
pendingDelete
Status Flags set by the Registrar
clientHold
clientDeleteProhibited
clientTransferProhibited
clientUpdateProhibited
clientRenewProhibited
Understanding the domain name expiry cycle
Domain expires (day 0)
Domain gets parked (days 3 to 5-ish)
RGP - Registrant Grace Period (up to 45 days)
Redemption period (day 45-ish)
PendingDelete - day 90 (5 days)
Never do this
What to do if you lose a key domain
Summary
References
Chapter 2: Registries, Registrars, and Whois
Registries and Registrars
Generic TLDs
Country Code TLDs (ccTLDs)
New Top-Level Domains
IDN TLDs
Online tools for converting punycode
Infrastructure TLDs
Registrars and Resellers
An effective Registrar should...
What is Whois?
Thin versus thick Whois
Whois privacy
RegisterFly - The Lehman Brothers' moment of the domain industry
How to tell whether Whois privacy is enabled
Why you should always use Whois privacy
Why you should never use Whois privacy
Where is Whois going?
Europe's GDPR and its effect on Whois
Registration Data Access Protocol (RDAP)
Further reading.
Summary
Chapter 3: Intellectual Property Issues
Which domains should your organization register?
Asserting Your trademarks within the new TLD landscape
Rollout phases of a new TLD
Sunrise
Landrush
Premium auction
The Trademark Clearing House
Typo domains
What is "CyberSquatting"?
Dispute mechanisms
Uniform Domain Name Dispute Resolution Policy (UDRP)
How the UDRP works
Uniform Rapid Suspension System (URSS)
What if somebody tries to take your domains?
What happens when somebody initiates a UDRP against your domain?
Transfer Dispute Resolution Procedure (TDRP)
Chapter 4: Communication Breakdowns
Domain policies you must be aware of
The Whois Accuracy Program (WAP)
Incorrect or bad Whois reports
Domain slamming
Phishing
Email phishing (spearphishing)
Web phishing
Unintentional expiry
Search engine/trademark registrations
Domain scams
The Foreign Infringer scam
Buy-side scam
Sell-side scams
DNS failures
Chapter 5: A Tale of Two Nameservers
Introducing resolvers
Differences between stub resolvers, caching resolvers, and full resolvers
Stub resolvers
Caching resolvers
Full resolvers
Negative caches
Authoritative nameservers
Primary Nameserver
Hidden primaries
Hidden primary considerations
Secondary nameservers
Chapter 6: DNS Queries in Action
Top-level domain nameservers
Nameserver order
How does a resolver know where the "." nameservers are?
Anatomy of a DNS lookup
Format of a DNS query
Transaction ID
Number of questions
Number of answers
Number of authority records
Number of additional records
Query name
Query type
Query class
Additional section responses in queries
When does DNS use TCP instead of UDP?.
Zone transfers happen over TCP
EDNS and large responses
The anatomy of a DNS query - how nameserver selection actually works
Chapter 7: Types and Uses of Common Resource Records
Format of an RR
Constructing a zone
Start of Authority (SOA)
MNAME (Originating Nameserver)
RNAME (Point of Contact)
Serial
Date-based
Unix timestamp
Raw count
When the format of the Serial actually matters
The Refresh interval
The Retry interval
The Expire interval
Minimum
Can't You Just Set Your TTL To 0?
Nameserver (NS)
A/IPv4 Address
CNAME/Alias
When to use Aliases vs Hostnames
The Mail Exchanger (MX) record
Preferences, Priorities, and Delivery Order
Backup MX handler considerations
Special case MX records
Managing many MX domains
TXT/Text Records
SPF records
SRV
NAPTR
DNAME
PTR
IPv6
AAAA
A6
CERT
TLSA
CAA
DNSSEC-specific RR Types
Chapter 8: Quasi-Record Types
URL Forwards and Redirects
The Zone Apex Alias (ANAME)
Updates
Multiple A records (RRSets)
CNAME chains
POOL records (multiple CNAME RRSet)
Why can't you have a CNAME with other data?
DYN (Dynamic DNS records)
Email forwarders
Generic email forwarding
Separating forwarders from backup spooling via MX records
How to handle a large volume of email - where to cluster?
Chapter 9: Common Nameserver Software
BIND
BIND-DLZ
Adding new zones to busy BIND 9 servers (in the olden days)
PowerDNS
Things to know
The Supermaster (auto-adding new zones to secondaries)
Installation
Lua integration
Configuring powerdns
Converting BIND-style zone data into powerdns
Slaving PowerDNS from BIND masters
Using a PowerDNS master to BIND secondaries.
Adding custom backends to PowerDNS
PowerDNS wrap-up
NSD
No native support for RFC 2136 dynamic DNS
Notifies to slaves
Installation and setup
nsd wrap-up
djbdns/tinydns
No native support for DNSSEC
No responses for non-authoritative domains
TCP not supported in main daemon
Supports IPv6, SRV, NATPR, etc, natively, out-of-box (mostly)
All zones in a single datafile
How time is handled
Installation from source
daemontools
ucspi-tcp
Getting your bind data into tinydns
axfr each zone
Using a parser
Slaving from a Bind master
Slaving bind from a tinydns master
tinydns wrap-up
Knot DNS
Configuration
knotc - the Knot DNS controller
Slaving zones
DNSSEC support
Conclusion
Chapter 10: Debugging Without Tears - DNS Diagnostic Tools
Command line-based tools
whois
Are we looking at the correct domain?
Has the domain expired at the registry?
What is the Registry/Registrar status of the domain?
Is the domain using the expected nameservers?
Is it DNSSEC-signed?
How to look at a Whois record for a new TLD
dig
Understanding dig responses
The HEADER section
The ANSWER section
The AUTHORITY section
The ADDITIONAL section
Using dig
DNSSEC
Reverse lookups
Delegation chains
host
named-checkzone and named-checkconf
dnstop
Web-based debugging tools
DNS stuff
whatismydns
dnsviz
easywhois
domaintools
Chapter 11: DNS Operations and Use Cases
Transferring domain names
Change of registrant
Nameserver redelegations
Redelegating DNSSEC-signed domains
Registrar transfer (without changing nameservers)
IMPORTANT - make sure your new registrar knows what to do with the nameservers.
Beware! Transfers may trigger the WAP!
Steps of a registrar transfer
Registrar transfer and nameserver redelegation
Adding additional nameservers
External secondaries
External masters
Other considerations
Structuring secondary DNS arrangements
Securing zone transfers with TSIG
Syncing zone data across secondaries
Planning migrations with DNS updates
Moving to new nameservers
Moving single zones
Have the new nameservers slave from the current master
Setting up a new master to serve the new nameservers
Moving entire portfolios of domains
Round Robin DNS
Load-balancing/global weighted load-balancing
DNS failover
The target resource must be monitored
Its health must be measured and evaluated
The standby resource must be ready
There must be a reversion strategy
Dynamic DNS
Standards-based dynamic DNS (RFC 2136)
Dynamic DNS via web requests
Geo DNS
Edns-client-subnet
Native support for Geo DNS
PowerDNS and GeoIP backend
BIND and Geo IP
A GeoIP fork for djbdns
GeoDNS-centric nameservers
Anycast method
Custom PowerDNS backend method
Zone apex aliasing
Reverse DNS and netblock subdelegations
Classless reverse DNS
The proper way to do sub-/24 PTR records
The RFC 2317 method
RFC2317 modified
Implementing SPF, DKIM, and DMARC
SPF
SPF - things to know
SPF breaks email-forwarding
Overcomplicated SPF records can lead to bounces
DKIM
DMARC
Chapter 12: Nameserver Considerations
Anycast versus Unicast
Unicast architectures
Anycast DNS
Your own Autonomous System Number (ASN)
Address space to announce
Transit providers
The aftermarket
Transit providers who will route you
Nameserver configurations
Debugging under anycast
Anycast DNS and DDoS mitigation.
Heterogeneity vs homogeneity in nameserver deployments.
Notes:
Description based on print version record.
ISBN:
9781788999755
1788999754
OCLC:
1045049694