Monthly Archives: February 2018

Back to the SOA Record

In the past two posts we talked about the SOA record.  In this post, we’ll finish it.  The last parts of the SOA record are refresh, retry, and expire.  These are all numbers of seconds.  Each one does a different thing, but they all work together.

Refresh is the number of seconds the secondary name servers wait before asking the primary name server ‘do you have any updates for me?’.  You don’t want the primary to be drowned in requests of ‘got anything got anything got anything?’.  It’s like the two year old younger brother asking you constantly.  That’s annoying.  So we set the refresh of a domain.

The next number is the Retry.  Now suppose I ask my Mom ‘Can I have a new Xbox?’ and I don’t get a response.  How long should I wait so I don’t annoy her?  For a domain, that’s the ‘I didn’t get an answer from my primary name server, how long do I wait before asking again?’  Asking Mom repeatedly for an Xbox (especially if she doesn’t respond) is just going to make her mad.  Overloading a name server with repeated requests can do the same thing.

The Retry time must be less than the Refresh time.  Otherwise, I’d be waiting longer to re-ask after a failure than I’d wait to ask in the first place.

Now if my Mom doesn’t respond to me about the Xbox, how long should I wait until I give up on her ever responding?  (With my Mom, that’s infinity.  She’ll just ignore what she calls silly questions.) With domains, that’s Expire.  That tells the secondary server when to give up.  It’s usually a long time and the number has to be bigger than refresh or retry.  If it’s less than retry, then the secondary server is going to go ‘eh, why bother retrying, he’s dead Jim’.  Same with Refresh.  If it’s less than Refresh, then the secondary server is never going to bother trying.

Now for the last number, the TTL.  TTL stands for Time To Live.  This doesn’t actually have anything to do with zone transfers.  Surprise!

It has to do with people querying the domain.  When I query a domain and get an IP address, the TTL tells me how long I should believe that response.  If it’s set to 300, then I believe that response for 5 minutes, at which time I have to query again.

It took us three posts, but we covered the SOA record!  In the next post, we’ll talk about other records used in DNS.

DNS and Serial Numbers

In the last post we started talking about the SOA record in DNS and the serial number used in a zone file.  I promised that in this post we’d talk about why we use serial numbers.

Hint:  It’s to cut down on traffic.

Chaos in the Traffic

These days it seems you can stream anything, play games, play music, and there’s always enough bandwidth to go around.  What’s bandwidth?  That’s the size of your connection to the Internet and connections within the Internet.  In the old days, the amount of bandwidth was really small.  You could sit at a terminal and type things on a connection far away and hit a key, wait for it to appear, hit the next key, wait for it to appear.

Slow typing

In other words, there wasn’t much bandwidth available.

People came up with tricks to reduce bandwidth usage and one of those tricks was a serial number.

An operation name servers use to share zone files amongst themselves is called a zone transfer.  You can imagine that some of these files get really big.  If there isn’t a lot of bandwidth, then constantly passing those files back and forth is a bad thing.

Instead, you have the serial number and you ask the other side ‘excuse me, has your serial number increased from the value I have here?’ and if the answer is ‘yes’, then the zone transfer occurs.  Otherwise, the zone file stays where it is.

This means that when the administrator makes any change to the zone file, he has to update the serial number in order for the transfer to happen.

Now for the obvious question:  Can everyone do zone transfers?

Well, the answer is no.  It’s a security problem if we let everyone transfer.

Who can do transfers?  Like we said before, there’s a master name server listed in the SOA record.  We also know that most domains have more than one name server. For example, Google has four:

  • google.com name server ns3.google.com.
  • google.com name server ns1.google.com.
  • google.com name server ns2.google.com.
  • google.com name server ns4.google.com.

Imagine having to update the zone file on each one of those.  No thank you!  That’s what the master name server is for: you update that name server, and the other three can zone transfer your zone file from it, assuming the serial number has increased.  Those other three name servers are called slaves to the master name server or secondaries to the primary name server.  We’ll call them secondary or secondaries.  It’s an older term, but I like it.
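As an added example (not code from this post), here is the refresh decision the post describes, in Python: the secondary compares serial numbers using RFC 1982 serial arithmetic (so the 32-bit serial can wrap around), the primary only hands the zone to its own listed secondaries, and a helper bumps a serial in the common YYYYMMDDNN convention, which is an assumption, not something the post states. All serials and addresses are constructed.

```python
HALF = 1 << 31   # half the 32-bit serial space: the RFC 1982 "newer than" threshold

def serial_newer(primary: int, secondary: int) -> bool:
    """RFC 1982 serial arithmetic: has the primary's serial increased past ours?
    A plain '>' breaks once the 32-bit serial wraps around, so the comparison
    goes by the shorter distance around the ring of values."""
    a, b = primary & 0xFFFFFFFF, secondary & 0xFFFFFFFF
    if a == b:
        return False
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)

# Constructed addresses of the primary's own secondaries (not from the post).
ALLOWED_SECONDARIES = frozenset({"192.0.2.2", "192.0.2.3", "192.0.2.4"})

def refresh_check(secondary_serial: int, primary_serial: int, requester_ip: str,
                  allowed: frozenset = ALLOWED_SECONDARIES) -> str:
    """One refresh cycle: the secondary asks 'has your serial increased?', and only
    then asks for the zone; the primary answers that request with its allow-list."""
    if not serial_newer(primary_serial, secondary_serial):
        # Serial did not increase (including the admin who edited the zone but
        # forgot to bump it, or who typed a smaller serial): the big file stays put.
        return "up to date"
    if requester_ip not in allowed:
        return "transfer refused"   # zone transfers are not for everyone
    return "transfer"               # a listed secondary with a stale copy pulls the zone

def next_serial(current: int, today: str) -> int:
    """YYYYMMDDNN convention (assumed, not from the post): start at 01 on a new
    date, otherwise add one, so the serial always moves forward."""
    candidate = int(today + "01")
    return candidate if serial_newer(candidate, current) else current + 1
```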

DNS and SOA record

We talked about DNS before, and we talked about MX records and mail, but now we’re going to talk about what else DNS can do.  Email uses the MX record type, but there are a lot more record types in DNS than just mail.  In this post, we’re going to talk about one particular record, the SOA record.

Every domain has an SOA record, also known as a Start of Authority record.  Isn’t that a spiffy name?  Sounds like the delegation of authority in a business.  I shall start your authority here and here only!

I am your Start of Authority!

Every domain has a zone file that’s created by the administrator.  The top of that zone file has the SOA record and the rest of the zone file has all the records for the domain.

The SOA record defines information about the domain itself.  It includes the name of the master name server, the name server that is the be-all and end-all of information for the domain.  Think of it as the server that is always going to have the real and true information for the domain.

It also includes an email address for the administrator.  This looks like a domain name, like hostmaster.example.com.  That doesn’t look like an email address; where’s the @ sign?  Well, the part before the first dot is the mailbox name, and everything after it is the domain where the email is sent.  That means that hostmaster.example.com is the email address hostmaster@example.com.

It also has a serial number for the domain.  Every time you make a change in the zone file, you change the serial number.  In the next post, we’ll talk about why the creators of DNS used this.
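An added Python example, not code from either post, that pulls the fields this post lists out of one constructed SOA line, turns the administrator mailbox into an email address, and applies the refresh/retry/expire ordering rules from the ‘Back to the SOA Record’ post at the top of this page. The zone line, names and numbers are made up.

```python
import re
from dataclasses import dataclass

# Constructed zone-file line in the usual presentation order (not from the page):
# owner [ttl] [class] SOA mname rname serial refresh retry expire minimum
SAMPLE_SOA = ("example.com. 300 IN SOA ns1.example.com. hostmaster.example.com. "
              "2018020101 7200 900 1209600 300")

@dataclass
class SOA:
    owner: str
    ttl: int       # how long a resolver may believe the answer
    mname: str     # master (primary) name server
    rname: str     # administrator mailbox written as a domain name
    serial: int    # bumped on every change so secondaries know to transfer
    refresh: int   # seconds a secondary waits between "any updates?" checks
    retry: int     # seconds to wait before re-asking after a failed refresh
    expire: int    # seconds after which a secondary gives up on the primary
    minimum: int   # last SOA field (the one the 'Back to the SOA Record' post calls the TTL)

def rname_to_email(rname: str) -> str:
    # hostmaster.example.com. -> hostmaster@example.com; a backslash-escaped dot
    # inside the mailbox is a literal dot: john\.doe.example.com. -> john.doe@example.com
    labels = re.split(r"(?<!\\)\.", rname.rstrip("."))
    return labels[0].replace("\\.", ".") + "@" + ".".join(labels[1:])

def parse_soa(line: str) -> SOA:
    """Split one SOA line into its fields (the TTL and class are optional)."""
    f = line.split()
    i = f.index("SOA")
    ttl = next((int(x) for x in f[1:i] if x.isdigit()), 0)
    serial, refresh, retry, expire, minimum = (int(x) for x in f[i + 3:i + 8])
    return SOA(f[0], ttl, f[i + 1], f[i + 2], serial, refresh, retry, expire, minimum)

def check_timers(soa: SOA) -> list:
    """Return the ordering problems a misconfigured SOA has; an empty list means sane."""
    problems = []
    if soa.retry >= soa.refresh:
        problems.append("retry must be less than refresh")
    if soa.expire <= soa.refresh:
        problems.append("expire must be greater than refresh")
    if soa.expire <= soa.retry:
        problems.append("expire must be greater than retry")
    return problems
```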

Botnets

A phrase often heard on the news is a botnet. That’s another scary name, like ransomware. It sounds like there are lots of robots lurking on the Internet as a great big network of trouble.

That’s true and not so true. It is a scary sounding name but the truth is that a botnet is a collection of computers, all of which were infected by the same malware to do the same thing for a controller.

It would be more fun if there were actual robots on the Internet, but since the Internet is a network of information and there’s currently no way for robots to run around on it, instead we have infected computers.  Though imagining R2D2 and BB-8 running around on the Internet is awfully fun.

BB-8 and R2D2 are not part of a botnet

The controllers of these computers use botnets to do their bidding.  They send spam, attack with a DDoS, or do anything else they can to make money.

Your computer can be part of a botnet and you won’t even know it. That’s a dangerous thing. You become a part of a botnet when you click on a link and download software that adds your computer to the botnet. The scary thing is that your computer can also be hit because it’s on the same network as an infected computer. If your sibling’s computer is part of a botnet, it’s going to try to infect yours and it might happen without you knowing it. A good firewall configuration can help.

There are several famous botnets; they’re famous (or infamous) for the damage they’ve done or their size.  These include Grum, ZeroAccess, Windigo, Cutwail, Conficker and Kraken.  I have one question about these botnets… who names these things? I think if I named one I’d name it ‘TeamAwesome Botnet’.

There’s another famous one known as the Mirai botnet.  The reason it was so scary is that it wasn’t computers that were part of the botnet, it was the devices in your home that are on the Internet that were part of the botnet. Things like routers, heating controllers, refrigerators, and even lightbulbs. It was the first major attack that used these devices and it took down a lot of important websites.

So, in summary, there are no robots running amok on the Internet, but there are a lot of computers behaving badly.