DNS

rDNS: Do you really need it?

Reverse DNS (rDNS) is a genuinely useful feature, but it is not mandatory for every domain. Whether you need it depends on what the domain does. More specifically: yes, you need rDNS if you plan to send e-mail from your own servers, or to run any other service whose peers verify the reverse name of your IP address.

If your domain has no such requirements, you don’t need to enable rDNS. Simple as that. If you want to understand properly what rDNS is and what it is for, this article is for you. You may not need rDNS now, but you may need it later.

What is rDNS?

The most common DNS operation is a forward lookup: a domain name is typed into a browser, and a DNS query is made to find the IP address associated with that name.

Reverse DNS (rDNS) is the opposite operation: a lookup that starts from an IP address and returns the domain name associated with it. That is where the name comes from.

rDNS is implemented with PTR (pointer) records. The owner name of a PTR record is built from the IP address: the octets are written in reverse order and “.in-addr.arpa” is appended. For instance, the reverse entry for 12.23.34.45 lives at 45.34.23.12.in-addr.arpa, and its PTR record names the host that should be associated with that address.

Reverse zones are usually included in managed DNS plans, and if yours does not include them you can normally add them. What you get is the ability to create a reverse DNS zone in which your PTR records are added. One caveat: the in-addr.arpa tree is delegated along with the IP address space, so PTR records are controlled by whoever owns the IP block (your ISP or hosting provider), not by whoever controls the forward domain. Unless that block has been delegated to your name servers, you have to ask the IP owner to set the PTR records or to delegate the reverse zone to you.

Reverse DNS works for both IPv4 and IPv6. IPv4 addresses are reversed octet by octet under in-addr.arpa; IPv6 addresses are expanded to their 32 hexadecimal nibbles, reversed nibble by nibble, and placed under ip6.arpa. You don’t have to choose one or the other; both can be used.

Why do I need rDNS?

Let’s be crystal clear: without rDNS, users will still reach your domain. That is a common confusion. What rDNS gives you is the following.

  • By adding PTR records to the reverse zone, you make it possible to check that an IP address and a hostname agree with each other: the PTR for the address names a host, and the A or AAAA record of that host points back to the same address. Other organisations’ servers can perform this check (known as forward-confirmed reverse DNS) and use it to reject obvious forgeries.
  • Receiving mail servers use it to check the connecting IP address of every incoming message. A missing or mismatched PTR is a strong spam signal, and many receivers reject or quarantine such mail; a consistent one removes that strike, although it is only one input to the spam decision, alongside SPF, DKIM and DMARC.
  • It helps to filter spam. Criminals send e-mail that impersonates trusted domains (banks, tax authorities, health and insurance companies, and so on), and a sending host whose reverse name does not resolve back to it is an easy thing for the receiver to filter on.
  • It improves the chance that your clients actually receive your messages. If your last e-mail campaigns, promotions or special sales underperformed, consider that your messages may be landing in the spam folder; a missing PTR record is one of the first things to fix.
  • It adds credibility to your domain, so that clients and their mail systems can see that the host sending on your behalf really belongs to you.
  • Some cloud, storage, backup and office services check the reverse name of connecting hosts as part of their validation, and will refuse to work without it.
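The two mechanics above, building the reverse name from an address and checking that the PTR and forward records agree (forward-confirmed reverse DNS, the check a receiving mail server performs), as an added Python example. This is not code from the original article; the PTR and A/AAAA data it uses are constructed inside the script so that it runs offline, and the hostnames and addresses are placeholders.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Build the owner name of the PTR record for an IPv4 or IPv6 address.

    IPv4: octets reversed under in-addr.arpa (12.23.34.45 -> 45.34.23.12.in-addr.arpa).
    IPv6: all 32 hex nibbles of the expanded address, reversed, under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")   # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed sample data standing in for real DNS answers (nothing is looked up).
# PTR_RECORDS maps a reverse owner name to the hostname it points at;
# FORWARD_RECORDS maps a hostname to the set of A/AAAA addresses it publishes.
PTR_RECORDS = {
    reverse_name("12.23.34.45"): "mail.example.com",
    reverse_name("2001:db8::25"): "mail.example.com",
    reverse_name("198.51.100.7"): "smtp.example.net",   # PTR exists but does not confirm
}
FORWARD_RECORDS = {
    "mail.example.com": {"12.23.34.45", "2001:db8::25"},
    "smtp.example.net": {"203.0.113.9"},
}


def fcrdns(ip: str, ptr=PTR_RECORDS, forward=FORWARD_RECORDS):
    """Forward-confirmed reverse DNS check, as a receiving mail server would do it.

    Returns (status, hostname):
      ("no-ptr", None)                the address has no PTR record
      ("forward-mismatch", hostname)  PTR names a host whose A/AAAA do not include ip
      ("pass", hostname)              PTR and forward records agree
    """
    hostname = ptr.get(reverse_name(ip))
    if hostname is None:
        return ("no-ptr", None)
    # normalise so that 2001:db8::25 and 2001:0db8::0025 compare equal
    addresses = {str(ipaddress.ip_address(a)) for a in forward.get(hostname, set())}
    if str(ipaddress.ip_address(ip)) not in addresses:
        return ("forward-mismatch", hostname)
    return ("pass", hostname)


if __name__ == "__main__":
    for ip in ("12.23.34.45", "2001:db8::25", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", reverse_name(ip), fcrdns(ip))
```

The mismatch case is the one worth noticing: a PTR record alone proves nothing, because whoever controls the reverse zone can point it at any name. Only the round trip back to the same address shows that the owner of the name agrees.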

Conclusion

As you can see, rDNS has real and useful functionality. Once you look at it, the chances that you need it now or later are high. Considering how hostile the Internet has become, removing the risk of being treated as untrustworthy is vital, and it can make a real difference to your business’s income. If you need it now, enable it. If not, keep this information in mind. It could save you later!

How to use a DKIM record: quick and easy

DKIM (DomainKeys Identified Mail) is an e-mail authentication method for proving that a message was sent, or authorised, by the owner of a domain. The sending server signs outgoing messages with a private key, and the matching public key is published in a DKIM DNS record so that receivers can verify the signature.

The DKIM record setup process

There are 3 steps that you should take to set up DKIM for your email server:

1. Generate the DKIM keys.

You can use one of the many DKIM key generators available on the Internet; in this guide we use SparkPost’s. Be aware of what that means for the private key: a key generated in a web form has existed on somebody else’s server, and anyone who obtains it can sign mail as your domain. If you can, generate the key pair locally instead (for example with openssl) and only ever upload the public half.

You will need to enter your domain, choose a DomainKey selector (a name for the key, for example Key001) and the key size (1024 or 2048 bits; 2048 is the current recommendation, and 1024-bit keys are being phased out by receivers). Then press Create Keys. You will get the public DKIM key and the private DKIM key ready to use.

2. Enter the public DKIM key into your DNS name servers.

This step allows receivers of your e-mail to verify that messages were really signed by your domain: they read the selector from the DKIM-Signature header, fetch the public key from DNS, and check the signature with it.

The exact steps depend on whether you run your own DNS server or use a cloud DNS provider, but the concept is the same, so you can still follow along.

Create a DNS TXT record.

There will be a few fields to enter:

Name : Key001._domainkey.YourDomain.com.

Value : v=DKIM1;p=YourPublicKey

Selector : Key001

Replace Key001 with the DomainKey selector you chose. Some control panels ask for the selector in a separate field and build the record name for you; otherwise the name is the selector, then ._domainkey., then your domain.

Replace YourDomain.com. with your actual domain name.

Replace the text after p= (“YourPublicKey”) with the public DKIM key you created in the previous step. Do not include the “BEGIN PUBLIC KEY” and “END PUBLIC KEY” lines; paste only the base64 body, with its line breaks removed. A 2048-bit key is about 392 characters, more than fits in one 255-character TXT string, so if you edit the zone file by hand you must split the value into several quoted strings (receivers join them back together); most control panels do this for you.

If you prepared the record in a file on your computer, add it to your zone as a TXT record.

3. Enter the private DKIM key into your e-mail server.

With the previous step, you made sure that receivers can verify your signatures. Now you need to install the private key on your e-mail server so that it can sign outgoing messages.

Now go to your e-mail server. We are using hMailServer, but every mail server that supports DKIM signing has a similar setting, so you can follow along.

Save the private key you generated in step one to a file on the server (in the PEM format the generator produced), and restrict its permissions so that only the mail server process can read it.

Then go to your domain and open the tab called “DKIM signing”. Inside the tab, tick “Enabled”, browse to the private key file you just saved, and enter the selector you used before, in our case “Key001”. The selector must match the DNS record name exactly; if it doesn’t, receivers will look up a record that does not exist and every signature will fail.
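Steps 1 and 2 in code, as an added example that is not part of the original guide: building the record name from the selector and domain, turning a PEM public key into the p= value, splitting the result into TXT strings of at most 255 characters, and checking a finished record for the mistakes receivers trip over. The PEM in the script is a constructed placeholder with the right shape, not a real key; generating a real pair is left to your key generator (or openssl).

```python
import base64
import re
import textwrap

ARMOR = re.compile(r"^-----(BEGIN|END) [A-Z ]+-----$")


def dkim_record_name(selector: str, domain: str) -> str:
    """Owner name of the DKIM key record: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain.rstrip('.')}."


def pem_to_p_tag(pem: str) -> str:
    """Turn a PEM public key into the value of the p= tag.

    Drops the BEGIN/END armor lines and joins the base64 body into one line,
    which is exactly what goes after p= in the TXT record.
    """
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not ARMOR.match(line.strip()))
    base64.b64decode(body, validate=True)   # raises if armor or stray text slipped in
    return body


def build_dkim_record(pem: str) -> str:
    return f"v=DKIM1; k=rsa; p={pem_to_p_tag(pem)}"


def split_txt(value: str, limit: int = 255) -> list:
    """A single TXT character-string holds at most 255 bytes.

    A 2048-bit RSA key is about 392 base64 characters, so the record has to be
    stored as several quoted strings; verifiers concatenate them in order.
    """
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def parse_tags(txt: str) -> dict:
    """Parse the tag=value list of a DKIM record ('v=DKIM1; k=rsa; p=...')."""
    tags = {}
    for field in txt.split(";"):
        name, _, value = field.strip().partition("=")
        if name:
            tags[name.strip()] = value.strip()
    return tags


def check_dkim_record(txt: str) -> list:
    """Return the problems a verifier would hit; an empty list means the record is usable."""
    tags = parse_tags(txt)
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= must be DKIM1")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("p= is empty: key revoked, signatures will fail")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64 (armor lines or whitespace left in?)")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=" + tags["k"])
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag set: verifiers treat failures as if the mail were unsigned")
    return problems


# Constructed placeholder in PEM shape; not a real RSA key.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder, not a real RSA key " * 9).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_BODY, 64))
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    record = build_dkim_record(SAMPLE_PEM)
    print(dkim_record_name("Key001", "YourDomain.com"), "TXT")
    for chunk in split_txt(record):
        print(f'    "{chunk}"')
    print("problems:", check_dkim_record(record))
```

Run it and compare the printed strings with what your control panel shows after you save the record; a record that fails check_dkim_record will also fail at every receiver.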

Testing the DKIM record

The easiest way to test it is to send an e-mail from your server to somebody you know who uses Gmail. The receiver can open the “More” drop-down menu (the three dots on the right side of the open message) and choose “Show original”.

There you should see DKIM: ‘PASS’ with domain YourDomain.com (the domain you added earlier). If it shows FAIL or the line is missing, check that the selector on the mail server matches the record name, that the public key was pasted without armor lines or line breaks, and that the DNS change has propagated.

Conclusion

That’s it! It wasn’t hard, was it? You are now signing your outgoing e-mail. Note that DKIM does not encrypt anything; it lets receivers detect forged or altered messages, which in turn reduces the number of legitimate messages lost to the receivers’ spam filters.

Traceroute command – an overview

Traceroute command explained.

Traceroute is a command-line (CLI) tool built into most operating systems. It is available on Linux and macOS as traceroute and on Windows as tracert. It serves network diagnostics and, more precisely, tracing the route that packets take from your machine to a target.

To use it, open the Terminal application (or the Command Prompt on Windows) and point it at an IP address or hostname. It then reports every router (hop) on the path, from the first hop all the way to the target, together with the round-trip time of each probe. This shows you how traffic to that destination is routed, lets you spot unusual routing or a hop where latency jumps, and gives you real data for planning network changes.

How does it work?

When you run Traceroute, your device sends probe packets towards the target with a deliberately small time-to-live (TTL). The first probes have a TTL of 1, so the first router decrements it to zero, discards the packet and sends back an ICMP “Time Exceeded” message; that reply reveals the first hop. Traceroute then sends probes with TTL 2, 3 and so on, revealing one hop further each time. Probing stops when the target itself answers, with an ICMP “port unreachable” (for UDP probes), an echo reply (ICMP probes) or a SYN-ACK or RST (TCP probes), or when the maximum number of hops is reached. The result lists each hop’s address and the round-trip time of every probe; the additional options add further information.

How to use the Traceroute command?

So, to trace the route to exampledomain.com, you have to open the Terminal application and type the following:

traceroute exampledomain.com

The output is divided into several columns.

  • The first column is the hop number (the TTL used for that round of probes).
  • The second column shows the hostname and IP address of the router that answered.
  • The remaining columns show the round-trip time of each probe (three per hop by default). An asterisk means that probe received no reply in time.

In the end, you have a clear picture of each hop on the path. You can see where delays appear and between which devices a problem lies. Keep in mind that a single slow or silent hop followed by normal hops is usually a router that rate-limits its own ICMP replies, not a real problem; a latency increase that persists for all later hops is.
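Reading traceroute output by eye works for a single run; for many runs it helps to parse it. The following Python script is an added example, not part of the original article: it parses the column layout described above from a constructed traceroute output (documentation address ranges, not a real capture), lists the hops that never answered, and flags latency increases that persist to the following hops while ignoring an isolated spike at one router.

```python
import re
import statistics

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_IP = re.compile(r"(\S+)\s+\(([0-9a-fA-F.:]+)\)")
PROBE = re.compile(r"(\*)|(\d+(?:\.\d+)?)\s*ms")

# Constructed traceroute output (documentation address ranges), not a real capture.
SAMPLE_OUTPUT = """\
traceroute to exampledomain.com (203.0.113.80), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.123 ms  0.987 ms  1.045 ms
 2  * * *
 3  198.51.100.1 (198.51.100.1)  12.301 ms  11.874 ms  12.655 ms
 4  198.51.100.9 (198.51.100.9)  210.442 ms  208.903 ms  209.110 ms
 5  203.0.113.1 (203.0.113.1)  14.021 ms  13.877 ms  14.302 ms
 6  203.0.113.42 (203.0.113.42)  95.611 ms  96.004 ms  95.830 ms
 7  203.0.113.80 (203.0.113.80)  96.201 ms  95.993 ms  96.455 ms
"""


def parse_traceroute(output: str) -> list:
    """Turn traceroute's text output into one dict per hop."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                      # banner line, not a hop
        rest = m.group(2)
        host = HOST_IP.search(rest)
        probes = PROBE.findall(rest)      # [('*', ''), ('', '12.301'), ...]
        hops.append({
            "hop": int(m.group(1)),
            "host": host.group(1) if host else None,
            "ip": host.group(2) if host else None,
            "rtts": [float(rtt) for star, rtt in probes if rtt],
            "timeouts": sum(1 for star, rtt in probes if star),
        })
    return hops


def silent_hops(hops: list) -> list:
    """Hops where every probe timed out (shown as '* * *')."""
    return [h["hop"] for h in hops if h["timeouts"] and not h["rtts"]]


def latency_jumps(hops: list, threshold_ms: float = 50.0) -> list:
    """Hops where the median RTT rises by more than threshold_ms and stays up.

    A spike confined to one hop (the next hop is fast again) is almost always a
    router that rate-limits or deprioritises its own ICMP replies, so it is not
    reported; only an increase that the following hop still shows is.
    """
    medians = [(h["hop"], statistics.median(h["rtts"])) for h in hops if h["rtts"]]
    flagged = []
    for i in range(1, len(medians)):
        hop, now = medians[i]
        before = medians[i - 1][1]
        if now - before <= threshold_ms:
            continue
        if i + 1 < len(medians) and medians[i + 1][1] - before <= threshold_ms:
            continue                      # isolated spike, ignore
        flagged.append(hop)
    return flagged


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_OUTPUT)
    print("silent hops:", silent_hops(hops))
    print("sustained latency jumps at hops:", latency_jumps(hops))
```

In the sample, hop 4 answers slowly but hop 5 is fast again, so it is not reported; the jump at hop 6 carries through to the target and is.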

Options of the Traceroute command

Here are some of the essential options of the Traceroute command. You can try them for more precise queries: 

traceroute -m 35 exampledomain.com

In this example, you raise the maximum TTL (the maximum number of hops) to 35. If the target is far away, that gives you five more hops than the default of 30.

traceroute -w 60 exampledomain.com

In this example, you increase the time (in seconds) that Traceroute waits for a reply to each probe, instead of the default of 5 seconds. Waiting longer does not guarantee an answer, but it stops slow hops from being reported as timeouts.

traceroute -q 8 exampledomain.com

In this example, you increase the number of probes per hop to 8 from the default of 3. More probes per hop give a better picture of the variation in round-trip time.

traceroute -T exampledomain.com

In this example, you change the probe protocol. -T sends TCP SYN probes (to port 80 by default), which often get through firewalls that drop UDP and ICMP; -I uses ICMP echo requests; -U uses UDP, which is the default on Linux. TCP and ICMP probes usually require root privileges.

Primary DNS server – Definition

Primary DNS server explained.

The Primary DNS server, also called the Master DNS server, is the origin of all the authoritative information for a particular DNS zone and its domains. The name shows its importance: it stores the complete set of DNS records for the zone, and whenever you want to add, change or delete a record, you do it at the source, the Primary DNS server.

The Primary DNS server sits above the other servers for the zone because it is the one where the authoritative data is edited. Changes made on it propagate to the other servers, which update their copies. Because it holds the IP addresses and all the other DNS records of the domain, it is essential to the DNS resolution process.

There are of course many Primary DNS servers on the Internet, one for each DNS zone and network. For a given DNS zone, though, there is conventionally a single Primary DNS server.

The other servers for the zone are typically Secondary DNS servers. They hold additional copies of the zone data to keep the domain available in any situation and to provide redundancy. Their copy is read-only; you cannot modify DNS records on them.

How does it work?

Each time a user requests a domain name, a translation from a human-readable name into a machine one (an IP address) takes place. For instance, when domain.com is requested, the IP address for that website (94.104.116.34 in this example) has to be located.

The Primary DNS server stores the original zone file: a file that holds the authoritative DNS information for the domain, with all its DNS records, including that IP address.

The Master DNS server is the source of the DNS data, and it distributes that data to the Secondary DNS servers through zone transfers (AXFR for a full copy, IXFR for incremental changes); it can send a NOTIFY message when the zone changes so that the secondaries refresh promptly. That way, they are also able to answer DNS queries for the domain. Otherwise, it would have to answer every query alone.

When a domain is requested, a recursive server searches for the IP address. The answer comes from the Master DNS server or from a Secondary authoritative DNS server.

To keep the Primary DNS server safe, it is common practice to have Secondary authoritative servers answer the public’s queries. They respond with authoritative answers.

How to protect a Primary DNS server?

You can hide the Master DNS server (a so-called hidden primary) to protect your network: it is not listed in the zone’s NS records, so the public only ever talks to the secondaries, and it accepts zone transfers only from the secondaries’ addresses, ideally authenticated with TSIG keys. Beyond that, let only the people who need access have it, which means your administrators. The more you limit access to your Primary DNS server, the smaller the chance of hacking or malicious modification of your zone.

Hiding the server does not change how requests are answered. They will be answered accurately by the secondaries, and your domain will remain available.
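What a hidden primary looks like in BIND configuration, as an added example that is not from the original article: the weak, public-primary form beside the hardened one. All addresses, the key name and the secret are placeholders; generate a real secret with tsig-keygen, and list only the two secondaries in the zone’s NS records.

```conf
// named.conf fragments (BIND 9.16+ syntax). Addresses, key name and secret are placeholders.

// --- Weak: the primary is public and lets anyone copy the whole zone ---
zone "example.com" {
    type primary;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { any; };          // AXFR open to the world: every record is enumerable
};

// --- Hardened: hidden primary, transfers only to known, authenticated secondaries ---
// Generate the secret once with: tsig-keygen xfer-key   (install the same key on both sides)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

acl "secondaries" { 198.51.100.10; 198.51.100.11; };   // placeholder public NS addresses

zone "example.com" {
    type primary;
    file "/etc/bind/zones/db.example.com";
    // Only a secondary that signs its request with xfer-key may transfer the zone.
    allow-transfer { key "xfer-key"; };
    // Push change notifications to the secondaries only, not to every NS in the zone.
    notify explicit;
    also-notify { 198.51.100.10; 198.51.100.11; };
};
// The zone file's NS records name only ns1/ns2 (the secondaries), never this host,
// so public resolvers never learn its address. Firewall port 53 on it so that only
// the secondaries and your administrators can reach it.

// --- On each secondary (198.51.100.10 / .11); 203.0.113.5 is the hidden primary ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

zone "example.com" {
    type secondary;
    primaries { 203.0.113.5 key "xfer-key"; };
    file "/var/cache/bind/db.example.com";
};
```

The weak and hardened primary fragments are alternatives for the same zone, not meant to be loaded together. After reloading, confirm the lock-down from an outside host with a dig AXFR against the primary’s address; it should be refused.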

DNSSEC – Definition

DNSSEC explained.

The Domain Name System Security Extensions, or DNSSEC for short, are an excellent way to improve the security of your domains. They are an extension of DNS itself. When you enable DNSSEC, each set of records in your zone gets a digital signature (an RRSIG record), and the parent zone publishes a DS (Delegation Signer) record that identifies your zone’s key. That provides a guarantee that the DNS data came from the zone’s owner and was not altered on the way.

The main reason for its creation is to keep Internet users safe from forged DNS data, for example an answer that sends users to a misleading or malicious website instead of the one they requested.

When you use DNSSEC, validating resolvers check the digital signatures and prove that the DNS data for the domain is authentic, so some types of attack can be stopped. Note that the check is done by the validating resolver, not by the browser: if a signature does not validate, the resolver returns an error (SERVFAIL) and the client never receives the forged address.

How does it work?

DNSSEC addresses the security weaknesses of DNS, which was designed without any authentication of the answers and needs a layer of security on top.

The answer is an authentication method that applies digital signatures with public-key cryptography: DNSSEC. With it, the owner of a DNS zone can cryptographically sign the DNS data for their domain name. It is essential to know that it is the data that is signed, not the DNS queries themselves, and that DNSSEC does not encrypt anything.

To achieve that, every DNS zone needs a key pair: a public and a private key.

The domain owner uses the private key to sign the records in the zone, producing RRSIG records.

The public key is published in the zone itself, as a DNSKEY record.

A DNS recursive server that validates the data in the zone fetches this public key and uses it to check the signatures on the records. If they validate, the data is returned to the user. If not, the recursive server returns an error message instead of the data.

The public key of the zone itself has to be authenticated too. It is confirmed not by its own private key but by the zone above it: the parent publishes a DS record containing a hash of the child’s key, and signs that DS record with its own key. The chain continues up to the root zone, which has no one above it to sign its key; the root key is distributed to resolvers as a trust anchor instead.
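The parent-to-child link described above, as an added Python example that is not part of the original article: how a DS record is derived from a child’s DNSKEY and how a validator checks that the two match before trusting the key. The DNSKEY in the script is constructed, with a short placeholder in place of a real RSA key; verifying the RRSIG signatures themselves needs a cryptography library and is not shown here.

```python
import hashlib
import struct

# Constructed DNSKEY for the example: a KSK (flags 257), protocol 3, algorithm 8
# (RSASHA256), with an 8-byte placeholder where a real RSA public key would be.
EXAMPLE_DNSKEY = {
    "owner": "example.com.",
    "flags": 257,
    "protocol": 3,
    "algorithm": 8,
    "public_key": bytes([0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE, 0x42]),
}


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case labels, each length-prefixed, then a zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]


def key_tag(key: dict) -> int:
    """Key tag (RFC 4034 appendix B): a 16-bit checksum of the RDATA used to pick the right key quickly."""
    rdata = dnskey_rdata(key)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: dict, digest_type: int = 2) -> str:
    """Digest the parent puts in its DS record: hash(owner name in wire form + DNSKEY RDATA).

    Digest type 2 is SHA-256, type 4 is SHA-384; type 1 (SHA-1) is deprecated.
    """
    algo = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(owner_to_wire(key["owner"]) + dnskey_rdata(key)).hexdigest()


def ds_record(key: dict, digest_type: int = 2) -> str:
    """Presentation form of the DS record the parent zone publishes for this key."""
    return f'{key["owner"]} IN DS {key_tag(key)} {key["algorithm"]} {digest_type} {ds_digest(key, digest_type)}'


def ds_matches_dnskey(ds_key_tag: int, ds_algorithm: int, ds_digest_type: int, ds_hex: str, key: dict) -> bool:
    """What a validator does at a delegation: the DS from the (signed) parent must
    match the child's DNSKEY before that key is trusted to sign anything."""
    return (ds_key_tag == key_tag(key)
            and ds_algorithm == key["algorithm"]
            and ds_hex.lower() == ds_digest(key, ds_digest_type))


if __name__ == "__main__":
    print(ds_record(EXAMPLE_DNSKEY))
    tampered = dict(EXAMPLE_DNSKEY, public_key=b"\x03\x01\x00\x01\xC0\xFF\xEE\x43")
    print("tampered key accepted:",
          ds_matches_dnskey(key_tag(EXAMPLE_DNSKEY), 8, 2, ds_digest(EXAMPLE_DNSKEY), tampered))
```

Changing a single byte of the child’s key changes both the key tag and the digest, so a DNSKEY substituted on the way can never match the DS the parent signed; that is what anchors the chain to the zone above.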

What does it protect against?

The foremost aim of DNSSEC is to prevent third parties from falsifying DNS records. By stopping the following situations, it protects the integrity of the domain name’s data.

DNS Cache Poisoning

It is a form of man-in-the-middle attack. The attacker’s goal is to get a DNS resolver to accept bogus answers, for instance by flooding it with forged replies that race the genuine one. If the attack succeeds, the fake answer is stored in the resolver’s cache, and the resolver then hands the malicious address to every user who asks for that website, until the TTL (time-to-live) of the poisoned entry expires. With DNSSEC, a forged answer carries no valid signature and a validating resolver discards it.

Fabricated zones

DNSSEC can protect against attacks that abuse the DNS system to fabricate answers for zones or names that do not really exist, exploiting the gaps between zones. DNSSEC closes these gaps by signing proof of non-existence as well (NSEC or NSEC3 records), so the whole zone, including the names that are not in it, is secured.

Advantages of using Managed DNS

If you own or administer an online business, you know how vital DNS is for being present on the Internet. Of course, you can build your own DNS servers, but a Managed DNS service brings real advantages that you should consider.

What does Managed DNS mean?

In short, Managed DNS is a service that lets clients use a provider’s DNS servers. Once you pick such a provider, its DNS servers (its infrastructure) are available for you to manage all the DNS data (records) of your domain and to make the domain available online.

Providers supply their clients with a friendly control panel to manage their DNS. From there, you can create, add, modify or delete DNS records, DNS zones, PoPs, etc.

Advantages of using Managed DNS.

Cost. 

Quality DNS providers own robust networks, and buying their service gives you access to that whole infrastructure. Even an expensive plan will almost certainly be cheaper than building your own DNS from scratch.

Ease of use. 

Administering DNS is not an easy task, and it can get more or less complex. Managed DNS takes care of routine tasks for you so that you can focus on the essential ones. Not having to set up all your DNS servers yourself is a relief from the very beginning.

Easy scalability, up and down.

You aim for constant growth and more traffic every day. But are you ready to handle it? With a Managed DNS service, you can expand or reduce your resources (speed, security, PoPs, etc.) without badly compromising your budget. There are different plans to satisfy different websites’ needs and sizes, and you can add or cancel features based on your performance and real growth.

Add as many PoPs as you need.

Having different points of presence (PoPs) is very convenient, especially for international websites. Managed DNS providers offer many servers around the world to serve your website’s DNS records, so you can choose those closer to your market.

Whenever you require a PoP, you can easily add it.

Gain redundancy.

Redundancy is what keeps websites constantly available. If your DNS records are served only by a single Primary authoritative server and it fails or suffers an attack, your site won’t be reachable. Managed DNS is the easiest way to add servers wherever you need them, and every PoP you add automatically gives your business more redundancy.

Get higher uptime.

Downtime is the time your website is not accessible to clients, which means angry clients and lost revenue. Again, serving your site’s DNS records from a single Primary authoritative server is possible but risky: if it goes down, there is no alternative path for clients to reach the site. With copies of your DNS records on more than one server, you increase your uptime. One or even several servers on a network can be taken down by a severe cyber attack, but not all of them.

Extra security.

Threats on the Internet are many, so no single measure makes you 100% safe; a combination of them is needed. Managed DNS supplies enough servers to balance your traffic load, DDoS-protected servers with the technology to analyse and filter suspicious traffic, and more. Such resources belong in your strategy for strengthening your defences.

Conclusion.

Using a quality Managed DNS service is a good investment. Analyse the needs of your website and the costs, and give it a try!

Understanding DNS cache.

Since its creation, thanks to its utility and efficiency, the Domain Name System (DNS) has become very much in demand. No network can fully function without it, and considering the number of networks that currently exist, the DNS is permanently busy!

Considering all the important processes that rely on this system, different mechanisms have been created to reduce its load by taking over some tasks. One of them is the DNS cache, which makes DNS work better and faster!

What is the DNS cache?

The DNS cache is temporary memory in which the DNS records of already queried domain names are kept. This mechanism exists in many places: DNS recursive servers, computers, mobiles, tablets…

The purpose of the mechanism is clear: not to repeat a DNS lookup every time a specific domain name is requested. Think of the news site you open every morning. The first time you requested it, a DNS lookup took place to find its IP address. Once a DNS recursive server had obtained that address, the site could be loaded for you, and the DNS record (the IP address) was saved in the DNS cache. The next day, when you typed the news domain again, loading it was easier and faster because its IP address was already in the DNS cache. No new DNS lookup was needed.

These records are only kept in the DNS cache temporarily, not permanently. For how long? Exactly as long as the TTL (time-to-live) that you or your administrator set on the record.

This allows DNS queries to be answered faster and resources to be used efficiently: recursive servers only perform the lookups that are really necessary.

How does the DNS cache work?

Whenever a user requests a domain name, a DNS lookup is triggered. As a first step, the user’s device checks the DNS cache of its operating system (OS). That is a small database of DNS records together with their TTL values. As mentioned before, the TTL is set by the DNS administrator of the domain. If the TTL hasn’t expired, the requested records are served directly from there, and the domain loads very fast. If the TTL has expired, a new lookup is needed, and the whole process has to happen again, which takes extra time.

In that case a DNS recursive server takes the user’s request and asks other servers for the necessary DNS records. It asks a root server, which points it to the TLD server to query; that server in turn sends the recursive server to the authoritative name server, which finally provides the DNS data (records).

The data is sent to the user’s browser to load the domain. On the way, it is stored in the DNS cache of the recursive server and of the user’s device (computer, tablet or mobile), where it stays available for as long as its TTL allows.
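A minimal model of the cache described above, as an added Python example that is not part of the original article: entries expire according to their TTL, names are matched case-insensitively, and a fake clock stands in for real time so that the expiry can be shown without waiting. The authoritative data is constructed inside the script; there is no network lookup.

```python
class FakeClock:
    """Deterministic clock so that TTL expiry can be shown without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class DnsCache:
    """A TTL-bounded cache of DNS answers, as a stub resolver or recursive server keeps one."""

    def __init__(self, clock, max_ttl=86400):
        self._clock = clock
        self._max_ttl = max_ttl           # resolvers clamp absurd TTLs; one day is a common cap
        self._entries = {}                # (name, rtype) -> (rdata, expires_at)

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())   # names are case-insensitive

    def put(self, name, rtype, rdata, ttl):
        ttl = min(int(ttl), self._max_ttl)
        self._entries[self._key(name, rtype)] = (rdata, self._clock() + ttl)

    def get(self, name, rtype):
        """Return (rdata, remaining_ttl) or None; an expired entry is dropped, never served."""
        key = self._key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        rdata, expires_at = hit
        remaining = expires_at - self._clock()
        if remaining <= 0:
            del self._entries[key]
            return None
        return rdata, int(remaining)

    def flush(self):
        self._entries.clear()


# Constructed authoritative data standing in for the root -> TLD -> authoritative walk.
AUTHORITATIVE = {
    ("news.example.com", "A"): ("203.0.113.10", 300),    # rdata, TTL in seconds
    ("www.example.com", "A"): ("203.0.113.20", 3600),
}


class Resolver:
    """Answers from the cache when it can, otherwise does the full lookup and caches the result."""

    def __init__(self, cache, authoritative=AUTHORITATIVE):
        self.cache = cache
        self.authoritative = authoritative
        self.upstream_lookups = 0         # how many times we had to leave the cache

    def resolve(self, name, rtype="A"):
        cached = self.cache.get(name, rtype)
        if cached is not None:
            rdata, remaining = cached
            return rdata, remaining, "cache"
        self.upstream_lookups += 1
        entry = self.authoritative.get((name.lower().rstrip("."), rtype.upper()))
        if entry is None:
            return None, 0, "nxdomain"
        rdata, ttl = entry
        self.cache.put(name, rtype, rdata, ttl)
        return rdata, ttl, "authoritative"


def walk_through():
    """The news-site story from the text: first visit, a minute later, and after the TTL ran out."""
    clock = FakeClock()
    resolver = Resolver(DnsCache(clock))
    first = resolver.resolve("news.example.com")
    clock.advance(60)
    second = resolver.resolve("NEWS.example.com.")   # same name, different spelling
    clock.advance(300)
    third = resolver.resolve("news.example.com")
    return {
        "sources": [first[2], second[2], third[2]],
        "ttl_left_after_a_minute": second[1],
        "upstream_lookups": resolver.upstream_lookups,
    }


if __name__ == "__main__":
    print(walk_through())
```

The remaining TTL handed back on a cache hit is the detail that matters in practice: a recursive server passes the remaining time, not the original TTL, down to the client, so caches along the path all expire the entry at about the same moment.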

Conclusion.

The DNS cache is an efficient mechanism for making the DNS resolution process quicker and cheaper. It saves time, effort and resources for the network (the different servers involved) and for the user’s device.

Its utility is appreciated by everybody, including the dark side of the web: a poisoned cache entry serves a malicious address to every user who asks until its TTL expires. So don’t forget to protect it, for instance by validating DNSSEC signatures on the recursive server.

Basic DNS terms and definitions

No time to waste! Let’s see the basic DNS terms and DNS definitions that you must know to manage your domain well.

What is DNS?

DNS stands for Domain Name System. It is a global system that is decentralized and has a multi-level hierarchical structure that serves to connect domains to IP addresses. Thanks to it, people don’t need to remember IP addresses and can directly use domain names to connect to services.

What is a domain name?

A domain name is an identifier, a unique text string, for naming devices or services like Wikipedia.org. People can use it and remember it a lot easier than its IP address.

What is a DNS zone?

DNS zones are the administrative partitions of the DNS namespace. Each one is administered by a particular DNS administrator, which is what makes the whole system decentralised. A DNS zone and a domain are often treated as the same thing, but they are not exactly the same. A domain may be served by a single DNS zone, in which case there is no practical difference; but a domain can also be split into several zones (for example subdomains delegated to other name servers), and then they differ.

What is an IP address?

The IP address is the identifier that the Internet Protocol (IP) uses to name hosts on the Internet. An IPv4 address is four decimal numbers separated by dots; an IPv6 address is up to eight groups of hexadecimal digits separated by colons. Based on this address, devices can connect to each other and exchange data. There are two types of IP address currently in use: IPv4 addresses like 91.198.174.192 and IPv6 addresses like 2620:0:862:ed1a::1.

What is a DNS query?

The process of looking up the IP address (an A record or an AAAA record) or another DNS record of a domain is called a DNS query. A DNS client asks for the information it needs, its query is taken by a DNS recursive server, and the client receives the corresponding answer, or an error message in case of failure.

What is a DNS record?

DNS records are the entries that hold information about a domain. One domain can have multiple DNS records that describe different entities and settings of the domain. One could give its IP address, another a particular service such as the mail server, and so on.

The DNS records of a zone are stored in that zone’s zone file, a text file that each DNS zone has.

What types of DNS records exist?

  • A record – a domain to an IPv4.
  • AAAA record – a domain to an IPv6.
  • CAA record – lists the Certification Authorities allowed to issue certificates for the domain.
  • CNAME record – Links one name to another.
  • MX record – shows the email server for receiving emails for the domain.
  • NS record – shows the authoritative name server for the domain.
  • PTR record – IPv4 or IPv6 to a domain.
  • SOA record – indicates essential information about the zone. 
  • SRV record – shows the host and port of a service.
  • TXT record – various use, including domain authentication.

Those are the most popular types, and there are more.
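A parser for the zone-file format in which these records are stored, as an added Python example that is not part of the original article. It reads a constructed example.com zone file containing the record types listed above, expands relative names against $ORIGIN, applies the $TTL default, and answers a query the way an authoritative server would, following a CNAME. The zone contents are placeholders (documentation addresses).

```python
# Constructed zone file for example.com (documentation addresses), not a real zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA  ns1 hostmaster 2024010101 7200 900 1209600 300
@          IN NS   ns1
@          IN NS   ns2
@          IN A    203.0.113.10
@          IN AAAA 2001:db8::10
@     300  IN MX   10 mail
www        IN CNAME @
mail       IN A    203.0.113.25
ns1        IN A    203.0.113.1
ns2        IN A    203.0.113.2
_sip._tcp  IN SRV  10 60 5060 sip
@          IN TXT  "v=spf1 mx -all"
@          IN CAA  0 issue "letsencrypt.org"
"""

RECORD_TYPES = {"A", "AAAA", "CAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}


def qualify(name: str, origin: str) -> str:
    """Expand a relative owner or target name against $ORIGIN ('@' means the origin itself)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                        # already fully qualified
    return f"{name}.{origin}"


def parse_zone(text: str) -> list:
    """Parse the common single-line zone-file format into a list of record dicts."""
    origin, default_ttl, last_owner = "", 3600, None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # ';' starts a comment
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        # an owner is present only when the line does not start with whitespace
        owner = last_owner if raw[0].isspace() else fields.pop(0)
        ttl = default_ttl
        if fields and fields[0].isdigit():             # optional per-record TTL
            ttl = int(fields.pop(0))
        if fields and fields[0] == "IN":               # optional class
            fields.pop(0)
        rtype = fields.pop(0)
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type {rtype!r}")
        rdata = " ".join(fields)
        if rtype in ("CNAME", "NS", "PTR"):
            rdata = qualify(rdata, origin)
        elif rtype == "MX":
            preference, target = fields
            rdata = f"{preference} {qualify(target, origin)}"
        elif rtype == "SRV":
            priority, weight, port, target = fields
            rdata = f"{priority} {weight} {port} {qualify(target, origin)}"
        elif rtype == "SOA":
            fields[0], fields[1] = qualify(fields[0], origin), qualify(fields[1], origin)
            rdata = " ".join(fields)
        last_owner = owner
        records.append({"name": qualify(owner, origin), "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def lookup(records: list, name: str, rtype: str) -> list:
    """Answer a query the way an authoritative server does, following a CNAME if needed."""
    name = name.lower().rstrip(".") + "."
    direct = [r["rdata"] for r in records if r["name"].lower() == name and r["type"] == rtype]
    if direct or rtype == "CNAME":
        return direct
    for r in records:
        if r["name"].lower() == name and r["type"] == "CNAME":
            return lookup(records, r["rdata"], rtype)
    return []


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for r in zone:
        print(f'{r["name"]:28} {r["ttl"]:>5} IN {r["type"]:5} {r["rdata"]}')
    print("www A  ->", lookup(zone, "www.example.com", "A"))
    print("@   MX ->", lookup(zone, "example.com", "MX"))
```

The parser deliberately handles only the single-line form (no multi-line SOA in parentheses); the point is the name expansion and TTL inheritance, which are where hand-edited zone files most often go wrong.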

What types of DNS servers exist?

You can separate two basic types of DNS servers – authoritative name servers and recursive name servers.

The authoritative name servers hold the zone file of a particular zone and can answer queries for it. This category includes the authoritative name servers of each particular domain like Wikipedia.org, the TLD servers (for .org, .com, etc.) and the root servers (the highest level of the hierarchy).

Recursive name servers take the DNS query from a DNS client and search for its answer by asking different servers until they receive one. They are the middlemen between the DNS client and the authoritative name servers.