Simple DNS Plus News

Simple DNS Plus v. 5.2 build 117 released / Problem resolving WebMD.com

Fri, 09 Jul 2010 14:12:00 GMT

Simple DNS Plus v. 5.2 build 117 is now available at http://www.simpledns.com/download.aspx
For more details on the updates and changes in this build, please see release notes.

Over the last few days, several users have reported not being able to resolve www.webmd.com.
The problem is an erroneous response (details below) from the DNS servers hosting the domain name.
We have contacted WebMD.com and their DNS provider (UltraDNS) about this and anticipate that they will fix the problem shortly.
However since WebMD.com is a very popular web-site (and UltraDNS is one of the larger DNS providers), we felt it was best to provide a quick workaround with above update to Simple DNS Plus.

When we do a lookup for www.webmd.com against one of the authoritative DNS servers (for example "pdns1.ultradns.net"), we get a response with a CNAME-record (alias) pointing to www.phx1.webmd.com and a SOA-record in the authority section:

The standard (RFC) interpretation of this SOA-record is that no records exist for the current name (www.phx1.webmd.com) and the requested record type (A) - a so called "NO DATA" response.
Therefore previous builds of Simple DNS Plus naturally stopped the resolving process here - no need to do anything more since we know the final answer (no data).

However if we do another DNS lookup for www.phx1.webmd.com against the same DNS server, we get a surprising response - now all of a sudden there IS an A-record for this name:

This is an error in the configuration or operation of the DNS servers hosting www.webmd.com, and we obviously recommend that they get this fixed as quickly as possible.

In this new build of Simple DNS Plus, we have made an exception for this very specific situation:
For responses received containing a CNAME-record in the Answer section, a "NODATA" SOA-record in Authority section is now ignored, and the CNAME alias is attempted resolved in a new outbound request.
This immediately makes it possible for Simple DNS Plus to resolve www.webmd.com and any other domain with the same problem.
The trade off is that this will also cause a few more outbound requests in certain situations. These extra requests would normally not be necessary, but it does make Simple DNS Plus more resilient against this type of problem.

Windows Server 2008 R2 Active Directory "Bad DNS Packet" error

Wed, 23 Dec 2009 20:26:00 GMT

There is a bug in Windows Server 2008 R2 causing a "Bad DNS Packet" error when you try to setup (or promote) Active Directory using Simple DNS Plus and other non-MS DNS servers.

The problem is described in MS KB 977158 - see http://support.microsoft.com/kb/977158/EN-US

The solution is to install the mentioned Windows hotfix.
However the MS KB article only links to the IA64 version of the hotfix - not the X64 version which most people need.
You can get a copy of the X64 version from http://www.simpledns.com/outbox/KB977158-x64.zip

Note that this hotfix will likely be included in a future automatic Windows update and/or a service pack.
So this temporary solution will only be necessary until then.

For more information on using Simple DNS Plus with Active Directory, see http://www.simpledns.com/kb.aspx?kbid=1049

Expiration of support for Simple DNS Plus v. 4.00

Thu, 17 Dec 2009 13:16:00 GMT

Note that from January 17th 2010 we will no longer provide support for Simple DNS Plus v. 4.00 (or earlier versions).

As per our Support Life-Cycle Policy, a Simple DNS Plus version is supported for 3 years after it is first released, and for 2 years after we stop selling it (whichever comes last).
V. 4.00 was originally released on April 10th 2005, and we stopped selling it on January 17th 2008 when v. 5.0 was released.

We encourage users of v. 4.00 and earlier version to upgrade to the current v. 5.2.
For details on all the new features and other improvements see:
v. 5.0: http://www.simpledns.com/kb.aspx?kbid=1215
v. 5.1: http://www.simpledns.com/kb.aspx?kbid=1246
v .5.2: http://www.simpledns.com/kb.aspx?kbid=1265

Simple DNS Plus v. 5.2 build 116 / v. 5.1 build 138 released

Thu, 10 Dec 2009 23:57:00 GMT

Simple DNS Plus v. 5.2 build 116 is now available at http://www.simpledns.com/download.aspx
For details on the updates and changes in this build, please see release notes.

Simple DNS Plus v. 5.1 build 138 is now available at http://www.simpledns.com/download-oldver.aspx
For details on the updates and changes in this build, please see release notes.

These are NOT a critical updates. We do recommend that all users update to these builds, but there is no urgency unless you are directly affected by the issues addressed by the updates.

Update to the Simple DNS Plus API for .NET and COM

Fri, 30 Oct 2009 17:39:00 GMT

We have just released version 1.1 build 4 of the Simple DNS Plus API for .NET and COM.

Updates in this build:

Update: Uses Simple DNS Plus v. 5.2 code base (various optimizations and bug fixes).
Update: Setting Zone.DefaultTTL value now updates TTL value of all records which had the old default TTL value.
Update: Record TTL values now automatically synchronized in RRSet (records with same name / type) when adding new records.
Fixed: Setting DNSZone.AllowZoneTransfer property was not always saved correctly.

Version 1.1 build 4 is now available for download:
sdnsapi-setup.exe (720 KB)

If you have a previous version/build installed, simply run above installation file to upgrade.

For more information about the Simple DNS Plus API for .NET and COM, see the on-line documentation at http://www.simpledns.com/help/api/

Freeware DNS Client Library for .NET

Thu, 29 Oct 2009 11:55:00 GMT

We have just released "JH Software's DNS Client Library for .NET".

This can be used to perform simple as well as advanced DNS lookups from any .NET code (.NET v. 2.0 or later).

For details and download see http://www.simpledns.com/dns-client-lib.aspx

SPF checking HELO/EHLO host names

Fri, 16 Oct 2009 12:30:00 GMT

It has come to our attention that more e-mail servers are now performing SPF checks on the SMTP session HELO/EHLO greeting host name (in addition to checking the domain name part of the sender's e-mail address).

Therefore always make sure that your e-mail server is configured to use a correct host name (like "mail.example.com") in the HELO/EHLO greeting, and that an A- and/or AAAA-record exists for this host name in DNS.

Also, when using the "Automatic SPF" feature in Simple DNS Plus, make sure that the automatic SPF-record data is also valid for the HELO/EHLO host name, or define a specific SPF-record for the HELO/EHLO name in the zone where this belongs (this will override the automatic SPF record).

Note that the default automatic SPF record data "v=spf1 mx -all" will fail such a test if no MX-record exists for your HELO/EHLO name.
For example, if your domain name is "example.com" and your mail server is named "mail.example.com" (and uses this in HELO/EHLO greetings), you would probably only have an MX-record for "example.com" - not for "mail.example.com", and therefore "v=spf1 mx -all" fails to validate "mail.example.com".
Instead you could use "v=spf1 ip4:1.2.3.4 -all" (where 1.2.3.4 is the IP address of your mail server), which would work for both types of tests.

For more information about SPF in Simple DNS Plus, see KB1148.

New "Clone Response" plug-in

Thu, 20 Aug 2009 14:06:00 GMT

This new plug-in provides DNS responses by cloning the DNS records from responses to requests for another specified domain name.
This is an easy way to host many domain names that have the exact same records (except for their zone names).

For more details see KB1289.

Download cloneresponse-plugin.zip (9 KB) and un-zip it to the "plugins" sub-directory under the directory where Simple DNS Plus is installed. After this the plug-in will be available in the Simple DNS Plus Options dialog / Plug-Ins section.

Note that this plug-in requires an "unlimted zones" license and works with Simple DNS Plus v. 5.2 build 111 and later only.

New "TCP Port Forwarder" plug-in

Tue, 18 Aug 2009 11:47:00 GMT

This new plug-in provides simple TCP port forwarding.

If the Simple DNS Plus computer is connected to both the Internet and to a private network (LAN), this can be used to forward connections from the Internet to a computer on the LAN. For example mapping remote desktop connections (port 3389).

For more details see KB1288.

Download tcpforward-plugin.zip (18 KB) and un-zip it to the "plugins" sub-directory under the directory where Simple DNS Plus is installed. After this the plug-in will be available in the Simple DNS Plus Options dialog / Plug-Ins section.

Note that this plug-in works with Simple DNS Plus v. 5.2 and later only.

Updated "Remote DNS Look Up" function

Sun, 05 Jul 2009 15:18:00 GMT

Our on-line Remote DNS Look Up function has been updated to much closer match the features of the GUI based DNS Look Up tool that comes with Simple DNS Plus.

It now supports a long list of additional record types, it supports EDNS0 options including payload size and DNSSEC, and it supports displaying native characters in IDNs in the repose output.

The output is formatted the same way as in the GUI tool - in fact the on-line and GUI tools now shared much of their program code (both .NET based).

And finally the on-line function is now AJAX based for a smoother experience.

GeoDNS plug-in for Simple DNS Plus

Mon, 22 Jun 2009 08:30:00 GMT

This new plug-in provides a different DNS response depending on what country a DNS request originates from. This can be used to direct Internet traffic (web, FTP, streaming media, etc.) to a server geographically closer to the end-user, or with contents specific for a geographical area.

This is exactly the same that large web-sites such as Google.com and CNN.com do, and what companies like Akamai charge a lot of money to provide.
Now this functionality is available as a free plug-in for Simple DNS Plus.

For more details see KB1284.

Download geodns-plugin.zip (31 KB) and un-zip it to the "plugins" sub-directory under the directory where Simple DNS Plus is installed. After this the plug-in will be available in the Simple DNS Plus Options dialog / Plug-Ins section.

Note that this plug-in works with Simple DNS Plus v. 5.2 and later only.

Simple DNS Plus v. 5.2.105 / 5.1.136 / 5.0.125 released

Thu, 21 May 2009 10:56:00 GMT

Simple DNS Plus v. 5.2 build 105 is now available at http://www.simpledns.com/download.aspx
For details on the updates and changes in this build, please see release notes.

Simple DNS Plus v. 5.1 build 136 is now available at http://www.simpledns.com/download-oldver.aspx
For details on the updates and changes in this build, please see release notes.

Simple DNS Plus v. 5.0 build 125 is now available at http://www.simpledns.com/download-oldver.aspx
For details on the updates and changes in this build, please see release notes.

These are NOT a critical updates. We do recommend that all users update to these builds, but there is no urgency unless you are directly affected by the issues addressed by the updates.

DNS Blacklist Editor v. 1.0 build 4 released

Mon, 18 May 2009 11:16:00 GMT

When compiling lists for the Simple DNS Plus DNSBL plug-in, a bug related to exclusions caused some IP address ranges to be listed which should not be.

The new build of the editor is now available from http://www.simpledns.com/dnsbl-editor.aspx
This build is now also included with the DNSBL plug-in download.

Simple DNS Plus logs in W3C Extended format

Mon, 04 May 2009 13:49:00 GMT

A new command line tool which converts Simple DNS Plus raw request log files (.sdraw files) into the standard W3C Extended log file format (as typically produced by IIS, Apache, and other web-servers) is now available.

Note that DNS request (and the .sdraw log files) do not contain HTTP header information such as referrers, browser info, full URLs, etc. So while you can process the resulting W3C log files with various web-log analyzer programs, this does not replace web-logs.
Rather it provides a different perspective on traffic data.
Data columns shared with web-server logs are "date", "time", "c-ip" and "cs-host". Additional "x-" columns contain more details about individual DNS requests.

Click here to download "sdraw-w3c.zip" (35 KB)

The zip file above contains both the compiled "sdraw-w3c.exe" file as well as the C# source code (VS2008).
This is a very small and simple program so if you want to add some type of filtering (only output some requests) or build on this functionality, it is easy to do so.

The command line syntax is:
sdraw-w3c.exe <log-date> <raw-log-file> <w3c-log-file>

Raw request log files are enabled in the Simple DNS Plus Options dialog / Logging / Log Files section.

Thanks to "Fulgan" for suggesting this in our community forum.

Simple DNS Plus v. 5.2 released

Thu, 23 Apr 2009 13:18:00 GMT

Some of the new features in Simple DNS Plus v. 5.2 are:

- Remote Management
- Runs on Windows "Server Core"
- DNSSEC
- Secure Zone Transfers
- Check Internet Delegations wizard
- Windows Performance Counters
- And much more...

See all the details at http://www.simpledns.com/kb.aspx?kbid=1265

IMPORTANT: Version 5.2 may or may not be a free upgrade depending on when you purchased your license or last purchased an upgrade.
If you purchased your license or your last upgrade on or after April 23rd 2008, then the upgrade to v. 5.2 is free.
Otherwise you will need to purchase an upgrade - see http://www.simpledns.com/upgrade.aspx

V. 5.2 is now available for download at http://www.simpledns.com/download.aspx
Please read the important upgrade instructions on the same page.

Simple DNS Plus v. 5.1 build 135 released

Wed, 22 Apr 2009 09:57:00 GMT

Simple DNS Plus v. 5.1 build 135 is now available at http://www.simpledns.com/download.aspx

For details on the updates and changes in this build, please see release notes.

This is NOT a critical update. We do recommend that all users update to this build, but there is no urgency unless you are directly affected by the issues addressed by this update.

Secure zone transfers in Simple DNS Plus v. 5.2

Tue, 17 Mar 2009 20:38:00 GMT

The upcoming Simple DNS Plus v. 5.2 supports secure zone transfer (TSIG authenticated).
Both zone transfer requests and responses are authenticated, so this provides protection in two ways; it prevents unauthorized transfers (only people / servers with the correct key can transfer), and it ensures data integrity on secondary servers (not possible to spoof / inject false data during transfers).

In the Zone Properties dialog, you can now specify the TSIG key(s) which are allowed to transfer the zone:

For each key, you specify a key name, signing algorithm, and a secret:

For secondary zones, you can now specify the key to sign zone transfer requests with:

In the Options dialog / DNS / Local Zones / Zone Transfers section, it is now also possible to specify keys which are allowed to transfer all zones:

And in the Options dialog / DNS / Local Zones / Super Master/Slave section, it is now possible to allow / disallow un-signed zone transfer requests from slave server - and to specify keys for master servers:

Adding / editing a master server:

This new feature is available in Simple DNS Plus v. 5.2 BETA build 25 and later - now available at http://www.simpledns.com/beta.aspx

For other updates in this BETA build, please see the beta release notes

New build of the Simple DNS Plus API for .NET and COM

Wed, 04 Mar 2009 12:45:00 GMT

The Simple DNS Plus API for .NET and COM version 1.1 build 3 is now available for download from http://www.simpledns.com/addons.aspx

The purpose of this build is to fix some .NET compatibility issues on computers with .NET Framework 3.5 installed.
This build does not contain any changes to the API functions.

Simple DNS Plus on Windows "Server Core"

Tue, 17 Feb 2009 18:12:00 GMT

The upcoming Simple DNS Plus v. 5.2 also runs on Windows "Server Core".
For details see KB1278.

To download the current beta and for more information about beta testing see http://www.simpledns.com/beta.aspx

Remote manage Simple DNS Plus

Sun, 15 Feb 2009 18:07:00 GMT

The upcoming Simple DNS Plus v. 5.2 supports remote management, so that you can use the normal Simple DNS Plus user interface on a remote computer. This is much faster and uses much less bandwidth compared to accessing a remote server via Remote Desktop, VNC, or similar.
Traffic between the server and the remote GUI is highly optimized and secure. Authentication uses SHA-1 challenge/response to prevent password sniffing, all data transferred is encrypted, and larger data chunks (such as zone files) are compressed.

A new "Remote Management" section has been added to the Options dialog where you can enable/disable remote management, and specify IP address, port, and password:

A new "Remote Management" shortcut is added to the Windows Start menu - used to manage remote servers:

- which opens a "Connect to..." dialog:

It is possible to create desktop shortcuts pre-filled with the remote computer and password - details.

When connected to a remote Simple DNS Plus server, the window title (main and "DNS Records" windows) will indicate that this is a remote session:

During program installation (custom) it is now possible to exclude the service module (Core Service) for installations on remote desktops:

The remote management feature is available in Simple DNS Plus v. 5.2 BETA build 10 and later.
To download and for more information about beta testing see http://www.simpledns.com/beta.aspx

For other updates in v. 5.2 BETA build 10, please see the BETA release notes.

DNSSEC signed .gov

Thu, 05 Feb 2009 13:28:00 GMT

Today the .gov top level domain (U.S. government) was DNSSEC signed.
As per OMB Memo 08-23, all U.S. government agencies must DNSSEC sign their DNS zones (ending with .gov) before the end of 2009.

Federal agencies using Simple DNS Plus will be able to DNSSEC sign their zones in the upcoming Simple DNS Plus v. 5.2 (beta version available now). For details see:
- How to DNSSEC sign a zone with Simple DNS Plus
- Managing DNSSEC keys with Simple DNS Plus

Using the DNS Look Up tool in Simple DNS Plus 5.2, we can see that the ".gov" zone was indeed signed on February 5th 2009 at 12:01:02 PM (UTC):

And using the Check DNSSEC Signatures tool (free download), we can verify that the .gov zone's records are signed correctly:

Option in Simple DNS Plus to ignore root requests

Sat, 31 Jan 2009 13:48:00 GMT

Because of continued reports about DNS amplification / DDoS attacks (DNS requests for NS-records for <root> from spoofed IP addresses), we have added a new option in Simple DNS Plus to make it easy to deal with these requests and keep them out of the log.

In the Simple DNS Plus Options dialog / DNS / Miscellanuous section, there is now a new "Ignore all DNS requests for <root>" option:

And the statistics (available through the HTTP API) has a new counter for this:

This new option is in Simple DNS Plus v. 5.1 build 128 now available at http://www.simpledns.com/download.aspx

Please note that this only works against a very specific type of attack - which has been rampant for the last two weeks or so. It may become useless very quickly if the attackers change their tatics, but at least it should help right now.

IMPORTANT: When registering new domain names, some registrars require that your DNS server responds with a correct list of DNS root servers as part of their tests, so you may need to temporarily switch this option off when doing this.

DNSSEC in Simple DNS Plus v. 5.2

Sun, 25 Jan 2009 19:36:00 GMT

The upcoming Simple DNS Plus v. 5.2 supports hosting DNSSEC signed zones and has built-in functions for managing DNSSEC keys and for signing zones - all in a user friendly GUI of course.

What is DNSSEC?

Similar to digital signatures for e-mails, DNSSEC authenticates that a set of DNS records originate from an authorized sender (DNS server) using private/public key cryptography.
The main purpose of this is to protect DNS against falsified information (a.k.a. DNS spoofing).
DNSSEC does NOT encrypt or hide anything - all data is still in "clear text". Its only purpose is verification of data authenticity.
Learn more at http://www.dnssec.net/

Why now?

DNSSEC has been under way for more than a decade, and has been the subject of many changes and much controversy over the years. We have resisted implementing it in Simple DNS Plus until now for a number of reasons, but decided that it is finally time because:
1) Increased user demand - no doubt due to the Kaminsky bug with media coverage pointing mainly to DNSSEC as the long term solution.
2) DNSSEC protocol standards are finally in place and appear stable (RFC4033/4/5 and 5155).
3) The U.S. government recently mandated that all federal agencies must implement DNSSEC by the end of 2009 (OMB Memo 08-23).
4) Several countries have DNSSEC signed their TLDs including Brazil (.br), Bulgaria (.bg), Czech Republic (.cz), Puerto Rico (.pr) and Sweden (.se). World DNSSEC deployment map
5) Efforts to "sign the root" seem to be gaining some momentum.
6) Microsoft has announced that "Windows 7" will support DNSSEC, meaning that DNSSEC will be broadly available on client systems in a not so distant future.

Can DNSSEC be used today?

A significant obstacle for DNSSEC is that the Internet DNS root is not signed yet. This is stuck in international politics (has been for years), because this is ultimately about who gets to hold the "master key" to the entire Internet.
Until this happens, clients need to maintain a list of "trust anchors" for domains they want to verify.
But yes, DNSSEC can be used today within organizations (local "trust anchors") and for domains under the signed country TLDs mentioned above.
Practical uses are however still few because of limited client software support. Of course "Windows 7" may change this.

Who issues DNSSEC "certificates"?

You do!
While based on the same cryptography standards as SSL and e-mail signatures (RSA / DSA / SHA1), there is no 3rd party certification authorities involved with DNSSEC.
A new function in Simple DNS Plus v. 5.2 lets you create your own private/public key sets and sign your zones with these.
In order to establish a "link of trust" so that other Internet users can verify your keys and signatures, you create a delegation signature record (DS) which needs to be included and "counter signed" in the parent zone. For example if your domain name is "example.se", this DS-record needs to be added to the ".se" zone. The exact procedure for "uploading" this DS-record depends on your parent zone / TLD operator, and/or your domain name registrar.

What will DNSSEC look like in my DNS zones?

DNSSEC signing a zone adds the following records to the zone (may increase zone size by 4-5 times):
- DNSKEY-records: public keys.
- RRSIG-records: record set signatures.
- NSEC/NSEC3/NSEC3PARAM-records: denial-of-existence "fillers" for non-existing record names/types.
- DS-records: delegation signatures for secure sub-delegations.

Availability

The new DNSSEC functionality is part of the upcoming Simple DNS Plus v. 5.2.
For more information about Simple DNS Plus v. 5.2 and to download the current beta version, click here.

Root query DNS amplification / DDoS attack

Tue, 20 Jan 2009 12:57:00 GMT

Added January 31th 2009:
We have just added a new option in Simple DNS Plus to ignore root requests (and not log them) - click here for details.
Hopefully this will make it easier to deal with this attack.

Added January 30th 2009:
We do NOT recommend blocking the sender's IP address on your firewall, with IPSec, or anything else at the IP address level - that is exactly what the attacker wants you to do (we are seeing an alarming number of suggestion on how to do that).
By blocking the apparent sender IP addresses, you are really blocking the victim rather than the attacker - because the sender IP address is spoofed as the victim's.
The aim of the attack is twofold: (1) overload the victim's Internet connection with large DNS responses , and (2) make everybody firewall the victim, so he can't use his connection even after the attack.
The best way to counter this attack is by refusing or ignoring lame DNS requests as described below.

Over the past few days several users have reported receiving a slow stream of DNS requests for the DNS root (.) from unknown IP addresses.
One alert user pointed out that this is also being reported at http://isc.sans.org/diary.html?storyid=5713

Other than taking up some extra log space, this is not really a problem for the local Simple DNS Plus server or site.
It may however be an indication that someone is using your DNS server as part of a so-called DNS amplification attack against a third party - the owner of the IP address that the DNS requests appear to originate from.
By sending a DNS request from a spoofed IP address, an attacker can trick your DNS server into sending a relatively large response (all the root records) to the victim.

We recommend that you prevent this by limiting recursion to your own IP addresses, and refuse or ignore lame requests:

In the Options dialog / DNS / Recursion section, either turn off recursion completely if you don't need it, or limit it. Do not use the "For everyone" option:

And in the Lame Requests section, select either "Respond with a Refused error message" or "Do not respond":

IMPORTANT: When registering new domain names, some registrars require that your DNS server responds with a correct list of DNS root servers as part of their tests (thus the default setting), so you may need to temporarily switch back when doing this.

As described above, we recommend using the Lame Requests options to counter this type of attack in general.
If this particular attack is continuously hitting your server, you will do the victim a favor using the "Do not respond" option. When no longer under attack, you can switch to the "Respond with Refused error message" option which still ensures that your server is not "interesting" as a waypoint for this type of attack - since it won't amplify traffic.

Remote zone/record editor from HostsTools.com

Mon, 29 Dec 2008 15:10:00 GMT

Hosts Tools have just published a remote zone/record editor for Simple DNS Plus.

For details see http://www.hoststools.com/index.php/other-software/simpledns-client/

Make sure to also check out the rest of their web-site for many other useful hosting tools.