Options dialog - DNS - Miscellaneous
(Main window -> Options button -> DNS / Miscellaneous section)

Simple DNS Plus v. 5.2
Copyright © 1999-2011 JH Software ApS
Enable Round Robin (rotate DNS records in responses)
When this option is enabled and multiple records of the same type are defined for the same name, Simple DNS Plus automatically rotates these records in responses (See Round Robin).
 
Synthesize empty reverse zones for standard private IP address ranges
This prevents leakage of reverse DNS requests for private IP addresses.
For details see draft-ietf-dnsop-default-local-zones
 
Send NOTIFY requests to secondary servers when a primary zone is updated
Enables faster synchronization of zone changes to secondary DNS servers.
Not supported by older DNS server software.
 
Keep the root server list (a.k.a. "hints file") updated automatically
With this option enabled, Simple DNS Plus will automatically check for root server updates.
You may want to disable this if you are using an alternate root or if your server is only used for intranet purposes.
 
Enable EDNS0. EDNS0 payload size
The original DNS specification limits DNS request and response packets over UDP to 512 bytes (payload).
As DNS servers need to send more data (for example, as the larger IPv6 addresses are added to TLD DNS servers etc.), this limitation causes truncation, and DNS servers have to switch to the much less efficient TCP protocol.
However, most networks and Internet connections today support much larger UDP packets.
With this option enabled, Simple DNS Plus will indicate to other DNS servers that it is able to send and receive larger packets over UDP, and it sends larger response packets over UDP to other DNS servers that have indicated that they support it.
A value of 1280 is a good starting point for most setups, as this payload size fits within the standard Ethernet packet size.
In many cases values of 4096 and higher will also be fine depending on network, routers, etc.
 
Test EDNS0 at startup to ensure that this is supported by local firewalls
Older Cisco PIX firewalls and other firewall products are known to drop DNS packets with EDNS0.
If you experience this problem please contact your firewall vendor to get a firmware update.
When this option is enabled, Simple DNS Plus will send some test EDNS0 packets at startup. If it determines that EDNS0 is not supported, it will log a warning (and Windows Event if enabled), and will then continue without EDNS0.
 
Respond to BIND version requests
Since many Internet DNS servers are running some version of BIND (mainly a Unix/Linux DNS server), hackers often initiate an attack by sending a special request for the BIND software version number. They can then compare the response with a list of known vulnerabilities for that particular version of the BIND software and launch the actual attack.
With this option enabled, Simple DNS Plus will respond to such BIND version requests with a text of your choice.
When this option is not enabled, Simple DNS Plus will respond to BIND version requests with a "not implemented" error message.
A warning is always logged for BIND version requests.
 
Limit client caching time (adjust TTLs in responses to recursive requests)
Recent Windows versions have a "DNS Client" service (enabled by default) which caches DNS records locally. Other operating systems have similar features.
This option can be used to limit the time that client computers/devices cache the DNS records provided by Simple DNS Plus by setting a maximum TTL (time to live) value for DNS records in responses to these clients.
This is independent of the length of time that Simple DNS Plus might itself cache the same DNS records (see Options dialog / DNS / Resolver / Caching section). It only takes effect for clients requesting recursion (not other DNS servers), and only for clients with IP addresses in the "Perform recursion for" list (see Options dialog / DNS / Resolver Recursion section).
Limiting client caching time is useful when you want to be able to enforce quick updates - for example when using black/white-lists that are frequently updated, or plug-ins that might take effect at different times.
NOTE: Microsoft Internet Explorer also caches DNS records (independent of the "DNS Client" service) for 30 minutes no matter what TTL is used. So updates may take up to 30 minutes unless the user restarts I.E. Other browsers also cache DNS records, but typically for a shorter time.
 
Ignore all DNS requests for <root> (no response, no logging)
This option was implemented to deal with a specific DNS amplification attack which was rampant in early 2009.
The attacker would send requests for the DNS root from a spoofed IP address of the victim, so that DNS servers would respond with a relatively large DNS packet listing all the root DNS servers and thereby flood the victim.
Other features are available to deal with such attacks, including the Lame Requests settings and the Ignore DNS Request plug-in, but this feature filters out these specific packets at an earlier point in the process, reducing CPU usage and preventing logging.
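
The BIND version and <root> request options above both depend on the question section of an incoming query, and the EDNS0 option on the payload size the sender advertises. The following is an added example for log or capture analysis, not Simple DNS Plus code: the function names and sample packets are constructed, and it assumes the conventional form of the BIND version request (version.bind, class CH, type TXT).

```python
import struct

CLASS_CH, TYPE_TXT, TYPE_OPT = 3, 16, 41

def read_name(pkt, off):
    """Decode an uncompressed name; returns (name, next_offset)."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        off += 1
        if n == 0:
            return (".".join(labels).lower() or "."), off
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n

def parse_query(pkt):
    """Return (qname, qtype, qclass, udp_size) for a single-question query."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    qname, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack("!2H", pkt[off:off + 4])
    off += 4
    udp_size = 512                      # original limit when no OPT record is present
    for _ in range(an + ns + ar):
        _name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:           # EDNS0: the CLASS field carries the payload size
            udp_size = max(512, rclass)  # values below 512 are treated as 512
    return qname, qtype, qclass, udp_size

def classify(pkt):
    """Label a query 'bind-version', 'root', 'other' or 'malformed'."""
    try:
        qname, qtype, qclass, udp_size = parse_query(pkt)
    except (ValueError, IndexError, struct.error):
        return "malformed", 0
    if (qname, qtype, qclass) == ("version.bind", TYPE_TXT, CLASS_CH):
        return "bind-version", udp_size
    return ("root" if qname == "." else "other"), udp_size

# Constructed sample queries (not captured traffic); header: id, RD flag, QDCOUNT=1.
def hdr(arcount):
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, arcount)
Q_VERSION = hdr(0) + b"\x07version\x04bind\x00" + struct.pack("!2H", 16, 3)
Q_ROOT_EDNS = (hdr(1) + b"\x00" + struct.pack("!2H", 2, 1)           # <root> NS IN
               + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))     # OPT, size 4096
```

classify(Q_ROOT_EDNS) reports a <root> request whose sender accepts UDP responses of up to 4096 bytes, the combination that makes the root server list a large reply to a small query.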