Simple DNS Plus

What's New

See also: New Features and Release Notes.


10 Aug 2010 - New reports of DNS amplification / DDoS attacks

Over the past few days, a number of Simple DNS Plus users have reported that they are receiving a lot of incoming DNS requests for <root> and/or various unknown domain names - typically originating from a limited number of IP addresses. We have also noticed reports of this with other DNS servers on various forums etc.

If you see something similar, this may be an indication that someone is abusing your DNS server as part of a so-called DNS amplification attack against a third party - the owner of the IP address that the DNS requests appear to originate from.
By sending a DNS request from a spoofed IP address, the attacker attempts to trick your DNS server into sending a DNS response packet to the victim and thereby become part of a DDoS attack. Typically the request is designed to trigger a response packet which is larger than the original request packet - thus the amplification.

We do NOT recommend blocking the sender's IP address on your firewall, with IPSec, or anything else at the IP address level - that is exactly what the attacker wants you to do! By blocking the apparent sender IP addresses, you are really blocking the victim rather than the attacker - because the sender IP address is spoofed as the victim's.
The aim of the attack is twofold: (1) overload the victim's Internet connection with large DNS responses, and (2) make everybody firewall the victim, so he can't use his connection even after the attack.

The best way to counter this type of attack is to make your DNS server unattractive as a "way-point". You do this by configuring Simple DNS Plus to either ignore or refuse lame requests.

First, in the Options dialog / DNS / Resolver / Recursion section, either turn off recursion completely if you don't need it, or limit it to your own IP address range(s).

Then, in the Lame Requests section, select either "Respond with a Refused error message" or "Do not respond".

Generally we recommend using the "Refused" option, as this makes it easier to troubleshoot other DNS issues. However, if this attack is continuously hitting your server, you will do the victim a favor by using the "Do not respond" option. When no longer under attack, you can switch to the "Refused" option, which still ensures that your server is not attractive as a way-point for this type of attack, since it won't amplify traffic.

If the requests are mostly for <root>, another way to deal with this traffic, and keep it out of the log at the same time, is the "Ignore all DNS requests for <root>" feature found in the Miscellaneous section.
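The request handling described in the steps above can be modeled as follows. This is an added example, not Simple DNS Plus code: the setting names, the zone, the IP ranges and the sample requests are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical settings mirroring the options described above.
LOCAL_ZONES = {"example.com."}                              # zones hosted here
RECURSION_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]  # own IP range(s)
LAME_ACTION = "REFUSED"                                     # or "DROP" (do not respond)
IGNORE_ROOT = True                                          # ignore requests for <root>

def decide(src, qname):
    """Return ANSWER, RECURSE, REFUSED or DROP for one incoming request."""
    if qname == "." and IGNORE_ROOT:
        return "DROP"                    # all <root> requests are silently ignored
    if any(qname == z or qname.endswith("." + z) for z in LOCAL_ZONES):
        return "ANSWER"                  # authoritative data, any client
    if any(ipaddress.ip_address(src) in net for net in RECURSION_ALLOWED):
        return "RECURSE"                 # own clients may use recursion
    return LAME_ACTION                   # lame request: small or no response

def lame_sources(requests, threshold=3):
    """Apparent senders of repeated lame requests. These addresses are most
    likely spoofed, so they identify the victim: do not block them."""
    hits = Counter(src for src, qname in requests
                   if decide(src, qname) in ("REFUSED", "DROP"))
    return sorted(src for src, n in hits.items() if n >= threshold)

# Constructed sample of (apparent source IP, query name) pairs.
SAMPLE = [
    ("203.0.113.7", "."), ("203.0.113.7", "."), ("203.0.113.7", "unknown.test."),
    ("203.0.113.7", "."), ("198.51.100.20", "www.example.com."),
    ("192.0.2.15", "www.simpledns.com."), ("198.51.100.99", "other.test."),
]

if __name__ == "__main__":
    for src, qname in SAMPLE:
        print(f"{src:15} {qname:20} -> {decide(src, qname)}")
    print("probable spoofed victims:", lame_sources(SAMPLE))
```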


31 Jul 2010 - Simple Failover v. 2.0

We are working on the next major version of Simple Failover, and we would like to hear your feedback on the planned new features. There is also still time for adding more new features if you have a good idea.
 
See the list of new features at http://www.simplefailover.com/kb.aspx?kbid=1298

Simple Failover is a software product which continuously monitors your servers (any networked device/service) to see which are up and which are down, and then dynamically updates your DNS records accordingly so that your domain name always points to a functional server. Additionally it can notify you of any encountered problems.

This upcoming v. 2.0 will of course be covered by our one year free upgrade protection.  If you purchase a license for the current Simple Failover version today, you will receive a free upgrade to v. 2.0 when this is released.

Please e-mail us your thoughts and ideas, or post below, or in the all new community forums.
We look forward to hearing from you.


09 Jul 2010 - Simple DNS Plus v. 5.2 build 117 released / Problem resolving WebMD.com

Simple DNS Plus v. 5.2 build 117 is now available at http://www.simpledns.com/download.aspx
For more details on the updates and changes in this build, please see release notes.

Over the last few days, several users have reported not being able to resolve www.webmd.com.
The problem is an erroneous response (details below) from the DNS servers hosting the domain name.
We have contacted WebMD.com and their DNS provider (UltraDNS) about this and anticipate that they will fix the problem shortly.
However, since WebMD.com is a very popular web-site (and UltraDNS is one of the larger DNS providers), we felt it was best to provide a quick workaround with the above update to Simple DNS Plus.

When we do a lookup for www.webmd.com against one of the authoritative DNS servers (for example "pdns1.ultradns.net"), we get a response with a CNAME-record (alias) pointing to www.phx1.webmd.com and a SOA-record in the authority section.



The standard (RFC) interpretation of this SOA-record is that no records exist for the current name (www.phx1.webmd.com) and the requested record type (A) - a so-called "NO DATA" response.
Therefore previous builds of Simple DNS Plus naturally stopped the resolving process here - there was no need to do anything more since the final answer (no data) was already known.

However, if we do another DNS lookup for www.phx1.webmd.com against the same DNS server, we get a surprising response - now all of a sudden there IS an A-record for this name.



This is an error in the configuration or operation of the DNS servers hosting www.webmd.com, and we obviously recommend that they get this fixed as quickly as possible.

In this new build of Simple DNS Plus, we have made an exception for this very specific situation:
For received responses containing a CNAME-record in the Answer section, a "NODATA" SOA-record in the Authority section is now ignored, and an attempt is made to resolve the CNAME alias in a new outbound request.
This immediately makes it possible for Simple DNS Plus to resolve www.webmd.com and any other domain with the same problem.
The trade-off is that this will also cause a few more outbound requests in certain situations. These extra requests would normally not be necessary, but they do make Simple DNS Plus more resilient against this type of problem.
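The difference between the strict interpretation and the new exception, as an added example that is not Simple DNS Plus code. The server responses are a constructed model of the behaviour described above; 192.0.2.10 is a documentation address standing in for the real A-record, and the SOA data and the `loop.test` names are placeholders.

```python
# Constructed model of the authoritative server's responses described above.
SOA = ("webmd.com.", "SOA", "placeholder")
AUTH = {
    "www.webmd.com.": {"answer": [("www.webmd.com.", "CNAME", "www.phx1.webmd.com.")],
                       "authority": [SOA]},          # CNAME plus "NO DATA" SOA
    "www.phx1.webmd.com.": {"answer": [("www.phx1.webmd.com.", "A", "192.0.2.10")],
                            "authority": []},        # ...yet the A-record exists
    "a.loop.test.": {"answer": [("a.loop.test.", "CNAME", "b.loop.test.")], "authority": []},
    "b.loop.test.": {"answer": [("b.loop.test.", "CNAME", "a.loop.test.")], "authority": []},
}

def query(name):
    """One outbound A-record request to the (simulated) authoritative server."""
    return AUTH.get(name, {"answer": [], "authority": [SOA]})

def resolve(name, ignore_soa_after_cname=True, max_hops=8):
    """Return (addresses, outbound_requests) for an A-record lookup."""
    sent = 0
    while sent < max_hops:                   # bounds CNAME loops and long chains
        resp = query(name)
        sent += 1
        addrs = [data for owner, rtype, data in resp["answer"]
                 if owner == name and rtype == "A"]
        if addrs:
            return addrs, sent
        alias = next((data for owner, rtype, data in resp["answer"]
                      if owner == name and rtype == "CNAME"), None)
        if alias is None:
            return [], sent                  # genuine NO DATA / no such name
        has_soa = any(rtype == "SOA" for _, rtype, _ in resp["authority"])
        if has_soa and not ignore_soa_after_cname:
            return [], sent                  # strict reading: SOA means NO DATA
        name = alias                         # follow the alias in a new request
    return [], sent

if __name__ == "__main__":
    print("strict :", resolve("www.webmd.com.", ignore_soa_after_cname=False))
    print("lenient:", resolve("www.webmd.com."))
```

The lenient path costs one extra outbound request here, which is the trade-off noted above; the hop limit keeps that cost bounded when aliases loop.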


23 Dec 2009 - Windows Server 2008 R2 Active Directory "Bad DNS Packet" error

There is a bug in Windows Server 2008 R2 causing a "Bad DNS Packet" error when you try to set up (or promote) Active Directory using Simple DNS Plus and other non-MS DNS servers.

The problem is described in MS KB 977158 - see http://support.microsoft.com/kb/977158/EN-US

The solution is to install the mentioned Windows hotfix.
However the MS KB article only links to the IA64 version of the hotfix - not the X64 version which most people need.
You can get a copy of the X64 version from http://www.simpledns.com/outbox/KB977158-x64.zip

Note that this hotfix will likely be included in a future automatic Windows update and/or a service pack.
So this temporary solution will only be necessary until then.

For more information on using Simple DNS Plus with Active Directory, see http://www.simpledns.com/kb.aspx?kbid=1049


17 Dec 2009 - Expiration of support for Simple DNS Plus v. 4.00

Note that from January 17th 2010 we will no longer provide support for Simple DNS Plus v. 4.00 (or earlier versions).

As per our Support Life-Cycle Policy, a Simple DNS Plus version is supported for 3 years after it is first released, and for 2 years after we stop selling it (whichever comes last).
V. 4.00 was originally released on April 10th 2005, and we stopped selling it on January 17th 2008 when v. 5.0 was released.

We encourage users of v. 4.00 and earlier versions to upgrade to the current v. 5.2.
For details on all the new features and other improvements see:
v. 5.0: http://www.simpledns.com/kb.aspx?kbid=1215
v. 5.1: http://www.simpledns.com/kb.aspx?kbid=1246
v. 5.2: http://www.simpledns.com/kb.aspx?kbid=1265


10 Dec 2009 - Simple DNS Plus v. 5.2 build 116 / v. 5.1 build 138 released

Simple DNS Plus v. 5.2 build 116 is now available at http://www.simpledns.com/download.aspx
For details on the updates and changes in this build, please see release notes.

Simple DNS Plus v. 5.1 build 138 is now available at http://www.simpledns.com/download-oldver.aspx
For details on the updates and changes in this build, please see release notes.

These are NOT critical updates. We do recommend that all users update to these builds, but there is no urgency unless you are directly affected by the issues addressed by the updates.


30 Oct 2009 - Update to the Simple DNS Plus API for .NET and COM

We have just released version 1.1 build 4 of the Simple DNS Plus API for .NET and COM.

Updates in this build:

  • Update: Uses Simple DNS Plus v. 5.2 code base (various optimizations and bug fixes).
  • Update: Setting Zone.DefaultTTL value now updates TTL value of all records which had the old default TTL value.
  • Update: Record TTL values now automatically synchronized in RRSet (records with same name / type) when adding new records.
  • Fixed: Setting DNSZone.AllowZoneTransfer property was not always saved correctly.

Version 1.1 build 4 is now available for download:
sdnsapi-setup.exe (720 KB)

If you have a previous version/build installed, simply run the above installation file to upgrade.

For more information about the Simple DNS Plus API for .NET and COM, see the on-line documentation at http://www.simpledns.com/help/api/


29 Oct 2009 - Freeware DNS Client Library for .NET

We have just released "JH Software's DNS Client Library for .NET".

This can be used to perform simple as well as advanced DNS lookups from any .NET code (.NET v. 2.0 or later).

For details and download see http://www.simpledns.com/dns-client-lib.aspx


16 Oct 2009 - SPF checking HELO/EHLO host names

It has come to our attention that more e-mail servers are now performing SPF checks on the SMTP session HELO/EHLO greeting host name (in addition to checking the domain name part of the sender's e-mail address).

Therefore always make sure that your e-mail server is configured to use a correct host name (like "mail.example.com") in the HELO/EHLO greeting, and that an A- and/or AAAA-record exists for this host name in DNS.

Also, when using the "Automatic SPF" feature in Simple DNS Plus, make sure that the automatic SPF-record data is also valid for the HELO/EHLO host name, or define a specific SPF-record for the HELO/EHLO name in the zone where this belongs (this will override the automatic SPF record).

Note that the default automatic SPF record data "v=spf1 mx -all" will fail such a test if no MX-record exists for your HELO/EHLO name.
For example, if your domain name is "example.com" and your mail server is named "mail.example.com" (and uses this in HELO/EHLO greetings), you would probably only have an MX-record for "example.com" - not for "mail.example.com", and therefore "v=spf1 mx -all" fails to validate "mail.example.com".
Instead you could use "v=spf1 ip4:1.2.3.4 -all" (where 1.2.3.4 is the IP address of your mail server), which would work for both types of tests.
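The two checks from the example above, evaluated side by side. This is an added example, not code from Simple DNS Plus or any mail server: it handles only the `ip4`, `mx` and `all` mechanisms, uses constructed DNS data, and assumes the same SPF record data is published for both names (as with automatic SPF).

```python
import ipaddress

# Constructed DNS data for the example in the text; 1.2.3.4 is the page's
# placeholder mail server address.
DNS = {
    ("example.com.", "MX"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["1.2.3.4"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def check_spf(record, domain, client_ip):
    """Evaluate an SPF record limited to the ip4, mx and all mechanisms."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "mx":   # MX hosts of the checked domain, then their A-records
            matched = any(client_ip in lookup(host, "A")
                          for host in lookup(domain, "MX"))
        else:
            raise ValueError(f"mechanism not handled here: {mech}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def check_both(record, mail_from_domain, helo_name, client_ip):
    """Result for the sender-address domain and for the HELO/EHLO host name."""
    return {"mail_from": check_spf(record, mail_from_domain, client_ip),
            "helo": check_spf(record, helo_name, client_ip)}

if __name__ == "__main__":
    for rec in ("v=spf1 mx -all", "v=spf1 ip4:1.2.3.4 -all"):
        print(rec, check_both(rec, "example.com.", "mail.example.com.", "1.2.3.4"))
```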

For more information about SPF in Simple DNS Plus, see KB1148.


20 Aug 2009 - New "Clone Response" plug-in

This new plug-in provides DNS responses by cloning the DNS records from responses to requests for another specified domain name.
This is an easy way to host many domain names that have the exact same records (except for their zone names).

For more details see KB1289.

Download cloneresponse-plugin.zip (9 KB) and un-zip it to the "plugins" sub-directory under the directory where Simple DNS Plus is installed. After this the plug-in will be available in the Simple DNS Plus Options dialog / Plug-Ins section.

Note that this plug-in requires an "unlimited zones" license and works with Simple DNS Plus v. 5.2 build 111 and later only.



Copyright © 1999-2010 JH Software ApS. All Rights Reserved.