DNS

From 太極
Jump to navigation Jump to search

Resource

TTL

How to see Time-To-Live (TTL) for a DNS record

Records

DNSCrypt

Network commands

DNS server

Setup on Linux/Ubuntu

sudo apt install bind9
sudo nano /etc/bind/named.conf.options
  # update 'forwarders' key to use 1,1,1,1; 8.8.8.8;
  # add 'forward only;'
sudo systemctl restart bind9
# open port 53, or let ufw to allow bind9

Pi-hole

Client part

  • Windows/Mac/Linux
dig @192.168.1.2  linkedin.com  # Suppose the DNS server ips is 192.168.1.2
Pay attention to the Query time result. If we run the same command again, the query time will be reduced to 0 because of the cache in the DNS server.

Client part 2: what is my DNS server /etc/resolv.conf or /etc/network/interfaces

systemd-resolve --status or resolvectl status

PS. dig command can show my DNS server as part of its output.

On Ubuntu 18.04 and up, it uses netplan.

Even I can change my DNS setting using the Network Manager (IPv4 -> disable Automatic -> Enter 8.8.8.8 -> Apply -> Toggle On/Off), the name solving does not work. Testing https://129.43.254.99 works but not https://brb.nci.nih.gov

Note: we are not supposed to edit /etc/resolv.conf file. See here on how to add DNS servers.

The real DNS servers IPs can be found by the network manager GUI or using the command line

nmcli dev show | grep 'IP4.DNS'

On my home computer, it just shows one line nameserver 127.0.1.1. On work computer, it shows

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search XXX.XXX.gov

On the VM of my work computer, it shows

nameserver 127.0.0.53
search XXX.XXX.gov

It seems the /etc/resolv.conf file changes with the file on the host.

After any change, we can restart the network by using sudo service networking restart.

Note:

  • nameserver Name-server-IP-address: Point out to your your own nameserver or to ISP’s name server. Up to 3 name servers may be listed.
  • search domain.com: The search list is normally determined from the local domain name; by default, it contains only the local domain name. So when you type nslookup www, it will be matched to www.cyberciti.biz

You can also use Public Name Servers

nameserver 8.8.8.8
nameserver 8.8.4.4

dig Command Examples

dig (domain information groper) is a DNS lookup utility.

$ sudo apt install dnsutils
$ dig google.com ANY
$ dig r-project.org  # only 1 is returned
$ dig r-project.org  ANY
...
;r-project.org.                 IN      ANY

;; ANSWER SECTION:
r-project.org.          7199    IN      NS      ns2.urbanek.info.
r-project.org.          7199    IN      NS      ns1.urbanek.info.
r-project.org.          7199    IN      NS      ns2.wu-wien.ac.at.
r-project.org.          7199    IN      NS      ns3.urbanek.info.
r-project.org.          7199    IN      NS      ns4.urbanek.info.
r-project.org.          7199    IN      NS      ns1.wu-wien.ac.at.
r-project.org.          7199    IN      A       137.208.57.37
r-project.org.          7199    IN      MX      5 mc1.ethz.ch.
r-project.org.          7199    IN      MX      5 mc4.ethz.ch.
r-project.org.          7199    IN      MX      5 mc3.ethz.ch.
r-project.org.          7199    IN      MX      5 mc2.ethz.ch.
r-project.org.          7199    IN      TXT     "v=spf1 ip4:129.132.119.208/32 ~all"
r-project.org.          7199    IN      SOA     ns0.wu-wien.ac.at. postmaster.wu-wien.ac.at.

DNSmasq (DNS + DHCP server)

Local forwarding server

dnsmasq program is running on my Ubuntu and Linux/Mint machines.

See nameserver 127.0.1.1 in resolv.conf won't go away!

$ ps -ef | grep -i dnsmasq

$ sudo netstat -anp | grep -i dnsmasq

DNS providers

Change DNS setting

Domain Setup & SSL Certificates, HTTPS - NGINX & Docker Compose

Shiny Production with AWS Book

Flush DNS cache

How to clear the DNS Cache?

How To Set Permanent DNS Nameservers

How To Set Permanent DNS Nameservers in Ubuntu and Debian

Test if you are using OpenDNS

https://welcome.opendns.com/

I try to change the DNS ip using either Network Connection GUI or modifying /etc/resolv.conf (& calling sudo /etc/init.d/networking restart). But it does not change anything??

DNS-over-HTTPS (DoH) in Firefox

Mozilla Firefox Expands DNS-over-HTTPS (DoH) Test to Release Channel.

This does not affect the result of DNS leak test and another test.

Query DNS server

DNS leak test

To list the current DNS servers used by my system,

Method 1:

# Ubuntu >= 15
$ nmcli dev show | grep 'IP4.DNS'
$ nmcli device show <interfacename> | grep IP4.DNS
# Ubuntu <= 14
$ nmcli dev list iface <interfacename> | grep IP4

Method 2:

$ cat /etc/resolv.conf

Method 3 (macOS):

scutil --dns | grep nameserver
# cat /etc/resolv.conf

Another way is to use the R packages: gdns and dnsflare. More Options For Querying DNS From R with 1.1.1.1.

3 Ways to Check DNS Propagation Status

https://www.makeuseof.com/tag/check-dns-propagation-status/

DNS tricks

5 DNS Servers Guaranteed to Improve Your Online Safety

http://www.makeuseof.com/tag/best-dns-providers-security/

5 Nifty Ways to Use DNS to Your Advantage

http://www.makeuseof.com/tag/nifty-ways-use-dns-advantage/


DNStracer

http://www.ubuntugeek.com/dnstracer-trace-dns-queries-to-the-source.html

Dyndns and ddclient

See

nano /etc/ddclient.conf

protocol=namecheap
ssl=yes
use=web, web=dynamicdns.park-your-domain.com/getip
server=dynamicdns.park-your-domain.com
login=yourdomain.com
password=a9438540ba8a449fb0ed09c3737b9e32
@

Note that the specification should depend on the domain name registrar (eg namecheap). For namecheap, the login/password is NOT your actual credential from your domain name registrar. The password should be obtained from the domain name registrar website. The last line is about the host. If I am setting it up for a subdomain, I should enter the subdomain name (and skip the domain name part). The ssl=yes is to ensure the connection is made over https instead of http.

And run sudo ddclient -daemon=0 -debug -verbose -noquiet to verify ddclient is working. You shall get a long return with the last line looks like

SUCCESS:  updating YOURSUBDOMAIN: good: IP address set to XX.XXX.XXX.XXX

No matter which method we use, we can go to our DNS account (in namecheap, go to Dashboard -> MANAGE button -> Domains -> Advanced DNS) and temporarily change the global IP address to another one, run the update script and then check if the global IP address has been updated to the correct one.

namecheap

Cloudflare

Mail

CDN

Why You Should Use a CDN to Improve Your Website’s User Experience

no-ip

Similar to Dyndns. It has its own client program. Needs to build it yourself.

Also see the troubleshooting guide.

See http://ducky-pond.com/posts/12 for instruction of setting autostart on Debian system.

See http://www.coulterfamily.org.uk/pages/PCs/Linux/FAQ-LINUX-NO-IP-CLIENT.php for another approach.

Note: If noip2 cannot start automatically or noip2 does not update even it can be seen from ps -ef command, use sudo crontab -e command. For some reason, after I use sudo crontab, noip2 can update IP. So the only problem right now is it cannot update every 30 minutes even sudo noip2 -S says so. The problems may be 1. ps -ef shows the command runs from nobody user 2. sudo noip2 -S says it updates every 30 minutes via /dev/eth0 with NAT enabled.

Update: An alternative is to use ddclient. However, ddclient never updates the IP.

Mail

  • Allow only one MX record for each host for free no-ip account.
  • Click Host/Redirects > Manage Hosts > Modify.

DNS attack

What Are DNS Attacks and How Do You Prevent Them?

IP spoofing

What Is IP Spoofing and What Is It Used For?