Managing Mission-Critical
Domains and DNS
Mark Jeftovic
www.it-ebooks.info
Managing Mission-Critical Domains and DNS
by Mark Jeftovic
Copyright © 2010 Mark Jeftovic. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are
also available for most titles (http://safaribooksonline.com). For more information, contact our corporate/
institutional sales department: 800-998-9938 or corporate@oreilly.com.
Editor: Brian Anderson
Production Editor: FIX ME!
Copyeditor: FIX! ME!
Proofreader: FIX ME!
Indexer: FIX! ME!
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Rebecca Demarest
January -4712: First Edition
Revision History for the First Edition:
2014-12-16: Early release revision 1
2015-05-04: Early release revision 2
See http://oreilly.com/catalog/errata.csp?isbn=0636920034148 for release details.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly
Media, Inc. !!FILL THIS IN!! and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark
claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume
no responsibility for errors or omissions, or for damages resulting from the use of the information contained
herein.
ISBN: 063-6-920-03414-8
Table of Contents
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
1. Domain Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Why Domains Are Important 1
Anatomy of a Domain Name 1
Registry Details 3
Registrar Whois Server 4
Expiry Date 5
Registrant Contact Set 6
The Admin Contact Set 7
The Tech Contact Set 8
Billing Contact Set 8
DNS Details 8
Status 8
Wrap Up 10
2. Registries, Registrars & TLD Providers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Understanding Registries 12
The Original Top Level Domains 12
Generic TLDs 12
Country Code TLDs (ccTLDs) 13
IDN TLDs 13
Chartered TLDs 14
New Top Level Domains 15
Private Namespaces 16
Alternative Namespaces 16
Registrars 17
The Extensible Provisioning Protocol 17
NetSol Monopoly 17
ICANN and Competition 18
TLD Providers 18
Why Do I Need to Know All This? 18
3. Whois. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Thin vs Thick Whois 21
Whois Privacy 25
How to Tell if Whois Privacy is Enabled 27
Why you should always use “Whois” privacy 27
Why you should never use “Whois” privacy 28
Where is Whois going? Registration Data Directory Service (RDDS) 28
4. Intellectual Property & Legal Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Which Domains Should Your Organization Register? 29
Asserting Your Trademarks Withing the New gTLD Landscape 32
Sunrise 32
Landrush 32
Premium Auction 33
The Trademark Clearing House 33
Typo domains 35
Dispute Mechanisms 38
Uniform Domain Name Dispute Resolution Policy (UDRP) 38
How the UDRP Works 38
Transfer Dispute Resolution Procedure (TDRP) 39
Uniform Rapid Suspension System (URS) 41
What if Somebody is infringing on your marks or squatting on your name? 42
What If Somebody Tries to Take Your Domains? 42
What Happens When Somebody Initiates a UDRP Against Your Domain 42
Domain Aftermarket 43
Account Push 43
Registrar Transfer 44
Domain Aftermarket and Backorder Services 44
Backordering and Registrar Expiry Frontrunning 44
Escrow Services 45
Other Legal Issues 46
Chapter Summary 49
5. Managing Your Portfolio. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Multi-Domain Architectures 51
Organizational Best Practices 51
The Domain Portfolio Audit 51
Managing Customer Domains 51
Authentication 51
Security 51
Scaling 51
Transferring Domain Names 51
Change of Registrant 52
Nameserver Redelegations 52
Registrar Transfer 54
Registrar Transfer and Nameserver Redelegation 54
6. Common Pitfalls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Domain Slamming 55
Phishing 55
Unintentional Expiry 55
The Domain Expiry Cycle 55
Domain Scams 55
The “Foreign Infringer” Scam 56
Aftermarket Scams 56
ICANN Suspensions 57
Whois Accuracy Program 57
Incorrect or Bad Whois Reports 57
DNS Failures 57
7. Types of Nameservers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Root Nameservers 59
Resolvers or Recursors 65
Authoritative Nameservers 67
Primary Nameserver 67
Secondary Nameservers 69
Other Nameserver Types 70
Forwarders 70
8. DNS Queries In Action. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Exceptions to UDP queries. When TCP is required. 72
Zone Transfers Happen Over TCP 73
Large Responses, EDNS and DDOS Mitigation (Oh My!) 73
Anatomy of a DNS Query: How Nameserver Selection Actually Works 74
Summing Up 75
9. Types and Uses of Common Resource Records (and some not-so-common ones…). . . 77
A / Hostnames 77
CNAME/ Alias 78
The MX Record 81
A couple of special case MX-isms: 82
SOA / Start of Authority 83
Originating Nameserver 83
Point of Contact 84
Serial 84
The Refresh interval 85
The Retry interval 85
The Expire Interval 85
The Minimum (a.k.a Time To Live) 86
NS / Nameserver 87
TXT / Text Records 87
SPF Records 88
SRV 88
NAPTR 89
DNAME 91
PTR 91
IPv6 93
AAAA 93
A6 93
KEY 93
CERT 93
DNSSEC Specific RR Types 93
Uncommon / Obscure RR Types 93
RP 94
AFSDB 94
LOC 94
Preface
This book is a work in progress – new chapters will be added as they are written. We
welcome feedback – if you spot any errors or would like to suggest improvements, please
email the author at orabook@jeftovic.net.
Domain names and DNS can be thought of as the basic foundation of the internet. If
you want to explain how important DNS is to somebody, you might find the following
useful, this has been my “30-second elevator pitch” about DNS for close to 20 years now:
“Every time you send an email, or visit a web page, type or receive an instant message, text
or SMS, place a VOIP call (or skype), or anything else involving the internet; it cannot
happen until a bunch of computers around the internet have a conversation about it:
where does this email need to be delivered to? What server is holding the file that this web
browser is asking for? Where is the VOIP gateway that needs to route this call? These
conversations happen very quickly - typically in under 100 milliseconds (less than 1/4th
the time it takes you to blink), and typically involve at a minimum 3 or 4 disparate servers
around the globe - none of which have anything to do with the actual email, web page, or
application being routed.
These special computers are called “nameservers” and without them, absolutely nothing
would happen on the internet.”
What is interesting about DNS, given its importance, is how overlooked it is in the
overall scheme of Information Technology. Similarly, domain names (the logical naming
entities which anchor DNS lookups) are often the most profoundly misunderstood
facets of IT as well, even by otherwise advanced technical personnel.
For some reason, DNS and domain names seem to be a “blind spot” in many
organizations’ infrastructure. As we have fondly quipped since our early days as a managed
DNS provider, “DNS is something nobody cares about …until it stops working”.
It never fails to amaze me that a company can spend thousands, hundreds of thousands,
even millions of dollars on redundancy, high availability, firewalls, disaster recovery
plans and even insurance, and yet, the entire technical infrastructure of the organization
is held up by a couple of unpatched, forgotten nameservers gathering mold in a closet
somewhere. Oftentimes this can be the case without a given company being aware of
it, because they simply allow their (pick one) web host, registrar, ISP, data center, or
some other vendor to handle the DNS for them, perhaps as part of a bundled offering, and
they have absolutely no knowledge of the state of the DNS infrastructure deployed by
that vendor.
Following on that theme, perhaps the DNS infrastructure may be beyond solid: anycast
deployments, DDoS mitigation, hot spares, uptime monitoring and 24x7 NOC support,
but the portfolio of domain registrations is managed haphazardly or on an ad-hoc
basis. The smooth running underpinning of the organization is ripe for disruption by
an unintentional domain expiry or a domain registration getting slammed.
True Story
Once, several years ago, I found myself meeting with the technical
director of a small Caribbean country code TLD (ccTLD). We were meeting
in the office building of the local government telecom that ran the
namespace. He asked, somewhat hesitantly, if I could take a few minutes
to help them out with some DNS issues they were having within
the rootzone for their ccTLD. I agreed. He stood up, said “come
with me please”, and I, expecting to be bundled off to a datacenter
somewhere, followed behind.
We went into the elevator, up a floor, exited and walked through a
small cafeteria/kitchenette. He opened what looked like an office-
supply closet and gestured to what appeared to be some kind of i486
tower computer under a desk. The root prompt was present on the
monitor.
“This is ns1,” he said, as he typed a few keystrokes (“vi /etc/
named.conf”). “Ns2 is down in the basement.” After I got over my
shock I took a look, mentally noting that “Right now I am hand-
editing the nameserver config of a country-level root server….”,
made a few changes for them, dutifully saved the file…and at his
behest, restarted bind.
Who Should Read This Book
Your time would be well spent in reading this book if:
• You are responsible for at least one mission-critical domain which must be online
24x7x365, or are part of a team that manages large groups of domains (in the hundreds,
or thousands and above) on behalf of your company or on behalf of your
downstream users.
• Your responsibilities include maintaining your organization’s core DNS, or DNS
for its downstream users or clients, even if you accomplish these tasks by
outsourcing DNS management to external providers.
(This can include: sysadmins, webmasters, IT consultants, and developers.)
The basic acid test is this: if your company’s, or perhaps one of your clients’, key domain
names went dark, would you be one of the people who is going to be paged after hours, woken
up in the middle of the night, grilled, yelled at or possibly fired afterwards? If the answer
is “yes” or “maybe” then this book is for you.
Why I Wrote This Book
I wrote this book because (at the risk of belaboring the point) all too often I come across
organizations and businesses who understand IT, who are fully efficacious within their
own core competence, but who don’t possess an understanding of the principles outlined
in this book.
Either the DNS/nameserver solution is ad-hoc or inadequate to the gravity of the task
or else the back office lacks any procedural framework for handling the administrative
overview of the organization’s key domain assets.
I see deficiencies on one side or the other in many otherwise highly savvy
organizations. In extreme cases there is a lack on both sides.
The separation of DNS ops from domain portfolio administration has always been in
my mind an artificial one, but it’s a divide that occurs in many places. Even when the
DNS is operated by extremely competent DNS gurus, there can be an institutional
unawareness of what is happening on the domain administration side of the fence that can
lead to catastrophic disconnects.
This book aims to remove that artificial distinction and to give you a solid framework
for effectively managing your organization’s naming architecture from the
administrative / policy side right through to the technical DNS and nameserver implementations.
A Word On The “Domain Name” and “DNS Operations”
Environments Today
On the domain name side of things, the big picture these days (late 2014 through mid 2015
and beyond) is the advent of the new Top Level Domains (TLDs) being added to the
internet root; as well as numerous policy additions from ICANN (the body that oversees