Simple DNS Plus. Version 4.00. Copyright 1999-2005 JH Software



Table of Contents

Part I Welcome

Part II How to
  1 Get started
  2 Host a domain name
  3 Setup primary / secondary
  4 Secure your server
  5 Read the log
  6 Integrate with other applications
  7 Use HTTP commands
  8 Use command line options
  9 Configure advanced options
  10 Use "warning.bat"

Part III User Interface
  1 Main window
    Views
    IP Address Blocking dialog
    IP Address Blocking Rule dialog
    Options dialog
      General
      DNS - Requests
      DNS - Recursion
      DNS - Forwarding
      DNS - Caching
      DNS - Security
      DNS - Records
      DNS - Zone Transfers
      DNS - Master/Slave
      DNS - NAT IP alias
      DHCP
      DHCP Scope dialog
      HTTP API
      Logging - Log Details
      Logging - Log files
  2 DNS Look Up window
  3 DNS Cache Snapshot window
  4 DNS Records window
    Zone Properties
    Record Properties
    New Zone Wizard
    Quick Domain Wizard
    Bulk Update Wizard
    Reverse Zone Wizard
    Import Wizard
    TSIG Dynamic Updates

Part IV Definitions
  1 Hosts file
  2 DNS Caching
  3 TTL (Time To Live)
  4 Root DNS records
  5 DNS Recursion
  6 DNS Forwarding
  7 Round Robin
  8 Zones
  9 Zone Transfers
  10 Reverse Zone / in-addr.arpa
  11 Dynamic DNS updates
  12 DHCP

Part V Common DNS Record Types
  1 A (Host Address)
  2 CNAME (Alias)
  3 MX (Mail Server)
  4 NS (DNS Server)
  5 PTR (Reverse)
  6 SOA (Zone Properties)

Part VI Other DNS Record Types
  1 A6
  2 AAAA
  3 AFSDB
  4 ATMA
  5 DNAME
  6 HINFO
  7 ISDN
  8 LOC
  9 MB, MG, MINFO, MR
  10 NAPTR
  11 NSAP
  12 RP
  13 RT
  14 SRV
  15 TXT
  16 X

Index

1 Welcome

Thanks to the DNS system we surf the Internet using names instead of impossible to remember IP addresses. DNS servers translate these domain names into the machine readable IP addresses needed to locate the requested web-server on the Internet.

With Simple DNS Plus you can host your own domain names, or simply speed up Internet access with DNS caching. Simple DNS Plus is also a DHCP server, it comes with a DNS Look Up tool, and it has many other features.

Answers to frequently asked questions are available online. If you have any questions or comments, please don't hesitate to contact us at: [email protected].

Select a topic on the left to get started.

2 How to

2.1 Get started

The first step after installing Simple DNS Plus is to configure the computers on the local network (including the one it is installed on) to use the now local DNS server instead of the ISP's DNS server. This is done under the computer's Network TCP/IP properties by assigning the IP address of the computer running Simple DNS Plus as the DNS server. The exact setup is slightly different for each Windows version - illustrations are available online. Local computers (except the one running Simple DNS Plus) can also be configured automatically using the DHCP function.

We also recommend disabling the "DNS Client" service on any local computer running Windows 2000, XP, or 2003, including the computer with Simple DNS Plus.

Next make sure Simple DNS Plus is running, and test the configuration by opening a web-page. To ensure that you are not getting a copy cached by the browser, first empty the browser cache (delete "Temporary Internet Files") and close all instances of the browser. If you are using Windows 2000, XP, or 2003 and still have the "DNS Client" service running, type "IPCONFIG /flushdns" at a command prompt to ensure that no DNS data is cached by this service. If you got to the web-site, everything is now working correctly.

You should also see some activity in Simple DNS Plus (the performance graph or the request counter on the status bar). If you are new to DNS, it might be helpful to examine the log files to get an idea of how DNS requests are processed. This initial setup (without hosting any domain names) is often referred to as a "caching only DNS

server". If you run Simple DNS Plus for a while, you should begin to notice an improvement in the time it takes to access web-pages - especially when you return to one you have visited previously. This is caching - your computers no longer have to access an external DNS server every time you open a web-page.

The next step is to start hosting your own domain names.

2.2 Host a domain name

With Simple DNS Plus you can host DNS for your own domain names (and/or for others). First a domain name must be registered on the Internet. You can use the "WHOIS" look up function in Simple DNS Plus to find an available domain name. There is a growing number of companies (registrars) and resellers offering domain name registration for ".com", ".net", and ".org" domain names. For country specific names (such as ".uk") the choice is often limited to a single registrar. A complete list of registrars is available online.

When registering a domain name (or modifying a registration), you have to specify which DNS servers will be responsible for the domain name (also referred to as "host records" - or NS-records). Here you need to specify your own DNS server(s) - by name - such as "ns1.yourname.com". If you are already hosting other domain names you can use the existing "ns..." name for your server(s). Otherwise you may have to first create these "host records" ("ns1.yourname.com" = IP address). With some registrars you can do this as part of the domain name registration, others have a separate process for this. When in doubt, contact your registrar for details.

It usually takes 24 to 72 hours for a new domain name and changes to become fully active on the Internet. You can configure your domain name in Simple DNS Plus even before you have registered it and use it yourself, but other people on the Internet won't be able to access it before it is registered and active.

Next you need to configure the domain in Simple DNS Plus. From the main window, click the "Records" button. The first time you do this, you may be prompted to enter "Domain name of this DNS server" and "Administrator's e-mail address" using the Options dialog. This data is used as defaults for some of the DNS records automatically created by Simple DNS Plus. Enter the DNS server name (such as "ns1.yourname.com") and an e-mail address (for example "[email protected]").

You should now be in the DNS Records window. This is where you work with your domain names and records. The easiest way to configure a new domain name is through the Quick Domain Wizard (click the "Quick" button). Simply enter the domain name, and the IP addresses of your web, mail, and FTP servers (all optional). Once you have done this, close the DNS Records window, and your domain name is ready to go!

Depending on your requirements and possibly requirements from the registrar, you may also need to set up a secondary DNS server.

2.3 Setup primary / secondary

You have probably heard or seen the terms "primary DNS server" and "secondary DNS server". Actually a DNS server (the computer/software) is not specifically "primary" or "secondary". A DNS server can be primary for one zone (domain) and secondary for another.

The original DNS specifications require that each domain name is served by at least 2 DNS servers for redundancy. This may seem a little silly - especially if you run your DNS, web, and mail servers all on the same machine - if this machine goes down, it doesn't really matter that the backup DNS server still works. But many registrars (companies that register domain names) still do require this. This requirement has since been somewhat relaxed, and depending on which registrar you use, you may only need to specify one DNS server.

Please note: registrars requiring 2 DNS servers sometimes refer to these as "primary" and "secondary". This has absolutely nothing to do with the actual primary/secondary functionality, and it doesn't matter in which order you enter your DNS servers for the domain name. This is just a list of servers, and there could be 1, 2, or any number of DNS servers listed for a domain name.

By definition, a primary DNS server holds the "master copy" of the data for a zone, and secondary servers have copies of this data which they synchronize with the primary through zone transfers at intervals or when prompted by the primary. Only one DNS server should be configured as primary for a zone, but you can have any number of secondary servers for redundancy.

Both primary and secondary servers for a zone serve exactly the same data to clients. Because of this you could easily "simulate" a secondary server on a single computer with 2 IP addresses. Simply configure the zone (as primary), and the server will function as both the primary (on one IP address) and secondary (on the other IP address).

The recommended practice is to configure the primary and secondary DNS servers on separate machines, on separate Internet connections, and in separate geographic locations - all for the purpose of redundancy. Many do this by making a "swap" deal with someone else: "be secondary for me, and I'll be secondary for you". Many new "broadband" Internet connections (such as cable modems and DSL) only come with one IP address, so this setup is often used not so much because of redundancy, but because the registrar requires two DNS servers (with separate IP addresses).

When using separate primary and secondary DNS servers, zone transfers are used to synchronize the secondary servers. With other DNS server software, a zone must initially be created on both the primary and secondary servers (creating individual DNS records and any following changes to a zone need only be done on the primary server). However, Simple DNS Plus has a unique option to automatically create and remove zones on secondary servers whenever you do this on the primary. We call this a master/slave pair, and it is configured through the Options dialog (DNS Master/Slave section). Both servers must be running Simple DNS Plus (no other DNS servers we know of currently support this). The secondary server must be listed as a "slave" on the primary server, and the primary server must be listed as a "master" on the secondary. One Simple DNS Plus server can be master and/or slave for any number of servers.

To create the zone on the primary server, you can use the Quick Domain Wizard (make sure to specify the name and IP address of the secondary DNS server). If you are not using the master/slave setup, or if your primary server is not running Simple DNS Plus, you will also need to create the zone on the secondary server. Use the New Zone function, select the "Secondary Zone" option, and specify the zone name and the IP address of the primary DNS server.

Once a zone is configured on both primary and secondary servers, zone transfers should automatically occur when needed. To verify, use the Look Up function against the secondary server, or check the records on the secondary server through the DNS Records window. You can later change the primary/secondary status using the Zone Properties dialog. The "Zone Transfers" tab of the Zone Properties dialog can be used to secure the zone, so only authorized secondary servers are allowed to request zone transfers.

2.4 Secure your server

As with all types of Internet servers, DNS servers are also targeted by hackers. The implications can be quite serious, but the good news is that you can protect yourself better by running Simple DNS Plus compared to trusting your ISP's DNS servers. There are several security issues with DNS, but Simple DNS Plus addresses them all:

DNS Spoofing

DNS Spoofing is the act of "injecting" false data into the cache of a DNS server, causing it to serve this false data to its clients. Hackers may do this simply to prevent someone from accessing the Internet (making a DNS server appear to malfunction), but intentions can be much more malicious and the effects far more serious. For example, by "injecting" false MX-records (Mail exchange), a hacker could actually re-route e-mails intended for a company's client or vendor to himself. If the hacker also forwards (relays) the e-mails to the correct destination, this might continue undetected for as long as the hacker cares. Or with an "injected" A-record (for example one mapping a web-site's name to the hacker's IP address) and a cloned copy of that web-site, a hacker could get your pin code, password, credit card number etc.

There are two methods a hacker can use to do this:

1) Sending additional false records in a standard DNS response. You can prevent Simple DNS Plus from accepting these false records by enabling the "Prevent DNS spoofing" security option (see Options dialog / DNS Security section). This is an option only because it can slow down resolving external domain names a bit.

2) Some DNS servers use consecutive request ID numbers, making it possible for a hacker to "guess" the next ID and then impersonate another server. Simple DNS Plus uses random request ID numbers, so this is not an issue.

Port Scanners

A hacker may use a software utility known as a "port scanner" to search for potential targets. This software sends dummy requests to a range of IP addresses on different service ports simply to register which addresses/ports respond. Any addresses/ports that responded will then be probed further for possible vulnerabilities. Simple DNS Plus has a special "stealth" option which makes it invisible to such port scanners, by not

responding to a DNS request unless it is for data in local zones or originates from a client offered recursion. See Options dialog / DNS Recursion section.

Many of these port scanners and other hacking utilities are known to send network packets originating from port zero. A normal DNS client or server would never do this, so such a packet is a strong indication that a hacker is at work. Simple DNS Plus can detect this and ignore such packets to avoid attracting further attention from the hacker. See Options dialog / DNS Security section / "Ignore UDP packets originating from port zero".

Telnet connections

Hackers sometimes use a simple telnet client to connect to open server TCP ports, to see if they can get some type of response or perhaps crash the server by sending it junk data. Simple DNS Plus can often detect such connections, close them down, and log the event. Some Internet protocols (including HTTP, SMTP, and POP3) are transmitted in clear text and experienced users can communicate directly with such servers with a simple telnet client. However, the DNS protocol is transmitted in binary format and cannot be accessed like that. See Options dialog / DNS Security section / "Detect and close Telnet connections".

Zone Transfers

Zone transfers are intended for use by secondary DNS servers to synchronize with their primary server. But you can also request a zone transfer using a number of different tools (like the Look Up function in Simple DNS Plus), which will basically list all the records contained in a zone. This is great for troubleshooting, but you may not want to expose all the data in your zones to strangers like this. Hackers could use this to find out what other servers you are running - and with this information launch other types of attacks. Zone transfers also require considerably more bandwidth and CPU cycles compared to regular DNS requests. You can specify which IP addresses are allowed to request zone transfers for each zone in the Zone Properties dialog under the "Zone Transfers" tab, and in the Options dialog / Zone Transfers section.

DNS Recursion

Internet users (other than your own users) may try to take advantage of your DNS server. For example, if someone feels that their ISP's DNS server is too slow - they might just use another one - like yours. New Internet users quickly learn this "trick" through chat groups etc., and it actually happens quite often. Many ISPs and companies "offer" this service free of charge without even realizing it. This of course consumes additional bandwidth and CPU cycles.

If you do not host any domain names, you could prevent this simply by blocking incoming DNS requests on your firewall, or by configuring Simple DNS Plus to only listen for DNS requests on a private IP address (see Options dialog / DNS Requests section). However, if you are hosting one or more domain names, you must allow other DNS servers access to your DNS servers. The difference between Internet users and other DNS servers is "recursion". Client applications (users) need the DNS server to perform recursion (fully resolve domain names into IP addresses), whereas other DNS servers perform the recursion themselves.
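An added example for the "DNS Spoofing" issue above (not code from the manual or from Simple DNS Plus): a "bailiwick" filter over a parsed DNS reply that drops additional records for names outside the zone being asked about (the first spoofing method) and rejects replies whose transaction ID does not match the outstanding query (the second). The sample reply, names and addresses are constructed.

```python
"""Bailiwick filter for DNS responses.

Added example (not Simple DNS Plus code) for the first spoofing method
described under "DNS Spoofing": a reply that carries extra records for names
outside the zone being asked about. The filter parses the wire-format reply,
checks the transaction ID, and keeps only records whose owner name lies in
the zone the query belongs to. The sample reply below is constructed.
"""
import struct

A = 1  # RR type code for an A (host address) record


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            if end is None:
                end = off + 2                     # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (id, [(qname, qtype)], {section: [(name, type, rdata)]})."""
    qid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, qtype))
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[sec] = rrs
    return qid, questions, sections


def in_bailiwick(name, zone):
    """True when `name` is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def filter_response(msg, expected_id, zone):
    """None if the ID does not match (not our reply); else (kept, dropped)."""
    qid, _questions, sections = parse_response(msg)
    if qid != expected_id:
        return None
    kept, dropped = {}, []
    for sec, rrs in sections.items():
        kept[sec] = [rr for rr in rrs if in_bailiwick(rr[0], zone)]
        dropped += [(sec, rr[0], rr[1]) for rr in rrs if not in_bailiwick(rr[0], zone)]
    return kept, dropped


# --- constructed sample reply -------------------------------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def make_rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Reply to "www.example.com A" (ID 0x1234) whose additional section mixes a
# legitimate glue record with an out-of-bailiwick record for another domain.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 2)
    + encode_name("www.example.com") + struct.pack("!HH", A, 1)
    + make_rr("www.example.com", A, bytes([192, 0, 2, 10]))
    + make_rr("ns1.example.com", A, bytes([192, 0, 2, 53]))
    + make_rr("mail.other-domain.example", A, bytes([192, 0, 2, 99]))
)

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_REPLY, 0x1234, "example.com")
    print("kept:", {s: [r[0] for r in rrs] for s, rrs in kept.items()})
    print("dropped:", dropped)
```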

By specifying only the IP addresses of your own users in the Options dialog / DNS Recursion section, you can effectively block "foreign" users, and at the same time allow other DNS servers to send requests for the domain names you are hosting.

Denial of service (DOS)

This is a very simple (yet effective) method of "hacking". By sending your servers an extreme amount of requests and basically using up all your bandwidth or processing power, a hacker can effectively prevent users and customers from accessing your services. Simple DNS Plus has an IP Address Blocking function, which can automatically detect such attacks (specifically directed against the DNS server), and ignore the traffic. The traffic will still use some of your bandwidth, but Simple DNS Plus won't send replies (which would increase the problem) and won't use up the processing power of the machine it is running on. Another variant of "DOS" is establishing a lot of TCP connections, using up all the resources of the target system. Simple DNS Plus has an option to limit the maximum number of simultaneous inbound TCP connections (Options dialog / DNS Security section). DOS attacks are difficult to prevent completely, but if the hacker doesn't succeed in bringing down your systems, he might just look elsewhere.

BIND version requests

Since many Internet DNS servers are running BIND (a Unix DNS server), hackers often initiate an attack by sending a special request for the BIND software version number. They can then compare the response with a list of known vulnerabilities for that particular BIND version and launch the actual attack. Simple DNS Plus can be configured to respond to these BIND version requests with a text string of your choice (for example: "Sorry - no BIND vulnerabilities here!") by enabling the "Respond to BIND version requests" option in the Options dialog / DNS Security section. A warning is always logged for BIND version requests. On Windows NT/2000/XP/2003, you can test by entering the following at a command prompt:

    NSLOOKUP -class=chaos -type=txt version.bind <dns-server-ip-address>

DNS Forwarding

When you enable forwarding, you basically inherit any security issues of the DNS servers you are forwarding to. So make sure those DNS servers are also configured securely - or don't forward to them.

Dynamic DNS updates / IP spoofing

If your Simple DNS Plus server is accessible from the Internet, and you enable standard dynamic updates for any zone (in the Zone Properties dialog), make sure to specify that only local IP addresses are allowed to send update requests, and that your router or firewall filters out any spoofed IP packets coming from the Internet claiming to be from those IP addresses. Most routers by default filter out any inbound IP packets claiming to be from the standard private IP address ranges (such as 10.x.x.x). If this is not filtered by the router, a hacker may be able to impersonate a trusted local computer by spoofing the origin IP address of the DNS packets, giving him access to change your DNS records. If you want to receive dynamic updates across the Internet, make sure to use TSIG authenticated updates only (DNS Records window -> Tools menu -> TSIG dynamic updates).

Failover

Unlike most other Internet server types/protocols, DNS actually has failover functionality built into the protocol itself. If you have 2 or more DNS servers hosting the same domain name and one of those DNS servers is down, other DNS servers will automatically try all of your DNS servers in turn until they get a response. The only requirement for this to work is that all your DNS servers are listed in the domain registration

for each domain name. It is easy to run one or more secondary DNS servers with Simple DNS Plus using the Master/Slave functionality - see Options dialog / DNS - Master/Slave section. To failover protect other services (such as your web-site), you can use Simple Failover.

2.5 Read the log

You can open log files created by Simple DNS Plus with Notepad, or watch the most recent log entries using the Active Log View. Log lines starting with "->" are details for a previous line. In addition to the logs, you can receive notification of warning and error messages via network messages, e-mail, or otherwise by using the warning.bat feature. Writing log files to disk can be activated in the Options dialog / Log files section.

The following explains the errors, warnings, and header messages you might see:

*** Error: Could not start DNS service [on <ip-address>] (Error <n>)
This usually means that another DNS server or another program is occupying the DNS port (53) on the same computer. It can also occur when using "Internet Connection Sharing". Once you have corrected the problem, use "Start server" from the File menu.

*** Error: Could not start DHCP service on <ip-address> (Error <n>)
This usually means that another DHCP server or another program is occupying the DHCP server port (67) on the same computer. It can also occur when using "Internet Connection Sharing". Once you have corrected the problem, use "Start server" from the File menu.

*** Error: Could not start HTTP service on port <port-number> (Error <n>)
This means that the HTTP port is occupied by another program or possibly another instance of Simple DNS Plus. You may need to change the port number used for HTTP in the Options dialog / HTTP API section.

*** Error: Could not open zone file: <file-name>
Another program may be accessing the zone file (in the "data" subdirectory).

*** Error: Could not update 'boot' file for zone <zone-name>
Another program may be accessing the 'boot' file (in the "data" subdirectory).

*** Error: Could not save zone file: <file-name> (Error <n> <error-description>)
Another program may be accessing the zone file (in the "data" subdirectory), the hard disk may be full, or something else is preventing Simple DNS Plus from writing to the file.

*** Warning: UDP packet from <ip-address> port zero ignored
See the "Port Scanners" section in How to secure your server.

*** Warning: IP address <ip-address> blocked (more than <n> requests per second)
See the "Denial of service" section in How to secure your server.

*** Warning: Request from <ip-address> for BIND version - possible hack attempt
See the "BIND version requests" section in How to secure your server.
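The three security warnings just listed are the ones worth counting per source address when reviewing a log. As an added example (not part of the manual or the product), this small Python helper attaches the "->" detail lines to their entry and tallies those warnings; the sample log lines are constructed in the message formats quoted above, and the timestamp prefix is an assumption.

```python
"""Triage helper for Simple DNS Plus log files.

Added example, not part of the product. It attaches the "->" detail lines to
the entry they belong to and counts the three security warnings above (port
zero, rate-based IP blocking, BIND version requests) per source IP, so a
day's log can be skimmed for repeat offenders. SAMPLE_LOG below is constructed
in the message formats quoted in this section; the timestamp prefix is an
assumption, which the parser treats as free text.
"""
import re
from collections import Counter, defaultdict

# <ip-address> and <n> from the manual's message templates are captured.
PATTERNS = {
    "port_zero": re.compile(r"UDP packet from (?P<ip>[\d.]+) port zero ignored"),
    "rate_block": re.compile(
        r"IP address (?P<ip>[\d.]+) blocked \(more than (?P<n>\d+) requests per second\)"),
    "bind_version": re.compile(r"Request from (?P<ip>[\d.]+) for BIND version"),
}


def group_entries(lines):
    """Return [(entry_line, [detail_lines])]; '->' lines attach to the previous entry."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.lstrip().startswith("->"):
            if entries:                    # orphan details without an entry are dropped
                entries[-1][1].append(line.strip())
            continue
        entries.append((line, []))
    return entries


def summarize(lines):
    """{warning_kind: Counter(ip -> count)} for the warnings in PATTERNS."""
    summary = defaultdict(Counter)
    for entry, _details in group_entries(lines):
        if "*** Warning:" not in entry:
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.search(entry)
            if match:
                summary[kind][match.group("ip")] += 1
                break
    return summary


def repeat_offenders(summary, threshold=2):
    """Source IPs with at least `threshold` warnings of any kind, sorted."""
    totals = Counter()
    for per_ip in summary.values():
        totals.update(per_ip)
    return sorted(ip for ip, n in totals.items() if n >= threshold)


# Constructed sample log (timestamps assumed; addresses from documentation ranges).
SAMPLE_LOG = """\
12:00:01 Request from 192.0.2.20 for www.example.com A
-> Header: Name does not exist!
12:00:02 *** Warning: UDP packet from 198.51.100.7 port zero ignored
12:00:05 *** Warning: Request from 198.51.100.7 for BIND version - possible hack attempt
12:00:09 *** Warning: IP address 203.0.113.44 blocked (more than 100 requests per second)
12:00:11 Request from 192.0.2.21 for example.com MX
-> Header: Server Failure
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for kind, per_ip in report.items():
        print(kind, dict(per_ip))
    print("repeat offenders:", repeat_offenders(report))
```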

*** Warning: TCP connection from <ip-address> closed - Telnet detected
See the "Telnet connections" section in How to secure your server.

*** TCP connection request rejected - maximum connections (<n>) reached
See the "Denial of service (DOS)" section in How to secure your server.

*** Warning: Lame delegation for <domain-name> on <dns-server> (<ip-address>)
A "lame delegation" is when a DNS server, which is listed in the domain registration for a domain, is not configured with any data for that domain. Lame delegations sometimes happen because someone has registered a domain but only has one or no DNS servers, so they simply specify some random DNS servers to act as place-holders, even though none of these servers have a zone defined for the domain in question. Hence the domain is "lame" without a leg to stand on. If you see this message about your own server ("this server"), you should take steps to correct this immediately. If the domain name in question is not yours, do a WHOIS look up to determine the owner, and contact them to change it immediately (they are causing additional traffic on your Internet connection and additional processing for your DNS server). If the domain name is yours - add the zone to your server immediately.

*** Warning: Notify request not sent to <server-name> for <zone-name> - Could not resolve IP address
Changes were made to a primary zone on this server, but the server could not notify (see zone transfers) a secondary DNS server. This typically means that no A-record is available for the DNS server name specified in the NS-record for the secondary DNS server.

*** Warning: [<server-name>] [<ip-address>] did not respond to Notify request for <zone-name>
Changes were made to a primary zone on this server, but the server did not get any response when trying to notify a secondary DNS server. This typically means that the secondary server is down, or there is some type of network problem.

*** Warning: Failed to Zone Transfer <zone-name> from <ip-address> (<error-description>)
This server (secondary) could not complete a zone transfer from the primary DNS server. This could be caused by general network problems or security settings on the primary server. The server will continuously retry the zone transfer.

*** Warning: Forward server <ip-address> does not offer recursion
One of the forward DNS servers specified in the Options dialog does not offer recursion. Select a different forward DNS server, or disable forwarding (not needed in most cases).

*** Warning: Error [opening]/[writing] to [raw] log file (<error-description>)
There was a problem writing a log file to disk. The server has temporarily stopped writing to this log file, and will attempt to open the file again in 5 minutes.

*** Error: Application error: <error-description>
In the unlikely event that you should see this error message, please contact [email protected] immediately for assistance.

-> Header: Format Error
Means that the binary structure of a DNS request or reply was not formatted correctly. This could be caused by network problems, a malfunctioning DNS server, or another TCP/IP program wrongly using port 53.

-> Header: Server Failure

Usually means that some DNS server did not respond or that no NS-record (or associated A-record) existed for a domain name. Often follows the "*** Warning: Lame delegation..." message (see above). This could also be caused by network connectivity problems.

-> Header: Name does not exist!
Means that the domain name specified in the request does not exist. If you know that the domain name does in fact exist, make sure you don't have a <root> zone in the DNS Records window, and make sure the root file is intact (you can copy the original "named.root" file from the Simple DNS Plus directory to the "data" sub-directory).

-> Header: Not implemented
Means that the DNS server queried does not support the query type or record type. There are many experimental DNS query and record types, and most of these never become generally accepted. Most DNS server implementations support at least the A, CNAME, MX, NS, PTR and SOA record types.

-> Header: Refused
The queried DNS server refuses to respond - usually due to local security settings. This most often happens in connection with zone transfers - make sure the primary DNS server allows the secondary servers to zone transfer (see Zone Properties dialog).

-> Header: Name exists when it should not
-> Header: Record set exists when it should not
-> Header: Record set that should exist does not
These headers are returned in a response to a dynamic update request. The update could not be completed because the prerequisites of the update request were not met.

-> Header: Server not authoritative for zone
This header is returned in a response to a dynamic update request. The update could not be completed because the server responding is not configured with the zone specified in the update request.

-> Header: Name not contained in zone
This header is returned in a response to a dynamic update request. The update could not be completed because the update name is not contained within the zone specified in the update request.

-> Header: Invalid transaction signature (BADSIG)
This header is returned in a response to a TSIG signed dynamic update request. The update could not be completed because the TSIG signature in the update request was invalid.

-> Header: Unknown transaction signature key or algorithm (BADKEY)
This header is returned in a response to a TSIG signed dynamic update request. The update could not be completed because the server responding is not configured with the TSIG key or signature algorithm used in the update request for the update name.

-> Header: Transaction signature time stamp does not match server time (BADTIME)
This header is returned in a response to a TSIG signed dynamic update request. The update could not be completed because the time stamp in the TSIG signature did not match the

server's time (not within the requested "fudge" interval).

2.6 Integrate with other applications

You can generate zone and record data for Simple DNS Plus from other applications. DNS record data is stored in standard "zone files" (simple text files), located in the "data" directory under the directory where Simple DNS Plus is installed. A standard "boot file" lists all the zones with type, name, and file name. To examine the file layout, you can open the files generated by Simple DNS Plus with Notepad (see RFC 1035 for the exact specifications). Each zone has its own zone file - by default named "<zone-name>.dns". The boot file is named "boot".

Each time Simple DNS Plus is restarted, or "Reload DNS Records" is selected from the Tools menu, the boot file and all zone files will be re-loaded. There are several options for making Simple DNS Plus load new zone files "on the fly":

HTTP commands

Simple DNS Plus can be prompted to perform a number of functions through HTTP - either directly from a browser, or from any other program that can communicate through HTTP. See How to use HTTP commands.

Command line / UDP

You can "tell" Simple DNS Plus to reload one or all zone files whenever it is required by using one of the command line options. Or you can do the same through TCP/IP from your own application. The "sdnsplus.ini" file contains a "ReloadPort" line. You can control Simple DNS Plus by sending a message via UDP to this port number:

  reload    - as command line "-R" option (same parameters)
  unload    - as command line "-U" option (same parameters)
  clear     - as command line "-C" option (same parameters)
  tsigkeys  - as command line "-K" option (same parameters)
  udzone    - as command line "-Z" option (same parameters)

".new" zone file extensions

You can create new or updated zone files in the "data" directory (under the directory where Simple DNS Plus is installed) with a ".new" extension (instead of ".dns"), and have Simple DNS Plus automatically scan for and load these files. To enable this, you must first edit the "sdnsplus.ini" file and change the "NewScan" setting to the minute interval to scan for ".new" files (whole numbers only), and restart the program. When Simple DNS Plus discovers a ".new" file, it will first delete any ".dns" file with the same name, then rename the ".new" file and reload the zone. Make sure to increment the SOA-record serial number when updating existing zones through this

15 How to method. Calling the DNS Look Up tool from other applications The Simple DNS Plus DNS Look Up tool/window is a COM object which can be called from any script or application supporting COM objects. For example, using VBScript it can be called like this: Set luobj = CreateObject("sdnslookup.lookupobj") luobj.lookup "domain.com", "A" There is only one object/class "sdnslookup.lookupobj", and there is only one method "lookup". The "lookup" method takes two parameters where the first is the domain name or IP address to look up, and the second is the type of lookup to perform (A, MX, WHOIS, etc.). The first parameter is mandatory, and the second parameter is optional (defaults to "A"). The "lookup" method displays the DNS Look Up window and performs the requested lookup. This functionality is for GUI applications only - no data is returned from the "lookup" method call. A small utility and supporting files for integration this into the Internet Explorer selection context menu is included with the Simple DNS Plus installation in the "ie-context" sub-directory. A tutorial of how to add a WHOIS button to Outlook 2003 using this functionality is available online at Use HTTP commands Simple DNS Plus can be prompted to perform different actions through HTTP - either directly from a browser, or any other program that can communicate through HTTP. This functionality is not intended as a direct user interface, but rather a way to communicate with Simple DNS Plus from other applications over the network (for example ASP script pages running on IIS). By default, Simple DNS Plus listens for HTTP requests on IP address port With this default configuration, you can open a web-page listing the available commands in your browser using Port 8053 is used to avoid conflicts with any web server software using the standard port 80 on the same machine. 
Please note that only the same computer can connect to this IP address, so if you need to access this from another computer, you will need to configure Simple DNS Plus to listen on a different IP address. You can change these settings in the Options dialog / HTTP API section.

Simple DNS Plus accepts both HTTP "GET" and "POST" requests; use whichever is more convenient. When using "GET", all fields and values must be part of the URL. When using "POST", all fields and values must be in the message body (none in the URL).

The response will either be a text document ("text/plain" MIME type) containing the result, an error 404 for unrecognized commands, or an error 406 for requests that could not be performed.

The request document/path name must be one of the commands described below. For example, to list the contents of the zone file for simpledns.com, you could use the following (with GET):
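The Python client below is an added example, not code from the manual or from JH Software: it builds GET and POST requests for the HTTP API, increments the SOA serial before an "updatezone" call (which the manual requires), and maps the documented 404/406 responses to results. It assumes the API is reachable on 127.0.0.1 (the manual only says "the same computer") at the default port 8053, and the zone file text is a constructed sample.

```python
"""Added example (not part of the Simple DNS Plus manual): build HTTP API
requests for Simple DNS Plus and bump the SOA serial before "updatezone"."""
import http.client
import re
from urllib.parse import urlencode

API_HOST = "127.0.0.1"   # assumed loopback address; the manual says "same computer" only
API_PORT = 8053          # default HTTP API port stated in the manual

# Constructed sample zone file; not taken from any real server.
SAMPLE_ZONE = """; constructed sample zone for simpledns.com
simpledns.com. 3600 IN SOA ns1.simpledns.com. hostmaster.simpledns.com. (
    2005010101 ; serial
    10800      ; refresh
    3600       ; retry
    604800     ; expire
    3600 )     ; minimum
simpledns.com. 3600 IN NS ns1.simpledns.com.
ns1.simpledns.com. 3600 IN A 192.0.2.53
"""

# The serial is the first integer after the SOA MNAME and RNAME fields; the
# optional "(" and line breaks of the multi-line form are skipped.
_SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", re.DOTALL)


def bump_soa_serial(zone_text):
    """Return zone_text with the SOA serial incremented by one.

    The manual requires the serial to increase on every updatezone call,
    otherwise secondary servers will not notice the change.
    """
    m = _SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("zone text contains no SOA record")
    new_serial = str(int(m.group(2)) + 1)
    return zone_text[:m.start(2)] + new_serial + zone_text[m.end(2):]


def build_get(command, fields=None):
    """Request path for GET: all fields travel in the URL query string."""
    query = urlencode(fields or {})
    return "/" + command + ("?" + query if query else "")


def build_post(command, fields):
    """Path, headers and body for POST: all fields travel in the body."""
    body = urlencode(fields)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "/" + command, headers, body


def updatezone_request(zone_name, zone_text, masterip=None):
    """Build the POST for "updatezone", bumping the SOA serial first."""
    fields = {"zone": zone_name, "data": bump_soa_serial(zone_text)}
    if masterip:
        fields["masterip"] = masterip   # secondary zone: primary server IP
    return build_post("updatezone", fields)


def interpret_status(status):
    """Map the HTTP status codes the manual documents to a short result."""
    if status == 200:
        return "ok"
    if status == 404:
        return "unrecognized command"
    if status == 406:
        return "request could not be performed"
    return "unexpected status %d" % status


def send(method, path, headers=None, body=None):
    """Send one request to the API (needs a running server; not used in tests)."""
    conn = http.client.HTTPConnection(API_HOST, API_PORT, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return resp.status, text


if __name__ == "__main__":
    print(build_get("getzone", {"zone": "simpledns.com"}))
    path, headers, body = updatezone_request("simpledns.com", SAMPLE_ZONE)
    print(path, body[:60] + "...")
```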

Commands:

status
Returns server status and request counters in text format.

clearcache
Clears the DNS cache.

reloadall
Reloads all zone data from disk.

zonelist
Returns a list of all zone names on the server (separated by <CRLF>). Optionally include the field "listtype", being either "simple" (the default), "primary" (primary zones only), "secondary" (secondary zones only), or "extended". Optionally specify a numeric ID in the field "zonegroup" matching a group ID in the "editrecs.ini" file to limit the list to a single zone group.

getzone
Returns the text of a zone file. Specify the zone name in the field "zone".

loadzone
Reloads an existing zone from disk. Specify the zone name in the field "zone".

removezone
Removes an existing zone from the server. Specify the zone name in the field "zone".

updatehost
Updates, creates, or deletes an A-record (host address). A parent zone must already exist for the host name. Specify the host name in the field "host". Specify an IP address in the field "data". If no data (IP address) is specified, the record is deleted.

updatezone
Updates or creates a new zone on the server. Specify the zone name in the field "zone". Specify the zone data in the field "data" (formatted as a standard zone file). For secondary zones, specify the primary server IP address in the field "masterip". Optionally specify a numeric ID in the field "zonegroup" matching a group ID in the "editrecs.ini" file. Make sure to increment the SOA-record serial number when using this command.

2.8 Use command line options

When Simple DNS Plus is running, you can use the following command line (DOS prompt) options. Make sure you run these from the directory where Simple DNS Plus is installed.

SDNSPLUS -R
Reloads all records including the hosts file and root records.

SDNSPLUS -R zone-name file-name
Loads or re-loads a specific zone. The file-name is only required if this is a new zone.

For loading individual zones we recommend using the more flexible -Z option instead.

SDNSPLUS -Z z:zone-name f:file-name p:primary-ip g:group-id
Loads, re-loads, and/or updates the status of a specific zone. The f:file-name parameter is only required if this is a new zone. The p:primary-ip parameter is only required if this is a secondary zone. The g:group-id parameter is optional and refers to the numeric zone group ID which can be found in the "editrecs.ini" file.

SDNSPLUS -U zone-name
Unloads / removes a zone.

SDNSPLUS -C
Removes all records from the cache. Same as selecting "Clear Cache" from the Tools menu.

SDNSPLUS -K
Reloads the TSIG keys (the "tsigkeys.ini" file).

2.9 Configure advanced options

The "sdnsplus.ini" file and the individual zone files can specify several advanced options not available from the graphical interface. You can edit these files manually with Notepad. Generally it is not necessary to change any of these settings from their defaults.

"sdnsplus.ini" file
Located in the directory where Simple DNS Plus is installed. You need to stop Simple DNS Plus before changing this file, and restart it when done.

[Main]

DNSListenPort=<number>
Specifies the TCP/IP port that Simple DNS Plus listens for DNS requests on. This should almost always be set to 53 (the default), but it is possible to use a different port number, for example to work with a proxy program.
Default: 53

DNSFromPort=<number>
Specifies the port that Simple DNS Plus sends outgoing UDP requests from, and that responses are returned to. The default (0) means that it selects any available port number. However, using this option it is possible to fix this port, which can be useful when using a firewall. This option is not used for zone transfers (TCP connections).
Default: 0

AutoUpdateRoot=<yes/no>
With this option enabled, Simple DNS Plus will automatically check for root server updates. You may want to disable this if you are using an alternate root or if your server is only used for intranet purposes.
Default: Yes

NewScan=<number>
Interval in minutes to scan the data directory for files with ".new" extensions. See How to integrate with other applications.
Not present by default.

ErrorFileDump=<Yes/No>
If an error occurs in the Simple DNS Plus program, it will attempt to create a "support.txt" file (for debugging purposes). This option specifies if the support.txt file should include the major configuration files.
Default: Yes

WarningBat=<Yes/No>
With this option enabled, Simple DNS Plus will execute the DOS batch file "warning.bat" whenever an error or warning condition is detected. See How to use "warning.bat" for details.
Default: No

DelOnlyZones=<list of zones separated by spaces>
This option lists zones which are to be treated as "delegation-only zones", meaning they should only contain delegations and no data of their own. When a DNS response which is not a delegation is received from a server responsible for one of these zones, the response will be converted into an "NXDOMAIN" error response.
Default: blank

DelOnlyAllTop=<Yes/No>
When enabled (=Yes) all top level zones (single segment / no dots) such as "com" and "net" are treated as delegation-only zones (see above). Please note that this does not include second level zones such as "co.uk", which would have to be added to the "DelOnlyZones" option above.
Default: No

DelOnlyExclude=<list of zones separated by spaces>
This option lists top level zones which are to be excluded when the "DelOnlyAllTop" setting is enabled (see above).
Default: blank

[Opt-General]

ServiceName=<text string>
ServiceDesc=<text string>
The Windows Service name and description. You may need to change this if running more than one instance of Simple DNS Plus on the same computer. The ServiceName can be used in "Net Start" and "Net Stop" commands.
Default: sdnsplus / Simple DNS Plus

[Opt-Requests]

ShowAddIP=<Yes/No>
When enabled, "Add IP address" controls are added to the "Listen for DNS requests on" IP list in the Options dialog.
This makes it possible to configure Simple DNS Plus to listen for DNS requests on local IP addresses which were not automatically detected (a problem on some Windows Server 2003 installations).
Default on Windows Server 2003 and later: Yes
Default on earlier Windows versions: No

AutoCNAME=<Yes/No>
When enabled, all CNAME-records will be translated into "normal" records. For example, if a name has a CNAME-record pointing to "abc.com", a request for A-records for that name will return the A-record of "abc.com" directly. This is useful for certain client programs (including a widely used e-mail server) that don't understand CNAME-records. Please note this is not correct DNS server behavior, and should only be used if you have a program that does not understand CNAME-records.
Default: No

MinTimeOut=<number>
Specifies the minimum period of time (in seconds) during which Simple DNS Plus will continue resending the same DNS request to other DNS servers. With this setting at the default value of 0 (zero), client DNS requests will time out after all authoritative DNS servers have been queried 3 times without a response. In dial-up configurations, this may not leave enough time for the network connection to be established, and so Simple DNS Plus will return a "server failure" response to the client, and the client's application may fail. This can be avoided by setting a sufficient minimum time-out interval here. This option forces Simple DNS Plus to do additional processing, so for optimal performance, only use it if you experience problems with requests timing out before a connection is established. The maximum value for this setting is 30 (seconds).
Default: 0

[Opt-Recursion]

NraNaaTXT=<text string>
This option overrides the default text of the TXT-record that is sent along with synthesized records to clients which are not offered recursion. Only applicable if the "Respond with synthesized DNS records" option is selected in the Options dialog / DNS recursion section.
Default: not present

[Opt-Caching]

CacheTTLMinimum=<number>
This option specifies the minimum period of time DNS records are cached. A value higher than zero may improve response time and reduce DNS traffic, but will likely cause problems with many domain names that rely on frequent DNS updates. "cnn.com" is one example of a well-known larger web site which depends on low TTL values to enable quick changes to their web site (they currently use DNS TTL values of 5 minutes). Also, many small web-sites today depend on low TTL values because they run on ADSL or cable connections with dynamic IP addresses, and therefore require frequent DNS updates (when their IP address changes).
We generally do not recommend using this setting.
Default: 0

[Opt-Records]

PermTTLMin=<number>
A minimum TTL applied to all records in local zones (primary and secondary).
Default: 0

NXDomTXT=<text string>
This option overrides the default text of the TXT-record that is sent along with synthesized records in NXDOMAIN Redirect responses (see Options dialog / DNS records section).
Default: not present

HostsReverse=<Yes/No>
When Simple DNS Plus is configured to use a hosts file and this option is enabled, PTR-records will automatically be generated from the data in the hosts file in addition to A- and CNAME-records.
Default: Yes

[Opt-DHCP]

DHCPNS2=<IP address list>
Use to specify secondary DNS servers for DHCP clients. (The first/primary is always the IP address of the Simple DNS Plus server.)
Empty by default.

DHCPWINS=<IP address list>
Use to specify WINS server addresses for DHCP clients.
Empty by default.

DHCPNBDD=<IP address list>
Use to specify NBDD server addresses for DHCP clients.
Empty by default.

DHCPNODE=<number>
Use to specify the NetBIOS node type for DHCP clients. 1=b-node, 2=p-node, 4=m-node, 8=h-node.
Empty by default.

DHCPScope=<text string>
Use to specify the NetBIOS scope ID for DHCP clients.
Empty by default.

[Secondary-Zones]

MinimumRefresh=<number>
MinimumRetry=<number>
MinimumExpire=<number>
Minimum values (seconds) for SOA records in secondary zones. Can be used to limit the number of refresh and zone transfer requests. Recommended if you don't control the primary DNS server for the secondary zones you host.
All are zero by default.

UseIXFR=<Yes/No>
Use to specify if IXFR (incremental zone transfers) should be used to synchronize secondary zones on this server with their primary server. If your primary DNS server uses older DNS server software which does not support IXFR, it may be necessary or more efficient to disable this setting.
Default: Yes

Zone files
These files are located in the "data" subdirectory and have ".dns" extensions. You need to reload records (Tools menu) after changing these files. The following settings must be located before any records in the zone.

;$NoNotify
If present, Notify requests will not be sent to secondary or slave servers for this zone.

;$MinimumTTL <number>
Overrides any lower TTL specified in the file, and the "PermTTLMin" setting in the "sdnsplus.ini" file (see above).

2.10 Use "warning.bat"

Simple DNS Plus can execute the DOS batch file "warning.bat" from the directory where Simple DNS Plus is installed each time it detects an error/warning condition. To enable this, set the "WarningBat" option in the "sdnsplus.ini" file to "=Yes".
When run, "warning.bat" is passed a set of 2 parameters (an event ID and a description) from the following list:

Event ID   Description
101   Error: Could not start DNS service [on <ip-address>] (Error <n>)
102   Error: Could not start DHCP service on <ip-address> (Error <n>)
103   Error: could not start HTTP service on port <port-number> (Error <n>)
201   Error: Could not open zone file: <file-name>
202   Error: Could not update 'boot' file for zone: <zone-name>
203   Error: Could not save zone file: <file-name> (Error <n> <error-description>)
301   Warning: UDP packet from <ip-address> port zero ignored
302   Warning: IP address <ip-address> blocked (more than <n> requests per second)
303   Warning: Request from <ip-address> for BIND version - possible hack attempt
304   Warning: TCP connection from <ip-address> closed - Telnet detected
305   Warning: TCP connection request rejected - maximum connections (<n>) reached
401   Warning: Lame delegation for <zone-name> on this server (<ip-address>)
501   Warning: Notify request not sent to <server-name> for <zone-name> - Could not resolve IP address
502   Warning: [<server-name>] [<ip-address>] did not respond to Notify request for <zone-name>
503   Warning: Failed to Zone Transfer <zone-name> from <ip-address> (<error-description>)
601   Warning: Forward server <ip-address> does not offer recursion
701   Warning: Error opening log file [<error-description>]
702   Warning: Error writing to log file [<error-description>]
703   Warning: Error opening raw log file [<error-description>]
704   Warning: Error writing to raw log file [<error-description>]
999   Error: Application error: [<error-description>]

These parameters can be accessed in the batch file as %1 (the event ID) and %2 (the description).
For example, to send a network alert to the administrator, the "warning.bat" file could look like this:

    NET SEND administrator "SDNSPLUS: %2"

If you only wanted to know about "Lame delegation on this server" warnings:

    IF NOT %1==401 EXIT
    NET SEND administrator "SDNSPLUS: %2"

Or you could pass one or both parameters to a VBScript or JavaScript:

    WSCRIPT warning.vbs %1 ""%2""

As an example, a VBScript file used to send an e-mail might look like this (assuming Simple DNS Plus runs on a computer with IIS including SMTP installed):

    EventID=WScript.Arguments(0)
    EventDesc=WScript.Arguments(1)
    Set MailObj=CreateObject("CDONTS.NewMail")
    MailObj.From="""Simple DNS Plus"" <[email protected]>"
    MailObj.To="<[email protected]>"
    MailObj.Subject="Message from Simple DNS Plus"
    MailObj.Body="Event ID: " & EventID & vbcrlf & _
                 "Description: " & EventDesc & vbcrlf
    MailObj.Send

To learn more about the individual errors/warnings, please see How to read the log.
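The handler below is an added example (not the manual's or JH Software's code) of a script that "warning.bat" can call with %1 and %2, turning the event table above into a structured alert: it classifies events by the ID ranges of the table, extracts the source IP address from the security warnings (301-305), and marks the events a defender would page on. The category names and the "page immediately" set are this example's own choices; the event IDs and message texts are the manual's.

```python
"""Added example (not part of the Simple DNS Plus manual): structured handler
for warning.bat events. Invoke from warning.bat as, for instance:
    python warning_handler.py %1 "%2"
(the batch line is an assumption of this example, not from the manual)."""
import re
import sys

# Category by hundreds of the event ID, following the manual's event table.
CATEGORIES = {
    1: "service start-up",
    2: "zone file / boot file",
    3: "suspicious network traffic",
    4: "lame delegation",
    5: "notify / zone transfer",
    6: "forwarding",
    7: "logging",
    9: "application error",
}

# Example policy: page someone when the server cannot serve, a zone file is
# unusable, or the application itself failed.
PAGE_IMMEDIATELY = {101, 102, 201, 203, 999}

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_RATE_RE = re.compile(r"more than (\d+) requests per second")


def parse_event(event_id, description):
    """Return a dict describing one warning.bat invocation (%1, %2)."""
    try:
        eid = int(event_id)
    except ValueError:
        raise ValueError("event ID must be numeric: %r" % (event_id,))
    level = "Error" if description.startswith("Error") else "Warning"
    event = {
        "id": eid,
        "level": level,
        "category": CATEGORIES.get(eid // 100, "unknown"),
        "description": description,
        "ip": None,
        "page": eid in PAGE_IMMEDIATELY,
    }
    ip = _IP_RE.search(description)
    if ip:
        event["ip"] = ip.group(1)     # e.g. the blocked or scanning address
    if eid == 302:
        # Event 302 reports the configured "Maximum DNS requests per second".
        m = _RATE_RE.search(description)
        event["threshold"] = int(m.group(1)) if m else None
    return event


def format_alert(event):
    """One-line summary suitable for a log line or a NET SEND message."""
    line = "SDNSPLUS %s %d [%s]: %s" % (
        event["level"], event["id"], event["category"], event["description"])
    if event["ip"]:
        line += " (source %s)" % event["ip"]
    return line


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: warning_handler.py <event-id> <description>")
    ev = parse_event(sys.argv[1], sys.argv[2])
    print(format_alert(ev))
    # Non-zero exit lets the batch file branch with IF ERRORLEVEL.
    sys.exit(2 if ev["page"] else 0)
```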

3 User Interface

The Simple DNS Plus user interface consists of 4 primary modules:

Main window
DNS Look Up window
DNS Cache Snapshot window
DNS Records window

Each of these 4 modules runs in a separate process which can function independently of the others, and each appears separately in the Windows task bar. Except for the Main window, these modules can also be accessed without the Simple DNS Plus server itself running. Each module has a number of functions and dialogs which are described in the following sections.

3.1 Main window

The main window consists of a Menu, a Tool Bar, a Status Bar, and different optional Views.

Menu

File Menu
Pause / Start server
Use to temporarily pause and re-start the DNS and DHCP services.
Shutdown Simple DNS Plus
Shuts down Simple DNS Plus.

View Menu
Tool Bar
Toggles the Tool Bar on / off.
Status Bar
Toggles the Status Bar on / off.
Performance Graph
Shows the Performance Graph View.
Active Log
Shows the Active Log View.
DHCP Leases
Shows the DHCP Leases View.

Tools Menu
Enter License Key...
Select this function when you have purchased a Simple DNS Plus license to enter your license key. This will remove the evaluation time restriction.
Edit DNS Records...
Opens the DNS Records window.
IP Address Blocking...
Opens the IP Address Blocking dialog.
Reload DNS Records
Immediately reloads all DNS records including the hosts file and root records. Use if manual changes have been made to any of the configuration files.
Clear DNS Cache
Unloads all cached records. One possible use is if you want to track through the log the exact path to finding an external domain name from the root down.
DNS Look Up...
Opens the DNS Look Up tool window.
DNS Cache Snapshot...
Opens the Cache Snapshot Viewer window.
Active Log Snapshot...
Use this function if the Active Log View is scrolling too fast or you need to copy text from the log.
Options
Opens the Options dialog.

Window Menu
Clear Active Log (only available if the Active Log view is shown)
Clears the Active Log window.
Tabbed documents
Enables/disables tabbed layout of View windows.
Tile / Cascade / Window selections
Functions to organize/select the view windows.

Help Menu
Contents and index
Opens this help file.
Online support
Opens the JH Software support web page in your default browser.
Check for updates
Checks if you are running the most recent version of Simple DNS Plus.
Support File
Generates a file "support.txt" in the directory where Simple DNS Plus is installed. This file contains various information about your setup and the state of Simple DNS Plus on your computer which can be helpful for troubleshooting by JH Software support staff.
About Simple DNS Plus
Displays the Simple DNS Plus version number and license status.

Tool Bar
Look Up Button
Opens the DNS Look Up tool.
Cache Button
Opens the Cache Snapshot Viewer.
Records Button
Opens the DNS Records dialog.
Help Button
Opens this help file.

Status Bar
The Status Bar consists of three sections:
Status
Shows current server status and, if running, the total up-time.
Requests
Total number of requests received.
Cache
Number of DNS records currently in the cache including root records and hosts file records.

3.1.1 Views

There are three different "views" available. Use the View menu to activate them. You can have multiple Views open at the same time and they can be resized with the mouse or using the "Window" menu.

Performance Graph
Shows a graph of the number of requests received per second during the last minute.

Active Log
Shows current log activity. The level of detail and number of lines displayed can be customized through the Options dialog. See How to read the log. If the log window is scrolling too fast or you need to copy text from the log, use the "Active Log Snapshot" function from the Tools menu (or press F9). Please note that the Active Log does use a considerable amount of resources, so on a busy server we recommend closing this View when not required.

DHCP Leases
Shows all active DHCP leases with each computer's name, IP address, hardware address, and when its lease expires.

The columns can be sorted by clicking the column headers. To manually delete a DHCP lease, right click on the lease and select "Delete" from the pop-up menu. In order to prevent IP address conflicts (two or more computers having the same address), it is very important that the computer for the deleted lease is also rebooted or removed from the network. Generally, it is not necessary to delete leases manually, as computers automatically release their leases when shut down properly. Older Apple/Mac clients and other devices which do not supply a computer name in the DHCP request will show with their hardware address as the name. To rename these, right click on the lease and select "Rename". The new name will be associated with the client's hardware address, and remembered as long as you run Simple DNS Plus, even if the IP address changes.

3.1.2 IP Address Blocking dialog

Someone sending an extreme number of DNS requests in rapid succession may be a hacker trying to crash the server or prevent others from using the service. You can use the functions in this dialog to automatically or manually block such hackers, or IP addresses which for any reason run amok sending you DNS requests. Please note that this feature does not block traffic other than DNS requests; to block any other type of traffic use a firewall.

Auto block
Automatically block IP addresses which send too many DNS requests too quickly
Use to enable/disable automatic blocking.
Maximum DNS requests per second
When an IP address sends more than this number of DNS requests in one second, it will automatically be blocked (a "Blocked" rule is added to the list below) and further requests from this IP address are ignored. A typical workstation computer sends far fewer DNS requests than this in one second, but we recommend you set this value to at least 30 so that no legitimate clients get blocked.
Block
Specify for how long automatic blocks should last (when/if the automatically added "Blocked" rule should expire).

IP Address Blocking Rules
List of current blocking rules. Use the "Add" / "Edit" buttons to enter rule details in the IP Address Blocking Rule dialog, and use the "Remove" button to remove a rule. There are two types of rules: "Blocked" and "Trusted". DNS requests from "Blocked" IP addresses will simply be ignored. "Trusted" IP addresses will not be blocked automatically even if they exceed the "Maximum DNS requests per second" setting above.

See also How to secure your server.

IP Address Blocking Rule dialog

Use this dialog to enter details for rules listed in the IP Address Blocking dialog:

Rule type
There are two types of rules: "Blocked" and "Trusted". DNS requests from "Blocked" IP addresses will simply be ignored. "Trusted" IP addresses will not be blocked automatically even if they exceed the "Maximum DNS requests per second" setting.
IP address
Enter the IP address (or first IP address of a subnet) that should be blocked/trusted.
Subnet Mask
Select the subnet mask of the IP address(es) that should be blocked/trusted (a full mask means a single IP address).
Rule expires
Specify if/when this rule should expire. If you select a specific date/time or a length of time, the rule will automatically be removed after this.
Comments
Enter any comments you like, for example an explanation of why this IP/subnet is blocked/trusted. When blocking automatically, Simple DNS Plus creates a comment noting when the rule was created.

3.1.3 Options dialog

The Options dialog has the following sections:

General
DNS - Requests
DNS - Recursion
DNS - Forwarding
DNS - Caching
DNS - Security
DNS - Records
DNS - Zone Transfers
DNS - Master/Slave
DNS - NAT/LAN IP
DHCP
HTTP API
Logging - Log details
Logging - Log files

Note: Additional advanced options can be specified in the "sdnsplus.ini" file.

General

General
Domain Name of this DNS server
Used as the default primary DNS server name when creating new zones (for the SOA-record and NS-record). This is typically something like "ns1.yourname.com", but can be any domain name you want.

This name is also displayed in the title bar of the Main Screen, and as a "Tool Tip" for the tray bar icon for easy reference.
Administrator's e-mail address
Used as the default "responsible person" when creating new zones (for the SOA-record). The standard for this is the "hostmaster" user name, such as "[email protected]".

Start Up
Run as Windows Service (not available on Windows 95/98/Me)
When checked, Simple DNS Plus will run as a Windows Service, being available even when no one is logged into the system.
Run in background at Windows start up / log on
When checked, Simple DNS Plus will start as soon as Windows is started or when a user logs on.
Show icon in the Windows taskbar notification area
When checked, Simple DNS Plus will be represented by a small icon in the tray bar (lower right hand corner of the screen, next to the clock).

DNS - Requests

DNS Requests
Listen for DNS requests on
Select the IP addresses on which the DNS service will be available.

DNS Responses
Optimize responses (only include NS referrals when needed)
Most DNS servers send a lot of extra "additional" information in DNS responses which is never needed by clients or other servers. This can waste both CPU cycles and bandwidth. With this option enabled, Simple DNS Plus responds with relevant "additional" data only. Some DNS analyzers (software / websites) may claim that your server is not configured correctly (does not provide root records) when this is enabled. Technically this is not an error, but the analyzers expect those records simply because that's what most other DNS servers provide. To satisfy such analyzers, simply disable this option, and then enable it again to improve performance when done analyzing.
Use Round Robin (rotate DNS records in responses)
When this option is enabled and multiple records of the same type are defined for the same name, Simple DNS Plus automatically rotates these records in responses (see Round Robin).

DNS - Recursion

Perform DNS recursion (resolve non-local domain names)
Specify which IP addresses should be offered recursion. Use the Subnet Mask to specify a range of IP addresses: a full mask means one IP address only, a mask covering the first 3 segments means all IP addresses matching the first 3 segments, etc.

When a DNS request is received from an IP address not included above, and the request is for a non-local domain name
Select one of the following options to specify how Simple DNS Plus should respond to such requests:
Respond with DNS records from cache and local hosts file (default)
Any data already cached or in the hosts file will be provided.
Respond with a "Refused" error message
Using this option, you specifically inform the client that you will not perform any recursion for them or provide any data for the requested domain name.
Do not respond (stealth DNS)
Using this option, simple port scanning will not reveal that you are running a DNS server. This may make you a less interesting target for hackers.
Respond with synthesized DNS records
Using this option, you can redirect the client to a sign-up page, or to a page informing the client that he is using the wrong DNS server.

DNS - Forwarding

DNS Forwarding (external resolution)
See DNS Forwarding for details.

DNS - Caching

Cache DNS records received in responses from other DNS servers
Use this option to enable/disable caching.
Maximum cache time
By default, records are removed from the cache based on the TTL received from the original DNS server. This option specifies the maximum amount of time cached DNS records should be kept.
Maximum cache size
You can use this option to limit the amount of memory Simple DNS Plus will use for caching.
Reload DNS cache at startup
If this option is checked, all cached records are written to disk when Simple DNS Plus is closed (including when the computer is shut down correctly). When Simple DNS Plus is later restarted, it will reload the cache, recalculating the records' TTLs based on the time the program was closed.

See also Caching.

DNS - Security

DNS security
Prevent DNS spoofing (a.k.a. "cache poisoning")
DNS spoofing is a term used for malicious cache poisoning where forged data is placed in a DNS server's cache.
Spoofing attacks can cause serious security problems, for example causing users to be directed to wrong web sites or being routed to non-authorized mail servers. When this option is checked, all records in received DNS answers are checked for authority, and records for which the answering DNS server does not have authority are ignored.

Unfortunately, by ignoring these (potentially dangerous) records, additional processing is often necessary to locate records from confirmed sources, and so it can take longer to answer a request. This option should always be enabled on Internet DNS servers, but in closed environments such as intranets, security may not be a concern and performance can be increased by disabling it.
Ignore UDP packets originating from port zero
Port scanner software is known to send network packets originating from port zero. A normal DNS client or server would never do this, so such a packet is a strong indication that a hacker is at work. You may need to disable this option if, for example, you are running some type of monitoring software that also sends requests from port zero.
Detect and close Telnet connections
Hackers sometimes use a telnet client to connect to open server TCP ports, to see if they can get some type of response or perhaps crash the server by sending it junk data. With this option enabled, Simple DNS Plus will detect most of these connections, close them down, and log the events.
Respond to BIND version requests
Since many Internet DNS servers are running some version of BIND (mainly on Unix DNS servers), hackers often initiate an attack by sending a special request for the BIND software version number. They can then compare the response with a list of known vulnerabilities for that particular version of the BIND software and launch the actual attack. With this option enabled, Simple DNS Plus will respond to such BIND version requests with a text string of your choice. When this option is not enabled, Simple DNS Plus will respond to BIND version requests with a "not implemented" error message. A warning is always logged for BIND version requests.
On Windows NT/2000/XP/2003, you can test by entering the following at a command prompt:

    NSLOOKUP -class=chaos -type=txt version.bind <dns-server-ip-address>

Maximum simultaneous inbound TCP connections
A hacker may try to open a lot of TCP connections to exhaust server resources. Use this option to limit the total number of simultaneous inbound TCP connections Simple DNS Plus will accept. When this number of connections has been reached, additional connection attempts are logged and then rejected.
Maximum recursive DNS requests to resolve simultaneously
Specifies the maximum number of recursive requests to resolve at the same time.

Automatic SPF records
Synthesize missing SPF records for local domains
Using this option you can provide SPF records for all domain names on your server without having to set up and maintain SPF records separately for every single domain name. If you need to provide unique SPF records for certain domain names, you can still set up individual SPF records for those names. This function only kicks in when there are no SPF records defined for a domain name already.

IMPORTANT: When enabling this option, SPF records are synthesized for records in ALL local zones including secondary zones. These synthesized records are provided in responses to standard DNS lookups for TXT-records only; they are NOT provided in zone transfers to secondary DNS servers. Therefore you must make sure to configure this option the same way on any secondary DNS servers for your domain names.

Please note that this function is automatically disabled for requests for any domain name containing the underscore (_) character to avoid collision problems with special purpose names such as "_domainkey".

SPF is a spam fighting method which uses DNS TXT-records to define which hosts are permitted to send e-mails for a domain. This works by defining a DNS TXT-record for the domain name containing codes specifying which hosts (mail servers) are permitted to send e-mail for the domain name. Other servers can look up this record when receiving an e-mail from an address with this domain name to verify that the sending server is connecting from a permitted IP address. For details on SPF, please see

See also
How to secure your server

DNS - Records

DNS Records

Data directory
Specify the directory where data files are stored (boot and zone files). The default is a directory called "data" under the directory where Simple DNS Plus is installed.

Load primary zones on demand only
Enabling this option will delay loading of primary zones until the first related request is received. In setups with many zones this can greatly improve the server startup time. Inactive zones will never be loaded, which may also reduce memory consumption.

Hosts File
Simple DNS Plus can use the local hosts file as a source for DNS records. The TTL specifies how long clients and other DNS servers may cache these records.

NXDOMAIN Redirect
Typically when you open a non-existing domain name in a web-browser, you either get an error page, or you are redirected to some search web-site controlled by the web-browser company. This of course happens all the time because of misspellings and bad links on web-sites. Now you can take advantage of those failed requests (from any client configured to use your DNS server) by redirecting them to your web-server instead of giving this traffic to the browser companies.
This option redirects all recursive DNS requests for non-existing domain names to a server IP address which you control. This gives you a unique opportunity to present your own custom search page, a domain sale offer, a marketing message, an intranet site, or anything else you can think of.

Important: This function redirects ALL DNS requests for non-existing domain names (it is impossible to determine if a DNS request comes from a browser or another type of application), so you may need to use the sub-option to limit this to names starting with 'www'. And to prevent this from happening to your own domains, use the other sub-option to only redirect domains for which this server is not authoritative.

Please note: Only requests for domain names confirmed non-existing (NXDOMAIN) will be redirected - not any other error type conditions. Domain names where the first 4 name segments resemble an IP address (reverse and RBL record names) will never be redirected.

DNS - Zone Transfers

Zone Transfers
The IP addresses listed here are allowed to request zone transfers for any zone hosted on this

server. Zone transfer permissions can also be specified for each individual zone in the Zone Properties dialog. However the IP addresses / subnets listed here can always zone transfer no matter what the settings are in the individual zones.

Notify
Specifies if Notify requests are sent to secondary DNS servers (telling them about zone changes).

DNS - Master/Slave

Slave servers / Master servers
Used to automate administration of secondary servers. When you create a new primary zone on one server (master server), all slave servers (the "Slave servers" list) will be notified that there is now a new zone available. When a slave server receives such a notification, it first checks its master list (those listed in "Master server") to validate the master, then requests update information and creates the zone (as secondary). A Simple DNS Plus server can act as both master (primary zones) and slave (secondary zones) at the same time, and can have multiple masters and slaves.

NOTE: This functionality is unique to Simple DNS Plus, and is not currently supported by other DNS server implementations, so both master and slave must be running Simple DNS Plus.

See also
Zone Transfers

DNS - NAT IP alias

Enable NAT IP alias conversion for DNS requests from LAN
Check/uncheck to enable/disable this function (see description below).

NAT router IP address mappings (aliases)
Enter external / internal IP address pairs.

LAN IP addresses (internal/private side of the NAT router)
Enter the private/internal IP addresses/subnets of your local area network.

This computer is on the LAN side of the NAT router
Check if this computer is located on the LAN.

Description:
In DNS responses to DNS requests from LAN clients only, this function changes A-records which are pointing to a public IP address of the NAT router to point to the corresponding private IP address of a local server.
This way, for example, HTTP requests from LAN clients for local web-sites will go directly to the local web-server instead of via the NAT router.

Background:
If you wish to run a web-server behind a NAT router, then you must point the DNS records for your web-site domain names to the public IP address of the NAT router, and on the NAT router map port 80 (for HTTP) to the private IP address of the local web-server computer. This works fine for all external visitors from the Internet. However, this setup often creates problems when you want to access your own web-site from the private side of the NAT router (from within the LAN).
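The conversion described above, rewriting A-records only in replies to LAN clients and only for addresses in the alias table, as an added example; this is illustrative code, not Simple DNS Plus' implementation, and the addresses, mappings and answers are constructed.

```python
import ipaddress

# Added illustration of the NAT IP alias conversion described above; not
# Simple DNS Plus code. Addresses, mappings and answers are constructed.

# "NAT router IP address mappings (aliases)": external/public -> internal/private,
# one-to-one as the option requires.
NAT_ALIASES = {
    "203.0.113.10": "192.168.1.20",   # public web address -> local web server
    "203.0.113.11": "192.168.1.21",   # public mail address -> local mail server
}

# "LAN IP addresses (internal/private side of the NAT router)"
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]


def validate_aliases(aliases, lan_subnets=LAN_SUBNETS):
    """Sanity-check the mapping table: every entry must be a valid address
    pair and every internal address must lie inside a configured LAN subnet."""
    for external, internal in aliases.items():
        ipaddress.ip_address(external)              # raises ValueError if malformed
        addr = ipaddress.ip_address(internal)
        if not any(addr in net for net in lan_subnets):
            raise ValueError("%s is not inside any LAN subnet" % internal)
    return True


def is_lan_client(client_ip, lan_subnets=LAN_SUBNETS):
    """Only requests from the private side of the NAT router are rewritten."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in lan_subnets)


def rewrite_answers(client_ip, answers, aliases=NAT_ALIASES, lan_subnets=LAN_SUBNETS):
    """answers: list of (name, type, data) tuples from a DNS response.
    A-records whose data is a public NAT address are pointed at the mapped
    private address for LAN clients; everything else, and every answer sent
    to an Internet client, is returned unchanged."""
    if not is_lan_client(client_ip, lan_subnets):
        return list(answers)
    rewritten = []
    for name, rtype, data in answers:
        if rtype == "A" and data in aliases:
            rewritten.append((name, rtype, aliases[data]))
        else:
            rewritten.append((name, rtype, data))
    return rewritten


if __name__ == "__main__":
    validate_aliases(NAT_ALIASES)
    reply = [("www.example.com", "A", "203.0.113.10"),
             ("example.com", "MX", "mail.example.com"),
             ("mail.example.com", "A", "203.0.113.11")]
    print(rewrite_answers("192.168.1.55", reply))   # LAN client: private addresses
    print(rewrite_answers("198.51.100.7", reply))   # Internet client: unchanged
```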

Without this function, when your web-browser makes a DNS request for the web-site domain name, it gets your public IP address and then tries to make an HTTP connection to that IP address via the NAT router. This requires the NAT router to route packets from the LAN side to the public IP address and back into the LAN - which many NAT routers cannot handle correctly. Often you get the router login page instead, or nothing at all. Even if this does work, you are putting unnecessary load on the router.

Please note: This function is for use with network setups with one or more external/public IP addresses on a NAT router mapped to internal server(s) on private IP addresses. This only works with one-to-one IP address mappings - each external/public IP address can only be mapped to a single internal/private IP address. If you need to have different ports on one external IP address mapped to different internal IP addresses, then you should run two DNS servers instead - one for external use and one for internal use.

A "NAT Router" can be a physical device such as those from Cisco, Linksys, DLink, NetGear, etc., or a computer running "Internet Connection Sharing" or similar.

DHCP

DHCP interfaces / scopes
List of current DHCP scopes. The details of each scope are defined in the DHCP Scope dialog when you click the Add/Edit buttons. Only one DHCP scope can be set up for each local IP address.

Automatically update DNS
With this setting enabled, Simple DNS Plus will automatically generate an A-record and a PTR-record (and zones to keep them in if needed) when a DHCP client leases an IP-address so that other computers can find it using DNS. This requires unique client names, meaning that no two DHCP clients may have the same host name. If two computers on the network both have the same name and both are configured to use DHCP, the second computer booted will not get an IP address and not have access to the network.
See also: DHCP

DHCP Scope dialog

Local interface
Select which local interface (IP address) should serve DHCP requests.

IP Addresses (from/to)
Specify the range (scope) of IP addresses to assign to DHCP clients.

Subnet Mask
Specify the Subnet Mask to assign to DHCP clients.

Default Gateway
Specify the Default Gateway IP address to assign to DHCP clients.

Lease Period
Specify how long DHCP clients are allowed to use the assigned IP address.

Domain Name
The Domain Name assigned to the DHCP clients. (The clients' full domain name will be <machine name>.<this domain name>)

Reservations
Reserve IP addresses for specific computers based on computer name or hardware address (network card MAC address). Click the "Add" button to make a new reservation. Select an existing reservation and click the "Edit" button to modify it or the "Remove" button to remove it.

See also: DHCP

HTTP API

Enable HTTP API interface
Check/uncheck to enable/disable this functionality.

On all local IP addresses / On IP address
Select which local IP address(es) Simple DNS Plus should listen for HTTP requests on.

TCP port number
Specify the TCP port number that Simple DNS Plus should listen for HTTP requests on.

Password
If specified, all HTTP requests are authenticated with user "admin" and this password.

Accept HTTP connections from
List the IP addresses / subnets that are allowed to make HTTP requests.

See also
How to use HTTP commands

Logging - Log Details

Log details (Disk and Active Log View)

Log individual requests, responses, and other events
Select this option to log DNS and DHCP requests.

Include DNS record details
When checked, activity will be logged on the record level.

Include outgoing DNS requests
When checked, outgoing requests (to resolve records) are logged.

Include requests from blocked IP addresses
When checked, requests from blocked IP addresses will be logged (they are still otherwise ignored).

Only log Errors and Warnings
Select this option to only log events for potential problems.

Active Log View (see Views)

Lines in Active Log View
The maximum number of log lines displayed in the Active Log View. When this number of lines is reached, older entries are removed to make room for new ones. In general we recommend the default value of 100. Higher values can impact performance, but may be helpful when troubleshooting.

Buffer when Active Log View is closed
When this option is enabled, Simple DNS Plus will continuously generate and buffer log data for the Active Log View. This way the latest log entries will always be immediately available when you open the Active Log View. This option can be very helpful for occasional troubleshooting, but generally it should be disabled to achieve the best performance.

Windows Event Log

Record errors and warnings to the Windows Event Log
With this option enabled, events such as errors and warnings are written to the Windows Event log (see Windows Control Panel / Administrative Tools / Event Viewer). This option has no effect on Windows 95/98/Me computers.

See also
How to read the log

Logging - Log files

Write full text log files to disk
When enabled, Simple DNS Plus will write all DNS/DHCP queries and responses to a log file.

Begin new log file
Select how often a new log file should be created.

Recycle
To conserve disk space select how often the log files should be recycled (overwritten with new data).

WARNING: Log files can grow very big very fast!

Write raw data of incoming DNS requests to disk
If enabled, Simple DNS Plus will create additional "raw" log files of all incoming DNS requests. This can be used to create domain / user statistics with an add-on program available from our website at

Log file directory
Specify the directory where log files are written. The default is a directory called "logs" under the directory where Simple DNS Plus is installed.
Just like with other log files, system performance can be enhanced by writing log files to a different physical disk drive (other than where the operating system is installed), but don't use a network drive.

3.2 DNS Look Up window
The DNS Look Up tool lets you query Simple DNS Plus (or any other DNS server) for:

Specific record types: A, CNAME, MX, NS, PTR, SOA (and others).
"Any" record (wildcard search).
Zone Transfer (list all the records in a zone).
WHOIS (see below).

To do a reverse look up (IP address to domain name), simply enter the IP address as the domain name, and do a PTR-record look up. The IP address will automatically be converted to an in-addr.arpa domain name.

The IP address or domain name of the DNS server to query can be specified when "DNS Server Selection" is checked in the View Menu.

When "Request Recursion" in the Tools Menu is checked (default), the DNS server will be asked to resolve the query if it doesn't have the answer in cache. Not all DNS servers accept requests for recursion (this is also an option in Simple DNS Plus). If a DNS server does not offer recursion, it will usually still respond to the request, but may only offer references to closer matching DNS servers.

WHOIS
The WHOIS look up function provides detailed information (such as name, address and phone) about the owners of a domain name or IP address. This is done through special WHOIS servers maintained by the organizations responsible for the top level domains around the world. Simple DNS Plus comes with a recent list of these servers and will automatically select the best match when the "Auto WHOIS Server" option in the Tools menu is selected (default). You can add new WHOIS servers to the list by manually editing the "whois.dat" file found in the Simple DNS Plus directory. If you do a WHOIS lookup for a top level domain not listed in the "whois.dat" file, the lookup tool will try to use the server name "whois.nic." + the last segment of the domain name entered, as this is the most common WHOIS server name.
COM Object
The DNS Look Up window is also a COM object which can be called from any script or application supporting COM objects. For details on this, please see How to integrate with other applications.

3.3 DNS Cache Snapshot window
The DNS Cache Snapshot window displays the currently cached records in an explorer style window. Domain names displayed in the left pane are organized in the DNS tree structure from the root up - backwards compared to a full domain name. To locate " in the tree, first open "<root>", then "com", then "simpledns" and finally "www".

The right pane shows any DNS records for the selected domain name. A record type of "-" means that the name does not exist, and a record type starting with "-", for example "-A", means that no records of this type exist for the name (negative caching).

3.4 DNS Records window
The DNS Records window shows defined zones and DNS records in an explorer style window. The left pane shows all zones currently defined (primary zones with a "P" icon, and secondary zones with an "S" icon), and the right pane shows DNS records for the selected zone.

To edit the properties of an existing zone (left list) or record (right list), simply double click the item (see Zone Properties and Record Properties dialogs). You can also right-click on a zone, on a record, or in an empty area of either list to quickly access related functions.

To quickly jump to a zone in the list, first click on any zone to ensure that the zone pane has focus, then type the first letter of the zone name. You can do the same in the records pane.

The following functions are available in the DNS Records window:

File menu

New (also available from the tool bar)
Create a new zone or a new record in the currently selected zone.

Copy (also available from the tool bar)
Make a copy of the currently selected zone or record.

Move to group (only available when zones are arranged by group - see View menu below)
Move the currently selected zone to a different group. You can also move a zone to a different group simply by dragging it with the mouse.

Delete (also available from the tool bar)
Delete the currently selected zone or record.

Properties (also available from the tool bar)
View/edit the properties of the currently selected zone or record.

Export zone list
Creates a zone list file in CSV format (comma separated values). CSV files can be opened/imported into most spreadsheet and database software.
Exit
Exits the DNS Records window.

View menu

Arrange zones
The zones (left list) can be organized in a simple alphabetical list (default), by primary/secondary, or by custom group.

Tool Bar / Status Bar
Display / hide the tool bar / status bar.

Refresh (also available from the tool bar)
Saves any changes made to the currently selected zone, or reloads the currently selected zone (in case it was updated by another process).

Tools menu

Quick Domain Wizard (also available from the tool bar)
Use this function to quickly and easily create new zones by only entering the most elementary information.

Bulk Updates Wizard
Use this wizard to quickly update many zones at once.

Reverse Zone Wizard (also available from the tool bar)
Use this wizard to add or modify records in an existing reverse zone without dealing with "in-addr.arpa", reversing IP addresses etc. (first select a reverse zone, then select this function).

Import Wizard
Use this wizard to migrate / import from another DNS server implementation.

TSIG Dynamic Updates
Use to set up transaction keys for TSIG authenticated dynamic DNS updates.

Help menu

Contents & Index (also available from the tool bar)
Display this help file.

Online support
Open the online support page in your browser.

Zone Properties

General

Authority for this DNS server
Specify primary or secondary. If secondary, specify the IP address of the primary DNS server to zone transfer from.

Zone aliases (shares zone file with)
Displayed only if the zone's file is shared with other zones (informational only).

SOA Record
The SOA record.

Zone Transfers (see How to secure your server)

Accept Zone Transfer requests
Specify which IP addresses should be allowed to obtain this zone through zone transfers (typically secondary DNS servers).

Dynamic Updates

Accept Dynamic Update requests
Specify which IP addresses should be allowed to dynamically update this zone (typically

computers on the local network).

Comments
This is an open text area that can contain any comments or additional information about the zone that you need, for example a client account number or information about when the domain expires etc. For new zones, Simple DNS Plus will automatically enter a comment about how and when the zone was created. Please note that this information is not transferred to secondary servers.

The "Use as default" button makes the current values on the current tab the defaults used when creating new zones.

Record Properties
The Record Properties dialog is used to specify a DNS record's Name, Data and TTL.

The record name must end with the name of the zone it belongs to (automatically enforced), and can only be entered when creating a new record or copying a record. Valid characters are: A-Z, 0-9, hyphen (-) and period (.). To specify wildcard records, enter an asterisk (*) as the first character followed by a period (.) and the rest of the name.

The Data depends on the record type - see the individual record types for more information: A, CNAME, MX, NS, PTR, more...

The "Record Time To Live (TTL)" field specifies how long other DNS servers and clients are allowed to cache this record.

The "Record comments" field can be used to keep any additional information about the record such as what the record does, or a client account number. For records created or updated via dynamic updates, HTTP, or DHCP, Simple DNS Plus will automatically enter a comment about how and when the record was created. Please note that this field is not transferred to secondary DNS servers.

For A-Records there is a special option "Update Reverse Zone".
This will create or update a PTR-record in a reverse zone to enable reverse lookups on the IP address.

New Zone Wizard
The New Zone dialog is used to set up a new zone of one of the following types:

Primary Zone
Creates a "master copy" in which you create records for your domain name. You can create a private root zone by leaving the zone name blank - but only do this if your server is for an intranet and is not going to resolve any Internet domain names. See also the Quick Domain Wizard for even faster creation of standard primary zones.

Secondary Zone

Creates a copy of a zone already configured on another (primary) DNS server for redundancy and load balancing. Records are created on the primary DNS server and automatically copied to this server through zone transfers. You will be prompted to enter the zone name, and the IP address of the primary DNS server.

Reverse Zone (Primary)
Creates a reverse zone. You will be prompted to enter the first IP address, subnet mask and the zone name. Enter the first IP address of the range of IP addresses you have, and select the subnet mask according to the number of IP addresses you have: up to (full class-c) up to up to up to up to up to up to

If you have more than one class-c network (256 IP addresses), create a separate reverse zone for each class-c. The zone name defaults to the standard in-addr.arpa name. For subnets other than (full class-c), you can change the zone name - or use the "Look Up" button to automatically detect the reverse delegation name used by your IP provider. After creating the zone, you can use the Reverse Zone Wizard to edit the individual reverse records. Please note: to create a secondary reverse zone, use the "Secondary Zone" option above.

Copy an existing zone (New Primary)
Copies all the settings and records from an existing zone. The record names and data are converted to the new zone name. You will be prompted to enter the new zone name and select the zone to copy from.

Alias for an existing zone (Zone file sharing)
Creates a new zone which shares its records and settings with another zone. Both zones will use the same file, so any changes made to one zone will immediately be reflected in the other. You will be prompted to enter the new zone name and select the alias for zone (the zone to share the file with).
To later see which zones are sharing the same file, use the Zone Properties dialog.

Quick Domain Wizard
The Quick Domain function automatically creates a new zone and the most common DNS records associated with it.

The zone and records created can be modified using the Zone Properties and Record Properties dialogs, and you can always add or remove records later.

Replace "yourname.com" in the following with your own domain name:

Domain Name
Enter your domain name (without the "

Web server IP (optional)
Enter the IP address of the web server for this domain. The wizard creates an A-record for "yourname.com" with this IP address, and a CNAME-record for " pointing to "yourname.com". This allows visitors to access your web-site through both " and just "yourname.com".

Mail server IP (optional)
Enter the IP address of the mail server for this domain. The wizard creates an MX-record for "yourname.com" pointing to "mail.yourname.com", and an A-record for "mail.yourname.com" with this IP address.

FTP server IP (optional)
Enter the IP address of the FTP server for this domain. The wizard creates an A-record for "ftp.yourname.com" with this IP address.

Secondary DNS server (optional)
Enter the name and IP address of the secondary DNS server for the domain. This secondary DNS server will be notified of changes and allowed to perform Zone Transfers on this domain/zone. The wizard creates an NS-record for "yourname.com" and, if the secondary DNS server name is part of this domain name, also a matching A-record.

The wizard also automatically creates an NS-record for the primary DNS server (this server) and a SOA-record based on the server name and administrator's e-mail address specified in the Options dialog.

Clicking the "Use as Default" button will make the current values automatically appear the next time you use the Quick Domain Wizard.

Bulk Update Wizard
Use this wizard to quickly update many zones at once.

Find and replace IP address
Use this option for example when changing the IP address of a server hosting web-sites or other services for several different domain names.
You will need to enter the old IP address and the new IP address of the server.

Update DNS server information
Use this option for example when you add or change a DNS server hosting all of your domain names. You will need to enter the primary DNS server name and optionally up to 3 secondary DNS server names.

Promote to primary DNS server
Use this option for example if your primary DNS server is permanently down/gone and you wish this

secondary DNS server to become the new primary DNS server. You will need to decide what to do about secondary zones which have already expired (create empty primary zone, leave as secondary, or delete).

Reverse Zone Wizard
Use this wizard to edit an existing reverse zone without having to deal with "in-addr.arpa", reversing IP addresses etc.

To edit a record (IP to domain name), simply double click on an IP address and enter the corresponding domain name.

The quickest way to populate all the records is the "Auto Fill" function. Enter a domain name, and all the records will be filled with something like " domainname.com", based on the IP addresses.

The "Auto Scan" function automatically populates the reverse records by scanning all standard (forward) zones for A-records with IP addresses listed in this reverse zone.

To create a new reverse zone, use the New Zone function.

Import Wizard
The Import Wizard makes it easy to migrate from another DNS server implementation. You can import zones in three different ways:

Import a zone from another DNS server through a Zone Transfer
Uses a standard zone transfer to import the zone. Security settings on the original server might prevent zone transfers. If this is the case, either adjust the security settings, or use one of the following options instead.

Import a single Zone File
Import any standard DNS zone file (RFC1035). The zone file can be located on the same computer or in any network shared directory which you have access to.

Import a set of Zone Files based on a Boot File
Import all or some of the zones from another DNS server. Most DNS servers use a "boot file" which lists all the zones for which the server is responsible. The standard is a simple text file which has one line for each zone, listing authority (primary or secondary), zone name, primary IP address (secondary zones only), and the zone's file name.
BIND (Unix DNS server) version 8.0 and later uses a file named "named.conf" which is structured similarly to a C program.

IMPORTANT - the boot file and the zone files must be located in the same directory. You may have to copy the files to a different location if they were originally arranged differently.

TSIG Dynamic Updates
These dialogs are used to set up transaction keys for TSIG authenticated dynamic DNS updates. You should configure a unique TSIG key for each client making dynamic updates.

Key Name
The key name must be specified in domain name format, but can otherwise be anything you wish. The RFC recommendation is to use a name which identifies both the client and the server - for example "client.domain1.server.domain2". However, it does not have to be part of or relate to any real domain name, and it works just as well (and is probably easier) using just a simple name like "robert".

Key Value
The key value is a binary value which must be specified base 64 encoded. Click the "Generate" button to create a random or pass phrase based value. Using a pass phrase based value makes it easier to copy the key to a client application which has the same function, but it also potentially makes the key value easier to guess.

Domain names to allow updates for
Specify which domain names clients with this key are allowed to update.

4 Definitions

4.1 Hosts file
Before DNS servers were invented, domain name translation depended entirely on the "hosts file", a text file stored on your organization's server, or on your PC. The hosts file listed, line by line, Internet domain names and their associated IP addresses. The master hosts file was compiled and stored on the machines at the Network Information Center (NIC) and was downloaded on a regular basis by everyone accessing the Internet. Obviously this hosts file quickly grew much too large to be manageable. As the Internet grows, new domain names are added by the minute, and it is impossible for every computer on the Internet to keep downloading this file. The solution of course was the DNS server system. Unlike the hosts file, DNS servers don't rely on a single large mapping file.
Instead DNS servers only contain information about the domain names they are directly responsible for and some limited reference data on how to find other domain names.

Computers (including those running Windows) can still use the "hosts" file for name to IP-address translation instead of DNS, and this works fine on a small network where there are few changes and a limited number of computers to maintain. On Windows 95/98/Me the "hosts" file is located in the "c:\windows" directory, on Windows NT4/2000 in the "c:\winnt\system32\drivers\etc" directory, and on Windows XP/2003 in the "c:\windows\system32\drivers\etc" directory. A sample "hosts" file is supplied with Windows named "hosts.sam" located in the same directory. Please note that the hosts file must be named "hosts" without any extension and it must be located in the above directories for Windows to automatically use it without a DNS server.

Simple DNS Plus can use the local "hosts" file (or any other text file) as a source for A-records, CNAME-records and PTR-records.
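How a hosts file turns into A, CNAME and PTR records, as an added example that is not Simple DNS Plus' own loader: the first name on a line becomes an A-record, any further names become CNAME-records to it, and one PTR-record is created per address unless reverse creation is switched off (the same role as the "HostReverse" setting). The hosts text is constructed.

```python
import ipaddress

# Constructed example: derive the A, CNAME and PTR records that Simple DNS Plus
# is described as providing from hosts-file lines. Illustrative code, not the
# product's own loader; the hosts text below is made up.

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      hosta.com hostb.com      # second name becomes a CNAME
192.0.2.11      adimages.example         # ad hosts pointed at a sink address
192.0.2.11      banners.example
"""


def reverse_name(ip):
    """'192.0.2.10' -> '10.2.0.192.in-addr.arpa' (IPv6 yields ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def hosts_to_records(text, ttl=3600, host_reverse=True):
    """Return (name, type, data, ttl) tuples for every usable hosts line.
    host_reverse mirrors the "HostReverse" switch: False creates no PTR-records,
    which matters when many names share one address (ad blocking)."""
    records = []
    ptr_seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                                  # address with no name
        ip = fields[0]
        canonical = fields[1].lower()
        aliases = [a.lower() for a in fields[2:]]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                  # skip malformed lines
        records.append((canonical, "A", ip, ttl))
        for alias in aliases:
            records.append((alias, "CNAME", canonical, ttl))
        if host_reverse and ip not in ptr_seen:
            # one PTR per address: the first name listed for that IP wins
            ptr_seen.add(ip)
            records.append((reverse_name(ip), "PTR", canonical, ttl))
    return records


def lookup(records, name, rtype):
    """All data values for a name/type pair, in file order."""
    name = name.lower()
    return [r[2] for r in records if r[0] == name and r[1] == rtype]


if __name__ == "__main__":
    for rec in hosts_to_records(SAMPLE_HOSTS):
        print(rec)
```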

Host file line example:

hosta.com hostb.com

Defines an A-Record (hosta.com= ), a PTR-record ( in-addr.arpa=hosta.com) and a CNAME-record (hostb.com=hosta.com).

Specify the file path and name of the Windows "hosts" file in the Options dialog / DNS Records section, and Simple DNS Plus will provide records from the file as if they were defined as standard DNS records.

One popular use of this feature in Simple DNS Plus is to block banner ad servers. For example pointing "adimages.yahoo.com" to , would prevent anything including banner ad images from being downloaded from that domain. If bandwidth is an issue, this can be a big help.

The automatic creation of PTR-records from the hosts file data can be turned off using the "HostReverse" setting in the sdnsplus.ini file. This is recommended if you are using the hosts file to point a lot of domains to the same IP address as suggested above.

4.2 DNS Caching
Each time a recursive DNS request is made to Simple DNS Plus, it stores in memory (cache) all the different DNS records it comes across while searching for the requested records. The cached DNS records are then used in subsequent requests to locate information faster.

By default, cached DNS records are stored until they time out based on their TTL. Simple DNS Plus also has a "Reload DNS cache at startup" option to make its cache persistent between shutdowns and re-starts. When this option is enabled, the currently cached records are written to disk whenever Simple DNS Plus is shut down (including when the computer is shut down correctly), and when Simple DNS Plus is later restarted, it will re-load the cache and recalculate the records' TTLs based on the time the program was closed.

Most DNS servers will not cache a DNS record for more than one week. This is also the default in Simple DNS Plus, but you can change this through the "Maximum cache time" option.
To view a snapshot of the currently cached records, from the main window click the "Cache" button or press F4.

To empty the cache, from the main window select Tools menu -> Clear DNS Cache, or use the "-C" command line option.

You can change the various options related to DNS caching in the Options dialog / DNS caching section.

4.3 TTL (Time To Live)
All DNS records have a TTL property, specifying the amount of time other DNS servers and applications are allowed to cache the record. When a DNS record is stored in the cache of a DNS server, the record's TTL is continuously reduced as time goes by, and when the TTL finally reaches zero the record is removed from the cache.
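The caching and TTL behaviour described in the two sections above, as an added example rather than Simple DNS Plus code: entries count their TTL down and are handed on with the remaining value, a TTL of zero is never cached, TTLs are capped at a maximum cache time (one week by default), negative answers are kept under a "-" type for the SOA minimum, and a saved cache is reloaded with TTLs recomputed from the time it was written. The record values are constructed.

```python
import json

# Constructed illustration of the cache/TTL rules described above; not the
# product's implementation. Times are plain seconds so the logic is testable.

ONE_WEEK = 7 * 24 * 3600


class DnsCache:
    def __init__(self, max_cache_time=ONE_WEEK):
        self.max_cache_time = max_cache_time       # "Maximum cache time" option
        self._entries = {}                          # (name, type) -> (data, expires_at)

    def store(self, name, rtype, data, ttl, now):
        """TTL 0 means 'do not cache'; longer TTLs are clamped to the maximum."""
        if ttl <= 0:
            return
        ttl = min(ttl, self.max_cache_time)
        self._entries[(name.lower(), rtype)] = (data, now + ttl)

    def store_negative(self, name, rtype, soa_minimum, now):
        """Negative caching: a name/type that does not exist is remembered for
        the SOA minimum TTL, shown as type "-A" like the Cache Snapshot window."""
        self.store(name, "-" + rtype, None, soa_minimum, now)

    def get(self, name, rtype, now):
        """Return (data, remaining_ttl) or None; expired entries are dropped."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        data, expires_at = entry
        remaining = int(expires_at - now)
        if remaining <= 0:
            del self._entries[key]
            return None
        return data, remaining          # pass along the current TTL, not the original

    def save(self, now):
        """Snapshot for a persistent cache: remaining TTLs plus the save time."""
        snapshot = {
            "saved_at": now,
            "entries": [[n, t, d, int(e - now)]
                        for (n, t), (d, e) in self._entries.items()],
        }
        return json.dumps(snapshot)

    @classmethod
    def load(cls, blob, max_cache_time=ONE_WEEK):
        """Rebuild a cache from save(); stored TTLs count from saved_at, so the
        time the program was closed is subtracted on the next get()."""
        snap = json.loads(blob)
        cache = cls(max_cache_time)
        for name, rtype, data, ttl in snap["entries"]:
            cache.store(name, rtype, data, ttl, snap["saved_at"])
        return cache


if __name__ == "__main__":
    cache = DnsCache()
    cache.store("www.example.com", "A", "192.0.2.1", 3600, now=1000)
    print(cache.get("www.example.com", "A", now=1600))      # ('192.0.2.1', 3000)
    reloaded = DnsCache.load(cache.save(now=1600))
    print(reloaded.get("www.example.com", "A", now=2600))   # ('192.0.2.1', 2000)
```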

When a DNS server passes DNS records from the cache along to applications and other DNS servers, it supplies the current (remaining) TTL value, not the original. This way the original TTL is never exceeded, no matter how many DNS servers the record passes through.

Even when a DNS server reports that a certain record does not exist, this negative answer is cached, using the "minimum TTL" from the SOA-record supplied in the response.

Setting a record's TTL to zero means that applications and DNS servers are not allowed to cache the record.

When deciding on the TTL, you need to consider how often the record will be changed. Because of caching, changes to a DNS record will not reach the entire network until the original TTL has expired - a good reason for setting a short TTL. But caching helps reduce network traffic. The longer the TTL, the longer the record will live in other DNS server caches around the world, and so fewer requests to the original DNS server are needed - a good reason for setting a long TTL.

Generally, for a record pointing to a server/device with a static IP address and no need for quick updates, a TTL of one day is a good starting point. However, if the record is for a host with a dynamic IP address or for a server which is part of a failover set, you should be using a TTL value of a few minutes or less.

Most DNS servers will not cache a DNS record for more than one week. This is also the default in Simple DNS Plus, but you can change this through the "Maximum cache time" option.

Use the Record Properties dialog to modify a record's TTL (select the record in the DNS Records window, and click the "Properties" button).

4.4 Root DNS records

At the top of the domain name hierarchy is the root domain (typically referenced by a single dot, or <root>). Information about this domain resides on 13 root DNS servers located around the world.
All Internet DNS servers are configured with references to these root servers, referred to as the "root file", "hints file" or "cache file".

Below the root domain are the top-level domains, which are either country specific or generic. Examples of country specific top-level domains are SG (Singapore) and CA (Canada), while generic top-level domains include the well-known COM (commercial organizations), EDU (educational institutions), GOV (governmental organizations), and NET (network organizations), among others. Note that top-level domains outside the U.S. are typically country specific, while U.S.-based sites typically use generic names. Below the top-level domains are the second-level domains (whitehouse.gov, microsoft.com, simpledns.com), and then the third-level domains, and so on down the chain.

To locate any domain name, a DNS server generally starts by asking one of the root servers (unless it already has a closer match cached). The root server will supply references (NS-records) to DNS servers responsible for the next level (.com, .net, etc.). The DNS server then repeats the request to one of those servers, which will supply references to the next level (for example simpledns.com), and so it goes on until the requested domain name is found. This process is known as recursion. This way a DNS server can locate any name in the world, as long as it knows the addresses of the root DNS servers.

Simple DNS Plus includes the standard root file ("named.root") from the InterNIC containing records for the current Internet root DNS servers. This file is automatically loaded at startup (unless a private root zone has been defined), and Simple DNS Plus automatically checks for updates to keep it current (unless you disable this using the "AutoUpdateRoot" option in the sdnsplus.ini file).

4.5 DNS Recursion

DNS requests can either be "recursive" or "non-recursive". Client applications typically request that the DNS server performs recursion for them by setting the "RD" (recursion desired) flag in the request packet. This is a recursive request. Client applications do this both because they do not possess the ability to resolve domain names themselves, and also to take advantage of centralized caching on the DNS server. However, when a DNS server sends requests to other DNS servers as part of the recursion process, these requests are typically non-recursive (the RD flag is not set).

The DNS server indicates back to the client whether it is willing to perform recursion or not by setting or not setting the "RA" (recursion available) flag in the response packet.

When a DNS server receives a recursive request from a client that it is willing to perform recursion for, it will go through the process of resolving the requested domain name by first asking the root servers, which respond with a referral to the top level DNS servers, then asking one of those servers, which respond with a referral to the next level DNS servers, etc.

When a DNS server receives a non-recursive request, or a request from a client that it is not willing to perform recursion for, it typically responds immediately with whatever local data it has available at the time without doing any additional processing. Simple DNS Plus can also be configured to respond to such requests with an error, with synthesized records, or not respond at all, in the Options dialog / DNS Recursion section.

A recursive request requires a lot more processing by the server compared to a non-recursive request. So it is important to configure Simple DNS Plus to only offer recursion to trusted clients.
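The RD and RA flags of section 4.5, and the "only offer recursion to trusted clients" policy, as an added Python example: it unpacks the fixed DNS header, then decides per client whether to recurse (RA set), answer from local data only (RA clear) or refuse. This is example code, not Simple DNS Plus code; the trusted networks and query IDs are constructed.

```python
"""DNS header RD/RA flags and a recursion policy check for section 4.5.
Added example, not Simple DNS Plus code; the trusted networks are constructed."""
import ipaddress
import struct

# Constructed policy: only these clients are "offered recursion".
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                    ipaddress.ip_network("127.0.0.0/8")]

FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_REFUSED = 5


def parse_header(packet: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header (RFC1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", packet[:12])
    return {"id": ident, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "qdcount": qdcount}


def build_query_header(ident: int, recursion_desired: bool) -> bytes:
    """Header of a client query with one question (the question section itself is omitted)."""
    flags = FLAG_RD if recursion_desired else 0
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0)


def decide_response(query: bytes, client_ip: str, refuse_untrusted: bool = True):
    """Return (mode, response_header) for a query from client_ip.

    recursive        - RD set and client trusted: resolve fully, RA set
    local-data-only  - RD clear, or untrusted client when not refusing: own zones/cache only, RA clear
    refused          - RD set, untrusted client, refuse_untrusted: RCODE REFUSED, RA clear
    """
    hdr = parse_header(query)
    client = ipaddress.ip_address(client_ip)
    trusted = any(client in net for net in TRUSTED_NETWORKS)
    flags = FLAG_QR | (FLAG_RD if hdr["rd"] else 0)   # RD is echoed back to the client
    if hdr["rd"] and trusted:
        mode, flags = "recursive", flags | FLAG_RA
    elif hdr["rd"] and refuse_untrusted:
        mode, flags = "refused", flags | RCODE_REFUSED
    else:
        mode = "local-data-only"
    return mode, struct.pack("!6H", hdr["id"], flags, hdr["qdcount"], 0, 0, 0)
```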
You can configure this in the Options dialog / DNS Recursion section.

NOTE: For programs like browsers and e-mail clients to work, they must have access to a DNS server that offers recursion. Therefore local computers (including the server itself) should always be offered recursion.

4.6 DNS Forwarding

When Simple DNS Plus receives a DNS request for a domain name configured for forwarding (Options dialog - DNS - Forwarding), it skips the normal DNS resolution process and instead forwards the DNS request to the specified DNS servers, asking them to do the resolution work for it.

Of course, if local data (own zones / cached records) matching the DNS request already exists, the request will not be forwarded, but rather replied to immediately using this local data. This also means that setting up DNS forwarding for a domain name which is also a local zone has no effect - data will always be served from the local zone and requests are never forwarded. However, DNS forwarding for a sub-name of a local zone will cause forwarding.

You can configure Simple DNS Plus to use forwarding for all domain names, and/or for specific domains (including their sub-names), and use extended forwarding:

Forwarding for all domain names

You can use forwarding for all domain names, for example, if you have multiple local DNS servers and wish to build up a central cache on one or a few DNS servers, thereby limiting the DNS traffic sent over your Internet connection. In this case you would set up one (or a few) DNS servers (the central servers) to do normal resolution with no forwarding, and set up the remaining DNS servers to forward requests for all domains to these central servers.

IMPORTANT: We have noticed that for no apparent reason many users have configured Simple DNS Plus (and other DNS servers) to forward DNS requests for all domain names to their ISP's DNS servers. Generally we do NOT recommend doing this. If the computer running Simple DNS Plus has Internet access, Simple DNS Plus can fully resolve any Internet domain name without the help of any forwarding DNS servers. Very often forwarding to your ISP's DNS servers only makes resolution slower, as this adds another lookup step to the resolution process, and often ISP DNS servers are overloaded and slow to respond. By forwarding DNS requests to your ISP's DNS servers, you also inherit any security issues that those DNS servers might have. For example, if your ISP's DNS servers are spoofed, so is your DNS server.

However, in certain situations, for example if your Internet connection is slow, it may be appropriate to forward to your ISP in order to limit traffic on your own connection and take advantage of DNS caching on your ISP's DNS servers.

Domain specific forwarding

You can use domain specific forwarding, for example, if you wish to be able to resolve both Internet domain names as well as a private domain name hosted on another DNS server. In this case you would configure forwarding specifically for the private domain name only.
Extended Forwarding

Normal forwarding (and normal resolution) is only performed for recursive DNS requests, and only when the request originates from an IP address which is offered recursion (Options dialog - DNS - Recursion). However, Simple DNS Plus also has a unique "extended forwarding" option, which when enabled causes ALL DNS requests for the specified domain and its sub-names to be forwarded.

There are several scenarios in which you might want to do this - for example:

- You are hosting part of your DNS data on a separate DNS server, but you only have one public IP address available for hosting DNS.
- You are hosting some or all of your DNS data on a separate specialized DNS server (for example an RBL list server) which requires a lot of resources (for example serving data from a database), and you want to offload this by having Simple DNS Plus sit in front of it caching the data, thereby causing fewer requests to hit the specialized DNS server.
- You are hosting some or all of your DNS data on a separate DNS server which you don't want to expose directly to the Internet (for example if you have to use some other DNS software with known vulnerabilities). Simple DNS Plus will only forward standard DNS requests, only for the specified domain name, and it automatically filters out most malformed data.

In all 3 scenarios, you can set up Simple DNS Plus on a computer with both a private IP address and a public IP address (or with a public IP address NAT mapped to it), set up the other DNS server on a private IP address only, and configure Simple DNS Plus to use extended forwarding for the domains hosted on the other DNS server.

4.7 Round Robin

Round Robin is a method of managing server (web, ftp, mail etc.) congestion by distributing connection load across multiple servers containing identical content.

Round robin works on a rotating basis: one record is handed out, then moves to the back of the list; the next record is handed out, then it moves to the end of the list; and so on, depending on the number of servers being used. This works in a looping fashion.

Let's say a company has one domain name and an identical home page residing on three web servers with three different IP addresses. When one user accesses the home page he/she will be sent to the first IP address. The second user who accesses the home page will be sent to the next IP address, and the third user will be sent to the third IP address. In each case, once the IP address is given out, it goes to the end of the list. The fourth user, therefore, will be sent to the first IP address, and so forth.

Round Robin is enabled in the Options dialog / DNS Requests section. Round Robin kicks in whenever two or more records with the same name and type exist in your own records or cached data - such as two A-records with identical names (but different IP addresses).

4.8 Zones

Domains are broken into "zones" for which individual DNS servers are responsible. A domain represents the entire set of names / machines that are contained under an organizational domain name. For example, all domain names ending with ".com" are part of the "com" domain.

A zone is a domain less any sub-domains delegated to other DNS servers (see NS-records). A DNS server could be responsible (authoritative) for all records under the "xyz.com" domain, but by defining NS-records for "abc.xyz.com", part of the domain is delegated to another DNS server - and perhaps even a different company/entity.

A zone contains exactly one SOA-record describing the general properties of the zone, and any number of other DNS records. Entire zones can be transferred from a primary DNS server to secondary DNS servers through Zone Transfers.
For intranet (private network) DNS servers, a private root zone can be defined by leaving the zone name blank in the New Zone Wizard.

To create a new zone, use the New Zone function by clicking the "New" button in the DNS Records window.

4.9 Zone Transfers

See also: How to setup primary / secondary

When changes are made to a zone and its records on the primary server, a zone transfer is used to update DNS records on secondary DNS servers. A primary server has the "master" copy of a zone, and secondary servers keep copies of the zone for redundancy. When changes are made to zone data on the primary, they must be distributed to the secondary servers.

Most DNS servers (including Simple DNS Plus) automatically notify secondary servers whenever changes are made, and most DNS servers (again including Simple DNS Plus) will request a zone transfer whenever such a notification is received. For this to work correctly, NS-records (and corresponding A-records) for each secondary DNS server must exist in the zone.

Secondary servers also periodically check for changes by polling the SOA-record of the zone from the primary server and checking the serial number. Whenever changes are made to a zone and its records, the serial number of the SOA-record is always incremented as well.

The periodic polling by the secondary servers is controlled by the refresh, retry, and expire parameters of the SOA-record. The secondary server waits the "refresh" interval before checking with the primary for a new serial number. If this check cannot be completed, new checks are started every "retry" interval. If the secondary finds it impossible to perform a serial check within the "expire" interval, it discards the zone. When the poll shows that the zone has changed (higher serial number), the secondary server will request a zone transfer.

The actual zone transfer operation transfers all the records in the zone from the primary to the secondary server (similar to FTP). Simple DNS Plus supports a special optimized "incremental zone transfer" method which saves bandwidth by only transferring those changes made since the last zone transfer. Simple DNS Plus will by default request incremental zone transfers when getting zone updates from another (primary) DNS server. If that primary server does not support this and returns an error, Simple DNS Plus will then revert to doing a regular zone transfer.
If you know that your primary DNS server does not support incremental zone transfers, you can prevent Simple DNS Plus from first trying this with the "UseIXFR" setting in the "sdnsplus.ini" file.

4.10 Reverse Zone / in-addr.arpa

Reverse DNS is IP address to domain name mapping - the opposite of forward (normal) DNS, which maps domain names to IP addresses. Reverse DNS is maintained in a separate set of data from forward DNS. For example, forward DNS for "abc.com" pointing to a certain IP address does not necessarily mean that reverse DNS for that IP address also points to "abc.com".

Reverse DNS is mostly used by humans for such things as tracking where a web-site visitor came from, or where an e-mail message originated, etc. Reverse DNS is typically not as critical as forward DNS - visitors will still reach your web-site just fine without any reverse DNS for your web-server IP or the visitor's IP.

However, there is one important exception: Many e-mail servers on the Internet (including AOL's) are configured to reject incoming e-mail from any IP address which does not have reverse DNS. So if you run your own e-mail server, reverse DNS must exist for the IP address that outgoing e-mail is sent from. It does not matter what the reverse DNS record for your IP address points to, as long as it is there. If you host multiple domains on one server, just set up reverse DNS to point to whichever domain name you consider primary. (E-mail servers checking for reverse DNS know that it is normal to host many domains on a single IP address, and it would be impossible to list all those domains in reverse DNS for the IP.)

A special PTR-record type is used to store reverse DNS entries. The name of a PTR-record is the IP address with the segments reversed + ".in-addr.arpa".

In Simple DNS Plus, a zone for reverse DNS records is created using the New Zone function in the DNS Records window. Simple DNS Plus provides a Reverse Zone Wizard which makes it easy to maintain reverse zones and records (without dealing with "in-addr.arpa", reversing IP addresses, etc.). Reverse records can also be created automatically by checking "Update reverse zone" when entering A-records through the Record Properties dialog.

Reverse DNS is also different from forward DNS in who points (delegates) the zone to your DNS server. With forward DNS, you point the zone to your DNS server by registering that domain name with a registrar. With reverse DNS, your Internet connection provider (ISP) must point the zone ("...in-addr.arpa") to your DNS server. Without this delegation from your ISP, your reverse zone will not work.

If you are assigned the class C network 1.2.3.X, your ISP can delegate DNS authority for the "3.2.1.in-addr.arpa" domain name to your DNS server. Your DNS servers should in this case have a zone called "3.2.1.in-addr.arpa" containing PTR-records for all active IP addresses in the class C network.

It is also possible to delegate "in-addr.arpa" authority for less than one class C network (256 IP addresses). This can be achieved in different ways, but typically follows the style described in RFC2317. (Please note: Many ISPs will not do this sub-delegation if you only have one or a few IP addresses.
In this case your ISP has probably already set up some default reverse DNS for your IP addresses.)

For example, if you are assigned the network 1.2.3.24/29 (1.2.3.24 to 1.2.3.31, subnet mask 255.255.255.248), the owner of the class C 1.2.3.X (your ISP) would have these DNS entries on his DNS server:

NS    24/29.3.2.1.in-addr.arpa = your-dns-server-name1
NS    24/29.3.2.1.in-addr.arpa = your-dns-server-name2
CNAME 25.3.2.1.in-addr.arpa = 25.24/29.3.2.1.in-addr.arpa
CNAME 26.3.2.1.in-addr.arpa = 26.24/29.3.2.1.in-addr.arpa
CNAME 27.3.2.1.in-addr.arpa = 27.24/29.3.2.1.in-addr.arpa
CNAME 28.3.2.1.in-addr.arpa = 28.24/29.3.2.1.in-addr.arpa
CNAME 29.3.2.1.in-addr.arpa = 29.24/29.3.2.1.in-addr.arpa
CNAME 30.3.2.1.in-addr.arpa = 30.24/29.3.2.1.in-addr.arpa

And your DNS server would have a zone named "24/29.3.2.1.in-addr.arpa" with the following records:

NS    24/29.3.2.1.in-addr.arpa = your-dns-server-name1
NS    24/29.3.2.1.in-addr.arpa = your-dns-server-name2
PTR   25.24/29.3.2.1.in-addr.arpa = name1.your-domain-name
PTR   26.24/29.3.2.1.in-addr.arpa = name2.your-domain-name
PTR   27.24/29.3.2.1.in-addr.arpa = name3.your-domain-name
PTR   28.24/29.3.2.1.in-addr.arpa = name4.your-domain-name
PTR   29.24/29.3.2.1.in-addr.arpa = name5.your-domain-name
PTR   30.24/29.3.2.1.in-addr.arpa = name6.your-domain-name

A reverse lookup for IP 1.2.3.27 (PTR-record for "27.3.2.1.in-addr.arpa") would first return an alias (CNAME-record) for "27.24/29.3.2.1.in-addr.arpa" from the class C owner's DNS server, which is then translated to "name3.your-domain-name" by your DNS server.

4.11 Dynamic DNS updates

Dynamic DNS updates are used to create and update DNS records directly via the DNS protocol. Simple DNS Plus supports standard dynamic updates (RFC2136) and TSIG authenticated dynamic updates (RFC2845). Standard dynamic updates are configured for each primary zone in the Zone Properties dialog. TSIG authenticated dynamic updates are configured by setting up keys in the TSIG Dynamic Updates dialog.

Standard dynamic updates can be secured by specifying which IP addresses are allowed to send such updates. This is simple and efficient in a secure environment such as an intranet. For updates sent over the Internet, where the originating IP address may not be known beforehand (dynamic IP) and does not guarantee the identity of the sender (IP spoofing), the dynamic DNS update can be authenticated using a transaction signature (TSIG). This is a method of cryptographically signing the update data with a key name / value pair (similar to a user name / password pair). The key name identifies the client to the DNS server, and the key value is a shared secret known only by this client and the DNS server.

Client applications supporting dynamic DNS updates:

- Recent versions of Microsoft Windows (Me, 2000, and later) have a TCP/IP option "Register this connection's addresses in DNS" which uses dynamic DNS update to automatically update DNS records for itself. Standard dynamic updates are used by default. TSIG authenticated updates are not supported.
- Several Internet dynamic IP address update clients support TSIG authenticated dynamic DNS updates, for example "DynSite".
- Another product from JH Software, Simple Failover, supports both standard and TSIG authenticated dynamic updates.

4.12 DHCP
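The RFC2317 classless reverse delegation from section 4.10, worked in Python as an added example (not Simple DNS Plus code): it builds the class C owner's NS and CNAME records and the delegated "24/29" zone with its PTR-records for any block smaller than a class C, and models the two-step lookup. All addresses and server names are constructed; 192.0.2.0/24 is the documentation range.

```python
"""RFC2317 classless reverse delegation for section 4.10 (added example, not Simple DNS Plus
code). All addresses and names are constructed; 192.0.2.0/24 is the documentation range."""
import ipaddress


def reverse_name(ip: str) -> str:
    """'192.0.2.27' -> '27.2.0.192.in-addr.arpa' (segments reversed, suffix appended)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def classless_delegation(block: str, ns_names, ptr_names):
    """Build the parent-zone and child-zone records for a block smaller than a class C.

    Returns (parent_records, child_zone_name, child_records) as (type, name, data) tuples.
    ptr_names maps an IP address string to the name its PTR-record should point to.
    """
    net = ipaddress.ip_network(block, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC2317 style delegation is for blocks smaller than a class C")
    first = str(net.network_address).split(".")
    parent_zone = f"{first[2]}.{first[1]}.{first[0]}.in-addr.arpa"   # the class C owner's zone
    child_zone = f"{first[3]}/{net.prefixlen}.{parent_zone}"         # e.g. 24/29.2.0.192.in-addr.arpa

    # Parent zone (the ISP): NS-records delegating the child zone, plus one CNAME per host
    # address pointing from the normal reverse name into the delegated zone.
    parent = [("NS", child_zone, ns) for ns in ns_names]
    child = [("NS", child_zone, ns) for ns in ns_names]
    for host in net.hosts():                      # excludes network and broadcast addresses
        ip = str(host)
        last = ip.split(".")[3]
        parent.append(("CNAME", reverse_name(ip), f"{last}.{child_zone}"))
        if ip in ptr_names:
            child.append(("PTR", f"{last}.{child_zone}", ptr_names[ip]))
    return parent, child_zone, child


def reverse_lookup(ip: str, parent_records, child_records):
    """The two-step lookup: CNAME from the class C owner, then PTR from the delegated zone."""
    alias = next((d for t, n, d in parent_records
                  if t == "CNAME" and n == reverse_name(ip)), None)
    if alias is None:
        return None
    return next((d for t, n, d in child_records if t == "PTR" and n == alias), None)
```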
DHCP is used to automatically assign IP-addresses and other network configuration options to networked computers and devices on a local area network. On a Windows computer, the default option for the IP-address in the TCP/IP protocol settings (under network properties) is "Obtain an IP address automatically". This allows a DHCP server (like Simple DNS Plus) to automatically assign the client computer an IP-address, subnet mask, domain name, default gateway and DNS server (Simple DNS Plus automatically assigns itself as the DNS server).

An IP-address is "leased" to a client computer for a configurable length of time known as the "lease period". This is the maximum time the client computer may use the IP address without getting the lease renewed. After half of the lease period has elapsed, the client computer will begin continuously trying to renew the lease.

IP addresses can be reserved for specific computers based on computer name or hardware address (network card MAC address). To determine a computer's hardware address, on Windows 95/98/Me, run "WINIPCFG" (from Start menu -> Run), select the correct adapter (network card), and see "Adapter Address". On Windows NT4/2000/XP/2003, run "IPCONFIG /ALL" from a command prompt, and see "Physical Address".

When a DHCP client leases an IP-address, Simple DNS Plus can automatically generate an A-record and a PTR-record (and zones to keep them in, if needed), so that other computers can find it using DNS, just as if the client had a fixed IP-address and the DNS server had records defined for it. To enable this functionality, use the "Automatically update DNS" setting in the Options dialog / DHCP section. In DNS, the full domain name of the client will be the computer name (defined under "Identification" in network settings), cleaned of spaces and special characters, plus the domain name defined in the DHCP scope.

Simple DNS Plus has a unique option for using DHCP with older Apple/Mac clients and other devices which do not supply a computer name in their DHCP requests. When first assigned an IP address, the client name will be listed as the client's hardware address as a hexadecimal number, but you can right-click on the lease (DHCP Leases View) and "rename" it - giving it a real name, which is both easier to remember and usable via DNS. The new device name will be remembered as long as you run Simple DNS Plus, even if the IP address changes.

To configure DHCP, from the main window select Tools menu -> Options -> DHCP section.

To view active DHCP leases, from the main window select View menu -> DHCP Leases.

Additional advanced options for DHCP can be specified in the "sdnsplus.ini" file.

5 Common DNS Record Types

5.1 A (Host Address)

The A-record is the most basic and the most important DNS record type.
It is used to translate human friendly domain names (such as a web-site's name) into IP-addresses (machine friendly numbers). A-records are the DNS server equivalent of the hosts file - a simple domain name to IP-address mapping. A-records are not required for all computers, but are needed for any computer that provides shared resources on a network.

To create a new A-record, right-click a zone in the left list of the DNS Records window, and select "New Host Address (A-record)" from the pop-up menu.

This record type is defined in RFC1035.

5.2 CNAME (Alias)

CNAME-records are domain name aliases. Computers on the Internet often perform multiple roles such as web-server, ftp-server, chat-server etc. To mask this, CNAME-records can be used to give a single computer multiple names (aliases). For example, the computer "computer1.xyz.com" may be both a web-server and an ftp-server, so two CNAME-records are defined: "www.xyz.com" = "computer1.xyz.com" and "ftp.xyz.com" = "computer1.xyz.com".

Sometimes a single server computer hosts many different domain names (take ISPs), and so CNAME-records may be defined pointing each hosted www name to the server's own name.

The most common use of the CNAME-record type is to provide access to a web-server using both the standard "www.domain.com" and "domain.com" (with and without the www prefix). This is usually done by creating an A-record for the short name (without www), and a CNAME-record for the www name pointing to the short name.

CNAME-records can also be used when a computer or service needs to be renamed, to temporarily allow access through both the old and new name.

A CNAME-record should always point to an A-record and never to itself or another CNAME-record, to avoid circular references.

To create a new CNAME-record, right-click a zone in the left list in the DNS Records window, and select "New Alias (CNAME-record)" from the pop-up menu.

This record type is defined in RFC1035.

5.3 MX (Mail Server)

MX-records are used to specify the e-mail server(s) responsible for a domain name. Each MX-record points to the name of an e-mail server and holds a preference number for that server.

If a domain name is handled by multiple e-mail servers (for backup/redundancy), a separate MX-record is used for each e-mail server, and the preference numbers then determine in which order (lower numbers first) these servers should be used by other e-mail servers. If a domain name is handled by a single e-mail server, only one MX-record is needed and the preference number does not matter.
When sending an e-mail to "[email protected]", your e-mail server must first look up any MX-records for "xyz.com" to see which e-mail servers handle incoming e-mail for "xyz.com". This could be "mail.xyz.com" or someone else's mail server like "mail.isp.com". After this it looks up the A-record for that server name to connect to its IP-address.

IMPORTANT: An MX-record must point to the name of a mail server - not directly to the IP-address. Because of this, it is very important that an A-record for the referenced mail server name exists (not necessarily on your DNS server, but wherever it belongs), otherwise there may not be any way to connect to that server.

Do not point an MX-record to a CNAME-record. Many e-mail servers don't understand this. Add another A-record instead.

To create a new MX-record, right-click a zone in the left list in the DNS Records window, and select "New Mail Server (MX-record)" from the pop-up menu.

This record type is defined in RFC1035.

5.4 NS (DNS Server)

NS-records identify the DNS servers responsible (authoritative) for a zone.

A zone should contain one NS-record for each of its own DNS servers (primary and secondaries). This is mostly used for zone transfer purposes (notify messages). These NS-records have the same name as the zone in which they are located.

But the more important function of the NS-record is delegation. Delegation means that part of a domain is delegated to other DNS servers. For example, all ".com" sub-names (such as "simpledns.com") are delegated from the "com" zone (hosted by the "InterNIC"). The "com" zone contains NS-records for all ".com" sub-names (a lot!).

You can also delegate sub-names of your own domain name (such as "subname.yourname.com") to other DNS servers. You are in effect the "InterNIC" for all sub-names of your own domain name (if you have a really cool domain name, you might even be able to sell sub-names for profit). To delegate "subname.yourname.com", create NS-records for "subname.yourname.com" in the "yourname.com" zone. These NS-records must point to the DNS server responsible for "subname.yourname.com" - for example "ns1.subname.yourname.com" - or a DNS server somewhere else, like "ns1.othername.net".

An NS-record identifies the name of a DNS server - not the IP-address. Because of this, it is important that an A-record for the referenced DNS server exists (not necessarily on your DNS server, but wherever it belongs), otherwise there may not be any way to connect with that DNS server. If an NS-record delegates a sub-name ("subname.yourname.com") to a DNS server with a name in that sub-name ("ns1.subname.yourname.com"), an A-record for that server ("ns1.subname.yourname.com") must exist in the parent zone ("yourname.com").
This A-record is called a "glue record", because it doesn't really belong in the parent zone, but is necessary to locate the DNS server for the delegated sub-name.

To create a new NS-record, right-click a zone in the left list in the DNS Records window, and select "New DNS server (NS-record)" from the pop-up menu.

This record type is defined in RFC1035.

5.5 PTR (Reverse)

PTR-records are used to map IP addresses to domain names (the reverse of A-records). The name of a PTR-record is the IP address with the segments reversed and with "in-addr.arpa" appended to the end. As an example, looking up the domain name for an IP address is done with a query for the PTR-record named after the reversed address followed by ".in-addr.arpa".

For more information see the section on Reverse Zone / "in-addr.arpa".
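The rules from sections 5.2 to 5.4 (a CNAME must not point to itself or another CNAME and should resolve to an A-record; an MX must name a mail server with an A-record, never a CNAME; a delegation whose DNS server sits inside the delegated sub-name needs a glue A-record) as an added zone-checking example in Python. This is example code, not Simple DNS Plus code; the sample zone is constructed and the checks only cover targets inside the zone being checked.

```python
"""Consistency checks for CNAME, MX and NS records (sections 5.2 to 5.4).
Added example, not Simple DNS Plus code; the zone below is constructed."""
from collections import defaultdict


def _in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def _types_at(index, name):
    return {rtype for rtype, _ in index.get(name, ())}


def lint_zone(zone: str, records):
    """Return a list of problem strings for (type, name, data) records of one zone.

    Targets outside the zone cannot be checked locally and are left alone.
    """
    zone = zone.lower()
    index = defaultdict(list)
    for rtype, name, data in records:
        index[name.lower()].append((rtype, data.lower()))

    problems = []
    for rtype, name, data in records:
        name, data = name.lower(), data.lower()
        target_types = _types_at(index, data)
        if rtype == "CNAME":
            if data == name:
                problems.append(f"{name}: CNAME points to itself")
            elif "CNAME" in target_types:
                problems.append(f"{name}: CNAME points to another CNAME ({data})")
            elif _in_zone(data, zone) and "A" not in target_types:
                problems.append(f"{name}: CNAME target {data} has no A-record")
        elif rtype == "MX":
            if "CNAME" in target_types:
                problems.append(f"{name}: MX points to CNAME {data}; add an A-record instead")
            elif _in_zone(data, zone) and "A" not in target_types:
                problems.append(f"{name}: MX mail server {data} has no A-record")
        elif rtype == "NS" and name != zone:
            # ns1.subname.xyz.com delegated from xyz.com needs glue in xyz.com
            if _in_zone(data, name) and "A" not in target_types:
                problems.append(f"{name}: missing glue A-record for {data}")
    return problems


# Constructed sample zone exercising each rule once.
SAMPLE_ZONE = "xyz.com"
SAMPLE_RECORDS = [
    ("A", "xyz.com", "192.0.2.1"),
    ("CNAME", "www.xyz.com", "xyz.com"),                    # fine: alias of an A-record
    ("CNAME", "ftp.xyz.com", "www.xyz.com"),                # CNAME -> CNAME
    ("CNAME", "loop.xyz.com", "loop.xyz.com"),              # points to itself
    ("MX", "xyz.com", "www.xyz.com"),                       # MX -> CNAME
    ("MX", "xyz.com", "mail.xyz.com"),                      # no A-record for the mail server
    ("NS", "subname.xyz.com", "ns1.subname.xyz.com"),       # glue missing
    ("NS", "other.xyz.com", "ns1.othername.net"),           # fine: server outside the zone
]
```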

To create a PTR-record use one of the following options:

- The Reverse Zone Wizard.
- The "Update Reverse Zone" check box in the Record Properties dialog for an A-record.
- Right-click a reverse zone in the DNS Records window, and select "New Pointer (PTR-record)" from the pop-up menu.

This record type is defined in RFC1035.

5.6 SOA (Zone Properties)

A zone contains exactly one SOA-record, which holds the following properties for the zone:

Name of primary DNS server
The domain name of the primary DNS server for the zone. The zone should contain a matching NS-record.

E-mail address of responsible person
The e-mail address of the person responsible for the zone. The standard for this is the "hostmaster" user name - such as "[email protected]".

Serial number (see Zone Transfers)
Used by secondary DNS servers to check if the zone has changed. If the serial number is higher than what the secondary server has, a zone transfer will be initiated. This number is automatically increased by Simple DNS Plus when changes are made to the zone or its records (but not until you click the Refresh button, another zone is selected, or the "Edit DNS Records" window is closed). Unless you have a specific reason for changing this number, it is best to let Simple DNS Plus manage it. You should never decrease a serial number.

Refresh Interval (see Zone Transfers)
How often secondary DNS servers should check if changes have been made to the zone.

Retry Interval (see Zone Transfers)
How often secondary DNS servers should retry checking if changes have been made - if the first refresh fails.

Expire Interval (see Zone Transfers)
How long the zone will be valid after a refresh. Secondary servers will discard the zone if no refresh could be made within this interval.

Minimum (default) TTL
Used as the default TTL for new records created within the zone. Also used by other DNS servers to cache negative responses (such as "record does not exist", etc.).

A SOA-record is automatically created when you create a new zone.

This record type is defined in RFC1035.

6 Other DNS Record Types

6.1 A6
An A6-record is used to specify the IPv6 address (or part of the IPv6 address) for a host. A6-records expand the functionality of AAAA-records by adding support for aggregation and renumbering. A lookup for an IPv6 address could involve several A6-records which each specify only part of the final address. This is achieved through the additional prefix-length and prefix-name fields.
To create a new A6-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.2 AAAA
An AAAA-record is used to specify the IPv6 address for a host.
IPv6 is the future replacement for the current IP address system (also known as IPv4). The current IPv4 addresses are 32 bits long (x.x.x.x = 4 bytes), and therefore "only" support a total of 4,294,967,296 addresses - less than the global population. With this limitation there is an increasing shortage of IPv4 addresses. To solve the problem, the whole Internet will eventually have to be migrated to IPv6.
IPv6 addresses are 128 bits long and are written as hexadecimal numbers separated by colons (:) every four digits. Zeros can be skipped - for example: 4C2F::1:2:3:4:567:89AB.
Few applications and network devices currently support IPv6, and IPv6 addresses are not yet generally available, but this is expected to change rapidly.
To create a new AAAA-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.3 AFSDB
An AFSDB-record maps a domain name to an AFS (Andrew File System) database server.
The server name points to an A-record for the database server, and the sub-type indicates the server type:
1 = AFS version 3.0 volume location server for the named AFS cell.
2 = DCE authenticated server.
To create a new AFSDB-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.4 ATMA
An ATMA-record maps a domain name to an ATM address. The ATM address can be specified in either E.164 format (decimal) or NSAP format (hexadecimal).
To create a new ATMA-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in "ATM Name System Specification Version 1.0" published by the ATM Forum.

6.5 DNAME
A DNAME-record is used to map / rename an entire sub-tree of the DNS name space to another domain. It differs from the CNAME-record, which maps only a single node of the name space.
To create a new DNAME-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.6 HINFO
A HINFO-record specifies the host / server's type of CPU and operating system. This information can be used by application protocols such as FTP, which use special procedures when communicating with computers of a known CPU and operating system type.
Standard CPU and operating system types are defined in RFC1700 (Page 206 / 214). The standard for a Windows PC is "INTEL-386" / "WIN32".
To create a new HINFO-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.7 ISDN
The ISDN-record maps a domain name to an ISDN (Integrated Services Digital Network) telephone number.
The ISDN phone numbers / DDI (Direct Dial In) used should follow the ITU-T E.163/E.164 international telephone numbering standards. For example: 1 = USA, 212 = Manhattan (New York) area code, followed by the subscriber number.
The ISDN sub-address is an optional hexadecimal number.
To create a new ISDN-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.8 LOC
This record type is used to specify geographical location information about hosts, networks, and subnets.
A LOC-record describes a location with the following properties:
- Latitude / Longitude.
- Altitude.
- Size (diameter of the location described).
- Horizontal / Vertical precision of the data.
Because of the binary storage format used, only the first digit of the size and precision properties can be non-zero.
Additional interesting and practical information about LOC-records is available at .
To create a new LOC-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.9 MB, MG, MINFO, MR
Most Internet servers only support MX-records. Only use MB, MG, MINFO and MR records if you have specific requirements for these.
To specify "mailbox" names, replace the @ sign with a dot (.).

MB-records (Mailbox)
Maps a mailbox to a host (server). The host must be the same as a valid A-record already defined in the same zone.

MG-records (Mail group member)
Used to specify mail group members (one MG-record per member). Each member mailbox must be identical to a valid mailbox (MB-record).

MINFO-records (Mailbox or mail list information)
Specifies the mailbox of the responsible person and optionally a mailbox for errors for this mailbox or list. Each mailbox must be the same as a valid mailbox (MB-record) that already exists in the zone.

MR-records (Renamed mailbox)
Specifies a renamed mailbox. An MR-record can be used as a forwarding entry for a user who has moved to a different mailbox.

To create a new mailbox record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
These record types are defined in RFC .
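The LOC section above states that only the first digit of the size and precision values can be non-zero. This added example (Python, not Simple DNS Plus code) shows why, by implementing the RFC 1876 one-byte mantissa/exponent encoding of those values and the full 16-byte LOC RDATA; the coordinates are constructed.

```python
import struct


def encode_precision(metres: float) -> int:
    """Encode a LOC size / precision value (metres) as RFC 1876 does: one byte,
    a 4-bit mantissa (0-9) and a 4-bit power-of-ten exponent (0-9), in
    centimetres. Everything after the first significant digit is dropped."""
    cm = int(round(metres * 100))
    if not 0 <= cm <= 9_000_000_000:       # 9e9 cm (90,000 km) is the format's maximum
        raise ValueError("size/precision outside the LOC range")
    exponent = 0
    while cm >= 10:
        cm //= 10                           # truncate: 123400 cm -> 1 * 10**5 cm
        exponent += 1
    return (cm << 4) | exponent


def decode_precision(byte: int) -> float:
    """Inverse of encode_precision; returns metres."""
    mantissa, exponent = byte >> 4, byte & 0x0F
    if mantissa > 9 or exponent > 9:
        raise ValueError("invalid LOC size/precision byte")
    return mantissa * 10 ** exponent / 100


def as_stored(metres: float) -> float:
    """What a resolver gets back after a size/precision has been through the
    record format, e.g. 1234 m is stored as 1000 m."""
    return decode_precision(encode_precision(metres))


def encode_latlong(degrees: float) -> int:
    """Thousandths of an arc second, offset by 2**31 (north and east positive)."""
    return 2 ** 31 + int(round(degrees * 3_600_000))


def encode_altitude(metres: float) -> int:
    """Centimetres above a reference point 100,000 m below the WGS 84 spheroid."""
    return int(round((metres + 100_000) * 100))


LOC_FORMAT = "!BBBBIII"   # version, size, horiz. precision, vert. precision, lat, long, alt


def build_loc_rdata(lat: float, lon: float, alt: float, size: float = 1.0,
                    horiz_pre: float = 10_000.0, vert_pre: float = 10.0) -> bytes:
    """16-byte LOC RDATA (version 0). The defaults are the RFC 1876 defaults."""
    return struct.pack(LOC_FORMAT, 0, encode_precision(size),
                       encode_precision(horiz_pre), encode_precision(vert_pre),
                       encode_latlong(lat), encode_latlong(lon), encode_altitude(alt))


def parse_loc_rdata(data: bytes) -> dict:
    """Decode LOC RDATA back into human units."""
    version, size, hp, vp, lat, lon, alt = struct.unpack(LOC_FORMAT, data)
    if version != 0:
        raise ValueError("unknown LOC version")
    return {
        "lat": (lat - 2 ** 31) / 3_600_000,
        "lon": (lon - 2 ** 31) / 3_600_000,
        "alt_m": alt / 100 - 100_000,
        "size_m": decode_precision(size),
        "horiz_pre_m": decode_precision(hp),
        "vert_pre_m": decode_precision(vp),
    }
```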

6.10 NAPTR
NAPTR-records are used to store rules used by DDDS (Dynamic Delegation Discovery System) applications.
One example is "ENUM", which allows an end user to type a telephone number into e.g. a web browser and access a listing of Internet resources (URIs) for that number, such as addresses for IP telephony, or web sites. For more information on "ENUM", see or .
The "Order" field is a number (0 to 65535) specifying the order in which multiple NAPTR records must be processed (low to high) by the application.
The "Preference" field is equivalent to the Priority value in the DDDS algorithm. It is a number that specifies the order (low to high) in which NAPTR records with equal Order values should be processed.
The "Flags" field contains flags to control aspects of the rewriting and interpretation of the fields in the record. Flags are single characters from the set A-Z and 0-9. The use of this field is specified by the individual DDDS application.
The "Services" field specifies the service parameters applicable to this delegation path. The individual DDDS application specifies the possible values for this field.
The "Reg. Exp." field contains a substitution expression that is applied to the original string held by the client in order to construct the next domain name to look up. See the DDDS algorithm specification for the syntax of this field.
The "Replacement" field specifies the next domain name (fully qualified) to query for, depending on the potential values found in the Flags field. This field is used when the regular expression is empty (a simple replacement operation).
The "Reg. Exp." and "Replacement" fields are mutually exclusive (only one can contain a value).
To create a new NAPTR-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.11 NSAP
An NSAP-record maps a domain name to an NSAP address.
The NSAP address is entered using hexadecimal digits - any NSAP address format is allowed.
To create a new NSAP-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.12 RP
An RP-record specifies the mailbox of the person responsible for the host (domain name).
A SOA-record defines the responsible person for an entire zone, but a zone may contain a large number of individual hosts / domain names for which different people are assigned responsibility. The RP-record type makes it possible to identify the responsible person for individual host names contained within the zone.
To specify the "mailbox", replace the @ sign with a dot (.).
Optionally specify the domain name of a TXT-record with additional information (such as phone number and address).
To create a new RP-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.13 RT
An RT-record specifies an intermediate host that provides routing to the domain name (host) of the record. This can be used by computers which are not directly connected to the Internet or a wide area network (WAN).
A preference value is used to set priority if multiple intermediate routing hosts are specified - lower values are tried first.
For each intermediate host specified, a corresponding host (A) address resource record is needed in the current zone.
To create a new RT-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.14 SRV
SRV-records are used to specify the location of a service. They have recently come into use in connection with different directory servers such as LDAP (Lightweight Directory Access Protocol), and Windows 2000/2003 directory services. They can also be used for advanced load balancing and to specify specific ports for services - for example that a web-server is running on port 8080 instead of the usual port 80 (theoretical example - this is not yet supported by any major browsers). This record type is however NOT supported by most programs in use today, including web-browsers.
The name of a SRV-record is defined as "_service._protocol.domain" - for example "_ftp._tcp.xyz.com".
Most Internet services are defined in RFC1700 (page 15), and the protocol is generally TCP or UDP.
The "service location" is specified through a target, priority, weight, and port:
- Target is the domain name of the server (referencing an A-record).
- Priority is a preference number used when more servers are providing the same service (lower numbers are tried first).
- Weight is used for advanced load balancing.
- Port is the TCP/UDP port number on the server that provides this service.
To create a new SRV-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.15 TXT
TXT-records are used to hold descriptive text. They are often used to hold general information about a domain name such as who is hosting it, contact person, phone numbers, etc.
TXT-records are also used for SPF. SPF is a spam fighting method which uses DNS TXT-records to define which hosts are permitted to send e-mails for a domain. For details please see .
Simple DNS Plus also has an option to automatically provide missing SPF records - see the Options dialog / DNS security section.
To create a new TXT-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .

6.16 X25
An X25-record maps a domain name to a Public Switched Data Network (PSDN) address number. Numbers used with this record should follow the X.121 international numbering plan.
To create a new X25-record, right-click a zone in the left list in the DNS Records window, and select "Other new record" from the pop-up menu.
This record type is defined in RFC .
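An added example (Python, not Simple DNS Plus code) for the SRV fields of section 6.14: it splits the "_service._protocol.domain" owner name and orders targets the way RFC 2782 describes, lowest priority first and weighted random order within a priority, which is the concrete form of the "advanced load balancing" the text mentions. The records are constructed.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str                  # should reference an A-record in the zone

    def __post_init__(self) -> None:
        for value in (self.priority, self.weight, self.port):
            if not 0 <= value <= 65535:
                raise ValueError("SRV priority, weight and port are 16-bit values")


def split_srv_name(owner: str) -> Tuple[str, str, str]:
    """'_ldap._tcp.example.com' -> ('ldap', 'tcp', 'example.com')."""
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("SRV owner name must look like _service._protocol.domain")
    return labels[0][1:], labels[1][1:], ".".join(labels[2:])


def _pick_weighted(group: List[SRV], rng: random.Random) -> SRV:
    """RFC 2782 selection within one priority level: weight-0 entries are
    listed first so they are chosen only when the draw is 0 (rarely, if other
    entries carry weight); otherwise the chance is proportional to weight."""
    ordered = sorted(group, key=lambda r: r.weight != 0)     # stable sort: zeros first
    draw = rng.randint(0, sum(r.weight for r in ordered))
    running = 0
    for record in ordered:
        running += record.weight
        if running >= draw:
            return record
    return ordered[-1]


def _ordered(records: List[SRV], rng: random.Random) -> List[SRV]:
    result: List[SRV] = []
    for prio in sorted({r.priority for r in records}):        # lower priority first
        remaining = [r for r in records if r.priority == prio]
        while remaining:
            chosen = _pick_weighted(remaining, rng)
            result.append(chosen)
            remaining.remove(chosen)
    return result


def ordered_targets(records: List[SRV], seed: Optional[int] = None) -> List[SRV]:
    """The order in which a client should try the servers."""
    return _ordered(records, random.Random(seed))


def first_target_share(records: List[SRV], target: str,
                       trials: int = 2000, seed: int = 7) -> float:
    """Fraction of trials in which 'target' is tried first; shows how the
    weight field spreads load among servers of equal priority."""
    rng = random.Random(seed)
    hits = sum(_ordered(records, rng)[0].target == target for _ in range(trials))
    return hits / trials
```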

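Section 6.15 says SPF TXT-records define which hosts are permitted to send e-mail for a domain. This added example (Python, not Simple DNS Plus code) evaluates the lookup-free subset of SPF, the ip4:, ip6: and all mechanisms with their qualifiers, against a sending address, so the effect of a record ending in "-all" versus "~all" or no "all" at all can be seen directly; the records and addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SUPPORTED = ("ip4", "ip6", "all")   # mechanisms that need no further DNS lookups


def parse_spf(txt: str) -> List[Tuple[str, str, str]]:
    """Split a 'v=spf1 ...' TXT string into (qualifier, mechanism, argument)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                           # the default qualifier is 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in SUPPORTED:
            raise NotImplementedError(f"mechanism {name!r} needs DNS lookups")
        if name == "all":
            if arg:
                raise ValueError("'all' takes no argument")
        else:
            # validate the network early; the argument may be a bare address
            net = ipaddress.ip_network(arg, strict=False)
            if net.version != (4 if name == "ip4" else 6):
                raise ValueError(f"{name} given an IPv{net.version} network")
        parsed.append((qualifier, name, arg))
    return parsed


def check_sender(txt: str, sender_ip: str) -> str:
    """Evaluate the record for one sending host. Mechanisms are tested in
    order, the first match decides, and a record with no match is 'neutral'."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(txt):
        if name == "all":
            return QUALIFIERS[qualifier]
        if ip.version != (4 if name == "ip4" else 6):
            continue                              # ip4 terms never match IPv6 senders
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"
```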
Index

*: * (Wildcard records)
A: A record type; A6 record type; AAAA record type; Active Log; Active Log View; Advanced options; AFSDB record type; Alias; Andrew File System; ATM address; ATMA record type; Automatic SPF
B: BIND version; BIND version requests; Blocking; Bulk update
C: Cache snapshot; Caching; Canonical name; CNAME record type; Command line options
D: Denial of service; Descriptive text; DHCP; DHCP Leases; DHCP scope; Directory services; DNAME record type; DNS Cache; DNS forwarding; DNS Look Up; DNS records; DNS Recursion; DNS Resolution; DNS security; DNS spoofing; DOS (denial of service); DOS prompt; Dynamic DNS update; Dynamic updates
E: Error messages; Event log; Expire interval
F: Find and replace IP; Forwarding
G: GPS
H: HINFO record type; HMAC-MD5; Host address; Host information; Hosts file; HTTP API; HTTP commands
I: Import; in-addr.arpa; Integrate; IP Address Blocking; IPv6; ISDN record type
L: Lame delegation; LDAP; LOC record type; Location information; Location of service; Log; Log details; Log files; Look Up
M: Mail exchange; Mail server; Mailbox record types; Main window; Master; MB record type; MG record type; Migration; MINFO record type; Minimum TTL; MR record type; MX record type
N: Name Redirection; Name server record; Naming Authority Pointer; NAPTR record type; NAT router; NAT to LAN; New zone; Non-recursive; Non-Terminal; Notify; NS record type; NSAP record type; NXDOMAIN redirect
O: Optimize responses; Options
P: Performance Graph; Port scanners; Port zero; Primary / secondary; Promote server; PSDN; PTR record type
Q: Quick Domain Wizard
R: Raw log; Recursion; Recursive; Refresh interval; Registrar; Replace IP; Reservations (DHCP); Resolution; Responsible person; Retry interval; Reverse; Reverse Look Up; Reverse Zone Wizard; Root DNS Records; Round robin; Route through; RP record type; RT record type
S: Secondary DNS server; Security; Serial number; Slave; SOA record; SOA record type; SPF records; Spoofing; SRV record type; Start of authority; Stealth DNS; Synchronize
T: Telnet connections; Time To Live; Tray bar; TSIG; TTL; TXT record type
V: Version requests; Views
W: Warning messages; warning.bat; Wildcard records; Windows event log; Windows service
X: X25 record type
Z: Zone transfers; Zones


More information

How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows)

How To Create An Easybelle History Database On A Microsoft Powerbook 2.5.2 (Windows) Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,

More information

Barracuda Link Balancer

Barracuda Link Balancer Barracuda Networks Technical Documentation Barracuda Link Balancer Administrator s Guide Version 2.2 RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks www.barracuda.com v2.2-110503-01-0503

More information

Use Domain Name System and IP Version 6

Use Domain Name System and IP Version 6 Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)

More information

National Fire Incident Reporting System (NFIRS 5.0) Configuration Tool User's Guide

National Fire Incident Reporting System (NFIRS 5.0) Configuration Tool User's Guide National Fire Incident Reporting System (NFIRS 5.0) Configuration Tool User's Guide NFIRS 5.0 Software Version 5.6 1/7/2009 Department of Homeland Security Federal Emergency Management Agency United States

More information

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc. nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances The information contained in this document represents the current view of Microsoft Corporation on the issues discussed

More information

Manual Password Depot Server 8

Manual Password Depot Server 8 Manual Password Depot Server 8 Table of Contents Introduction 4 Installation and running 6 Installation as Windows service or as Windows application... 6 Control Panel... 6 Control Panel 8 Control Panel...

More information

Installing GFI MailSecurity

Installing GFI MailSecurity Installing GFI MailSecurity Introduction This chapter explains how to install and configure GFI MailSecurity. You can install GFI MailSecurity directly on your mail server or you can choose to install

More information

- Domain Name System -

- Domain Name System - 1 Name Resolution - Domain Name System - Name resolution systems provide the translation between alphanumeric names and numerical addresses, alleviating the need for users and administrators to memorize

More information

How to Configure the Windows DNS Server

How to Configure the Windows DNS Server Windows 2003 How to Configure the Windows DNS Server How to Configure the Windows DNS Server Objective This document demonstrates how to configure domains and record on the Windows 2003 DNS Server. Windows

More information

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace Motivation Domain Name System (DNS) IP addresses hard to remember Meaningful names easier to use Assign names to IP addresses Name resolution map names to IP addresses when needed Namespace set of all

More information

TW100-BRF114 Firewall Router. User's Guide. Cable/DSL Internet Access. 4-Port Switching Hub

TW100-BRF114 Firewall Router. User's Guide. Cable/DSL Internet Access. 4-Port Switching Hub TW100-BRF114 Firewall Router Cable/DSL Internet Access 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION...1 TW100-BRF114 Features...1 Package Contents...3 Physical Details...

More information

Implementing Domain Name Service (DNS)

Implementing Domain Name Service (DNS) Implementing Domain Name Service (DNS) H C A 1 P T E R ITINERARY Objective 1.01 Objective 1.02 Objective 1.03 Install and Configure DNS for Active Directory Integrate Active Directory DNS Zones with Existing

More information

NETWORK SET UP GUIDE FOR

NETWORK SET UP GUIDE FOR NETWORK SET UP GUIDE FOR USZ11ZS USX21ZS USX31ZAND DVRX16D DVRX32D HDDX13D SUPPORTING ROUTER D-Link Linksys NETGEAR BELKI IP Addresses on the Internet When you connect to the Internet, through dialup connection,

More information

Securing an Internet Name Server

Securing an Internet Name Server Securing an Internet Name Server Cricket Liu [email protected] Securing an Internet Name Server Name servers exposed to the Internet are subject to a wide variety of attacks: Attacks against the name

More information

Broadband Router ESG-103. User s Guide

Broadband Router ESG-103. User s Guide Broadband Router ESG-103 User s Guide FCC Warning This equipment has been tested and found to comply with the limits for Class A & Class B digital device, pursuant to Part 15 of the FCC rules. These limits

More information

Chapter 1 Configuring Basic Connectivity

Chapter 1 Configuring Basic Connectivity Chapter 1 Configuring Basic Connectivity This chapter describes the settings for your Internet connection and your wireless local area network (LAN) connection. When you perform the initial configuration

More information

Chapter 15: Advanced Networks

Chapter 15: Advanced Networks Chapter 15: Advanced Networks IT Essentials: PC Hardware and Software v4.0 1 Determine a Network Topology A site survey is a physical inspection of the building that will help determine a basic logical

More information

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings Chapter 4 Customizing Your Network Settings This chapter describes how to configure advanced networking features of the RangeMax Dual Band Wireless-N Router WNDR3300, including LAN, WAN, and routing settings.

More information

Implementing Network Address Translation and Port Redirection in epipe

Implementing Network Address Translation and Port Redirection in epipe Implementing Network Address Translation and Port Redirection in epipe Contents 1 Introduction... 2 2 Network Address Translation... 2 2.1 What is NAT?... 2 2.2 NAT Redirection... 3 2.3 Bimap... 4 2.4

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

UIP1868P User Interface Guide

UIP1868P User Interface Guide UIP1868P User Interface Guide (Firmware version 0.13.4 and later) V1.1 Monday, July 8, 2005 Table of Contents Opening the UIP1868P's Configuration Utility... 3 Connecting to Your Broadband Modem... 4 Setting

More information

Installing GFI MailEssentials

Installing GFI MailEssentials Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter explains the procedure on how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in

More information

Kwickserver Firewall. Overwiew. Features. Two distinct internal networks. Portfilter. Documentation Version 1.1. Peter Buzanits 27. 9.

Kwickserver Firewall. Overwiew. Features. Two distinct internal networks. Portfilter. Documentation Version 1.1. Peter Buzanits 27. 9. Kwickserver Firewall Documentation Version 1.1 Peter Buzanits 27. 9. 2007 Overwiew Kwickserver Firewall is an installation CD with that you can setup a firewall for two distinct networks in a few steps

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

Monitoring Techniques for Cisco Network Registrar

Monitoring Techniques for Cisco Network Registrar White Paper Monitoring Techniques for Cisco Network Registrar White Paper 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 14 Introduction...

More information

Chapter 12 Supporting Network Address Translation (NAT)

Chapter 12 Supporting Network Address Translation (NAT) [Previous] [Next] Chapter 12 Supporting Network Address Translation (NAT) About This Chapter Network address translation (NAT) is a protocol that allows a network with private addresses to access information

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (wmpmsp_mngnwi-121) You are an administrator for an organization that provides Internet connectivity to users from the corporate network. Several users complain that they cannot

More information

Detecting rogue systems

Detecting rogue systems Product Guide Revision A McAfee Rogue System Detection 4.7.1 For use with epolicy Orchestrator 4.6.3-5.0.0 Software Detecting rogue systems Unprotected systems, referred to as rogue systems, are often

More information

Section 1 Overview... 4. Section 2 Home... 5

Section 1 Overview... 4. Section 2 Home... 5 ecogent User Guide 2012 Cogent Communications, Inc. All rights reserved. Every effort has been made to ensure that the information in this User Guide is accurate. Information in this document is subject

More information

Active Directory Group Policy. Administrator Reference

Active Directory Group Policy. Administrator Reference Active Directory Group Policy Administrator Reference Group Policy Administrator Reference for Templates All policies are listed alphabetically by: policy node, policy path, and policy name. For policy

More information

Bulk DNS Update CSV File

Bulk DNS Update CSV File Bulk DNS Updates Bulk DNS Update CSV File Each line in the comma-separated value (CSV) file represents a resource record. A line break must follow each line, and the file may contain up to 5000 lines.

More information

Load Balancing Router. User s Guide

Load Balancing Router. User s Guide Load Balancing Router User s Guide TABLE OF CONTENTS 1: INTRODUCTION... 1 Internet Features... 1 Other Features... 3 Package Contents... 4 Physical Details... 4 2: BASIC SETUP... 8 Overview... 8 Procedure...

More information

Step-by-Step Configuration

Step-by-Step Configuration Step-by-Step Configuration Kerio Technologies C 2001-2003 Kerio Technologies. All Rights Reserved. Printing Date: December 17, 2003 This guide provides detailed description on configuration of the local

More information

Basic Network Configuration

Basic Network Configuration Basic Network Configuration 2 Table of Contents Basic Network Configuration... 25 LAN (local area network) vs WAN (wide area network)... 25 Local Area Network... 25 Wide Area Network... 26 Accessing the

More information

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewall VPN Router. Quick Installation Guide M73-APO09-380 Firewall VPN Router Quick Installation Guide M73-APO09-380 Firewall VPN Router Overview The Firewall VPN Router provides three 10/100Mbit Ethernet network interface ports which are the Internal/LAN, External/WAN,

More information

Transferring Your Internet Services

Transferring Your Internet Services Page 1 of 6 Transferring Your Internet Services Below you will find the instructions necessary to move your web hosting, email, and DNS services to NuVox. The Basics Transferring your domain name Preparing

More information

Multi-Homing Dual WAN Firewall Router

Multi-Homing Dual WAN Firewall Router Multi-Homing Dual WAN Firewall Router Quick Installation Guide M73-APO09-400 Multi-Homing Dual WAN Firewall Router Overview The Multi-Homing Dual WAN Firewall Router provides three 10/100Mbit Ethernet

More information

PageR Enterprise Monitored Objects - AS/400-5

PageR Enterprise Monitored Objects - AS/400-5 PageR Enterprise Monitored Objects - AS/400-5 The AS/400 server is widely used by organizations around the world. It is well known for its stability and around the clock availability. PageR can help users

More information

ACP ThinManager Tech Notes Troubleshooting Guide

ACP ThinManager Tech Notes Troubleshooting Guide ACP ThinManager Tech Notes Troubleshooting Guide Use the F1 button on any page of a ThinManager wizard to launch Help for that page. Visit www.thinmanager.com/technotes/ to download the manual, manual

More information

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES

WEBTITAN CLOUD. User Identification Guide BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES BLOCK WEB THREATS BOOST PRODUCTIVITY REDUCE LIABILITIES WEBTITAN CLOUD User Identification Guide This guide explains how to install and configure the WebTitan Cloud Active Directory components required

More information