HKIRC

Technology FAQ

Q1: What is DNS?
Q2: What is WHOIS?
Q3: What is DNS parking? When should I use DNS parking?
Q4: What is an IP address? How many types of IP address are there?
Q5: What is CDN and punycode?
Q6: What is a name server?
Q7: What is a DNS zone file? What zone types are used by .HK?
Q8: What is “DNS hosting”?
Q9: What are DNS records (NS, A, MX, etc.)?
Q10: What is DNS cache poisoning?
Q11: Why is DNS cache poisoning important?
Q12: What did the security researcher Dan Kaminsky discover about DNS cache poisoning?
Q13: How can I check whether the DNS server I use has the cache poisoning vulnerabilities discovered by Dan Kaminsky?
Q14: How can DNS cache poisoning be prevented?
Q15: What is IPv6?
Q16: What are the differences between IPv4 and IPv6?
Q17: What does IPv6 look like in the DNS?
Q18: What service is HKIRC offering for IPv6?
Q19: What are the changes to the existing HKIRC panels for IPv6?
Q20: What is DNSSEC?



Q1: What is DNS?

A: The Domain Name System (DNS) translates a human-readable computer hostname into an IP address, so that the machine with that IP address can be reached over the network.


Q2: What is WHOIS?

A: WHOIS is used to query the registration information of a domain, such as the domain holder, contact details and expiry date.


Q3: What is DNS parking? When should I use DNS parking?

A: If a registrant does not have a hosting service for his/her domain, he/she can use HKDNR's name servers (ns5.hkdnr.net.hk, ns6.hkdnr.net.hk) when registering the domain. However, this is not a hosting service for the domain's web site: visitors will see HKDNR's parking web page for the registered domain.


Q4: What is an IP address? How many types of IP address are there?

A: An IP address (Internet Protocol address) is a unique address that electronic devices use to identify and communicate with each other on a computer network that uses the Internet Protocol (IP) standard. In simpler terms, an IP address is a computer's address.
There are mainly two types of IP address: IPv4 and IPv6. IPv4 (Internet Protocol version 4) is widely used on the Internet and uses 32 bits to represent an address. IPv6 (Internet Protocol version 6), the successor of IPv4, uses 128 bits to represent an address instead of 32 bits. IPv6 has enough room for 3.4×10^38 unique addresses.


Q5: What is CDN and punycode?

A: A CDN (Chinese Domain Name) is a domain name that contains at least one Chinese character and may also contain uppercase or lowercase English letters, numbers or hyphens. Punycode is an encoding by which a Unicode string of characters can be represented in the more limited character set permitted in network host names.


Q6: What is a name server?

A: A name server is a program or computer server that maps the human-readable identifier (hostname) of a host to its machine-readable identifier (IP address).


Q7: What is a DNS zone file? What zone types are used by .HK?

A: A zone file contains the list of all the hosts in your domain and their corresponding IP addresses. .HK has 13 zone types: .com.hk, .edu.hk, .org.hk, .idv.hk, .hk, .gov.hk, .net.hk, .公司.hk, .網絡.hk, .組織.hk, .教育.hk, .政府.hk and .個人.hk.


Q8: What is “DNS hosting”?

A: It is a service that runs Domain Name System servers for a domain.


Q9: What are DNS records (NS, A, MX, etc.)?

A: DNS records store host-related information. Common record types are SOA, NS, MX and A:
SOA - Start of Authority: states that this server is authoritative for the specified domain.
NS - Name Server: specifies the name server to be used to look up a domain.
MX - Mail Exchange: specifies the mail server(s) for the domain.
A - Address record: links a fully qualified domain name (FQDN) to an IP address.


Q10: What is DNS cache poisoning?

A: DNS cache poisoning is an attack technique in which an attacker feeds non-authentic data to a vulnerable name server so that it caches the attacker's forged DNS information. Clients of that name server are then sent to incorrect, and possibly malicious, hosts for particular services.


Q11: Why is DNS cache poisoning important?

A: Because the vulnerable name server holds incorrect entries for domain names, users are unexpectedly directed to an attacker's IP address. As a result, a user could unintentionally visit an attacker-controlled website, which may host viruses, or unknowingly download malicious content that harvests the user's personal information for illegitimate purposes.


Q12: What did the security researcher Dan Kaminsky discover about DNS cache poisoning?

A: He found that the DNS protocol as currently deployed has deficiencies that make attacks easier, concerning the randomness of the transaction ID and the source port.

Here are some examples:

1) Insufficient transaction ID space
With the current 16-bit transaction ID, an attacker needs on average 32,768 attempts to guess the ID correctly. Some flawed DNS implementations use fewer effective bits, which makes the ID even easier to predict.

2) Multiple outstanding requests
Some vulnerable DNS implementations allow multiple identical outstanding queries for the same resource record (RR), which makes a 'birthday attack' feasible.

3) Fixed source port for generating queries
Some DNS implementations allocate an arbitrary port at startup and reuse this source port for all outgoing queries.


Q13: How can I check whether the DNS server I use has the cache poisoning vulnerabilities discovered by Dan Kaminsky?

A: The following tools can be used to check for the DNS cache poisoning vulnerability.

1) DNS Checker
Purpose: scans your DNS server's source port and query ID to check whether they are random enough.
Details: please refer to http://www.doxpara.com/?p=1185

2) DNS Stuff Test Tool
Purpose: similar to DNS Checker, but with a clear graphic showing the randomness status of the source port and query ID.
Details: please refer to http://www.dnsstuff.com

3) DNS-OARC Test
Purpose: verifies the DNS server by its IP address. Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net.
Details: please refer to https://www.dns-oarc.net/oarc/services/porttest
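As an added illustration of the three weaknesses listed in Q12 and of what the checkers in Q13 measure, the following Python script (written for this FAQ, not an HKIRC tool) runs those checks over constructed log lines of a resolver's outgoing queries. The log format, the sample values and the "16 bits per field" estimate are assumptions.

```python
import re
from collections import Counter

# Constructed log lines (not real HKIRC data): one line per outgoing query a
# resolver sent, "port=<source port> id=<transaction id> q=<name queried>".
# The first log shows the three weaknesses from Q12; the second a patched resolver.
FLAWED_LOG = """\
port=53 id=4096 q=www.example.hk
port=53 id=4097 q=mail.example.hk
port=53 id=4098 q=www.example.hk
port=53 id=4099 q=www.example.hk
port=53 id=4100 q=ns1.example.hk
"""
PATCHED_LOG = """\
port=50313 id=19377 q=www.example.hk
port=41920 id=60122 q=mail.example.hk
port=63205 id=2231 q=ns1.example.hk
port=35877 id=48910 q=www.example.net
port=57419 id=7702 q=ns2.example.hk
"""
LINE = re.compile(r"port=(\d+) id=(\d+) q=(\S+)")


def assess(log):
    """Check a resolver's outgoing queries for the three weaknesses in Q12.
    Returns the findings plus a rough estimate of how many forged replies an
    off-path attacker would need on average (the figure Q12 quotes)."""
    rows = [(int(p), int(i), q) for p, i, q in LINE.findall(log)]
    ports = [r[0] for r in rows]
    ids = [r[1] for r in rows]
    fixed_port = len(set(ports)) == 1                       # weakness 3
    sequential_id = all(b - a == 1 for a, b in zip(ids, ids[1:]))  # weakness 1
    # Weakness 2 (simplified): the same name queried again while a query for it
    # is still outstanding; here any repeated name in the window counts.
    repeated = [q for q, n in Counter(r[2] for r in rows).items() if n > 1]
    # Bits the attacker must guess: 16 for the id (none if it is predictable)
    # plus about 16 more when the source port is random. Average = half the space.
    bits = (0 if sequential_id else 16) + (0 if fixed_port else 16)
    return {
        "fixed_port": fixed_port,
        "sequential_id": sequential_id,
        "repeated_outstanding_queries": repeated,
        "avg_attempts_to_spoof": max(1, 2 ** bits // 2),
    }


if __name__ == "__main__":
    for name, log in (("flawed", FLAWED_LOG), ("patched", PATCHED_LOG)):
        print(name, assess(log))
```

With a fixed port and a random 16-bit ID the estimate is 32,768, the figure quoted in Q12; with both fields random it rises to about 2^31.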


Q14: How can DNS cache poisoning be prevented?

A: To mitigate the risk of DNS cache poisoning, the following preventive measures can be taken.

1) Enforce randomness of the source port and query ID (for example via NAT operation) and filter out suspicious spoofed traffic at the network perimeter.

2) Disable recursive queries, or only accept them from a white-listed subnet.

3) Explicitly disable glue fetching on the DNS server.

4) Check with the software vendor for the relevant security patch and apply it to the DNS server.

5) If you are using a vulnerable DNS server that is not under your control, contact its owner or administrator about the issue.

6) Deploy the secure version of DNS, DNSSEC, which uses digital signatures to verify the authenticity of DNS data.


Q15: What is IPv6?

A: Similar to the use of telephone numbers on our fixed and mobile telecommunication networks, each computer on the Internet is assigned a unique number called the IP (Internet Protocol) address. The current addressing scheme in use is IPv4 (IP address version 4). An IPv4 address is 32 bits long (consisting of four 8-bit numbers separated by dots). It is expected that the IPv4 addresses currently used by the devices connected to the Internet will eventually run out in 2011. A new addressing scheme called IPv6 (IP address version 6) has been developed. An IPv6 address is 128 bits long (consisting of eight 16-bit numbers separated by colons).

IPv6 has been available to Internet users for several years now, but its deployment poses some challenges. Because IPv6 has a different address format, IPv6 hosts cannot talk directly to the IPv4 hosts that make up most of the existing Internet.

For direct communication over IPv6, both parties must have deployed IPv6 across their networks, and so far only a relatively small number of networks have done this. However, there are schemes based on indirect communication methods which enable IPv6 and IPv4 networks to communicate with each other.


Q16: What are the differences between IPv4 and IPv6?

A: Typical IPv4 address:
192.168.1.2 - four groups separated by dots (.). Each group consists of a number ranging from 1 to 256. In theory, IPv4 can address up to 4,294,967,296 devices.

Typical IPv6 address:
2001:0db8:85a3:0000:0000:8a2e:0370:7334 - IPv6 addresses are normally written as eight groups of four hexadecimal (0-9, a-f) digits, with the groups separated by colons (:). IPv6 can address up to 3.4×10^38 unique addresses.

To shorten the writing and presentation of IPv6 addresses, several simplifications to the notation are permitted.

Any leading zeros in a group may be omitted; thus, the example above becomes
2001:db8:85a3:0:0:8a2e:370:7334

One or more consecutive groups with the value 0 may be replaced with two colons (::):
2001:db8:85a3::8a2e:370:7334

This double-colon substitution may be performed only once in an address, because multiple occurrences would be ambiguous. For example, the illegal notation 2001::FFD3::57ab could represent any of the following:
2001:0:0:0:0:FFD3:0:57ab
2001:0:0:0:FFD3:0:0:57ab
2001:0:0:FFD3:0:0:0:57ab
2001:0:FFD3:0:0:0:0:57ab

Using the double-colon reduction, the localhost (loopback) address, fully written as 0000:0000:0000:0000:0000:0000:0000:0001, may be reduced to ::1, and the undetermined IPv6 address (zero value, i.e. all bits zero) is simply ::.
For example, the addresses below are all valid and equivalent:
2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0000:0000:0000::1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8:0:0::1428:57ab
2001:0db8::1428:57ab
2001:db8::1428:57ab

In other words, :: stands for any run of zero groups, whether written as 0:0:0, 0:0:0:0, 0:0:0:0:0, 0:0:0:0:0:0, 0:0:0:0:0:0:0, 0:0:0:0:0:0:0:0, 00:00:00, 000:000:000, 0000:0000:0000, etc.


Q17: What does IPv6 look like in the DNS?

A: When you look up a name that has an IPv4 address using the dig command, the answer may look like this:

C:dig>dig @ns5.hkirc.net.hk hkirc.hk

; <<>> DiG 9.3.2 <<>> @ns5.hkirc.net.hk hkirc.hk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 490
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;hkirc.hk.                      IN      A

;; ANSWER SECTION:
hkirc.hk.               300     IN      A       203.119.2.85

;; AUTHORITY SECTION:
hkirc.hk.               300     IN      NS      ns5.hkirc.hk.
hkirc.hk.               300     IN      NS      ns6.hkirc.hk.
hkirc.hk.               300     IN      NS      ns7.hkirc.hk.

;; ADDITIONAL SECTION:
ns5.hkirc.hk.           300     IN      A       203.119.2.22
ns6.hkirc.hk.           300     IN      A       203.119.2.23
ns7.hkirc.hk.           300     IN      A       203.169.156.100

;; Query time: 31 msec
;; SERVER: 203.119.2.22#53(203.119.2.22)
;; WHEN: Mon Oct 12 14:36:15 2009
;; MSG SIZE  rcvd: 144

The IPv4 result for ns5.hkirc.hk is shown below:

ns5.hkirc.hk.           300     IN      A       203.119.2.22

Notice the single “A” in the answer, which indicates that it is an IPv4 address.

Now do the same with a name that has an IPv6 address, like the one below:

C:dig>dig @ns1.hkirc.hk ns2.cuhk.edu.hk

; <<>> DiG 9.3.2 <<>> @ns1.hkirc.hk ns2.cuhk.edu.hk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 155
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;ns2.cuhk.edu.hk.               IN      A

;; AUTHORITY SECTION:
cuhk.edu.hk.            14400   IN      NS      NS3.cuhk.edu.hk.
cuhk.edu.hk.            14400   IN      NS      NS1.cuhk.edu.hk.
cuhk.edu.hk.            14400   IN      NS      ns2.cuhk.edu.hk.

;; ADDITIONAL SECTION:
ns2.cuhk.edu.hk.        14400   IN      A       137.189.6.21
ns2.cuhk.edu.hk.        14400   IN      AAAA    2405:3000:3:60::21
NS1.cuhk.edu.hk.        14400   IN      A       137.189.6.1
NS3.cuhk.edu.hk.        14400   IN      A       202.45.188.39

;; Query time: 15 msec
;; SERVER: 203.119.2.18#53(203.119.2.18)
;; WHEN: Mon Oct 12 14:35:05 2009
;; MSG SIZE  rcvd: 159

Notice the record returned for ns2.cuhk.edu.hk:

ns2.cuhk.edu.hk.        14400   IN      AAAA    2405:3000:3:60::21

The “AAAA” in the result means that this is an IPv6 address.


Q18: What service is HKIRC offering for IPv6?

A: HKIRC has added the capability to register a domain name with IPv6 addresses as its name servers. This means that, over the existing IPv4 network, the HKIRC DNS servers can now serve both IPv4 and IPv6 addresses. Clients do not need an IPv6 network to use this service.


Q19: What are the changes to the existing HKIRC panels for IPv6?

A: The new IPv6-compatible HKIRC panels look the same as before. The only change is to the IP entry fields and displays in the panels, which now support IPv6 notation as well as the longer IPv6 address length.

Examples of these areas follow:

1. Add DN Host (Panel: Registry, Registrar)
2. Modify DN Host (Panel: Registry, Registrar)
3. Modify DNS (MNS) (Panel: Registry, Registrar)
4. Query DN Host (Panel: Registry, Registrar)
5. Whois search from hostname (Panel: Registry and Registrar)
Additional checks are also applied to validate the IPv6 format in all entry fields. For example:

Valid:
0000:0000:0000:0000:0000:0000:0000:0000
0000:0000:0000:0000:0000:0000:0000:0001
0:0:0:0:0:0:0:1
0:0:0:0:0:0:0:0001
0:0:0:0:0000:0:0:0001
0::1
0:0::1
::1
1::0
1::0:0
1:0::0
1::0000
1::
ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Invalid (reason):
0:0                     wrong length
1::1::1                 two compressions
Abcr::avdc              wrong format
123:123                 wrong format
1231:asda.123.123       wrong format
1232:1232:1232:1232     wrong format
234234344               wrong format
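The notation rules from Q16 and the validity checks in the table above, worked through in Python as an added example (not HKIRC's own panel code): expand_ipv6 applies the checks and reports the reason strings used in the table, compress_ipv6 produces the shortened form, and check_ipv6 combines the two. The exact algorithm of HKIRC's panels is not known and is assumed here.

```python
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")   # one group: 1 to 4 hex digits


def expand_ipv6(text):
    """Return the eight 16-bit groups of an IPv6 address as ints, applying the
    FAQ's rules: 1-4 hex digits per group, at most one '::' compression and
    exactly eight groups once expanded. ValueError carries the reason."""
    head, sep, tail = text.partition("::")
    if "::" in tail:
        raise ValueError("2 compression")          # e.g. 1::1::1 is ambiguous
    groups = (head.split(":") if head else []) + (tail.split(":") if tail else [])
    for g in groups:
        if not HEX_GROUP.match(g):
            raise ValueError("wrong format")
    missing = 8 - len(groups)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("wrong length")
    if sep:                                         # '::' stands for the missing zero groups
        at = len(head.split(":")) if head else 0
        groups[at:at] = ["0"] * missing
    return [int(g, 16) for g in groups]


def compress_ipv6(groups):
    """Shortest written form per the FAQ: leading zeros dropped and the longest
    run of zero groups (the first one on a tie) replaced by a single '::'."""
    best_start, best_len, start = 0, 0, None
    for i, g in enumerate(groups + [1]):            # sentinel closes a trailing run
        if g == 0 and start is None:
            start = i
        elif g != 0 and start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    hexes = [format(g, "x") for g in groups]
    if best_len == 0:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def check_ipv6(text):
    """Classify an address the way the entry-field check does:
    ('valid', shortest form) or ('invalid', reason)."""
    try:
        return "valid", compress_ipv6(expand_ipv6(text))
    except ValueError as err:
        return "invalid", str(err)
```

Running check_ipv6 over the table's entries reproduces its verdicts, and the six equivalent addresses from Q16 all compress to 2001:db8::1428:57ab.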


Q20: What is DNSSEC?

A: An extension to DNS has been developed to enhance its security: the Domain Name System Security Extensions (DNSSEC), which help prevent malicious activities such as cache poisoning, pharming and man-in-the-middle attacks. DNSSEC uses digital signatures so that resolvers can verify domain names and their corresponding IP addresses. By creating a chain of digital signatures, the data at every level of the domain name hierarchy is validated, safeguarding the Internet against these attacks. For details of DNSSEC, please see its introduction on Wikipedia.

HKIRC has set up a DNSSEC Test Bed for other parties to trial out DNSSEC and become familiar with the technologies behind DNSSEC.

Use of the HKIRC DNSSEC Test Bed is free of charge. For details, please see our DNSSEC Test Bed page.

If you have further enquiries, please contact us at +852 23192303 or by email to info@hkirc.hk. Thank you.

Last Updated: 5 / 12 / 2013
