技術常見問題﹝英文版﹞

WHOIS is used to query the information of a domain such as domain holder, contact details and its expiry date.

If a registrant does not have hosting service for his/her domain, he/she can use HKDNR’s name server (ns5.hkdnr.net.hk, ns6.hkdnr.net.hk) when registering the domain. However, it is not a hosting service for the domain’s web site – it will show HKDNR’s parking web page for the registered domain.

An IP address (Internet Protocol address) is a unique address that some electronic devices use to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). In simpler terms, IP address is a computer address.
There are mainly two type IP addresses: IPv4 and IPv6. IPv4(Internet Protocol version 4) is widely used in the Internet, and it uses 32 bits to represent an address. IPv6 (Internet Protocol version6), the successor of IPv4, makes use of 128 bits to represent an address instead of 32 bits. IPv6 has enough room for 3.4×10³⁸ unique addresses.

CDN is the Chinese Domain Name which contains at least one or more Chinese characters, may contain one or more uppercase or lowercase English letters, numbers or hyphens. Punycode is a computer programming protocol by which a Unicode string of characters can be translated into the more-limited character set permitted in network host names.

Name server is a program or computer server that map a human-recognizable identifier (hostname) of a host to it’s computer-recognizable identifier (IP address).

These are the files that contain the list of all the hosts in your domain, and their corresponding IP address. There are 13 type of zone file, which are .com.hk, .edu.hk, .org.hk, .idv.hk, .hk,.gov.hk, .net.hk, .公司.hk, .網絡.hk, .組織.hk, .教育.hk, .政府.hk,.個人.hk.

It is a service that runs Domain Name System servers.

The DNS record stores host related information such as NS,A, MX, SOA.
SOA – Start of Authority. This is the record stating that this server is authorized for the specified domain.
NS – Name server: Specifies the name server to be used to look up a domain.
MX – Mail Exchange: Specifies mail server(s) for the domain.
A – A Record: Used for linking a FQDN to an IP address.

The DNS cache poisoning is an attacker technique which causes the DNS caches the attacker’s forged DNS information when the attacker provides the non-authentic data to the vulnerable name server so that the name server’s client contacts such incorrect and possibly malicious hosts for particular services.

Due to the vulnerable name server maintaining the incorrect entries of the domain names, user will be directed to attacker IP address unexpectedly. As a result, user could unintentionally access the attacker controlled website, which may contain virus or unknowingly download malicious content which can retrieve user’s personal information for illegitimate purpose.

He found that the current DNS has deficiencies in its protocol which facilities the attacks regarding the randomness of the transaction id and source port.

Here are examples:-

1. Insufficient transaction ID space
   In the current required length of 16 bit of transaction ID, the attacker will require, on average, 32,768 attempts to successfully predict the ID. Smaller the bit length required in some flawed DNS, it is easier the attacker can predict the ID.
2. Multiple outstanding requests
   Some vulnerable DNS allow multiple identical queries for the same resource record (RR)which will lead the feasibility of a ‘birthday attack’.
3. Fixed source port for generating queries
   Some DNS allocate an arbitrary port at startup and reuse this source port for all outgoing queries.

It can use the following tools to check vulnerability of DNS Cache poisoning.

1. Web-based DNS Randomness Test by DNS-OARC
   Purpose: Scan your DNS for randomness of source port and query id to check if it is randomness enough.
   Detail: Please refer to https://www.dns-oarc.net/oarc/services/dnsentropy
2. Check your resolver’s source port behavior by DNS-OARC
   Purpose: Verify the DNS by its IP address. Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net
   Detail: Please refer to https://www.dns-oarc.net/oarc/services/porttest

To mitigate the risk of DNS Cache poisoning, the following preventive alternatives can be taken.

1. Enforce the randomness of the source port and query id via NAT operation and filter out the suspicious spoofed traffic at network perimeter
2. Disable recursion request or only accept this kind of request in DNS if it is from white-list subnet.
3. Disable glue-fetching explicating of DNS server
4. Check with software vendor to study the security patch and apply it on the DNS server
5. If you are using a vulnerable DNS server which is not under your control, please contact the owner or administrator of the issue
6. Introduce a secure version of DNS “DNSSEC” which uses trusted digital certificate to determine the authenticity data.

Similar to the use of telephone numbers on our fixed and mobile telecommunication network, each computer on the Internet is assigned a unique number called the IP (Internet Protocol) address. The current addressing scheme in use for IP addresses is called IPv4 (IPaddress version 4). IPv4 is 32-bit long (consisting of four 8-bit numbers separated by dots). It is expected that IPv4 addresses currently use on every devices connected to the Internet would eventually run out in 2011. A new addressing scheme called IPv6 (IP address version 6) has been developed. An IPv6 address is 128 bits long(consisting of eight 16-bit numbers separated by colons).

IPv6 has been available to Internet users for several years now, but its deployment poses some challenges. Because IPv6 has a different address format, IPv6 hosts can’t talk directly to the IPv4 hosts that make up most of the existing Internet.

For direct communication over IPv6, both parties must have deployed IPv6 across their networks, and so far only a relatively small number of networks have done this. However there are schemes based on indirect communication methods which enable IPv6 and IPv4 networks to communicate with each other.

Typical IPv4 IP address:
192.168.1.2 – Four groups separated by (.). Each group consists of a number ranging from 1 to 256. In theory, IPv4 can address up to 4,294,967,296 devices.

Typical IPv6 IP address:
2001:0db8:85a3:0000:0000:8a2e:0370:7334 – IPv6 addresses are normally written as eight groups of four hexadecimal (0-9, a-f) digits, where each group is separated by a colon (:).IPv6 can address up to 3.4×10³⁸ uniqueaddresses.

To shorten the writing and presentation of IPv6 addresses, several simplifications to the notation are permitted.

Any leading zeros in a group may be omitted; thus, the given example becomes
2001:db8:85a3:0:0:8a2e:370:7334

One or any number of consecutive groups of 0 value may be replaced with two colons(::):
2001:db8:85a3::8a2e:370:7334

This substitution with double-colon may be performed only once in an address, because multiple occurrences would lead to ambiguity. For example, the illegal address notation 2001::FFD3::57ab,could represent any of the following:
2001:0:0:0:0:FFD3:0:57ab
2001:0:0:0:FFD3:0:0:57ab
2001:0:0:FFD3:0:0:0:57ab
2001:0:FFD3:0:0:0:0:57ab

Using the double-colon reduction, the localhost (loopback)address, fully written as 0000:0000:0000:0000:0000:0000:0000:0001,may be reduced to ::1 and the undetermined IPv6 address (zero value), i.e., all bits are zero, is simply::.
For example, the addresses below are all valid and equivalent:
2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0000:0000:0000::1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8:0:0::1428:57ab
2001:0db8::1428:57ab
2001:db8::1428:57ab

:: means 0:0:0 or 0:0:0:0 or 0:0:0:0:0 or0:0:0:0:0:0 or 0:0:0:0:0:0:0 or 0:0:0:0:0:0:0:0 or 00:00:00 or 000:000:000 or 0000:0000:000 … etc.

When you normally look up DNS IP in IPv4 using the dig command, the answer may look like:

C:dig>dig @ns5.hkirc.net.hk hkirc.hk

; <<>> DiG 9.3.2<<>> @ns5.hkirc.net.hk hkirc.hk
; (1 server found)
;; global options: printcmd
;; Got answer:
;;->>HEADER<<- opcode: QUERY, status:NOERROR, id: 490
;; flags: qr aa rd ra; QUERY: 1, ANSWER:1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTIONSECTION:
;hkirc.hk. IN A

;; ANSWERSECTION:
hkirc.hk. 300 IN A 203.119.2.85

;; AUTHORITY SECTION:
hkirc.hk. 300 IN NSns5.hkirc.hk.
hkirc.hk. 300 IN NS ns6.hkirc.hk.
hkirc.hk. 300 IN NS ns7.hkirc.hk.

;;ADDITIONAL SECTION:
ns5.hkirc.hk. 300 IN A 203.119.2.22
ns6.hkirc.hk. 300 IN A 203.119.2.23
ns7.hkirc.hk. 300 IN A 203.169.156.100

;;Query time: 31 msec
;; SERVER:203.119.2.22#53(203.119.2.22)
;; WHEN: Mon Oct 12 14:36:152009
;; MSG SIZE rcvd: 144

The IPv4 result for ns5.hkirc.hk is shown below:

ns5.hkirc.hk. 300 IN A 203.119.2.22

Notice the single “A” in the answer, which indicates it is an IPv4 address.

Do the same with a domain name which have IPv6 address, like the one below:

C:dig>dig @ns1.hkirc.hk ns2.cuhk.edu.hk

; <<>> DiG 9.3.2<<>> @ns1.hkirc.hk ns2.cuhk.edu.hk
; (1 server found)
;; global options: printcmd
;; Got answer:
;;->>HEADER<<- opcode: QUERY, status:NOERROR, id: 155
;; flags: qr rd; QUERY: 1, ANSWER: 0,AUTHORITY: 3, ADDITIONAL: 4

;; QUESTIONSECTION:
;ns2.cuhk.edu.hk. IN A

;;AUTHORITY SECTION:
cuhk.edu.hk. 14400 IN NSNS3.cuhk.edu.hk.
cuhk.edu.hk. 14400 IN NS NS1.cuhk.edu.hk.
cuhk.edu.hk. 14400 IN NS ns2.cuhk.edu.hk.

;; ADDITIONAL SECTION:
ns2.cuhk.edu.hk.14400 IN A 137.189.6.21
ns2.cuhk.edu.hk. 14400 IN AAAA2405:3000:3:60::21
NS1.cuhk.edu.hk. 14400 IN A 137.189.6.1
NS3.cuhk.edu.hk. 14400 IN A 202.45.188.39

;; Query time: 15 msec
;; SERVER:203.119.2.18#53(203.119.2.18)
;; WHEN: Mon Oct 12 14:35:052009
;; MSG SIZE rcvd: 159

Notice the answer for ns2.cuhk.edu.hk:
ns2.cuhk.edu.hk. 14400 IN AAAA 2405:3000:3:60::21
The “AAAA” in the result means that this is an IPv6 address.

HKIRC has added the capability to register Domain Name with IPv6 addresses as name servers. What this means is, using existing IPv4 network, HKIRC DNS server can now cater for both IPv4 address and IPv6 address. Clients do not need to have an IPv6 network to enjoy this service.

An extension to DNS has been developed to enhance its security. It stands for Domain Name System Security Extensions (DNSSEC) which helps prevent malicious activities like cache poisoning, pharming, and man-in-the-middle attacks. It uses digital signatures to allow websites to verify their domain names and corresponding IP addresses. By creating a chain of digital signatures, the data sources at all levels of the domain name are validated, safeguarding the Internet against the attacks.

.hk DNSSEC Service is available now. For details, please see our DNSSEC page.