Monday, May 20, 2019

DNS security

  • How Does DNS Filtering Work?
DNS filtering, or Domain Name System filtering to give it its full title, is a technique for blocking access to certain websites or IP addresses by controlling name resolution. DNS is what allows easy-to-remember domain names such as Wikipedia.com to be used rather than hard-to-remember IP addresses such as 198.35.26.96. DNS maps domain names to IP addresses. Because a resolver only ever sees the hostname being looked up, DNS filtering operates on whole domains, not on individual web pages.

With DNS filtering in place, rather than the DNS server simply returning the IP address for any name that exists, each lookup is subjected to policy controls. If the domain or IP address is known to be malicious, the lookup is not answered with the real address. Instead of connecting to the website, the user is directed to a local IP address that displays a block page explaining that the site cannot be accessed.

Can DNS Filtering be Bypassed?
Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter unless the chosen solution also blocks access to these anonymizer sites. An end user could also manually change their DNS settings locally unless they have been locked down.
https://www.spamtitan.com/web-filtering/how-does-dns-filtering-work/





  • Open DNS Filtering - Disadvantages You Should Know

When surfing the web, the DNS server of your Internet Service Provider is normally used to resolve names to IP addresses.
A different DNS server that offers a filtering service, such as OpenDNS, can be used instead of the ISP's server.
The OpenDNS filtering service is fast and offers protection against phishing and other problems frequently encountered when browsing the web.

Some of the advantages of utilizing the filtering service of an alternative DNS server are:

Enhances security by blocking access to malicious and risky sites
Prevents malware downloads from malicious and risky sites
Keeps your defense up to date to protect your users as threats arise

OpenDNS claims to be more reliable and generally faster than an ISP's resolver. Because it caches records, it can keep answering for a domain whose authoritative name servers are temporarily down, for as long as the cached records have not expired. OpenDNS is connected directly to PhishTank.com, an anti-phishing site.
When blocking a phishing site, the OpenDNS filtering service shows a warning page instead of the fraudulent site.

There are, however, various drawbacks.

OpenDNS will know which sites you visit, as the entirety of your DNS requests will go to their servers. OpenDNS appears to be open and transparent, but in the end it is a question of trust.

OpenDNS does not filter URLs: it blocks only domains and sub-domains, not the path part of a URL, because a resolver never sees anything beyond the hostname. OpenDNS also does not increase the speed of your connection; at most it speeds up the DNS queries themselves.

https://cdome.comodo.com/opendns-filtering.php


  • What is DNS Filtering?


How Does DNS Filtering Work?

In order to understand how DNS attacks happen, it is vital to know how DNS works. To reach a particular website, the browser needs the IP address of its web server. The operating system's resolver first consults the system's hosts file, a text file mapping domain names to IP addresses. If the name isn't in the hosts file, the query goes to the configured DNS server, which may be operated by an ISP or by an organization such as Google or OpenDNS.

How is DNS used by Hackers?
All a hacker needs to do is find a way to make the resolver return the wrong IP address. Once that is done, anyone using that resolver who tries to reach the website will be sent to a bogus site instead. Similarly, email can be delivered to the wrong destination if the poisoned record is the domain's MX record.

Cache Poisoning
Cache poisoning, as the term suggests, means placing false information in a resolver's cache. Attackers accomplish this by sending a forged reply, with its source IP address spoofed to look like the legitimate name server, in answer to a query the resolver has outstanding.

How long does the cache remain poisoned?
DNS records carry a time to live (TTL); when it expires the record is discarded and must be fetched again from the authoritative server. The TTL of genuine records is set by the domain owner, but a forged record carries whatever TTL the attacker chose, so a poisoned entry survives for as long as the attacker specified. What the attacker cannot control is timing: the forged reply must arrive before the genuine one.

DNS Protection
To make a resolver as resistant as possible to cache poisoning, the main measures are:
➢ send each query from a random source port instead of always from UDP port 53
➢ randomise the case of the letters in the queried name (so-called 0x20 encoding) and require the reply to echo it
➢ randomise the 16-bit query ID
➢ keep your DNS servers patched and securely configured

Configuring DNS Filtering
By pointing your network's DNS settings (for example the DNS servers handed out by DHCP) at the filtering resolver, a single configuration change denies access to risky sites and secures your network. (The original text says "MX records" here; MX records only control where inbound mail is delivered and play no part in web filtering.)
https://cdome.comodo.com/blog/what-is-dns-filtering/


  • DNS Web Filtering 4 Myths And Some Truth


DNS filtering provides protection from online threats such as viruses, malware, ransomware, phishing attacks and botnets.
The Domain Name System (DNS) makes it so that we can use the Internet by remembering names, and computers can translate these names into machine-readable IP addresses to transfer information from websites, email servers, and file servers to your web browser or email client.

Myth 1: We don’t need web filtering, we already have endpoint antivirus
Antivirus software can only detect known viruses, and only while it is running.
End users are notorious for turning off antivirus and the local firewall on their computers to avoid sluggish performance or to install software that they "need" to do their job.

the business is liable for how its network is used.
If an end user is serving up pirated movies from your IP address, can your business afford the fine?
If an employee accidentally gets infected with a spam bot, it’s your IP address that will be blacklisted and blocked, and your email that will no longer be delivered.

Myth 2: DNS filtering is complicated
It starts with DNS lookup in just three steps:
    Query: You type a web address into the browser, triggering a DNS query.
    Lookup: The DNS server specified in your network interface configuration (usually provided automatically by your DHCP server) receives the request and looks up the IP address relating to that domain.
    Response: As long as the domain name exists, the corresponding IP address is returned, and your browser then uses that IP address to communicate directly with the web server for that domain (and usually caches it for future reference).
The filter protects your network by answering lookups with the real IP address only for permitted sites, and returning a local IP address that serves a block page for forbidden ones.
DNS logging will show which lookups were performed, but not which pages were actually visited, nor for how long, since a resolver never sees the URL or the HTTP traffic that follows.
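The three-step lookup and the block-page behaviour described above, as an added example that is not part of the original article or of any vendor's product: a minimal filtering resolver in Python that parses a query off the wire, matches the queried name (and every sub-domain of it) against a blocklist, and either answers with the address of a local block page or hands the packet back to be forwarded upstream unchanged. The blocklist, the block-page address 10.0.0.2 and the test names are constructed for the example; the packet layout is the standard one from RFC 1035.

```python
import struct
import ipaddress

# Constructed policy for the example: names under these domains are blocked.
BLOCKLIST = {"malware.example", "phish.example"}
BLOCK_PAGE_IP = "10.0.0.2"   # assumed local host serving the "site blocked" page
BLOCK_TTL = 60               # short TTL so a policy change takes effect quickly


def _encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(pkt: bytes, off: int):
    """Decode an uncompressed name starting at pkt[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers never appear in a question section
            raise ValueError("compressed name in question section")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursion-desired query (A record by default), as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (txid, lowercase qname, qtype, qclass, raw question section)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = _decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name.lower(), qtype, qclass, pkt[12:off + 4]


def is_blocked(name: str) -> bool:
    """Suffix match, so every sub-domain of a blocked domain is blocked too.
    Only the hostname is visible here: the URL path never reaches a resolver."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST)


def filter_query(pkt: bytes):
    """Return a sinkhole response for a blocked name, or None to forward upstream."""
    txid, name, qtype, qclass, question = parse_query(pkt)
    if not is_blocked(name):
        return None
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
    if qtype != 1 or qclass != 1:
        # Blocked name but not an IPv4 query: empty NOERROR answer, nothing to connect to.
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    answer = (b"\xc0\x0c"                                   # pointer to the question name
              + struct.pack("!HHIH", 1, 1, BLOCK_TTL, 4)    # A, IN, TTL, RDLENGTH
              + ipaddress.IPv4Address(BLOCK_PAGE_IP).packed)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def answer_ip(resp: bytes) -> str:
    """Extract the address from a single-answer response built by filter_query."""
    _, _, _, _, question = parse_query(resp)   # header + question layout is shared
    rr = resp[12 + len(question):]
    ttl, rdlen = struct.unpack("!IH", rr[6:12])
    return str(ipaddress.IPv4Address(rr[12:12 + rdlen]))
```

filter_query() returning None is the "permitted" path: a real deployment forwards such queries to the upstream resolver and relays the answer untouched, which is also where all logging of "which names were looked up" happens.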

Myth 3: DNS web filtering is easy to bypass
In most cases, simply setting the primary DNS servers as the cloud web filter in your DHCP server (usually this is all in your Internet gateway appliance for a small business – which includes the router, network switch, and a firewall) is good enough to block the majority of web-delivered malware and prevent access to any productivity-killing (Facebook) and bandwidth-gobbling sites (YouTube, Netflix).

Users will find a proxy service or change their DNS settings locally on their computer if you haven't locked it down.
No web filtering approach is immune to circumvention – both appliance-based and cloud DNS filtering services can be bypassed
It’s time to roll up your sleeves and set some firewall rules on your Internet gateway/router
Block DNS requests to anything other than your approved DNS service.
If you use an external DNS service, allow only port 53 (UDP, plus TCP for truncated responses) from your network to the IP addresses of your chosen DNS filtering service, and drop all other outbound port 53 traffic.
If you have your own, locally hosted, internal DNS server, allow port 53 outbound only from your internal DNS server's internal IP address to the external IP addresses of the primary and secondary servers that it is configured to forward to.
That way local computers query your local DNS server, and only your DNS server queries the web filtering DNS service on the Internet. Bear in mind that a port 53 rule does not catch encrypted resolvers such as DNSCrypt or DNS over HTTPS (typically port 443) or DNS over TLS (port 853); those have to be blocked by resolver IP address or at the proxy.

Myth 4: Configuring DNS filtering is a lot of work
Most routers and firewalls will allow you to block port 53 (DNS traffic) to every destination except your chosen resolver.
Pointing the DNS servers handed out by your DHCP server at the filtering service is a single configuration change in one place that effectively prevents access to risky sites and protects your network. (The original text speaks of "MX records" here; those only direct inbound mail and are not involved.)

Key Benefits of DNS Filtering
Block Malware & Malicious Sites
Control Internet Access
Prevent malware downloads from malicious or hacked websites
Keeps your defense up to date with targeted threat analysis and zero day updates to protect your customers as threats arise.

https://www.titanhq.com/blog/4-myths-about-dns-filtering-and-some-truth

  • How to Use OpenDNS on Your Router, PC, Tablet, or Smartphone


Changing Your DNS
You have two configuration options on your home network. You can change the DNS on your router, which is the main connection point to and from the Internet.
This has the advantage of covering everything in an umbrella of protection. This is also its disadvantage because every computer behind the router must then use the same router settings unless you specifically assign a client to use another DNS server.
Another disadvantage is that there’s no way to tell, at least with the free version of OpenDNS, where the traffic is coming from, so if you see a bunch of blocked websites, it could be you, it could be your spouse, it could be your children, or anyone else who comes over and connects to your network.

Preferred Method: Configuring Your Router
Nevertheless, the preferred method of using OpenDNS is to configure your router to direct all DNS requests through their servers.

Clearing Your DNS Resolver Cache on Windows Clients
ipconfig /flushdns

Clearing Your Browser History
Clearing Internet Explorer’s Cache
Clearing Mozilla Firefox’s Cache
Clearing Google Chrome’s Cache


Alternative Method: Configuring Individual Clients

Changing DNS Servers on Windows Computers
Changing DNS Servers on an Android Device
Changing DNS Servers on an iOS Device

https://www.howtogeek.com/201312/how-to-use-opendns-on-your-router-pc-tablet-or-smartphone/



  • OpenDNS is a free online service that offers an extra layer of safety on the Internet

Technically, the service is DNS resolution.
The main defensive computing advantage it provides is protection from bad Web sites, most importantly from phishing scams.
You don't have to register to use the service, and there is no software to download or install.
All that's involved is a change to the networking configuration of either your computer or your router. This is a one-time change--OpenDNS requires no ongoing care and feeding.
Should you ever want to stop using the service, simply reverse the configuration change.
https://www.cnet.com/news/opendns-provides-added-safety-for-free/


  • OpenDNS is a company and service that extends the Domain Name System (DNS) by adding features such as phishing protection and optional content filtering in addition to DNS lookup, if its DNS servers are used.

The company hosts a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks.

DNS services for personal home use
On May 13, 2007, OpenDNS launched a domain-blocking service to block web sites or non-Web servers visited based upon categories, allowing control over the type of sites that may be accessed
In 2008, OpenDNS changed from a closed list of blocked domains to a community-driven list allowing subscribers to suggest sites for blocking; if enough subscribers (the number has not been disclosed) concur with the categorization of the site it is added to the appropriate category for blocking
Other free, built-in features include a phishing filter. OpenDNS also run a service called PhishTank for users to submit and review suspected phishing sites
OpenDNS supports the DNSCrypt protocol, which authenticates DNS traffic between the user's computer and the name servers
https://en.wikipedia.org/wiki/OpenDNS
  • Dynamic Domain Name System

DNS records are normally static, so the IP address they point to should be static too. If you have a dynamic IP address, your computer's address changes frequently, so a name that was mapped to the old address will no longer reach the desired computer. Dynamic DNS is used to avoid this situation.
http://www.techcuriosity.com/tutorials/networking/difference_between_DNS_and_DDNS.php
Dynamic Detection of Malicious DDNS

  • In the past, you needed a static IP address, or an IP address that never changed, in order to manage a domain name. This is a problem because most Internet users have a dynamic IP address, or an IP address that can change (sometimes frequently). 

http://www.serv-u.com/kb/1408/how-does-dynamic-dns-work


  •  It can be quite difficult to set up, and a lot of hassle if you just want people to connect to your home web server or gaming server, so rather than go to the trouble, many companies will do this for you for free by offering a service known as "Dynamic DNS". This works by running a small program on your home machine that discovers your IP address every so often (or every time you connect) and sends it to the company that maintains the Dynamic DNS. Once this information has been received, the company automatically updates its DNS servers on the spot, so that any change to your IP address is immediately made known to anyone trying to connect to you.

 http://whatismyipaddress.com/dynamic-dns
  • Multicast DNS is a way of using familiar DNS programming interfaces, packet formats and operating semantics, in a small network where no conventional DNS server has been installed.

http://www.multicastdns.org/


  • DNS-SD uses Multicast DNS (mDNS), which works by sending DNS packets over UDP to a fixed link-local multicast address (224.0.0.251 or ff02::fb, port 5353). All mDNS-capable hosts on the network listen on that address. It uses UDP, so overhead is low, and clients are designed to keep chatter on the network to a minimum by caching extensively.


Service discovery is a two-step process. The first step is finding the names of all hosts providing a certain service (e.g. printing). This does not yet give you the IP address; instead it gives you the mDNS name (ending in .local), because the IP address may change whereas the name will not.

The second step is to resolve the host's .local name over mDNS. You ask via multicast who foo.local is; foo.local sees that packet and responds, also via multicast, with its IP address, port number and other information.

https://stackoverflow.com/questions/11835782/how-exactly-does-mdns-resolve-addresses



  • Bonjour is Apple's implementation of zero-configuration networking (zeroconf), a group of technologies that includes service discovery, address assignment, and hostname resolution. Bonjour locates devices such as printers, other computers, and the services that those devices offer on a local network using multicast Domain Name System (mDNS) service records.

https://en.wikipedia.org/wiki/Bonjour_%28software%29


  • Zero-configuration networking (zeroconf) is a set of technologies that automatically creates a usable computer network based on the Internet Protocol Suite (TCP/IP) when computers or network peripherals are interconnected. It does not require manual operator intervention or special configuration servers.


Zeroconf is built on three core technologies: assignment of numeric network addresses for networked devices, automatic distribution and resolution of computer hostnames, and automatic location of network services, such as printing devices. Without zeroconf, a network administrator must set up services, such as Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS), or configure each computer's network settings manually.
https://en.wikipedia.org/wiki/Zero-configuration_networking
mDNS can be abused to amplify DDoS traffic: a responder that answers unicast queries arriving from the Internet on UDP port 5353, rather than only queries from its own link, will send a larger reply to whatever spoofed source address the attacker chose. Block inbound port 5353 at the perimeter.
  • What is a DNS leak and why should I care?
even when connected to the anonymity network, the operating system will continue to use its default DNS servers instead of the anonymous DNS servers assigned to your computer by the anonymity network. DNS leaks are a major privacy threat since the anonymity network may be providing a false sense of security while private data is leaking.
https://dnsleaktest.com/what-is-a-dns-leak.html


  • Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN
Given that WebRTC is genuinely useful, it is something of a shame that the only way to prevent it from leaking your true IP address is to disable WebRTC in your browser completely (although the Statutory add-on does allow you to whitelist individual websites).
At the time the article was written the WebRTC issue affected only Firefox, Chrome and Opera; Internet Explorer had no WebRTC support, and Safari has since gained it (from Safari 11), so it is no longer exempt.
https://www.bestvpn.com/blog/31750/a-complete-guide-to-ip-leaks/


  • You might think your anonymity service protects you completely, but don’t get too cocky. If any trackable data is stored on your computer, or any traffic not completely routed through the anonymity network, you could be giving yourself away.
Just one leak is enough to link you back to your real IP and your real identity.
https://www.doileak.com/

  • What is a "WebRTC leaks"?

WebRTC implements STUN (Session Traversal Utilities for NAT), a protocol that lets the browser discover the public IP address it is reachable at. To disable it:

    Mozilla Firefox: Type "about:config" in the address bar, find "media.peerconnection.enabled" and double-click it to set it to false.
    Google Chrome: Install Google's official extension WebRTC Network Limiter.

What is a "DNS leaks"?

In this context, with "DNS leak" we mean an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.
Why my system suffers DNS leaks?

In brief: Windows lacks the concept of global DNS. Each network interface can have its own DNS. Under various circumstances, the system process svchost.exe will send out DNS queries without respecting the routing table and the default gateway of the VPN tunnel, causing the leak.
Should I be worried for a DNS leak?

If you don't want your ISP, or anybody else able to monitor your line, to know the names your system tries to resolve (and so the web sites you visit), you must prevent your system from leaking DNS. If you live in a country hostile to human rights, or the knowledge described above could harm you in any way, you should act immediately to stop DNS leaks.
How Does Torrent Detection Work?

To detect data from your torrent client we provide a magnet link to a fake file. The magnet link contains the HTTP URL of a tracker controlled by us, which records the information sent by the torrent client.
https://ipleak.net/


  • WebRTC (Web Real-Time Communication)
WebRTC (Web Real-Time Communication) is an API definition drafted by the World Wide Web Consortium (W3C) that supports browser-to-browser applications for voice calling, video calling, and P2P file sharing without the need of either internal or external plugins.
https://en.wikipedia.org/wiki/WebRTC

  • One of the primary reasons to use a VPN is to hide your true IP address. When using a VPN, all your internet traffic is encrypted and sent to a VPN server run by your VPN provider before exiting to the internet. This means that outside observers can only see the IP address of the VPN server, and not your true IP address. The only way for them to discover your true IP address, therefore, is to convince your VPN provider to hand it over to them.
https://www.bestvpn.com/blog/31750/a-complete-guide-to-ip-leaks/

  • WebRTC
WebRTC is a free, open project that gives web browsers Real-Time Communications (RTC) capabilities via simple JavaScript APIs.
Its goal is to enable rich, high-quality RTC applications to be developed in the browser via simple JavaScript APIs and HTML5.
http://www.webrtc.org/

  • DNS spoofing

DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker's).

DNS is a hierarchical naming system built on a distributed database for resources connected to the Internet.
DNS maps domain names to their corresponding Internet Protocol (IP) addresses.
DNS has no authentication mechanisms included by default.
The lack of authentication increases the risk of falsified DNS information being stored on a DNS Resolver by entities with no authority to do so.
These activities are known as DNS spoofing and DNS cache poisoning.

DNS spoofing and DNS cache poisoning can permit an adversary to map the internal network of an organisation based on queries from the internal DNS Resolver to upstream DNS Resolvers. DNS cache poisoning can subvert client connections to provide false information, facilitating installation of malicious code or the extraction of sensitive information

DNS Resolvers are typically configured to query upstream counterparts if they do not have a DNS record cached for the requested domain name.
This is known as recursion; the replies are cached, which improves response times and performance in much the way a web browser caches pages it has fetched.
Entries remain in a DNS Resolver's cache for the time to live (TTL) value in the returned record, after which they are discarded.

DNS spoofing
DNS cache poisoning
DNS cache poisoning with flooding

Mitigation strategies

Separate authoritative and recursive DNS Resolvers
Limit zone transfers

Randomise source ports and transaction identifiers
DNS Caching Resolvers are used by internal clients to resolve external domains. They should use random source ports and random transaction IDs to reduce the likelihood of an adversary successfully guessing and faking a response designed to poison the cache of a DNS Resolver.

Avoid NAT/PAT on DNS traffic
Avoid using routers, firewalls and other gateway devices that perform Network Address Translation (NAT), or more specifically, Port Address Translation (PAT) on DNS traffic. PAT devices often rewrite source ports to track connection state, thus negating the effect of any randomisation implemented by DNS.

https://www.cyber.gov.au/sites/default/files/2019-05/PROTECT%20-%20Domain%20Name%20System%20Security%20%28April%202019%29.pdf
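The randomisation advice in the "DNS Protection" list earlier on this page and in the mitigation strategies just above, worked through as an added example (not code from the cdome or cyber.gov.au texts): how many bits an attacker must guess to get a forged reply accepted under each configuration, what a PAT device that rewrites source ports costs you, and how case randomisation of the query name (0x20 encoding) is applied and checked. This models the mechanism rather than any particular resolver's implementation; the key and names are constructed.

```python
import hmac
import hashlib


def encode_0x20(qname: str, key: bytes) -> str:
    """Apply 0x20 case randomisation: every letter of the query name gets one
    case bit derived from a per-resolver secret, so the pattern is unpredictable
    to anyone without the key but reproducible by the resolver."""
    digest = hmac.new(key, qname.lower().encode("ascii"), hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big")
    out, i = [], 0
    for ch in qname.lower():
        if ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def reply_accepted(sent_qname: str, received_qname: str) -> bool:
    """Authoritative servers copy the question name byte-for-byte into the reply
    (RFC 1035), so a genuine answer echoes the case pattern. A forger who does
    not know the key has to guess every case bit as well as port and ID."""
    return sent_qname == received_qname


def guess_bits(qname: str, random_port: bool, use_0x20: bool,
               behind_pat: bool = False) -> int:
    """Bits an attacker must guess for a forged reply to be accepted.
    Transaction ID: always 16 bits. Random source port: about 16 more, unless a
    PAT device rewrites the port and throws that entropy away (modelled here as
    0 extra bits, the worst case). 0x20: one bit per letter in the name."""
    bits = 16
    if random_port and not behind_pat:
        bits += 16
    if use_0x20:
        bits += sum(1 for ch in qname if ch.isalpha())
    return bits


def expected_forged_replies(bits: int) -> int:
    """Mean number of spoofed replies the attacker must land inside the race
    window before one matches: half the guess space."""
    return 2 ** (bits - 1)


def demo():
    # Constructed secret and name; the attacker forges the plain lowercase name.
    key = b"constructed-resolver-secret"
    sent = encode_0x20("www.example.com", key)
    forged = "www.example.com"
    return sent, reply_accepted(sent, sent), reply_accepted(sent, forged)
```

With transaction ID alone an attacker needs on average 32,768 forged packets in the race window; with a random port as well, about 2 billion; 0x20 on a 13-letter name adds another factor of 8,192. That is the whole reason the PAT caveat matters: a gateway that rewrites the port puts you back at 32,768.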

  • Firewalls

Let's begin at the most prevalent security system: your firewall. All firewalls should let you define rules to prevent IP spoofing. Include a rule to deny DNS queries from IP addresses outside your allocated numbers space to prevent your name resolver from being exploited as an open reflector in DDoS attacks.
Enable inspection of DNS traffic for suspicious byte patterns or anomalous DNS traffic to block name server software exploit attacks.

Intrusion detection systems
Whether you use Snort, Suricata, or OSSEC, you can compose rules to report DNS requests from unauthorized clients. You can also compose rules to count or report NXDOMAIN responses, responses containing resource records with short TTLs, DNS queries made using TCP, DNS queries to nonstandard ports, and suspiciously large DNS responses.

Traffic analyzers
Capture and filter DNS traffic between your clients and your resolver, and save to a PCAP file. Create scripts to search the PCAP for the specific suspicious activities you are investigating

Passive DNS replication
This involves using sensors at resolvers to create a database that contains every DNS transaction (query/response) through a given resolver or set of resolvers. Including passive DNS data in your analysis can be instrumental in identifying malware domains, especially in cases where the malware uses algorithmically generated domain names (DGAs).

Logging at your resolver
The logs of your local resolvers are a last and perhaps most obvious data source for investigating DNS traffic
https://www.darkreading.com/analytics/threat-intelligence/5-ways-to-monitor-dns-traffic-for-security-threats/a/d-id/1315868
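The detection ideas in the intrusion-detection and resolver-logging items above, run over constructed resolver log lines as an added example (not code from the Dark Reading article): it flags NXDOMAIN bursts per client, queries to non-standard ports, TCP queries, unusually large responses, records with very short TTLs, and names whose leftmost label looks algorithmically generated. The log format, the thresholds and the DGA heuristic are assumptions made for the example; real resolver logs (BIND, Unbound, Windows DNS) each need their own parser in place of parse_log().

```python
import math
from collections import Counter

# Constructed sample records (not a real resolver log). One record per line:
# timestamp client qname qtype rcode response_bytes min_ttl proto dst_port
SAMPLE_LOG = """\
1558300001 10.1.1.5 www.example.com A NOERROR 96 3600 udp 53
1558300002 10.1.1.5 mail.example.com MX NOERROR 120 3600 udp 53
1558300003 10.1.1.9 xk3q9zvt1p.example.net A NXDOMAIN 80 0 udp 53
1558300003 10.1.1.9 b7t0zmxqwr.example.net A NXDOMAIN 80 0 udp 53
1558300004 10.1.1.9 qz8vk2npt4.example.net A NXDOMAIN 80 0 udp 53
1558300004 10.1.1.9 mw4xr9ztk1.example.net A NXDOMAIN 80 0 udp 53
1558300005 10.1.1.9 c3ctrl.example.org A NOERROR 90 30 udp 53
1558300006 10.1.1.7 www.example.org TXT NOERROR 3200 300 udp 53
1558300007 10.1.1.7 www.example.org A NOERROR 96 300 tcp 53
1558300008 10.1.1.12 odd.example.com A NOERROR 96 300 udp 5353
"""

# Thresholds are assumptions for the example; tune them against your own baseline.
NXDOMAIN_THRESHOLD = 3      # NXDOMAIN answers per client in the window
SHORT_TTL = 60              # seconds; fast-flux and C2 records tend to sit well below this
LARGE_RESPONSE = 1024       # bytes; well above the classic 512-byte UDP limit
ENTROPY_THRESHOLD = 3.2     # bits per character of the leftmost label
VOWEL_RATIO = 0.25          # natural-language labels rarely go below this

FIELDS = ["ts", "client", "qname", "qtype", "rcode", "size", "ttl", "proto", "dport"]


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for k in ("ts", "size", "ttl", "dport"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def label_entropy(label):
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def is_dga_like(qname):
    """Crude heuristic: a long, high-entropy leftmost label with few vowels.
    Passive DNS and known-DGA feeds are the proper tools; this is a first filter."""
    label = qname.lower().split(".")[0]
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return label_entropy(label) > ENTROPY_THRESHOLD and vowels < VOWEL_RATIO


def analyse(records):
    """Return (alert-type, client, detail) tuples for the records given."""
    alerts = []
    nxdomain = Counter()
    for r in records:
        c, q = r["client"], r["qname"]
        if r["rcode"] == "NXDOMAIN":
            nxdomain[c] += 1
        if r["dport"] != 53:
            alerts.append(("nonstandard-port", c, q))
        if r["proto"] == "tcp":
            alerts.append(("tcp-query", c, q))
        if r["size"] > LARGE_RESPONSE:
            alerts.append(("large-response", c, q))
        if r["rcode"] == "NOERROR" and r["ttl"] < SHORT_TTL:
            alerts.append(("short-ttl", c, q))
        if is_dga_like(q):
            alerts.append(("dga-like-name", c, q))
    for client, count in nxdomain.items():
        if count >= NXDOMAIN_THRESHOLD:
            alerts.append(("nxdomain-burst", client, str(count)))
    return alerts
```

Each of these signals is noisy on its own (TCP queries are normal for large answers, and CDNs use short TTLs); the value is in the combination, which is why the client 10.1.1.9 above, with an NXDOMAIN burst of DGA-looking names followed by a short-TTL hit, is the one worth pulling a PCAP for.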

  • A logical next step towards a new, more secure Internet is to remove any central points of trust from the core of the Internet. Following the trust-to-trust principle, DNS and PKI functionality for end-hosts should exist near the edges of the network and not in the core.

Let’s imagine a server that provides DNS and PKI functionality and runs in a (local) network you trust. This server needs two things:

    Decentralized Consensus: Ability to reach consensus with the rest of the network about the global state of the DNS and PKI system.
    Tamper Proofing: Mechanism to ensure that data records in the DNS and PKI system cannot be easily tampered with.
Blockchains are great at providing both these properties; nodes can independently reach consensus and tampering with data records requires an enormous amount of compute power. It’s not surprising that blockchains have been used to implement decentralized DNS and PKI systems
https://medium.com/@muneeb/next-steps-towards-a-secure-internet-a057217acebb


  • The hosts file is like your speed dial directory for the internet.


Where is the hosts file located?
The actual location of the hosts file is stored in the registry under the key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, in the value, DataBasePath.
The hosts file does not have an extension, but it can be viewed by opening it with Notepad (or something similar). To replace or alter the hosts file, you will need Administrator privileges, but every user has “Read” permissions.
Before resolving an internet request (to look up the IP that belongs to a domain name), Windows looks in the hosts file to see if there is a predefined entry for that domain name (the speed dial, remember?).

These predefined entries in the hosts file can exist for several reasons:
Blocking: some people (who are oftentimes unaware that hosts files can be installed by their security programs) use them to block unwanted sites by mapping malicious or otherwise unwanted domains to 127.0.0.1 (the loopback address) or 0.0.0.0 (the unspecified address, which fails immediately); either way the connection never leaves the machine, so in effect there is no outgoing traffic for these requests.
Pointing: for example, system administrators use the hosts file to map intranet addresses.

Malware uses it for their own reasons, where the two most common ones are:
To block detection by security software: for example, by blocking the traffic to all the download or update servers of the most well-known security vendors.
To redirect traffic to servers of their choice: for example, by intercepting traffic to advertisement servers and replacing the advertisements with their own.

https://blog.malwarebytes.com/cybercrime/2016/09/hosts-file-hijacks/
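An audit of hosts-file entries for the two malware uses described above, as an added example (not code from the Malwarebytes post): it classifies each mapping as a block (loopback or 0.0.0.0), an internal mapping (RFC 1918 address) or a redirect to an outside address, and reports any override of a security-vendor update host. The sample file contents and the protected-domain list are constructed for the example; the registry lookup reads the DataBasePath value named above.

```python
import ipaddress
import os
import sys

# Constructed hosts file content; not copied from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # ad blocking
127.0.0.1       tracker.example.org
192.168.1.10    intranet.corp.example      # internal mapping
203.0.113.7     www.bank.example           # public name pointed elsewhere
127.0.0.1       update.antivirus.example   # vendor update server blocked
"""

# Assumed stand-ins for security-vendor update hosts; use your vendors' real names.
PROTECTED_SUFFIXES = ("antivirus.example", "windowsupdate.example")

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def hosts_path():
    """On Windows the location comes from the Tcpip\\Parameters DataBasePath
    registry value; elsewhere it is /etc/hosts."""
    if sys.platform == "win32":
        import winreg
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
        path, _ = winreg.QueryValueEx(key, "DataBasePath")
        return os.path.join(os.path.expandvars(path), "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line number, ip, name) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real audit would report it
        for name in parts[1:]:
            yield lineno, ip, name.lower()


def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip, name):
    """Return (kind, finding-or-None) for one mapping."""
    if name in ("localhost", "localhost.localdomain"):
        kind = "loopback"
    elif ip.is_loopback or ip.is_unspecified:
        kind = "block"
    elif any(ip in net for net in INTERNAL_NETS):
        kind = "local-mapping"
    else:
        kind = "redirect"
    if is_protected(name):
        return kind, "security vendor host overridden"
    if kind == "redirect":
        return kind, "public name pointed at an outside address"
    return kind, None


def audit(text):
    return [(lineno, str(ip), name) + classify(ip, name)
            for lineno, ip, name in parse_hosts(text)]


def findings(text):
    return [row for row in audit(text) if row[4] is not None]
```

To run it against the live file, read hosts_path() and pass the contents to findings(); plain blocks and RFC 1918 mappings are reported as ordinary, and only the two hijack patterns from the text surface as findings.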

What is a HOSTS file?
Each time you try to connect to an internet address, your computer has to determine its numerical address. This is usually done using DNS (Domain Name System) servers. However, you can override the address of any site for your own computer by storing it in the HOSTS file. Simply put, the HOSTS file lets the system skip the DNS lookup for the names it lists, since it is checked before the DNS servers are queried.

For example, if you had the BBC website in your HOSTS file, its entry would look like 212.58.224.131 www.bbc.co.uk. The name would then resolve instantly, without a DNS query, so the site would load marginally faster than sites that are not listed. The caveat is that a HOSTS entry never expires: when the site changes its address (as large sites do regularly), the stale entry silently breaks access until you fix it by hand, so this is rarely worth doing for public sites.

That said, you could list trusted, frequently visited sites in this file, or you could BLOCK unwanted sites by adding them to the same HOSTS file with the address of your own computer (127.0.0.1).

https://www.2-viruses.com/blocking-spyware-using-the-hosts-file


  • There is another way to resolve domain names without using the Domain Name System, and that is by using your HOSTS file. Almost every operating system that communicates via TCP/IP, the standard of communication on the Internet, has a file called the HOSTS file. This file allows you to create mappings between domain names and IP addresses.


The HOSTS file is a text file that contains IP addresses, each followed by at least one space and then a domain name, with each entry on its own line. For example, imagine that we wanted to make it so that if you typed in www.google.com, instead of going to Google you would go to www.yahoo.com. To do this you would need to find out one of Yahoo's IP addresses and map www.google.com to that IP address.

One of the IP addresses for Yahoo is 216.109.118.69. If we wanted to map Google to that IP address we would add an entry into our HOSTS file as follows:

216.109.118.69 www.google.com

Network Testing - I manage a large Internet data center, and many times we need to set up test machines or development servers for our customers' applications. When connecting to these machines, you can use the HOSTS file to test them as if they were the real thing and not a development server.

As an example, say you had a domain name for a development computer called development.mydomain.com. When testing this server you want to make sure it operates correctly if people reference it by the true web server domain name, www.mydomain.com. If you changed www.mydomain.com on the DNS server to point to the development server, everyone on the Internet would connect to that server instead of the real production server. This is where the HOSTS file comes in: you add an entry mapping www.mydomain.com to the IP address of the development server on the computers you will be testing with, so the change is local to the testing machines and not the entire Internet. Now when you connect to www.mydomain.com from a computer with the modified HOSTS file you are really connecting to the development machine, but to the applications you are using it appears that you are connecting to www.mydomain.com.

https://www.bleepingcomputer.com/tutorials/hosts-files-explained/



  • 7 Ways to Use Hosts File on Your Computer


1. Editing Hosts File to Block a website

To block any site from hosts file, you only need to map the hostname to the localhost IP (127.0.0.1) or a full-zero’s IP address (0.0.0.0) followed by the sites domain name.
For instance, to block users from access Twitter, add one of the following entries at the end of the hosts file:
127.0.0.1 twitter.com www.twitter.com
0.0.0.0 twitter.com www.twitter.com

2. Re-directing a Website Using Hosts File

You can also redirect the website to a particular domain. For example, you may edit the hosts file such that whenever a user tries to access Twitter, they are redirected to the company’s site or any other website.
First, you need to know the IP for your target website.
Then use the hosts file to map that IP to twitter.com. To redirect Twitter to the Google IP address 216.58.223.110, add "216.58.223.110 www.twitter.com twitter.com" at the end of the hosts file and save. Note that this only redirects the connection: the target server still receives a request for the Twitter hostname, so an HTTPS site will fail the certificate check and a shared web server may answer with an error page rather than the site you intended.

3. Create Shortcuts for Websites or Intranet Services
You can also modify Windows hosts file to create shortcuts for public or internal sites or web services.
For instance, if you have a server with the IP 192.168.1.10 on your network, a descriptive name is easier to remember than the IP address.
To create a shortcut for the device, map its IP to your preferred name.
Add "192.168.1.10 mydevice.com" and save the file. Prefer a name you control or an internal suffix over a made-up .com name: a real domain with that name may exist, and the hosts entry would shadow it on this machine only.

4. Testing Network / Web Servers
When you are running a web development server on your local network, it is safe to test its functionality before publishing it live.
For instance, if you are running a web server (IP: 192.168.0.11), hosting two sites mysite1.com and mysite2.com, you can add the following entries to the hosts file:
192.168.0.11 mysite1.com
192.168.0.11 mysite2.com

5. Content Filtering and Ads Blocking
You can block ad networks or unwanted sites by mapping the site to the localhost IP (127.0.0.1).
This points the name back to your own PC, blocking access to known malicious or ad sites.

6. Adding Websites to Hosts File to Improve Browsing Speed
Adding a site to the hosts file can increase browsing speed. This is simply because the computer doesn't need to query the DNS server for the IP and waste time waiting for a response.

7. Preventing Malicious Attacks
You can prevent unauthorized edits to the hosts file by changing the properties of the “hosts” file.
Under the “General” tab, tick the “Read-only” checkbox to disable editing.

https://www.webnots.com/7-ways-to-use-hosts-file-on-your-computer/
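
The hosts-file uses above (blocking, redirecting, intranet shortcuts, dev-server testing, and guarding against unauthorized edits) can be checked mechanically. The following is an added example, not code from the webnots article: it parses a constructed sample hosts file, generates block entries in the article's format, and classifies every mapping as a sink (block), a local shortcut, or a redirect of a public name to some other host, which is the kind of tampering a defender wants flagged. The sample file content and the RFC 1918 heuristic for "local" are assumptions of this example.

```python
import ipaddress

# Constructed sample hosts file (not from the article): an ad-network sink
# (section 5), an intranet shortcut (section 3), a dev server hosting two
# sites (section 4), and the Twitter-to-Google redirect from section 2.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net tracker.example.net   # ad block
192.168.1.10    mydevice.com
192.168.0.11    mysite1.com mysite2.com
216.58.223.110  www.twitter.com twitter.com
"""

# Private ranges treated as "local": intranet devices and test web servers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text):
    """Yield (ip, [names]) for each active line; comments and blank lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)          # accepts IPv4 and IPv6
        except ValueError:
            raise ValueError(f"line {lineno}: {ip!r} is not an IP address") from None
        yield ip, names

def block_entries(domains, sink="0.0.0.0"):
    """Lines that sink a domain and its www host, in the format of section 1."""
    return [f"{sink} {d} www.{d}" for d in domains]

def audit_hosts(text):
    """Classify each mapping as sink (block), local (shortcut/dev server) or redirect.

    A loopback or all-zeros target is a block; an RFC 1918 target is an intranet
    shortcut or test server; anything else silently sends a public name to some
    other host, the unauthorized edit section 7 is about.
    """
    report = {"sink": [], "local": [], "redirect": []}
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            kind = "sink"
        elif any(addr in net for net in RFC1918):
            kind = "local"
        else:
            kind = "redirect"
        report[kind].extend((name, ip) for name in names)
    return report
```

Running `audit_hosts(SAMPLE_HOSTS)` lists twitter.com and www.twitter.com under "redirect", which is exactly the entry a read-only hosts file (section 7) is meant to keep an attacker from adding.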

  • Learning About DNS Record Types


Name Servers
When you bought your domain name, your registrar probably configured default DNS records for you and provided the Name Servers (NS) for them. You need to have a Name Server (which is often mirrored in pairs and triplets for redundancy, e.g. ns1.yourregistrarserver.com, ns2.yourregistrarserver.com) to tell the Internet's DNS directory the numeric IP addresses of your web servers and services.

A Records
If a web user types in jeffreifman.com, the request will be passed off to a directory which will look for a DNS record that corresponds to my root domain. By root, I mean no prefix, no www, i.e. no sub-domain, just http://jeffreifman.com. For example, the root-level A record of your domain might point to 107.164.32.96. That will tell the Internet to which IP address to send your browsing request.

Subdomain Records
You can also configure A records for a variety of sub-domains. For example, if you want www.yourwebsite.com to go to the same address, you can set up an identical A record for the sub-domain www, i.e. the root domain and the www domain would have identical IP addresses.

Wildcard Entries
DNS records also allow wildcard entries (using an asterisk *) that make it easy to route all sub-domain traffic to one IP address.

Inbound Routing on Your Server
When traffic arrives at your server from the DNS mapping system, how your server handles it must be configured there.

CNAME Records
CNAMEs are essentially domain and sub-domain text aliases to map traffic to. For example, if you've ever set up a blog through a service such as WordPress or Tumblr, they may ask you to map your domain name to a CNAME rather than with an A record to an IP address.

MX Records
MX records tell the DNS system where to send all that email you receive.

Changing Email Providers and Moving Email
MX records only instruct the DNS system where to route today's email—your existing email is stored in the cloud databases of your current email provider. If you wish to move all of your existing messages, you'll need to rely on their tools or your mail client software. And, of course, you'll also have to update your MX records to your new provider's settings.

TXT Records
TXT records allow the domain owner to authenticate themselves by posting secret codes within their DNS. When you register with Google Webmaster Tools, it will ask you to verify that you own the domain by doing just that.

AAAA Records
If you decide to support IPv6 addressing, you'll need to configure an AAAA record with its larger addressing scheme:
https://code.tutsplus.com/tutorials/an-introduction-to-learning-and-using-dns-records--cms-24704
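
To see what the record types above look like on the wire, here is an added example (not code from the tutsplus article): a small RFC 1035 answer-section parser that decodes A, AAAA, CNAME, MX and TXT records, including the name compression pointers real responses use, and rejects pointers that do not point backwards (the loop a malformed or hostile message could otherwise cause). The sample response is constructed inline for the author's jeffreifman.com zone with made-up addresses; the MX host, the IPv6 address and the TXT token are assumptions of this example.

```python
import ipaddress, struct

TYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}   # RFC 1035 / RFC 3596 codes

def read_name(msg, off, start=None):      # -> (dotted name, offset just after it)
    start = off if start is None else start
    if (n := msg[off]) >= 0xC0:           # RFC 1035 4.1.4 pointer to an earlier name
        if (ptr := struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF) >= start:
            raise ValueError("bad compression pointer")   # pointers only go backwards: no loops
        return read_name(msg, ptr)[0], off + 2
    if n == 0:
        return "", off + 1
    rest, end = read_name(msg, off + 1 + n, start)
    label = msg[off + 1:off + 1 + n].decode("ascii")
    return (label + "." + rest if rest else label), end

def parse_rdata(msg, rtype, off, rdlen):
    if rtype == 1:  return str(ipaddress.IPv4Address(msg[off:off + rdlen]))
    if rtype == 28: return str(ipaddress.IPv6Address(msg[off:off + rdlen]))
    if rtype == 5:  return read_name(msg, off)[0]
    if rtype == 15: return struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0]
    if rtype == 16: return msg[off + 1:off + 1 + msg[off]].decode("ascii")  # first <character-string>
    return msg[off:off + rdlen]

def parse_answers(msg):                   # -> [(owner, type, ttl, value)] from the answer section
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    answers, off = [], 12
    for _ in range(qd):                   # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((name, TYPES.get(rtype, rtype), ttl, parse_rdata(msg, rtype, off + 10, rdlen)))
        off += 10 + rdlen
    return answers

def build_response(qname, rrs):           # constructed wire data: one A question, then answers
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0) + qname + b"\x00\x01\x00\x01"
    for owner, rtype, ttl, rdata in rrs:
        msg += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

ROOT = b"\xC0\x0C"                        # pointer to the question name at offset 12
SAMPLE = build_response(b"\x0bjeffreifman\x03com\x00", [
    (ROOT, 1, 300, ipaddress.IPv4Address("107.164.32.96").packed),
    (ROOT, 28, 300, ipaddress.IPv6Address("2001:db8::1").packed),
    (ROOT, 15, 3600, b"\x00\x0a\x04mail" + ROOT),                 # pref 10, mail.jeffreifman.com
    (ROOT, 16, 300, b"\x1cgoogle-site-verification=xyz"),         # one 28-byte <character-string>
    (b"\x03www" + ROOT, 5, 300, ROOT),                            # www.jeffreifman.com CNAME -> root
])
```

`parse_answers(SAMPLE)` returns the five records with their types named, showing how the root A/AAAA records, the www CNAME, the MX host and the verification TXT string described above are all carried in one message.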


  • What is Cisco umbrella DNS?

Cisco Umbrella Malware and Content Filtering through DNS. ... Cisco Umbrella offers security protection for both Home and Enterprise users through filtering DNS requests. The job of the DNS servers is to translate website URLs to their respective IP addresses.


  • What is umbrella OpenDNS?

The company hosts a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.


  • Which is better OpenDNS or Google DNS?

Google also has a public DNS (8.8.8.8 and 8.8.4.4 for IPv4 service, and 2001:4860:4860::8888 and 2001:4860:4860::8844 for IPv6 access), but Cloudflare is faster than Google, and faster than OpenDNS (part of Cisco) and Quad9.

  • DNS or other Services works on both TCP and UDP

The two protocols differ from each other. TCP is a connection-oriented protocol that requires data to be consistent at the destination, while UDP is a connection-less protocol that doesn't require data to be consistent or a connection to be established with the host for consistency of data.

UDP packets are smaller in size. UDP packets can't be greater than 512 bytes. So any application that needs to transfer more than 512 bytes of data requires TCP in place. For example, DNS uses both TCP and UDP for valid reasons described below. UDP messages aren't larger than 512 bytes and are truncated when greater than this size. DNS uses TCP for zone transfers and UDP for name queries, either regular (primary) or reverse. UDP can be used to exchange small pieces of information, whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn't get a response from DNS, it must retransmit the data using TCP after an interval of 3-5 seconds.

There should be consistency in the DNS zone database. To achieve this, DNS always transfers zone data using TCP, because TCP is reliable and makes sure the zone data is consistent by transferring the full zone to the other DNS servers that have requested it.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/dns-works-on-tcp-and-udp
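
The UDP-then-TCP behaviour described above can be written out as client logic. This is an added example, not code from the Microsoft article: it builds a plain RFC 1035 query, checks a UDP reply for the TC (truncated) bit, adds the two-byte length prefix DNS over TCP requires, and sends zone transfers (AXFR, type 252) straight over TCP. The network is replaced by constructed stand-in functions whose "server" has an answer longer than 512 bytes; the transaction id, padding and fake server behaviour are assumptions of this example.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query: header, one question, no EDNS (so the 512-byte UDP limit applies)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QTYPE, QCLASS=IN

def response_flags(msg):
    _, flags = struct.unpack("!HH", msg[:4])
    return {"qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200), "rcode": flags & 0x000F}

def udp_reply_usable(query, reply):
    """Accept a UDP reply only if it matches the query id, is a response, and is not truncated."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        return False                                           # wrong or missing transaction id
    f = response_flags(reply)
    return f["qr"] and not f["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

AXFR = 252
def resolve(query, send_udp, send_tcp):
    """Zone transfers go straight to TCP; everything else tries UDP and retries over TCP on TC=1."""
    qtype = struct.unpack("!H", query[-4:-2])[0]              # single-question query ends in QTYPE, QCLASS
    if qtype != AXFR:
        reply = send_udp(query)
        if udp_reply_usable(query, reply):
            return reply, "udp"
    framed = send_tcp(tcp_frame(query))
    (length,) = struct.unpack("!H", framed[:2])
    return framed[2:2 + length], "tcp"

# Constructed stand-ins for the network: a server whose full answer exceeds 512 bytes.
# ANCOUNT is left at 0 and the body padded with zeros; only the size matters here.
FULL_ANSWER = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + build_query("example.com")[12:] + b"\x00" * 600

def fake_udp(query):
    truncated = FULL_ANSWER[:512]
    return truncated[:2] + struct.pack("!H", 0x8380) + truncated[4:]   # same flags plus TC=1

def fake_tcp(framed):
    assert framed[:2] == struct.pack("!H", len(framed) - 2)     # client framed the query correctly
    return tcp_frame(FULL_ANSWER)
```

`resolve(build_query("example.com"), fake_udp, fake_tcp)` returns the full 629-byte answer via "tcp", while a reply that fits in 512 bytes is accepted from UDP without a second round trip.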