
What's New

07 Aug 2008 - Simple DNS Plus v. 5.1 build 106 released    

Simple DNS Plus v. 5.1 build 106 is now available at http://www.simpledns.com/download.aspx

Several recent news articles about the Dan Kaminsky bug are referring to a "DNS Randomness Test" at
https://www.dns-oarc.net/oarc/services/dnsentropy

Unfortunately the system behind that test has a bug (AA flag set in referral responses) which prevents some DNS resolvers, including previous builds of Simple DNS Plus, from using it.
The test web page simply wouldn't resolve and you would just get a browser error page.
Yes - quite ironic indeed...

We have now updated Simple DNS Plus so that it can resolve this too - even with that bug in their system.
Run against Simple DNS Plus v. 5.1 build 106 the result of the web-based test should look like this:
[Screenshot: Image1.png]

There is also a description of a DNS TXT-record based test (which has the same bug) at
https://www.dns-oarc.net/oarc/services/porttest.
You can take this test using the DNS Look Up function in Simple DNS Plus as follows.

Enter "porttest.dns-oarc.net" in the domain name field:

[Screenshot: Image2.png]

From the "Look Up" button drop-down menu, select "Other record type" and then "Descriptive text (TXT)":

[Screenshot: Image3.png]

The result will be returned in a TXT-record like this:

[Screenshot: Image4.png]

For details on other updates and changes in this build, please see release notes.

This is NOT a critical update.
We recommend that all users update to this build, but there is no urgency unless you are directly affected by the issues addressed by this update.


01 Aug 2008 - Simple DNS Plus v. 5.1 build 103 released    

Simple DNS Plus v. 5.1 build 103 is now available at http://www.simpledns.com/download.aspx

For even stronger protection against Dan Kaminsky's DNS bug, in this build we have added a new option to allocate a new random port for every outbound DNS request (see Options dialog / DNS / Outbound DNS Requests section).
Compared to pre-allocating ports at start-up as in previous builds, this new method is slightly slower because it has to constantly set up and tear down network sockets, but it does provide much better port randomization, and thus stronger protection.

DNS Stuff has created a very nice free tool to test DNS server port and query ID randomization.
Using this it is very easy to see the difference between Simple DNS Plus versions/builds.
Click the following links for screen shots of DNS Stuff's tool run against Simple DNS Plus:
- v. 5.0 and earlier
- v. 5.1 builds 100-102 with 10 (default) outbound ports
- v. 5.1 builds 100-102 with 999 (maximum) outbound ports
- v. 5.1 build 103

For details on other updates and changes in this build, please see release notes.
We recommend that all users update to this build.
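
The difference between the four configurations listed above can be reproduced offline. The following is an added example, not Simple DNS Plus code or the DNS Stuff tool: it simulates each source-port strategy and reports what an external randomness test can infer from the observed ports. The port range 1024-65535 and all function names are assumptions made for the illustration.

```python
import math
import secrets
from collections import Counter

PORT_LOW, PORT_HIGH = 1024, 65535   # assumed usable source-port range
TXID_BITS = 16                      # full transaction ID range (65536 values)
_rng = secrets.SystemRandom()       # CSPRNG; a predictable PRNG defeats the purpose


def fixed_port(n, port=1053):
    """Every outbound query leaves from one source port (v. 5.0 and earlier)."""
    return [port] * n


def pooled_ports(n, pool_size):
    """Pre-allocate pool_size random ports at start-up, pick one per query."""
    pool = _rng.sample(range(PORT_LOW, PORT_HIGH + 1), pool_size)
    return [_rng.choice(pool) for _ in range(n)]


def per_request_ports(n):
    """Allocate a new random port for every outbound query (build 103 option)."""
    return [_rng.randint(PORT_LOW, PORT_HIGH) for _ in range(n)]


def summarize(ports):
    """Statistics an observer can derive from a sample of source ports."""
    counts = Counter(ports)
    distinct = len(counts)
    return {
        "queries": len(ports),
        "distinct_ports": distinct,
        "most_reused": max(counts.values()),
        # Lower bound on the (port, TXID) pairs a forged reply has to match.
        "min_search_bits": round(math.log2(distinct) + TXID_BITS, 2),
    }


def compare(n=20000):
    return {
        "fixed port": summarize(fixed_port(n)),
        "pool of 10": summarize(pooled_ports(n, 10)),
        "pool of 999": summarize(pooled_ports(n, 999)),
        "per request": summarize(per_request_ports(n)),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:12} {stats}")
```

With a pool, the number of distinct ports stops growing at the pool size no matter how many queries are sampled; with per-request allocation it keeps growing with the sample, which is why the sample only gives a lower bound in that case.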


28 Jul 2008 - Helm 3.2 / Simple DNS Plus v. 5.1 interface    

Our good friend and long time Simple DNS Plus user Mr. Warren Ashcroft with Red Fox Hosting (*) has created an interface for Helm v. 3.2 and the new Simple DNS Plus v. 5.1.
This allows Helm 3.2 users to take advantage of the new features (including suspending/resuming zones) and enhanced security features (including "port randomization") of Simple DNS Plus v. 5.1.

Because of Dan Kaminsky's DNS bug we recommend that users of older Simple DNS Plus versions either upgrade to v. 5.1 or configure the older version to forward to a DNS server with "port randomization" (like Simple DNS Plus v. 5.1).
This just became a lot easier for Helm 3.2 users thanks to Mr. Warren Ashcroft.

Download the interface from here: helm32sdns51.zip (41 KB)
See "readme.htm" in zip file for instructions.
Please post any questions at http://forums.webhostautomation.com/showthread.php?t=24812

(*) Red Fox Hosting, a subsidiary of Red Fox UK Limited, provides small businesses and individuals with affordable, high-quality, reliable UK hosting services in an intuitive "Easy as 1-2-3" format backed by knowledgeable, responsive, and friendly support. It is our passion to establish and maintain your online web presence.


23 Jul 2008 - Dan Kaminsky’s DNS bug    

The details on Kaminsky's bug have leaked to the Internet and are now available on several web-sites.
(This issue was first announced on July 8th in US-CERT Vulnerability Note VU#800113 without any specifics and wasn't supposed to be fully disclosed until August 6th).
Now that the details are public, attacks based on this are very likely to happen in short order.
Even more so with all the media attention this is getting.

The problem is a fault in the DNS protocol which makes it possible to inject false DNS records into a DNS server's cache, causing domain names to resolve to the wrong IP addresses - potentially re-routing Internet traffic to malicious servers etc.
This class of attacks (cache poisoning / spoofing) is nothing new. Kaminsky's variant is just more effective than previous ones. 

First note that this vulnerability only applies to recursive DNS servers.
If recursion is disabled on your DNS server - it is not vulnerable.
If your DNS server is only hosting domain names (authoritative server only), simply disable recursion, and you are safe.
In Simple DNS Plus this is configured in the Options dialog / DNS / Recursion section.

For recursive DNS servers, currently the best way to mitigate this vulnerability is to use a DNS server with "port randomization" - or to forward to a DNS server that has this feature.
A DNS server with "port randomization" sends outbound DNS requests from different port numbers (UDP) in random order and only accepts responses sent back to the same port number as each request was sent from.

The current Simple DNS Plus version 5.1 has "port randomization" (see Options dialog / DNS / Outbound Requests) which is enabled by default.
Older versions of Simple DNS Plus do not have this feature, and we therefore recommend that you either upgrade to v. 5.1 or configure the older version to forward (see Options dialog / DNS / Forwarding) to a DNS server that does have the feature.
If you do not have another DNS server to forward to yourself, you might consider forwarding to OpenDNS.com (see instructions here) or something similar.

Also note that in order to exploit this vulnerability, the attacker has to somehow trigger your DNS server into resolving a lot of domain names.
You can make this much harder by restricting DNS recursion to trusted IP addresses (Simple DNS Plus Options dialog / DNS / Recursion). This way the attacker has to get you to visit his web-page with some very fancy scripting or something similar in order to trigger the DNS lookups and resolving.

Over the years we have added many other features to Simple DNS Plus to help protect against cache poisoning / spoofing attacks, making it more resilient with each new release. So the newer the version the harder it is to successfully attack it.

Update August 1st 2008 - Stronger port randomization option in Simple DNS Plus v. 5.1 build 103


08 Jul 2008 - US-CERT Vulnerability Note VU#800113    

The US-CERT (United States Computer Emergency Readiness Team) has today issued Vulnerability Note VU#800113 about DNS implementations being vulnerable to cache poisoning.

The latest release of Simple DNS Plus (v. 5.1) implements all the countermeasures mentioned and is NOT vulnerable.

More specifically, the 3 examples of deficiencies and defects listed in the vulnerability note are addressed in Simple DNS Plus as follows:

  • Insufficient transaction ID space
    Simple DNS Plus uses the full 16 bit range of possible transaction IDs (65536 total) in random order.
    This has been implemented since version 3.00.
  • Multiple outstanding requests
    Simple DNS Plus queues identical incoming requests and will therefore never have multiple outstanding requests for the same resource records (RR).
    This has been implemented since version 3.60.
  • Fixed source port for generating queries
    Simple DNS Plus by default uses multiple ports in random order for outbound requests.
    This was implemented in the current version 5.1.
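
How the three countermeasures above combine when a reply arrives can be shown with a small in-memory model. This is an added example, not Simple DNS Plus code: class and function names are hypothetical, the port range is an assumption, and the server address is a constructed documentation address.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Pending:
    txid: int        # random 16-bit transaction ID
    src_port: int    # source port this query was sent from
    server: tuple    # (ip, port) the query was sent to
    question: tuple  # (normalized name, record type)
    waiters: list = field(default_factory=list)

def _norm(qname, qtype):
    return (qname.rstrip(".").lower(), qtype.upper())

class OutboundQueries:
    """Hypothetical model; a real resolver binds one UDP socket per src_port."""

    def __init__(self):
        self._by_question = {}
        self._by_port = {}

    def send(self, client, qname, qtype, server):
        """Return (pending, sent); sent is False when the client was queued."""
        question = _norm(qname, qtype)
        pending = self._by_question.get(question)
        if pending is not None:
            # Identical request already outstanding: queue, never send twice.
            pending.waiters.append(client)
            return pending, False
        while True:  # new random source port for this request
            port = 1024 + secrets.randbelow(65536 - 1024)
            if port not in self._by_port:
                break
        pending = Pending(secrets.randbelow(1 << 16), port, server, question, [client])
        self._by_question[question] = pending
        self._by_port[port] = pending
        return pending, True

    def accept(self, dst_port, src_addr, txid, qname, qtype):
        """Return the waiting clients if the reply matches, else None (dropped)."""
        pending = self._by_port.get(dst_port)
        if pending is None:
            return None  # arrived on a port with no outstanding request
        if src_addr != pending.server:
            return None  # not from the server that was asked
        if txid != pending.txid:
            return None  # wrong transaction ID
        if _norm(qname, qtype) != pending.question:
            return None  # answers a different question
        del self._by_port[dst_port]
        del self._by_question[pending.question]
        return pending.waiters

def demo():
    table = OutboundQueries()
    server = ("192.0.2.53", 53)  # constructed sample address
    first, sent1 = table.send("client-a", "Example.COM.", "A", server)
    _, sent2 = table.send("client-b", "example.com", "a", server)
    mismatch = table.accept(first.src_port, server, first.txid ^ 1, "example.com", "A")
    genuine = table.accept(first.src_port, server, first.txid, "example.com", "A")
    return sent1, sent2, mismatch, genuine
```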

Additionally Simple DNS Plus has the option to restrict recursion to specific IP address ranges, making it possible to run a secure combined resolver and authoritative DNS server without the need to "run a local DNS cache" as suggested by the vulnerability note.

Simple DNS Plus v. 5.1 also fully implements the mentioned draft draft-ietf-dnsext-forgery-resilience.

For more details on how Simple DNS Plus protects against cache poisoning, please see
http://www.simpledns.com/help/v51/ht_secure.htm#spoofing

Because the details of the vulnerability have not been made public, we cannot assess if there is any increased security risk for older versions of Simple DNS Plus.
We recommend that users of older Simple DNS Plus versions either upgrade to the current version (5.1) or at least limit recursion to trusted IP address ranges (Options dialog / DNS / Recursion section).
In version 4.00 and earlier, make sure to enable the "spoofing security" option.

Update July 23rd 2008 - Dan Kaminsky's DNS bug details leaked

Update August 1st 2008 - Stronger port randomization option in Simple DNS Plus v. 5.1 build 103


08 Jul 2008 - Simple DNS Plus v. 5.1 released    

Simple DNS Plus version 5.1 is here!
Check out all the new features and enhancements at http://www.simpledns.com/kb.aspx?kbid=1246

If you purchased a new license or an upgrade within the last year (July 7th 2007 or later), the upgrade to v. 5.1 is free. Simply re-use your current license key with the new version.
Otherwise, upgrade pricing and instructions are available at http://www.simpledns.com/upgrade.aspx

If you don't have your license key or if you are unsure when your license was purchased, you can retrieve the license key and status at http://www.simpledns.com/lostkey.aspx

Version 5.1 is now available for download from
http://www.simpledns.com/download.aspx
Upgrade instructions are available on the same web page.

We hope you like what we have done with Simple DNS Plus in v. 5.1, and as always, we look forward to hearing your comments and suggestions.


22 Mar 2008 - DNS Blacklist plug-in released for Simple DNS Plus    

A new plug-in for hosting DNS blacklists (a.k.a. "DNSBL" / "RBL") with Simple DNS Plus is now available for download.
This plug-in is highly optimized to host DNS blacklists with millions of entries very fast and with very low memory usage.
This is a free add-on for Simple DNS Plus v. 5.0.
For more details see KB1241

We are also releasing a new freeware DNS Blacklist Editor tool for editing standard DNS blacklist files (RBLDNSD / RBLDNS format), and compiling such files for use with the new plug-in.


07 Mar 2008 - Update to the Simple DNS Plus API for .NET and COM    

We have just released version 1.1 of the Simple DNS Plus API for .NET and COM.

Updates in this version:
1) Support for new SPF-record type (requires Simple DNS Plus v. 5.0 or later).
2) Simple DNS Plus v. 5.0 code base (various optimizations and bug fixes).
3) Included help file/documentation updated to VS2008 style.

Version 1.1 is now available for download:
sdnsapi-setup.exe (662 KB)

If you have a previous release installed, simply run above installation file to upgrade.

For more information about the Simple DNS Plus API for .NET and COM, see the on-line documentation at http://www.simpledns.com/help/api/


02 Mar 2008 - Developing plug-ins for Simple DNS Plus v. 5.0    

We have just published 3 screen casts demonstrating how to create a plug-in for Simple DNS Plus v. 5.0 using Visual Basic.NET and Visual Studio 2005.

Check it out at http://www.simpledns.com/kb.aspx?kbid=1238


01 Mar 2008 - PHP and Simple DNS Plus    

Recently we are getting more questions about accessing Simple DNS Plus from PHP code running on both Windows and Linux web-servers.

There are several options for updating DNS data in Simple DNS Plus through scripting and programming - see KB1192.

If you want to update Simple DNS Plus from PHP on a Windows/IIS web-server, the easiest option is probably the Simple DNS Plus .NET/COM API.
The latest version of PHP supports .NET objects - see http://www.php.net/manual/en/ref.dotnet.php

You can also update Simple DNS Plus from PHP directly through the HTTP API.
We have just added a PHP code example for this at http://www.simpledns.com/kb.aspx?kbid=1135#php
This also works if your PHP web-site is running on a Linux server or your Windows server does not have .NET.

Above is the first PHP code sample we have published, but we will try to include PHP in our code samples going forward.


28 Feb 2008 - Simple DNS Plus v. 5.0 plug-In library documentation    

For users and third parties who wish to create plug-ins for Simple DNS Plus v. 5.0, we are now publishing detailed documentation for the plug-in library (sdnsplugin.dll) included in the standard Simple DNS Plus installation:

On-line version / Download CHM version (180 KB)

We are also working on a tutorial or possibly a screen-cast describing the process of creating a plug-in for Simple DNS Plus, and will be making this available shortly.


26 Feb 2008 - "MyIP" plug-in released for Simple DNS Plus v. 5.0    

This plug-in simply returns the IP address of the client that sent the DNS request (as seen by Simple DNS Plus).
This can be used for example by dynamic IP clients to figure out their current IP address - or simply as a diagnostics tool.

This plug-in is obviously very simple and is a nice example of how to develop plug-ins for Simple DNS Plus.
Therefore we are also making the source code (C#) available for download so that anyone interested in creating their own plug-ins for Simple DNS Plus can study this.
We are working on additional documentation and tutorials for creating plug-ins for Simple DNS Plus and will be making this available shortly.

Download the "MyIP" plug-in and source code from http://www.simpledns.com/getplugins.aspx

NOTE: This plug-in requires Simple DNS Plus v. 5.0 build 110 (released earlier today) or later.


09 Feb 2008 - MySQL plug-in released for Simple DNS Plus v. 5.0    

A new plug-in which queries a MySQL Server for host records and optionally reverse records is now available for download.
SQL queries are executed asynchronously (in a separate thread) and therefore won't slow down other requests not using the plug-in.

This plug-in is a free add-on for Simple DNS Plus v. 5.0.

Download from http://www.simpledns.com/getplugins.aspx

For more details on this plug-in see KB1225


06 Feb 2008 - New reseller in California, USA    

We are very happy to introduce MyWebDoor as our authorized reseller in California, USA.
MyWebDoor will sell and provide local support for all JH Software products and services including Simple DNS Plus and Simple Failover.


05 Feb 2008 - Internet DNS root server list update - Now with IPv6    

The Internet DNS root server list has just been extended with IPv6 addresses for 6 of the 13 root servers.
See the official announcement at http://www.icann.org/announcements/announcement-04feb08.htm

All DNS servers (or technically "DNS resolvers") need a list of the Internet DNS root servers in order to resolve any Internet domain name.
This list is referred to as the "root hints file" and is typically provided with the DNS server installation, which is also the case with Simple DNS Plus.

The addition of IPv6 addresses to the root server list marks a major step towards the IPv6 Internet.
For the first time it is now possible to resolve DNS for a domain name entirely through IPv6.
This of course requires that TLD and lower level DNS servers implement IPv6 as well, but this has already been available for .com and several other TLDs for some time.

As for Simple DNS Plus, the timing almost couldn't be better!
We just released Simple DNS Plus v. 5.0 with full support for IPv6 a few weeks ago.

The updated root server list file (named.root) is included with Simple DNS Plus v. 5.0 build 106 and later.
You can download the latest build from http://www.simpledns.com/download.aspx

If you have the Options dialog / DNS / Miscellaneous / "Keep root server list updated automatically" option turned on, Simple DNS Plus will automatically keep the root server list file up to date.


28 Jan 2008 - On-line DNS delegation tracing tool    

A new on-line tool for tracing DNS delegation is now available at http://www.simpledns.com/lookup-dg.aspx

This tool traces the DNS delegation for a domain name from the Internet DNS root servers down to the DNS servers responsible (authoritative) for the domain.
This can be very useful to find out if a domain is delegated correctly.
It can also be used to trace reverse DNS delegation. Just enter an IP address (IPv4 or IPv6), and it will trace the delegation for the reverse DNS PTR-record name for the IP address.

Other on-line DNS tools also available:
Remote DNS Lookup: http://www.simpledns.com/lookup.aspx
Lookup GPS coordinates in DNS: http://www.simpledns.com/lookup-loc.aspx


17 Jan 2008 - Simple DNS Plus v. 5.0 released    

The all new Simple DNS Plus version 5.0 is here!

This release has more new features and enhancements than any previous update.
For all the details, check out the "What's new" page at http://www.simpledns.com/kb.aspx?kbid=1215

If you purchased (or upgraded) your current Simple DNS Plus license within the last year (January 17th 2007 or later), the upgrade to v. 5.0 is free. Simply re-use your current license key with the new version.
Otherwise, upgrade pricing and instructions are available at http://www.simpledns.com/upgrade.aspx

If you don't have your license key or if you are unsure when your license was purchased, you can retrieve the license key and status at http://www.simpledns.com/lostkey.aspx

Version 5.0 is available for download from
http://www.simpledns.com/download.aspx
Upgrade instructions are available on the same web page.

IMPORTANT:
Version 5.0 is backwards compatible for the most part - but NOT 100%.
Before upgrading, make sure to check the "Retired features and breaking changes" list at http://www.simpledns.com/kb.aspx?kbid=1204

We hope you like what we have done with Simple DNS Plus in v. 5.0, and as always, we look forward to hearing your comments and suggestions.


14 Jan 2008 - Community Forums re-opened    

Our Simple DNS Plus community forums are now open once again at http://www.simpledns.com/forums.aspx

The server which previously hosted our forums died on January 5th 2008 because of a faulty RAID disk set.
Unfortunately we have lost all the conversation data of the old forums.
We sincerely apologize to everyone who contributed to the old forums - we highly appreciate and value your participation.

We are now re-opening our forums using a new forum software, Yet Another Forum, which we think will be easier to use, and hopefully simpler to back up.

We believe community forums are a great way for users of our software products to communicate with us and each other.
So please go ahead and sign up, ask your questions, and post your suggestions.


07 Jan 2008 - Server failure - Missing forum and KB/news images    

Over this past weekend (January 5th) our main Internet server died because of a faulty RAID disk set.
So for the past few days we have been working round the clock to get everything running again on a new server.

We had good backups of all the critical data (orders, licenses, etc.) and of most of our web-sites etc., but unfortunately we have lost the conversation data from our community forums and image files associated with KB and news articles.

This means that our community forums will be closed for a while as we want to take this "opportunity" to explore different forum options before re-opening this.
In the meantime we are of course ready to answer any questions you have about our products and services by e-mail.

Also, many KB and news articles are now missing images or only have blurred/miniature versions.
We will probably wait until after the release of Simple DNS Plus v. 5.0 to replace the KB images, since many of these will need to be updated with new screen shots from v. 5.0 anyway.

We sincerely apologize for the mess - and yes - we have just signed up our new server for a Mozy Pro backup account.


13 Dec 2007 - Simple DNS Plus on Windows Home Server    

Windows Home Server is a scaled down version of Windows Server 2003 with some nice home networking features added.

Like any other version of Windows 98/2000 and later, Windows Home Server runs Simple DNS Plus very nicely.

We are considering making an actual Windows Home Server Add-In edition of Simple DNS Plus at a later time, but for now to install Simple DNS Plus on Windows Home Server you need to either access the server computer directly or through a Remote Desktop connection and install it as you would on a normal Windows computer (not through the "Home Server Connector" software).

[Screenshot: whs.png]




Copyright © 1999-2008 JH Software ApS. All Rights Reserved.