Technology | Andrew Healey

Unused Domain – Add These DNS Records

By andrew on December 28, 2023December 28, 2023Leave a Comment

Why would an unused domain even need any resources records?

It’s common for domains to go unused. Sometimes they’re purchased for a potential idea or project. Other times, it’s to protect a name or trademark, or maybe they’re meant for use internally on a protected and private network. But the internet does weird stuff and sometimes there are steps that should be taken even if these domains aren’t being used.

In August of 2023, @byt3bl33d3r gave a talk at Defcon 31 called “SpamChannel: Spoofing Emails From 2 Million+ Domains and Virtually Becoming Satan,” on how he was able to use Cloudflare Workers to send email as millions of domains and pass ~~many~~ all of the protections meant to stop abuse. The talk is worth watching to see how these systems can be abused. Talk: https://www.youtube.com/watch?v=NwnT15q_PS8.

One takeaway from the talk was to add a null SPF record with “v=spf1 -all” in order to stop this kind of oversight and abuse. This got me thinking: What other DNS records should be in place to protect the abuse of a publicly unused domain?

MX (Mail Exchanger) Records

If the domain isn’t used, we’ll never be receiving email. While this record can simply be left out, we can help tell the internet that’s the case. In fact, RFC 7505 “A ‘Null MX’ No Service Resource Record for Domains That Accept No Mail” provides just this mechanism. A dot ( . ).

Sender Policy Framework, SPF

Of all the resource records, SPF provides the most direct example of how to let others on the web know to not accept email for the domain. In RFC 7208 “Sender Policy Framework (SPF) for Authorizing Use of Domains in Email”, it states, “Publishing SPF records for domains that send no mail is a well-established best practice.” My experience shows that’s not the case. At least as of 2023. But it is right there in the RFC which is helpful.

Domain-based Message Authentication, Reporting, and Conformance, DMARC

This may be overkill, but in the case pointed in the talk, I believe it’s simply extra insurance to go ahead and configure. And, like SPF, configuration helps everybody else detect the abuse and is simply a good netizen practice. For DMARC, there is not a “best practice” for this use case outlined within RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC). However, it’s pretty straight forward to tell the world to reject anything for this domain with the declaration below.

v=DMARC1 → Required. This directive is always the same and required. Simply tells the version, of which there is only one.

p=reject → Required. This is the Requested Mail Receiver Policy and is required for any DMARC record. “Reject” simply tells mail receivers to reject email that fails the DMARC mechanism check.

adkim=s; aspf=s → These defines strict (opp. relaxed) conformance/alignment with SPF or DKIM as required. Because there are no DKIM records for this domain and the SPF doesn’t permit a valid sender, these should fail.

sp → Note: This directive provides a policy if we were using subdomains. In its absence, all subdomains are covered by the primary policy so this isn’t required.

pct → Note: This provides a mechanism for mail receivers to apply the policy to a portion of mail received from the sending domain. This is helpful when testing out the impact of a new policy adjustment, especially for high volume senders. Default is to apply to 100 percent so this directive is unnecessary.

DomainKeys Identified Mail, DKIM

DKIM uses selectors to provide a mechanism of providing multiple public keys per signing domain. You can find the details of this within RFC 4871: DomainKeys Identified Mail (DKIM) Signatures. Because of this, when DKIM is used, it’s common to find many different selectors in use. And while some selectors are common (e.g. selector1, selector2, dkim, k1, google), there is no “default” selector we can provide a junk or null value to in order to ensure this check fails. However, requiring DKIM alignment within the DMARC policy should tell a receiving party to require valid DKIM which should always fail, thereby keeping the domain from being abused via email.

Certification Authority Authorization, CAA

CAA records allow a DNS domain name holder to specify one or more Certification Authorities authorized to issue certificates for that domain. The absence of a CAA record enables the domain holder to use any CA they want. Because this is an unused domain, there should never be a certificate issued (at least publicly) for any resources in this domain. RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record provides a mechanism for disallowing CAs following the CAA standard from issuing certificates by creating a CAA record with a value of a semicolon only ( ; ).

Note: For private use of a domain name, an additional benefit of using this mechanism to block certificate issuance is with Certificate Transparency (CT) information leakage. RFC 9162 defines CT as a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities. Blocking them from issuing certificates aids in protecting the private use of certificates and unintended information disclosure.

Root Domain Records: A, AAAA

These records are probably unnecessary and simply personal preference. There are really two acceptable choices here: 1) no records at all, or 2) use of addresses that won’t work on a public or private network. I’ve seen folks recommend private address spaces such as 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/24. However, these records could be abused as they would still potentially resolve to an address that is in use on a private network. If we’re going to use an address for these records, we want it to point to an address that cannot be used. Fortunately, engineers provided options for this in the ipv4 and ipv6 address space.

ipv4 root domain A record or “@”: 192.0.2.1 RFC 5737: IPv4 Address Blocks Reserved for Documentation sets aside 192.0.2.0/24 for use in documentation and advises operators to block or otherwise make inoperable, these addresses on private, public, and local networks.

ipv6 root domain AAAA record: 2001:DB8:: RFC 3849: IPv6 Address Prefix Reserved for Documentation sets aside 2001:DB8::/32 for use in documentation and advises operators to block or otherwise make inoperable, these addresses on private, public, and local networks.

Other Considerations

www CNAME record: There is a lot of debate about whether to use or not use www. The reality is that many things, including some users, prepend a domain name with www for a myriad of reasons. I usually throw this in there to save them a step and give them the domain root answer right away. And with CNAME flattening, I don’t see any downside to including this.

Wildcard DNS: There may be benefits to using a wildcard dns record, if your provider supports this functionality. This will always provide an answer for anything at your domain instead of an NXDOMAIN response.

The DNS Security Extensions: DNSSEC

And of course, none of this ensures the party querying your domain gets a trusted response unless you are signing your zones. Make sure to enable DNSSEC on those zones. If you ever end up using the domain, it’s one less thing you’ll forget about and later have to enable anyway. More info on DNSSEC.

Putting It All Together

Here’s an example zone file with all the recommendations.

dns.msftncsi.com DNS Requests Every Few Seconds

By andrew on February 18, 2018February 18, 2018

Over the weekend, I updated my wireless router to the latest revision of ASUSWRT-Merlin. I also decided to update my DietPi Pi-hole to their latest builds. Due to a full code rewrite of Dietpi, it meant a complete rebuild for that system. The release of ASUSWRT-Merlin also suggested resetting to factory defaults due to some major changes. Everything was about to be new again.

Once I got everything rebuilt and running, I noticed requests coming from my firewall to my dietpi every 10 seconds or so for dns.msftncsi.com. I immediately assumed this was some Microsoft telemetry noise on my network from MS NLA. However, the queries were coming directly from my firewall which seemed odd. Another search led me to a post on the Pi-hole discourse. After I ran nvram show | grep dns_probe, it was clear I found the culprit.

admin@gw:/tmp/home/root# nvram show | grep dns_probe
dns_probe_host=dns.msftncsi.com
dns_probe_content=131.107.255.255 fd3e:4f5a:5b81::1

I ran the following three lines and confirmed the traffic stopped. No reboot was necessary. The first post I read recommended setting dns_probe_content to 0.0.0.0 and dns_probe_host to “” (effectively blank). I later found a post by RMerlin that explains setting dns_probe_content to blank disables the watchdog service but effectively disables the dual WAN feature. It would make sense that dual WAN would require a watchdog service. So, if you use dual WAN, don’t do this. Otherwise, you should be fine.

admin@gw:/tmp/home/root# nvram set dns_probe_content=
admin@gw:/tmp/home/root# nvram set dns_probe_host=
admin@gw:/tmp/home/root# nvram commit

RPM/yum Database Corruption

By andrew on November 12, 2017November 12, 2017

Jumped onto my server and noticed a few out of date packages. A quick % sudo yum update reported the following:

error: rpmdb: BDB0113 Thread/process 12323/139745043400512 failed: BDB1507 Thread died in Berkeley DB library error: db5 error(-30973) from dbenv->failchk: BDB0087 DB_RUNRECOVERY: Fatal error, run database recovery error: cannot open Packages index using db5 - (-30973) error: cannot open Packages database in /var/lib/rpm CRITICAL:yum.main:

Fortunately, the fix was easy:
% sudo rpm --rebuilddb

Once complete, yum update worked like new.

Weekend Reading – April 15, 2016

By andrew on April 15, 2016

Blogs / News

Security: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services
Inception: Introducing Nested Virtualization in Windows Server 2016
Microsoft SQL: Microsoft SQL Server 2016 RC3 is Out
Security: new Ncrack 0.5 release
Apple: Uninstall QuickTime for Windows: Apple will not patch its security bugs
PowerShell: PoshWSUS 2.3.1.0 Released
Exchange: Migrating a small organization from Exchange 2010 to Exchange 2016 (Part 6)
Windows: Ten reasons you’ll love Windows Server 2016 #5: Software defined storage
DevOps: DevOps Basics: Introduction to Docker Registry and Images
Azure: Announcing Azure Resource Policy general availability
Tools: O365 Administration Center made in PowerShell studio
Training: Java Basics Course for Teens (or kids, maybe)
AWS: Training Update – Revised AWS Technical Essentials and Architecting on AWS Courses
Microsoft Storage: Data Deduplication in Windows Server 2016
Linux/Android: How to install and run Android Apps (APKs) on Linux with Shashlik
ELF’s: Ubuntu (not Linux) on Windows: How it works
Garage Tech: Run your own cloud: Installing OwnCloud 9 on Debian 8
Android/Security/Tools: Best Android Hacking Apps for Script Kiddies and Security Experts
Security: The anatomy of an spearphishing scam, or how to steal $100M with a fake email
Training: Introducing the Class Notebook add-in for OneNote—designed and built with teachers
Apple: Researchers claim to remotely ‘brick’ Apple devices with ‘1/1/1970’ bug
Office365: Introducing Office 365 Connectors
DNS: Azure DNS for Exchange Administrators (Part 3)
Exchange: Load balancing Exchange Server 2016 (Part 1)
PowerShell: Using PowerShell Gallery
Python: IPGeoLocation – Retrieve IP Geolocation Information
VMWare: VMWare Releases Security Updates
Microsoft: Microsoft Sues US Govt Over Unconstitutional Secret Data Requests
BSOD: Windows 10 Blue Screen of Death Gets QR Code
Security: Bitdefender’s free tool protects against TeslaCrypt, Locky, CTB-Locker infections
Training: in-depth course on cloud computing at Microsoft
Microsoft Storage: SMB Transparent Failover – making file shares continuously available

Weekend Reading – March 25, 2016

By andrew on March 25, 2016

Conference / Meetups

SQL Saturday #511. Redmond, WA. All Day, Saturday, April 2nd, 2016

Blogs / News

Cloud: Announcing Google Stackdriver. Monitoring, Metrics, Logging for GCP & AWS
Backup: Veeam Endpoint Backup FREE
Wireless/Security: Rootsh3ll Wi-Fi Security and Pentesting Series (RWSPS) – Preface
GoDaddy: Announces Worldwide Launch of Cloud Servers & Cloud Applications
Containers: Containers all the way through
Cloud: MSPs Take Note: The Cloud War Is Still Ongoing
AWS: Ten Years in the AWS Cloud – How Time Flies!
Exchange: iOS 9.3 fixes Multiple Response issue
Exchange: Azure DNS for Exchange Administrators (Part 1)
Active Directory: Using PowerShell to Gather Information from Active Directory
Active Directory: A Few Easy Steps to Help Protect Your Active Directory
Hyper-V: Linux Integration Services Version 4.1 for Hyper-V
Funny: Estimating Time
Networking: I’m New to SDN. Where Should I Start?
Docker: Native Docker Apps Arrive for Mac and Windows
Docker: Docker and Containers (Part 2) – Understanding Docker
Azure: Deploying Virtual Machines in Azure using Azure Resource Manager – ARM Templates (Part 2)
Security: FBI’s Most Wanted List – Cyber Edition
Microsoft Security: Microsoft Deploys Macro Blocking Feature in Office to Curb Malware
Security: PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers
Microsoft Security: Critical File Sharing Flaw in Windows and Samba (March 23 and 24, 2016)
Security (is hard): Certified Ethical Hacker website caught spreading crypto ransomware
Hardware: AMOLED displays are now cheaper to produce than LCD

Weekend Reading – March 18, 2016

By andrew on March 18, 2016

Blogs / News

Windows: Work Folders for Android Released to Google Play Store
Home Hacks: Adblock DNS BlackHole with a Raspberry Pi
Amazon AWS: The Amazon Tax
Privacy: How your data is collected and commoditised via “free” online services
Apple: AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device
Training: IPv6 and Microsoft Windows
DNS Attack Analysis: Using the power of DNS traffic to deter infected machines
VMware: License changes put users on upgrade treadmill
PowerShell: Writing a Active Directory Audit Module – Creating the Project
Microsoft Edge Browser: Bringing Extensions to Microsoft Edge
Tools: Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more!
Tools: BinDiff now available for free
Tools: Draw AWS diagrams with Cloudcraft, Visualize your cloud architecture like a pro
Amazon AWS: 10 Lessons from 10 Years of Amazon Web Services
Podcast: Episode #2 of Office 365 Exposed Podcast
Tool Tutorial: tcpdump is amazing
VPN: Tip of the Day: The Conditional Access Framework and Device Compliance for VPN
Exchange: Migrating a small organization from Exchange 2010 to Exchange 2016 (Part 5)
Active Directory: Monitoring On-Premise Active Directory via Azure AD Connect Health
Bitlocker: Automatic Bitlocker on Windows 10 during Azure AD Join
Exchange: 20 years ago in a galaxy far away…
Windows 10: An Introduction of Windows 10 Credential Guard
How-To: How to use Port Knocking on Ubuntu to hide the SSH port
How-To: Installing Nginx with PHP (as PHP-FPM) and MariaDB (LEMP) on Debian 8
Android: Cyanogenmod, First 13.0 Release
PowerShell: Get Antivirus Path w/o use of WMI
PowerShell: Debugging PowerShell DSC Class Resources
Encryption: New NIST Encryption Guidelines
Security: Typosquatters Target Mac Users With New ‘.om’ Domain Scam
Security: Vulnerability scanners plagued with false positives, but still have value
MS Office: What’s new on the Office Roadmap – 2016-03-17
PowerShell/Security: Attackers packing malware into PowerShell

Weekend Reading – March 11, 2016

By andrew on March 11, 2016

Conference / Meetups

GeekFest Seattle – March 17th @ Noon
Beers with Engineers – March 17th @ 5:30pm

Blogs / News

Office365: Using XML to Backup and Restore Office 365 Settings
Automate all the things: IT depts. suffering from ‘patch fatigue,’ study says (Actual study‘ish)
Docker: How to use it in a practical way – Part 3
Exchange: A Sender Policy Framework (SPF) Primer for Exchange Administrators
Tom Knows Best: Best Mac Antivirus Software
Great Framework: Google Opens Up Collection of Vendor Security Assessment Questionnaires
Powershell: Configure DNS Dynamic Update Credentials for DHCP with PowerShell
Big Data: BBC TV Writes 21TB DAILY to Amazon S3
Office365: Announcing the new Office 365 admin center
Cloud RemoteApp: February updates to Azure RemoteApp
MFA w/ AzureAD: Azure AD Identity Protection: MFA Registration Policy
BGP: Want to Know More about BGP?
PowerShell+O365: Deep Dive Into Office 365 PowerShell Cmdlets
DddddDoS: 400Gbps: Winter of Whopping Weekend DDoS Attacks
1-800-Flowers-dot-com: Notice of Data Breach
Ransomware: Locky Ransomware Spreading in Massive Spam Attack
Hardsploit: The handy hacker help for hapless hopeful hardware hacks
Spelling: A typo stopped hackers siphoning nearly $1bn out of Bangladesh
CR4zi1e: Let your uSeRS chOOse wACKy passWords, US banks!
Crypto: A Wall Against Cryptowall? Some Tips for Preventing Ransomware
Powershell+Infosec: Powershell Malware – No Hard drive, Just hard times
Malware: W97M/Downloader macro malware grows even more deceptive
Opportunity!: Security market to exceed $170 billion by 2020, analysts say
Breach: Stolen laptop exposes PII of over 200K Premier Healthcare patients
DirectAccess+Server2016: DirectAccess Test Lab Guides for Windows Server 2016
Microsoft: SMH
Docker: Docker and Containers (Part 1) – Understanding Containers
Exchange: Mail Relay in Exchange Server 2016
Roll Your Own Slack: Install Mattermost with PostgreSQL and Nginx on CentOS 7

Weekend Reading – March 4, 2016

By andrew on March 4, 2016

Conference / Meetups

GeekFest Seattle – March 17th @ Noon
Beers with Engineers – March 17th @ 5:30pm

Blogs / News

MFA: No More Passwords – Microsoft’s Implementation of FIDO 2.0 Spec
SQL: SQL 2016 – It Just Runs Faster Announcement
OneNote: OneNote Class Notebook now available for all educators
UEFI: An Introduction of UEFI Secure Boot in Windows 10 Enterprise
Neat Hack: Playing with claim rules and attribute store to trigger MFA when the user is connected from a different country
Azure: General Availability for the Microsoft Azure StorSimple Virtual Array
Azure/MFA: Azure MFA for Enrollment in Intune and Azure AD Device registration explained
Powershell: Investigating AD Classes
Amazing A/V: AirTame – Chromecast for Meeting Rooms
Office: Microsoft Office Roadmap 3-3
Exchange: Migrating a small organization from Exchange 2010 to Exchange 2016 (Part 4)
O365’ish: Dynamic Office 365 Groups might come with a big cost
O365’ish: Office 365 Planner FAQ + Groups for Task Management
InTune: The Ultimate Intune Setup Guide
Azure: Preview of Azure Active Directory Identity Protection
O365: The new Office 365 admin center
Containers: 10 things to avoid in docker containers
DevOps: DevOps, Security and Compliance
PIES!!!!: https://www.raspberrypi.org/blog/raspberry-pi-3-on-sale/
Mardown Desktop Client: http://abricotine.brrd.fr/
VMWare: Bye-Bye, Support Ending
Hyper-V: Headless Hyper-V???
Infosec: How to Steal Secret Encryption Keys from Android and iOS SmartPhones
Infosec: Malware Still Prevalent on Corporate Network, Proofpoint Warns
Major Breach: Credit Unions Feeling Pinch in Wendy’s Breach
NewsBites: SANS News Newsbites
Hacked: CTB-Locker Ransomware Spreading Rapidly, Infects Thousands of Web Servers
Office… Still… It’s 2016, so why is the world still falling for Office macro malware?
Weak: Gaining access to your bank account with multiple passwords impacts 350 million customers
Linux: If You Like Fedora, You’ll Love Korora
Storage: 15TB whopper of an SSD. Farewell, spinning rust

Weekend Reading – February 26, 2016

By andrew on February 26, 2016

Conferences/Meetups

Windows Weekly Meetup at PostDoc Brewing in Redmond from 5-8pm on February 29^th w/ Mary Jo Foley and Paul Thurrott – http://www.geekwire.com/calendar-event/windows-weekly-meetup/
SeaSecEast Meetup @ LunchBox Laboratory in Bellevue from 6:30pm to 8:30pm on Tuesday, March 1^st. – http://www.meetup.com/SEASec-East/

Blogs/News

Security – 90 Percent of All SSL VPNs Use Insecure or Outdated Encryption, Putting Your Data at Risk
Security – Google Releases Project Shield DDoS Protection for press, human rights and election monitoring orgs
Creeper – Graphing when your Facebook friends are awake
Hack – How Google’s Web Crawler Bypasses Paywalls (Bonus: Extension to bypass paywalls)
Hacked – Who Hacked Us
Hack – I Dared Two Expert Hackers To Destroy My Live. Here’s What Happened.
Training – Learn SQL in 20 Minutes’ish
Controversial Nerd Stuff – Why use www?
Law – IT Manager Gets 30 Months in Prison for Trashing Ex-Employer’s Servers
Automation – 19-year-old made a free robot lawyer that has appealed $3 million in parking tickets
Security – Comodo AV Tech Support Feature Lets Anyone Connect to Your PC
Security – Angler Exploit Kit Learns New Tricks, Finds Home on Popular Website
Containerization – Introduction to Docker
Security – Obscurity is a Valid Security Layer
Security – Forthcoming OpenSSL Releases – High Severity!
Security – Silverlight 0-day pwn’d Mac & Windows
Privacy – Microsoft Telemetry Data Collection Explained by MS
M&A – MS Acquires Xamarin
Networking – University of Washington Researches Make Low-Power Wi-Fi Breakthrough
Apple – Apple plans Siri for Mac for this fall’s OS X 10.12 Launch
Powershell – Quick Test for Updates That Aren’t Installed
Powershell – Install the AD Powershell Module on Windows 10
Cloud – Explain Cloud Computing to Your Grandma
Microsoft – Best Practices for Meetings Using Skype for Business – Large Audiences
Mail – Common Errors in SPF Records
Mail – Remote Exchange Monitoring and Reporting Using Email
PM – Information Technology Risk Management
Security – Tip: Quick Analysis of Office Maldoc
Cloud – Spotify moves from AWS to Google Cloud Platform
Powershell – Powershell Gallery Officially Goes Public
Powershell – Use WMI the Modern Way

Weekend Reading – February 19, 2016

By andrew on February 19, 2016

VMWare: New White Paper: What’s New with VMWare Virtual SAN 6.2
Microsoft: Hyper-V Optimization Tips (Part 2)
Microsoft: Some Remote Desktop Session Host Guidelines
Microsoft: Hyper-V Virtualization 101: Some Basics Around Hyper-V Setups
Microsoft: Microsoft Releases Azure Active Directory Connect 1.1
Compliance: PCI DSS 3.2 slated for early 2016
Security: A Locky Ransomware Story worth sharing: How Just Opening an MS Word Doc Can Hijack Every File On Your System
VMWare: VMware reissues patch to fix RCE vulnerability in vCenter Server
Security/Microsoft: February’s Patch Tuesday (February 10, 2016)
Security: Do you trust NTP and time sources implicitly on networks you connect to? What about your users? Warning — Setting This Date On iPhone Or iPad Will Kill Your Device Permanently
Security: Here’s How to Decrypt Hydracrypt & Umbrecrypt Ransomware Files
Microsoft: What’s new on the Office Roadmap – 2016-02-14
GlibC: Dan Kaminsky is an expert on DNS security – and he’s saying: Patch right God damn now
O365: Updated people profile experience coming soon to Office 365
Exchange: Using Exchange Transport Rules to Add Email Signatures to Messages
Google/Data: What it looks like to process 3.5 million books in Google’s cloud
Exchange: How to display SMTP info on Outlook Web App
Exchange: Improvements to Compliance in Exchange 2016 (Part 2)
AWS: AWS Webinars for February & Early March 2016
Exchange: Remote Exchange Monitoring and Reporting using Email (Part 1)
Identity: Easy Parsing of ADFS Security Audit Events
Docker: How to use it in a practical way
PowerShell: Ping Alert Script
PowerShell: Friday Fun: A SysInternals PowerShell Workflow
PowerShell: List AD Users CSV
Security: Hunting for Executable Code in Windows Environments, (Thu, Feb 18th)
Linux: Linux 4.3 Reached End of Life; Users Need To Move To Linux 4.4