I'm implementing a DNS server and I wonder if there's any tool, preferably online, that I can use to test that I've implemented various features right. A tool that I could use to make various requests to the DNS server and test that it follows the RFC 1035 specification. Are there any "reference test cases" or something like that? Or are people who implement protocols supposed to just read the English natural-language documents and just trust they don't make any human mistakes while reading them? Wouldn't a standard be stronger if it had test cases and not just a description? Anyway, I digress. How do I test a DNS server so it complies with the standard, please?
Zonecheck is probably the tool you're looking for:
http://www.zonecheck.fr
http://www.zonecheck.fr/demo/
It's open source, written in Ruby, and officially used by the French registry for .fr domains.
The difficulties in devising a generic test suite for DNS servers are twofold:
recursive servers need much more functionality than authoritative servers
standard tests need a standardised set of test data
The latter is probably the largest problem - you'd have to find a way to load up your DNS server with all of the data that the test suite expects.
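A data-independent subset of RFC 1035 can still be checked against any server, because the header and question rules do not depend on zone contents. The following is an added example, not part of the original answer and not Zonecheck code; the function names and the constructed reply bytes are assumptions made for illustration.

```javascript
// Encode a name as length-prefixed labels, each at most 63 octets.
function encodeName(name) {
  const out = [];
  for (const label of name.split('.').filter(Boolean)) {
    const b = Buffer.from(label, 'ascii');
    if (b.length > 63) throw new RangeError('label longer than 63 octets');
    out.push(Buffer.from([b.length]), b);
  }
  return Buffer.concat([...out, Buffer.from([0])]);
}

// Build a standard query with exactly one question and no EDNS record.
function buildQuery(id, name, qtype, rd = false) {
  const msg = Buffer.concat([Buffer.alloc(12), encodeName(name), Buffer.alloc(4)]);
  msg.writeUInt16BE(id, 0);
  msg.writeUInt16BE(rd ? 0x0100 : 0, 2);    // flags: only RD may be set
  msg.writeUInt16BE(1, 4);                  // QDCOUNT
  msg.writeUInt16BE(qtype, msg.length - 4); // QTYPE
  msg.writeUInt16BE(1, msg.length - 2);     // QCLASS = IN
  return msg;
}

// Return the violations found in `resp`, a reply to `query` received over UDP.
function checkResponse(query, resp, { expectAA = false } = {}) {
  if (resp.length < 12) return ['shorter than the 12-octet header'];
  const errs = [];
  const qf = query.readUInt16BE(2);
  const rf = resp.readUInt16BE(2);
  if (resp.readUInt16BE(0) !== query.readUInt16BE(0)) errs.push('ID not copied');
  if (!(rf & 0x8000)) errs.push('QR not set');
  if ((rf & 0x7800) !== (qf & 0x7800)) errs.push('OPCODE not copied');
  if ((rf & 0x0100) !== (qf & 0x0100)) errs.push('RD not copied');
  if (expectAA && !(rf & 0x0400)) errs.push('AA not set');
  if (resp.length > 512) errs.push('over the 512-octet UDP limit');
  if (resp.readUInt16BE(4) !== 1) errs.push('QDCOUNT is not 1');
  if (!resp.subarray(12, query.length).equals(query.subarray(12))) {
    errs.push('question section differs from query');
  }
  return errs;
}

// Constructed reply: the query with QR and AA set plus one A record, 192.0.2.1.
function sampleReply(query) {
  const rr = Buffer.from([0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 1, 0x2c, 0, 4, 192, 0, 2, 1]);
  const resp = Buffer.concat([query, rr]);
  resp.writeUInt16BE(0x8400 | (query.readUInt16BE(2) & 0x0100), 2);
  resp.writeUInt16BE(1, 6); // ANCOUNT
  return resp;
}
```

To run it against a server under test, send the output of `buildQuery` with Node's `dgram` module and pass the datagram that comes back to `checkResponse`.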
I am building a relatively simple program to gather and sort data input by the user. I would like to use a local server running through a web browser for two reasons:
HTML forms are a simple and effective means for gathering the input I'll need.
I want to be able to run the program off-line and without having to manage the security risks involved with accessing a remote server.
Edit: To clarify, I mean that the application should be accessible only from the local network and not from the Internet.
As I've been seeking out information on the issue, I've encountered one or two remarks suggesting that local servers have their own security risks, but I'm not clear on the nature or severity of those risks.
(In case it is relevant, I will be using SWI-Prolog for handling the data manipulation. I also plan on using the SWI-Prolog HTTP package for the server, but I am willing to reconsider this choice if it turns out to be a bad idea.)
I have two questions:
What security risks does one need to be aware of when using a local server for this purpose? (Note: In my case, the program will likely deal with some very sensitive information, so I don't have room for any laxity on this issue).
How does one go about mitigating these risks? (Or, where should I look to learn how to address this issue?)
I'm very grateful for any and all help!
There are security risks with any solution. You can use tools proven over years and one day be hacked (from my own experience). And you can pay a lot for a security solution and never be hacked. So you always need to compare effort with impact.
Basically, you need to protect 4 "doors" in your case:
1. Authorization (password interception or, for example, improper usage of cookies)
2. HTTP protocol
3. Application input
4. Other ways to access your database (not using HTTP; for example, via an SSH port with a weak password, taking your computer or hard disk, etc. In some cases you need to properly encrypt the volume)
1 and 4 are not specific to Prolog, but 4 is the only one which has some specifics in the case of local servers.
Protecting the HTTP protocol level means not allowing requests which can take control of your SWI-Prolog server. For this purpose I recommend installing a reverse proxy like nginx, which can prevent attacks on this level, including some types of DoS. So the browser will contact nginx, and nginx will redirect the request to your server if it is a correct HTTP request. You can use any other server instead of nginx if it has similar features.
You need to install a proper SSL key and enable SSL (HTTPS) in your reverse proxy server. It should not be in your SWI-Prolog server. HTTPS will encrypt all information, and it will communicate with SWI-Prolog by HTTP.
Think about authorization. There are methods which can be broken very easily. You need to study this topic; there is a lot of information. I think it is the most important part.
Application input problem: the famous example is "SQL injection". Study examples. All good web frameworks have "entry" procedures to clean all possible injections. Take existing code and rewrite it in Prolog.
Also, test all input fields with very long strings, different charsets, etc.
As you can see, security is not so easy, but you can select the appropriate effort considering the impact of hacking.
Also, think about the possible attacker. If somebody is very interested particularly in getting your information, all the mentioned methods are good. But that can be a rare case. Most often hackers just scan the Internet and try to apply known hacks to all the servers they find. In this case your best friends should be honeypots and Prolog itself, because the probability of a hacker being interested in SWI-Prolog internals is extremely low. (A hacker needs to study the server code well to find a door.)
So I think you will find adequate methods to protect all sensitive data.
But please, never use passwords with combinations of dictionary words, or the same password for more than one purpose; it is the most important rule of security. For the same reason you shouldn't give your users access to all information, but that protection should be at the app design level.
The cases specific to a local server are a good firewall, proper network setup, and encryption of the hard drive partition if your local server can be stolen by a "hacker".
But if you mean the application should be accessible only from your local network and not from the Internet, you need much less effort; mainly you need to check your router/firewall setup and the 4th door in my list.
In case you have a very limited number of known users, you can just propose that they use a VPN and not protect your server as in the case of "global" access.
I'd point out that my post was about a security issue with using port forwarding in Apache to access a Prolog server.
And I do know of a successful Prolog injection DoS attack on a SWI-Prolog HTTP framework based website. I don't believe the website's author wants the details made public, but the possibility is certainly real.
Obviously this attack vector is only possible if the site evaluates Turing complete code (or code which it can't prove will terminate).
A simple security precaution is to check the Request object and reject requests from anything but localhost.
I'd point out that the pldoc server only responds by default on localhost.
- Anne Ogborn
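The localhost check suggested above, sketched in Node.js rather than SWI-Prolog as an added example (not code from the post or from the SWI-Prolog HTTP package). The function names and the policy of refusing relayed requests are assumptions; the point is that a reverse proxy on the same machine connects from loopback, so the peer address alone cannot tell a local user from a proxied remote one.

```javascript
const http = require('http');
const net = require('net');

// True for 127.0.0.0/8, ::1 and IPv4-mapped loopback such as ::ffff:127.0.0.1.
function isLoopback(addr) {
  if (typeof addr !== 'string') return false;
  const v4 = addr.toLowerCase().startsWith('::ffff:') ? addr.slice(7) : addr;
  if (net.isIPv4(v4)) return v4.startsWith('127.');
  return addr === '::1';
}

// Policy (an assumption of this example): serve only direct loopback clients.
// `headers` uses lowercase keys, as Node's req.headers does.
function admit(peer, headers = {}) {
  if (!isLoopback(peer)) return { ok: false, why: 'peer is not loopback' };
  // A reverse proxy on this host connects from loopback on behalf of every
  // client, so a forwarding header means the peer address proves nothing.
  if (headers['x-forwarded-for'] || headers.forwarded) {
    return { ok: false, why: 'relayed by a proxy' };
  }
  return { ok: true, why: 'direct loopback connection' };
}

// Bind to 127.0.0.1 so other hosts cannot even connect, then apply admit().
function startLocalServer(port, handler) {
  const server = http.createServer((req, res) => {
    const verdict = admit(req.socket.remoteAddress, req.headers);
    if (!verdict.ok) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      return res.end('forbidden: ' + verdict.why + '\n');
    }
    handler(req, res);
  });
  return server.listen(port, '127.0.0.1');
}
```

A proxy that adds no forwarding header is indistinguishable from a local client, so the header test is a backstop; the binding to 127.0.0.1 and the absence of any forwarding rule on the host are what actually keep remote clients out.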
I think the SWI-Prolog HTTP package is an excellent choice. Jan Wielemaker put much effort into making it secure and scalable.
I don't think you need to worry about SQL injection; indeed it would be strange to rely on SQL when you have Prolog power at your fingers...
Of course, you need to properly manage the HTTP access in your server...
Just this morning there has been an interesting post on the SWI-Prolog mailing list about this topic: Anne Ogborn shares her experience...
I'm going to be writing my own STUN implementation in JavaScript (server-side with NodeJS), and I'm looking for a library to base my code on.
I have found both JSTUN and PJNATH, and both seem to be supported by members of Stack Overflow. I downloaded the source for both, and PJNATH was about 15,000 lines of code whereas JSTUN was less than 3000.
Is one library more complete than the other?
I need both server and client components, and I would like to be as feature-complete as possible because I do NOT want to implement TURN (too hardware intensive).
Is there a better library that I should be looking at? Ultimately I want to make a completely ICE compliant solution, but STUN is enough for now.
As far as I know, JSTUN is not a complete solution. This is what they have mentioned on their site. They want to add support for RFC 5389. Please check their web site (http://jstun.javawi.de/).
Does anybody know of a DNS Server that is written in Node.JS? I am specifically interested in Authoritative DNS Servers (as opposed to caching DNS server).
The only thing this needs to do is to serve A, MX, TXT, SPF, SOA, NS records based on my own algorithm which I will write into a fork or clone of whatever I find to start with.
In fact I may not need all of those types of records. But the important thing is that it must work. I do not want to have DNS debugging issues. I am hoping (expecting) this will not be a problem because DNS is very simple (I have heard).
Is there anything in Node.JS I can start with? If you know that something has been used in production, then please let me know.
The Node.JS DNS Servers I have found are
dnsserver.js (alternate link)
ndns which has an extension called mdns
dns-server
If anyone is using one for production, I would like to know. So far they seem to be very scattered efforts.
Check out https://github.com/tjfontaine/node-dns
Here's "a very basic authority server built with Node.js", in < 500 lines: dnsserver.js
After reviewing all available Node.js DNS libraries, I found DNS2 to be one of the best available libraries in 2020 that is still maintained.
Some of its features:
Implementation in Pure JavaScript with no dependencies
Server and Client
Lots of types supported
Extremely lightweight
DNS over UDP, TCP, HTTPS Supported
https://github.com/song940/node-dns
npm install dns2
I found a DNS server written in Node.js, fun_dns; the source is on GitHub.
bns: DNS library, server, and validating recursive resolver for node.js, in pure javascript.
Since Java is okay for you, you could have a look at the Eagle DNS project. It is written in Java and supports both MySQL and file-based stores for the records, and allows you to write your own module if that doesn't fit your needs:
http://www.unlogic.se/projects/eagledns
I have to implement a DNS server in C and I don't know where to start. What are all the features that a DNS has... how can I implement a bare-bones DNS in a single C file?
I don't even want to use a Database, just a file will work.
Thank you in advance
That's big for homework! Your teacher is ambitious. Implementing DNS requires reading at least ten complicated RFCs (not mentioning DNSSEC...). Do not limit yourself to RFC 1034 and 1035; there are mandatory RFCs after them (such as 2181 and 2671). See a nice graph of them.
Is it an authoritative name server or a recursive one?
Do you have to do it from scratch? If not, I strongly suggest starting with the evldns library, which allows you to write an authoritative name server in 200 lines of C.
Otherwise, the usual advice applies: read source code (I suggest nsd for an authoritative server and unbound for a recursive one).
DNS is a big spec. If you really want DNS, use a DNS server. So if you want something really quick and dirty, why not just write a program that edits your hosts file (C:\windows\system32\drivers\etc\hosts or /etc/hosts (on UNIX)?)
dns.net points to RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES and RFC 1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION as the definitive references.
As a topical plus, wow your teacher by including some non-ASCII IDN names in your toy lookup list.
The RFCs that the protocol is based on can be found here: http://www.zoneedit.com/doc/rfc/
There are also several explanations of the protocol that should be useful to be found around the internet, such as this one: http://www.windowsnetworking.com/articles_tutorials/Understanding-DNS-Protocol-Part1.html
This should get you started.
This example uses BSD sockets to build a simple DNS resolver.
http://www.binarytides.com/blog/dns-query-code-in-c-with-winsock-and-linux-sockets/
I am looking for a tool to scan a given URL for security vulnerabilities. I've googled around a bit and found a few but most of them require something that's publicly facing and my DEV environment isn't publicly facing, or they have some expensive solution that's more than I need for now. I don't need anything super powerful as I'm just doing lightweight testing for now, and the QA folk will run their more sophisticated battery of tests later.
EDIT: Use case for clarification
I hand the tool a URL to scan, i.e.: http://www.host.com/path/to/page.asp
It runs a series of tests on that page to see if there are any possible security vulnerabilities it exposes. Examples include but are not limited to SQL injection, cross-site scripting, etc.
Assuming that you wish to scan your web application by providing the 'base' URL of the application to a penetration testing tool, you will find the OWASP Live CD project to be useful. Grendel-Scan, available on the CD, might prove to be most useful, since it appears to be the most mature among the penetration testing tools in the list. Nikto and the OWASP Wapiti project are the other penetration testing tools on the Live CD.
Additionally, the Watcher plug-in for Fiddler is also capable of detecting certain vulnerabilities in the application, although it requires that the individual pages in the application be visited with Fiddler as the proxy.
There are 2 forms of tools you will find for this. One type of tool has a list of known problems (bug in IIS version 5.34 or whatever) and goes through the list trying each issue. Tools of this kind also try common filenames like robots.txt and web.config etc. Nikto is an example of this type.
There is also the type that will look at all the querystring/cookie/form parameters and tweak them to try and trigger faults. I believe this is what would serve you best, and for this I recommend Burp Proxy: http://portswigger.net/proxy/ There is a free version and a pro version. Also in this set of tools are expensive things like IBM's AppScan and HP's WebInspect.
Are you talking about scanning the URI that someone has requested from your site?
If so, you can use the .htaccess file to simply redirect to a 404 page any URI that doesn't exist or isn't found in the database (depending on how you're building the site).
You can therefore force requests to come in a specific way and anything that doesn't will automatically get canned.