SPF Record Generator
Use this tool to generate your SPF record.
The DNS-01 challenge is more difficult to automate than HTTP-01, requiring that your DNS provider supply an API for managing your DNS records. //
There are several circumstances where you might choose DNS-01 over HTTP-01:
- If your domain has more than one web server, you will not have to manage challenge files on multiple servers.
- DNS-01 can be used even if port 80 is blocked on your web server.
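The record a DNS-01 client has to publish is derived from the challenge token and the ACME account key, so the DNS API only ever writes one TXT record. The following is an added example, not code from Let's Encrypt or any ACME client: it computes the `_acme-challenge` owner name and TXT value as RFC 8555 section 8.4 specifies (base64url of SHA-256 over `token.thumbprint`, with the RFC 7638 key thumbprint), and performs the pre-flight check a client should do before asking the CA to validate. The JWK coordinates and the token are constructed sample inputs, not real key material.

```python
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, as ACME (RFC 8555) requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of the account key: SHA-256 over the canonical JSON of the
    required public members only, keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, thumbprint):
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = token + "." + thumbprint
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record(domain, token, thumbprint):
    """The (owner name, TXT value) pair to publish before telling the CA to validate."""
    owner = "_acme-challenge." + domain.rstrip(".") + "."
    return owner, dns01_txt_value(token, thumbprint)


def record_is_published(txt_answers, expected_value):
    """Pre-flight check: the CA accepts the challenge only if one TXT string equals the
    expected value exactly. Stale values from earlier runs may coexist and are harmless;
    a missing or truncated value fails validation."""
    return any(answer == expected_value for answer in txt_answers)


# Constructed sample inputs (hypothetical EC account key and token, not real material).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    thumb = jwk_thumbprint(SAMPLE_JWK)
    owner, value = challenge_record("example.com", SAMPLE_TOKEN, thumb)
    print(owner, "IN TXT", '"' + value + '"')
    # Constructed answers standing in for `dig +short TXT _acme-challenge.example.com`
    print("published:", record_is_published(["old-value-from-last-run", value], value))
```

Publish the record, wait for every authoritative server for the zone to return it (check each NS directly rather than a caching resolver), and only then trigger validation; a DNS API that returns success before all its servers have converged is the usual cause of spurious DNS-01 failures.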
The technique is called DNS-0x20 encoding, in reference to the hexadecimal number 0x20 (32 in decimal) and its relationship to ASCII characters. Its binary representation (0b100000) has all of its bits set to zero except for the fifth, counting from zero – which for ASCII characters determines whether a letter is upper or lower case. For example, 01000001 (65 in decimal) is the ASCII code for an upper-case A, while 01100001 (decimal 97) is the ASCII code for a lower-case a.
Described in more detail in an academic paper [PDF], DNS-0x20 encoding expands the range of possibilities an attacker must guess without confusing the resolution of DNS names and IP addresses.
Essentially, you randomly toggle the 0x20 bit in a query to jumble up the case, send that out to be resolved, and expect the response to have the same matching case. If the cases don't match, you may be caught up in a cache poisoning attack, as the attacker won't know which case bits will be set or cleared by you when doing their poisoning.
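The mechanics above fit in a few lines. This is an added example, not code from the paper or from any resolver: it flips bit 0x20 of each ASCII letter in a query name at random, counts the entropy that adds, and applies the acceptance rule a resolver uses on the response. The `seed` parameter exists only so a run can be reproduced; a real resolver uses unpredictable randomness.

```python
import random


def is_ascii_letter(ch):
    return "a" <= ch <= "z" or "A" <= ch <= "Z"


def encode_0x20(qname, seed=None):
    """Flip bit 0x20 of each ASCII letter at random. Only letters carry a case bit, so
    digits, hyphens and label dots are left alone and the name still resolves identically.
    A seed is accepted purely for reproducible demonstrations."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    out = []
    for ch in qname:
        if is_ascii_letter(ch) and rng.getrandbits(1):
            out.append(chr(ord(ch) ^ 0x20))
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(qname):
    """Extra guesswork forced on an attacker: one bit per letter in the name."""
    return sum(1 for ch in qname if is_ascii_letter(ch))


def response_accepted(sent_qname, answered_qname):
    """The question section in the response must echo our query name byte for byte.
    A case mismatch means the packet was not built from our query: a spoof attempt, or a
    server that rewrites case (real resolvers detect those and fall back to plain queries)."""
    if sent_qname.lower() != answered_qname.lower():
        return False  # not even the same name: unrelated or malformed response
    return sent_qname == answered_qname


def spoof_success_probability(qname):
    """Per forged packet the attacker must guess the 16-bit ID and the 0x20 pattern."""
    return 1.0 / (2 ** 16 * 2 ** entropy_bits(qname))


if __name__ == "__main__":
    sent = encode_0x20("www.example.com.")
    print("sent      :", sent, "(%d extra bits)" % entropy_bits(sent))
    # Constructed attacker packet: the attacker only knows the name in lower case
    forged = "www.example.com."
    print("forged ok :", response_accepted(sent, forged))   # True only if all 13 coin flips came up lower case
    # Constructed honest answer: the authoritative server echoes our question verbatim
    print("honest ok :", response_accepted(sent, sent))
```

Note that the bits are in addition to, not instead of, transaction ID and source port randomisation; on its own 0x20 gives nothing for names made only of digits and hyphens.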
When I was writing the zine How DNS Works earlier this year, someone asked me – why do people sometimes put a dot at the end of a domain name? //
almost every line starts with a ;;. What’s up with that? Well ; is the comment character in zone files!
So I think the reason that dig prints out its output in this weird way is so that if you wanted, you could just paste this into a zone file and have it work without any changes.
This also explains why there’s a . at the end of example.com. – zone files require a trailing dot at the end of a domain name (because otherwise they’re interpreted as being relative to the zone). So dig does too. //
There are two contexts where domain names are modified and get something else added to the end:
- in a zone file for example.com, grapefruit gets translated to grapefruit.example.com
- on my local network (with my computer configured to use the search domain lan), grapefruit gets translated to grapefruit.lan
So because domain names can actually be translated to something else in some cases, people like to put a "." at the end to communicate “THIS IS THE DOMAIN NAME, NOTHING GETS ADDED AT THE END, THIS IS THE WHOLE THING”. Because otherwise it can get confusing.
The technical term for “THIS IS THE WHOLE THING” is “fully qualified domain name” or “FQDN”. So google.com. is a fully qualified domain name, and google.com isn’t.
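The two expansion rules can be written down exactly, which makes the trailing dot less mysterious. This is an added example, not code from the zine: `qualify_in_zone` applies the zone-file origin rule, and `stub_resolver_candidates` reproduces the glibc `ndots` rule (default 1) that decides whether a name typed by a user is tried as-is first or against the search list first. The search-list-first order for short names is also why a bare internal hostname can quietly turn into a query for a name under someone else's domain.

```python
def qualify_in_zone(owner, origin):
    """Zone-file rule: a name without a trailing dot is relative to the zone origin,
    '@' means the origin itself, and a name ending in '.' is already fully qualified."""
    origin = origin.rstrip(".") + "."
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." + origin


def stub_resolver_candidates(name, search_domains, ndots=1):
    """Absolute names a glibc-style stub resolver tries, in order:
    - trailing dot: only the name as given (FQDN, nothing appended);
    - at least `ndots` dots: try it as absolute first, then each search domain;
    - fewer dots: each search domain first, the absolute name last."""
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [name + "." + d.rstrip(".") + "." for d in search_domains]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


if __name__ == "__main__":
    print(qualify_in_zone("grapefruit", "example.com."))
    for typed in ("grapefruit", "google.com", "google.com."):
        print(typed, "->", stub_resolver_candidates(typed, ["lan"]))
```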
The domain name in the email address is fairly irrelevant. The name used in the MX record doesn't really matter either. ISPs will often use something like mail.customer-domain.com in MX records, all pointing to one server whose real name is obviously not mail.customer-domain.com. What does matter is the server's actual hostname.
When talking via SMTP, your server will identify itself in the SMTP conversation using its full hostname, in this case 'server.example.com'.
The A record for 'server.example.com' should point to the IP of your server, and the PTR record for this IP address should match the hostname.
server.example.com. A 82.197.45.124
124.45.197.82.in-addr.arpa. PTR server.example.com
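The A and PTR pair above is what receiving mail servers verify as forward-confirmed reverse DNS (FCrDNS) against the EHLO name. The following is an added example, not code from the quoted answer: it builds the in-addr.arpa (or ip6.arpa) owner name with the standard library and checks both directions against constructed records that mirror the two lines above, plus the ISP-style MX alias to show why greeting with that name would fail.

```python
import ipaddress

# Constructed records standing in for live lookups; the first A and the PTR are the
# two records from the text, the second A is the ISP-style MX alias (forward only).
A_RECORDS = {
    "server.example.com.": ["82.197.45.124"],
    "mail.customer-domain.com.": ["82.197.45.124"],
}
PTR_RECORDS = {
    "124.45.197.82.in-addr.arpa.": ["server.example.com."],
}


def reverse_name(ip):
    """Owner name of the PTR record: in-addr.arpa for IPv4, ip6.arpa nibbles for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(table, name):
    return table.get(name.rstrip(".") + ".", [])


def fcrdns_ok(hostname, ip, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Forward-confirmed reverse DNS: hostname -> ip via A/AAAA and ip -> hostname via PTR,
    and both must hold. This is the check receiving MTAs apply to the EHLO name."""
    fqdn = hostname.rstrip(".") + "."
    forward_ok = ip in lookup(a_records, fqdn)
    reverse_ok = fqdn in lookup(ptr_records, reverse_name(ip))
    return forward_ok and reverse_ok


def ehlo_check(ehlo_name, connecting_ip):
    """Verdict for one inbound SMTP connection."""
    if fcrdns_ok(ehlo_name, connecting_ip):
        return "pass"
    return "fail: EHLO name %s and PTR for %s disagree" % (ehlo_name, connecting_ip)


if __name__ == "__main__":
    print(reverse_name("82.197.45.124"))
    print(ehlo_check("server.example.com", "82.197.45.124"))
    print(ehlo_check("mail.customer-domain.com", "82.197.45.124"))
```

Swap the two dictionaries for real resolver calls and the same function works as a pre-deployment check for a new outbound mail host; the PTR is the record most often forgotten, because it lives in the address owner's zone, not yours.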
IntoDNS checks the health and configuration of a domain and produces a DNS report and a mail servers report, with suggestions for fixes and improvements that reference the protocols' official documentation.
The root cause of the worldwide outage appears to be a flubbed BGP route update.
Dane Knecht (@dok2001), 12:01 PM · Oct 4, 2021:
. @Facebook DNS and other services are down. It appears their BGP routes have been withdrawn from the internet. @Cloudflare 1.1.1.1 started seeing high failure in last 20mins.
Here we will discuss how to block a website or domain on a MikroTik router, including social media sites such as YouTube, Facebook and Twitter.
One of the best solutions so far is to force everyone on the network to use a DNS resolver you control and block the DNS request for the domain there.
# Redirect every DNS query (UDP and TCP port 53) that is not already going to <dns-server> to it
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
protocol=udp to-addresses=<dns-server> to-ports=53
add action=dst-nat chain=dstnat dst-address=!<dns-server> dst-port=53 \
protocol=tcp to-addresses=<dns-server> to-ports=53
Then either create a static DNS entry for download.windowsupdate.com pointing to 127.0.0.1, or use the Layer7 filter to identify and drop the request. Note that the redirect only catches plain port-53 DNS: clients using DNS over TLS (port 853) or DNS over HTTPS (port 443) bypass it unless you block those destinations as well.
There’s a definitive answer to this question, and you can find it in RFC 8375: use home.arpa. Never heard of it before? It wasn’t assigned as a special purpose top-level domain (spTLD) name for residential and small networks until 2018.
The home.arpa spTLD isn’t a globally unique domain name, and you can’t resolve it across the internet. It’s only meant to be used inside a small network, such as your home network. Routers and DNS servers know, [in theory,] not to forward ARPA requests they don’t understand onto the public internet. //
You may have seen some suggest you use the .local spTLD instead. That is an older spTLD name used by the self-configuring Multicast DNS (mDNS) protocol (RFC 6762). You should not configure your router or devices to use this domain name.
DNS clients may defer the resolution of .local spTLDs to the system’s mDNS resolvers instead of its DNS resolver. You can end up with domain resolution conflicts, or a situation where only some devices can resolve your domains. //
What domain name to use in a residential home or local area network most often comes up in the context of configuring the DHCP server on your router. Most gateway routers leave it empty by default, or may populate it with a domain assigned by your internet service provider (ISP). You can safely set it to home.arpa on your local network’s DHCP server.
Devices on your network should then assign themselves an example-device-hostname.home.arpa domain name. Please note that not all residential routers bind their DHCP leases' host and domain names to resolvable DNS entries in the router's DNS server. You may not be able to resolve the home.arpa domains without additional configuration (or a different router or dedicated DNS server).
Your time is better spent ensuring all your devices support mDNS resolution than trying to fix DHCP lease bindings and DNS resolution on your router. //
Do not use undelegated domain names like .lan, .home, .homenet, .network, nor should you make up your own domain name. You can use a domain or a subdomain of a domain name you’ve bought from a domain registrar, however. This last option requires extra configuration of your router to work locally, and an advanced setup involving dynamic-domain names (DynDNS) to work over the internet.
PowerDNS, founded in the late 1990s, is a premier supplier of open source DNS software, services and support. Deployed throughout the world with some of the most demanding users of DNS, we pride ourselves on providing quality software and the very best support available. Since 2015 we are part of Open-Xchange.
Our Authoritative Server, Recursor and dnsdist products are 100% open source. For the service provider market, OX also sells OX Protect, which builds on our open source products to deliver an integrated DNS solution with 24/7 support and includes features such as parental control, malware filtering, automated attack mitigation, and long-term query logging and searching.
The US National Security Agency (NSA) says that companies should avoid using third-party DNS resolvers, in order to block threat actors' attempts to eavesdrop on and manipulate DNS traffic and to keep internal network information from leaking out. //
"NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the US intelligence agency said.
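The NSA recommendation above, and the MikroTik redirect earlier on this page, both assume you can see when a client talks to a resolver you did not designate. The following is an added example, not code from the NSA guidance or from any product: a small policy run over constructed NetFlow-style records that flags plaintext DNS (53) and DNS over TLS (853) to anything but the enterprise resolvers, and HTTPS to the well-known public resolver addresses listed elsewhere on this page as probable DNS over HTTPS. The internal resolver addresses and the flow records are hypothetical.

```python
import csv
import io

ENTERPRISE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # hypothetical designated resolvers
# Public resolver addresses named elsewhere on this page; the same addresses serve DoT and DoH.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1",
                          "208.67.222.222", "208.67.220.220"}

# Constructed flow export (src, dst, proto, dport), documentation address ranges for externals.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.0.0.5,10.0.0.53,udp,53
10.0.0.7,8.8.8.8,udp,53
10.0.0.8,203.0.113.9,tcp,53
10.0.0.9,1.1.1.1,tcp,853
10.0.0.9,1.1.1.1,tcp,443
10.0.0.11,198.51.100.20,tcp,443
"""


def classify_flow(flow, enterprise=ENTERPRISE_RESOLVERS, public=KNOWN_PUBLIC_RESOLVERS):
    """None for acceptable traffic, otherwise a short reason for the policy violation."""
    dst, dport = flow["dst"], int(flow["dport"])
    if dport == 53:
        return None if dst in enterprise else "plaintext DNS to non-enterprise resolver"
    if dport == 853:
        return None if dst in enterprise else "DNS over TLS to non-enterprise resolver"
    if dport == 443 and dst in public:
        # DoH is indistinguishable from ordinary HTTPS by port; only the destination gives it away.
        return "HTTPS to a known public resolver (probable DNS over HTTPS)"
    return None


def find_rogue_dns(flow_text):
    """Apply the policy to a CSV export; returns (src, dst, dport, reason) tuples."""
    hits = []
    for flow in csv.DictReader(io.StringIO(flow_text)):
        reason = classify_flow(flow)
        if reason:
            hits.append((flow["src"], flow["dst"], int(flow["dport"]), reason))
    return hits


if __name__ == "__main__":
    for hit in find_rogue_dns(SAMPLE_FLOWS):
        print("%s -> %s:%d  %s" % hit)
```

The 443 rule is only as good as the resolver list, which is why the guidance pairs detection with blocking: deny outbound 53 and 853 from clients at the edge, and leave DoH to a maintained list of known resolver endpoints or to TLS inspection.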
If you want to switch to a public DNS server, you have a few options. The most common is Google's Public DNS, which uses the addresses 8.8.8.8 and 8.8.4.4.
If you trust Google less than your ISP, you can also use Cloudflare's DNS, which claims to be the fastest and takes a privacy-first stance. The main address for it is 1.1.1.1, with an alternate of 1.0.0.1.
Lastly, you can also use OpenDNS, from Cisco: 208.67.222.222 and 208.67.220.220. To use the default "family friendly" DNS blocking, use 208.67.222.123 and 208.67.220.123.
US-based Firefox users get encrypted DNS lookups today or within a few weeks. //
I am of two minds on the privacy benefits of DoH/DoT, but my current feeling is that it's not worth bothering with because the benefits don't fit the common use cases.
On one hand, the idea of concealing your DNS lookups from your ISP feels like a positive one. Your ISP can still sniff your SNI requests and see where you're browsing, so it doesn't necessarily gain you any privacy, but it does at least make it more difficult for them to casually spy on you and aggregate your DNS lookups into a salable package.
On the other hand, giving all of your DNS lookups to Cloudflare or NextDNS potentially allows Cloudflare or NextDNS to....casually spy on you and aggregate your DNS lookups into a salable package. And your ISP can still see your SNI requests. So in a way, you're potentially inviting more people to watch you, not fewer.
I used DoH for most of last year, but there's a pretty strong argument to be made that you're better off running your own local recursive resolver with qname minimization enabled. This means your DNS requests are not encrypted, but it also means that you're directly doing the entire lookup yourself, which greatly reduces your vulnerability to dns poisoning.
More to the point, I'm no longer certain there's much benefit at all of obscuring your DNS lookups if the purpose of that obfuscation is to hide activity from your ISP. A bit more than 95% of sites have a unique page-load fingerprint and that makes figuring out what site you're visiting solely by IP address a trivial task regardless of DNS obfuscation.
With all of that in mind, I've ditched DoH/DoT and just set up unbound in full recursion mode. It's fast and it works great.
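The QNAME minimisation the commenter refers to changes which servers get to see which part of a name. The following is an added example, not the commenter's code or unbound's: it lists the queries a classic iterative resolver sends against those a minimising resolver (RFC 9156) sends, under the simplifying assumption that every label is a separate zone cut (real zones often span several labels, in which case the minimising resolver discovers that and moves on). In unbound the behaviour is enabled with `qname-minimisation: yes` in unbound.conf.

```python
def labels(name):
    return [label for label in name.rstrip(".").split(".") if label]


def full_name_queries(name):
    """Without minimisation the whole name goes to every server on the delegation chain."""
    ls = labels(name)
    zones = ["."] + [".".join(ls[i:]) + "." for i in range(len(ls) - 1, 0, -1)]
    return [(zone, name) for zone in zones]


def qname_minimised_queries(name):
    """RFC 9156 style: each server is asked only for the name one label below its own zone.
    Simplification: one zone cut per label (assumed for the demonstration)."""
    ls = labels(name)
    out = []
    for i in range(len(ls) - 1, -1, -1):
        zone = "." if i == len(ls) - 1 else ".".join(ls[i + 1:]) + "."
        out.append((zone, ".".join(ls[i:]) + "."))
    return out


def seen_by(zone, queries):
    """Query names a given zone's servers would observe."""
    return [qname for z, qname in queries if z == zone]


if __name__ == "__main__":
    name = "www.example.com."
    for label, queries in (("full name", full_name_queries(name)),
                           ("minimised", qname_minimised_queries(name))):
        print(label)
        for zone, qname in queries:
            print("  ask %-14s for %s" % (zone, qname))
```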
As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.
Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.
One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.
For maximum security on your domains, consider adopting some or all of the following best practices:
- Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).
- Use DNSSEC (both signing zones and validating responses).
- Use access control lists for applications, Internet traffic and monitoring.
- Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.
- In cases where passwords are used, pick unique passwords and consider password managers.
- Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.
- Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.
OpenDNS test page to confirm that you are using OpenDNS' resolvers.
Check out our demo phishing site InternetBadGuys.com.
OpenDNS test domain - should be blocked if you're using OpenDNS resolvers
OpenDNS Test Domain
IPv6 Subnetting Calculator
Input an IPv6 address and the subnet size in slash notation:
IPv6 address:
Compressed Address: 2607:f1c0:832:ef00::80/56
Expanded Address: 2607:f1c0:0832:ef00:0000:0000:0000:0080/56
Prefix: ffff:ffff:ffff:ff00:0000:0000:0000:0000
Range: 2607:f1c0:832:ef00:0:0:0:0 to 2607:f1c0:832:efff:ffff:ffff:ffff:ffff
Number of /64s: 256
Select a number of subnets or a subnet size to divide the above into:
subnets or
Subnetting 2607:f1c0:832:ef00::80/56 into /64s gives 256 subnets, each a single /64.
2607:f1c0:832:ef00::/64
....
2607:f1c0:832:efff::/64
Use the above calculator to plan your IPv6 networks. Because IPv6 address space is so large, the number of hosts in a network is not a planning concern; you plan in terms of how many subnets a prefix yields. Remember that the smallest recommended subnet is a /64.
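Everything the calculator shows comes from masking and splitting, which the Python standard library does directly. The following is an added example, not the calculator's code: it reproduces the report above for the same input (compressed and expanded forms, prefix mask, first and last address, number of /64s, first and last /64) and refuses to carve a shorter prefix than the one given. Note the `strict=False`: the input `::80/56` has host bits set, and the calculator silently masks them off, so the code does too.

```python
import ipaddress


def subnet_report(cidr, new_prefix=64):
    """Normalise a prefix, show mask and range, and carve it into /new_prefix subnets
    without materialising them all (a /32 holds 2**32 /64s)."""
    net = ipaddress.IPv6Network(cidr, strict=False)  # mask off host bits such as ::80
    if new_prefix < net.prefixlen:
        raise ValueError("cannot carve /%d out of a /%d" % (new_prefix, net.prefixlen))
    first_subnet = next(iter(net.subnets(new_prefix=new_prefix)))
    last_subnet = ipaddress.IPv6Network("%s/%d" % (net.broadcast_address, new_prefix), strict=False)
    return {
        "compressed": net.compressed,
        "expanded": net.exploded,
        "prefix_mask": net.netmask.exploded,
        "first": net.network_address.compressed,
        # broadcast_address is simply the last address; IPv6 has no broadcast
        "last": net.broadcast_address.compressed,
        "count": 2 ** (new_prefix - net.prefixlen),
        "first_subnet": first_subnet.compressed,
        "last_subnet": last_subnet.compressed,
    }


def allocate(cidr, how_many, new_prefix=64):
    """Hand out the first `how_many` /new_prefix subnets of a prefix, in order."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    out = []
    for subnet in net.subnets(new_prefix=new_prefix):
        if len(out) == how_many:
            break
        out.append(subnet.compressed)
    return out


if __name__ == "__main__":
    for key, value in subnet_report("2607:f1c0:832:ef00::80/56").items():
        print("%-13s %s" % (key + ":", value))
    print(allocate("2607:f1c0:832:ef00::80/56", 3))
```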