Mxin’s Weblog

Taken From techrepublic.com.com, November 17th, 2008

The need to secure DNS has never been greater. Attacks against DNS cache integrity, including entire zone references, are an easy way for criminals to redirect your unsuspecting users to malicious sites. The IETF and others are working on a set of security extensions to protect the integrity of DNS information as it is shared across the Web. However, these extensions, known as DNSSec, are far from globally accepted, and it will probably be years before they are implemented for all DNS transactions.

So what can you do today to protect your users? Quite a bit, actually. But before we get to the DNS security checklist developed by the U.S. National Institute of Standards and Technology (NIST), it’s important to understand the role DNSSec will play in the future and why its implementation is an important part of global Internet security.

In this article I review how DNS works and I define DNS cache poisoning. In the next article, I describe DNSSec, how it will eventually provide protection from malicious redirection, and what you can do until DNSSec becomes a reality.

DNS review

The DNS (Domain Name System) is a critical component not only of the Internet, but also of internal network operation. It uses distributed repositories to convert human-friendly names to IP addresses; for example, it converts the domain name google.com to 64.233.187.99, or mail.google.com to 64.233.183.17. Routers need the numeric version to make sure packets reach the right network segment, wherever it might be.

Figure 1 depicts the IP address resolution process when the target system and DNS server are both internal. In this example, a workstation must establish a session with a server in Farpoint.company.com. In order for a workstation to implement DNS, it must be running a DNS Client or Client Resolver. The resolver initiates the following process, resulting in the conversion of the domain name to an IP address (Microsoft TechNet, 2008).

Figure 1: Internal Resolution

Step 1: The resolver checks the resolver cache in the workstation’s memory to see if it contains an entry for Farpoint.company.com. The entry would be present if the workstation had resolved the name to an IP address since the last time it was powered on, and the Time to Live of the entry had not been exceeded. In this example, no entry is found.

Step 2: Having found no entry in the resolver cache, the resolver sends a resolution query to the internal DNS server.

Step 3: When the DNS server receives the query, it first checks to see if it can authoritatively answer a query about resources in company.com. If it can, the server performs a lookup in its internal zone table. In this case, it finds a host Resource Record (RR) that includes the IP address for Farpoint.company.com.

Step 4: The IP address of Farpoint.company.com is returned to the resolver.

Step 5: The resolved domain name and IP address are placed into the resolver cache. Figure 2 is an actual listing of the contents of a workstation resolver DNS cache.

Figure 2: Resolver Cache

In the previous example, the target server was located within the requestor’s network. But what if the target device is located somewhere on the Internet? In that case, the process is somewhat different. Please refer to Figure 3 as we step through this second DNS resolution process.

Figure 3: Recursive Query

Step 1: The resolver checks the resolver cache in the workstation’s memory to see if it contains an entry for Farpoint.companyA.com.

Step 2: Having found no entry in the resolver cache, the resolver sends a resolution request to the internal DNS server.

Step 3: When the DNS server receives the request, it first checks to see if it’s authoritative. In this case, it isn’t authoritative for companyA.com. The next action it takes is to check its local cache to see if an entry for Farpoint.companyA.com exists. It doesn’t. So in Step 4 the internal DNS server begins the process of iteratively querying external DNS servers until it either resolves the domain name or it reaches a point at which it’s clear that the domain name entry doesn’t exist.

Step 4: A request is sent to one of the Internet root name servers. The root server returns the address of a server authoritative for the .COM TLD (Top Level Domain).

Step 5: A request is sent to the authoritative server for .COM. The address of a DNS server authoritative for the companyA.com domain is returned.

Step 6: A request is sent to the authoritative server for companyA.com. The IP address of Farpoint.companyA.com is returned.

Step 7: The IP address for Farpoint is returned to the client resolver.

Step 8: An entry is made in the resolver cache, and a session is initiated with Farpoint.companyA.com.

This process, from the client resolver perspective, is known as a recursive query.
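To make the two walks above concrete, here is an added Python simulation (not part of the TechRepublic article) of a client resolver with a TTL-bound cache in front of an internal DNS server that is authoritative for company.com and iterates root, then .COM, then the companyA.com server for everything else. All server names, addresses (documentation ranges) and TTLs are constructed for the example; the trace returned by each lookup shows which of the numbered steps actually ran.

```python
"""Added simulation of the resolution paths described above (not part of the
original article). All names, addresses and TTLs are constructed for the example."""
from dataclasses import dataclass, field

# Constructed external servers walked in Steps 4-6 of the recursive query.
# A "referral" entry means "ask this server next"; an "A" entry is a host RR.
EXTERNAL_SERVERS = {
    "root": {"referral": {"com": "tld-com"}},
    "tld-com": {"referral": {"companya.com": "ns.companya.com"}},
    "ns.companya.com": {"A": {"farpoint.companya.com": ("203.0.113.10", 300)}},
}


@dataclass
class Cache:
    """name -> (ip, absolute expiry). Entries whose Time to Live has passed are dropped."""
    entries: dict = field(default_factory=dict)

    def get(self, name, now):
        hit = self.entries.get(name)
        if hit is None:
            return None
        ip, expires = hit
        if now >= expires:
            del self.entries[name]
            return None
        return ip, expires - now        # remaining TTL, as a real cache hands out

    def put(self, name, ip, ttl, now):
        self.entries[name] = (ip, now + ttl)


class InternalDnsServer:
    """Authoritative for one zone; caches what it learns about other zones."""

    def __init__(self, zone, records, external):
        self.zone = zone                # e.g. "company.com"
        self.records = records          # host RRs of the zone: name -> (ip, ttl)
        self.external = external
        self.cache = Cache()

    def resolve(self, name, now):
        """Returns (ip, ttl, trace); ip is None when the name does not exist."""
        trace = []
        if name.endswith("." + self.zone):            # Step 3: authoritative?
            trace.append("authoritative lookup")
            rr = self.records.get(name)
            return (rr[0], rr[1], trace) if rr else (None, None, trace)
        hit = self.cache.get(name, now)               # Step 3 (Figure 3): local cache
        if hit:
            trace.append("server cache hit")
            return hit[0], hit[1], trace
        server = "root"                               # Steps 4-6: iterate, following referrals
        while True:
            trace.append("query " + server)
            data = self.external[server]
            if name in data.get("A", {}):
                ip, ttl = data["A"][name]
                self.cache.put(name, ip, ttl, now)
                return ip, ttl, trace
            nxt = None
            for zone, srv in data.get("referral", {}).items():
                if name.endswith("." + zone):
                    nxt = srv
            if nxt is None:                           # nobody left to ask: no such name
                return None, None, trace
            server = nxt


class ClientResolver:
    """The workstation's DNS client (Steps 1, 2 and 5 / 8)."""

    def __init__(self, server):
        self.server = server
        self.cache = Cache()

    def lookup(self, name, now):
        name = name.lower()                           # DNS names are case-insensitive
        hit = self.cache.get(name, now)               # Step 1: resolver cache
        if hit:
            return hit[0], ["resolver cache hit"]
        ip, ttl, trace = self.server.resolve(name, now)   # Step 2: ask the internal server
        if ip is not None:                            # Step 5 / Step 8: cache the answer
            self.cache.put(name, ip, ttl, now)
        return ip, ["query internal DNS"] + trace


def build_demo():
    """Internal server authoritative for company.com, with one constructed host RR."""
    server = InternalDnsServer(
        "company.com", {"farpoint.company.com": ("192.0.2.10", 3600)}, EXTERNAL_SERVERS)
    return ClientResolver(server)


if __name__ == "__main__":
    resolver = build_demo()
    for name, t in [("Farpoint.company.com", 0), ("Farpoint.company.com", 10),
                    ("Farpoint.companyA.com", 0), ("Farpoint.companyA.com", 400),
                    ("nothere.companyA.com", 0)]:
        print(f"t={t:<4} {name:<24} -> {resolver.lookup(name, t)}")
```

Running the script shows the first internal lookup answered authoritatively, the second served from the resolver cache, the external name walked through root, TLD and authoritative server, and the same walk repeated once the 300-second TTL has expired in both caches.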

A summary of DNS cache poisoning issues

When attackers want a DNS server to hand out the IP addresses of their own servers, they must use some method of replacing valid addresses on the caching server with their own. There are few controls that ensure the integrity of a query response, that is, that it came from a server authorized to provide resolution information. Once the attacker’s information is written to a caching server or to a resolver’s cache, the DNS cache is said to be poisoned. A more detailed description of one way this might happen is found in DNS Cache Poisoning: Definition and Prevention. Another method, recently disclosed by Dan Kaminsky, is described in An Illustrated Guide to the Kaminsky DNS Vulnerability.

One method developed to help prevent cache poisoning is randomization of the transaction ID. Each DNS query is assigned an ID. Randomizing this value makes an attacker’s job a little harder. Current DNS solutions support this feature, but Kaminsky demonstrated that it isn’t enough to provide reasonable and appropriate protection.

Adding query source port randomization to transaction ID randomization is a good way to increase an attack’s work factor. Instead of an attacker knowing only the transaction ID, he or she also has to know the port from which the transaction was sent. A securely configured DNS server using the most current iteration of BIND, for example, could randomize the port used instead of settling on port 53.

Although this is a big step forward, there are still many DNS servers not using this feature, putting systems querying them at risk. And even if all DNS servers on the Internet used a combination of transaction ID randomization and source port randomization, this should be considered an interim solution at best. The entropy provided is not sufficient to dissuade a tenacious attacker.
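The three paragraphs above are really about two things: the few fields a caching resolver can check on an unauthenticated UDP reply, and how many of those fields are unpredictable. The following added Python example (not from the article) records an outstanding query the way a resolver does, applies those checks to a reply, and computes the size of the guess space with and without source port randomization. The port range 1024-65535 is an assumption and all names and addresses are constructed; nothing is sent on the network.

```python
"""Added example (not from the article): how a caching resolver matches a UDP
reply to an outstanding query, and how much a blind forger has to guess
depending on what is randomized. All values are constructed; nothing is sent."""
import math
import random
from dataclasses import dataclass

TXID_SPACE = 2 ** 16            # the DNS header transaction ID is 16 bits
EPHEMERAL_PORTS = 65536 - 1024  # source ports a resolver can pick from (assumed 1024-65535)


@dataclass(frozen=True)
class Query:
    txid: int        # transaction ID sent in the query
    src_port: int    # UDP port the query left from
    qname: str
    qtype: str = "A"


@dataclass(frozen=True)
class Reply:
    txid: int
    dst_port: int    # port the reply is addressed to
    qname: str
    qtype: str
    answer: str


def new_query(qname, randomize_port, seed=None):
    """Outstanding query as the resolver records it. A fixed source port 53 is the
    weak setting the article warns about; randomize_port=True picks an ephemeral port."""
    rng = random.Random(seed)
    txid = rng.randrange(TXID_SPACE)
    port = 1024 + rng.randrange(EPHEMERAL_PORTS) if randomize_port else 53
    return Query(txid, port, qname.lower())


def accept_reply(pending, reply):
    """The only checks an unauthenticated UDP reply gets: transaction ID, port and
    question must all match an outstanding query. Returns the matched query or None.
    Nothing here proves the reply came from the real server; that is what DNSSec adds."""
    for q in pending:
        if (q.txid == reply.txid and q.src_port == reply.dst_port
                and q.qname == reply.qname.lower() and q.qtype == reply.qtype):
            return q
    return None


def guess_space(randomize_txid=True, randomize_port=False):
    """Number of (txid, port) combinations a forged reply must hit."""
    return (TXID_SPACE if randomize_txid else 1) * (EPHEMERAL_PORTS if randomize_port else 1)


def entropy_bits(randomize_txid=True, randomize_port=False):
    """Unpredictable bits a forger must match; the article's 'work factor'."""
    return math.log2(guess_space(randomize_txid, randomize_port))


if __name__ == "__main__":
    q = new_query("Farpoint.companyA.com", randomize_port=True, seed=2008)
    genuine = Reply(q.txid, q.src_port, "farpoint.companya.com", "A", "203.0.113.10")
    wrong_port = Reply(q.txid, 53, "farpoint.companya.com", "A", "198.51.100.1")
    print("genuine accepted:", accept_reply({q}, genuine) is q)
    print("wrong port accepted:", accept_reply({q}, wrong_port) is not None)
    for txid, port in [(True, False), (True, True)]:
        print(f"txid random={txid} port random={port}: {entropy_bits(txid, port):.1f} bits")
```

The numbers make the article's point: transaction ID randomization alone gives 16 bits, and adding port randomization brings it to just under 32 bits. That is enough to raise the cost of blind forgery, but accept_reply still has no way to tell a genuine reply from one that merely matches all three fields, which is why the article treats this as an interim measure.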

The final word

In the next post, we’ll look at what international organizations are doing to strengthen DNS integrity via DNSSec. Since DNSSec is still far from globally deployed, we’ll step through the NIST checklist for securely deploying DNS services without it.

Some time ago, friends on the PHPUG mailing list asked about the requirements for good multimedia, and I was interested in one answer from a list member, which went roughly like this:

From the interaction design side, a good application must satisfy the following 6 things:

1. Intuitive Interaction
2. Clear Mental Model
3. Reassuring Feedback
4. Navigability
5. Consistency
6. Contextual

Intuitive Interaction
Intuitive means a design that is familiar and can accommodate human limitations.
Familiar relates to the user's past experience. For example, we are already used to reading the "X" icon in the top right corner of a window as close, so we use that icon too, so the user's learning curve isn't too steep (steep == hard to learn/adapt to the application).
Accommodating human limitations means, for example, that we would never ask the user to click two buttons 400 pixels apart at the same time.

Clear Mental Model
For example, in a presentation, when someone clicks next, the next page 'slides in' from the right, and when they click back, the previous page 'slides in' from the left. So the user can picture in their mind that to the right of the current page is the next page, and vice versa.

Reassuring Feedback
Users really don't like feeling 'lost'. This sense of being lost must be avoided by giving clear feedback. For example, if the user clicks the wrong button, some kind of pop-up alert should appear that guides the user to the right action.
Or when the user successfully completes an action, show some kind of pop-up alert that says: "You have successfully done X".

Navigability
The same as avoiding the sense of being lost: like on a road, we have to give the user a clear map. Where the user is now, and where the user can go. And if the user gets 'lost', there has to be a mechanism to bring the user back to a safe/familiar area. For example, on a website there is always a link back to 'HOME', so the user always feels 'safe'.

Consistency
Consistency relates to the user's learning curve with our application. If, say, at one point the navigation button is on the left, and then on the second page the navigation button is placed in the left corner, the user will get confused. Consistency also relates to the theme/graphic design of the application. Not every page has to have the same colors, but they must have the same theme. It is important to know about Color Harmony, so that the use of color can be consistent.

Contextual
Contextual means where and by whom the application is used. For example, we like using sound effects to enrich the user experience, but sound effects are useless if the application is going to be used in a noisy place, or in a place where noise isn't allowed.
Who the user is also has to be considered; for example, in an application used by elderly people there definitely shouldn't be small fonts and loud colors.

BORRYS HASIAN
http://www.picosoul.com
http://www.humaneinteraction.com

Many of the websites we know show an unusual-looking URL when we follow their links. Unusual in the sense that the URL looks neater and is easier to read. Example:

http://www.mxin.co.cc/index.php?halaman=berita&id=10

can be shortened to

http://www.mxin.co.cc/halaman-halaman-9.html

want to know how? 😛 okay, let's get started:

  1. Create a file named .htaccess
  2. Put it in our web directory
  3. Edit the .htaccess file with Notepad or another editor
  4. Type in the following source:

Options All -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# map /halaman-<page>-<id>.html to index.php?hal=<page>&id=<id>, keeping any query string ([QSA])
# the dot is escaped and the pattern end-anchored so only paths that really end in .html match
RewriteRule ^halaman-([a-z]*)-([0-9]*)\.html$ index.php?hal=$1&id=$2 [QSA,L]
</IfModule>
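As an added check (not Apache code and not part of the original post), the following Python snippet emulates the RewriteRule above so the mapping from a clean URL to the internal index.php query can be verified without a web server. It also shows what index.php ends up seeing in $_GET, including the case where the `[a-z]*` and `[0-9]*` groups match empty strings, which is why index.php still has to validate `hal` and `id` itself. The example URLs are constructed.

```python
"""Added example (not Apache code and not from the original post): an emulation of
the RewriteRule above, so the clean-URL to index.php mapping can be checked
without a web server. The URLs below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Pattern from the .htaccess: the dot is escaped and the pattern end-anchored so
# only paths that really end in ".html" are rewritten.
PATTERN = re.compile(r"^halaman-([a-z]*)-([0-9]*)\.html$")
TARGET = r"index.php?hal=\1&id=\2"       # $1 / $2 in Apache syntax


def rewrite(path, query_string=""):
    """Returns the internal URL Apache would serve, or None if the rule does not apply."""
    m = PATTERN.match(path.lstrip("/"))  # with RewriteBase / the leading slash is stripped
    if not m:
        return None
    target = m.expand(TARGET)
    if query_string:                     # [QSA]: the original query string is appended
        target += "&" + query_string
    return target


def handler_params(target):
    """What index.php sees in $_GET after the rewrite (blank values kept)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query, keep_blank_values=True).items()}


def params_are_sane(params):
    """[a-z]* and [0-9]* also match empty strings, so index.php must still validate
    hal and id itself rather than trusting the rewrite to have filtered them."""
    return params.get("hal", "").isalpha() and params.get("id", "").isdigit()


if __name__ == "__main__":
    for p in ["/halaman-halaman-9.html", "/halaman-berita-10.html", "/halaman--.html",
              "/halaman-Berita-10.html", "/index.php"]:
        t = rewrite(p, "lang=id")
        print(p, "->", t, None if t is None else params_are_sane(handler_params(t)))
```

Note that without the `[NC]` flag the rule is case-sensitive, so /halaman-Berita-10.html is not rewritten, and that the rewrite target uses the parameter name `hal`, so index.php has to read that key.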

References:

Bengkelprogram.com
http://www.bambangriadi.com/br/2008/07/mengatasi-error-htaccess-di-localhost/
http://webtools.live2support.com/misc_rewrite.php
http://www.iwebtool.com/htaccess_url_rewrite
http://cooletips.de/htaccess/index.php
http://www.jagoanhosting.com/blog/file-htaccess/
http://blog.jefendi.web.id/2008/02/03/paksa-server-memakai-php-v-4/
http://www.konconebudi.com/uncategorized/lets-play-url-rewrite.html
http://www.linkvendor.com/seo-tools/url-rewrite.html,result#r

Alhamdulillah, yesterday I got free food for breaking the fast from the boss of the supplies shop; no need for chit-chat, just look at the photo 🙂

For a long time I've been really confused whenever I have to choose between those three things, and honestly, all of you will surely be confused by it too, unless you have piles of wealth or some extra ability that lets you do anything at all. but …

Office job: I've been an office worker, and honestly it's not fun at all being an office worker; you have to arrive on time, not to mention the office atmosphere, which, ugh, "sucks". But the nice thing about an office job is that you don't have to worry at the start of the month about hunting for money here and there, because the salary is sure to flow by itself from the boss's pocket 🙂

Freelance: I never imagined I'd become a freelancer. This work is really fun because there are so many challenges in it, from dealing with annoying clients, waiting for the PO to come out and being chased by deadlines to searching here and there for people willing to give you freelance work. On one hand you're free to decide what you want, but you have to be careful, because you won't get work every day, week or month… that's freelance

Entrepreneur: this one is almost the same as freelance, but here the person is really sharp at spotting opportunities. Unlike freelancers, who tend to wait for the ball, an entrepreneur goes after the ball. This is the level I'm currently trying out; on the one hand an entrepreneur needs a bit more extra energy, because you have to be sharp at reading the market and the customers

So, as Nugie put it in his song, have you found the lantern of your soul???

do what you believe is right…

do it if it really is right…

do it as truly as you can …

follow your passion !!!!

Register globals is a part of PHP that works as a module for accessing variables. Normally, for PHP versions below 4, register globals is usually set to on; conversely, for version 4 and above, register globals is set to off. Surely many will ask why some have it on and some have it off, like a CDMA operator combo :P. It is nothing other than a security matter, especially with security becoming ever more precarious.

to access variables when register globals is off, in PHP you can use:

$_GET['variable']; -----> use this if you're using the GET method

$_POST['variable']; -----> use this if you're using the POST method

if you don't use the functions above, you can go bald and it still won't work 🙂

well, yesterday I had a case where I was already using the functions above but the variable still couldn't be accessed, so, biting my nails, I finally made a .htaccess file to enable register globals for my site (not the whole server)

save the text below:

php_flag register_globals on

save that single line above in a .htaccess file, then put the file in the web directory where you want register globals enabled. but the line above doesn't work on servers that use phpsuexec
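The post says register_globals is off for security reasons without showing what the flag actually changes. The following added example, written in Python rather than PHP and not part of the post, emulates a page that sets $authorized only after a password check: with the flag on, every request parameter becomes a script variable before the page's own code runs, so a variable the page meant to set itself can arrive pre-set. It also shows the hardened habit that survives either setting: initialize your own variables before use and read input only through $_GET/$_POST. The page logic and the password are constructed for the example.

```python
"""Added example, written in Python rather than PHP and not part of the post: an
emulation of what register_globals changes, to show why it is off by default.
The page logic and the password are constructed for the example."""

SECRET = "constructed-demo-password"   # placeholder credential for the example


def php_truthy(value):
    """PHP's loose truth test for the values this page can hold."""
    return value not in (None, False, 0, "", "0")


def run_page(request_params, register_globals, initialize_first=False):
    """Emulates a page that sets $authorized only after a password check and then
    decides whether to show the admin area. request_params plays the role of $_GET/$_POST."""
    variables = {}
    if register_globals:
        # register_globals=on: every request parameter becomes a script variable
        # before the script's own code runs
        variables.update(request_params)
    if initialize_first:
        # Hardened variant: the script assigns its own default before use, so a
        # value injected by the request is overwritten even with the flag on
        variables["authorized"] = False
    # Explicit $_GET/$_POST access works regardless of the flag
    if request_params.get("password") == SECRET:
        variables["authorized"] = True
    # Later in the page: if ($authorized) { show admin area }
    return php_truthy(variables.get("authorized"))


if __name__ == "__main__":
    cases = [({"password": SECRET}, False, False), ({"authorized": "1"}, False, False),
             ({"authorized": "1"}, True, False), ({"authorized": "1"}, True, True)]
    for params, flag, init in cases:
        print(params, "register_globals=on" if flag else "register_globals=off",
              "initialized" if init else "", "->", run_page(params, flag, init))
```

The last two cases are the point: turning the flag on for a directory, as the .htaccess line above does, makes every unset variable in every script under it reachable from the request, and only scripts that initialize their own variables first are unaffected.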

straight to the point:

To celebrate Ramadan, the holy month that won't come again, I got fired up to make a new header for my campus. I wanted to make something simple that doesn't show photos, because usually I always show photos, to the point that during the new-student orientation event yesterday I was told the header looked like STPDN :))

okay, without further ado, here's the header:

If you get the chance, visit the site too; there's a fasting schedule on there as well. Here's the link: http://www.umm.ac.id

don't forget to leave a comment!!! 🙂

1 September 2008, the first day of the fast, and the first day of my return to blogging with a new domain.. hopefully this domain will last a long time…

there is nothing complex about the domain, just the 4-letter word mxin, which I pronounce like mixin ("Mencampur", to mix)

So friends, I'll be waiting for your shared content and links. thanks 4 all

  • mxin: Yes ... indeed, sometimes we get trapped in a circle that never ends; this life isn't really a choice, but when we make a decision, make sure
  • dhika: I'd like to be an entrepreneur.. but until now I'm still working in an office.. it's annoying, really..
