Solved

How to combine DNS server with a database

Posted on 2009-04-15
Last Modified: 2013-11-25
I have a commercial product whose licensing I want to track using DNS.  To verify the license upon installation the product sends a DNS query for the license number, e.g.,  12345-6789.mysite.com.

I want to implement a DNS server for mysite.com that receives these DNS queries and records them in a database.  It needs to track the originating IP  address of each query.  That way if I see a lot of hits for the same license code from many different IP addresses it will tell me that the license code has been pirated.

The DNS server will query the database and respond with different pseudo-addresses depending on the license status.  For example, 127.0.0.1 = good license, 127.0.0.2 = pirated license, etc.

My resellers have a license generator that I have given each of them.  The licenses generated by each reseller have a unique prefix, but  I won't know the entire license number in advance since part of it is randomly generated.  So I can't simply populate a DNS zone with a static list of type A records.   Basically I need a way to record NXDOMAIN responses for a given 12345-6789.mysite.com license originating from each unique source IP address and then print a summary report sorted by license number.

I have a good background in SQL and Win32 programming.  I already have SQL Server and Visual Studio 2008.  What I need is source code for a DNS server that compiles on Visual Studio 2008 and runs on Windows Server that I can hack.  The question is, where can I find such a thing?

I know about BIND, but it has a reputation for security problems (originally created circa 1980s) and is so big and crufty I'd rather not attempt it.  djbdns is lightweight but was abandoned in 2007 and is no longer actively maintained.  Is there anything else?  Open Source is not a problem since the result will be for internal use only.   Commercial products are also okay.
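As an added example (not code from this thread, nor from PowerDNS or any other server mentioned in it), here is a minimal Python sketch of the responder the question describes: it parses a raw DNS A query, records the license label together with the source address of the query, and answers with one of the status-coded loopback addresses, or NXDOMAIN for anything outside the zone. The class and function names, the in-memory `known` dictionary standing in for the SQL Server lookup, and the `127.0.0.3` value for a license that is not on file are assumptions; the question itself only specifies 127.0.0.1 and 127.0.0.2.

```python
import socket
import struct
from collections import defaultdict

ZONE = "mysite.com"
TYPE_A, CLASS_IN = 1, 1
# Pseudo-addresses from the question; the "unknown" value 127.0.0.3 is an assumption.
ADDR_FOR_STATUS = {"good": "127.0.0.1", "pirated": "127.0.0.2", "unknown": "127.0.0.3"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid, qname, qtype=TYPE_A):
    """Client-side helper: a standard recursion-desired query with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question); raise ValueError on malformed input."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(packet):
            raise ValueError("bad label")  # no compression pointers in a question name
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, pos + 4


def build_response(query, qend, txid, addr):
    """Echo the question; add one A record with TTL 0 (never cached) or answer NXDOMAIN if addr is None."""
    question = query[12:qend]
    if addr is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question  # QR|RD|RA, RCODE=3
    rdata = bytes(int(o) for o in addr.split("."))
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 0, 4) + rdata  # name = pointer to offset 12
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def parse_answer(resp):
    """Client-side helper: (rcode, first A address or None)."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0xF, (".".join(str(b) for b in resp[-4:]) if ancount else None)


class LicenseDNS:
    def __init__(self, known):
        self.known = known             # license -> "good"/"pirated"; stands in for the SQL lookup
        self.seen = defaultdict(set)   # license -> source IPs that queried it (the piracy evidence)

    def license_in(self, qname):
        """The label directly under the zone is taken as the license; labels left of it are ignored."""
        suffix = "." + ZONE
        if not qname.endswith(suffix):
            return None
        return qname[:-len(suffix)].split(".")[-1] or None

    def handle(self, packet, src_ip):
        try:
            txid, qname, qtype, qend = parse_query(packet)
        except ValueError:
            return None                # drop malformed packets silently
        lic = self.license_in(qname)
        if lic is None or qtype != TYPE_A:
            return build_response(packet, qend, txid, None)
        self.seen[lic].add(src_ip)
        return build_response(packet, qend, txid, ADDR_FOR_STATUS[self.known.get(lic, "unknown")])


def serve(server, host="127.0.0.1", port=5353):
    """Tiny UDP loop for manual testing, e.g. dig @127.0.0.1 -p 5353 12345-6789.mysite.com"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while True:
            data, peer = s.recvfrom(512)
            reply = server.handle(data, peer[0])
            if reply:
                s.sendto(reply, peer)


if __name__ == "__main__":
    serve(LicenseDNS({"12345-6789": "good"}))
```

The answer carries a TTL of 0 so that forwarding resolvers between the product and this server do not cache it, which is what makes every installation show up as its own query; note that the source address recorded is then the resolver's, not the end user's, which is one reason the count of distinct addresses per license is only a heuristic.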
Question by:Gideon7
10 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 24154116
OK, I am thinking along completely different lines here, but: I'd rather not look for a Win32 DNS server, but use a Linux-based flavor that has to be added a slick interface of your choice to that Windows machine in question (Easy: Using a Linux ODBC driver, slick, have a little server process sit on the SQL box and act as a 'proxy' of some sort).
Seems to be more scalable and customizable than any commercial product you'd find, and also there aren't many OSS competitors either. And, it adds a security bonus - by separating the DB from a machine that is 'closer' to be exposed to an attack (i.e. the DNS itself).
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24155645
>>>> It needs to track the originating IP  address of each query.  That way if I see a lot of hits for the same license code from many different IP addresses it will tell me that the license code has been pirated.

Some providers change the IP addresses assigned to their active client connections very frequently after short timeouts. So, you might get different IP addresses for one client if - for any reason - the client starts your prog multiple times. I don't think the IP address is a good indicator for that. Better take the MAC address which surely won't change multiple times within a short period (or may switch to new MAC addresses but hardly back to an old one).
 
LVL 12

Author Comment

by:Gideon7
ID: 24159048
DNS does not transmit MAC addresses.  It has to be DNS to cross firewalls.
I map the IP CIDR prefix by country using ARIN/RIPE/APNIC lookup. I look for different countries installing the same license hundreds of times.
 
LVL 86

Expert Comment

by:jkr
ID: 24159103
Furthermore, MAC addresses are OSI layer 2 and do not cross layer 3 boundaries, such as routers...
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24160859
I don't know whether it is possible to retrieve a specific error code from a failed DNS request. If not, you can't reliably find out why a request has failed. And I don't know whether it is wise to stop program execution if for example the user is off-line or has a busy connection to their provider or if your server was not available.

Another thing is that I wouldn't pass a license number unencrypted in a dns request as a target address. You should consider writing a normal web service which makes the license check based on a safe connection or at least using an encrypted input. Then, you could easily find out whether the service is not available or the license is wrong.


>>>> DNS does not transmit MAC addresses.  
Hmmm. If you could pass the license number from the client you surely could pass the MAC address as well ...
 
LVL 12

Author Comment

by:Gideon7
ID: 24161309
>>>> I don't know whether it is possible to retrieve a specific error code from a failed DNS request.
DNS responds with FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, or REFUSED.  See MSDN WinDNS.h.
>>>> I don't know whether it is wise to stop program execution if for example the user is off-line or has a busy connection to their provider or if your server was not available.
Only a positive response of 127.0.0.2 triggers license rejection.   Lack of response is silent.  The license number is hashed with a salt on each request so it  is never exposed, and a varying random prefix prevents manual blockage using the hosts file.
The Windows DNS Client service sends the packet from svchost.exe, not from my app, so Windows Firewall won't throw up a warning box if outgoing packets are blocked. It works through forwarding DNS servers and firewalls.  I've been using this system reliably for years and it works fine.
Currently I run Ethereal with a custom packet filter to catch the incoming DNS A queries.  Every few days I open Ethereal to scroll through the list of IP addresses to look for patterns that indicate piracy.  Currently I'm using just my eyeballs.  I would like to come up with a more automated system.
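The comment above describes scrolling through captured A queries in Ethereal by eye to spot the same license arriving from many places, and the question asks for a summary report sorted by license number. As an added example (not the author's code or anything from this thread), here is a Python report over a constructed query log: it groups queries by the license label under the zone, counts distinct source addresses, and flags licenses above a threshold. The `timestamp source_ip qname` line format, the threshold of three addresses, and the use of the /16 prefix as a crude locality bucket (the author's real system maps prefixes to countries with registry lookups, which needs external data) are all assumptions.

```python
import ipaddress
from collections import defaultdict

ZONE = "mysite.com"

# Constructed sample log, one recorded A query per line: "timestamp source_ip qname" (assumed format).
# Random prefixes left of the license label, as the author describes, are tolerated by the parser.
SAMPLE_LOG = """\
2009-04-15T08:01:02 198.51.100.7 12345-6789.mysite.com
2009-04-15T08:03:10 198.51.100.7 12345-6789.mysite.com
2009-04-15T09:12:44 203.0.113.9 9f3a1c.12345-0001.mysite.com
2009-04-15T09:13:01 203.0.113.10 1b77e0.12345-0001.mysite.com
2009-04-15T10:00:00 192.0.2.55 55ac02.12345-0001.mysite.com
2009-04-15T10:00:30 192.0.2.56 e0d1aa.12345-0001.mysite.com
2009-04-15T11:45:00 198.51.100.200 12345-0001.mysite.com
2009-04-15T12:00:00 198.51.100.201 www.example.org
garbage line that should be skipped
"""


def license_from_qname(qname, zone=ZONE):
    """The label directly under the zone is the license token; anything else is not a license query."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    return qname[:-len(suffix)].split(".")[-1] or None


def summarize(log_text, zone=ZONE, ip_threshold=3):
    """Aggregate per license: query count, distinct source IPs, distinct /16 buckets, suspect flag."""
    per = defaultdict(lambda: {"queries": 0, "ips": set(), "prefixes": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip lines that do not match the assumed format
        _ts, src, qname = parts
        lic = license_from_qname(qname.lower(), zone)
        if lic is None:
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue                      # unparsable address: skip rather than crash the report
        rec = per[lic]
        rec["queries"] += 1
        rec["ips"].add(str(ip))
        plen = 16 if ip.version == 4 else 32   # crude locality bucket; the real system maps prefix -> country
        rec["prefixes"].add(str(ipaddress.ip_network(f"{ip}/{plen}", strict=False)))
    rows = []
    for lic in sorted(per):               # sorted by license number, as the question asks
        rec = per[lic]
        rows.append({
            "license": lic,
            "queries": rec["queries"],
            "distinct_ips": len(rec["ips"]),
            "distinct_prefixes": len(rec["prefixes"]),
            "suspect": len(rec["ips"]) >= ip_threshold,
        })
    return rows


def format_report(rows):
    """Plain-text table for the periodic review the author currently does by hand."""
    lines = [f"{'license':<14}{'queries':>8}{'ips':>6}{'/16s':>6}  flag"]
    for r in rows:
        flag = "SUSPECT" if r["suspect"] else ""
        lines.append(f"{r['license']:<14}{r['queries']:>8}{r['distinct_ips']:>6}{r['distinct_prefixes']:>6}  {flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

With the log coming from the DNS server's database instead of a string, `summarize` is the query the author wants to run every few days; the threshold should be tuned against the number of distinct prefixes too, since one customer behind a provider that rotates addresses (the concern raised earlier in the thread) produces many IPs but few prefixes.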
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24163040
>>>> DNS responds with FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, or REFUSED.  
Does that help with the above request?

>>>> Only a positive response of 127.0.0.2 triggers license rejection.   Lack of response is silent.
Good. I wonder about your question if all works fine, though.

>>>> I would like to come up with a more automated system.
Ok. Let's summarize. You now have a system based on DNS resolution which protocols licence requests without taking immediate penalties when a licence piracy is probable. You easily could make a program which evaluates the current protocol and may give recommendation to quit a currently invoked instance of your prog with the hint that the license conditions were - at least - unclear. IMO, such a behavior would require a (phone or online) service where the client could complain about an unrightful lock and where you have the chance to overrule the automatics and grant the rights which were refused by the automatic online check. I don't know whether you have the resources to maintain such a service, but surely it would be helpful if the possibility of a wrong valuation could be minimized or even excluded. So you really should consider passing the task to a web service rather than misusing the DNS name service for a task it was not made for.
 
 
LVL 12

Author Comment

by:Gideon7
ID: 24163206
The system has worked fine for years, is invisible to users, and has never generated a single complaint nor a single false positive from a valid license holder.  HTTP methods are trivial to block.  Example:  "127.0.0.1 sls.microcoft.com" inserted into the hosts file blocks auto-activation of Vista.
Please stop posting on this thread unless you have information relevant to the question.
 
LVL 39

Expert Comment

by:itsmeandnobodyelse
ID: 24163632
>>>> Please stop posting on this thread unless you have information relevant to the question.
Fair enough. Forgive me trying to help.
 
LVL 12

Accepted Solution

by:
Gideon7 earned 0 total points
ID: 24266389
For a comparison of choices for available DNS solutions on Windows see http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
I selected PowerDNS and it is working nicely.