How to combine DNS server with a database

I have a commercial product whose licensing I want to track using DNS.  To verify the license upon installation the product sends a DNS query for the license number, e.g., 12345-6789.mysite.com.

I want to implement a DNS server for mysite.com that receives these DNS queries and records them in a database.  It needs to track the originating IP address of each query.  That way if I see a lot of hits for the same license code from many different IP addresses it will tell me that the license code has been pirated.

The DNS server will query the database and respond with different pseudo-addresses depending on the license status.  For example, 127.0.0.1 = good license, 127.0.0.2 = pirated license, etc.

My resellers have a license generator that I have given each of them.  The licenses generated by each reseller have a unique prefix, but I won't know the entire license number in advance since part of it is randomly generated.  So I can't simply populate a DNS zone with a static list of type A records.  Basically I need a way to record NXDOMAIN responses for a given 12345-6789.mysite.com license originating from each unique source IP address and then print a summary report sorted by license number.

I have a good background in SQL and Win32 programming.  I already have SQL Server and Visual Studio 2008.  What I need is source code for a DNS server that compiles on Visual Studio 2008 and runs on Windows Server that I can hack.  The question is, where can I find such a thing?

I know about BIND, but it has a reputation for security problems (originally created circa 1980s) and is so big and crufty I'd rather not attempt it.  djbdns is lightweight but was abandoned in 2007 and is no longer actively maintained.  Is there anything else?  Open Source is not a problem since the result will be for internal use only.  Commercial products are also okay.
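An added example that is not part of this thread: a minimal Python UDP responder for the design described in the question. It parses the incoming A query for <license>.mysite.com, records the license code together with the source IP, answers 127.0.0.1 or 127.0.0.2 depending on how many distinct IPs have presented that license, and produces the per-license report. SQLite stands in for the asker's SQL Server, and the three-distinct-IP threshold and the hits table layout are assumptions made for the example.

```python
import socket
import sqlite3
import struct

PIRACY_THRESHOLD = 3   # assumed policy: flag a license once seen from this many distinct source IPs
GOOD, PIRATED = "127.0.0.1", "127.0.0.2"   # pseudo-addresses from the question

def open_db(path=":memory:"):
    db = sqlite3.connect(path)   # SQLite stands in for the SQL Server the asker has
    db.execute("CREATE TABLE IF NOT EXISTS hits (license TEXT, ip TEXT, ts DEFAULT CURRENT_TIMESTAMP)")
    return db

def parse_question(packet):
    """Return (transaction id, queried name, offset just past the question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, pos = [], 12                 # the question follows the 12-byte header
    while packet[pos]:                   # a zero-length label terminates the name
        labels.append(packet[pos + 1:pos + 1 + packet[pos]].decode("ascii"))
        pos += 1 + packet[pos]
    return txid, ".".join(labels), pos + 5   # skip the root label, QTYPE and QCLASS

def record_and_decide(db, name, source_ip):
    """Log (license, source ip) and return the pseudo-address to answer with."""
    license_code = name.split(".")[0]    # 12345-6789 from 12345-6789.mysite.com
    db.execute("INSERT INTO hits (license, ip) VALUES (?, ?)", (license_code, source_ip))
    db.commit()
    (distinct,) = db.execute("SELECT COUNT(DISTINCT ip) FROM hits WHERE license = ?",
                             (license_code,)).fetchone()
    return PIRATED if distinct >= PIRACY_THRESHOLD else GOOD

def build_response(query, answer_ip):
    """Echo the question and append one A record; TTL 0 so forwarders do not cache the verdict."""
    txid, _, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, one answer RR
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 0, 4) + socket.inet_aton(answer_ip)   # ptr to name, A, IN, TTL, len
    return header + query[12:qend] + rr

def make_query(txid, name):   # constructed A/IN query packet, used here instead of a real client
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def summary(db):   # the requested report: distinct source IPs per license, sorted by license number
    return db.execute("SELECT license, COUNT(DISTINCT ip) FROM hits GROUP BY license ORDER BY license").fetchall()

def serve(db, port=53):   # UDP loop: log every query against its source IP, then answer with the verdict
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        packet, peer = sock.recvfrom(512)
        sock.sendto(build_response(packet, record_and_decide(db, parse_question(packet)[1], peer[0])), peer)
```

Run serve(open_db("hits.db")) on the host that is authoritative for mysite.com; the zero TTL matters because the source IP the server sees is that of the forwarding resolver, and a cached answer would hide repeat installations behind it.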
Gideon7Author Commented:
For a comparison of choices for available DNS solutions on Windows see http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
I selected PowerDNS and it is working nicely.
jkrCommented:
OK, I am thinking along completely different lines here, but: I'd rather not look for a Win32 DNS server, but use a Linux-based flavor that has to be added a slick interface of your choice to that Windows machine in question (Easy: Using a Linux ODBC driver, slick, have a little server process sit on the SQL box and act as a 'proxy' of some sort).
Seems to be more scalable and customizable than any commercial product you'd find, and also there aren't many OSS competitors either. And, it adds a security bonus - by separating the DB from a machine that is 'closer' to being exposed to an attack (i.e. the DNS itself).
itsmeandnobodyelseCommented:
>>>> It needs to track the originating IP address of each query.  That way if I see a lot of hits for the same license code from many different IP addresses it will tell me that the license code has been pirated.

Some providers change the IP addresses assigned to their active client connections very frequently after short timeouts. So, you might get different IP addresses for one client if - for any reason - the client starts your prog multiple times. I don't think the IP address is a good indicator for that. Better take the MAC address which surely won't change multiple times within a short period (or may switch to new MAC addresses but hardly back to an old one).
Gideon7Author Commented:
DNS does not transmit MAC addresses.  It has to be DNS to cross firewalls.
I map the IP CIDR prefix by country using ARIN/RIPE/APNIC lookup. I look for different countries installing the same license hundreds of times.
jkrCommented:
Furthermore, MAC addresses are OSI layer 2 and do not cross layer 3 boundaries, such as routers...
itsmeandnobodyelseCommented:
I don't know whether it is possible to retrieve a specific error code from a failed DNS request. If not, you can't reliably find out why a request has failed. And I don't know whether it is wise to stop program execution if for example the user is off-line or has a busy connection to their provider or if your server was not available.

Another thing is that I wouldn't pass a license number unencrypted in a dns request as a target address. You should consider writing a normal web service which makes the license check based on a safe connection or at least using an encrypted input. Then, you could easily find out whether the service is not available or the license is wrong.


>>>> DNS does not transmit MAC addresses.  
Hmmm. If you could pass the license number from the client you surely could pass the MAC address as well ...
Gideon7Author Commented:
>>>> I don't know whether it is possible to retrieve a specific error code from a failed DNS request.
DNS responds with FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, or REFUSED.  See MSDN WinDNS.h.
>>>> I don't know whether it is wise to stop program execution if for example the user is off-line or has a busy connection to their provider or if your server was not available.
Only a positive response of 127.0.0.2 triggers license rejection.  Lack of response is silent.  The license number is hashed with a salt on each request so it is never exposed, and a varying random prefix prevents manual blockage using the hosts file.
The Windows DNS Client service sends the packet from svchost.exe, not from my app, so Windows Firewall won't throw up a warning box if outgoing packets are blocked. It works through forwarding DNS servers and firewalls.  I've been using this system reliably for years and it works fine.
Currently I run Ethereal with a custom packet filter to catch the incoming DNS A queries.  Every few days I open Ethereal to scroll through the list of IP addresses to look for patterns that indicate piracy.  Currently I'm using just my eyeballs.  I would like to come up with a more automated system.
itsmeandnobodyelseCommented:
>>>> DNS responds with FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, or REFUSED.  
Does that help with the above request?

>>>> Only a positive response of 127.0.0.2 triggers license rejection.   Lack of response is silent.
Good. I wonder about your question if all works fine, though.

>>>> I would like to come up with a more automated system.
Ok. Let's summarize. You now have a system based on DNS resolution which protocols licence requests without taking immediate penalties when a licence piracy is probable. You easily could make a program which evaluates the current protocol and may give a recommendation to quit a currently invoked instance of your prog with the hint that the license conditions were - at least - unclear. IMO, such a behavior would require a (phone or online) service where the client could complain about an unrightful lock and where you have the chance to overrule the automatics and grant the rights which were refused by the automatic online check. I don't know whether you have the resources to maintain such a service, but surely it would be helpful if the possibility of a wrong valuation could be minimized or even excluded. So you really should consider passing the task to a web service rather than misusing the DNS name service for a task it was not made for.
Gideon7Author Commented:
The system has worked fine for years, is invisible to users, and has never generated a single complaint nor a single false positive from a valid license holder.  HTTP methods are trivial to block.  Example:  "127.0.0.1 sls.microcoft.com" inserted into the hosts file blocks auto-activation of Vista.
Please stop posting on this thread unless you have information relevant to the question.
itsmeandnobodyelseCommented:
>>>> Please stop posting on this thread unless you have information relevant to the question.
Fair enough. Forgive me for trying to help.