Technology FAQ


Q1: What is DNS?

A: The Domain Name System (DNS) translates a human-recognizable computer hostname into an IP address so that the machine at that IP address can be reached over the network.


Q2: What is WHOIS?

A: WHOIS is used to query information about a domain, such as the domain holder, contact details and expiry date.


Q3: What is DNS parking? When should I use DNS parking?

A: If a registrant does not have a hosting service for his/her domain, he/she can use HKDNR’s name servers (ns5.hkdnr.net.hk, ns6.hkdnr.net.hk) when registering the domain. However, this is not a hosting service for the domain’s web site – it will show HKDNR’s parking web page for the registered domain.


Q4: What is an IP address? How many types of IP address are there?

A: An IP address (Internet Protocol address) is a unique address that some electronic devices use to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP). In simpler terms, an IP address is a computer address.

There are mainly two types of IP address: IPv4 and IPv6. IPv4 (Internet Protocol version 4) is widely used in the Internet, and it uses 32 bits to represent an address. IPv6 (Internet Protocol version 6), the successor of IPv4, makes use of 128 bits to represent an address instead of 32 bits. IPv6 has enough room for 3.4×10^38 unique addresses.


Q5: What is CDN and punycode?

A: A CDN is a Chinese Domain Name, which contains one or more Chinese characters and may also contain one or more uppercase or lowercase English letters, numbers or hyphens. Punycode is a computer programming protocol by which a Unicode string of characters can be translated into the more-limited character set permitted in network host names.


Q6: What is a name server?

A: A name server is a program or computer server that maps a human-recognizable identifier (hostname) of a host to its computer-recognizable identifier (IP address).


Q7: What is a DNS zone file? What kinds of zone are used by .HK?

A: Zone files are the files that contain the list of all the hosts in your domain and their corresponding IP addresses. There are 13 types of zone file, which are .com.hk, .edu.hk, .org.hk, .idv.hk, .hk, .gov.hk, .net.hk, .公司.hk, .網絡.hk, .組織.hk, .教育.hk, .政府.hk, .個人.hk.


Q8: What is “DNS hosting”?

A: It is a service that runs Domain Name System servers.


Q9: What is a DNS record (NS, A, MX, etc.)?

A: A DNS record stores host-related information. Record types include NS, A, MX and SOA.

SOA – Start of Authority. This is the record stating that this server is authorized for the specified domain.

NS – Name server: Specifies the name server to be used to look up a domain.

MX – Mail Exchange: Specifies mail server(s) for the domain.

A – A Record: Used for linking a FQDN to an IP address.


Q10: What is DNS Cache poisoning?

A: DNS cache poisoning is an attack technique in which the attacker supplies non-authentic data to a vulnerable name server, causing it to cache the attacker’s forged DNS information, so that the name server’s clients contact incorrect and possibly malicious hosts for particular services.


Q11: Why is DNS Cache poisoning important?

A: Because the vulnerable name server holds incorrect entries for domain names, users will be directed to the attacker’s IP address unexpectedly. As a result, a user could unintentionally access an attacker-controlled website, which may contain a virus, or unknowingly download malicious content that can retrieve the user’s personal information for illegitimate purposes.


Q12: What did the security researcher Dan Kaminsky discover about DNS Cache poisoning?

A: He found that the current DNS protocol has deficiencies, concerning the randomness of the transaction ID and source port, which facilitate attacks.

Here are examples:

1) Insufficient transaction ID space
With the currently required 16-bit transaction ID, an attacker needs, on average, 32,768 attempts to predict the ID successfully. The smaller the ID length used by a flawed DNS implementation, the easier it is for the attacker to predict the ID.

2) Multiple outstanding requests
Some vulnerable DNS servers allow multiple identical outstanding queries for the same resource record (RR), which makes a ‘birthday attack’ feasible.

3) Fixed source port for generating queries
Some DNS servers allocate an arbitrary port at startup and reuse this source port for all outgoing queries.


Q13: How to check if the DNS server you use has the DNS Cache poisoning vulnerabilities discovered by Dan Kaminsky?

A: The following tools can be used to check for the DNS Cache poisoning vulnerability.

1) Web-based DNS Randomness Test by DNS-OARC
Purpose: Test whether the source ports and query IDs used by your DNS server are random enough.
Detail: Please refer to https://www.dns-oarc.net/oarc/services/dnsentropy

2) Check your resolver’s source port behavior by DNS-OARC
Purpose: Verify the DNS server by its IP address. Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net
Detail: Please refer to https://www.dns-oarc.net/oarc/services/porttest
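
A local version of this kind of randomness check, as an added example (not HKIRC's or DNS-OARC's code): it scores the source ports and transaction IDs a resolver used on its outgoing queries and flags the fixed-port and predictable-ID weaknesses listed under Q12. The observation lists are constructed, and the MIN_BITS pass mark and the spread estimate are assumptions of this example.

```python
import math
import statistics

MIN_BITS = 10.0  # assumed pass mark for this example, not DNS-OARC's scoring


def spread_bits(values):
    """Estimate bits of spread: a uniform range R has std dev R / sqrt(12)."""
    sd = statistics.pstdev(values)
    # Both fields are 16 bits wide, so the estimate is capped at 16.
    return 0.0 if sd == 0 else min(16.0, max(0.0, math.log2(sd * math.sqrt(12))))


def is_sequential(values):
    """True when each value is the previous one plus the same non-zero step."""
    steps = {(b - a) % 65536 for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(steps) == 1 and steps != {0}


def assess(observations):
    """observations: (source_port, txid) pairs from one resolver's outgoing queries."""
    findings = []
    bits = {}
    for name, column in (("source port", 0), ("transaction ID", 1)):
        values = [obs[column] for obs in observations]
        bits[name] = round(spread_bits(values), 1)
        if len(set(values)) == 1:
            findings.append(f"fixed {name}")
        elif is_sequential(values):
            findings.append(f"sequential {name}")
        elif bits[name] < MIN_BITS:
            findings.append(f"low {name} spread")
    return {"bits": bits, "total_bits": round(sum(bits.values()), 1), "findings": findings}


# Constructed samples, not captured traffic.
TXIDS = [0x1A2B, 0x9F03, 0x4410, 0xE7C2, 0x0B5D, 0x7A91]
FIXED_PORT = [(32768, t) for t in TXIDS]
SEQUENTIAL = [(1024 + i, 100 + i) for i in range(6)]
RANDOMISED = list(zip([49213, 1187, 60544, 23876, 37102, 8459], TXIDS))

if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT), ("sequential", SEQUENTIAL),
                          ("randomised", RANDOMISED)):
        print(label, assess(sample))
```

A resolver that reports a fixed source port leaves only the 16-bit transaction ID to guess, which is the case Q12 describes.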


Q14: How to prevent DNS Cache poisoning?

A: To mitigate the risk of DNS Cache poisoning, the following preventive measures can be taken.

1) Enforce the randomness of the source port and query ID via NAT operation, and filter out suspicious spoofed traffic at the network perimeter.

2) Disable recursive requests on the DNS server, or accept them only from white-listed subnets.

3) Explicitly disable glue fetching on the DNS server.

4) Check with the software vendor for the security patch and apply it to the DNS server.

5) If you are using a vulnerable DNS server which is not under your control, please contact its owner or administrator about the issue.

6) Introduce DNSSEC, a secure version of DNS which uses trusted digital certificates to determine the authenticity of data.


Q15: What is IPv6?

A: Similar to the use of telephone numbers on our fixed and mobile telecommunication networks, each computer on the Internet is assigned a unique number called the IP (Internet Protocol) address. The current addressing scheme in use for IP addresses is called IPv4 (IP address version 4). An IPv4 address is 32 bits long (consisting of four 8-bit numbers separated by dots). It is expected that the IPv4 addresses currently in use on every device connected to the Internet would eventually run out in 2011. A new addressing scheme called IPv6 (IP address version 6) has been developed. An IPv6 address is 128 bits long (consisting of eight 16-bit numbers separated by colons).

IPv6 has been available to Internet users for several years now, but its deployment poses some challenges. Because IPv6 has a different address format, IPv6 hosts can’t talk directly to the IPv4 hosts that make up most of the existing Internet.

For direct communication over IPv6, both parties must have deployed IPv6 across their networks, and so far only a relatively small number of networks have done this. However, there are schemes based on indirect communication methods which enable IPv6 and IPv4 networks to communicate with each other.


Q16: What are the differences between IPv4 and IPv6?

A: Typical IPv4 IP address:
192.168.1.2 – Four groups separated by (.). Each group consists of a number ranging from 1 to 256. In theory, IPv4 can address up to 4,294,967,296 devices.

Typical IPv6 IP address:
2001:0db8:85a3:0000:0000:8a2e:0370:7334 – IPv6 addresses are normally written as eight groups of four hexadecimal (0-9, a-f) digits, where each group is separated by a colon (:). IPv6 can address up to 3.403 × 10^38 unique addresses.

To shorten the writing and presentation of IPv6 addresses, several simplifications to the notation are permitted.

Any leading zeros in a group may be omitted; thus, the given example becomes
2001:db8:85a3:0:0:8a2e:370:7334

One or any number of consecutive groups of 0 value may be replaced with two colons (::):
2001:db8:85a3::8a2e:370:7334

This substitution with double-colon may be performed only once in an address, because multiple occurrences would lead to ambiguity. For example, the illegal address notation 2001::FFD3::57ab, could represent any of the following:
2001:0:0:0:0:FFD3:0:57ab
2001:0:0:0:FFD3:0:0:57ab
2001:0:0:FFD3:0:0:0:57ab
2001:0:FFD3:0:0:0:0:57ab

Using the double-colon reduction, the localhost (loopback) address, fully written as 0000:0000:0000:0000:0000:0000:0000:0001, may be reduced to ::1 and the undetermined IPv6 address (zero value), i.e., all bits are zero, is simply ::.
For example, the addresses below are all valid and equivalent:
2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0000:0000:0000::1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8:0:0::1428:57ab
2001:0db8::1428:57ab
2001:db8::1428:57ab

:: means 0:0:0 or 0:0:0:0 or 0:0:0:0:0 or 0:0:0:0:0:0 or 0:0:0:0:0:0:0 or 0:0:0:0:0:0:0:0 or 00:00:00 or 000:000:000 or 0000:0000:000 … etc.


Q17: What does IPv6 look like in the DNS?

A: When you look up an IPv4 address in the DNS using the dig command, the answer may look like:

C:\dig>dig @ns5.hkirc.net.hk hkirc.hk

; <<>> DiG 9.3.2 <<>> @ns5.hkirc.net.hk hkirc.hk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 490
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;hkirc.hk. IN A

;; ANSWER SECTION:
hkirc.hk. 300 IN A 203.119.2.85

;; AUTHORITY SECTION:
hkirc.hk. 300 IN NS ns5.hkirc.hk.
hkirc.hk. 300 IN NS ns6.hkirc.hk.
hkirc.hk. 300 IN NS ns7.hkirc.hk.

;; ADDITIONAL SECTION:
ns5.hkirc.hk. 300 IN A 203.119.2.22
ns6.hkirc.hk. 300 IN A 203.119.2.23
ns7.hkirc.hk. 300 IN A 203.169.156.100

;; Query time: 31 msec
;; SERVER: 203.119.2.22#53(203.119.2.22)
;; WHEN: Mon Oct 12 14:36:15 2009
;; MSG SIZE rcvd: 144

The IPv4 result for ns5.hkirc.hk is shown below:

ns5.hkirc.hk. 300 IN A 203.119.2.22

Notice the single “A” in the answer, which indicates it is an IPv4 address.

Do the same with a domain name which has an IPv6 address, like the one below:

C:\dig>dig @ns1.hkdnr.hk ns2.cuhk.edu.hk

; <<>> DiG 9.3.2 <<>> @ns1.hkdnr.hk ns2.cuhk.edu.hk
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 155
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;ns2.cuhk.edu.hk. IN A

;; AUTHORITY SECTION:
cuhk.edu.hk. 14400 IN NS NS3.cuhk.edu.hk.
cuhk.edu.hk. 14400 IN NS NS1.cuhk.edu.hk.
cuhk.edu.hk. 14400 IN NS ns2.cuhk.edu.hk.

;; ADDITIONAL SECTION:
ns2.cuhk.edu.hk. 14400 IN A 137.189.6.21
ns2.cuhk.edu.hk. 14400 IN AAAA 2405:3000:3:60::21
NS1.cuhk.edu.hk. 14400 IN A 137.189.6.1
NS3.cuhk.edu.hk. 14400 IN A 202.45.188.39

;; Query time: 15 msec
;; SERVER: 203.119.2.18#53(203.119.2.18)
;; WHEN: Mon Oct 12 14:35:05 2009
;; MSG SIZE rcvd: 159

Notice the answer for ns2.cuhk.edu.hk:

ns2.cuhk.edu.hk. 14400 IN AAAA 2405:3000:3:60::21

The “AAAA” in the result means that this is an IPv6 address.


Q18: What service is HKIRC offering for IPv6?

A: HKIRC has added the capability to register domain names with IPv6 addresses as name servers. This means that, using the existing IPv4 network, the HKIRC DNS server can now cater for both IPv4 and IPv6 addresses. Clients do not need to have an IPv6 network to enjoy this service.


Q19: What are the changes to the existing HKIRC panels for IPv6?

A: There is no difference in the appearance of the new HKIRC IPv6-compatible panels. The only changes are to the IP entry fields and display in the panels, which now support IPv6 notation as well as the new address length for IPv6.

Examples for these are as follows:

1. Add DN Host (Panel: Registrant, Reseller, Registry, Registrar and API)

2. Modify DN Host (Panel: Registrant, Reseller, Registry, Registrar and API)

3. Modify DNS (MNS) (Panel: Registrant, Reseller, Registry, Registrar and API)

4. Query DN Host (Panel: Reseller, Registry, Registrar and API)

5. Whois search from hostname (Panel: www, Registry and Registrar)

Additional checks have also been added to validate the IPv6 format in all entry fields. These are:

Valid                                    Invalid              Reason for invalid
0000:0000:0000:0000:0000:0000:0000:0000  0:0                  wrong length
0000:0000:0000:0000:0000:0000:0000:0001  1::1::1              2 compression
0:0:0:0:0:0:0:1                          Abcr::avdc           Wrong format
0:0:0:0:0:0:0:0001                       123:123              Wrong format
0:0:0:0:0000:0:0:0001                    1231:asda.123.123    Wrong format
0::1                                     1232:1232:1232:1232  Wrong format
0:0::1                                   234234344            Wrong format
::1
1::0
1::0:0
1:0::0
1::0000
1::
ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
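
One way to implement the format check tabulated above and the notation rules from Q16, as an added example (this is not HKIRC's validation code): check_ipv6 expands an address to its full eight-group form or returns a reason for rejecting it. The function name and reason strings are this example's own, so a row such as 123:123 is reported here as "wrong length" where the table says "Wrong format".

```python
import re

HEXTET = re.compile(r"[0-9A-Fa-f]{1,4}")


def check_ipv6(text):
    """Return (True, fully expanded address) or (False, reason)."""
    if ":::" in text:
        return False, "wrong format"
    if text.count("::") > 1:
        return False, "more than one ::"
    if "::" in text:
        left, right = text.split("::")
        head = left.split(":") if left else []
        tail = right.split(":") if right else []
    else:
        head, tail = text.split(":"), None
    groups = head + (tail or [])
    # Dotted-quad suffixes (IPv4-embedded forms) are deliberately not accepted here.
    if not all(HEXTET.fullmatch(g) for g in groups):
        return False, "wrong format"
    if tail is None:
        if len(groups) != 8:
            return False, "wrong length"
    else:
        if len(groups) > 7:  # :: has to stand for at least one zero group
            return False, "wrong length"
        groups = head + ["0"] * (8 - len(groups)) + tail
    return True, ":".join(g.lower().zfill(4) for g in groups)


# Rows of the valid / invalid table above, plus the six equivalent forms from Q16.
PAGE_VALID = [
    "0000:0000:0000:0000:0000:0000:0000:0000", "0000:0000:0000:0000:0000:0000:0000:0001",
    "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:0:0001", "0:0:0:0:0000:0:0:0001", "0::1", "0:0::1",
    "::1", "1::0", "1::0:0", "1:0::0", "1::0000", "1::",
    "ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
]
PAGE_INVALID = ["0:0", "1::1::1", "Abcr::avdc", "123:123", "1231:asda.123.123",
                "1232:1232:1232:1232", "234234344"]
EQUIVALENT = ["2001:0db8:0000:0000:0000:0000:1428:57ab", "2001:0db8:0000:0000:0000::1428:57ab",
              "2001:0db8:0:0:0:0:1428:57ab", "2001:0db8:0:0::1428:57ab",
              "2001:0db8::1428:57ab", "2001:db8::1428:57ab"]

if __name__ == "__main__":
    for address in PAGE_VALID + PAGE_INVALID + EQUIVALENT:
        print(f"{address:42} {check_ipv6(address)}")
```

Comparing the expanded forms rather than the typed strings is what lets two differently written addresses be recognised as the same host entry.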


Q20: What is QR Code?

A: QR Code (Quick Response Code) is a type of two-dimensional code (or matrix bar code). It can store a reasonably large amount of information within a small square-shaped symbol. Smartphone users who have a QR code reader on their phone can scan the code and decode the information provided.


Q21: How can I make use of the QR Code for my business?

A: You can easily generate the QR Code of your website ending with .hk. Some web browsers in the market (e.g., Microsoft Edge, Google Chrome) can create the QR code for your .hk website URL. You can then download the code as an image and put it on your promotional materials, or even your business cards. Your customers will be taken directly to your website or email address upon a scan of the code.

If you have further enquiries, please contact us at +852 23191313 or by email to enquiry@hkirc.hk. Thank you.