<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AnotherWindowsBlog</title>
	<atom:link href="http://www.anotherwindowsblog.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.anotherwindowsblog.com</link>
	<description>Computer Security for Beginners</description>
	<lastBuildDate>Mon, 13 May 2013 02:08:20 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Bypass ISP Video Throttling with a VPN</title>
		<link>http://www.anotherwindowsblog.com/2013/05/bypass-isp-video-throttling-with-a-vpn.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/05/bypass-isp-video-throttling-with-a-vpn.html#comments</comments>
		<pubDate>Mon, 13 May 2013 02:06:29 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[What Grinds My Gears]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9634</guid>
		<description><![CDATA[You know what grinds my gears? ISP throttling. That&#8217;s what. Ever wonder why it is that your Youtube videos lag and buffer every few seconds in 720p or 1080p mode even though you know with an absolute certainty that your bandwidth is not the problem? OK, so that issue might not happen 24/7 but did [...]]]></description>
				<content:encoded><![CDATA[<p>You know what grinds my gears? ISP throttling. That&#8217;s what. Ever wonder why it is that your Youtube videos lag and buffer every few seconds in 720p or 1080p mode even though you know with an absolute certainty that your bandwidth is not the problem? OK, so that issue might not happen 24/7 but did you ever wonder why it only happened during certain times of the day? My friends, welcome to ISP throttling. This is the act of your internet service provider (ISP) purposefully slowing down customers&#8217; bandwidth to certain services. Why would they do this, you ask? There&#8217;s actually a range of reasons, but one of the most common ones is the amount of bandwidth they have to push out. When you visit sites such as Facebook or Amazon, these &#8220;services&#8221; don&#8217;t really generate a lot of bandwidth per customer. Most of the bandwidth required is for loading images. These your ISP can handle with ease. It&#8217;s services such as streaming video that are often the cause of ISP throttling. I&#8217;m sure you&#8217;ve noticed that on Youtube, you can watch videos in a low resolution such as 360p perfectly fine. This is because the bandwidth required to stream that video is usually low. You&#8217;ll notice hardly any buffers or &#8220;pauses&#8221;. However, we are in a digital age now where watching videos in such a low resolution is not quite the norm. To watch videos in their HD glory, we need to crank up the resolution to at least 720p. For a true HD experience, we crank it all the way up to 1080p. This, however, is where the problem starts for many of us.</p>
<p><img class="alignright" alt="" src="https://dl.dropboxusercontent.com/u/16029746/251-300/296%20Throttle.png" width="237" height="300" />I live in Hawaii and have been a customer of Time Warner&#8217;s Oceanic Cable for over 10+ years now. I rely on them to provide high speed Internet, or at least as high speed as it can get here on the islands. Just recently however, I&#8217;ve noticed that live video streams on <a href="http://www.twitch.tv/" target="_blank" rel="nofollow">Twitch.tv</a> have been severely crippled. Twitch.tv is one of the largest video game streaming communities on the Internet. I rarely play video games anymore but for some reason, I still like to watch others play the latest games and especially when there are tournaments going on. I&#8217;ve never, ever had a problem with Twitch until just about a month ago. I&#8217;ve always been able to stream their videos at high definition without any hiccups. A simple search though showed that I am not alone. In fact, other Time Warner Cable customers have shown similar slowdowns when streaming in HD on Twitch. The problem got so bad that streaming anything other than 360p would give me a consistent &#8220;pause and resume&#8221; effect every 3-4 seconds. The network cannot keep up with the actual demands of the video stream and that is why there are pauses. In other words, the video is playing at a faster rate than what my bandwidth can handle. Many users who&#8217;ve experienced this are smart enough sometimes to just pause the video, let the buffer fill up and then resume. This is what many Youtube users have to deal with on a regular basis, especially when wanting to watch in 720p or higher. However, this &#8220;pause video&#8221; solution is not applicable to live video streams!</p>
<p>Below is a video in which I captured my experience when trying to watch a HD stream on Twitch during hours where my ISP throttled my connection to the site (I can only assume this is the case):</p>
<p><iframe src="http://www.youtube.com/embed/LXaacg_mXDM?wmode=transparent" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></p>
<p>Below here is a video I captured moments after capturing the above video. This time however, I am connected to my VPN provider:</p>
<p><iframe src="http://www.youtube.com/embed/Fc9OmLOQWvU?wmode=transparent" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></p>
<p>As you can easily see, watching Twitch streams in HD during busy hours resulted in a less than stellar experience. For live streams such as these, it is completely unacceptable to have the video pause every few seconds.</p>
<span class="sb_information">You know what&#8217;s so damn funny? The slowdowns on Twitch.tv only happen when I&#8217;m streaming on my PC. If I use the Twitch Android app to wirelessly stream the videos (using my home Internet connection, not data), I can watch the streams in HD perfectly fine without experiencing any buffers! Streaming to the same channel at the same HD resolution on my PC immediately gives me problems. I&#8217;m using the same DNS servers on both devices and so the only conclusion I can come up with is that data is being routed differently when on the Twitch Android app than when on a PC. Because they are routed differently, my ISP probably isn&#8217;t throttling traffic to those destinations. I really have no other idea on why this would happen. Users using the Twitch iPad app also claim that the same happens to them.</span>
<span class="sb_error">I cannot guarantee that a VPN will solve all your throttling issues, if that is indeed happening in the background, as your ISP knows exactly what VPNs are and what they do. VPNs have been around for ages and are nothing new. Therefore, this is not some dark secret shared between us!</span>
<h2>What Can We Do About This?</h2>
<p>If you&#8217;re tired of having to continually pay a monthly premium for &#8220;high speed&#8221; Internet and yet still suffer from ISP throttling for video streaming services such as Twitch and Youtube, the best solution is to opt for some type of third party virtual private network (VPN). This is one of the simplest solutions I see. A VPN simply allows you to encrypt and more importantly hide your Internet traffic so that your ISP and pretty much anyone else on the Internet are blocked from viewing its contents. When you establish a VPN connection to your VPN provider, you are basically establishing a virtual &#8220;tunnel&#8221; between your computer and that VPN server. Anyone and everyone else in between will not be able to see what you are doing inside that tunnel because it is encrypted. You are essentially then routing your data from your network to the VPN and then from them back on to the Internet. Therefore, your ISP has no way of even knowing that you are visiting Youtube or Twitch.tv. If they don&#8217;t have that information, they can&#8217;t possibly throttle your connection, can they? The diagram below should give you a much clearer picture of how a VPN works:</p>
<p style="text-align: center;"><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/296%20VPNdiagram.png" ><img class="aligncenter" title="VPN Diagram" alt="VPN Diagram" src="https://dl.dropboxusercontent.com/u/16029746/251-300/296%20VPNdiagram.png" width="499" height="225" /></a></p>
<p>Employing a VPN to battle ISP throttling is a pretty drastic solution but there are numerous other advantages to using a VPN. In fact, in this day and age where safeguarding our digital identity is just as important as safeguarding our real-life identity, using a VPN is a good security measure to keep hackers and eavesdroppers from snooping on our data. However, VPNs have much more value, such as:</p>
<ul>
<li><span style="color: #008000;"><strong>Providing Public Security</strong></span> &#8211; If you frequently use public hotspots in places such as Starbucks or McDonald&#8217;s to get free Internet access, then you should be aware that users who are connected to the same hotspot as you can easily snoop your data! That friendly looking gentleman sitting across from you eating his Big Mac is actually capturing traffic for later analysis from other users who are accessing the Internet via that free hotspot! With a VPN, you eliminate this scenario because once you establish a connection to your VPN provider, all of your traffic is routed inside that encrypted tunnel. While that gentleman is still able to capture your traffic, he/she will have a much more difficult time making sense of that data.</li>
<li><span style="color: #008000;"><strong>Remaining Anonymous</strong></span> &#8211; If you wish to conduct some Internet business where anonymity is required, then a VPN is just the thing for you. When you connect to a VPN, websites you visit actually see the IP address of the VPN server instead of your own IP address.</li>
<li><span style="color: #008000;"><strong>Accessing Restricted Content</strong></span> &#8211; If you want to access a service where it requires you to be in a certain geographical location, VPN can come to the rescue. For example, if a user located within the United States wants to watch videos on the BBC website, they are blocked from doing so because BBC strictly only allows users connecting from within the United Kingdom to view those videos. If your VPN provider actually has a server located within the UK, you actually can bypass that restriction and watch those videos even if you are not physically residing in the UK.</li>
<li><span style="color: #008000;"><strong>Bypassing Download Limitations</strong> </span>- Many online download sites place a limitation on how many downloads are provided to free users. For example, it may limit you to a single download per hour. With a VPN, you may be able to access another &#8220;download slot&#8221; because you are essentially connecting via a different computer.</li>
<li><span style="color: #008000;"><strong>Bypassing Censorship and Restrictions</strong></span> &#8211; Last but not least, VPN allows you to bypass governmental censorship and ISP monitoring. If your country disallows visiting certain social websites, a VPN might be just the thing to bypass this restriction. If you are afraid that your government is monitoring your connection and online activities, a secure VPN tunnel actually helps prevent that monitoring to a certain degree.</li>
</ul>
<h2>So What&#8217;s Not to Like About a VPN?</h2>
<p>A VPN does sound very interesting so what are some side effects?</p>
<h3><span style="color: #ff0000;">Yet Another Monthly Fee</span></h3>
<p>As with all things, accessing some sort of secured and reliable VPN server is not free. In almost all cases, you&#8217;ll have to pay either a fee every month or an annual fee at a discount. Depending on the extras, additional charges may apply. Keep this in mind as this is yet another fee on top of what you pay every month to your ISP. If you don&#8217;t require the extra security or other benefits of a VPN and only want to stream your videos in HD, a VPN service may be hard to justify as you already know that you have the bandwidth available. It&#8217;s just that your ISP wants to play a dirty game and you as a customer have to find ways around it.</p>
<h3><span style="color: #ff0000;">Your ISP is Still Very Smart</span></h3>
<p>A VPN is not a silver bullet. While using a VPN does indeed hide traffic from your ISP, that encrypted traffic still has to pass through your ISP! Your ISP is what allows you to connect to the actual Internet, not your VPN provider. Therefore in a VPN scenario, your ISP is like a middleman which helps you connect to your VPN provider. In this case however, the &#8220;middleman&#8221; cannot see what is going on between the two parties but serves as just a &#8220;bridge&#8221; for the two parties to communicate with each other. While your data is protected, that &#8220;data&#8221; still has to move through the ISP. Downloading a 10GB file while you are connected to a VPN server still means that your ISP has to &#8220;move&#8221; 10GB of data for you. Some users like to purchase anonymous VPN services to download torrents. This is fine if your ISP throttles torrent traffic but if you suddenly have a huge spike in bandwidth generated each day, it will definitely raise a red flag and might even cause further investigations. Also, just because your ISP can&#8217;t throttle services such as Youtube anymore due to a VPN, they can still throttle your bandwidth overall. The keyword here is overall. This includes the encrypted traffic to and from your VPN server.  However, I&#8217;m sure you&#8217;d have to generate a massive amount of traffic for this to happen.</p>
<h3><span style="color: #ff0000;">Not All VPN Providers are the Same</span></h3>
<p>If you are seriously considering deploying a VPN for security reasons, then you must put extra effort into researching your VPN provider. There are obviously a lot to choose from but you really have to be careful and not just look at the pricing. For example, if you are serious about security and privacy, you should spend some time going over their terms of service, especially the part on data retention and collection. While a VPN allows you to remain anonymous on the Internet, your VPN provider is still required to collect some sort of data about you such as the time and date you&#8217;ve logged on and such. Each VPN provider differs in this area and so you must do your own research. Most reputable VPN providers usually state that they will not hesitate to provide information about you to law enforcement should you conduct illegal activities while connected to their servers such as acts of terrorism, child pornography, hacking into other systems, etc. If however you wish to just use their service to bypass ISP throttling restrictions, then obviously you don&#8217;t need to pay too much attention where security and privacy are concerned.</p>
<h3><span style="color: #ff0000;">Your Government is Still Very Smart</span></h3>
<p>If you live in a country where the government controls everything, you must use a VPN service at your own risk to bypass limitations and restrictions imposed by your ISP. In some countries, I&#8217;m sure the ISP is just another part of the government and so if you break the rules of the ISP, you are in effect breaking the laws of the government itself. As mentioned earlier, just because you are able to &#8220;hide&#8221; your traffic from prying eyes does not hide the fact that you are trying to hide something in the first place! Basically, using a VPN in this situation causes suspicions and it&#8217;s up to you whether or not the risks are worth it.</p>
<h2>In the End&#8230;</h2>
<p>Traffic throttling/shaping or whatever else you want to call it is a constant headache for many users. While there are legitimate reasons for why an ISP would want to throttle traffic to certain services, it all boils down to what will happen in the future. We rely much on our Internet services today and so can you imagine the landscape years from now? What happens when our ISP decides to throttle our services to Youtube or Netflix but tells the customers hey, for an extra $9.99 per month, we&#8217;ll make sure you&#8217;ll get the best user experience possible?! Users who don&#8217;t pay that &#8220;extra fee&#8221; will definitely have their traffic throttled while users who do pay are the only ones allowed to stream in HD? This is sort of what net neutrality is about and I highly urge you to read up on it if you&#8217;re interested.</p>
<p>Personally though, this issue with Twitch just recently popped up. For the most part, my experience with Time Warner Cable has been pretty spectacular ever since I&#8217;ve been with them. Outages are infrequent and speeds are not bad for what we get on the islands. The sad news is even if I wanted to change ISP, there&#8217;s hardly any choices in Hawaii. For now, a VPN service is all that is needed to bypass their throttling restrictions on Youtube and Twitch. Also, there are times where the throttling happens at the service level and not ISP level. Google themselves actually do pose limitations and restrictions on bandwidth. So as you can see, a VPN is not the end all of solutions. The very good news is that for many VPN services, you can try them out for a couple of days to see if it helps with your situation or not. If not, simply cancel your account and try another.</p>
<span class="sb_information">At the moment, I am personally using a VPN service provided by SunVPN. Their service and speed is pretty awesome. They were generous enough to provide me a free full year of service in exchange for doing a review, <a href="http://www.anotherwindowsblog.com/2012/08/introducing-sunvpn.html" target="_blank">which I wrote here in this article</a>. Their price is around the norm of $9.99 per month and they have an awesome 30-day trial period. <a href="http://strongvpn.com/packages.shtml" target="_blank" rel="nofollow">Another popular service provider is from StrongVPN</a>. Their basic package is just $7 per month with an offer to purchase a full year of service for just $55.</span>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/05/bypass-isp-video-throttling-with-a-vpn.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Configuring Remote Access for NAS4Free</title>
		<link>http://www.anotherwindowsblog.com/2013/04/configuring-remote-access-for-nas4free.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/04/configuring-remote-access-for-nas4free.html#comments</comments>
		<pubDate>Wed, 01 May 2013 09:42:36 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9615</guid>
		<description><![CDATA[Due to the immense popularity of my blog article on how to configure a NAS4Free server on a Windows network, I decided to do a simple follow up on how to configure that same server for access over the Internet. Well actually, a comment made by user Austin prompted me to write this article. He [...]]]></description>
				<content:encoded><![CDATA[<p>Due to the immense popularity of my blog article on how to configure a NAS4Free server on a Windows network, I decided to do a simple follow-up on how to configure that same server for access over the Internet. Well actually, a comment made by user Austin prompted me to write this article. He was thrilled about my original article and wondered how he could achieve external access for his NAS4Free box as well. Because your NAS4Free server technically should be powered on 24/7 anyways, many users might want to be able to access it over the Internet at any time and any place just so long as they have an internet connection. Luckily, configuring it for such access is relatively simple for the most part. I am actually quite surprised at the amount of hits my original article is receiving on a daily basis because I didn&#8217;t actually think that that many people out there are interested in NAS4Free! When I first wrote the article, it was just something I wanted to do for fun since I went through a lot of pain getting it set up for an actual friend. I wanted to spare others from experiencing the same hassle and so I documented the process. I really hope that users looking for a way to &#8220;Internet enable&#8221; their NAS4Free server will also find this article useful!</p>
<p>For the most part, there are two different methods by which most home users can remote in to their NAS4Free server at home. Everything depends on how your Internet service provider assigns you your public IP address. Let&#8217;s go over the first and easiest method.</p>
<span class="sb_information">Here in this article, I am assuming that <a href="http://www.anotherwindowsblog.com/2012/10/installing-and-configuring-nas4free-on-a-windows-network.html" target="_blank">you already have a NAS4Free server up and running following my tutorial</a>. Also, this tutorial does not go into extreme details on how to securely configure the remote access. Using SSH is a lot more secure than regular FTP but that&#8217;s about it as far as configuration goes here.</span>
<h2>Port Forwarding</h2>
<p>For most environments, especially in a simple home network, a user gains access to some server behind their router/firewall by configuring port forwarding. Think of a &#8220;port&#8221; as a doorway into your network. For many services, they will have different port numbers assigned to them. I actually have written an article way back then explaining a bit about ports. Please go over the article if you want to understand a bit more on just what it is.</p>
<span class="sb_information">You can <a href="http://www.anotherwindowsblog.com/2009/08/scan-network-ports-for-vulnerability.html" target="_blank">read the article &#8220;Scan Your Network Ports for Vulnerability&#8221; here</a>.</span>
<p>Suffice it to say, we need to enable port 22 in our home router and point it to the internal IP address of our NAS4Free server. And&#8230;.that&#8217;s it. It really is that simple!</p>
<p>You can see below how I have logged into the web management interface of my home Linksys router. I head over to the Applications and Gaming tab and select the &#8220;Port Range Forward&#8221; section. I simply make a new entry for my NAS4Free server and that is all there is to it.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Portforward.png" ><img class="alignnone" title="Port Forward" alt="Port Forward" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Portforward.png" width="366" height="343" /></a></p>
<p>Now comes the access part. If you followed my original article, then you should already be familiar with the WinSCP utility. It was this utility that we used to configure permissions on the folders for our users. We are going to be once again using this utility to remotely access our NAS4Free server. WinSCP allows us to remotely upload and download files to and from our server. Of course, the hard part is getting our computer to actually see that server when we are not within the local area network. With our port forwarding configuration in place, this shouldn&#8217;t be a problem any more.</p>
<p>The first thing we need to do is find out our current public IP address. Our public IP address IS NOT the internal IP address of our computer. This is the IP address that your ISP has assigned to you that actually allows you to connect to the Internet. To find this address, simply head over to <a href="http://www.whatismyip.com/" target="_blank" rel="nofollow">www.whatismyip.com</a>. This website will let you know what your current public IP address is. Write it down because we need it to access our server when we are away from our home network.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20PublicIP.png" ><img class="alignnone" title="Public IP" alt="Public IP" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20PublicIP.png" width="504" height="248" /></a></p>
<p>Once we have this information, we now have everything needed to remotely access our NAS4Free server. First, fire up WinSCP. Leave the File Protocol to &#8216;SFTP&#8217;. In the host name field, type in your public IP address.  DO NOT type in the actual internal IP address of the NAS4Free server! The port number shall remain at 22 unless you have changed it. The user name should be &#8220;root&#8221; and the password is whatever password you&#8217;ve set. On a default NAS4Free server, the default password is &#8220;nas4free&#8221;.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20WinSCP.png" ><img class="alignnone" title="WinSCP Connect" alt="WinSCP Connect" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20WinSCP.png" width="363" height="323" /></a></p>
<p>Once connected, you can see that I can easily access my mount point and browse through my server as usual. With WinSCP, I can easily drag files back and forth between my local computer and the server at home.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Connected.png" ><img class="alignnone" title="Connected" alt="Connected" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Connected.png" width="490" height="306" /></a></p>
<p>As you can see, it&#8217;s not that hard to give remote access to our NAS4Free server. However, this scenario of simply configuring the port forward range and nothing else is only for the lucky few who have public IP addresses assigned to them via their ISP that rarely change. For many others, their ISP will most likely dynamically assign them a different public IP address every couple hours or days. As you may have already figured by now, we rely on this public IP address to remote in to our NAS4Free server. If the address changes every couple hours or days, we need to manually first check what our public IP address is before we can initiate the connection with WinSCP. This can be a big hassle because how are you going to do this when your home server resides in California and you yourself are physically in Miami?! Also, who&#8217;s to say that the IP address you jotted down before you left your house didn&#8217;t change when the time comes for the actual connection? If that happens, you&#8217;ll have no way of connecting back to your server because once again, you&#8217;ll have no way of figuring out what your current public IP address is unless you have some third party tool or utility that can give you this information.</p>
<p>Luckily though, there are services out there that aim to help solve this headache.</p>
<h2>Port Forwarding + Dynamic DNS</h2>
<p>There are many services out there, paid and free, that allow home users to contact their internal servers from outside their home network even though their public IP address changes often due to how their ISP behaves. How it works is simple. In my previous example, you saw that I had to manually enter in my IP address number into WinSCP. However, that &#8220;number&#8221; can change at any time and remembering a sequence of numbers in general is difficult for many users. It is much easier to remember &#8220;names&#8221; instead. When was the last time you entered in the IP address of 31.13.75.1 to access Facebook rather than www.facebook.com?</p>
<p>By using a dynamic DNS service, we essentially map a name to our IP address so that anytime we need to contact our servers within our internal home network, we can use that name instead of our actual public IP address! That however is not the most important part. What we need is for the service to correctly detect any time we have an IP address change and be able to automatically remap our domain name to that new address. Luckily, most of the services are able to do this. However, because most of them require a software client to be installed for this to work and because they are mostly for Microsoft Windows operating systems, we are out of luck being that we are using NAS4Free. But worry not. NAS4Free actually has a built-in service that allows us to automatically enter in our dynamic DNS info and have it automatically update the information for us all without having to download and install anything!</p>
<span class="sb_information"><a href="http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-1.html" target="_blank">Now is a good time to go over my three part article explaining just what DNS is and how it works</a>. Although it is not essential, it does give you a better look at how the Internet works as a whole and also why such a service is necessary if you want to be able to reach your internal home server no matter where you physically may be located at in the world.</span>
<p>For this tutorial, <a href="http://www.noip.com/" target="_blank" rel="nofollow">I chose the service from noip.com </a>to provide me with dynamic DNS services. The service is free to use and should get the job done for most home users who simply just want to connect to their NAS4Free server across the Internet and nothing more.</p>
<p>First we need to <a href="http://www.noip.com/newUser.php" target="_blank" rel="nofollow">sign up for a free account from this webpage here</a>. You can clearly see that with a free account, we don&#8217;t have much choices where domain name pickings are concerned. For free accounts, I have no choice but to stick with the domain name ending with .no-ip.biz. For the actual host name, I chose &#8216;mynas4free&#8217;. So, the actual and final name that gets mapped to my public IP address would be &#8216;mynas4free.no-ip.biz&#8217;.</p>
<span class="sb_information">Once you have created your account, noip actually allows you to create another host with many more domains to pick from. They have a section for paid accounts and options for free accounts. I have no idea why they don&#8217;t include these domain names during account creation. For each free account you create, noip allows you to create up to three hosts. Therefore, if you really hate your domain name ending with no-ip.biz, don&#8217;t fret.</span>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Freename.png" ><img class="alignnone" title="Free Name" alt="Free Name" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Freename.png" width="426" height="254" /></a></p>
<p>Once we have activated our account with noip.com, we can then begin managing it. Well, actually, there&#8217;s nothing to manage!</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Account.png" ><img class="alignnone" title="Manage Account" alt="Manage Account" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Account.png" width="490" height="176" /></a></p>
<p>For the most part, we are done here, if you can believe it! When you signed up for noip, it should have automatically detected your public IP address provided that you signed up on a computer within your home network. What we now need to do is head into our NAS4Free web GUI management pane and tell it our new configuration. Head over to Services &#8211;&gt; Dynamic DNS. Hit the Enable check box in the top right corner. In the provider drop down menu, select no-ip.com. Fill in your domain name and also the user name and password you use to log into your noip.com account. The important part here is telling NAS4Free how often it should check your IP address to see if it has changed. You can also force it to update even if your IP hasn&#8217;t changed. I&#8217;ll leave the setting here for you to decide. Just remember that the interval is in seconds.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Settings.png" ><img class="alignnone" title="NAS4Free Settings" alt="NAS4Free Settings" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Settings.png" width="421" height="283" /></a></p>
<span class="sb_information">Noip.com actually has a <a href="https://www.noip.com/downloads.php?page=linux" target="_blank" rel="nofollow">software client for Linux operating systems.</a> However, I am not too familiar with installing software on a Linux box so I&#8217;m skipping this option and instead relying on NAS4Free&#8217;s internal settings instead. My ISP actually does not change my IP address. I&#8217;ve been with them for 10 years or so and for as long as I can remember, I&#8217;ve always had the same IP address. To test whether or not the settings within NAS4Free would work or not, I could not rely on my ISP changing my IP address. Instead, what I had to do was deliberately change my IP address within the noip control panel to something other than my actual public IP. Sure enough, NAS4Free reconfigured the settings to match that of my actual IP address! This proves to me that the settings actually do work and so no installation of any client software is needed on your NAS4Free box. Hooray.</span>
<p>Once the settings have been saved, it&#8217;s time to test the connection, preferably from a computer that is not within your home network. Once again, fire up WinSCP and this time, type in your noip domain name instead of your public IP address in the host name field. All the other fields should remain the same as before such as port number, user name and password. As you can see below, I once again have successfully connected to my internal NAS4Free server!</p>
<span class="sb_error">If you are getting an error, please remember that you still must port forward the correct port within your router to your server! If you haven&#8217;t, then you&#8217;re basically shutting the &#8220;doorway&#8221; of communication with your server.</span>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Connected2.png" ><img class="alignnone" title="Connected via NOIP" alt="Connected via NOIP" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Connected2.png" width="560" height="350" /></a></p>
<p>Just for fun, if you do a simple ping of your domain name, it should resolve right back to your public IP address.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Ping.png" ><img class="alignnone" title="Ping" alt="Ping" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Ping.png" width="418" height="240" /></a></p>
<p>As a friendly reminder, using a service such as noip to reach your internal server is exactly just that. It maps the name you&#8217;ve chosen to your public IP address and more importantly, it updates it when it detects a change. Although you can sign up and pay for additional features, it is not required at all should you just require something rudimentary like what we are doing here and like I&#8217;ve mentioned earlier, most home users will not require something more advanced than this. Once you have connected to your server at home, whatever it is you upload or download is completely dependent on whatever Internet connection you are using at the moment. It doesn&#8217;t matter if you upload/download 1MB of file or 1GB. Noip is completely irrelevant at that point once the connection has been established, sort of. Just think of it as the middle man.</p>
<p>If you&#8217;re point A and you want to talk to point C, then you&#8217;ll have to first talk to point B because point B is the one who knows how to reach point C.</p>
<h2>Security</h2>
<p>Anytime we open &#8220;holes&#8221; and &#8220;doorways&#8221; in our router/firewall, we have to be very cautious where security is concerned because that is one more avenue for an attacker to enter from. When you do open up your NAS4Free server to Internet access, you absolutely want to make sure that you use as strong a password as you can to protect the root account and pretty much any other account as well. You have to remember that your server is powered on 24/7 and your Internet connection is most likely enabled 24/7 as well. Therefore, if you can access your server remotely over the Internet, so can an attacker. Of course, the chances of this happening can be slim but that doesn&#8217;t mean it&#8217;s impossible.</p>
<p>To give your other users the ability to also SSH into your NAS4Free server while away from home, you&#8217;ll need to make a simple change in their user account properties. In the &#8216;Shell&#8217; drop down menu, simply select &#8216;SCPONLY&#8217;. This option allows the user to remote in to the server and access only the folders they have access to. The weird thing is that they can still view and copy important system files on the server but they can&#8217;t delete the files nor add anything to those system folders. Also, please remember to remind your users that their user name IS CASE SENSITIVE! The user Bob is not the same as bob! It drove me nuts initially so please don&#8217;t make the same mistake. Oh and of course, they will need to learn how to use WinSCP as well.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20SCPONLY.png" ><img class="alignnone" title="Scponly" alt="Scponly" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20SCPONLY.png" width="402" height="270" /></a></p>
<p>Another thing you can do is periodically check your system log files for any malicious attempts to enter your system. Of course, a malicious user could simply erase and clear out your log but if that happens, then that obviously is a red flag to begin with. You can check your log file under Diagnostics &#8211;&gt; Log. In the drop down box, select to view the SSH log file.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Log.png" ><img class="alignnone" title="Log Files" alt="Log Files" src="https://dl.dropboxusercontent.com/u/16029746/251-300/295%20Log.png" width="412" height="286" /></a></p>
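<p>As an added example (not part of the original article or of NAS4Free), here is one way to triage an SSH log once it has been copied off the server: count failed logins per source address and flag any successful login that follows repeated failures from the same address. The sample lines are constructed, and the code assumes the standard OpenSSH &#8220;Failed password&#8221; / &#8220;Accepted password&#8221; message format; the function name and threshold are hypothetical.</p>

```python
import re
from collections import defaultdict

# Constructed sample lines in the standard OpenSSH sshd message format.
# Addresses come from documentation ranges; host and user names are made up.
SAMPLE_LOG = """\
Apr 20 03:14:07 nas4free sshd[2101]: Invalid user admin from 203.0.113.5
Apr 20 03:14:07 nas4free sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Apr 20 03:14:09 nas4free sshd[2103]: Failed password for root from 203.0.113.5 port 51130 ssh2
Apr 20 03:14:12 nas4free sshd[2105]: Failed password for root from 203.0.113.5 port 51144 ssh2
Apr 20 03:14:15 nas4free sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51150 ssh2
Apr 20 08:30:41 nas4free sshd[2290]: Failed password for Bob from 198.51.100.23 port 40022 ssh2
Apr 20 08:30:55 nas4free sshd[2290]: Accepted password for Bob from 198.51.100.23 port 40022 ssh2
Apr 20 09:02:10 nas4free sshd[2311]: Accepted password for root from 203.0.113.5 port 51890 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <address> port <n>"
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (invalid user )?(\S+) from (\S+) port \d+"
)
# "Accepted <method> for <user> from <address> port <n>"
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")


def review_ssh_log(log_text, threshold=3):
    """Return (noisy_sources, suspicious_logins).

    noisy_sources maps each source address with at least `threshold` failed
    logins to its failure count, the user names tried (case preserved, since
    user names are case sensitive) and how many of those did not exist.
    suspicious_logins lists (user, source, prior_failures) for every accepted
    login that came after `threshold` or more failures from the same address.
    """
    failures = defaultdict(
        lambda: {"count": 0, "users": set(), "invalid_users": 0}
    )
    suspicious_logins = []

    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            invalid, user, source = failed.groups()
            entry = failures[source]
            entry["count"] += 1
            entry["users"].add(user)
            if invalid:
                entry["invalid_users"] += 1
            continue

        accepted = ACCEPTED.search(line)
        if accepted:
            user, source = accepted.groups()
            # Lines are processed in order, so this counts only the failures
            # seen before the successful login.
            prior = failures.get(source)
            if prior and prior["count"] >= threshold:
                suspicious_logins.append((user, source, prior["count"]))

    noisy_sources = {
        source: entry
        for source, entry in failures.items()
        if entry["count"] >= threshold
    }
    return noisy_sources, suspicious_logins


if __name__ == "__main__":
    noisy, suspicious = review_ssh_log(SAMPLE_LOG)
    for source, entry in noisy.items():
        print(source, entry["count"], "failures, users tried:", sorted(entry["users"]))
    for user, source, prior in suspicious:
        print("login as", user, "from", source, "after", prior, "failures")
```

<p>A single mistyped password followed by a success, like Bob&#8217;s in the sample, stays below the default threshold and is not flagged.</p>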
<h2>In the End&#8230;</h2>
<p>As you can see, even if you understand just a tiny bit of how DNS works, then you&#8217;ll also understand how it is that we can remotely connect to our internal NAS4Free server within our internal home network from outside the Internet. Once you are able to do so, then you can safely retrieve your files any time and from any place as long as you have a decent Internet connection. However, this sadly is not always the case. You could be stuck for example in a hotel where the network team decides to block access to all ports but a few necessary ones such as browsing web pages and sending/receiving email. Because we are using port 22, which is a well known port number for the FTP protocol, we can find ourselves locked out from our home server. As a safety precaution, you can configure your NAS4Free server to use a different port well beforehand. Not only is this a bit safer but it might also help get you out of a sticky situation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/04/configuring-remote-access-for-nas4free.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Creating VM Clones in Microsoft Hyper-V</title>
		<link>http://www.anotherwindowsblog.com/2013/04/creating-vm-clones-in-microsoft-hyper-v.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/04/creating-vm-clones-in-microsoft-hyper-v.html#comments</comments>
		<pubDate>Tue, 16 Apr 2013 22:40:35 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9592</guid>
		<description><![CDATA[If you&#8217;re a virtual machine freak like me, then you&#8217;ve most likely upgraded to Windows 8 Pro already due to its awesome built in Hyper-V client! No longer do you need to install Windows Server 2012 or the standalone hypervisor operating system just to be able to build your virtual machine infrastructure on your home [...]]]></description>
				<content:encoded><![CDATA[<p>If you&#8217;re a virtual machine freak like me, then you&#8217;ve most likely upgraded to Windows 8 Pro already due to its awesome built in Hyper-V client! No longer do you need to install Windows Server 2012 or the standalone hypervisor operating system just to be able to build your virtual machine infrastructure on your home laptop or desktop. Sure, some of the features are missing in the client hypervisor in Windows 8 but for the most part, the base client hypervisor software is the same as the hypervisor used in Windows Server 2012, which of course is used in business and production environments around the world. The purpose of this article is to show you how you can save a ton of time by utilizing a feature known as virtual machine cloning. No doubt when you build virtual machines for your mini lab environment on your client Windows 8 system, you&#8217;d often find yourselves installing the same operating system over and over again because it&#8217;s highly likely that you&#8217;ll need more than one virtual machine with that same base operating system to complete your lab setup. Installing this base operating system over and over again wastes time and quite frankly it&#8217;s quite a bore! We&#8217;ve all done it a million times by now already and so do you really want to look at that same install screen yet again? Probably not. In VMware Workstation, you&#8217;re able to create what is known as Full Clones and Linked Clones. In Microsoft Hyper-V, you are also able to create these clone types albeit in a different way.</p>
<h2>What are VM Clones?</h2>
<p>We should all be familiar with the benefits of virtualization by now. By creating virtual machines, we are essentially creating a virtual operating system that can be moved around as we like within the infrastructure. The one other major benefit of a virtual machine is being able to quickly make a copy of it. Because an entire virtual machine consists of just a couple of configuration files and a base virtual hard disk, we can essentially create a clone by simply copying the virtual hard disk file and creating a new virtual machine attached to that file.</p>
<p>So why would you want to create a clone? Simple. To save time. When you think about cloning in a physical environment, you&#8217;d typically create a master or gold image. This image is basically your base operating system of choice along with all of the software you&#8217;d require already pre-installed. These can include anything from your typical software applications, Windows software updates to special configuration options. Once this is done, you&#8217;d then roll out that image to multiple computers. Once installed, that system would then resemble and function exactly the same as the master image. As you can see, this saves a heck of a lot of time because you no longer have to manually configure each and every system. You just configure it once and that&#8217;s it. With VM clones, the same theory applies except you have a bit more flexibility.</p>
<h2>Types of VM Clones</h2>
<p>There are typically two types of clones you can create in Hyper-V: full and linked or differencing disk/clone. Which type of clone you create will definitely depend on what it is you are trying to create in your lab environment.</p>
<h3>Full Clone</h3>
<p>This type of clone is what users typically associate with a &#8220;clone&#8221; in that it is taking a single virtual machine and duplicating the entire thing so that we have a second, exact replica as the original source. This clone is completely independent of the source VM in that it does not share nor require anything from it. If the original VM gets deleted or corrupted, it will not in any way affect the clone. This independence from the source VM comes at a price, however. Because it is a full clone, the clone will originally take as much hard disk space as the source VM. If the original VM is 20GB in size, then the clone will also be 20GB in size.</p>
<h3>Linked/Differencing Clone</h3>
<p>I&#8217;m not entirely sure if Microsoft has an official name for this type of clone. In VMware, it is called a Linked Clone. With Microsoft&#8217;s Hyper-V platform, you&#8217;d create a &#8220;differencing disk&#8221; to be able to create the same type of clone. Another name for this type of clone is a Parent to Child clone. Basically you&#8217;d start with the same master or gold virtual machine that is configured to your liking. Whereas in a full clone we make an exact duplicate, with a parent to child clone we create a differencing disk (the child) that is &#8220;linked&#8221; to the master (the parent). Any changes to the child clone are written to its own disk and do not in any way affect the parent. When you perform this kind of clone, the child VM is obviously dependent on the parent and so if anything bad were to happen to the parent such as its virtual hard disk being deleted, then the child VM will cease to function. The major advantage to using this type of clone over the full clone type is the amount of disk space you will save. Because only the changes to the child are written (the differences), you can save a whole lot of disk space if you will be needing to create many separate virtual machines based on the parent.</p>
<h2>Dude, What About Snapshots?!</h2>
<p>Snapshots are definitely useful and I&#8217;m sure that feature was what got so many users excited about using virtual machines in the first place. I know it did for me. However, snapshots aren&#8217;t really considered clones. Snapshots provide a point in time copy/restore for a single virtual machine. Keyword there is single. When you create a clone, you are essentially creating a completely separate virtual machine that has its own computer name, IP address, user accounts, etc. With a snapshot, you&#8217;re still working with that one individual VM. You can go back and forth between snapshots but on the network, you still have just one VM.</p>
<p>With that being said though, snapshots do have a lot in common with a differencing disk clone. In fact, it actually works quite the same. When you create a snapshot, a differencing disk actually gets created just like when creating a linked clone. The base VM image actually freezes and goes into read-only mode. Any changes from then on get written only on the newly created differencing disk in order to protect the VM. Therefore, creating snapshots is not the same as creating clones.</p>
<p>With that out of the way, let&#8217;s begin first by creating a full clone in Hyper-V since it is the easier of the two to get up and running.</p>
<h2>Creating a Full Clone VM in Hyper-V</h2>
<p>For this demonstration, I have a simple Windows 8 operating system called &#8220;Win8_source&#8221; that I will be using for both the source of the full clone example here and as the parent for the differencing disk in the next section. There is nothing really special about this VM at the moment. As you can see, I have some basic applications installed and that&#8217;s basically it. The size for this VM is about 9.5-9.6GB.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Win8source.png" ><img class="alignnone" title="Win8source" alt="Win8source" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Win8source.png" width="448" height="331" /></a></p>
<p>Before I clone the VM though, I should prepare it with the Sysprep utility. This awesome utility basically allows you to strip away specific security identifiers for the VM. <strong>This step is only necessary to perform if you will be running multiple versions of this clone VM on the same network AND you want to join them to the same Active Directory domain</strong>. In a lab scenario, this is usually the case and so Sysprep&#8217;ing the VM is definitely something you should do to prevent any headaches later on. If this does not concern you as your virtual machines, both master and clones, will only be in Workgroups then you can usually skip this procedure. Prior to performing the Sysprep process, make sure that the VM is configured exactly to your liking! You generally don&#8217;t want to re-power back on the sysprepped image.</p>
<p>The Sysprep utility is included in most versions of Windows and can be found in:</p>
<p>C:\Windows\System32\Sysprep</p>
<p>Within the Sysprep folder, simply launch the sysprep utility. Although one can get extremely fancy with sysprep, all we need to do is select the &#8216;Out-of-box Experience&#8217;, enable the Generalize check box and have the system Shutdown once the process has completed. At the end, your source VM should have shut down and is completely ready to be cloned.</p>
<p><img class="alignnone" alt="" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Sysprep.png" width="352" height="264" /></p>
<p>For the cloning process, there are actually two different ways to do it. The first and more correct way to do it is to perform an Export operation by right-clicking on the source VM within the Hyper-V manager. You specify a folder location to save the clone and you would then perform an Import operation. The second way to clone a VM is to simply just &#8220;copy&#8221; the source VM&#8217;s vhdx file, create a new virtual machine and finally, attaching the cloned virtual hard disk to it rather than creating a new one. I will be using the second method. An Export operation is great when you need to actually move virtual machines between different Hyper-V hosts and need to keep everything intact such as snapshots.</p>
<p>To begin, I simply head over to the location of my virtual hard disks and perform a copy/paste operation of the source VM. Here is the outcome. You can definitely rename the cloned VHD file to something else so you won&#8217;t get confused in the future. I renamed mine to &#8216;Win8_clone&#8217;.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Copypaste.png" ><img class="alignnone" title="Copy and Paste" alt="Copy and Paste" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Copypaste.png" width="482" height="254" /></a></p>
<p>Now that I have the cloned hard disk, it&#8217;s time to create a new VM for it. You&#8217;d go through the same usual process except when it comes to the part where it asks you about creating a VHD for the VM. On this page, you&#8217;d select the option of using an &#8220;existing virtual hard disk&#8221; rather than creating a new one. As expected, hit the Browse button and select the newly copied VHD file.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Existingvhd.png" ><img class="alignnone" title="Use Existing VHD" alt="Use Existing VHD" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Existingvhd.png" width="574" height="432" /></a></p>
<p>With the clone virtual machine configured, I can now power it on. Because I chose to sysprep the machine, it will initially go through the entire setup screen again as if the system was newly installed. Once that has completed though, I can see that the new virtual machine has all of the applications I installed on the source VM and that everything is exactly as how it was. You can now clone as many VM&#8217;s as you want based on the master VM. Also, don&#8217;t forget that you DO NOT have to sysprep your source VM! However, if your Windows virtual machines are going to be joining a domain, then I would definitely recommend doing so.</p>
<span class="sb_error">If you did not sysprep the source VM and power on both the source and clone together, you might get errors about having two computers on the same network with either the same IP address if the source was not configured with DHCP or more likely that both computers have the same machine name. Simply change the information on the clone or source to solve the problem.</span>
<h2>Creating a Differencing Disk in Hyper-V</h2>
<p>As mentioned earlier, creating a &#8220;differencing disk&#8221; in Hyper-V is similar to creating a Linked Clone in VMware&#8217;s parlance and it&#8217;s an awesome and quick way to spin up many similar yet different virtual machines all the while helping you save disk space as well. In this scenario, we do things just a bit differently because of the special parent-to-child relationship of the virtual machines.</p>
<p>To start off, I will be using the same VM I used above in the full clone tutorial as the parent for this one. The VM is a simple Windows 8 machine called Win8_source. Once again, I have properly &#8216;sysprepped&#8217; the virtual machine and I highly recommend you to do so as well. When you create differencing disk clones, you normally should not power on or change anything within the parent VM. Basically, once the parent VM is finalized, it should be sysprepped and left alone. From that point on, you can spawn as many different child virtual machines from that parent as you&#8217;d like. Hey, if only creating a child in the real world was that easy eh?!</p>
<p>Another thing you can do to protect the parent VM is to change the permission of its VHDX file so that it is read-only. This should add an extra layer of protection on the parent VM so that no changes can be made on it. Simply open the Properties of the VHDX file for your parent VM and enable the Read-Only check box and hit OK.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Readonly.png" ><img class="alignnone" title="Read Only" alt="Read Only" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Readonly.png" width="287" height="361" /></a></p>
<p>Next we create a new differencing disk in Hyper-V manager. In the Actions toolbar menu, select New &#8211;&gt; Hard Disk and the wizard should appear. There are a couple pieces of information we need to specify and it&#8217;s important you get them right. When you select the option of either creating a VHD or VHDX disk, select the same type as the parent VM.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Formattype.png" ><img class="alignnone" title="Disk Format Type" alt="Disk Format Type" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Formattype.png" width="503" height="378" /></a></p>
<p>In the virtual disk type window, you&#8217;d want to select the Differencing option.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Disktype.png" ><img class="alignnone" title="Disk Type" alt="Disk Type" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Disktype.png" width="503" height="378" /></a></p>
<p>Next, give your differencing disk a name and location.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Nameandlocation.png" ><img class="alignnone" title="Name and Location" alt="Name and Location" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Nameandlocation.png" width="503" height="378" /></a></p>
<p>Finally, you&#8217;ll need to specify the vhdx of the parent virtual machine. In my example, I am using Win8_source as the parent.</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Parent.png" ><img class="alignnone" title="Parent" alt="Parent" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Parent.png" width="503" height="378" /></a></p>
<p>Now that the differencing disk has been created, it&#8217;s time to create a new VM and attach that disk to it. So, first create a virtual machine like always. When you get to the Connect Virtual Hard Disk page, we specify to attach an existing disk, similar to what we have done when we created our full clone. This time, however, we&#8217;ll obviously pick the differencing disk we&#8217;ve just created earlier. Do not pick the parent VM!</p>
<p><a href="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Diffdiskattach.png" ><img class="alignnone" title="Differencing Disk Attach" alt="Differencing Disk Attach" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Diffdiskattach.png" width="503" height="378" /></a></p>
<p>And that&#8217;s it! Once you start your new VM, you&#8217;d go through the same process earlier in the full clone procedure if you&#8217;d taken the time to sysprep the machine. Once I&#8217;m back on the desktop and everything is running as it should be, you can see below the size difference between the parent VM and the child VM. From now on, every new change I make on the child VM is only written to the differencing disk and the parent virtual disk is left completely alone. To make more clones, I simply repeat the process of first creating a new differencing disk based on the parent disk, creating a new VM and finally, attaching the differencing disk to it. It&#8217;s that simple.</p>
<p><img class="alignnone" alt="" src="https://dl.dropboxusercontent.com/u/16029746/251-300/294%20Diffsize.png" width="586" height="318" /></p>
<h2>In the End&#8230;</h2>
<p>You can see how easy creating VM clones is in Hyper-V. Quickly being able to spin up virtual machines is one of the main benefits of virtualization and it&#8217;s a godsend for users at home who need to quickly create a small lab environment. Rather than needing to sit through installation after installation of the same operating system, you can now install everything just once and mass deploy that image out onto new virtual machines within a few minutes. Granted, it does take a few more steps on Microsoft&#8217;s Hyper-V client platform than on VMware&#8217;s Workstation product but the outcome is relatively the same. Please take advantage of virtual cloning whenever possible to maximize its potential!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/04/creating-vm-clones-in-microsoft-hyper-v.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting to Know DNS! Part 3</title>
		<link>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-3.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-3.html#comments</comments>
		<pubDate>Tue, 26 Feb 2013 21:08:48 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9557</guid>
		<description><![CDATA[Alright folks! It&#8217;s time to finally wrap things up with the final article in my &#8220;Getting to Know DNS!&#8221; series. In this last article, I will be putting together everything you have read so far in the past two articles and giving you the ultimate look at how name resolution functions on an every day [...]]]></description>
				<content:encoded><![CDATA[<p>Alright folks! It&#8217;s time to finally wrap things up with the final article in my &#8220;Getting to Know DNS!&#8221; series. In this last article, I will be putting together everything you have read so far in the past two articles and giving you the ultimate look at how name resolution functions on an every day basis. Of course, I will also introduce new terms and functionality as well but by now, you should have a pretty good idea of how DNS looks not only from way up top but also as to what actually comprises a DNS infrastructure as well. To recap just a bit, at the very least you should have a good understanding of what the DNS hierarchy looks like, what a FQDN is and how it relates to the hierarchy, what name servers are and equally important, the basic types of resource records that a DNS server can return to a client. If you have no idea on what I&#8217;m talking about at this point and have stumbled upon this article believing that reading the last article in the series is always more fun than reading the first, then yes, you&#8217;re right! While you can definitely continue to read on, many of the terms I will be using here will be unfamiliar and to really get a good grasp at how DNS works, it&#8217;s important to get all the details down. So, I highly urge you to read my two prior articles before continuing to get the most out of this one! With that out of the way, let&#8217;s begin!</p>
<p><a href="http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-1.html" target="_blank">Getting to Know DNS! Part 1</a></p>
<p><a href="http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-2.html" target="_blank">Getting to Know DNS! Part 2</a></p>
<h2>Delegation</h2>
<p>The delegation factor is very important where DNS is concerned and I&#8217;ve talked about this in the first article. However, I need to go over it again here because not much else will make sense until you get how delegation works. Well, at the very least the concept of it. You already know the DNS hierarchy and the levels within it. Well, how does a name server on the top level of the hierarchy know how to find a name server on the level below it? Simple. By delegating authority of that lower domain to someone else. In other words, allow another organization to maintain and administer it. By adding Name Server (NS) and A/AAAA resource records for the name servers that are authoritative for that specific domain portion, the upper tier name servers know exactly where to direct requests when the request is for a host within that specific domain.</p>
<p>For example, at the very root, there are around 13 root name servers spread across the world. The administrators maintaining these root name servers add NS and A/AAAA records for name servers of the various top level domains, which is the level right below it in the hierarchy. So, it has NS and A/AAAA records for the name servers authoritative for the .com, .net, .org, .edu and a myriad of other top level domains. That&#8217;s it.</p>
<span class="sb_information">I actually remember talking to an individual who believed that the IP addresses for these root name servers are somehow a secret and that only privileged DNS servers have access to them! This couldn&#8217;t be any farther from the truth. The IP addresses for these root name servers <a href="http://www.internic.net/domain/named.root" target="_blank" rel="nofollow">can be located here in this text file</a> which is maintained by InterNIC.</span>
<p>Within the .com name space, the administrators add NS and A/AAAA records for name servers authoritative for the level below it. This includes the name servers for Google, Microsoft, Yahoo and a thousand others that use the .com top level domain. Similarly, the other top level domains add similar records for any second level domains that register their name under it. That&#8217;s it.</p>
<p>The name servers responsible for Google, Microsoft, Yahoo are then responsible for managing their actual zone and hosts within it. Again, this includes adding the appropriate NS and A/AAAA records for their hosts. That&#8217;s it.</p>
<div class="wp-caption aligncenter" style="width: 380px"><a href="http://dl.dropbox.com/u/16029746/251-300/293%20Delegation.png" rel="nofollow"><img title="DNS Delegation" alt="DNS Delegation" src="http://dl.dropbox.com/u/16029746/251-300/293%20Delegation.png" width="370" height="179" /></a><p class="wp-caption-text">DNS Delegation</p></div>
<h2>Ask Someone Else!</h2>
<p>The good news when learning about how name resolution works is that there is just one major thing you need to keep in mind and that is DNS servers don&#8217;t really like to be bothered all that much! There is a very simple process that truly makes DNS so scalable and when you think about it, it&#8217;s so simple that you&#8217;re probably going to laugh yet admire the person who came up with this strategy. Here is the single thought you must keep in mind at all times: &#8220;If I don&#8217;t have the answer, then go ask someone else!&#8221;</p>
<p><img class="alignright" alt="" src="http://dl.dropbox.com/u/16029746/251-300/293%20Goaway.png" width="250" height="224" />That&#8217;s right folks. This one simple statement is what makes DNS so magical. Again, if you think about it, it makes perfect sense. The DNS infrastructure has many different levels. Each level or &#8220;tier&#8221; is managed by some organization. Therefore, it can be considered decentralized. However, all name servers need to coexist on the Internet (if they want a truly public presence) and so the major factor that ties DNS servers together no matter where they are in the world is that statement I just made. If a DNS server receives a request that it doesn&#8217;t have an answer for, then it simply asks another server that does! Eventually, the DNS server will get the right answer and return it to the client. How is this possible? Well, it goes directly back to what I said earlier. Although DNS servers all over the globe can be managed independently by different organizations, each level of the DNS hierarchy has name servers that are responsible for its own name space. Therefore, there must be some DNS name servers that are authoritative for that portion of the DNS name space. When you make a name resolution request, it starts from the very top of the DNS hierarchy and continues to trickle down each tier until the name request can finally be resolved.</p>
<h3>Name Resolution Request Process</h3>
<p>To demonstrate the point above, let&#8217;s now take a look at what a simple name resolution request that users perform on a daily basis, including yourself, looks like. The simplest example is to see what happens when you enter a URL within your favorite browser. In this case, we want to reach www.microsoft.com. Immediately when you hit the Enter key on your keyboard, name resolution takes place and this is what happens:</p>
<ol>
<li><span style="line-height: 13px;">The client DNS resolver on the local computer intercepts the name resolution request and first checks to see if the request can be answered locally. If not, then the request will be sent to the DNS server configured on the local computer as a &#8220;recursive&#8221; query. For most home users, this will be the DNS server located at their ISP headquarters.</span></li>
<li>The DNS server at ISP headquarters will then check to see if the request can be answered locally by the name server itself either via an authoritative answer or cache lookup. If not, then it will proceed to send an &#8220;iterative&#8221; query for www.microsoft.com to one of the 13 possible root name servers spread across the world.</li>
<li>At the root name server, it will not be able to give the IP address for www.microsoft.com BUT it will return an address for a name server of one of the top level domains (which is directly beneath it in the DNS hierarchy). Basically, this is the root name server&#8217;s way of telling the DNS server at ISP headquarters to go bother someone else!</li>
<li>The DNS server at ISP headquarters will now send another iterative request for www.microsoft.com to the IP address it has just gotten from the root name server. This IP address is for one of the DNS name servers in the .com name space.</li>
<li>At the name server over at .com, it will not be able to give the IP address for www.microsoft.com BUT it will return an address for a name server responsible for managing the microsoft.com zone. Basically, this is the .com name server&#8217;s way of telling the DNS server at ISP headquarters to go bother someone else!</li>
<li>The DNS server at ISP headquarters will now send another iterative request for www.microsoft.com to the IP address it has just gotten from the .com name server.</li>
<li>At the name server over at microsoft.com, IT WILL be able to fully answer the request because it knows the exact IP address for the host of www within its own microsoft.com zone. This name server is said to be &#8220;authoritative&#8221; for the microsoft.com zone. The IP address gets sent back to the DNS server over at ISP headquarters.</li>
<li>Upon receiving the answer, the DNS server at ISP headquarters will then return the answer to our client resolver, which will then pass it back to the application that made the request (the browser in our case).</li>
<li>The client computer can now communicate with www.microsoft.com via the IP address it has just been given by the DNS server at ISP headquarters!</li>
</ol>
<div class="wp-caption aligncenter" style="width: 277px"><a href="http://dl.dropbox.com/u/16029746/251-300/293%20Querytype.png" rel="nofollow"><img title="DNS Name Resolution Process" alt="DNS Name Resolution Process" src="http://dl.dropbox.com/u/16029746/251-300/293%20Querytype.png" width="267" height="334" /></a><p class="wp-caption-text">Name Resolution Process</p></div>
<p>This, ladies and gentlemen, is how DNS name resolution works! You can easily see how each DNS server at each tier of the DNS hierarchy passes off the request it cannot give an authoritative answer for to another DNS server at a lower tier. This simple process continues until the answer can be found. However, after learning about this process, you may have a question or two and that is not surprising. Imagine this process happening thousands to even millions of times per second all over the world! While this process does indeed work to help clients find the IP address for a given host, it&#8217;s not that efficient. So, let&#8217;s continue on in the journey!</p>
<h3>Clients Have it Good</h3>
<p>By now, you&#8217;re probably wondering just what the heck a recursive and iterative query is. However, if you look carefully at the picture above, you can get some sort of idea as to what they are about. Basically, it&#8217;s simple.</p>
<p>The client portion performs a recursive query. What this means is that it tells the DNS server at ISP headquarters that hey, look buddy. I gave you a request. The answer that you give me back better be either the answer I&#8217;m looking for (the IP address) or an error message itself (if no such host or domain exists)! Looking at it from another perspective, the client, once it has sent its request, is able to just sit back and relax while the DNS server does all the work. Yups, clients have it good!</p>
<p>The DNS server at ISP headquarters, however, needs to perform the bulk of the work and this relates to the iterative requests that it sends out to other DNS name servers. What this means is that for a single iterative request, the DNS server that receives the request knows that it doesn&#8217;t have to provide the exact answer to the query. All it has to do is give the &#8220;best answer possible&#8221;. This best answer is known as a referral and it makes a lot of sense. If the DNS server doesn&#8217;t have the exact answer for a request, then what it should do is point the DNS server that made the request one step closer to the final destination.</p>
<p>Most public DNS servers perform iterative queries out of respect for the root name servers, so as not to overburden them. Can you imagine if the root name servers actually had to perform the bulk of the work instead?! However, DNS servers can definitely refuse to answer recursive queries and I&#8217;m sure that is just what the root and .com name servers are doing. In fact, most top level domain name servers should discard recursive queries by default.</p>
<h2>Caching</h2>
<p>Earlier, I mentioned that the name resolution process is not very efficient. However, in reality, that&#8217;s not actually true due to an incredible and simple feature called caching. Once I explain how caching works, you&#8217;ll be able to see that for a given name resolution request, it usually just involves steps 1 and 2 in the process I&#8217;ve described above and the rest of the other steps are unnecessary.</p>
<p>Caching is not new to DNS but it can definitely have a big impact. A cache is just a temporary location on your hard disk where it can store resource records that it has received from a DNS server. Think about this for a second. If I just made a request for www.microsoft.com and have gotten the correct answer from my DNS server, wouldn&#8217;t it make sense that I might make another request to www.microsoft.com in the near future? If yes, then doesn&#8217;t it also make sense that instead of repeating the whole DNS name resolution process again, the DNS resolver on my computer can just look in the cache to find the answer to speed things up? Well, of course it does! That&#8217;s the whole point with caching and it is a very important feature, especially where DNS servers all around the world are concerned.</p>
<p>In step one, the DNS resolver looks at your local cache to see if it can find the answer to the name request. If it can, then obviously the question has been answered and no query will be sent to an external DNS server. This not only allows your browser to get to the destination faster, but it also allows your DNS server to relax a little since that is one less request it has to perform!</p>
<span class="sb_information">With today&#8217;s high speed Internet, receiving an answer either from the local cache itself or via a normal name resolution process doesn&#8217;t really matter much and you&#8217;re most likely looking at milliseconds of a difference. Also, properly configured DNS servers can withstand pretty big workloads. Nonetheless, it is still important to not skip this step when talking about DNS technology.</span>
<p>Below, you can see a partial display of my DNS cache. You can see that I successfully navigated to Yahoo.com and in the process, cached its A record. Now, if I go back to Yahoo.com, then the DNS resolver would use this cached record to point my browser to the correct destination all without having to get any DNS servers involved.</p>
<div class="wp-caption aligncenter" style="width: 428px"><a href="http://dl.dropbox.com/u/16029746/251-300/293%20Cache.png" rel="nofollow"><img class=" " title="DNS Cache" alt="DNS Cache" src="http://dl.dropbox.com/u/16029746/251-300/293%20Cache.png" width="418" height="240" /></a><p class="wp-caption-text">DNS Cache</p></div>
<p>In most cases, your DNS provider will provide the answer to name requests via its own cache lookup, which is step 2 in the process. A popular name server such as the one at your ISP headquarters will no doubt have thousands upon thousands of users making requests every minute. It is very likely that someone before you has already made a request for www.yahoo.com. Therefore, the resource record will have been cached at the DNS server as well and the server will be able to use it to answer your request for www.yahoo.com without having to bother the root name servers.</p>
<h3>Time to Live</h3>
<p>Now you&#8217;re probably wondering: if the cache is all that powerful, can&#8217;t we just pre-populate the cache with all types of records pointing to Internet locations we visit often and not have to worry about DNS queries? Essentially, yes, you can do this with the HOST file but it might not be a good idea to do so and there is a good reason why.</p>
<p>As you browse the Internet, you&#8217;d no doubt cache all types of resource records. However, what happens if your resolver used a resource record in your local cache but the company actually changed the IP address for that host? The answer is you probably won&#8217;t be able to contact that host as long as your resolver keeps using the cached record. To combat this problem, there is a setting on each resource record that specifies how long each DNS server or client can keep that record in its cache. Once that time interval has passed, then the client or server must purge it from its cache. When the client needs to query that name again for its IP address, the entire name resolution process begins anew. This setting for controlling the resource record&#8217;s lifetime in the cache is called the Time-to-Live, a.k.a. TTL.</p>
<p>Many companies that have a strong presence on the Internet would want to lower the TTL value on their resource records to mere minutes because they want their customers to always be able to locate their web servers after a change. The disadvantage of having a low TTL setting is putting a bigger burden on their name servers. Why? Well, because if the resource record in a client&#8217;s cache gets purged quickly, then the clients (in most cases this will be DNS servers) will have to ask for the IP address again and that means the name servers at the company headquarters will need to do more work in answering those queries.</p>
<p>Many smaller companies and blog sites don&#8217;t necessarily have to worry much about name or IP address changes within their zone. Therefore, they can afford to set a higher TTL value, such as one hour. There is no right or wrong answer where the TTL setting is concerned. It just needs to make sense for the company. If a company is confident enough that hardly any hosts change on a daily basis within their zone, they could even set their TTL value to a week or more if they so wish.</p>
<p>Below, you can see the TTL value for Yahoo&#8217;s resource records being set to 10 minutes:</p>
<div class="wp-caption aligncenter" style="width: 428px"><a href="http://dl.dropbox.com/u/16029746/251-300/293%20TTL.png" rel="nofollow"><img title="Time to Live" alt="Time to Live" src="http://dl.dropbox.com/u/16029746/251-300/293%20TTL.png" width="418" height="240" /></a><p class="wp-caption-text">Time to Live</p></div>
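<p>The name resolution walk-through and the caching and TTL sections above, as an added example (not code from this blog): a toy recursive resolver in Python that follows referrals from constructed root, .com and microsoft.com servers and caches answers and delegations until their TTL runs out. All addresses, TTL values and names such as <code>RecursiveResolver</code> and <code>query_server</code> are assumptions made up for the illustration.</p>

```python
# Constructed sample data: three simulated name servers, one per tier.
# Addresses come from documentation ranges; TTL values are made up.
ROOT = "198.51.100.1"
SERVERS = {
    ROOT: {"delegations": {"com": ("198.51.100.2", 172800)}, "records": {}},
    "198.51.100.2": {"delegations": {"microsoft.com": ("198.51.100.3", 86400)},
                     "records": {}},
    "198.51.100.3": {"delegations": {},
                     "records": {"www.microsoft.com": ("203.0.113.10", 600)}},
}


def in_zone(name, zone):
    """True when name is the zone itself or a host/subdomain inside it."""
    return name == zone or name.endswith("." + zone)


def query_server(server_ip, name):
    """Iterative query: return the answer if held, else the best referral."""
    server = SERVERS[server_ip]
    if name in server["records"]:
        ip, ttl = server["records"][name]
        return ("answer", ip, ttl)
    zones = [z for z in server["delegations"] if in_zone(name, z)]
    if zones:
        zone = max(zones, key=len)          # most specific delegation wins
        ns_ip, ttl = server["delegations"][zone]
        return ("referral", zone, ns_ip, ttl)
    return ("nxdomain",)


class FakeClock:
    """Settable clock so TTL expiry can be shown without waiting."""
    def __init__(self):
        self.now = 0

    def __call__(self):
        return self.now


class RecursiveResolver:
    """Plays the DNS server at ISP headquarters: does the iterative work."""
    def __init__(self, clock):
        self.clock = clock
        self.answers = {}       # name -> (ip, expires_at)
        self.delegations = {}   # zone -> (name server ip, expires_at)
        self.contacted = []     # servers contacted by the last resolve()

    def _closest_server(self, name):
        """Start from the deepest unexpired cached delegation, else the root."""
        now = self.clock()
        best_zone, best_ip = "", ROOT
        for zone, (ns_ip, expires) in self.delegations.items():
            if expires > now and in_zone(name, zone) and len(zone) > len(best_zone):
                best_zone, best_ip = zone, ns_ip
        return best_ip

    def resolve(self, name):
        name = name.lower().rstrip(".")
        self.contacted = []
        now = self.clock()
        cached = self.answers.get(name)
        if cached and cached[1] > now:      # still within its TTL
            return cached[0]
        server = self._closest_server(name)
        for _ in range(10):                 # bound the referral chain
            self.contacted.append(server)
            reply = query_server(server, name)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.answers[name] = (ip, now + ttl)
                return ip
            if reply[0] == "referral":      # "go ask someone else"
                _, zone, ns_ip, ttl = reply
                self.delegations[zone] = (ns_ip, now + ttl)
                server = ns_ip
                continue
            return None                     # no such name
        return None


def demo():
    """Resolve the same name at t=0, t=60 and t=601 seconds."""
    clock = FakeClock()
    resolver = RecursiveResolver(clock)
    trace = []
    for t in (0, 60, 601):
        clock.now = t
        ip = resolver.resolve("www.microsoft.com")
        trace.append((t, ip, list(resolver.contacted)))
    return trace


if __name__ == "__main__":
    for row in demo():
        print(row)
```

<p>In <code>demo()</code> the first lookup contacts all three tiers, the second is answered from cache, and the lookup made after the 600-second answer TTL has expired goes straight to the microsoft.com server because the longer-lived delegations are still cached.</p>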
<h2>HOST File</h2>
<p>Yes folks, as I&#8217;ve mentioned in the first article of the series, the HOST file continues to live on till this very day! During step 1 of the process, the DNS resolver actually consults the HOST file to see if it can also find an answer there for a DNS query. Entries in the HOST file are all statically created, which was one of the reasons that led to its downfall.</p>
<p>If the DNS resolver actually finds the answer to a name request within the HOST file, it will return that answer to the application. It doesn&#8217;t matter if the entry is right or wrong. The actual IP address for that host could have changed between the time you made the entry in the HOST file and the time the resolver returns it as an answer. If that is the case, then your browser will not be able to communicate with the destination host. Also, the resolver doesn&#8217;t perform any checks whatsoever. This often leads to users playing a prank on other novice computer users where they would make an entry in the HOST file pointing a specific host to a different IP address. Confusion would ensue once the user realizes that heading to www.facebook.com brings them to the www.myspace.com homepage! The HOST file can also be the target for malware. If malware is allowed to make changes to your HOST file, it could use this same method to direct your browser to a fraudulent web page. Using the same example above, the attackers could set up a website that closely resembles that of www.facebook.com. Because you are at the fraudulent website, any credentials you enter will be captured by the attackers.</p>
<div class="wp-caption aligncenter" style="width: 501px"><a href="http://dl.dropbox.com/u/16029746/251-300/293%20Prank.png" rel="nofollow"><img title="HOST File Prank" alt="HOST File Prank" src="http://dl.dropbox.com/u/16029746/251-300/293%20Prank.png" width="491" height="265" /></a><p class="wp-caption-text">HOST File Prank</p></div>
<span class="sb_information">The HOST file has very limited uses when we compare it to the DNS infrastructure but it still has some uses, especially in limited test environments. The biggest purpose I see in a HOST file is using it as an advertisement blocker. There is actually a group of people out there that maintains and updates a HOST file that you can download and use that is filled with hundreds upon hundreds of entries that direct some of the most popular advertising networks on the Internet back to the IP address of 127.0.0.1. <a href="http://winhelp2002.mvps.org/hosts.htm" target="_blank" rel="nofollow">You can learn more about this special HOST file from here</a>.</span>
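<p>Because the resolver trusts the HOST file without any checks, it is worth auditing. The following is an added example (not code from this blog) that parses HOST file text and reports entries that override domains you care about, while leaving ad-block style entries pointing at 127.0.0.1 alone. The sample file content, the watch list and the function names are constructed for the illustration.</p>

```python
import ipaddress

# Constructed sample HOST file content (not taken from a real machine).
SAMPLE_HOSTS = """\
# Sample HOST file used for the audit below
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example      # ad-block style entry
0.0.0.0         banner.adnet.example
203.0.113.66    www.facebook.com facebook.com
10.0.0.20       8client.contoso.com      # lab entry
198.51.100.7    login.bank.example
not-an-ip       broken.example
"""

# Assumption: the domains whose resolution should never be overridden locally.
WATCHED = {"facebook.com", "bank.example"}


def parse_hosts(text):
    """Yield (line_number, address_text, [hostnames]) for each entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()    # drop comments, then tokenize
        if len(fields) >= 2:
            names = [h.lower().rstrip(".") for h in fields[1:]]
            yield lineno, fields[0], names


def is_watched(host, watched):
    """Match the domain itself or any subdomain, but not look-alike suffixes."""
    return any(host == d or host.endswith("." + d) for d in watched)


def audit_hosts(text, watched):
    """Return findings as (line, kind, address, hostname) tuples.

    kind is "redirect" when a watched name points at a real address,
    "blocked" when it points at loopback or 0.0.0.0, and "malformed"
    when the address field cannot be parsed.
    """
    findings = []
    for lineno, addr_text, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            findings.append((lineno, "malformed", addr_text, hosts[0]))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for host in hosts:
            if is_watched(host, watched):
                kind = "blocked" if sinkhole else "redirect"
                findings.append((lineno, kind, addr_text, host))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(finding)
```

<p>On Windows the file to feed into <code>audit_hosts()</code> is <code>C:\Windows\System32\drivers\etc\hosts</code>; comparing the findings against a known-good copy makes unexpected changes stand out.</p>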
<h2>So Where Do I Fit in the Food Chain?!</h2>
<p>Probably the biggest question you have at this point is just where the heck do you, an average user, fit in? Better yet, how do you own a piece of the Internet? Mere mortals like us obviously don&#8217;t own or have the know-how to manage a personal DNS name server. Also, we don&#8217;t know any of the awesome people who manage the upper level domains! How on earth are we gonna get noticed on the Internet?! The answer? Well, although we don&#8217;t have the resources ourselves, we know of people who do!</p>
<p>I&#8217;m going to use myself as an example. I wanted to create a blog and in order to do that, I needed two things. First, I needed to register the domain name that I want people to reach me at. Secondly, I needed a web host provider to actually host the data and files needed. Like I said above, I obviously can&#8217;t register a domain name by myself. But there are many registrars out there that can help me get this done. For a small fee, of course. Personally, I chose GoDaddy to help me register the anotherwindowsblog.com domain. GoDaddy has special relationships with the organization that does run the .com top level domain so they can help me in this regard. That solves one part of the problem.</p>
<p>For my web host provider, I chose not to go with GoDaddy but instead with HostGator. So now we have a small problem. GoDaddy is responsible for helping me register my name but my hosting is not provided through them. How to solve this problem? Well, it&#8217;s actually very simple. HostGator themselves have name servers that they manage for their hosts. Because my hosting is provided through them, it&#8217;s obvious that when someone is looking for the IP address of www.anotherwindowsblog.com, that answer should come from HostGator&#8217;s DNS servers and not from GoDaddy&#8217;s. How do we make this happen? Again, very simple! I just tell GoDaddy which DNS servers I want to register under my domain name! GoDaddy in turn will help me get that information propagated to the .com name servers. Within a few hours to a day of making that change, the entire world can then reach me at the correct location. If I decide to change my web host to another company, I perform the same procedure. I let GoDaddy know the right name servers my website can be reached at, wait a bit, and BAM! That&#8217;s it.</p>
<p>Once that is done, I really don&#8217;t have to deal with GoDaddy again. Every year, I just make sure to pay my annual fee of about $10 and that would be it. On the HostGator side, things do get more expensive but the concept is the same. I need to make sure I pay my monthly fee and HostGator will continue to make sure that the necessary resource records to reach my website are maintained. Simple, right?!</p>
<h2>In the End&#8230;</h2>
<p>I hope that you&#8217;ve enjoyed this article series! It was fun writing about DNS, one of my most beloved networking topics. There certainly is a lot to take in but if you think about it, it mainly boils down to understanding a couple of key pieces. They include understanding the DNS hierarchy, name servers, resource records and finally, the actual name resolution process itself. Much of the information I&#8217;ve presented in this series was a bit overkill for your average DNS understanding but nonetheless, it should give you an even better understanding of just what goes on behind the scenes.</p>
<p>Now that you have a better understanding of DNS, you&#8217;re probably wondering what its future plans are. DNS has remained largely unchanged throughout the years. If there were changes, they weren&#8217;t big enough to really cause a change in how DNS performs name resolution. However, when DNS was built in the beginning, its creators didn&#8217;t really incorporate security into the process. While the creators did a magnificent job at making DNS as scalable as possible, they really had no way of imagining the threat vectors our networks face on a daily basis years after its creation. <a href="http://en.wikipedia.org/wiki/DNSSEC" target="_blank" rel="nofollow">Well, that&#8217;s about to change with DNSSEC</a>. This technology aims to allow clients to authenticate the origin of DNS responses and to prove that the data has not been modified in any way during its transit. Ultimately, while DNSSEC won&#8217;t really change how DNS functions today, it will bring a huge shift in the security area and that is definitely a good thing. However, DNSSEC still has a long way to go before it sees widespread use.</p>
<p>With that all said, I want to thank you again for taking the time to read this article/series on DNS. As with my reasoning for writing all my technical articles, I really hope that you have learned something useful. You should have realized by now that DNS plays an extremely important part in making the Internet work for millions and millions of users around the world. Can the Internet survive without it? It might. But in reality, it&#8217;s really not possible at the moment to be able to use the biggest network in the world without some sort of name resolution. While it is possible to remember one or even two IP addresses of our favorite websites, it is almost impossible to remember each and every one of them. It is probably impossible to cram our HOST file with every single Internet host in the world. In fact, it is for this very reason that DNS was created in the first place!</p>
<p>So, the next time someone asks you if you know how computers can reach one another on the vast network called the Internet, I hope that by you finishing this article series, your answer will be a definitive YES!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-3.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting to Know DNS! Part 2</title>
		<link>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-2.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-2.html#comments</comments>
		<pubDate>Sun, 24 Feb 2013 17:00:15 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9530</guid>
		<description><![CDATA[In my previous article, Getting to Know DNS! Part 1, I&#8217;ve gone over the very basics of DNS and why it was needed to help power the Internet of today. It is one of the most used network services around the globe on a daily basis. There are literally thousands upon thousands of DNS queries [...]]]></description>
				<content:encoded><![CDATA[<p>In my previous article, <a href="http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-1.html" target="_blank">Getting to Know DNS! Part 1</a>, I&#8217;ve gone over the very basics of DNS and why it was needed to help power the Internet of today. It is one of the most used network services around the globe on a daily basis. There are literally thousands upon thousands of DNS queries per second and it is the job of DNS name servers all over the world to fulfill this role. In this second article, I will actually get a little more technical on what a DNS name server consists of. By now, you should have a much clearer picture of what the DNS hierarchy looks like as well as what a fully qualified domain name (FQDN) consists of. If you aren&#8217;t sure, I&#8217;d suggest you read my previous article prior to reading this one. Here, things get much more technical but you shouldn&#8217;t have to worry one bit. I will do my best to go over each piece of the puzzle in a manner that everyone can understand!</p>
<h2>Name Servers</h2>
<p>All this talk about DNS this and DNS that but I haven&#8217;t taken the time to actually go over what makes DNS tick internally and externally. The better question is, what actually makes DNS function? You already understand the concept of the DNS hierarchy but that&#8217;s the view from way up top. To really understand the distributed nature of DNS and what makes it so scalable, we need to focus our attention on DNS servers, a.k.a. name servers. The good news is that name servers are the building blocks of DNS as a whole. If you understand and can master how a name server functions, you can master DNS as well. However, it&#8217;s easier said than done because name servers can be very complex. How they work and behave leads to the very core of DNS itself. A name server is basically a physical computer or in most cases, a server class computer that hosts zones and resource records. When your computer needs to perform name resolution, for example when you need to look up the IP address for www.google.com, then it is these name servers that get sent the query or request.</p>
<h3>Zones</h3>
<p>Zones are a specific portion of the domain name space. For example, the company Google is responsible for and has total control over the Google.com &#8220;zone&#8221; within the DNS hierarchy. They registered for it so it belongs to them. They manage it with their own DNS name servers at their corporate headquarters. When a name server responsible for the zone it is managing answers a query for a host within its own name space, it is said that the name server is &#8220;authoritative&#8221; for it. They are authoritative because those name servers actually hold the resource records for the hosts. For example, if I need to look up the address for www.google.com, the answer I get back <strong>will not</strong> in most cases be authoritative because the DNS server I was using for the lookup was not one of Google&#8217;s own name servers. My DNS server got the answer either by looking at its cache or by performing an iterative lookup. Don&#8217;t worry, I will go into more detail about these two functions in the final article. However, if I switch things up and ask for the IP address for www.google.com directly from one of Google&#8217;s own name servers that is responsible for that zone, then the answer I get back will definitely be authoritative. Why? Because the name server I issued the query to actually contains the resource record (detailed in the next section) for the host <strong>www</strong> within the google.com zone. The Google DNS name server didn&#8217;t have to look elsewhere to help me find the answer. It itself actually holds the answer!</p>
<p>Although Google is almighty and powerful, it cannot somehow manage other zones for which they have no business managing! For example, while Google has the &#8220;authority&#8221; to manage the Google.com zone, they have none whatsoever when it comes to managing the Microsoft.com or Yahoo.com zone. As you can easily see, the DNS structure allows companies and businesses all over the world to manage their own portion of the name space all without having to worry or even knowing anything about other zones within the DNS hierarchy! Definitely remember this point as the final piece of the puzzle will be put together in the final article.</p>
<p>Below, you can see what happens when I look up the IP address for www.google.com using OpenDNS as my DNS server of choice (which obviously doesn&#8217;t belong to Google). Although I got the answer I was looking for, the answer was not authoritative.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20Nonauth.png" rel="nofollow"><img class="alignnone" title="Non Authoritative Answer" alt="Non Authoritative Answer" src="http://dl.dropbox.com/u/16029746/251-300/292%20Nonauth.png" width="418" height="240" /></a></p>
<p>Below, you can see what happens when I issue the same query for www.google.com but this time, I&#8217;m explicitly using a name server from Google. As expected, I once again got the answer I was looking for but this time, the answer was authoritative. You can tell because the &#8220;Non-authoritative answer&#8221; part was omitted.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20Auth.png" rel="nofollow"><img class="alignnone" title="Authoritative Answer" alt="Authoritative Answer" src="http://dl.dropbox.com/u/16029746/251-300/292%20Auth.png" width="418" height="240" /></a></p>
<span class="sb_information">In most cases, you as the user or DNS client don&#8217;t really have to pay much attention to all this authoritative and non-authoritative dilemma. The reason I am writing it here is because it can better help you understand DNS from a more technical perspective. Almost all of the queries a user will make on a daily basis will mostly consist of non-authoritative answers, which of course is perfectly fine. This issue only becomes a factor if you&#8217;re a DNS administrator.</span>
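<p>Whether an answer is authoritative is carried in a single bit of the 12-byte DNS message header, the AA flag defined in RFC 1035. The following is an added example (not code from this blog) that builds a query and classifies constructed response headers by their flags; the three sample headers and the function names are made up for the illustration, and the referral test is a simplified heuristic.</p>

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035).
QR = 0x8000   # message is a response
AA = 0x0400   # authoritative answer
TC = 0x0200   # truncated
RD = 0x0100   # recursion desired (set by the client)
RA = 0x0080   # recursion available (set by the server)


def build_query(name, txid, recursion_desired=True):
    """Encode a question for the A record of name, class IN."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1 to 63 bytes")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_header(message):
    """Decode the fixed 12-byte header into a dictionary."""
    if len(message) < 12:
        raise ValueError("DNS header is 12 bytes")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def classify(message):
    """Describe a message by its header alone (simplified heuristic)."""
    h = parse_header(message)
    if not h["qr"]:
        return "recursive query" if h["rd"] else "iterative query"
    if h["rcode"] != 0:
        return "error rcode %d" % h["rcode"]
    if h["answers"] > 0:
        return "authoritative answer" if h["aa"] else "non-authoritative answer"
    if h["authority"] > 0 and not h["aa"]:
        return "referral"       # NS records only: go ask someone else
    return "empty response"


# Constructed 12-byte response headers (no record sections follow).
FROM_CACHING_RESOLVER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
FROM_ZONE_NAME_SERVER = struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0)
FROM_TLD_NAME_SERVER = struct.pack("!HHHHHH", 0x1234, QR, 1, 0, 2, 2)

if __name__ == "__main__":
    print(classify(build_query("www.google.com", 0x1234)))
    for sample in (FROM_CACHING_RESOLVER, FROM_ZONE_NAME_SERVER, FROM_TLD_NAME_SERVER):
        print(classify(sample))
```

<p>The first constructed header corresponds to the case where nslookup prints &#8220;Non-authoritative answer&#8221;, the second to a reply from a name server that holds the zone.</p>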
<h3>Resource Records</h3>
<p>Now it&#8217;s time to talk about what makes up the actual &#8220;data&#8221; portion of DNS. DNS name servers of any sort have many things in common and one of those is the storage of resource records. For lack of a better analogy, think of resource records as individual index cards with the physical name server itself as the library. When a user queries a name server or &#8220;library&#8221; for information, it returns resource records or &#8220;index cards&#8221; to the user, which allows the user to easily find the correct server or &#8220;book&#8221; in our analogy. There are many types of resource records but only a couple of them see the most use on a daily basis. A single resource record usually contains a single piece of information about a given computer or host. A popular name server can contain literally thousands upon thousands of individual resource records! In the final article, you&#8217;ll get to see exactly why this is.</p>
<p>Because I personally am most familiar with Microsoft server technology, here I will use a DNS server in my test lab to give you an idea of what a resource record can look like. To get started, I will be briefly going over six of the most used resource record types stored on DNS name servers today. Again, think of each resource record I list here as an individual &#8220;index card&#8221;.</p>
<span class="sb_notification">I don&#8217;t want you to get the idea that every DNS server is a Microsoft DNS server! The DNS service within the Microsoft server operating system is just one method of managing a name server. In the real world however, most companies actually use <a href="https://www.isc.org/software/bind" target="_blank" rel="nofollow">BIND as their DNS software of choice</a>. BIND is actually free of charge but it takes much more skill to manage compared to a Microsoft DNS server. However, in many small to mid-size organizations where a Microsoft network and infrastructure is in place, it makes much more sense to deploy Microsoft&#8217;s own DNS server service as well due to its integration with Microsoft&#8217;s other software and products.</span>
<p><strong>Start of Authority Record = </strong>For every zone, there usually exists a single SOA record. Although there can be many, many name servers serving resource records for a given zone (for redundancy and backup purposes), there can be only one primary or master name server. There are also numerous other pieces of information related to the zone itself contained in the SOA record, such as the email address of the person responsible for managing the zone along with the default Time to Live (TTL). This last bit of information is what we are most interested in and I will be talking about it in the next article. The Time to Live value plays a large role in reducing the burden on DNS servers.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20SOA.png" rel="nofollow"><img class="alignnone" title="Start of Authority" alt="Start of Authority" src="http://dl.dropbox.com/u/16029746/251-300/292%20SOA.png" width="288" height="346" /></a></p>
<p><strong>A or AAAA Record =</strong> This is the most popular resource record in the DNS universe. The main job of a name server is to map host names to IP addresses and this resource record does exactly that! The A record is for IPv4 addresses and the AAAA (quad A) record is for IPv6 addresses. Nonetheless, they both serve the same purpose. In the picture below, notice that a host on my network labeled 8client.contoso.com is mapped to the 10.0.0.20 IP address.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20Arecord.png" rel="nofollow"><img class="alignnone" title="A Resource Record" alt="A Resource Record" src="http://dl.dropbox.com/u/16029746/251-300/292%20Arecord.png" width="247" height="275" /></a></p>
<p><strong>PTR Record =</strong> A pointer record is the exact opposite of an A or AAAA record. Rather than mapping a host name to an IP address, a PTR record maps a given IP address to a host name instead. If you think this record is irrelevant in the real world, think again. It can be equally important as an A or AAAA record depending on the scenario. Also, note that the FQDN&#8217;s IP address is backward in the picture below. This is correct, although the reasoning behind this is largely something you don&#8217;t need to concern yourself with.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20PTR.png" rel="nofollow"><img class="alignnone" title="PTR Record" alt="PTR Record" src="http://dl.dropbox.com/u/16029746/251-300/292%20PTR.png" width="248" height="277" /></a></p>
<p><strong>NS Record =</strong> A name server record gives information to clients about which servers in the zone are authoritative for it. For example, Google can have 5 different name servers that are authoritative for their zone. Therefore, there would be 5 NS records as well within that zone. In my example, I only have one name server in my zone and so that is why I only have one entry. If I had 4 or 5 name servers, they would be listed here as well.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20NS.png" rel="nofollow"><img class="alignnone" title="NS Record" alt="NS Record" src="http://dl.dropbox.com/u/16029746/251-300/292%20NS.png" width="247" height="296" /></a></p>
<p><strong>Mail Exchange Record =</strong> An MX record allows clients to find the server responsible for the handling and delivering of email. In my example, the MX record being shown states that when someone in my zone needs to send an email message, use the server specified in this MX record, which in this case is a server with the host name of &#8216;exchange&#8217; within the contoso.com domain.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20MX.png" rel="nofollow"><img class="alignnone" title="MX Record" alt="MX Record" src="http://dl.dropbox.com/u/16029746/251-300/292%20MX.png" width="247" height="276" /></a></p>
<p><strong>CNAME Record =</strong> A canonical name record is also very important where DNS name servers are concerned. It is also this resource record type that makes DNS so flexible in nature. Basically, a CNAME resource record allows a single computer host to be accessed via multiple names or aliases. A popular example is with the www host label. Some companies don&#8217;t actually like to give their web server a host name of &#8216;www&#8217;. However, users are most familiar with entering www.somecompanyname.com when trying to reach their home page. Therefore, a CNAME record could be created so that whenever someone is looking for a host name of &#8216;www&#8217;, then point them to this server instead. That actual server name could be labeled however the company sees fit. It could actually have a FQDN of toothfairy.contoso.com. The users will still be able to access it because of an awesome resource record type called CNAME!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/292%20CNAME.png" rel="nofollow"><img class="alignnone" title="CNAME Record" alt="CNAME Record" src="http://dl.dropbox.com/u/16029746/251-300/292%20CNAME.png" width="247" height="277" /></a></p>
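<p>To see the six record types above working together, here is an added example (not code from the original article) that stores a small zone as a list of &#8220;index cards&#8221; and answers forward, alias, mail and reverse lookups from it. The names 8client, exchange and toothfairy and the address 10.0.0.20 come from the article; the name server name dc1, every other address, the MX preference and the SOA values are assumptions made up for illustration.</p>

```python
import ipaddress

# Constructed sample zone for contoso.com: (owner name, record type, data).
# Only 8client/10.0.0.20, exchange and toothfairy appear in the article;
# everything else here is an assumption for the example.
ZONE = [
    ("contoso.com.", "SOA", "dc1.contoso.com. hostmaster.contoso.com. 3600"),
    ("contoso.com.", "NS", "dc1.contoso.com."),
    ("contoso.com.", "MX", "10 exchange.contoso.com."),
    ("dc1.contoso.com.", "A", "10.0.0.1"),
    ("8client.contoso.com.", "A", "10.0.0.20"),
    ("exchange.contoso.com.", "A", "10.0.0.30"),
    ("toothfairy.contoso.com.", "A", "10.0.0.40"),
    ("www.contoso.com.", "CNAME", "toothfairy.contoso.com."),
    ("20.0.0.10.in-addr.arpa.", "PTR", "8client.contoso.com."),
]


def fqdn(name):
    """Normalise a name: lower case, ending in the root dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def lookup(name, rtype, zone=ZONE):
    """Return the data of every record with this owner name and type."""
    name = fqdn(name)
    return [data for owner, t, data in zone if owner == name and t == rtype]


def resolve_address(name, zone=ZONE, max_aliases=8):
    """Resolve a name to IPv4 addresses, following CNAME aliases.

    Returns (canonical_name, addresses). Raises ValueError when the
    aliases form a loop or the chain is longer than max_aliases.
    """
    current = fqdn(name)
    seen = set()
    for _ in range(max_aliases + 1):
        if current in seen:
            raise ValueError("CNAME loop at " + current)
        seen.add(current)
        addresses = lookup(current, "A", zone)
        if addresses:
            return current, addresses
        aliases = lookup(current, "CNAME", zone)
        if not aliases:
            return current, []          # name exists nowhere in this zone
        current = fqdn(aliases[0])
    raise ValueError("CNAME chain too long for " + fqdn(name))


def reverse_name(ip):
    """Owner name of the PTR record: octets reversed under in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_lookup(ip, zone=ZONE):
    """Map an IP address back to host names through its PTR record."""
    return lookup(reverse_name(ip), "PTR", zone)


def mail_servers(domain, zone=ZONE):
    """Return (preference, host, addresses) per MX record, best first."""
    result = []
    for data in lookup(domain, "MX", zone):
        preference, host = data.split()
        result.append((int(preference), host, resolve_address(host, zone)[1]))
    return sorted(result)


def forward_confirmed(ip, zone=ZONE):
    """True when the PTR name for ip has an A record pointing back at ip."""
    return any(ip in resolve_address(name, zone)[1]
               for name in reverse_lookup(ip, zone))


if __name__ == "__main__":
    print(resolve_address("www.contoso.com"))
    print(reverse_name("10.0.0.20"), reverse_lookup("10.0.0.20"))
    print(mail_servers("contoso.com"))
    print(forward_confirmed("10.0.0.20"), forward_confirmed("10.0.0.40"))
```

<p>The last check, matching a PTR answer against the A record of the name it returns, is one scenario where the PTR record matters as much as the A record.</p>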
<h2>The Client</h2>
<p>So far, I&#8217;ve only been talking about the server piece of the DNS puzzle. However, DNS is a client/server technology. That client piece of the puzzle is very simple. You are it! Whenever you make a name resolution request, your computer acts as the client while the name server acts as the server. To be more precise, there is a software piece called the DNS resolver that actually does the work. All you need to be aware of is that whenever a request is made for name resolution, the query is handled by the DNS resolver service on your machine. It is the job of the resolver to get the answer you are looking for.</p>
<h2>Coming Up Next&#8230;</h2>
<p>In my final article write-up for this DNS series, I will finally be tying everything I&#8217;ve been talking about in this and my prior article together to give you the final picture of how the client resolver and DNS name servers work together to handle name resolution requests. I certainly had to lay a lot of groundwork before even beginning to talk about the actual process of what goes on in a name resolution request but I felt it was justified and I hope you feel the same way as well! Although many users take DNS for granted on a daily basis, I feel that is so only because they don&#8217;t have a more solid understanding of this awesome service and its inner workings. Things definitely got a little more technical in this second article but I&#8217;m saving the juiciest bit for last. To be better prepared, here are some of the key pieces of information you should have gotten from this article:</p>
<ul>
<li><span style="line-height: 13px;">Understand what name servers are and why they are the building blocks of the entire DNS infrastructure.</span></li>
<li>Understand what zones are and what are considered authoritative and non-authoritative answers to a DNS client query.</li>
<li>Understand what resource records are</li>
<li>Understand the most used resource records in DNS servers today</li>
<li>Understand the client piece of DNS</li>
</ul>
<p>Once you&#8217;ve gotten this part down, it is time to move on to the next and final article in the series. It is time you finally read about how DNS name servers actually process a DNS request and the work that goes into it each and every time this happens. By the end of the third article, I promise that the entire picture will become much more clear!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-2.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting to Know DNS! Part 1</title>
		<link>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-1.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-1.html#comments</comments>
		<pubDate>Fri, 22 Feb 2013 08:54:45 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9507</guid>
		<description><![CDATA[It&#8217;s been a while since I&#8217;ve created this blog but until now, I haven&#8217;t really talked about one of my favorite topic where networking and computers in general are concerned: the domain name system or better known as DNS. I remember being asked recently on just how does the Internet work? Many users know that [...]]]></description>
				<content:encoded><![CDATA[<p>It&#8217;s been a while since I created this blog, but until now I haven&#8217;t really talked about one of my favorite topics where networking and computers in general are concerned: the Domain Name System, better known as DNS. I remember being asked recently just how the Internet works. Many users know that the Internet itself is very big, but they don&#8217;t have a clue as to how a computer on one side of the planet can talk to a computer on the other side. To put it in broader terms, do you have any idea what the heck happens between the time you enter a URL in your favorite browser and press the Enter key and the time the webpage actually appears on your screen? Have you ever wondered how your computer, sitting somewhere in the world, was able to communicate with a web server belonging to Facebook or Twitter, which could also be located anywhere in the world? If so, then this article series is definitely for you! While DNS is definitely a huge topic, the aim of this three-article series is not to turn you into a DNS administrator or expert by the time you&#8217;re finished with it! What I promise is that you will get a much clearer picture of just how computers manage to find each other in the biggest computer network in existence today, the big ol&#8217; Internet!</p>
<h2>Humans Are Stupid</h2>
<p><img class="alignright" title="Doh!" alt="Doh!" src="http://dl.dropbox.com/u/16029746/251-300/291%20Doh.png" width="200" height="184" />One of the first things you should understand about DNS is how computers actually communicate with each other. You see, computer systems believe that we humans are dumb. Why? Because computers locate each other via numbers, which they believe is much more efficient than using letters, symbols and numbers. However, we humans are very bad at remembering a large quantity of numbers. Heck, I&#8217;m the type of guy who has a hard time remembering a single phone number! For us, remembering a name such as Yahoo.com is so much easier than trying to remember 206.190.36.45! That long string of numbers is called an IP address and it actually maps to the Yahoo.com domain name. So, when a user types Yahoo.com into their browser, what the computer actually needs to do is translate or map that domain name to an IP address. This process is called name resolution. Well, that was just one example. There are literally millions and millions of web pages out there, and each and every time you enter a URL, name resolution is performed.</p>
<p>So now you&#8217;re probably thinking that solving this problem is very simple. Just create a master database with all the name and IP address mappings listed within and call it a day. Anytime a computer needed to resolve a name, just have it consult this master database file. Surely that will work, right? The answer is yes, it definitely will. In fact, that&#8217;s how it originally worked, as I explain when I talk about the HOST file in the next section. The next question you then have to ask yourself is just who in the world will manage this database?! Due to the sheer size of the Internet, it will be next to impossible to keep this master database file updated. I&#8217;m sure that with every single second that goes by, there is some sort of change within the thousands and thousands of individual computer networks that have a presence on the Internet. Good luck having someone interview for that job!</p>
<h2>The Dreaded HOST File</h2>
<p>To put things in perspective and give you an idea of just why a system such as DNS was very much needed, you&#8217;d have to go back to the late 60s and early 70s, when the military successfully created one of the first computer networks. This network was called the ARPANET. What this network did is of no great importance where DNS is concerned. What is important in our discussion here however is to understand that at this time, there weren&#8217;t many computers that the administrators needed to keep track of because the network was considered private. The Internet as we know it today obviously didn&#8217;t exist at that specific time period. If there were only 15 computers on the network at any given time, communicating with them was as simple as using a file to map each computer&#8217;s host name to its known IP address. In fact, that&#8217;s exactly what they did! This simple database or file was called the HOST file and its main job is to allow a computer to find the IP address of another computer on the network via its host name. For example, if my computer needed to find the IP address for a host computer called COMPUTER01, then it would look inside the HOST file. Within this file, each entry holds two pieces of information: the IP address and the host name of a given computer. So, having found the host name COMPUTER01 within the HOST file, the computer would also learn its IP address! Therefore, if you had 15 computers on the network, then you would have 15 entries within the HOST file. Simple but efficient. Most importantly, it actually worked great&#8230;&#8230;..at first.</p>
<p>For the curious, the HOST file on a Windows computer is usually located at:</p>
<p>C:\Windows\System32\Drivers\etc</p>
<p>You can use Notepad to open the file. Below is a picture of what an unaltered HOST file looks like:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/291%20HOST.png" rel="nofollow"><img class="alignnone" title="HOST File" alt="HOST File" src="http://dl.dropbox.com/u/16029746/251-300/291%20HOST.png" width="443" height="333" /></a></p>
<span class="sb_information">Ever wonder what happens when a computer is given only the IP address and needs to look up the host name instead of the other way around? Well, the same thing happens. A name resolution would be required. This process, however, rather than being labeled as a &#8220;forward lookup&#8221;, would be labeled as a &#8220;reverse lookup&#8221; instead. The focal point of this article and the next is solely on forward lookups because that type of lookup is what DNS servers all over the globe have to perform the majority of the time.</span>
<h3>Where Did it All Go Wrong?!</h3>
<p>I guess the main theme with the ARPANET was simplicity. Everything needed to be as simple as possible. Why go through the trouble of creating a complex communication system when only a few computers were joined to the network? Now that you know just what exactly the HOST file is and what it looks like, your next question should be just how did they manage it? The answer, as you might have guessed already, is manually by hand! A person responsible for the HOST file made sure that any new computer hosts that joined the network, as well as any that were deleted or had their host name and/or IP address changed, were also reflected in the HOST file. The file would then either be placed on a central server or distributed manually to all the other computers on the network. If COMPUTER01 changed its IP address, then the administrator for the master HOST file had to make this change as quickly as possible, otherwise other computers on the network wouldn&#8217;t be able to communicate with it! Even if the administrator quickly made the change to the file, there still could be problems because a computer might not have updated its HOST file to this newest version! As you can quickly see, even on a small network such as the ARPANET, a much more efficient method for name resolution was needed. As the ARPANET grew in size (again, it&#8217;s not imperative to know why or how it grew but just the fact that it grew to a much bigger size is enough), so did the need for a more efficient system for computers to map host names to IP addresses!</p>
<h3>Make it Go Away!</h3>
<p>Well, by now, you should realize that having a person manually updating the HOST file for hundreds and millions of computer hosts on a network is literally asking that person to commit career suicide. It&#8217;s just not feasible, nor is it probably even possible! Well, luckily in 1983, a computer scientist named Paul Mockapetris created the Domain Name System and you can thank or worship whichever deity you choose that he did! It&#8217;s a brilliant system and it works extremely well. I&#8217;d say the fact that we still use it today is a testament to the system&#8217;s reliability and, more importantly, its scalability. At this point, you&#8217;d expect me to completely drop the subject of the dreaded HOST file but that is where you are wrong, my dear readers. You see, the HOST file is actually still in use today even with DNS succeeding it! For backward compatibility purposes and for very specific scenarios, the HOST file still exists within our systems. In fact, this may come as a shock to some but as I&#8217;ll explain in the next article, a computer resolving a host name actually looks at the HOST file for the answer first before making an attempt at using DNS!</p>
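<p>Because the HOST file is consulted before DNS, an entry in it silently replaces whatever DNS would have answered, which makes the file worth reviewing on any machine you look after. The following added example (not code from the original article) parses HOST file text, resolves names in that order, and lists entries that hide a different DNS answer. The sample file contents, the stub DNS table and all function names are assumptions constructed for illustration.</p>

```python
import ipaddress

# Constructed sample with the same layout as a Windows HOST file
# (C:\Windows\System32\Drivers\etc\hosts); not taken from a real machine.
SAMPLE_HOSTS = """\
# constructed sample, same layout as a Windows HOST file
127.0.0.1       localhost
::1             localhost
10.0.0.20       computer01 COMPUTER01.contoso.com   # lab workstation
10.0.0.99       www.example.com
not-an-ip       broken.example.com
"""

# Constructed stand-in for real DNS answers so the example runs offline.
# A real review would pass in a function that queries a DNS server directly.
FAKE_DNS = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
    "computer01.contoso.com": ["10.0.0.20"],
}


def stub_dns(name):
    """Hypothetical DNS lookup: return the addresses DNS would give."""
    return FAKE_DNS.get(name, [])


def normalise(name):
    """Host names are case-insensitive; drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Parse HOST file text.

    Returns ({name: [addresses]}, [(line number, raw line)]) where the
    second item lists lines that could not be used.
    """
    table, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, raw))       # first field is not an IP
            continue
        if len(fields) == 1:
            rejected.append((lineno, raw))       # address without a name
            continue
        for name in fields[1:]:
            table.setdefault(normalise(name), []).append(ip)
    return table, rejected


def resolve(name, hosts_table, dns_lookup):
    """Answer from the HOST file first; ask DNS only when it has no entry."""
    key = normalise(name)
    if key in hosts_table:
        return hosts_table[key], "hosts"
    return dns_lookup(key), "dns"


def audit(hosts_table, dns_lookup):
    """List HOST file entries whose addresses differ from the DNS answer."""
    findings = []
    for name, ips in sorted(hosts_table.items()):
        dns_ips = dns_lookup(name)
        if dns_ips and set(ips) != set(dns_ips):
            findings.append((name, ips, dns_ips))
    return findings


if __name__ == "__main__":
    table, rejected = parse_hosts(SAMPLE_HOSTS)
    print(resolve("www.example.com", table, stub_dns))
    print(resolve("mail.example.com", table, stub_dns))
    print("unusable lines:", rejected)
    print("entries overriding DNS:", audit(table, stub_dns))
```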
<h2>The Domain Name System</h2>
<p><img class="alignright" title="Growing in Size" alt="Growing in Size" src="http://dl.dropbox.com/u/16029746/251-300/291%20Growing.png" width="225" height="169" />Alright, enough talk about the HOST file. No talk about DNS is complete without mentioning the HOST file because it is important you understand how name resolution worked in the past to really understand how DNS truly saves the day. You can think of DNS as a hierarchical system with many different levels and branches. Think of it like this. If you have a really big task to accomplish, wouldn&#8217;t it make sense to break that task up into smaller portions and delegate those portions to different groups of individuals? Well, this is the building block for DNS. As the network grew, it simply was not possible to have one governing body to rule them all. Instead, DNS breaks the namespace into more manageable chunks so that different organizations manage a specific portion of the namespace. Well, OK, what I just said wasn&#8217;t really all that true. There is actually a governing body that rules over the Internet namespace, sort of.</p>
<p>To more easily picture this, think of DNS as a pyramid with many different levels. A single period or dot separates each level of the hierarchy. At the very top of the hierarchy, you have the root domain. The root domain is actually the topmost level of DNS and is represented as just a single &#8220;.&#8221; or period. Right below this root domain are what are called the top level domains. This is what many of you are familiar with, I&#8217;m sure. Top level domains include .com, .net, .info, .biz, .org, .edu, .mil and a host of many others. In fact, each country actually has its own country domain to represent it based on its country code. For the United States, we have the .us domain. For Hong Kong and China, they have the .hk and .cn domains, respectively. As you might have guessed already, each top level domain has a specific purpose, or at least that&#8217;s how it&#8217;s supposed to go. The .com domain is mainly meant for commercial businesses. Educational institutions would use the .edu domain. Military websites usually end with the .mil top level domain. There are definitely exceptions to these rules and so they are not set in stone. In fact, I just broke one of the rules myself! Here at www.anotherwindowsblog.com, I am definitely not a commercial business but I can still use the .com domain. Yes folks, a bit of money (or a lot in some cases) usually goes toward this being possible!</p>
<p style="text-align: center;"><a href="http://dl.dropbox.com/u/16029746/251-300/291%20Dnspyramid.png" rel="nofollow"><img class="aligncenter" title="DNS Pyramid" alt="DNS Pyramid" src="http://dl.dropbox.com/u/16029746/251-300/291%20Dnspyramid.png" width="379" height="196" /></a></p>
<p>Immediately below the top level domains, we have our second level domains and here is where things get more interesting. Second level domains are where mere mortals like us actually get to own a piece of the Internet, so to speak. Each level of the DNS pyramid is maintained by different organizations. If this wasn&#8217;t the case, I&#8217;m sure mass chaos would ensue! The root domain is maintained by a very special group of people. They in turn delegate authority of the .com, .net, .info, .mil and all the other top level domains to other organizations. These organizations in turn delegate authority of second level domains to normal businesses and companies that want to have a public presence on the Internet. In most cases, this level is also where Internet Service Providers (ISPs) reside.</p>
<p>What are some of the second level domains you ask? Here are some examples: CNN, Facebook, Twitter, Yahoo, Microsoft, ESPN and a host of others. I&#8217;m sure you get the idea. If that still doesn&#8217;t ring a bell, how about looking at it from this angle: cnn.com, facebook.com, twitter.com, yahoo.com and microsoft.com. Looks more familiar right? Well of course it does! This is how we get to websites within our browsers every day! What this means is that those companies actually took the time to register their company names within the .com top level domain. They either paid a yearly fee to the organization that manages the .com top level domain or paid through some other third party organization. This allows them to have a public presence on the Internet because whenever a client wants to reach a server located within the Microsoft.com domain, the .com DNS servers have the necessary information to point the user to the right location. This will be much clearer in my next article.</p>
<span class="sb_information">Although these companies have registered their domain names publicly on the Internet, there is nothing stopping me from creating a test network or lab using the same name! For example, I could easily create my own local network with a domain name of microsoft.com, and I know for sure I won&#8217;t be receiving any letters in the mail from Microsoft themselves asking to see me in court. The problem with this approach arises anytime I need a public presence on the Internet. As you might have suspected, Internet registrars will not let me register the Microsoft.com domain name because it has already been registered by the Microsoft team themselves.</span>
<h3>Sub-domains and FQDN&#8217;s</h3>
<p>By now, you should have a better understanding of the DNS system, if just a bit more. Continuing on, your next question would probably be just where the heck does the WWW portion come into play? So far, I&#8217;ve talked about the root, top level and second level domains. So is WWW another domain level on the DNS pyramid? To better understand the answer, we now focus our attention on subdomains and fully qualified domain names. Let&#8217;s use Microsoft as the example here. If Microsoft registered for the Microsoft domain name within the .com top level domain, wouldn&#8217;t it make sense for Microsoft to be in charge of any other domains they want to create under the Microsoft.com parent domain name? Of course it does! When Microsoft wants to create a new domain under Microsoft.com, what they are doing is creating a sub or child domain. For example, Microsoft could decide to create a new domain within their company for their sales department and name it Sales. The sales child domain would now fall under its parent domain of Microsoft.com. Together, the entire domain would be sales.microsoft.com. Microsoft doesn&#8217;t really need permission to create this child domain. They just need to make sure that users can reach it. If users can connect to Microsoft.com, which is the &#8220;root&#8221; domain at Microsoft headquarters, then it is the responsibility of Microsoft themselves to make sure that users can also reach computers within the sales.microsoft.com domain. The .com domain is just responsible for directing users to Microsoft.com, in most cases.</p>
<p style="text-align: center;"><a href="http://dl.dropbox.com/u/16029746/251-300/291%20Subdomains.png" rel="nofollow"><img class="aligncenter" title="Subdomains" alt="Subdomains" src="http://dl.dropbox.com/u/16029746/251-300/291%20Subdomains.png" width="410" height="286" /></a></p>
<p>The last piece of the DNS puzzle is the computer hosts themselves and how they fit into DNS. This part is very important to understand because it forms the basis of name resolution. Continuing the Microsoft example, they can have a number of hosts within the Microsoft domain and likewise within their Sales domain. If a physical computer in the parent domain (Microsoft) is labeled Alice, what do you think this computer&#8217;s label within the DNS hierarchy would look like? Simple. Once again, we just add another dot after the label to separate the different levels of the DNS pyramid. So, the complete computer name for a computer named Alice within the Microsoft.com domain would be: Alice.Microsoft.com. When labeled this way, this can also be considered the fully qualified domain name (FQDN) of the computer. A FQDN label is basically a computer&#8217;s name from the very bottom of the DNS pyramid all the way up to the root domain of DNS. In other words, a simple look at a FQDN tells you where that specific computer host sits within the DNS pyramid. One look at the FQDN I&#8217;ve given earlier immediately lets me know that there is a computer with a name of Alice within the Microsoft domain, which is registered under the .com domain and of course, that in turn is under the root domain.</p>
<p>Going with our child domain example, how would the FQDN of a computer host with a name of Bob look within the Sales domain? Simple. Once again, we just tack on the extra information. So, the FQDN would look like: Bob.Sales.Microsoft.com. Once again, given this information, we can easily see how this specific computer fits in the DNS hierarchy from the very bottom all the way back up to the root.</p>
<span class="sb_information">You should remember that the topmost domain in the DNS pyramid, the root, is an actual domain and it is not there just to look pretty! When talking about a FQDN, the root domain actually gets appended to the label as well. Because the root domain is just represented as a single dot, a FQDN should always end with a dot as well. Microsoft.com is incomplete. Microsoft.com. is the actual FQDN. However, most browsers automatically append this special &#8220;.&#8221; for you when you enter a URL because while many users know about top level domains such as .com and .net, they most likely have no clue about the root domain, which sits above the top level domains! You most likely don&#8217;t belong in this category anymore after reading this article! Hey, you&#8217;re now considered smarter than the rest of the average Joes where name resolution is concerned!</span>
<h3>Hold Up, Wait a Minute&#8230;</h3>
<p>By now you may have noticed a simple pattern when looking at a FQDN. The leftmost portion (or the beginning) of the FQDN represents an actual computer host name. In other words, it represents an actual computer on a network. By now something should have struck you as very odd and peculiar. If what I just said was true, then am I actually telling you that when you type in a URL of <strong>www.</strong>cnn.com that the www part is actually a real computer behind the scenes? Well, yes, that is exactly what I&#8217;m saying! When you enter a URL such as www.cnn.com, what your computer actually does is request the IP address for the computer named <strong>www </strong>within the cnn.com domain. In almost all cases, the address returned is the IP address for the computer named <strong>www</strong>, which in all likelihood is a web server of some sort. This isn&#8217;t always the case as companies deploy many security solutions to protect their resources but for the nature of this discussion, you can go ahead and believe just that to simplify things. In the next article, I will actually go more into the details of the name resolution process so you can see exactly what happens.</p>
<h2>Coming Up Next&#8230;</h2>
<p>In the next article, I&#8217;ll actually be explaining what name servers are and the data that is stored within them. In this article, I&#8217;ve laid down the very basics of the DNS structure and namespace. This was obviously not meant to be a technical article and I&#8217;ve tried my best to really make things as simple as possible without overloading you with different terminologies. Here are some of the key pieces of information you need to understand from this article prior to continuing on to the next:</p>
<ul>
<li><span style="line-height: 13px;">Understand how computers communicate at a very high level. The key takeaway is that humans use names such as www.cnn.com while computers use IP addresses, or numbers, such as 192.168.1.1, to represent the same piece of information. This ultimately leads to a need for name resolution.</span></li>
<li>Understand how the HOST file works. Although this file is rarely used in all but the most specific of scenarios and circumstances, it gives you a good understanding for why a system such as the DNS was sorely needed.</li>
<li>Understand what the DNS pyramid, or hierarchy to be more precise, looks like. You should understand that the system is broken down into different levels, which can be managed by different organizations.</li>
<li>Understand what a FQDN looks like and how it is used to map a specific host from the very bottom of the DNS hierarchy all the way back up to the root domain and vice-versa.</li>
</ul>
<p>Once you are confident in your knowledge, you can safely <a href="http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-2.html" target="_blank">move on to the next article where things get a bit more technical</a>!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/02/getting-to-know-dns-part-1.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Survive a Hard Disk Failure by Using RAID 1</title>
		<link>http://www.anotherwindowsblog.com/2013/02/survive-a-hard-disk-failure-by-using-raid-1.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/02/survive-a-hard-disk-failure-by-using-raid-1.html#comments</comments>
		<pubDate>Sat, 16 Feb 2013 00:28:15 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Hard Drive]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9491</guid>
		<description><![CDATA[I&#8217;ve met a lot of paranoid people during my time working with them and their computers. This is especially true where hard disks are concerned. Yet, the fault can&#8217;t all be put on them. However, many users still don&#8217;t understand that computers, especially hard drives, can and will malfunction at one point or another and [...]]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve met a lot of paranoid people during my time working with them and their computers. This is especially true where hard disks are concerned. Yet, the fault can&#8217;t all be put on them. However, many users still don&#8217;t understand that computers, especially hard drives, can and will malfunction at one point or another and when that happens, all of their data will disappear. There are definitely a lot of different ways <a href="http://www.anotherwindowsblog.com/category/backups" target="_blank">to back up your precious data</a>. Many of them consist of using backup software so that you can either manually back up your data or define a schedule and have it done automatically for you. However, one major factor can have a big impact on your computer and data: the physical hard disk itself. If you are worried about a hard disk malfunctioning and have the need to be back up and running in as little time as required, then a RAID 1 array is just what the doctor ordered!</p>
<span class="sb_information">For Windows 8 users, rather than using traditional RAID technology as shown in this article, you have the option of using Microsoft&#8217;s newest offering where disk storage and redundancy is concerned, Storage Spaces. The concept works very similarly to RAID. I&#8217;ve talked about Storage Spaces exclusively on a specific blog post, <a href="http://www.anotherwindowsblog.com/2012/08/how-to-use-storage-spaces-in-windows-8-for-backup-purposes.html" target="_blank">which you can find here</a>.</span>
<h2>What is a RAID 1 Mirror?</h2>
<p>When it comes to the physical hard disks within your computer, there is a technology called RAID (Redundant Array of Independent/Inexpensive Disks) that allows you to pool one or more hard disks together so that more can be achieved from them than if those hard disks were left alone to each work by itself. With RAID technology, you usually get to achieve two different goals: faster speed and more redundancy or reliability to your data. With RAID, there are also many different levels that allow you to achieve a mixture of speed and/or redundancy. The most popular implementations of RAID include RAID levels 0, 1 and 5. The more popular choice where home users and a need for redundancy are concerned is RAID 1, also called mirroring.</p>
<p>If you had one hard drive full of important data, wouldn&#8217;t you agree that one of the most efficient ways to back up that data should that hard disk fail is to make a copy of the original data and write it onto another physical hard disk? In other words, doesn&#8217;t it make sense to make a near 1:1 copy of that data elsewhere? If what I just said makes a lot of sense to you, then you just basically understood what RAID 1 is all about! I&#8217;ve always tried my best to teach users that backing up data does not have to be complicated at all. Heck, you could easily just do a copy of your important data, paste it onto your removable USB thumb drive and call it a day. You end up with a backup copy on the thumb drive so that if something disastrous happened to the original copy, you&#8217;d still be saved. However, I doubt you&#8217;d want to manually copy and paste data files back and forth each and every time you&#8217;ve created or modified a file. That is where a RAID 1 mirror comes into play.</p>
<p>As its name suggests, a RAID 1 &#8220;mirrors&#8221; every single piece of data you have on one hard disk and duplicates it onto a second physical hard disk automatically. This means that if you have 10,000 files on disk 1, you&#8217;d have the exact same 10,000 files on the mirrored drive, disk 2. If you erase 5,000 files from disk 1, then those same 5,000 files will also be erased from disk 2. This makes disk 2 an exact mirror of disk 1. All of this happens without you ever having to initiate any sort of backup software or waiting for a specific backup schedule to kick in.</p>
<p style="text-align: center;"><a href="http://dl.dropbox.com/u/16029746/251-300/290%20RAID1.png" rel="nofollow"><img class="aligncenter" title="RAID 1 Diagram" alt="RAID 1 Diagram" src="http://dl.dropbox.com/u/16029746/251-300/290%20RAID1.png" width="352" height="327" /></a></p>
<h2>Advantages and Disadvantages</h2>
<p>As with all things in life, nothing is perfect and implementing a RAID 1 mirror is no exception. You need to understand what RAID 1 can and cannot do for you prior to relying on it:</p>
<p><strong><span style="color: #008000;">Easy setup</span></strong> &#8211; Setting up a RAID 1 mirror within Windows is extremely easy. I mean it. It just takes a couple of mouse clicks!</p>
<p><span style="color: #008000;"><strong>Automatic</strong> </span>&#8211; Once configured, Windows will take care of everything for you. From then on, every existing, newly created and modified file will be automatically mirrored to the other disk, all without you having to do anything.</p>
<p><strong><span style="color: #008000;">Minimize downtime</span></strong> &#8211; RAID 1 minimizes downtime from a hard disk failure. If your original drive suffers a hardware malfunction for any reason, you can quickly get your system back up and running by booting to the mirrored disk (assuming you mirrored the system drive and not a data only drive).</p>
<p><span style="color: #ff0000;"><strong>50% Overhead</strong></span> &#8211; By implementing a RAID 1, you are essentially paying a 50% penalty. For example, if the original hard drive that you want to mirror is 500GB in size, then your mirrored disk will have to be equal to or larger in size as well. Essentially, you are using 1TB of storage space to store 500GB of data, hence the 50% penalty.</p>
<p><strong><span style="color: #ff0000;">Not real &#8220;backup&#8221;</span></strong> &#8211; I think this is debatable as it really depends on how you work with your data and computer in general. Many users don&#8217;t consider a RAID 1 implementation as a substitute for a real backup solution due to some of the following reasons:</p>
<ol>
<li>Because both your original and mirrored disk are most likely inside your computer, a natural disaster such as a house fire has a good chance of destroying both hard disks. If a burglar physically steals your computer tower, then both physical disks are lost to you as well.</li>
<li>A RAID 1 mirror doesn&#8217;t provide any &#8220;point in time&#8221; copies of your data the way real backup software does. If you&#8217;ve mistakenly overwritten an important document, that erroneous change will also be reflected on your mirrored disk. RAID 1 doesn&#8217;t know the change you&#8217;ve just made was unwanted nor does it actually care. All it does is mirror everything you do on the primary disk onto the secondary.</li>
<li>Viruses and malware that infect your original drive will also be &#8220;mirrored&#8221; onto the other disk. If the malware renders your documents useless, your mirrored disk will reflect this change as well.</li>
</ol>
<span class="sb_notification">Whether a RAID 1 can be considered a true backup solution is debatable. Again, this all depends on what risks you are willing to take and whether they are acceptable to you or not. Not having a data backup in an offsite location is not acceptable to some but perfectly warranted for others. My advice once again is that prior to implementing a RAID 1 solution, think about whether or not it fits your computer usage style.</span>
<p><strong><span style="color: #ff0000;">Portability</span> </strong>- If you plan on moving disks in a RAID 1 mirror to another computer, things can get complicated very quickly. If you are not experienced in RAID technology, just &#8220;pretend&#8221; that moving disks from a RAID 1 array to a different system cannot be accomplished. This will save you a headache for now. If you do wish to perform this feat, which is definitely possible, then you should take a look at using a hardware based RAID solution rather than a software based RAID as what I will be showing you here.</p>
<p><span style="color: #ff0000;"><strong>Computer crash</strong> </span>&#8211; If your computer will not boot at all and it&#8217;s not due to an issue with your hard disks, then you will be left completely in the dark. Although you might have a working laptop or secondary computer, you won&#8217;t be able to access your data on the RAID 1 array (assuming no online backup of the data you need to work with exists) without extra work such as physically removing one or both of those disks and getting it to work on that secondary computer, which once again brings up the portability problem above.</p>
<p>As you can see, there is definitely a lot to think about prior to implementing RAID 1. Although this technology is mainly used in business environments, they usually have some other type of true backup system in place as well. Using RAID 1 for them in this situation is just to minimize downtime. For home users, there is much less incentive in creating a RAID 1 array in anything but the most specific of scenarios. If, having read all this, you are still interested, then read on!</p>
<h2>Creating a Software RAID 1 Array in Windows</h2>
<span class="sb_information">I am demonstrating this in Windows 8 but the steps should be equally similar under Windows 7 as well.</span>
<p>The first thing to do is install a second physical hard disk in your computer system. Remember, this mirrored disk will need to be equal or larger in size than the drive you are going to be mirroring from. Once booted into Windows, head over to Disk Management and you should see a pop up window asking you to initialize your new disk. Hitting OK should be fine in most cases. In this simple demo, I will simply be mirroring my system drive. For home users, this is the most likely scenario as well.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Initialize.png" rel="nofollow"><img class="  alignnone" title="Initialize Disk" alt="Initialize Disk" src="http://dl.dropbox.com/u/16029746/251-300/290%20Initialize.png" width="330" height="250" /></a></p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Setup.png" rel="nofollow"><img class="alignnone" title="Disk Setup" alt="Disk Setup" src="http://dl.dropbox.com/u/16029746/251-300/290%20Setup.png" width="472" height="173" /></a></p>
<p>To create a mirror of my system drive, Disk 0, I simply right-click on the first partition on Disk 0 and select &#8220;Add Mirror&#8221;.</p>
<span class="sb_error">I&#8217;m not quite sure why I wasn&#8217;t able to right click on the Disk 0 option instead to mirror the entire disk in one step. I was only able to mirror individual volumes one at a time on the primary disk. Converting my original and mirrored disk to the dynamic type prior to adding the mirror still didn&#8217;t give me the option to select &#8220;Add Mirror&#8221; on the entire Disk 0. Strange.</span>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Addmirror.png" rel="nofollow"><img class="alignnone" title="Add Mirror" alt="Add Mirror" src="http://dl.dropbox.com/u/16029746/251-300/290%20Addmirror.png" width="470" height="224" /></a></p>
<p>On the next screen, I need to choose which disk will be the mirror. As I only have one extra and empty disk, I will select that one (Disk 1).</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Choosemirror.png" rel="nofollow"><img class="alignnone" title="Choose Mirror" alt="Choose Mirror" src="http://dl.dropbox.com/u/16029746/251-300/290%20Choosemirror.png" width="272" height="254" /></a></p>
<p>You might then be presented with a notification pop up window. This is letting you know that it will convert your basic disks to dynamic disks. As basic disks can&#8217;t be used for RAID, they must be converted to dynamic disks.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Convert.png" rel="nofollow"><img class="alignnone" title="Convert Dynamic" alt="Convert Dynamic" src="http://dl.dropbox.com/u/16029746/251-300/290%20Convert.png" width="397" height="158" /></a></p>
<p>Once you hit Yes, the process will commence. Once the first partition has completed its sync process, I then proceed to mirror my main C: partition and repeat the process:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Resynching.png" rel="nofollow"><img class="alignnone" title="Resynching" alt="Resynching" src="http://dl.dropbox.com/u/16029746/251-300/290%20Resynching.png" width="540" height="198" /></a></p>
<p>Once the resynching process has completed for the second volume, I will then have a perfectly mirrored disk!</p>
<h2>Breaking and Removing the Mirror</h2>
<p>Once the mirror is configured and completely synced with each other, everything now happens transparently and after a couple of days (or hours), you&#8217;ll most likely forget that the mirror was actually there! However, there are times when you want to break or remove the mirror. For example, if you decide that the mirror is no longer needed and that you&#8217;d much rather use the secondary hard disk for a different purpose, then you&#8217;ll want to break/remove the mirror. Breaking and removing a mirror are two different things.</p>
<h3>Breaking a mirror</h3>
<p>When you have a perfectly working mirrored set but no longer have a need for it, you can either break or remove the mirror. The main difference between breaking and removing a mirror is that the former does not erase and reformat the secondary disk after the mirror configuration has been deleted. All of your mirrored data will still reside on it and you can then physically remove the disk from your system. To break a mirror, simply right-click on the secondary disk within the mirror set and select &#8220;Break Mirrored Volume&#8221;. Of course, you then receive a warning that doing so will break the data redundancy.</p>
<p><img class="alignnone" alt="" src="http://dl.dropbox.com/u/16029746/251-300/290%20Breakwarning.png" width="469" height="171" /></p>
<p>However, if you are trying to break a system mirror, you&#8217;ll receive an error message stating that the mirror is the current system or boot plex. It seems you&#8217;re stuck at a dead end since the mirror is still active and ongoing. <a href="http://support.microsoft.com/kb/969749" target="_blank">According to Microsoft</a>, this is by design and the correct way to break a system mirror is by using the Diskpart.exe command line utility as described in the KB article I&#8217;ve linked to.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Breakerror.png" rel="nofollow"><img class="alignnone" title="Break Error" alt="Break Error" src="http://dl.dropbox.com/u/16029746/251-300/290%20Breakerror.png" width="404" height="171" /></a></p>
<p>Here are the commands I used to successfully break the mirror:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Breakdisk.png" rel="nofollow"><img class="alignnone" title="Break Disk" alt="Break Disk" src="http://dl.dropbox.com/u/16029746/251-300/290%20Breakdisk.png" width="473" height="238" /></a></p>
<p>I had to perform that procedure twice, first for the C: volume and the second for the system reserved partition, volume 2. You can see the results below where the mirror is clearly broken but the data is still preserved on my secondary disk. Windows will automatically assign the next available drive letters to the volumes on the mirrored disk. If I now head into Computer, I will see both the C: and E: volumes along with F:. Both C: and E: contain the exact same set of files as each other. However, because the mirror configuration is now broken, any data I add or modify from then on to C: will not be duplicated to E:.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Breakresults.png" rel="nofollow"><img class="alignnone" title="Break Results" alt="Break Results" src="http://dl.dropbox.com/u/16029746/251-300/290%20Breakresults.png" width="455" height="220" /></a></p>
<h3>Removing a mirror</h3>
<p>Fortunately, removing a mirror is much easier than breaking a mirror because it&#8217;s much more destructive! Remember that when you remove a mirror, all data on the secondary disk will be destroyed! In most cases, you will need to remove a mirror once one of the disks within the mirror set fails completely. Because Windows will not be able to connect to the failed disk, you will not have the opportunity to &#8220;peacefully&#8221; break the mirror. A remove operation is needed. To do so, simply right-click a disk within the mirror and select &#8220;Remove Mirror&#8221;. You then need to specify which actual disk you want to remove the mirror from and confirm your selections. Once they have been removed, you can see that my secondary disk has been reformatted:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Removeresults.png" rel="nofollow"><img class="alignnone" title="Remove Results" alt="Remove Results" src="http://dl.dropbox.com/u/16029746/251-300/290%20Removeresults.png" width="491" height="172" /></a></p>
<h2>Booting to the Mirrored Disk</h2>
<p>Finally, let&#8217;s see what happens when our primary disk fails. If all goes according to plan, booting to the secondary mirror is a piece of cake. Why? Because when you created the mirror, Windows knew that you were creating a mirror of the system/boot drive. It then automatically added an entry for you in the boot manager to boot from the secondary disk should it not detect the primary during startup! To simulate a disk failure, I&#8217;m just going to disconnect the primary disk.</p>
<p>First, Windows will immediately notice that something has gone wrong and kindly state that we need to perform some sort of recovery as seen below. If you look way down below, you&#8217;ll see an option to use/boot into a different operating system. That is exactly what we need to do because remember, the secondary mirrored disk is an exact clone of the original and so there really isn&#8217;t a reason why we can&#8217;t boot to it. In fact, that&#8217;s one of the main benefits of creating a RAID 1 mirror of your system drive in the first place!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Recovery.png" rel="nofollow"><img class="alignnone" title="Recovery" alt="Recovery" src="http://dl.dropbox.com/u/16029746/251-300/290%20Recovery.png" width="385" height="330" /></a></p>
<p>As I mentioned a bit earlier, Windows automatically wrote a new entry to the boot manager at the time we created our mirror so that we can boot to the mirrored disk. You can see the results here as I can now simply choose to boot to the secondary plex. That&#8217;s just a fancy word for the secondary mirror so don&#8217;t be too alarmed.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Secondaryplex.png" rel="nofollow"><img class="alignnone" title="Secondary Plex" alt="Secondary Plex" src="http://dl.dropbox.com/u/16029746/251-300/290%20Secondaryplex.png" width="420" height="236" /></a></p>
<p>Once I have made my selection, as expected, I will be right back inside my Windows system with hardly any changes at all. At this point, Disk Management will also realize something is wrong with our mirror setup and it will reflect as such:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/290%20Failed.png" rel="nofollow"><img class="alignnone" title="Failed Redundancy" alt="Failed Redundancy" src="http://dl.dropbox.com/u/16029746/251-300/290%20Failed.png" width="467" height="181" /></a></p>
<p>At this point, you either have the option of reconnecting the failed hard disk back to the system (assuming it has been fixed) or, in all likelihood, removing the mirror and starting from scratch. Remember, you can&#8217;t really break the mirror at this point because that can be achieved only when the mirror is in a healthy state. Also, &#8220;removing&#8221; the mirror can also be misleading because as I said earlier, removing it will cause all data on the disk to be erased. But the failed disk is not connected to the system so how can this be?! Well, this again is misleading. The data on the failed hard disk technically still resides on the disk, assuming you have a method of getting to it such as accessing it via a Live Ubuntu DVD. But this is not necessary because you are now using your mirrored disk, which up to the point your primary disk failed, contains the exact set of data and files. Therefore, you really don&#8217;t need the failed hard disk anymore.</p>
<span class="sb_information">It&#8217;s still equally important to understand that just because you think the hard disk has physically failed doesn&#8217;t automatically mean that data on that disk are unreadable. In fact, it would be a grave mistake if you just threw out that failed hard disk onto the streets!</span>
<p>If you want to re-mirror your now primary disk, you simply repeat the steps by configuring a new mirror for it. Of course, you will need to purchase a new physical hard disk for this to happen!</p>
<h2>In the End&#8230;</h2>
<p>You should now have some good idea of where a RAID 1 fits in your computing lifestyle, if at all. Again, I&#8217;d like to admit that implementing a RAID 1 solution for home users is only appropriate in the most specific of scenarios. In most cases, this is the fear or paranoia of a physical hard disk going bad. If the thought of having to completely reinstall an operating system and taking the time to migrate data over from a backup elsewhere is daunting to you, then a RAID 1 mirror might just be for you. Think of it as an always up-to-date &#8220;clone&#8221; of your primary hard drive. With software image backup solutions, you get to create a full system image backup of your computer, which is great. However, your data is constantly changing and revolving and this image that you create initially quickly becomes outdated unless a new image is created every so often or you implement a different backup strategy in addition to the image backup. With a RAID 1 mirror array, your secondary disk is exactly the same as your primary at all times. No intervention on your part is necessary besides the initial setup and configuration.</p>
<p>But it would be ill advised to treat a RAID 1 mirror as your only and sole backup solution scheme unless you are absolutely sure of what the risks entail from doing so. However, if you create a supplementary backup scheme to go along with it, RAID 1 will start to look much more promising, especially if you have the requirement of getting back up and working on your system as quickly as possible after a single physical hard disk failure!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/02/survive-a-hard-disk-failure-by-using-raid-1.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WebMail Encryption with Mailvelope</title>
		<link>http://www.anotherwindowsblog.com/2013/02/webmail-encryption-with-mailvelope.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/02/webmail-encryption-with-mailvelope.html#comments</comments>
		<pubDate>Sat, 09 Feb 2013 03:03:05 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Browsers]]></category>
		<category><![CDATA[Emails]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9477</guid>
		<description><![CDATA[Email encryption is something I&#8217;ve always pushed for to whomever is willing to listen! One of the hardest part when it comes to email encryption is the user factor. Many users just don&#8217;t see a need to use a desktop email client just to implement some type of email encryption. Many of us are more [...]]]></description>
				<content:encoded><![CDATA[<p>Email encryption is something I&#8217;ve always pushed for to whomever is willing to listen! One of the hardest parts when it comes to email encryption is the user factor. Many users just don&#8217;t see a need to use a desktop email client just to implement some type of email encryption. Many of us are more familiar with accessing our emails right within our web browser. The problem is that many, if not all, web email providers such as Google, Yahoo and Microsoft fail to implement one of the most popular email encryption methods out there, OpenPGP, into their interface. To put it in simple terms, we currently do not have an integrated method of encrypting and decrypting emails from traditional browsers such as Google Chrome and Firefox. The theories of why this is I will leave it to you, the readers, to decide on but one thing is certain to me. Email encryption is sorely needed in this digital time and age and the more users demand it, the more pressure we put on the email providers to give it to us. Just because you have nothing to hide does not mean you don&#8217;t have a need for email encryption. Just as you don&#8217;t have &#8220;anything to hide&#8221; with your laptop doesn&#8217;t mean you are willing to give it up for inspection by some government agency! Well, here in this article, I will go over one of the more promising looking web browser extensions out there that will allow us to encrypt and decrypt our emails all within our browser!</p>
<h2>Mailvelope</h2>
<span class="sb_error">At the moment, Mailvelope is only supported for email encryption and decryption with OpenPGP! Email signing and verification is not yet supported, although the developer says that it will be incorporated into the extension in the future. Therefore, if you absolutely require signature signing and verification of emails, Mailvelope will not be your cup of tea. However, please do keep a lookout for this extension because I really believe it has a lot of potential. Also, you can subscribe to the <a href="https://twitter.com/mailvelope" target="_blank" rel="nofollow">developer&#8217;s Twitter account for updates</a> of the extension.</span>
<p>Mailvelope is a browser extension for Google Chrome&#8217;s browser along with Mozilla Firefox, although the latter is still in development. An early preview version is still available at the time of this writing (version 0.5.5). What sets Mailvelope apart and makes it so interesting from the few other extensions I&#8217;ve tried in the past is its flexibility. Mailvelope, once installed, is able to work within the Gmail, Outlook, Yahoo and GMX webmail interfaces! Many of the other extensions I&#8217;ve tried were locked down to mainly Gmail since it is one of the more popular services. With Mailvelope, you no longer have to worry about which mail service you use! Another neat aspect of the extension is that you also get to add other services to utilize Mailvelope! For example, I have an email account with Fastmail.us, which I believe is operated by Opera. By default, Mailvelope won&#8217;t recognize that email service but with a click of a button, I can instantly start encrypting and decrypting emails in Fastmail just like how I could with Gmail and Yahoo!</p>
<h3>Installation and Configuration</h3>
<p>In this article, I will be using Mailvelope within Google Chrome. Installing the extension is as simple as finding it in the Chrome Web Store and installing it like how you would with any other extension! Because I&#8217;m such a nice guy, you can find the link to install Mailvelope down below. Hey, that saves you one extra step right?!</p>
<span class="sb_download">You can <a href="https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke?utm_source=chrome-ntp-icon" target="_blank" rel="nofollow">download Mailvelope from here</a>. For more general information about Mailvelope such as documentation, <a href="http://www.mailvelope.com/" target="_blank" rel="nofollow">visit their homepage</a>.</span>
<p>Once installed, the first configuration step is to import our private and public keys into the key ring. Sadly, Mailvelope doesn&#8217;t support the import of a previous key ring and so what we need to do here is import each and every single private/public key in your library into Mailvelope. To do so, click on the Mailvelope icon at the top right corner and select the Options setting. Of course by default, your key ring is devoid of any keys:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Emptyring.png" rel="nofollow"><img class="alignnone" title="Empty Key Ring" alt="Empty Key Ring" src="http://dl.dropbox.com/u/16029746/251-300/289%20Emptyring.png" width="438" height="168" /></a></p>
<p>Mailvelope does include the option of generating your own key pair for you but I already have my own key pair so I have to perform an import.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Generate.png" rel="nofollow"><img class="alignnone" title="Generate New Key Pair" alt="Generate New Key Pair" src="http://dl.dropbox.com/u/16029746/251-300/289%20Generate.png" width="300" height="226" /></a></p>
<p>If you click on the Import Keys link, you will see a big text box. Here is where you have to manually copy and paste the PGP block text that makes up your private and public keys. You&#8217;ll have to do this for each and every private/public key you want to use with Mailvelope. The bad news is that the extension does not allow one to select a .asc key file and import it that way. The good news is that we can at least paste multiple keys within the text box to import multiple keys at once, although you&#8217;ll still have to open each key you have in Notepad or a similar text editor.</p>
<p>For each private key you have, you&#8217;ll most likely see both the public key portion along with the private key portion. For every recipient public key, you&#8217;ll obviously see just the public key portion. What you need to do is copy this block of gibberish text into Mailvelope. Below, you can see that I&#8217;ve opened my private key for awbtesting808@outlook.com within Notepad:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Keyblob.png" rel="nofollow"><img class="alignnone" title="Key Blob" alt="Key Blob" src="http://dl.dropbox.com/u/16029746/251-300/289%20Keyblob.png" width="423" height="293" /></a></p>
<p>Below that part is my private key, which looks similar except it says &#8220;PRIVATE KEY BLOCK&#8221; instead of PUBLIC. I simply copy this entire text and paste it into Mailvelope as such and click on the Submit button. If everything goes as planned, you should see two green success messages stating that the import process was successful. For the purposes of this demo, I will also import the public key of my other email account, anotherwindowsblog@gmail.com.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Import.png" rel="nofollow"><img class="alignnone" title="Key Import" alt="Key Import" src="http://dl.dropbox.com/u/16029746/251-300/289%20Import.png" width="386" height="255" /></a></p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Importsuccess.png" rel="nofollow"><img class="alignnone" title="Import Success" alt="Import Success" src="http://dl.dropbox.com/u/16029746/251-300/289%20Importsuccess.png" width="511" height="166" /></a></p>
<p>If I head back to my Key Ring section, I can now see that I have my public/private key for my main email account and the public key of the email account I will send encrypted email to.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Keyring.png" rel="nofollow"><img class="alignnone" title="Key Ring" alt="Key Ring" src="http://dl.dropbox.com/u/16029746/251-300/289%20Keyring.png" width="440" height="138" /></a></p>
<p>As far as setup goes, I am now prepared to send encrypted emails to one of my recipients along with being able to decrypt emails sent to me with my private key within Mailvelope!</p>
<h2>Sending Encrypted Emails</h2>
<span class="sb_error">Mailvelope at this time does not support encryption of attachment files in the emails so please keep that in mind!</span>
<span class="sb_information">Want to test Mailvelope? Simply <a href="http://dl.dropbox.com/u/16029746/Anotherwindowsblog%20Public%20Key.asc" target="_blank" rel="nofollow">download my public key here</a> (right click, save-as) and send me an email at anotherwindowsblog@gmail.com.</span>
<p>For this quick demonstration, I will log into my test email account, awbtesting808@outlook.com and create a new email to anotherwindowsblog@gmail.com. You can easily see the Mailvelope lock icon right in the area of where I compose my email body. The one area of concern is saved drafts of your emails. Periodically, your email provider will automatically save a copy of the email you are composing to the Drafts folder. This is so you can get back to it at a later point in time. The bad news here is that the saved copy is saved in plain text! Once you send the email though, the Draft copy will be deleted but a cached copy probably still exists on the servers of your email providers.</p>
<p>Also, all encryption and decryption is done locally on your computer using Javascript.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Lockicon.png" rel="nofollow"><img class="alignnone" title="Lock Icon" alt="Lock Icon" src="http://dl.dropbox.com/u/16029746/251-300/289%20Lockicon.png" width="420" height="214" /></a></p>
<p>Clicking on this icon presents us with a pop up box allowing us to choose which recipients to encrypt the email for. Of course, the drop down box will only include recipients for whom you have added a public key. Here you can see that I&#8217;ve selected to include both my sending email account along with the recipient. I chose to do this because Mailvelope doesn&#8217;t include an option to automatically encrypt all emails you send with your own public key. Without doing so, you will not be able to re-read the email message within your &#8220;Sent&#8221; email folder! You can also choose to encrypt the email as HTML or plaintext.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Recipients.png" rel="nofollow"><img class="alignnone" title="Recipients List" alt="Recipients List" src="http://dl.dropbox.com/u/16029746/251-300/289%20Recipients.png" width="391" height="214" /></a></p>
<p>Once I hit the OK button, you&#8217;ll see the familiar blob of text that indicates your email has been encrypted!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Encrypted.png" rel="nofollow"><img class="alignnone" title="Encrypted Email" alt="Encrypted Email" src="http://dl.dropbox.com/u/16029746/251-300/289%20Encrypted.png" width="385" height="237" /></a></p>
<h2>Decrypting Emails</h2>
<p>I have now received the encrypted email in my Gmail inbox. Mailvelope automatically recognizes the encrypted message and will allow me to decrypt it as seen below. All I have to do is hover my mouse within the message which will change to a padlock icon, click once and Mailvelope will ask me for the passphrase of my private key. Once that is entered correctly, I can then read the message back in plaintext!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Decrypt.png" rel="nofollow"><img class="alignnone" title="Mailvelope Decrypt" alt="Mailvelope Decrypt" src="http://dl.dropbox.com/u/16029746/251-300/289%20Decrypt.png" width="420" height="203" /></a></p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Passphrase.png" rel="nofollow"><img class="alignnone" title="Passphrase" alt="Passphrase" src="http://dl.dropbox.com/u/16029746/251-300/289%20Passphrase.png" width="403" height="260" /></a></p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Decrypted.png" rel="nofollow"><img class="alignnone" title="Decrypted" alt="Decrypted" src="http://dl.dropbox.com/u/16029746/251-300/289%20Decrypted.png" width="388" height="194" /></a></p>
<h2>Adding New Pages</h2>
<p>As I mentioned in the beginning, what makes Mailvelope so awesome is its ability to allow you to manually add different pages to integrate Mailvelope. In this example, I will quickly and easily show you how to integrate Mailvelope into the Fastmail email service!</p>
<p>First I&#8217;ll need to log in to my Fastmail account and compose a new message. Once here, I simply click on the Mailvelope extension icon and select the &#8220;Add Page&#8221; option setting. Mailvelope will add a new record for the new web page and all I have to do next is hit the &#8220;Save changes&#8221; button as seen below:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Addrecord.png" rel="nofollow"><img class="alignnone" title="Add Record" alt="Add Record" src="http://dl.dropbox.com/u/16029746/251-300/289%20Addrecord.png" width="412" height="206" /></a></p>
<p>Now, when I re-login to Fastmail and compose a message, I see the familiar Mailvelope padlock icon! Although I don&#8217;t have a key pair for this email account, I can still send encrypted mail to any recipients I have a public key for due to the Mailvelope extension.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/289%20Fastmail.png" rel="nofollow"><img class="alignnone" title="Fastmail Integration" alt="Fastmail Integration" src="http://dl.dropbox.com/u/16029746/251-300/289%20Fastmail.png" width="420" height="182" /></a></p>
<h2>In the End&#8230;</h2>
<p>As you can see, it doesn&#8217;t take much to use the Mailvelope extension in Chrome. This is one of the better OpenPGP browser extensions I&#8217;ve found and one that works exactly as advertised. With other extensions, the problems ranged from importing keys to not being able to correctly encrypt the email message. Suffice it to say, there aren&#8217;t many OpenPGP browser extensions to begin with but Mailvelope is definitely something I hope will mature and improve over time.</p>
<p>With that being said, there are many things that Mailvelope can improve on. For one, and this is a big one, there must be signing and signature verification. I&#8217;d rather wait for the developer to get this right than see something delivered that doesn&#8217;t work outright or is broken, but this is one big thing that prevents Mailvelope from being used full time. I believe the developer is also trying to fix the &#8220;plaintext draft&#8221; issue where prior to sending an email, a draft of that email is saved on the servers of the email provider. I also wouldn&#8217;t mind seeing a better way to import public keys rather than doing a manual copy and paste. Finally, I&#8217;m sure if this extension takes off, many users will want a better way to mass export/import their keys and settings of Mailvelope to quickly and easily set it up on different machines.</p>
<p>As it stands, Mailvelope is definitely something you should keep an eye on. I&#8217;m sure a lot of OpenPGP users out there would love for major email providers to build a native interface that allows users to implement OpenPGP but I&#8217;m sure that&#8217;s not happening anytime soon! Therefore, we have to rely on extensions and plugins such as Mailvelope to fill in the gap. Once this extension gets more fine-tuned, it would be a huge break for OpenPGP users all over the world who don&#8217;t wish to use a dedicated desktop email client such as Thunderbird and Outlook.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/02/webmail-encryption-with-mailvelope.html/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>OpenPGP in Outlook with gpg4o</title>
		<link>http://www.anotherwindowsblog.com/2013/02/openpgp-in-outlook-with-gpg4o.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/02/openpgp-in-outlook-with-gpg4o.html#comments</comments>
		<pubDate>Tue, 05 Feb 2013 23:46:59 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Emails]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9444</guid>
		<description><![CDATA[It seems that getting a free OpenPGP solution to work with the Microsoft Outlook email client is harder than I thought it would be. The only thing I could dig up was the Outlook Privacy Plugin, which I wrote extensively about here in this article. At the time I wrote that article, the plugin version [...]]]></description>
				<content:encoded><![CDATA[<p>It seems that getting a free OpenPGP solution to work with the Microsoft Outlook email client is harder than I thought it would be. The only thing I could dig up was the Outlook Privacy Plugin, which <a href="http://www.anotherwindowsblog.com/2012/07/openpgp-support-in-outlook-2010-and-2013.html" target="_blank">I wrote extensively about here in this article</a>. At the time I wrote that article, the plugin version I used actually worked to a certain extent but it was missing a crucial element in that it would not allow me to both sign and encrypt an email at the same time. It was either or. Similarly, I could not both verify and decrypt an email sent to me. This in itself is a major flaw when implementing OpenPGP. That article is very popular here on my blog but I&#8217;m surprised that not many people complained about it as the newer version of the plugin is even more horrible than the older ones. This led me here, to this article. Sometimes, not everything can be had for free. If you are seriously looking to use OpenPGP with Outlook 2010 and maybe Outlook 2013 in the future, then it seems to me that a paid solution is required unless you love troubleshooting. Here, I take a look at a paid Outlook plugin that incorporates OpenPGP called gpg4o.</p>
<h2>gpg4o</h2>
<p>gpg4o is developed by a German firm called Giegerich &amp; Partner. Luckily for me and many others, their website has an English translation. They have a ton of information on their site but most importantly, what I am looking for is their support and requirements for gpg4o. The gpg4o plugin supports the latest Windows 8 operating system and more importantly, supports both Outlook 2010 32bit and 64bit installations. They have stated that the plugin will work with Outlook 2013 in the near future so that is definitely good news.</p>
<p>The pricing for gpg4o is based on yearly support and updates to the plugin. At the moment, purchasing a single year of update and support for gpg4o will cost you about 94 euros, which when converted to US dollars, will be at around $127. They do offer discounts if you purchase more than one year of support for up to 5 years, which will cost you around $255. If you are also planning on purchasing licenses in bulk, they have discounts for that as well.</p>
<blockquote><p>From what I have noticed, their support is excellent. I&#8217;ve had a chance to talk with Mr. Giegerich himself and upon installing the trial version, I&#8217;ve stumbled across a big issue that prevented me from continuing. An email to their support staff quickly helped remedy the problem and prompted a direct response from Mr. Giegerich as well. This lets me know that they seem serious about their support for gpg4o.</p></blockquote>
<span class="sb_information">More information about pricing for gpg4o <a href="https://shop.giepa.de/en/gpg4o-GPG-for-Microsoft-R-Outlook-2010-Version-2.1-3.0" target="_blank" rel="nofollow">can be found here</a>. <a href="http://www.gpg4o.de/en/product/productinfo-gpg4o.html?task=view" target="_blank" rel="nofollow">Check here for more general information</a> about gpg4o.</span>
<p>So without further ado, let&#8217;s take a look at how gpg4o works!</p>
<h3>My Setup</h3>
<p>To demonstrate OpenPGP, I have two email accounts configured. In one corner I will be using my main email account for this blog, anotherwindowsblog@gmail.com. This account is configured on my Thunderbird email client along with the Enigmail plugin. In the other corner I will be using a dummy account of awbtesting808@outlook.com. This email has been configured in my Outlook 2010 email client.</p>
<span class="sb_information">If you are new to OpenPGP, <a href="http://dl.dropbox.com/u/16029746/Anotherwindowsblog%20Public%20Key.asc" target="_blank" rel="nofollow">feel free to download my public key here</a> (do a right click, save-as) so that we can trade secure emails with each other for testing purposes. OpenPGP is not hard to learn at all once you get the basic concepts and I promise I will do my best to help you if you are stuck at any part of the process! If you are still confused, then simply send me a regular email at anotherwindowsblog@gmail.com so we can discuss it some more.</span>
<p>gpg4o allows you to try the full product for free for a full 45 days. It states that the trial version is not limited in functionalities but it will place a watermark on your email signatures.</p>
<p><span style="background-color: #f3f30b;"><strong>UPDATE 4/4:</strong> Good news! <a href="http://www.gpg4o.de/en/product/productinfo-gpg4o.html" target="_blank">gpg4o version 3.1 has been recently released</a>! Some of the new features include:</span></p>
<ul>
<li><span style="background-color: #f3f30b;">Support of Outlook 2013</span></li>
<li><span style="background-color: #f3f30b;">Embedded Installation of GnuPG</span><br />
<span style="background-color: #f3f30b;"> (gpg4o checks if you have a GnuPG installation – if not &#8211; you can automatically download and install it)</span><br />
<span style="background-color: #f3f30b;"> So there is no need to download and install GnuPG manually anymore.</span></li>
<li><span style="background-color: #f3f30b;">Redesigned settings dialog</span></li>
<li><span style="background-color: #f3f30b;">New first installation wizard (more support for first-time PGP users).</span></li>
<li><span style="background-color: #f3f30b;">Backup and Restore of all settings (including your keys)</span></li>
<li><span style="background-color: #f3f30b;">Displaying of signature/encryption state inside the mail’s body.</span><br />
<span style="background-color: #f3f30b;"> So if you forward or print a mail, you can see how it was secured</span></li>
</ul>
<h2>Installation</h2>
<p>The first thing we need to do is install GnuPG. gpg4o requires a version below 2.0. They have included a download link to GnuPG version 1.4.13 on their download page. The installation is pretty much a next, next experience. The defaults will suffice. GnuPG is what will provide much of the capabilities of the OpenPGP implementation. Think of it as the backend. gpg4o and all the other third party plugins can be considered the front end, which usually provides you with a graphical interface and much better client integration.</p>
<span class="sb_download">You can <a href="http://download.giepa.de/gnupg/gnupg-w32cli-1.4.13.exe" target="_blank" rel="nofollow">download GnuPG version 1.4.13 from here</a>.</span>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Gnupg4.png" rel="nofollow"><img class="alignnone" style="border: 1px solid black; margin: 3px 1px;" title="GnuPG Install 1" alt="GnuPG Install 1" src="http://dl.dropbox.com/u/16029746/251-300/288%20Gnupg1.png" width="125" height="125" /><img class="alignnone" style="border: 1px solid black; margin: 3px 1px;" title="GnuPG Install 2" alt="GnuPG Install 2" src="http://dl.dropbox.com/u/16029746/251-300/288%20Gnupg2.png" width="125" height="125" /><img class="alignnone" style="border: 1px solid black; margin: 3px 1px;" title="GnuPG Install 3" alt="GnuPG Install 3" src="http://dl.dropbox.com/u/16029746/251-300/288%20Gnupg3.png" width="125" height="125" /><img class="alignnone" style="border: 1px solid black; margin: 3px 1px;" title="GnuPG Install 4" alt="GnuPG Install 4" src="http://dl.dropbox.com/u/16029746/251-300/288%20Gnupg4.png" width="125" height="125" /></a></p>
<p>Once GnuPG has been successfully installed, don&#8217;t be alarmed if nothing happens or changes! This just sets the stage for the installation of gpg4o itself, which we will do next. At the writing of this article, the latest version of gpg4o is 3.0.</p>
<p>The first step is to install Visual Studio Tools.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20GPG1.png" rel="nofollow"><img class="alignnone" title="gpg4o install 1" alt="gpg4o install 1" src="http://dl.dropbox.com/u/16029746/251-300/288%20GPG1.png" width="220" height="240" /></a></p>
<p>Next up is the EULA agreement for gpg4o:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20GPG2.png" rel="nofollow"><img class="alignnone" title="gpg4o install 2" alt="gpg4o install 2" src="http://dl.dropbox.com/u/16029746/251-300/288%20GPG2.png" width="270" height="220" /></a></p>
<p>Next is the installation directory, which you can keep at the default:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20GPG3.png" rel="nofollow"><img class="alignnone" title="gpg4o install 3" alt="gpg4o install 3" src="http://dl.dropbox.com/u/16029746/251-300/288%20GPG3.png" width="270" height="223" /></a></p>
<p>And just like that, the installation will start and in just 3 seconds, the installation will complete.</p>
<span class="sb_download">gpg4o also provides a <a href="http://www.gpg4o.de//fileadmin/pdf/Manual_English3.0.pdf" target="_blank" rel="nofollow">comprehensive manual guide</a> to get you started with using the plugin.</span>
<h2>gpg4o Key Generation and Configuration</h2>
<p>Once gpg4o has been installed, relaunch Outlook 2010 and you will be presented with the configuration wizard to help you get started. First, gpg4o will look for the gnupg executable. If you&#8217;ve installed GnuPG in the default directory, gpg4o should have picked this up automatically and you won&#8217;t have to do a thing. If not, simply browse to the gpg.exe executable location.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Config2.png" rel="nofollow"><img class="alignnone" style="border: 1px solid black; margin: 3px 1px;" title="gpg4o config 1" alt="gpg4o config 1" src="http://dl.dropbox.com/u/16029746/251-300/288%20Config1.png" width="125" height="125" /><img class="alignnone" style="border: 1px solid black; margin: 3px 1px;" title="gpg4o config 2" alt="gpg4o config 2" src="http://dl.dropbox.com/u/16029746/251-300/288%20Config2.png" width="125" height="125" /></a></p>
<p>Next up is your email account settings. Because this is my new email account, I will need to create a new key pair for it, which gpg4o will happily allow me to do. Here, you also have the option to configure whether you want to sign and encrypt all outgoing emails from this email address by default. Not all of my email recipients are on the OpenPGP system so I will leave these options unchecked. On a sidenote, you will later have the ability to create recipient send rules which allow you to specify to gpg4o what to do whenever sending emails to a recipient. And finally, you can tell gpg4o what to do when you try to send an HTML email rather than a plaintext one.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Config4.png" rel="nofollow"><img class="alignnone" style="margin: 2px 1px; border: 1px solid black;" title="gpg4o config 3" alt="gpg4o config 3" src="http://dl.dropbox.com/u/16029746/251-300/288%20Config3.png" width="125" height="125" /><img class="alignnone" style="margin: 2px 1px; border: 1px solid black;" title="gpg4o config 4" alt="gpg4o config 4" src="http://dl.dropbox.com/u/16029746/251-300/288%20Config4.png" width="125" height="125" /></a></p>
<p>Now that we have our OpenPGP key pair created and the gpg4o settings configured, it&#8217;s time to prepare the email clients with public keys!</p>
<h3>Key Import</h3>
<p>First things first. How easy will it be to import other recipients&#8217; public keys? Well, that turns out to be easy as pie. Simply right click on the public key attachment within the email and select the &#8220;Import public key&#8221; setting. If you head into Key Management, you will see that the public key has been successfully imported. That&#8217;s it!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Importsuccess.png" rel="nofollow"><img class="alignnone" style="border: 1px solid black; margin: 2px 3px;" title="Importing Key" alt="Importing Key" src="http://dl.dropbox.com/u/16029746/251-300/288%20Importkey.png" width="125" height="125" /><img class="alignnone" style="border: 1px solid black; margin: 2px 3px;" title="Import Successful" alt="Import Successful" src="http://dl.dropbox.com/u/16029746/251-300/288%20Importsuccess.png" width="125" height="125" /></a></p>
<p>To send the recipient my own public key, I simply create an email and within gpg4o, there is an option that allows me to automatically attach my public key to the email with a click of a button.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Autoattachkey.png" rel="nofollow"><img class="alignnone" title="Auto Attach Key" alt="Auto Attach Key" src="http://dl.dropbox.com/u/16029746/251-300/288%20Autoattachkey.png" width="351" height="211" /></a></p>
<p>Now that the initial setup has completed with both of my email accounts having each other&#8217;s public key, the fun can now begin.</p>
<h2>Encrypting and Signing with gpg4o</h2>
<p>First I will send an encrypted and signed email by using gpg4o. By doing so, I am both encrypting the email so that no one else may see it besides the intended recipient and proving that I indeed have sent the email and no one else, as the email has been signed with my private key. gpg4o makes both tasks extremely easy to do. When composing an email, you simply hit the Encrypt button to encrypt it and the Sign button to sign the email. If you hit the &#8220;Activate Automatic Options&#8221; check box, gpg4o will look to see if any of the recipients you are sending to are configured with a matching send rule and if so, it will apply the options you have configured for that rule here.</p>
<p>When you hit either the encrypt or sign button, you might see a warning message about sending HTML emails. At this point, you can either keep the email as HTML or convert it to plaintext.</p>
<p>Of course, anytime you require access to your private key, you will be asked for your password and that is no different here with gpg4o. You can as well specify how long to cache the password so you don&#8217;t have to reenter it.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20HTMLmessage.png" rel="nofollow"><img class="alignnone" title="HTML Message" alt="HTML Message" src="http://dl.dropbox.com/u/16029746/251-300/288%20HTMLmessage.png" width="320" height="160" /></a></p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Encryptsign.png" rel="nofollow"><img class="alignnone" title="Encrypt and Signed" alt="Encrypt and Signed" src="http://dl.dropbox.com/u/16029746/251-300/288%20Encryptsign.png" width="353" height="260" /></a></p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Password.png" rel="nofollow"><img class="alignnone" title="Password" alt="Password" src="http://dl.dropbox.com/u/16029746/251-300/288%20Password.png" width="293" height="158" /></a></p>
<p>In my Thunderbird email client, the below picture should look very familiar to users who are familiar with OpenPGP. All that random character gibberish basically means the email has been successfully encrypted and sent to the recipient!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Encrypted.png" rel="nofollow"><img class="alignnone" title="Encrypt Successful" alt="Encrypt Successful" src="http://dl.dropbox.com/u/16029746/251-300/288%20Encrypted.png" width="241" height="192" /></a></p>
<p>Once decrypted and verified, everything turns green within Thunderbird, which lets me know that the email has been successfully decrypted and verified!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Decryptedverified.png" rel="nofollow"><img class="alignnone" style="border: 1px solid black;" title="Decrypted and Verified 1" alt="Decrypted and Verified 1" src="http://dl.dropbox.com/u/16029746/251-300/288%20Decryptedverified.png" width="483" height="142" /></a></p>
<span class="sb_information">gpg4o automatically encrypts each email you send with your public key as well. This is intended because if not, then you will not be able to read that sent email message within your Sent folder in the future as it was only encrypted with the recipient&#8217;s public key. You obviously don&#8217;t have the corresponding private key so you won&#8217;t be able to decrypt it. The semi-bad news is that I couldn&#8217;t find a way to change this. However, there really isn&#8217;t a good reason for doing so unless you have strict requirements. If that is such the case, you&#8217;ll most likely need to contact them for support.</span>
<h2>Decrypting and Verifying with gpg4o</h2>
<p>You&#8217;ve seen the sending part with gpg4o. Now let&#8217;s see how we decrypt and verify an email with the plugin. This time I will send an email from my Thunderbird client, encrypted and signed, to my Outlook 2010 client. As expected, you can see below that the email came in its encrypted form and without the private key, it&#8217;s basically useless.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Encrypted2.png" rel="nofollow"><img class="alignnone" title="Encrypted 2" alt="Encrypted 2" src="http://dl.dropbox.com/u/16029746/251-300/288%20Encrypted2.png" width="389" height="263" /></a></p>
<p>Once I use my private key to decrypt the email though, you can see that everything once again works smoothly and as expected! The highlighted portion tells me that the signature has indeed been verified with the recipient&#8217;s public key and of course, being able to see the original message in plaintext proves that I have the private key and passphrase. What&#8217;s also neat is the ability to zoom in and out of your email using the slider!</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Decryptedverified2.png" rel="nofollow"><img class="alignnone" title="Decrypted and Verified 2" alt="Decrypted and Verified 2" src="http://dl.dropbox.com/u/16029746/251-300/288%20Decryptedverified2.png" width="449" height="226" /></a></p>
<p>One thing I did notice is that if you do not have the reading pane enabled in Outlook 2010, you will not see the signature validation information as seen above. If you like to read your emails in a separate window, then this might present a problem for you. As seen below, you can see that I don&#8217;t get any signature verification status (the colored box) once I double click on an email:</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Missing.png" rel="nofollow"><img class="alignnone" title="Verification Missing" alt="Verification Missing" src="http://dl.dropbox.com/u/16029746/251-300/288%20Missing.png" width="442" height="217" /></a></p>
<h2>Misc. Options</h2>
<p>At this point, I&#8217;ve just proved that gpg4o indeed works as expected when you use OpenPGP for its most basic purposes, which is encrypting and decrypting an email along with both signing and verifying a digital signature. If this is all you need to do, then I&#8217;m sure you&#8217;ll enjoy gpg4o a lot! However, the plugin has a couple of other options and most of their usage depends on how deeply rooted you are to the OpenPGP system.</p>
<h3>Sending Rules</h3>
<p>If you have a lot of email recipients that you communicate with using OpenPGP and a whole bunch of others who don&#8217;t, then creating sending rules can help automate some tasks. For example, you can create a rule called &#8220;Subject Private&#8221; which specifies that any email you send henceforth with the word &#8220;private&#8221; in the subject line is automatically encrypted with the recipient&#8217;s public key, is not signed and is not allowed to be HTML. Sending rules also help if you manage a bunch of different email addresses within Outlook 2010. By combining different conditions in a rule, you can make some pretty complex send rules to do your bidding. Continuing with the example earlier, I can in addition specify that the rule only takes effect if the subject has the word private in it and the email is from a specific sender. Because I manage 5 different email accounts, I can have this rule only apply for the one I use with OpenPGP.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Sendrules.png" rel="nofollow"><img class="alignnone" style="border: 1px solid black;" title="Send Rules" alt="Send Rules" src="http://dl.dropbox.com/u/16029746/251-300/288%20Sendrules.png" width="355" height="287" /></a></p>
<h3>Key Management</h3>
<p>If you heavily rely on OpenPGP for your communications, then I&#8217;m sure you&#8217;ve heard about key signing, trust levels and key uploads. All of this can be done within the Key Management section within gpg4o.</p>
<h4>Key Signing</h4>
<p>Signing a public key means that you put your stamp of validation on the key&#8217;s owner. This is how the web of trust works. The more signatures a public key gains, the more &#8220;trusted&#8221; that key can appear, although there are definitely exceptions to this and that topic alone could fill a whole separate article. A very simple scenario is what you get when you have John, Sally and Bob. Both John and Bob know each other very well but Bob doesn&#8217;t know Sally, whom he needs to communicate securely with. Luckily for Bob, John knows Sally and has signed her public key with his signature. Because Bob knows John and therefore trusts him, he should also trust his &#8220;vouching&#8221; for Sally and therefore trust that Sally&#8217;s public key really does belong to Sally.</p>
<p><img class="alignnone" alt="" src="http://dl.dropbox.com/u/16029746/251-300/288%20Sign.png" width="203" height="211" /></p>
<h4>Set Owner Trust</h4>
<p>You can also set a level of trust to each public key&#8217;s owner. This &#8220;trust&#8221; is not what most users initially think it means. The trust level here specifically states the level of trust you put in the owner in <strong>signing other people&#8217;s keys</strong> and has <strong>nothing</strong> to do with the owner&#8217;s identity. For example, you can be sure that Bob&#8217;s public key really belongs to Bob but you also know that Bob has a habit of signing other people&#8217;s public key without putting much effort into the validation process. Therefore, I wouldn&#8217;t put too much &#8220;trust&#8221; in Bob not because he&#8217;s not who he says he is but rather on his reputation as a key signer.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Trustlevel.png" rel="nofollow"><img class="alignnone" title="Trust Level" alt="Trust Level" src="http://dl.dropbox.com/u/16029746/251-300/288%20Trustlevel.png" width="394" height="210" /></a></p>
<h4>Upload to Keyserver</h4>
<p>If you want your public key to be easily obtained by the public community, then you would consider uploading your key to one of the several public key servers around the world. This allows people who&#8217;ve never communicated with you before to easily download your public key and send you encrypted emails. Of course, you can also search those key servers for public keys right within gpg4o. Once you have signed a recipient&#8217;s public key, you can similarly re-upload it to the original keyserver from which you obtained it. Do be aware that some users do not want their public keys to be uploaded so please do not do so unless you are sure.</p>
<p><a href="http://dl.dropbox.com/u/16029746/251-300/288%20Upload.png" rel="nofollow"><img class="alignnone" alt="" src="http://dl.dropbox.com/u/16029746/251-300/288%20Upload.png" width="393" height="150" /></a></p>
<h2>In the End&#8230;</h2>
<p>If you are serious about using OpenPGP for your communications and are dead set on not making the switch to Thunderbird, then currently you don&#8217;t have many options where Outlook 2010 and 2013 are concerned. The two products that I know of are Symantec PGP Desktop and gpg4o by Giegerich &amp; Partners. Whereas the former works as a proxy on your desktop, the latter is a direct plugin for Outlook 2010. gpg4o works pretty well and for these types of software, they either work or they don&#8217;t. It&#8217;s as simple as that. I&#8217;m glad to say that yes, gpg4o works very well within Outlook 2010.</p>
<p>The plugin is very user friendly and I&#8217;m sure anyone who is familiar with the OpenPGP universe will have no trouble at all. The problem might come for more advanced users. When compared with Enigmail on Thunderbird, there definitely are some options missing. For example, you aren&#8217;t able to attach a photo to your public key within gpg4o. The requirement to enable the reading pane in order to view signature verification status might not be what the user wants. Enigmail also gives users the ability to pass command line parameters to the gnupg.exe executable, which does most of the encryption/decryption legwork. For example, advanced users might want to compress their emails using a different level of compression. That can be easily done within Enigmail but not so in gpg4o. Again, these are only things advanced users might need but I do still wish to see a paid alternative match or even surpass the free solutions.</p>
<p>All in all though, gpg4o seems to be a sturdy little plugin that, from my estimation, will only get better over time. Their support seems excellent as mentioned earlier in my article. Keep in mind however that they are a German based company and from my guess, their support staff might rely on language translation services when communicating with non-German speaking customers. This didn&#8217;t seem to be a big problem for me with the couple of emails I&#8217;ve traded with Mr. Giegerich himself and his support staff. What I am most excited for when it comes to this company is their future offering of a Home and Student edition of gpg4o. This means either that private home users and students can purchase gpg4o for a much lower price or that the company will offer it as a free download. It&#8217;s hard to hide my excitement with this news because I was always a strong believer in email encryption and many users I&#8217;ve come across have always asked for an &#8220;Enigmail&#8221; alternative for Outlook clients. I will definitely keep my eye out from now on. Once again, big thanks to Mr. Giegerich himself and his support staff for quickly helping me solve an issue I&#8217;ve had with gpg4o!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/02/openpgp-in-outlook-with-gpg4o.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Switched to Android and Loving It!</title>
		<link>http://www.anotherwindowsblog.com/2013/01/switched-to-android-and-loving-it.html</link>
		<comments>http://www.anotherwindowsblog.com/2013/01/switched-to-android-and-loving-it.html#comments</comments>
		<pubDate>Tue, 29 Jan 2013 03:15:19 +0000</pubDate>
		<dc:creator>Simon</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Hardwares]]></category>

		<guid isPermaLink="false">http://www.anotherwindowsblog.com/?p=9414</guid>
		<description><![CDATA[So I&#8217;ve finally decided to upgrade my iPhone 3GS and one of the toughest decisions I had to make obviously was do I stick with Apple or do I go to Android? I have also looked deeply into the Nokia Lumia 920 with the Windows Phone 8 OS but came away disappointed after reading about [...]]]></description>
				<content:encoded><![CDATA[<p>So I&#8217;ve finally decided to upgrade my iPhone 3GS and one of the toughest decisions I had to make obviously was do I stick with Apple or do I go to Android? I have also looked deeply into the <a href="http://www.anotherwindowsblog.com/2012/11/why-i-cant-buy-nokia-lumia-920-even-if-i-like-it.html" >Nokia Lumia 920 with the Windows Phone 8 OS</a> but came away disappointed after reading about it since its release. After some deliberation, I&#8217;ve come to the conclusion that there just wasn&#8217;t anything new or exciting about the iPhone 5 that made me want to stick with Apple&#8217;s ecosystem and when compared to the Samsung Galaxy S3, it kind of became a no-brainer to me. The Galaxy S3 is just an incredible phone and trust me when I say that I&#8217;ve watched numerous video reviews on Youtube and other tech sites that this phone is hot. As always, I&#8217;m a bit late to the party and the Samsung Galaxy S4 is just around the corner at the time of this writing but I couldn&#8217;t be happier with my purchase. In fact, I like the phone so much that I pushed my sister to get one as well. She&#8217;s in love with it! Here in this article, I&#8217;ll be going over some of the things I personally like most about my Galaxy S3 and of course, some of the things I don&#8217;t.</p>
<p><em>In no particular order, these are some of my most beloved features of the Galaxy S3:</em></p>
<h3><span style="color: #008000;">Screen Size and Phone Quality</span></h3>
<p>Coming off of the 3.5 inch screen of the iPhone 3GS to the 4.8 inch screen of the Galaxy S3, I was just blown away. A lot of users no doubt will balk at the need for a smartphone to be that big in screen size but I&#8217;m telling you right now that once you&#8217;ve used a smartphone of this size, using anything smaller will feel like an insult. The iPhone 5 comes with a 4 inch screen which makes things a bit better but I personally feel 4.5 inch is the right size for me. While the phone is definitely usable with one hand, there are some things that require me to shuffle the phone around in order for my thumb to reach the far corner of the screen. However, this is not a deal breaker for me personally and I&#8217;ve grown accustomed to it. That said, I&#8217;m not sure how I feel about anything bigger than 4.8 inches. The rumor mill has it that the S4 will be about 5 inches. Pretty soon, our smartphones will be the size of mini tablets and in fact, the Galaxy Note series actually blurs that line between a tablet and smartphone.</p>
<p>A lot of users don&#8217;t like the cheap quality build of the Galaxy S3 but when I first held the phone in my hand, it was a non-issue. The phone is incredibly thin and it actually has a nice feel and weight to it. Not as light as the iPhone 5 but not as heavy as the Nokia Lumia 920. In fact, the Galaxy S3 weighs about the same as my old iPhone 3GS! I loved the weight of that phone and I think it strikes me as the perfect balance for a smartphone.</p>
<div class="wp-caption aligncenter" style="width: 470px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Screencompare.png" rel="nofollow"><img alt="iPhone 5 vs S3 Screen Size" src="http://dl.dropbox.com/u/16029746/251-300/287%20Screencompare.png" width="460" height="345" /></a><p class="wp-caption-text">iPhone 5 vs S3 Screen Size</p></div>
<h3><span style="color: #008000;">Unknown Sources</span></h3>
<p>Let&#8217;s not beat around the bush. Enabling this option allows a user to install .apk files directly on their phone. This means a user can illegally download apk&#8217;s for their favorite apps (which usually require a fee to legally obtain) on the Internet and sideload them onto their phone. Personally, I use this option because I have purchased some apps from the Amazon App Store. One of my most important app purchases is ezPDF reader. Why should I have to pay twice to use the same app on both my Kindle Fire and Android phone? By sideloading the Amazon App Store apk (which is perfectly legal), I can now re-download all of my previous app purchases right onto my Galaxy S3. In the future, if I find Amazon has an app for a cheaper price than what I find in the Google Play store, I can purchase it from Amazon and then install it on my S3.</p>
<div class="wp-caption aligncenter" style="width: 460px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Unknownsources.png" rel="nofollow"><img alt="Unknown Sources" src="http://dl.dropbox.com/u/16029746/251-300/287%20Unknownsources.png" width="450" height="320" /></a><p class="wp-caption-text">Unknown Sources</p></div>
<h3><span style="color: #008000;">Removable Battery and External Storage</span></h3>
<p>A lot of users love a phone with a removable battery. Well, I&#8217;m not one of them. To be more exact, I don&#8217;t care too much for it but I do agree that it&#8217;s a great option. I rarely owned a phone where the battery failed after a period of ownership. Maybe I&#8217;m just lucky. But I can see this as a great feature for users who travel or are on the road a lot. By purchasing an external battery pack and keeping it fully charged, they can be sure that they will have doubled their battery life, literally. This is awesome because no longer do users have to purchase a battery phone case such as those for the iPhone. Many of them add bulk and weight to the overall phone.</p>
<p>The external storage with the microSD card is what I&#8217;m most happy about. The ability to instantly cram an extra 64GB of local storage into your phone is a godsend considering the amount of media we have nowadays. I can store my entire music collection onto the card and not have to worry about running out of storage on the phone itself. That internal storage can be used mainly for apps as some don&#8217;t allow you to install directly onto a microSD card. I was always saddened that the iPhone never gave users the ability for external storage and I&#8217;m sure that it will never happen. Cloud storage is a big thing but not all users want to store their data in the cloud nor do they have an unlimited data plan to stream that content back down onto their phone!</p>
<div class="wp-caption aligncenter" style="width: 521px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Removablebattery.png" rel="nofollow"><img alt="Removable Battery" src="http://dl.dropbox.com/u/16029746/251-300/287%20Removablebattery.png" width="511" height="302" /></a><p class="wp-caption-text">Removable Battery</p></div>
<h3><span style="color: #008000;">Customization</span></h3>
<p>No doubt, you&#8217;ve heard at some point or another that if you want more options to customize your phone, Android is the way to go and they aren&#8217;t kidding. My phone isn&#8217;t even rooted and yet the things I am able to do are still astonishing. Everything from the UI down to controlling the very phone itself such as creating profiles and automating it to do things in certain situations is unbelievable. For example, I can have the phone automatically disable my 4G connection while at home and turn it back on while I&#8217;m away which in turn disables my Wi-Fi. I&#8217;m not even going to talk about custom ROMs because that in itself is a whole different level of customization!</p>
<div class="wp-caption aligncenter" style="width: 225px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Customize.png" rel="nofollow"><img class="  " alt="Customization" src="http://dl.dropbox.com/u/16029746/251-300/287%20Customize.png" width="215" height="358" /></a><p class="wp-caption-text">Customization</p></div>
<h3><span style="color: #008000;">Widgets</span></h3>
<p>Widgets aren&#8217;t for everyone but they do serve a purpose and that is to easily allow a user to access information from within an app but on their homescreen/lockscreen instead. Widgets actually play a big part in Android customizations. Rather than looking at the same ol&#8217; app icons on your homescreen page after page, you can opt to place widgets for those apps instead. For example, a feed reader widget allows me to scroll through my RSS feeds right on my homescreen without actually entering the app itself. Other widgets allow you to control a function of the app. A perfect example is a media player widget where it allows you to quickly pause and resume an audio track without having to reenter the actual app each time.</p>
<div class="wp-caption aligncenter" style="width: 187px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Widgets.png" rel="nofollow"><img class=" " alt="Widgets" src="http://dl.dropbox.com/u/16029746/251-300/287%20Widgets.png" width="177" height="315" /></a><p class="wp-caption-text">Widgets</p></div>
<h3><span style="color: #008000;">Samsung Smart Stay</span></h3>
<p>I love the Smart Stay function! In order to save battery, most users like myself set a low screen timeout setting. However, what happens when you are slowly reading a webpage for more than the timeout setting allows? Well, your screen gets turned off, obviously. With Smart Stay, Samsung brilliantly thought of the idea to use the front facing camera to detect whether your eyes are focused on the screen and if they are, it will not disable your screen! At first I thought it wouldn&#8217;t work but surprisingly, it works amazingly well. One of my hardcore iPhone loving friends was so jealous of this feature.</p>
<div class="wp-caption aligncenter" style="width: 410px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Smartstay.png" rel="nofollow"><img alt="Smart Stay" src="http://dl.dropbox.com/u/16029746/251-300/287%20Smartstay.png" width="400" height="320" /></a><p class="wp-caption-text">Smart Stay</p></div>
<h3><span style="color: #008000;">Camera Settings</span></h3>
<p>The camera on the Galaxy S3 is amazing but one of the best things I like about it is the amount of built-in options and settings you can play with. Sure, you can download other camera apps to do the same thing and maybe even do it better but I like stock options that get the job done. I&#8217;m not a hardcore photographer but I do appreciate the many settings built into the default camera app on the S3. For example, I am a big fan of black and white photos. There are just some pictures that look so amazing with no colors in them (weird, but you gotta trust me on this one) and the Galaxy S3 allows me to take B/W photos natively without having to download any camera apps. Of course, the video recording is pretty top notch as well. 1080p videos are buttery smooth and vibrant in colors.</p>
<div class="wp-caption aligncenter" style="width: 460px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20Camera.png" rel="nofollow"><img alt="Camera Settings" src="http://dl.dropbox.com/u/16029746/251-300/287%20Camera.png" width="450" height="253" /></a><p class="wp-caption-text">Camera Settings</p></div>
<h3><span style="color: #008000;">Notification LED Light</span></h3>
<p>Some users can definitely call this a gimmick but I find it pretty useful and a bit stylish as well, if nothing more. When emails arrive or whenever you have new notifications, you can configure the notification LED on the front side of your phone to light up and blink with different colors. This allows you to quickly glance at things you have missed and if it warrants your attention immediately. For example, without even having to turn on my phone, I can instantly tell whether or not I have new emails because if I do, the blue LED blinker will be on. If I have a new Google Voice text, the LED will blink green and so on. We don&#8217;t usually stare at our phones 24/7 (I hope) and so it&#8217;s very easy for us to miss that notification sound alerting us of an event. The LED light on the S3 is a brilliant feature and I hope all future phones will use it as well. I remember seeing the LED light on an old Blackberry phone and instantly thought it was awesome.</p>
<div class="wp-caption aligncenter" style="width: 460px"><a href="http://dl.dropbox.com/u/16029746/251-300/287%20LED.png" rel="nofollow"><img alt="LED Notification" src="http://dl.dropbox.com/u/16029746/251-300/287%20LED.png" width="450" height="273" /></a><p class="wp-caption-text">LED Notification</p></div>
<h3><span style="color: #008000;">Google Offline Maps</span></h3>
<p>Currently, this feature is only available on Android devices and not on iOS. This feature alone has already convinced a friend of mine to switch over to Android whenever the S4 is released. This feature is a godsend for users who don&#8217;t have an unlimited data plan or for users who travel frequently. By being able to download an entire map or region area to your phone for offline browsing, you won&#8217;t have to worry about being lost anymore just because you can&#8217;t get a data connection. Of course, this feature does have limitations at the moment, one such being that you can&#8217;t use it for direction navigation, but I&#8217;m sure Google will be able to improve upon Offline Maps in future updates. Google Maps itself is also superb. I have to admit that when it comes to directions, I am the most confused person out there. Heck, I can even get lost in a mall! I was just not born to have a good sense of direction and that is why Google Maps has changed my life.</p>
<div align="center"><iframe src="http://www.youtube.com/embed/J6sNyKzGOe8?wmode=transparent" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></div>
<h3><span style="color: #008000;">NFC and S-Beam</span></h3>
<p>No doubt you&#8217;ve seen the Samsung commercial where two guys easily shared their playlist by tapping the back of their phones together. This is not a gimmicky feature and it indeed works. If you are in the same room as your friends and want to be able to share pictures and videos, it doesn&#8217;t make sense to have to upload that video to some online service, give the link to your friend only to have him/her download it back down onto their phone. Instead, why not just directly download the media onto the destination phone itself? This is what NFC and S-Beam do for you and once you&#8217;ve used it, you&#8217;ll never want to leave home without it if sharing media with your friends is a big thing. Sadly, iPhones don&#8217;t incorporate an NFC chip and so this feature is not available. This makes it impossible for Android users such as myself to be able to share pictures with my iPhone loving friends. Of course, they are slowly realizing what they are missing out on and are debating whether to get the S4 in the future or not. Largely, this really depends on what Apple will bring to the table with the iPhone 5s/6. I was insanely disappointed that they didn&#8217;t include an NFC chip in the iPhone 5. They had a chance to do something incredible with it and once again change people&#8217;s lives but we&#8217;ll just have to wait.</p>
<div align="center"><iframe src="http://www.youtube.com/embed/FCPyS1Wz6x0?wmode=transparent" height="360" width="640" allowfullscreen="" frameborder="0"></iframe></div>
<p>&nbsp;</p>
<p><em>In no particular order, these are some of the negative things I&#8217;ve experienced with the phone (not all is pretty you know):</em></p>
<h3><span style="color: #ff0000;">Sound Quality Issues</span></h3>
<p>One of the most irksome issues I found with my S3 is the low sound emitted from the output speakers. The weird thing is it depends on what I am viewing. Sometimes, I have to crank up the volume to the max just to hear the sound and there are even times where I have to cup my hand around the speaker so that the sound is more audible and this is in a fairly quiet surrounding! For other media, the sound returns to normal and I have to lower the volume. I can&#8217;t recognize any pattern and so it&#8217;s a case by case basis. It really is frustrating. Using my earphones solves the issue. Some users have even reported that the low volume remains on everything that they do, including the ringer volume! Luckily that doesn&#8217;t happen to me but the issue nevertheless needs to be addressed.</p>
<h3><span style="color: #ff0000;">More Options, More Problems</span></h3>
<p>How can this be? Well, sometimes the more you tinker around the OS, the more chances there are of you breaking something. With Apple&#8217;s iOS, you are severely limited in what you can actually do with the OS itself but the good news is that you will generally get a more stable and consistent user experience. Throughout my time with my iPhone, I rarely encountered any crashes or app issues and this was on a jailbroken phone! As of now, I have no idea what I did prior to this issue happening but I&#8217;m currently using the Amazon Cloud Player as my go-to music player app. It worked perfectly when I first got the phone but after a lot of customization, I now have an issue where if I&#8217;m using my headphones, switching off the screen will force the sound to play from my speakers instead. I have to turn my phone back on, pause the music, resume and then lock my screen again. I have also encountered app crashes here and there but the issue is nowhere near as bad as others make it out to be. I guess this is the disadvantage of having a more open operating system. The more options and customizations users are allowed, the more chances there are of something going wrong.</p>
<h3><span style="color: #ff0000;">Lack of Notifications on Lock Screen</span></h3>
<p>This is more of a preference issue. I loved how I could at a glance see notifications right on my iPhone lock screen. With the S3, you need to pull down the notification center in order to view your notifications. I believe if your phone has a security lock on it, then it is not possible to access the notification center at all from the lock screen. I have tried a couple of apps that seem to bring a similar notification experience as on the iPhone but decided to go for a different route instead. What I have done now is installed Widget Locker and from there, I simply created an icon on my lock screen to pull down the notification center. While swiping down from the top of the phone is not really a hard thing to do, I feel that a button is much more intuitive, especially if I will be doing it multiple times a day. Also, the LED notification lights help a lot in this regard as well since they alert me whether I have important notifications awaiting my attention.</p>
<h2>In the End&#8230;</h2>
<p>I couldn&#8217;t be happier with my decision on switching over to the Android system. There are many other minor things that I love about this phone but I felt the ones I&#8217;ve mentioned are the best and most useful for my use cases. As with Android, Apple or Windows Phone, if a feature is missing or if the stock apps are inefficient, you can easily just download a third-party app to fill the role. At the moment, it seems as if both the Google Play and Apple Store are filled with the same apps that most users would ever need. Of course, there will be some apps that can be found on one system and not on the other but for the most part, I didn&#8217;t really find anything missing (app wise) after the migration to Android. If a specific app couldn&#8217;t be found within Google Play, a quick search would most likely lead me to an alternative app to fill the same function/role.</p>
<div class="wp-caption alignright" style="width: 310px"><img alt="Fight!" src="http://dl.dropbox.com/u/16029746/251-300/287%20Fight.png" width="300" height="200" /><p class="wp-caption-text">Fight!</p></div>
<p>It seems that as far as phone functionality goes, the Samsung Galaxy S3 beats the iPhone 5 hands down. From the amount of customizations and settings available to the user, one could question just how long is Apple going to wait until they bring similar features to their iPhone lineup. It seems that we are on the path of manufacturers releasing major smartphone devices every year now rather than every other. With the iPhone, it seems as if every new version looks and behaves the same but with obvious minor upgrades such as a faster CPU/GPU and upgraded camera. There is a reason why many users are starting to link the words &#8220;boring&#8221; and &#8220;iPhone&#8221; together. How long this will continue remains to be seen as undoubtedly a new iPhone version should be released within 2013. Personally, I can hardly wait until Samsung reveals the Galaxy S4. A lot of my friends seem to have already made the decision to switch over to Android. Apple really needs to step up their game. It&#8217;s obvious that millions of users will continue to purchase iPhone devices no matter what Apple does but technology oriented people are starting to question Apple&#8217;s decision making. It&#8217;s not like they don&#8217;t have the funds or brains to really design an iPhone to compete with the Galaxy lineup (hardware and feature wise).</p>
<p>Of course, writing about this topic could span many articles so I&#8217;ll just leave it at that. I&#8217;m extremely happy with my Galaxy S3 but my eyes are still on Apple to see what they will bring to the table come later this year. Also, RIM is about to announce their new Blackberry device in two days&#8217; time and we also have the Ubuntu phone and Firefox OS to play with as time goes by. As the saying goes, competition is always good for the consumers!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.anotherwindowsblog.com/2013/01/switched-to-android-and-loving-it.html/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
