Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

New Domain Name System vulnerability revealed

Linux and popular DNS software are vulnerable to new SAD DNS cache poisoning method

Skull shape in a blue digital environment
  • Monday 13 December 2021

Exactly a year after publishing the first SAD DNS attack method, the same research team has revealed a new way of mounting a cache poisoning attack on the Domain Name System (DNS). At the conceptual level, the method is the same as the previous attack strategy: the researchers have discovered a new side channel via which false DNS information can be efficiently injected into a caching resolver. The method has therefore been dubbed SAD DNS 2.0. According to the researchers, it's mainly Linux systems that are vulnerable to the attack, along with popular DNS software such as BIND, Unbound and dnsmasq (all of which are Linux-based). Of the major public DNS services, half proved to be vulnerable, including Cisco's OpenDNS and Quad9 (9.9.9.9). While pointing out that the new SAD DNS variant can be countered in various ways, the researchers stress that DNSSEC is the best defence against cache poisoning. However, the effectiveness of DNSSEC does depend on universal adoption.

DNS cache poisoning

Like the first SAD DNS attack, SAD DNS 2.0 builds on the Kaminsky attack method published in 2008 by late security researcher Dan Kaminsky. In a Kaminsky attack, a caching resolver is injected with false DNS information by targeting it with DNS queries and spoofed false DNS responses. A DNS cache poisoning attack of that kind can be prevented by source port randomization (as defined in RFC 5452). That involves configuring the resolver to change the outbound UDP port for every query, which makes the spoofing of false DNS responses practically impossible.

Side channel attacks

The first SAD DNS attack negated the protection afforded by source port randomization by identifying the momentary (ephemeral) outbound UDP port. That was done by (indirectly) counting the ICMP messages sent in response to spoofed DNS responses. Once the outbound UDP port has been identified, a Kaminsky-style attack can be mounted. The attack method is described in more detail in this article. Like the first SAD DNS attack, the new one involves identifying the resolver's ephemeral outbound UDP port. However, the side channels used to do that (hence the name 'Side channel AttackeD DNS') are different. For the latest variant, the researchers developed various side channel attacks on the basis of the 'ICMP frag needed' and 'ICMP redirect' messages. This 'ephemeral port scanning' method involves sending a series of spoofed ICMP messages to the resolver, and then checking whether the ephemeral port has been hit. On Linux, a valid ICMP message leads to modification of the 'next hop exception cache' (part of the network stack). And it's possible to ascertain whether a modification has been made by, for example, sending a simple ping message to the resolver in question. Once the ephemeral outbound UDP port has been identified, a Kaminsky-style attack is again mounted to obtain the DNS transaction IDs by brute force. Additional techniques can be used to frustrate the transmission and safe receipt of the correct response from the true authoritative name server, thus increasing the window for landing false DNS responses. Those techniques were previously described in the publication about the first SAD DNS attack.

DNSSEC: the structural solution

When the researchers tested the new ICMP/UDP-based side channel attacks, they were able to inject vulnerable resolvers with false DNS information within a few minutes. Further analysis revealed that FreeBSD (and therefore MacOS) was not vulnerable – for the intriguing reason that its network stack doesn't fully conform to the RFC, according to the researchers. Recent versions of Windows were found to be partially vulnerable. "SAD DNS 2.0 exposes another weakness in the DNS, which can be properly resolved only by using DNSSEC," says Berry van Halderen, lead developer at NLnet Labs. "The issue here isn't a flaw in the software, but a weakness in the DNS protocol itself, which can be exploited if DNSSEC isn't active." While pointing out that the new SAD DNS variant can be countered in various ways, the researchers stress that DNSSEC is the best defence against cache poisoning. A non-secured resolver will accept false information if it arrives at the right moment, on the right port, and accompanied by the right transaction ID from the right (spoofed) sender. By contrast, a validating resolver will never accept the false information if it doesn't bear a valid digital signature.