DDOS DNS

Experiencing what I believe are DDOS attacks on an ASA5510 running Ver 8.3(2)
I have set up threat detection and shunning:

threat-detection basic-threat
threat-detection scanning-threat shun duration 36000
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 15 burst-rate 25 average-rate 25
dynamic-filter use-database
dynamic-filter enable
dynamic-filter drop blacklist

and created a policy-map:

policy-map Outside-policy
class Outside-class
  inspect dns dynamic-filter-snoop
  set connection conn-max 20 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 5
  set connection timeout idle 1:00:00 reset
class Outside-class1
  inspect dns dynamic-filter-snoop
  set connection conn-max 20 embryonic-conn-max 10 per-client-max 10 per-client-embryonic-max 10
  set connection timeout idle 1:00:00 reset
1.) Are these looking correct?
2.) Is there anything else that I can do via configuration that would ameliorate these attacks?
3.) Is there anything else besides looking into getting AIP-SSM?
TIA for any assistance


Similar Messages

  • BGP help with UPnP/DDOS/DNS

    Currently I have 2x1GB BGP routers running at my upstream provider. Recently we had a huge DDOS attack that was a UPnP/SSDP attack that was focused at a customer and it was also attacking our DNS server. The BGP routers & switches were lit up like a Christmas tree; all data lights were pretty much solid trying to process the data coming in. Then my BGP routers just shut themselves down; I can only assume that was caused by a buffer overload. Can someone please advise me on if there is something I can do to help prevent this kind of attack in the future?

    Hello.
    As a DDOS prevention you may use either a DDOS prevention service from a third party, or just try to protect your subnets/hosts with Remote Triggered Black Hole Filtering: https://tools.ietf.org/html/rfc5635
    Also if you faced any issue with network link utilization (inside your network) - deploy QoS or upgrade the links.
    PS: I wonder where you were not able to access your BGP routers?! Are they not fast enough to process 1G of data? Don't you protect management and control plane on the network devices?

  • DNS security - DDos

    I've a public nameserver (NS) on Windows Server 2008 R2.
    A security firm has checked the server/DNS for threats/issues,
    and it's stated that there's a security issue: when a request made to the NS is 17 bytes long, the packet received is 449 bytes long.
    How do I fix this issue?

    There's a whole collection of hotfixes for DNS on WS2008R2 SP1.
    I'd suggest starting there.
    http://blogs.technet.com/b/yongrhee/archive/2012/02/18/list-of-dns-related-hotfixes-post-sp1-for-windows-server-2008-r2-sp1.aspx
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Recursive and authoritative DNS - DDOS attack

    We are using Windows Server DNS as our external DNS server which is available from the internet and used to resolve our domain names. It is placed in the DMZ. It is configured as recursive and authoritative. In the internal company network we have 4 Windows DNS servers which have forwarders configured for this DNS server in the DMZ. If some attacker from the internet tries to use our DNS server placed in the DMZ and available from the internet for a lot of recursive queries, it could result in denial of service.
    What is the best practice to avoid such an attack?

    Actually, there's a rather complex algorithm that's used that's similar to, if not the same as, what the client side resolver on any machine (Windows and non-Windows) uses. It's an industry standard based on RFC definitions.
    More specifics in the following links, if you want to read up on it. And to one's surprise, it doesn't exactly work as one would like it to. The idea is to keep both up and the other one as a backup in case you fully lose the first one.
    DNS Client side Resolver Service and DNS Forwarders Query Algorithm
    http://blogs.msmvps.com/acefekay/2014/03/29/dns-client-side-resolver-service-and-dns-forwarders-query-algorithm/
    This blog discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
    Client side resolution process chart.
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
    Client side resolution process chart
    http://blogs.msmvps.com/acefekay/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm/
    DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
    http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
    http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
    DOMAIN NAMES - CONCEPTS AND FACILITIES - Discusses local resolvers.
    http://tools.ietf.org/html/rfc882
    ==
    To add on how the client resolver picks a nameserver, below is a link to a discussion that points out the following - and please note, the operative point in the first bullet point indicates "equivalent," meaning that all DNS servers you enter into a NIC must all reference the same exact data, so you can't mix nameservers with different data and expect the client to try all of them.
    • by RFC, all nameservers in a zone's delegation are equivalent
    • they are indistinguishable to the client
    • clients are allowed to choose the NS to query with whichever policy they wish
    • if any picked server fails to respond (e.g. "ns3"), then the next server is picked among the remaining set (e.g. ns1 and ns2) according to the policy
    • often clients use sophisticated policies that "score" servers and pick more often the ones that replied faster
    • as a by-product, in practice this policy makes caches favor "nearest" servers
    Above list was quoted from:
    When is a secondary nameserver hit?
    http://serverfault.com/questions/130608/when-is-a-secondary-nameserver-hit
    I hope that helps to understand it better.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • ISP Reporting Open DNS Resolvers

    I have a WRV210 installed at a remote client; it is set to do a point-to-point VPN tunnel to the company office (Windows server), with another 210 at the other end.
    Behind this specific unit are 2 Windows workstations (XP). The client just received the following email from AT&T:
    AT&T has determined that a device using your Internet connection is configured to run an open Domain Name System (DNS) resolver. A DNS resolver was observed answering public queries at Jan 7, 2014 at 7:06 PM EST at the IP address X.X.X.X. Our records indicate that this IP address was assigned to you at this time.
    Open DNS resolvers can be used for network attacks, presenting additional load on your Internet access and resulting in unreliable service.
    An open DNS resolver allows users on the Internet to perform DNS requests on your server. This is considered an insecure configuration and in the majority of cases, Internet subscribers should not operate an open DNS resolver. The open DNS resolver may be present due to a default operating system installation or system configuration issue. In some cases, network devices such as home wireless routers have flaws that expose DNS service to the Internet.
    To address this problem we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.
    If you use a wireless network, ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). In addition, ensure that the router is not configured to provide open DNS services (consult the manual for your specific hardware). Check the connections to the router and ensure that you recognize all connected devices.
    If your environment requires you to run an open DNS resolver, please limit access via an ACL, rate limiting, or another method to minimize abuse of your server. Visit http://www.team-cymru.org/Services/Resolvers/instructions.html for additional technical information on preventing abuse.
    Thank you for your prompt attention to this matter. We welcome your feedback and questions on this matter. Please contact us at [email protected] with any questions you may have.
    I have no port forwarding setup nor do I have any port triggering. The workstation is not setup in the DMZ, the inside network is setup as 192.168.1.x
    Can anyone point me in the right direction to resolve this?
    Thank you.

    My brother uses the Cisco WRV210 for his home wireless network and he has the same issue.  He received the below warning from his ISP.  The ISP provided this link http://www.thinkbroadband.com/tools/dnscheck.html to run a DNS check for this issue.  I have reset the router to factory settings and upgraded the firmware but it did not resolve the issue.  I have checked that all of his devices are clean of viruses and malware to the best of my ability.  Even my own laptop, which is fine with my own home network, reports of this DNS resolver issue when I run the dnscheck when connected to the WRV210.  This issue is beyond my knowledge and expertise.  His ISP has terminated his service twice already as a warning, each time having to demand to have it restored.  As a result I reinstalled my brother's 10 year old D-Link router and although it is noticeably slower, it does not exhibit this problem.
    Any assistance is greatly appreciated!
    Please be advised that we have received a report that your provisioned IP address is operating as an Open DNS server permitting unrestricted Recursive DNS Queries from anywhere on the Internet.
    Open recursive DNS resolvers have been used to generate an increasing number of extremely large reflective DDoS attacks, without needing a large number of infected hosts to launch the attacks.
    Additional risks of open recursive resolvers include resource consumption by outside users without your consent, and, perhaps possible cache poisoning from outside entities.
    More information on the problems associated with open DNS recursion, and assistance in remediating this threat, can be obtained from the site below.
    http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
    If you are not running a DNS server and are using a home gateway or router, it may be possible the router is running a DNS server. Usually, the DNS server should only be accessible to the computers inside your home; however, if configured incorrectly, it may make the DNS server accessible to the entire Internet. If you suspect your router may be the cause of this activity, we suggest contacting your router manufacturer's support desk for assistance in reconfiguring your router.
    Please note that each end user is responsible for the security of their computer system while connected to the network and thus is ultimately responsible for network abuse that is conducted through such configurations. Failure to take the appropriate measures to prevent network abuse through your internet account may result in a service interruption / account termination.

  • What Is an Appropriate Hostname & DNS Zone Configuration for External DNS Setup?

    I set up servers that are hosted in a secure external data centre. The data centre has its own DNS, so the DNS service is never set up on the server itself, and is handled by the data centre. I have already set up a handful of servers, and they all seem to be working well. Nevertheless, a couple of people in these discussions have told me that I'm not setting the servers up 'properly' because of the way I'm naming the server - ie., they believe I'm assigning a 'wrong' hostname - and because of the way I'm setting up subdomains in the zone file. Here is how I'm currently doing it:
    CURRENT SETUP:
    The server is public, and it is also the ONLY machine publicly in the domain zone. So, if the client's domain is "example.com", there is only one machine that will respond to all services in that domain. Because of this:
    - Server Hostname: "example.com"
    - reverse DNS PTR record points to "example.com"
    - 'mail.example.com', 'www.example.com', 'ftp.example.com', etc, are all set up as A records that point to the same IP address as "example.com".
    This has been working fine so far. I have not had any problems with any service, including mail. However, a couple of people suggested that "example.com" is not a fully qualified domain name, and that this setup is therefore 'incorrect', and that it will cause me problems in the future. They suggest I should be setting these servers up like this:
    SUGGESTED SETUP:
    - Server Hostname: "server.example.com"
    - reverse DNS PTR record points to "server.example.com"
    - setup "www.example.com" as a record pointing to the same IP address as "server.example.com", but avoid setting up other subdomains unless absolutely necessary - ie., tell client to use "server.example.com" as the 'proper' address for mail/ftp/etc.
    Technically, 'net', 'company.net' and 'server.company.net' can all be fully qualified domain names, if each one of them points unequivocally to a single IP address. A domain name is not fully qualified, for instance, when it points to a subnet instead of a single IP address. Using "example.com" as a FQDN is technically correct. However, what is 'technically correct' and what Server considers acceptable are not always the same thing....
    I certainly don't want my clients to have problems in the future, and if OS X Server is going to misbehave because of the way I'm setting up my hostname and zone files, I need to know for sure NOW rather than later!

    I'm the "other people" referenced here.
    For general information on DNS, please acquire and skim a copy of Cricket Liu's DNS and BIND book.  It was on its fifth edition when last I checked.  DNS server on OS X Server is the ISC BIND server, which is discussed in that book in some detail.
    If configuring OS X Server in a data center, the OS X Server box probably does not want (nor need) to be running a local DNS server.  (Running local DNS services just means that DNS server will potentially become part of a DNS DDoS, if who can issue queries to the server isn't carefully controlled.)  Use the DC DNS server(s).
    If you want the domain itself to be used as an IP address (eg: example.com), then that's usually an A record, particularly if you're getting email via that domain (and not an MX record going elsewhere).  Some versions of OS X Server have had some issues with setting up this record within Server Admin.app and Server.app.
    The previous issues were likely due to stale DNS translations lurking within the configuration, and caching of that data up to the TTL.  (FWIW, this discussion is related to this thread and this thread.)

  • DNS Configuration for Exchange 2013

    I have a stand-alone Server 2012 with AD, DHCP, DNS and Exchange on it and started getting DDoS attacks.
    I installed a firewall and had to change the subnet of the server from 10.0.0.0/24 to 192.168.1.0/24, and after re-configuring the server's IP, DHCP and DNS found that I had no incoming email (invalid security certificate).
    I found that mail traffic was directed to the router instead of Exchange and being rejected with the router's security certificate. I have since fiddled with the DNS so many times I don't know what is right and wrong.
    Anyone have any ideas where I have gone wrong, what is in the tables that shouldn't be there, and what is missing?
    Email address is user.mail.domain.com
    Geotrust SSL security certificate is for mail.domain.com, autodiscover.domain.com, server01.domain.com
    **Forward lookup for domain.com
    Name                Type      Data
    (same as parent)    SOA       [28] server01.domain.com, hostmaster.domain.com
    (same as parent)    NS        server01.domain.com
    (same as parent)    NS        ns1.domain.com
    (same as parent)    NS        ns2.domain.com
    (same as parent)    MX        [10] mail.domain.com
    (same as parent)    MX        [20] mail.domain.com
    server01            MX        [10] mail.domain.com
    (same as parent)    Host (A)  192.168.1.10
    (same as parent)    Host (A)  139.130.XXX.YYY
    server01            Host (A)  192.168.1.10
    mail                Host (A)  192.168.1.10
    mail                Host (A)  139.130.XXX.YYY
    localhost           Host (A)  127.0.0.0
    Properties / SOA:
      ns1.domain.com       139.130.XXX.YYY
      ns2.domain.com       139.130.XXX.YYY
      server01.domain.com  192.168.1.10
    **Forward lookup for mail.domain.com
    Name                Type      Data
    (same as parent)    SOA       [1] server01.domain.com, hostmaster.domain.com
    (same as parent)    NS        server01.domain.com
    (same as parent)    Host (A)  192.168.1.10
    (same as parent)    Host (A)  139.130.XXX.YYY
    Properties / SOA:
      server01.domain.com  192.168.1.10
    **Reverse lookup for 1.168.192.in-addr.arpa
    Name                Type      Data
    (same as parent)    SOA       [1] server01.domain.com, hostmaster.domain.com
    (same as parent)    NS        server01.domain.com
    (same as parent)    NS        ns1.domain.com
    192.168.1.10        PTR       domain.com
    192.168.1.10        PTR       mail.domain.com
    OWA and Outlook 2013 work incoming and outgoing from within the subnet, both internal emails and external emails.
    But users off site can't log in to Outlook 2013 and get blocked with OWA by an invalid security certificate.
    **Testconnectivity.microsoft.com results
    autodiscover failed
    resolved host domain.com successfully with both correct IP addresses returned
    Port 443 open
    SSL certificate incorrect: it is the router's certificate, not the Geotrust certificate.
    **This is the real issue, and I can't figure out why
    Thanks Alan

    Thanks Luke
    Yes, you are right, I get alternate WAN and LAN IP addresses when I flushdns.
    I suspected I had additional entries and/or wrong entries in the DNS zones.
    I reformatted to show up in columns in the post.
    I hope you can point out which are wrong.
    **Forward lookup for domain.com
    Name                Type      Data
    (same as parent)    SOA       [28] server01.domain.com, hostmaster.domain.com
    (same as parent)    NS        server01.domain.com
    (same as parent)    NS        ns1.domain.com
    (same as parent)    NS        ns2.domain.com
    (same as parent)    MX        [10] mail.domain.com
    (same as parent)    MX        [20] mail.domain.com
    server01            MX        [10] mail.domain.com
    (same as parent)    Host (A)  192.168.1.10
    (same as parent)    Host (A)  139.130.XXX.YYY
    server01            Host (A)  192.168.1.10
    mail                Host (A)  192.168.1.10
    mail                Host (A)  139.130.XXX.YYY
    localhost           Host (A)  127.0.0.0
    Properties / SOA:
      ns1.domain.com       139.130.XXX.YYY
      ns2.domain.com       139.130.XXX.YYY
      server01.domain.com  192.168.1.10
    **Forward lookup for mail.domain.com
    Name                Type      Data
    (same as parent)    SOA       [1] server01.domain.com, hostmaster.domain.com
    (same as parent)    NS        server01.domain.com
    (same as parent)    Host (A)  192.168.1.10
    (same as parent)    Host (A)  139.130.XXX.YYY
    Properties / SOA:
      server01.domain.com  192.168.1.10
    **Reverse lookup for 1.168.192.in-addr.arpa
    Name                Type      Data
    (same as parent)    SOA       [1] server01.domain.com, hostmaster.domain.com
    (same as parent)    NS        server01.domain.com
    (same as parent)    NS        ns1.domain.com
    192.168.1.10        PTR       domain.com
    192.168.1.10        PTR       mail.domain.com
    Do I need an autodiscover record?
    I set up 2 forward lookup zones, domain.com and mail.domain.com.
    From memory the mail.domain.com was for external access but I don't think that was how it turned out.
    Thanks

  • Dns block

    My organization does not have an IT professional or web developer, so any help on the following issue is appreciated! Our website DNS host is Business Catalyst and our email server is Office 365 AND we use Constant Contact for some of our email newsletters. Since early July, our employees have not been receiving Constant Contact emails and Constant Contact returned this message to our inquiry:
    "It appears that the entity that hosts DNS for this domain, Adobe Catalyst, has a block on CTCT's DNS caching servers...Note that this is not an email issue per se (blacklists, rate limiting, spam filtering, etc. will not be in play here), this is happening north of mail and SMTP, at the DNS level. Each attempt we make to deliver any mail to this domain is met with a "Host or domain name not found." I confirmed the block by attempting to resolve DNS for this domain directly from one of our DNS caching servers and each of my attempts are timing out."
    Does anyone know of a way to "un-block" Constant Contact? Also, this did start after we upgraded our office server computer although I'm not sure that that's pertinent.
    thank you!

    Hey jcook,
    We've been under some DDoS attacks on our DNS servers some 2 weeks ago (Incident Investigation - recent slowness and downtime) and as part of the incident investigation, we blocked some of the IP addresses that were making lots of requests. This could have been a possible reason why you were seeing that feedback from Constant Contact.
    We have now removed the block, so please let us know if you continue to experience the same issues.
    Thanks and regards,
    Florin

  • RVS4000 disabling IPS kills DNS

    Background: I recently bought a couple of RVS4000 routers to set up a VPN between my home and office. Initial setup went great and I got the VPN working with Dynamic DNS at both ends quite easily. The only problem was that the performance sucked badly; my ISP gives me 45Mb/s and I frequently see this in both directions from both speed test sites and SFTP to other servers, and they are planning to upgrade our building to 100Mb/s next month. With the RVS4000 in place I typically get 12Mb/s download and 7Mb/s down. No problem, I thought. I've read that most of the performance problems come from the Intrusion Prevention System having to look at every packet. So I switched the IPS off...
    Problem: The problem I am having is that if I switch the IPS off then DNS breaks on every computer on the network :-( Look-ups go so slowly that my web browsers frequently time out. If I access somewhere by IP address then everything is fine and the throughput of the router is acceptable (I've seen 28Mb/s when I've actually managed to resolve the address of a speed test server). Unfortunately this doesn't do me much good if I have no DNS. I restored the factory configuration for one router and then ran tests after each step of the configuration. Everything was fine until I switched the IPS off. I then restored to factory state again, confirmed everything was fine and changed nothing else except the IPS; when I disabled IPS the DNS died again!
    Question: Is there any work-around for this? I pay for 100M/s wiring between my home and office and with the IPS enabled I'm losing 90% of the performance. If I disable the IPS the device is essentially useless. HELP! Any suggestions welcome. If I can't fix this soon the routers are going to have to go back for a refund.

    Well, after some more investigation I have made a little progress on this, although it is still not actually resolved.
    Having attached packet capture tools on both sides of the router and watched the DNS packets going through it seems that there is a bug in the RVS4000 firmware. With the IPS enabled, DNS packets pass through the device with just the source IP address changed (as you would expect due to NAT being enabled) and the checksum values in the IP and UDP headers updated (because the source IP address changed). In this situation everything works fine but the throughput is throttled by the IPS software.  If the IPS is disabled, the router not only changes the source IP address but also changes the source UDP port. Worse, it replaces the randomly chosen, non-privileged port number picked by the client with a sequentially chosen port number, starting at port zero. Thus with IPS disabled the outgoing DNS packets look exactly like the packets that would be used to bounce a DDoS attack off someone else's DNS server and my ISP is deciding that they look bogus and rejecting them.
    It's also worth noting that replacing the randomly chosen, non-privileged port number with a sequentially chosen port number, starting at port zero, introduces a serious new security vulnerability. If an exploit is found for a bug in the DNS client software on PCs then the only thing stopping this being as dangerous as the recent bugs in the BIND DNS servers is that it's hard for attackers to know which port to attack. Unfortunately if the client machine is behind an RVS4000 then the attacker doesn't need to know which port is being used because he can just send exploit packets with the source address set to the victim's ISP's DNS server and low, sequentially numbered destination ports and the RVS will conveniently pass the exploit on to the correct port on the victim machine. Thus for this type of exploit, having an RVS with IPS disabled is actually less secure than not having the router there at all.
    Re-mapping the source UDP port is unnecessary unless there is a port number collision, and the router manages just fine without re-mapping if IPS is enabled. If the port must be re-mapped it should be replaced with something that is randomly chosen and not a privileged port number, just like a good client would have picked. The current state on the RVS4000 1.2.11 firmware is broken and should be fixed.
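A defender-side check for the behaviour this reply describes, added here as an example (not code from the thread or from the router vendor): given the outbound UDP source ports that a packet capture shows for DNS queries leaving a client or NAT device, it flags the sequential-from-zero pattern against properly randomised ephemeral ports. The two port lists are constructed, and the thresholds are assumptions chosen for a small sample.

```python
from collections import Counter

PRIVILEGED_MAX = 1023  # ports 0-1023 are reserved; RFC 6056 wants unpredictable ephemeral ports


def longest_sequential_run(ports):
    """Length of the longest run in which each port is the previous port plus one."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def assess_source_ports(ports, max_run=4, max_privileged_fraction=0.1,
                        min_distinct_fraction=0.8):
    """Score the DNS source ports observed in capture order for one client or NAT device.

    Returns the metrics plus a verdict of "predictable" or "unpredictable".
    The thresholds are assumptions for a small capture, not a standard.
    """
    if not ports:
        raise ValueError("no ports observed")
    n = len(ports)
    privileged = sum(1 for p in ports if p <= PRIVILEGED_MAX)
    distinct = len(Counter(ports))
    run = longest_sequential_run(ports)
    metrics = {
        "observed": n,
        "distinct_fraction": distinct / n,
        "privileged_fraction": privileged / n,
        "longest_sequential_run": run,
        "port_span": max(ports) - min(ports),
    }
    predictable = (
        run >= max_run                                            # counter, not random
        or metrics["privileged_fraction"] > max_privileged_fraction  # low ports like 0,1,2,...
        or metrics["distinct_fraction"] < min_distinct_fraction   # heavy reuse of a few ports
    )
    metrics["verdict"] = "predictable" if predictable else "unpredictable"
    return metrics


# Constructed samples (not real captures): the pattern the thread reports with IPS
# disabled, and what a well-behaved client or NAT should look like instead.
SEQUENTIAL_FROM_ZERO = list(range(0, 24))
RANDOM_EPHEMERAL = [49152, 60017, 53211, 58871, 33910, 62001, 40456, 36781, 57389, 44123,
                    61944, 39022, 52398, 47005, 63877, 35560, 41713, 55094, 38266, 50731]

if __name__ == "__main__":
    for name, sample in (("IPS off", SEQUENTIAL_FROM_ZERO), ("good client", RANDOM_EPHEMERAL)):
        print(name, assess_source_ports(sample))
```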

  • DDOS attack

    Right now/all afternoon (11-12) I have been hit with a Distributed Denial of Service attack (I have collected IP addresses from all over the world).
    arrrrgh, very frustrating
    Besides changing the IP address of my mail server, which would take days to do and then more to rebuild DNS, what can I try to stop the flood?

    What's the DDoS aiming at? (Ensure that the server here is not an open relay for instance, and what you're seeing here is not just malware relaying spam or other such traffic through your server.) After that, there's not much you can do for a DDoS short of aiming your MX elsewhere or adding bandwidth and servers or otherwise just waiting out the DDoS, and this presumes your DNS time to live values are set short enough to allow you to move your entries more quickly, and a block of previously dark IP addresses to move into. Work with your upstream provider.

  • How do I stop my server from being a DNS open resolver used for DOS attacks

    I just received this message:
    Dear Charter Business Internet Customer,
    Charter Communications has been notified that a DNS server on your network participated in a large-scale network impacting distributed denial-of-service (DDoS) attack.  The DNS server is acting as an “Open Resolver” and requires configuration changes. 
    We are asking that you take immediate action to update the DNS server(s) on your network, to remediate this issue.  
    What action do I take to fix this?
    OSX Server 10.10.2
    Paul

    Paul Kleeberg wrote:
    I will also block port 53 from the outside.
    Once again, thank you all for your assistance.  As is obvious, I know just enough to be dangerous.
    Paul
    It seems odd to me that port 53 is allowing inbound requests - a firewall should be between your server & the internet; you may want to check other services too. The internal server firewall isn't intended to be the only line of defence unless you are experienced in setting it up. NTP or other services can be used in other attacks.
    I wonder if this could help… (it scans the open ports at your IP; ignore the styling of the site).
    https://www.grc.com/x/ne.dll?bh0bkyd2
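Both the "open resolver" notices in the threads above and the earlier "17-byte request, 449-byte reply" finding come down to two things visible in the DNS wire format: whether a reply from the Internet side carries RA (recursion available) together with answers for a name the server is not authoritative for, and how much larger the reply is than the query. The parser below, added here as an example and not code from any of the threads, builds a 17-byte root NS query (header plus a one-byte root name and the type/class fields), constructs two replies, and classifies them; the reply sizes are constructed and so differ from the 449 bytes the thread reports.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # 1 = response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)
RCODE_REFUSED = 5

QTYPE = {"A": 1, "NS": 2, "ANY": 255}


def encode_name(name):
    """Encode a dotted name as DNS labels; the root "." becomes a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, rd=True):
    """Minimal query: 12-byte header plus one question, no EDNS. For "." NS this is 17 bytes."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def build_response(query, qtype, rdatas, ra=True, rcode=0, ttl=3600):
    """Reply that echoes the query's ID and question and appends one RR per rdata blob."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | (qflags & FLAG_RD) | (FLAG_RA if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    question = query[12:]
    answers = b""
    for rdata in rdatas:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[qtype], 1, ttl, len(rdata)) + rdata
    return header + question + answers


def parse_header(msg):
    """Decode the 12-byte header into flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def amplification_factor(query, response):
    """Bytes returned per byte sent: what makes a server attractive for reflection."""
    return len(response) / len(query)


def assess(query, response):
    """Return (is_open_resolver, amplification).

    A server that answers a recursive query for a name it is not authoritative
    for, with RA set and a clean RCODE, is an open resolver from the Internet's
    point of view. A hardened server answers REFUSED (a tiny reply) or clears RA.
    """
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        raise ValueError("not a reply to this query")
    is_open = h["ra"] and not h["aa"] and h["ancount"] > 0 and h["rcode"] == 0
    return is_open, amplification_factor(query, response)


# Constructed sample: a 17-byte "." NS query, answered two ways.
ROOT_NS_QUERY = build_query(".", "NS")
ROOT_SERVERS = [encode_name(f"{c}.root-servers.net") for c in "abcdefghijklm"]
OPEN_REPLY = build_response(ROOT_NS_QUERY, "NS", ROOT_SERVERS, ra=True)
REFUSED_REPLY = build_response(ROOT_NS_QUERY, "NS", [], ra=False, rcode=RCODE_REFUSED)

if __name__ == "__main__":
    for label, reply in (("open resolver", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        is_open, amp = assess(ROOT_NS_QUERY, reply)
        print(f"{label}: {len(ROOT_NS_QUERY)} -> {len(reply)} bytes, x{amp:.1f}, open={is_open}")
```

Pointing the same check at your own server from outside the network (or at a capture of its replies) tells you which of the two replies it is giving; the fix is the one the ISP notices ask for, restricting recursion to your own clients and rate limiting what remains.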

  • UPNP/SSDp/DDOS Attck Help

    How can I set up my BGP router to help stop a UPnP/SSDP attack? I recently just had a DDOS attack that was a UPnP/SSDP attack that was focused on my DNS server. Is there a way that I can configure my BGP routers to help overcome this? This attack literally brought my 2 BGP routers to their knees and caused the inbound ports to shut down but the outbound ports to stay up.

    Hi Jeff,
    I have an additional question to this thread.
    I try to share code between WinRT and Windows Phone 8 using similar code.
    Starting on Windows Phone 8 I omitted the following lines:
            await socket.BindEndpointAsync(null,
            socket.JoinMulticastGroup(hostName);
    This worked fine on the Phone. MSDN mentions for BindEndpointAsync that GetOutputStreamAsync also leads to a binding.
    I could receive answers, but when I tried to use this on WinRT/Windows Shop I did not receive anything. I had to put in the two lines of code from above.
    This is not how it is supposed to be, right?
    Stefan

  • Open DNS follow-up report

    Interestingly, after a very positive experience by adding the open DNS numbers 208.67.222.222 and 208.67.220.220, I found today that every time I tried to open Safari it knocked me offline. So I've now resorted back to the number originally assigned to me.
    What's going on with Safari?

    Jake,
    One Verizon DSL account; one Westell 6100 modem
    Check with Verizon and find out what the max download / upload speeds should be.
    If this is the plan you purchased: http://www22.verizon.com/residential/highspeedinternet/
    "And we're constantly looking for ways to make our DSL faster—recently upgrading our Starter plan to 1 Mbps* download and our Turbo plan to 7.1 Mbps."
    1 Mbps download / 7.1 Mbps is hardly high speed.
    You can check your upload/download speeds here: http://www.speedtest.net/
    To realize faster download and upload speeds you would need to upgrade your service.
    This is more than just a DNS issue.

  • Problem with DNS and/or Virtual Host (works from inside, not from outside)

    I am running several web sites (as virtual hosts) successfully on one Xserve (192.168.200), which are accessible internally and from the Internet (via forwarding port 80 on our firewall).
    Now I am trying to add another web site (newmini.domain.com), which however is running on a Mac mini (also on the same subnet as the Xserve) at 192.168.100. What I did is make an additional entry under the Xserve's DNS for the domain (domain.com) (+ Machine..., pointing to 192.168.0.100). (I also made the necessary changes to the Mac mini's httpd and hosts configuration--no problem there).
    Now, here's the strange thing: All computers on the subnet, whose DNS points to the Xserve, can see and browse newmini.domain.com fine. No problem. The computers ask the Xserve for the IP of the host in question, the Xserve says, "192.168.100", the request goes to the Mac mini, and it serves the web site as expected.
    But this doesn't happen if the request comes from the Internet. Instead of seeing the Mac mini, the client sees the default web site of the Xserve... So it appears that somewhere, the virtual host part of the HTTP request is lost between our firewall and the Xserve.
    Any ideas? Thanks.

    It's not going to.
    You say you've set up port forwarding on the firewall. Port forwarding only cares about the port number (80). It knows nothing about the nature of the request (e.g. the hostname that the web request is for). Therefore all external connections on port 80 get sent to the XServe. The newmini doesn't see the traffic at all.
    If you only have a single public IP address you can only forward port 80 traffic to a single machine. Your options are to either use a different port number, or configure the XServe to proxy the connection to the mini (so now the traffic goes router -> XServe -> Mini -> XServe -> router), although that might not do what you want since it still places load and dependencies on the XServe.

  • Open DNS

    My very much up-to-date Safari has been exceptionally neurotic. The day begins at lightning speed, then slows down, then, from time to time, Safari simply knocks out my internet connection.
    I've seen others here suggesting one could add 208.67.222.222 and 208.67.220.220 in their DNS menu. I haven't done it yet, simply because when I click "+" to do so, my current numbers disappear. I was hoping the two series of numbers above could be added rather than substituted, so that if there was a problem with the two suggested numbers, I could revert back to the old ones, provided by, I assume, my internet provider Verizon.
    Any thoughts on the above?

    How did you add them?
    If you are using a single computer: Open System Preferences/Network. Double click on your connection type, or select it in the drop-down menu, and in the box marked 'DNS Servers' add the following two numbers:
    208.67.222.222
    208.67.220.220
    (You can also enter them if you click on Advanced and then DNS)
    Sometimes reversing the order of the DNS numbers can be beneficial in cases where there is a long delay before web pages start to load, and then suddenly load at normal speed:
    http://support.apple.com/kb/TS2296
    If your computer is part of a network: please refer to this page: http://www.opendns.com/start/bestpractices/#yournetwork and follow the advice given.
    (An explanation of why using Open DNS is both safe and a good idea can be read here: http://www.labnol.org/internet/tools/opendsn-what-is-opendns-why-required-2/2587 /
    Open DNS also provides an anti-phishing feature: http://www.opendns.com/solutions/homenetwork/anti-phishing/ )
    Wikipedia also has an interesting article about Open DNS:
    http://en.wikipedia.org/wiki/OpenDNS
