Module 3 DNS Types


Page 1: Module 3 DNS Types. DNS - Types Master Slave Caching (resolver) Forwarding (Proxy) Stealth (DMZ) Authoritative Only

Module 3

DNS Types

Page 2: DNS – Types
- Master
- Slave
- Caching (resolver)
- Forwarding (Proxy)
- Stealth (DMZ)
- Authoritative Only

Page 3: DNS – Types
- Best practice – single function per DNS server
- Larger sites – absolute rule
- Smaller sites – DNS functions may be mixed in a single name server
- BIND has fine control of type functionality
- Windows DNS – less flexible

Page 4: DNS – Types
- DNS servers can support multiple domains
- Legitimate to mix master and slave support on a single server, even in larger sites

Page 5: DNS – Master
- Answers authoritatively for the domain
- May be one or more domains
- Reads zone file from the local filesystem
- Configurations: Multi-master, Master-Slave, Hidden Master

Page 6: DNS – Master (diagram)

Page 7: DNS – Slave
- Answers authoritatively for the zone
- Loads the zone file from a Master via the network
- Checks the Master:
  - when the REFRESH timer from the SOA expires
  - on receipt of a NOTIFY
- Reads the SOA RR from the Master and, if its own serial is lower than the Master's, initiates a transfer
- Uses AXFR (full) or IXFR (incremental) to transfer the zone
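The refresh decision above, as an added example (not BIND's code). The point a practitioner trips over is the serial comparison: SOA serials are 32-bit and wrap, so "lower" has to be decided with RFC 1982 sequence-space arithmetic rather than a plain `<`, otherwise a zone whose serial has wrapped is never transferred. The SOA strings are constructed sample data.

```python
"""Slave-side refresh logic for slide 7 (added example, not BIND's code).

A slave compares the master's SOA serial with its own.  Serials are 32-bit
and wrap, so the comparison uses RFC 1982 sequence-space arithmetic rather
than a plain '<'.  The SOA strings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


@dataclass(frozen=True)
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Parse presentation-format SOA RDATA, e.g.
    'ns1.example.com. hostmaster.example.com. 2024051501 7200 900 1209600 3600'."""
    mname, rname, *nums = rdata.split()
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'newer' than serial b in 32-bit wrapping arithmetic?"""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def should_transfer(local: SOA, master: SOA) -> bool:
    """Transfer (AXFR/IXFR) only when the master's serial is newer than ours."""
    return serial_gt(master.serial, local.serial)


def plan_check(local: SOA, master: Optional[SOA], now: int, last_ok: int) -> Tuple[str, Optional[int]]:
    """Decide what the slave does at a scheduled SOA check (or on NOTIFY).

    master is None when the master could not be reached.  Returns
    (action, next_check_time): 'transfer' / 'up_to_date' reschedule after
    REFRESH, 'retry' after RETRY, and 'expire' (no next check) once the zone
    has gone EXPIRE seconds without a successful check; an expired slave stops
    answering authoritatively for the zone.
    """
    if master is None:
        if now - last_ok >= local.expire:
            return "expire", None
        return "retry", now + local.retry
    if should_transfer(local, master):
        # After the transfer the new SOA's timers apply.
        return "transfer", now + master.refresh
    return "up_to_date", now + local.refresh


# Constructed sample data: the master has bumped its serial once.
LOCAL_SOA = parse_soa("ns1.example.com. hostmaster.example.com. 2024051501 7200 900 1209600 3600")
MASTER_SOA = parse_soa("ns1.example.com. hostmaster.example.com. 2024051502 7200 900 1209600 3600")

if __name__ == "__main__":
    print("transfer needed:", should_transfer(LOCAL_SOA, MASTER_SOA))
    print("wrapped serial 5 newer than 4294967290:", serial_gt(5, 4294967290))
    print(plan_check(LOCAL_SOA, None, now=100_000, last_ok=0))
```

A slave that has been unable to reach its master keeps answering from its old copy until EXPIRE elapses; tuning REFRESH/RETRY/EXPIRE in the SOA is therefore a trade-off between staleness and resilience when the master is down.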

Page 8: DNS – Slave (diagram)

Page 9: DNS – Master – Slave
- Master may be visible in the parent's NS RRs
- Master may be hidden (not visible in the parent's NS RRs)
- Requirement is for two or more public DNS servers that answer authoritatively

Page 10: DNS – Hidden Master (diagram)

Page 11: Primary and Secondary
- Old terminology – implies a priority of access
- DNS servers listed in the NS RRs are ALL used; resolvers typically choose among them based on a performance algorithm (e.g. measured response time)
- Newer terminology: Master – Slave
  (Note: RFC 8499 and BIND 9.16+ have since returned to "primary" and "secondary" as the preferred terms; BIND accepts both.)

Page 12: DNS – Caching
- Acts for one or more clients: PC stub-resolvers or other DNS servers
- Located where sensible: in the ISP, on the local network, or on the local PC
- Caches all results
- Is recursive – follows referrals
- Cache lost on reload
- Uses the TTL to decide how long RRs stay in the cache
- Needs a hints zone file (root-servers)

Page 13: DNS – Recursive (Caching) (diagram)

Page 14: Caching – Open and Closed
- Caching servers need to allow recursive service for internal clients
- Many also allow recursive service for external clients (OPEN)
- Approx 50% (4.5m) of DNS servers are thought to be open
- Open DNS can be used in DDoS attacks (small queries with a spoofed source are reflected as much larger answers at the victim)
- Open DNS is vulnerable to cache poisoning (anyone can make it query for attacker-chosen names and race forged answers into its cache)
- Recursive service should be limited to defined clients (CLOSED)

Page 15: DNS – Open Resolver DDoS (diagram)

Page 16: DNS – Forwarding (Proxy)
- Forwards all queries to a recursive DNS server
- Caches results
- A single request to the recursive server gets a single (final) answer; the recursive server does the referral chasing
- Used where links are slow, congested or expensive
- Does not need a hints zone file
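The cache that both the caching server of slide 12 and the forwarder of slide 16 keep, as an added example (not BIND's code). It shows the behaviour the slides state: entries live for their TTL and the remaining TTL is what gets served, expired entries are evicted, a reload loses the cache, and a forwarder sends one query upstream per cache miss. The upstream recursive server, the clock and the addresses are constructed stand-ins so the example runs offline.

```python
"""TTL-bound RR cache of the kind caching (slide 12) and forwarding (slide 16)
servers keep.  Added example, not BIND's code.  Entries carry an absolute
expiry, answers report the remaining TTL, expired entries are dropped, and a
reload (flush) loses everything.  CountingUpstream is a constructed stand-in
for the recursive server a forwarder sends its queries to.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str]            # (owner name, RR type)
Answer = Tuple[int, List[str]]   # (ttl, rdata list)
Upstream = Callable[[str, str], Answer]


def _key(name: str, rtype: str) -> Key:
    """Case-insensitive, always-absolute owner name."""
    return name.lower().rstrip(".") + ".", rtype.upper()


class RRCache:
    def __init__(self, clock: Callable[[], float] = time.monotonic, max_ttl: int = 86400):
        self._clock = clock
        self._max_ttl = max_ttl        # cap on cached lifetime (BIND: max-cache-ttl)
        self._entries: Dict[Key, Tuple[float, List[str]]] = {}

    def put(self, name: str, rtype: str, ttl: int, rdata: List[str]) -> None:
        ttl = min(ttl, self._max_ttl)
        self._entries[_key(name, rtype)] = (self._clock() + ttl, list(rdata))

    def get(self, name: str, rtype: str) -> Optional[Answer]:
        """Return (remaining TTL, rdata) or None; expired entries are evicted."""
        key = _key(name, rtype)
        hit = self._entries.get(key)
        if hit is None:
            return None
        expires_at, rdata = hit
        remaining = int(expires_at - self._clock())
        if remaining <= 0:
            del self._entries[key]
            return None
        return remaining, list(rdata)

    def flush(self) -> None:
        """What a server reload does: the cache is lost."""
        self._entries.clear()


def lookup(cache: RRCache, name: str, rtype: str, upstream: Upstream) -> Answer:
    """Forwarder behaviour: answer from cache, else send a single query to the
    recursive server, cache its single (final) answer, and return it."""
    cached = cache.get(name, rtype)
    if cached is not None:
        return cached
    ttl, rdata = upstream(name, rtype)
    cache.put(name, rtype, ttl, rdata)
    return ttl, rdata


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class CountingUpstream:
    """Constructed recursive server: fixed answers, counts how often it is asked."""
    def __init__(self) -> None:
        self.calls = 0
        self._data = {_key("www.example.com", "A"): (300, ["203.0.113.20"])}

    def __call__(self, name: str, rtype: str) -> Answer:
        self.calls += 1
        return self._data.get(_key(name, rtype), (60, []))


def run_scenario() -> dict:
    """Drive the forwarder cache with a fake clock and return what was observed."""
    clock, up = FakeClock(), CountingUpstream()
    cache = RRCache(clock)
    out = {"first": lookup(cache, "www.example.com", "A", up)}      # miss: upstream asked
    clock.advance(120)
    out["second"] = lookup(cache, "WWW.example.com.", "A", up)      # hit: TTL counted down
    out["calls_after_second"] = up.calls
    clock.advance(180)                                              # TTL now exhausted
    out["expired"] = cache.get("www.example.com", "A")
    out["third"] = lookup(cache, "www.example.com", "A", up)        # miss again
    out["calls_after_third"] = up.calls
    cache.flush()                                                   # reload
    out["after_flush"] = cache.get("www.example.com", "A")
    capped = RRCache(FakeClock(), max_ttl=100)
    capped.put("a.example.", "A", 5000, ["192.0.2.1"])
    out["capped"] = capped.get("a.example.", "A")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Serving the remaining TTL rather than the original one matters: a downstream cache that received the full TTL would keep the record longer than the authoritative server intended, which is also why a forwarder in front of a recursive server does not make stale data any fresher.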

Page 17: DNS – Forwarding (diagram)

Page 18: DNS – Stealth (DMZ)
- Organization needs public access – web, ftp etc.
- Organization wants to keep many hosts invisible externally
- Separate DNS servers with different zone files for the same domain
- BIND can provide both from one server using views, selected by client IP address
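The two client-address policies on slides 14 and 18, as one added example (not BIND's code). It models a named.conf with an `acl internal { ... };`, an internal view (`match-clients { internal; }; recursion yes;`) and an external view (`match-clients { any; }; recursion no;`): the same name answers differently depending on which view the client lands in, names that exist only in the internal zone file are NXDOMAIN to outsiders, and recursion for names outside our own zones is refused to anyone not in the ACL, which is what makes the resolver CLOSED. The networks, addresses and zone data are constructed sample values.

```python
"""Client-address policy as a BIND-style server applies it.  Added example,
not BIND's code.  Models: acl internal; view "internal" { match-clients
{ internal; }; recursion yes; }; view "external" { match-clients { any; };
recursion no; }.  All addresses and zone data below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

INTERNAL_ACL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Same domain, two zone files: the internal one carries the hosts that must
# stay invisible; the external one carries only the public services.
ZONES: Dict[str, Dict[Tuple[str, str], List[str]]] = {
    "internal": {
        ("www.example.com.", "A"): ["10.1.1.20"],
        ("intranet.example.com.", "A"): ["10.1.1.30"],
        ("ns1.example.com.", "A"): ["10.1.1.53"],
    },
    "external": {
        ("www.example.com.", "A"): ["203.0.113.20"],
        ("ns1.example.com.", "A"): ["203.0.113.53"],
    },
}
OUR_ZONE = "example.com."


def in_acl(client_ip: str, acl) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl if net.version == addr.version)


def select_view(client_ip: str) -> str:
    """match-clients: the first view whose ACL matches wins; 'external' matches any."""
    return "internal" if in_acl(client_ip, INTERNAL_ACL) else "external"


def recursion_allowed(client_ip: str) -> bool:
    """allow-recursion { internal; }: a CLOSED resolver recurses only for its own clients."""
    return in_acl(client_ip, INTERNAL_ACL)


def answer(client_ip: str, qname: str, qtype: str = "A") -> Tuple[str, List[str]]:
    """Return (rcode, rdata) for a query.

    'RECURSE' stands in for the recursive resolution a real server would now
    perform; 'REFUSED' is what an outsider gets from a closed resolver for a
    name outside our own zones.
    """
    view = select_view(client_ip)
    key = (qname.lower().rstrip(".") + ".", qtype.upper())
    zone = ZONES[view]
    if key in zone:
        return "NOERROR", list(zone[key])
    if key[0] == OUR_ZONE or key[0].endswith("." + OUR_ZONE):
        return "NXDOMAIN", []       # authoritative: in this view the name does not exist
    if recursion_allowed(client_ip):
        return "RECURSE", []
    return "REFUSED", []


if __name__ == "__main__":
    for client, name in [("10.1.5.7", "www.example.com"), ("198.51.100.9", "www.example.com"),
                         ("198.51.100.9", "intranet.example.com"), ("10.1.5.7", "www.isc.org"),
                         ("198.51.100.9", "www.isc.org")]:
        print(client, name, "->", select_view(client), answer(client, name))
```

The ordering of the checks is the part worth checking in a real configuration: authoritative data in the selected view is answered for anyone, and only queries that would require recursion are subject to the ACL. A view that matches internal clients but still has `recursion no`, or an external view with `recursion yes`, silently re-opens the resolver.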

Page 19: DNS – Stealth (DMZ) (diagram)

Page 20: DNS – Stealth (DMZ)
- Still some weaknesses: when internal DNS servers issue queries to the Internet directly, their IP address(es) are visible
- Firewalls are typically configured not to allow such traffic; internal servers forward to the DMZ resolver instead

Page 21: DNS – Stealth (DMZ) (diagram)

Page 22: DNS – Authoritative-only
- Only a Master or Slave
- Server may support many 100s or 1,000s of zones
- Does not cache (no hints zone file)
- Public DNS in a Stealth configuration
- High-performance servers: root-servers, gTLD, ccTLD

Page 23: Types – Quick Quiz
- How does a slave know when to transfer a zone?
- Does a caching server need a hints zone file?
- Does a Forwarding DNS support recursive queries?
- Does an Authoritative-only DNS need a hints file?
- Why is an OPEN caching server bad?