Module 3
DNS Types
DNS - Types
- Master
- Slave
- Caching (resolver)
- Forwarding (Proxy)
- Stealth (DMZ)
- Authoritative Only

DNS - Types
- Best practice: a single function per DNS server
- Larger sites: absolute rule
- Smaller sites: DNS functions may be mixed in a single name server
- BIND has fine control of type functionality
- Windows DNS: less flexible
DNS - Types
- DNS servers can support multiple domains
- Legitimate to mix master and slave support on a single server, even in larger sites
DNS - Master
- Answers authoritatively for the domain
- May be one or more domains
- Reads zone file from the local filesystem
- Master arrangements:
  - Multi-master
  - Master-Slave
  - Hidden Master
DNS Master (diagram slide)
DNS - Slave
- Answers authoritatively for the zone
- Loads zone file from a Master via the network
- Checks the Master:
  - on the refresh time from the SOA
  - on receipt of a NOTIFY
- Reads the SOA RR from the Master and, if its own serial is lower, initiates a transfer
- Uses AXFR or IXFR to transfer the zone
DNS - Slave (diagram slide)
DNS - Master - Slave
- Master may be visible in the parent's NS RRs
- Master may be hidden (not visible in the parent's NS RRs)
- Requirement is for two or more public DNS servers that answer authoritatively
DNS – Hidden Master (diagram slide)
Primary and Secondary
- Old terminology; implies a priority of access
- DNS systems defined in NS RRs are ALL accessed, typically based on a performance algorithm
- New terminology: Master - Slave
DNS - Caching
- Acts for one or more clients: PC stub-resolvers or other DNS servers
- Located where sensible: in the ISP, the local network, or on the local PC
- Caches all results
- Is recursive: follows referrals
- Cache is lost on reload
- Uses the TTL to keep RRs in the cache
- Needs a hints zone file (root-servers)
DNS Recursive (Caching) (diagram slide)
Caching - Open and Closed
- Caching servers need to allow recursive services for internal clients
- Many also allow recursive services for external clients (OPEN)
- Approx 50% (4.5m) of DNS servers are thought to be open
- Open DNS can be used in DDoS attacks
- Open DNS is vulnerable to cache poisoning
- Recursive services should be limited to defined clients (CLOSED)
DNS – Open Resolver DDoS (diagram slide)
DNS – Forwarding (Proxy)
- Forwards all queries to a recursive DNS server
- Caches results
- A single request to the recursive server gets a single result
- Used where links are slow, congested or expensive
- Does not need a hints zone file
DNS - Forwarding (diagram slide)
DNS – Stealth (DMZ)
- Organization needs public access: web, ftp etc.
- Organization wants to keep many hosts invisible externally
- Separate DNS servers with different zone files for the same domain
- BIND provides the capability to provide both from one server using a concept called views, with IP-based selection
DNS – Stealth (DMZ) (diagram slide)
DNS – Stealth (DMZ)
- Still some weaknesses when internal DNS systems issue queries: the DNS IP(s) are visible
- Firewalls are typically configured not to allow such traffic
DNS – Stealth (DMZ) (diagram slide)
DNS – Authoritative-only
- Only a Master or Slave
- Server may support many 100s or 1,000s of zones
- Does not cache (no hints zone file)
- Public DNS in a Stealth configuration
- High performance servers: root-servers, gTLD, ccTLD
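One way to put the Closed caching, Hidden Master, Stealth (views) and Authoritative-only points together in a single BIND named.conf, as an added example that is not from the slides (assumed: 10.0.0.0/8 for internal clients, 198.51.100.53 for the hidden master, the domain example.com, and a root hints file called named.root):

```conf
// Added example, not from the original slides. Assumed addresses:
// 10.0.0.0/8 = internal clients, 198.51.100.53 = hidden master (not in NS RRs).
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    // CLOSED caching: recursion and cache reads only for defined clients.
    allow-recursion   { internal; };
    allow-query-cache { internal; };
};

// Stealth (DMZ): two views of the same domain, selected by client IP.
view "inside" {
    match-clients { internal; };
    recursion yes;
    // A recursive view follows referrals, so it needs the root hints zone.
    zone "." { type hint; file "named.root"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // full internal host list
        allow-transfer { none; };
    };
};

view "outside" {
    match-clients { any; };
    recursion no;                           // authoritative-only: no hints zone
    zone "example.com" {
        type slave;
        masters { 198.51.100.53; };         // public zone loaded from the hidden master
        file "public/example.com.zone";
        allow-notify   { 198.51.100.53; };  // accept NOTIFY only from that master
        allow-transfer { none; };           // no AXFR/IXFR of the zone to the public
    };
};
```

Run named-checkconf before reloading; the outside view never recurses, so external clients get the public zone only and cannot use this server as an open resolver.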
Types – Quick Quiz
- How does a slave know when to transfer a zone?
- Does a caching server need a hints zone file?
- Does a Forwarding DNS support recursive queries?
- Does an Authoritative-only DNS need a hints file?
- Why is an OPEN caching server bad?