Transcript basic-dns-mod3-types

Module 3
DNS Types
DNS - Types
Master
 Slave
 Caching (resolver)
 Forwarding (Proxy)
 Stealth (DMZ)
 Authoritative Only

DNS – TYPES

Best practice – single function per
DNS
Larger Sites – absolute rule
 Smaller sites DNS functions may be
mixed in single name server

BIND has fine control of type
functionality
 Windows DNS – less flexible

DNS - Types
DNS servers can support multiple
domains
 Legitimate to mix master and slaves
support even in larger sites on single
server

DNS - Master
Answers authoritatively for the
domain
 May be one or more domains
 Reads zone file from local filesystem
 Multi-master
 Master-Slave
 Hidden Master

DNS Master
DNS - Slave



Answers Authoritatively for the zone
Loads zone file from a Master via network
Checks Master




On refresh time from SOA
On receipt of NOTIFY
Reads SOA RR from Master and if lower
initiates transfer
Uses AXFR or IXFR to transfer domain
DNS - Slave
DNS - Master - Slave
Master may be visible in parents NS
RRs
 Master may be hidden (not visible in
parents NS RRs)
 Requirement is for two or more
public DNS that answer
authoritatively

DNS – Hidden Master
Primary and Secondary
Old Terminology – implies priority of
access
 DNS systems defined in NS RRs are
ALL accessed typically based on a
performance algorithm
 New terminology Master – Slave

DNS - Caching

Acts for one or more clients


Located where sensible






PC stub-resolvers or other DNS
In ISP, local network, Local PC
Caches all results
Is recursive – follows referrals
Cache lost on reload
Uses TTL to keep RRs in cache
Needs hints zone file (root-servers)
DNS Recursive (Caching)
Caching - Open and Closed






Caching Servers need to allow recursive
services for internal clients
Many also allow recursive services for
external clients (OPEN)
Approx 50% (4.5m) DNS are thought to
be open
Open DNS can be used in DDoS attacks
Open DNS is vulnerable to cache
poisoning
Recursive Services should be limited to
defined clients (CLOSED)
DNS – Open Resolver DDoS
DNS – Forwarding (Proxy)
Forwards all queries to a recursive
DNS
 Caches results
 Single request to recursive server
gets single result
 Used where links are slow,
congested or expensive
 Does not need hints zone file

DNS - Forwarding
DNS – Stealth (DMZ)




Organization needs public access – web,
ftp etc.
Organization wants to keep many hosts
invisible externally
Separate DNS servers with different zone
files for same domain
BIND provides capability to provide both
using a concept called views with IP
based selection
DNS – Stealth (DMZ)
DNS – Stealth (DMZ)
Still some weaknesses when internal
DNS systems issue queries – DNS
IP(s) are visible
 Firewalls typically configured not to
allow such traffic

DNS – Stealth (DMZ)
DNS – Authoritative-only
Only a Master or Slave
 Server may support many 100s or
1,000s of zones
 Does not cache (no hints zone file)
 Public DNS in a Stealth configuration
 High performance servers

Root-servers
 gTLD, ccTLD

Types – Quick Quiz





How does slave know when to transfer
zone?
Does a caching server need a hints zone
file?
Does a Forwarding DNS support recursive
queries?
Does an Authoritative-only DNS need a
hints file?
Why is an OPEN caching server bad?