Module 10 Advanced Topics. DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update.

Slides:



Advertisements
Similar presentations
Module 7 Advanced Zone Files.
Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop.
DNS server & Client Objectives Contents
DNS Domain name server – a server to translate IP aliases to addresses As you know, IP (internet protocol) works by providing every Internet machine with.
DNS. DNS is a network service that enables clients to resolve names to IP address and vice-versa. Allows machines to be logically grouped by domain names.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
The Domain Name System. CeylonLinux DNS concepts using BIND 2 Hostnames IP Addresses are great for computers –IP address includes information used for.
Chapter 4 - Lab DNS Configuration in Linux.  DNS Configuration in Linux Projects 4-1 through 4-3 Projects 4-4 deals with multiple domains  DNS Configuration.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Address Policy Meeting What is Reverse DNS October 26th, Brisbane Bruce.
Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.
Recursive Server. Overview Recursive Service Root server list localhost in-addr.arpa named.conf.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 8: Managing and Troubleshooting DNS.
The Domain Name System Unix System Administration Download PowerPoint Presentation.
Hands-On Microsoft Windows Server 2003 Administration Chapter 9 Administering DNS.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
The Domain Name System (DNS)
Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.
Domain Name Services Oakton Community College CIS 238.
Windows Server 2008 Chapter 8 Last Update
DNS. Introduction What is DNS? –Hierarchy or Tree –Dot used as a separator.
Module 3 DNS Types.
Advanced Module 3 Stealth Configurations.
New SA Training Topic 7: DNS and DHCP To implement the underlying basis for our organizations networking, we rely on two fundamental services  DNS – the.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Domain Names System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 17 Domain Name System
DNS Related Commands Sayed Ahmed Computer Engineering, BUET, Bangladesh (Graduated on 2001 ) MSc, Computer Science, U of Manitoba, Canada
Zone Properties. Zone Properties Continued Aging allows zone to remove “stale” or “old” records for clients who have not updated within a certain period.
DNS Zones. DNS records kept in zones DNS server is authoritative for a domain if it hosts the zone for that domain Sub-domains can be kept in same zone.
Module 5 BIND Configuration. named.conf – controls operational features Located - Linux: /etc/named.conf /etc/bind/named.conf Located- BSD: /usr/local/etc/named.conf.
Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Secured Dynamic Updates. Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 –Snapshot code is available for.
BIND THE DNS SERVER TO USE !. DNS Domain Name Services Name to IP resolving /etc/hosts /etc/resolv.conf.
Internet and Intranet Protocols and Applications Lecture 5 Application Protocols: DNS February 20, 2002 Joseph Conron Computer Science Department New York.
Module 2 Zone Files. Objective Understand the idea of a zone and how it relates to a domain name understand zone file structure Understand the major Resource.
1 Kyung Hee University Chapter 18 Domain Name System.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
Configuring Name Resolution and Additional Services Lesson 12.
1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
CIS 192B – Lesson 2 Domain Name System. CIS 192B – Lesson 2 Types of Services Infrastructure –DHCP, DNS, NIS, AD, TIME Intranet –SSH, NFS, SAMBA Internet.
DNS server & Client Objectives –to learn how to setup dns servers Contents –An Introduction to DNS –How To Download and Install The BIND Packages –How.
Linux Operations and Administration
DNS/Proxy Babu Ram Dawadi. Introduction - DNS Domain Name Server Domain Name Server –programs that store information about the domain name space –largest.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
DNS - BIND9 Přednášející Vaše jméno. Master and caching name server options { directory "/var/named"; allow-transfer {“none”;}; }; zone "." { type hint;
Web Server Administration Chapter 4 Name Resolution.
OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.
2/26/2003 Lecture 4 Computer System Administration Lecture 4 Networking Startup/DNS.
$TTL SOA ns.semgu.kz. root.semgu.kz. ( ; 28800; 14400; ; 86400; ) IN NS ns.semgu.kz. IN NS dns.semgu.kz. IN MX 10 router.semgu.kz.
WHAT IS DNS??????????.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
AfNOG-2003 Domain Name System (DNS) Ayitey Bulley Setting up an Authoritative Name Server.
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNS Domain name server a server to translate IP aliases to addresses
DNS zones and resource records
DNS and Bind Presenter David Wood
RPZ Configuration DNS RPZ Configuration Lecturer: Ron Aitchison
A New Approach to DNS Security (DNSSEC)
DNS RPZ Intro RPZ Overview Lecturer: Ron Aitchison
Presentation transcript:

Module 10 Advanced Topics

DNS and DHCP DHCP can be configured to auto- update (using DDNS) the forward and reverse map zones Can be secured using allow-update (IP and crypto) or update-policy (crypto only) Crypto may use TSIG or SIG(0) Used by AD extensively Interaction between AD and BIND9

DNS - DHCP

DNS - Security Overview

DNS and Security Local (1) is admin based Variety of sysadmin techniques (permissions) Chroot (jail) DDNS (2) - inhibit or use IP/Crypto controls Zone Transfers (3) - inhibit or use IP/Crypto controls Resolver (4) - DNSSEC - viable Resolver (5) - DNSSEC - not viable

Open vs Closed Resolvers Allows anyone, anywhere to query your resolver DDoS amplification attacks recursion yes; defaulted Big Deal ~50% of resolvers were open BIND9.4 partial close using allow-query- cache {localnets; localhost;}; Always use allow-recursion with explicit list (use ACL clause for big lists)

Closing DNS - Techniques # If authoritative servers (master/slave) # inhibit all recursion recursion no; # if master/slave with caching (hybrid) or caching only (resolver) # use an appropriate local address scope statement # to limit recursion requests to local users allow-recursion { /24;}; // change IPs as required # OR if the DNS server's IPs and netmasks cover the whole # local network you can use: allow-recursion {"localnets";”localhost”;}; # personal DNS # hard limits on reading listen-on { ;}; // or listen-on {localhost;}; listen-on-v6 {::1;}; // OR listen-on-v6 {localhost;}; # OR allow-recursion {"localhost";};

DNS - Uses DNSBL - DNS Blacklist Used for blacklists Whitelists ENUM Maps E.164 (Telephone numbers) Generic Principle of adding some (processed) name to a base name to get a DNS response

DNS - DNSBL $TTL 2d # default RR TTL $ORIGIN blacklist.example.com. IN SOA ns1.example.com. hostmaster.example.com.( ; se = serial number 3h ; ref = refresh 15m ; ret = update retry 3w ; ex = expiry 3h ; min = minimum ) IN NS ns1.example.com. IN NS ns2.example.com. # black list records - uses origin substitution rule (order unimportant) IN A # allows testing # black list RRs IN A # or some result code address IN TXT "Optional-explanation for black listing" # the above entries expands to blacklist.example.com IN A # generic list...

DNS - Other Lists $TTL 2d # default RR TTL $ORIGIN whitelist.example.com.... # white list records - using origin substitution rule # order not important other than for local usage reasons # normal whitelist RRs # by convention this address should be listed to allow for external testing IN A # black list RRs IN A # or some result code address IN TXT "Optional-explanation for listing" # the above entries expand to blacklist.example.com IN A # generic list... # name based RRs for white listing friend.com IN A # all domain addresses IN TXT "Optional-explanation for listing" # expands to friend.com.whitelist.example.com joe.my.my IN A # single address # expands to joe.my.my.whitelist.example.com...

DNS - Best Practices Don't mix Authoritative and caching practical only for big sites Configurations document config file changes don't assume defaults - be explicit Closed resolvers Zone files document changes use $ORIGIN (with dot!) Be consistent with names (w/o $ORIGIN)

DNS Resources (BIND 9) (info portal) Pro DNS and BIND!

Quick Quiz Can DHCP be used to update the reverse map file? Name at least two security threats. Why is an OPEN DNS a Bad Thing? Name at least one other use for DNS. Why is $ORIGIN important?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.