Module 3 DNS Types

DNS - Types Master Slave Caching (resolver) Forwarding (Proxy) Stealth (DMZ) Authoritative Only

DNS – TYPES Best practice – single function per DNS Larger Sites – absolute rule Smaller sites DNS functions may be mixed in single name server BIND has fine control of type functionality Windows DNS – less flexible

DNS - Types DNS servers can support multiple domains Legitimate to mix master and slaves support even in larger sites on single server

DNS - Master Answers authoritatively for the domain May be one or more domains Reads zone file from local filesystem Multi-master Master-Slave Hidden Master

DNS Master

DNS - Slave Answers Authoritatively for the zone Loads zone file from a Master via network Checks Master On refresh time from SOA On receipt of NOTIFY Reads SOA RR from Master and if lower initiates transfer Uses AXFR or IXFR to transfer domain

DNS - Slave

DNS - Master - Slave Master may be visible in parents NS RRs Master may be hidden (not visible in parents NS RRs) Requirement is for two or more public DNS that answer authoritatively

DNS – Hidden Master

Primary and Secondary Old Terminology – implies priority of access DNS systems defined in NS RRs are ALL accessed typically based on a performance algorithm New terminology Master – Slave

DNS - Caching Acts for one or more clients Located where sensible PC stub-resolvers or other DNS Located where sensible In ISP, local network, Local PC Caches all results Is recursive – follows referrals Cache lost on reload Uses TTL to keep RRs in cache Needs hints zone file (root-servers)

DNS Recursive (Caching)

Caching - Open and Closed Caching Servers need to allow recursive services for internal clients Many also allow recursive services for external clients (OPEN) Approx 50% (4.5m) DNS are thought to be open Open DNS can be used in DDoS attacks Open DNS is vulnerable to cache poisoning Recursive Services should be limited to defined clients (CLOSED)

DNS – Open Resolver DDoS

DNS – Forwarding (Proxy) Forwards all queries to a recursive DNS Caches results Single request to recursive server gets single result Used where links are slow, congested or expensive Does not need hints zone file

DNS - Forwarding

DNS – Stealth (DMZ) Organization needs public access – web, ftp etc. Organization wants to keep many hosts invisible externally Separate DNS servers with different zone files for same domain BIND provides capability to provide both using a concept called views with IP based selection

DNS – Stealth (DMZ)

DNS – Stealth (DMZ) Still some weaknesses when internal DNS systems issue queries – DNS IP(s) are visible Firewalls typically configured not to allow such traffic

DNS – Stealth (DMZ)

DNS – Authoritative-only Only a Master or Slave Server may support many 100s or 1,000s of zones Does not cache (no hints zone file) Public DNS in a Stealth configuration High performance servers Root-servers gTLD, ccTLD

Types – Quick Quiz How does slave know when to transfer zone? Does a caching server need a hints zone file? Does a Forwarding DNS support recursive queries? Does an Authoritative-only DNS need a hints file? Why is an OPEN caching server bad?