Module 3

zubin

Presentation Transcript


  1. Module 3 DNS Types

  2. DNS - Types
  • Master
  • Slave
  • Caching (resolver)
  • Forwarding (Proxy)
  • Stealth (DMZ)
  • Authoritative Only

  3. DNS – TYPES
  • Best practice – a single function per DNS server
  • Larger sites – absolute rule
  • Smaller sites – DNS functions may be mixed in a single name server
  • BIND has fine control of type functionality
  • Windows DNS – less flexible

  4. DNS - Types
  • DNS servers can support multiple domains
  • Legitimate to mix master and slave support on a single server, even in larger sites

  5. DNS - Master
  • Answers authoritatively for the domain
  • May be one or more domains
  • Reads zone file from local filesystem
  • Multi-master
  • Master-Slave
  • Hidden Master

  6. DNS Master

  7. DNS - Slave
  • Answers authoritatively for the zone
  • Loads zone file from a Master via network
  • Checks Master
    • On refresh time from SOA
    • On receipt of NOTIFY
  • Reads SOA RR from Master and, if its own serial is lower than the Master's, initiates transfer
  • Uses AXFR or IXFR to transfer domain
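The slave's refresh cycle on this slide (poll on the SOA refresh timer or on NOTIFY, compare serials, transfer only when the master is newer, back off by RETRY on failure, stop answering after EXPIRE) written out as a small Python model. This is an added example, not code from the slides or from BIND; the SOA values, zone name and class/function names are constructed for illustration. Serial comparison follows RFC 1982 serial-number arithmetic so that a serial that wraps past 2^32-1 is still recognised as newer.

```python
"""Slave zone refresh logic: compare the master's SOA serial with our copy,
transfer (IXFR or AXFR) only when the master is newer, and re-poll on the SOA
refresh/retry timers or on NOTIFY. Added example, not BIND's code; SOA values
below are constructed sample data."""
from dataclasses import dataclass

SERIAL_HALF = 1 << 31  # half the 32-bit serial space (RFC 1982)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True when serial a is newer than b,
    including the wrap-around case where a small serial follows 2**32-1."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


@dataclass
class SOA:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> SOA:
    """Parse SOA RDATA in zone-file order, e.g.
    'ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400'."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError("SOA RDATA needs MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM")
    return SOA(parts[0], parts[1], *(int(x) for x in parts[2:]))


class SlaveZone:
    """State a slave keeps for one zone: its SOA copy, the time of the last
    successful contact with the master, and when it next polls."""

    def __init__(self, name: str, soa_rdata: str, now: int):
        self.name = name
        self.soa = parse_soa(soa_rdata)
        self.last_ok = now                  # last successful refresh/transfer
        self.next_poll = now + self.soa.refresh
        self.transfers = []                 # (method, serial) history

    def check_master(self, master_soa_rdata: str, now: int, ixfr_available: bool = True) -> str:
        """Run on the refresh timer or on NOTIFY: read the master's SOA and
        transfer if its serial is newer. Returns 'IXFR', 'AXFR' or 'NONE'."""
        master = parse_soa(master_soa_rdata)
        action = "NONE"
        if serial_gt(master.serial, self.soa.serial):
            action = "IXFR" if ixfr_available else "AXFR"
            self.transfers.append((action, master.serial))
            self.soa = master               # the transferred zone carries the new SOA
        self.last_ok = now
        self.next_poll = now + self.soa.refresh
        return action

    def on_notify(self, master_soa_rdata: str, now: int) -> str:
        """NOTIFY from the master short-circuits the refresh timer."""
        return self.check_master(master_soa_rdata, now)

    def on_master_unreachable(self, now: int) -> None:
        """Failed refresh: retry after RETRY seconds instead of REFRESH."""
        self.next_poll = now + self.soa.retry

    def is_servable(self, now: int) -> bool:
        """The slave keeps answering authoritatively until EXPIRE seconds
        have passed since the last successful contact with the master."""
        return now - self.last_ok < self.soa.expire


if __name__ == "__main__":
    soa_v1 = "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 86400"
    soa_v2 = "ns1.example.com. hostmaster.example.com. 2024010102 3600 900 604800 86400"
    z = SlaveZone("example.com.", soa_v1, now=0)
    print(z.check_master(soa_v1, now=3600))   # NONE: same serial
    print(z.on_notify(soa_v2, now=4000))      # IXFR: master is newer
    print(z.is_servable(4000 + 604800))       # False: expired without contact
```

The `serial_gt` wrap-around case is the one to remember when a zone's serial is bumped past 4294967295 or accidentally set far ahead: a master whose serial is "smaller" by more than half the space is still treated as newer, and a master that is ahead by more than half the space is treated as older, so the slave will not transfer.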

  8. DNS - Slave

  9. DNS - Master - Slave
  • Master may be visible in the parent's NS RRs
  • Master may be hidden (not visible in the parent's NS RRs)
  • Requirement is for two or more public DNS servers that answer authoritatively

  10. DNS – Hidden Master

  11. Primary and Secondary
  • Old terminology – implies a priority of access
  • DNS systems defined in NS RRs are ALL accessed, typically based on a performance algorithm
  • New terminology: Master – Slave

  12. DNS - Caching
  • Acts for one or more clients
    • PC stub-resolvers or other DNS
  • Located where sensible
    • In ISP, local network, local PC
  • Caches all results
  • Is recursive – follows referrals
  • Cache lost on reload
  • Uses TTL to keep RRs in cache
  • Needs hints zone file (root-servers)

  13. DNS Recursive (Caching)

  14. Caching - Open and Closed
  • Caching servers need to allow recursive services for internal clients
  • Many also allow recursive services for external clients (OPEN)
  • Approx 50% (4.5m) DNS are thought to be open
  • Open DNS can be used in DDoS attacks
  • Open DNS is vulnerable to cache poisoning
  • Recursive services should be limited to defined clients (CLOSED)
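A defender's check for the OPEN/CLOSED distinction on this slide: parse a BIND 9 style query log, pick out recursive (RD) queries arriving from outside the set of defined clients, and show which of them a CLOSED configuration would refuse. This is an added example in Python, not code from the slides or from BIND; the log lines are constructed in the shape of BIND's query-log format rather than taken from a real capture, and the internal client ranges, `AMPLIFYING_QTYPES` set and function names are assumptions for the illustration.

```python
"""Spot OPEN-resolver behaviour in a BIND 9 query log and model the verdict a
CLOSED caching server (recursion limited to defined clients) would give.
Added example, not from the slides or BIND; log lines are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed lines in the shape of BIND 9 query-log entries (not a real capture).
# RFC 5737 documentation ranges stand in for the internal and public addresses.
SAMPLE_LOG = """\
client @0x7f3a1c0 10.0.0.12#53211 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)
client @0x7f3a1c0 10.0.0.15#40177 (mail.example.com): query: mail.example.com IN MX +E(0) (10.0.0.53)
client @0x7f3a1c1 203.0.113.25#4500 (example.org): query: example.org IN ANY +E(0) (192.0.2.53)
client @0x7f3a1c1 203.0.113.25#4500 (example.org): query: example.org IN ANY +E(0) (192.0.2.53)
client @0x7f3a1c1 203.0.113.25#4500 (example.org): query: example.org IN ANY +E(0) (192.0.2.53)
client @0x7f3a1c2 198.51.100.7#33001 (example.com): query: example.com IN A -E(0) (192.0.2.53)
client @0x7f3a1c3 198.51.100.9#20001 (example.net): query: example.net IN TXT + (192.0.2.53)
"""

# One query-log line. The first flag character is '+' when the client set RD
# (recursion desired) and '-' when it did not.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<local>[0-9a-fA-F.:]+)\)"
)

# The "defined clients" a CLOSED resolver lists in allow-recursion (constructed).
INTERNAL_CLIENTS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Query types whose answers are large relative to the request; these are what
# make an open resolver attractive as a DDoS amplifier (assumed list).
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_query_log(text: str) -> list[dict]:
    """Return one dict per parseable line, with an 'rd' flag added."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["rd"] = e["flags"].startswith("+")
            entries.append(e)
    return entries


def in_acl(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def external_recursive_queries(entries, allowed=INTERNAL_CLIENTS):
    """Recursive queries from outside the allowed ACL: an OPEN resolver answers
    these, a CLOSED one refuses them. Returns (count per client,
    count of amplifying query types per client)."""
    per_client, amplifying = Counter(), Counter()
    for e in entries:
        if e["rd"] and not in_acl(e["ip"], allowed):
            per_client[e["ip"]] += 1
            if e["qtype"] in AMPLIFYING_QTYPES:
                amplifying[e["ip"]] += 1
    return per_client, amplifying


def closed_resolver_verdict(entry, allowed=INTERNAL_CLIENTS) -> str:
    """Model of a CLOSED caching server handling one query: RD queries are
    recursed only for defined clients and REFUSED for everyone else; a query
    without RD is answered non-recursively from whatever is already known."""
    if not entry["rd"]:
        return "NONRECURSIVE"
    return "RECURSE" if in_acl(entry["ip"], allowed) else "REFUSED"


if __name__ == "__main__":
    entries = parse_query_log(SAMPLE_LOG)
    per_client, amplifying = external_recursive_queries(entries)
    for ip, n in per_client.most_common():
        print(f"{ip}: {n} recursive queries from outside, {amplifying[ip]} amplifying")
    for e in entries:
        print(e["ip"], e["qtype"], closed_resolver_verdict(e))
```

Run against a real BIND query log (`querylog yes` or the `queries` logging category), a non-empty `per_client` is the signature of an OPEN resolver; repeated `ANY` or `TXT` queries from the same outside source are the pattern that precedes amplification traffic. The `closed_resolver_verdict` column is what the same log would look like after recursion is limited to defined clients.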

  15. DNS – Open Resolver DDoS

  16. DNS – Forwarding (Proxy)
  • Forwards all queries to a recursive DNS
  • Caches results
  • Single request to recursive server gets single result
  • Used where links are slow, congested or expensive
  • Does not need hints zone file

  17. DNS - Forwarding

  18. DNS – Stealth (DMZ)
  • Organization needs public access – web, ftp etc.
  • Organization wants to keep many hosts invisible externally
  • Separate DNS servers with different zone files for the same domain
  • BIND can provide both from one server using a concept called views, with IP-based selection
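The view mechanism this slide refers to, modelled in Python: two zone contents for the same domain, and the view chosen by the querying client's source address using BIND's first-match address-list semantics (including a negated element and a final `any`). This is an added example, not BIND's code or configuration and not from the slides; the zone data, address ranges (RFC 5737 and RFC 1918 documentation/private space) and function names are constructed for the illustration.

```python
"""Split-horizon (stealth/DMZ) name service modelled on BIND views: the same
domain served with different contents depending on where the query comes
from. Added example, not BIND code; zone data and ranges are constructed."""
import ipaddress

# External (DMZ) zone: only the hosts the organization wants visible outside.
EXTERNAL_ZONE = {
    "example.com.": ("NS", "ns1.example.com."),
    "ns1.example.com.": ("A", "192.0.2.53"),
    "www.example.com.": ("A", "192.0.2.10"),
    "ftp.example.com.": ("A", "192.0.2.11"),
}

# Internal zone for the same domain: everything, with internal addresses.
INTERNAL_ZONE = {
    **EXTERNAL_ZONE,
    "www.example.com.": ("A", "10.0.0.10"),       # same host, inside address
    "intranet.example.com.": ("A", "10.0.0.20"),
    "db1.example.com.": ("A", "10.0.0.30"),
}

# Views in declaration order. As in BIND, the first view whose match-clients
# list matches the query source wins; "any" at the end catches the public.
# The negated /24 is a constructed "guest" network that should see only the
# public data even though it sits inside 10.0.0.0/8.
VIEWS = [
    ("internal", ["!10.0.99.0/24", "10.0.0.0/8", "192.168.0.0/16"], INTERNAL_ZONE),
    ("external", ["any"], EXTERNAL_ZONE),
]


def acl_match(ip: str, acl: list[str]) -> bool:
    """BIND-style address match list: elements are tested in order, the first
    element that matches decides, and a leading '!' negates that element."""
    addr = ipaddress.ip_address(ip)
    for elem in acl:
        negate = elem.startswith("!")
        target = elem[1:] if negate else elem
        hit = target == "any" or addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False            # no element matched: this list does not match


def select_view(ip: str, views=VIEWS):
    """Return (view name, zone) for the first view whose ACL matches ip."""
    for name, acl, zone in views:
        if acl_match(ip, acl):
            return name, zone
    return None, {}


def answer(ip: str, qname: str, views=VIEWS):
    """Answer qname for a client at ip from whichever view it lands in.
    Returns (view name, RR or None). None from the external view is the
    point of the design: internal hosts do not exist as far as outside
    clients can tell."""
    view, zone = select_view(ip, views)
    return view, zone.get(qname)


if __name__ == "__main__":
    for client, name in [("10.0.0.5", "intranet.example.com."),
                         ("203.0.113.9", "intranet.example.com."),
                         ("203.0.113.9", "www.example.com."),
                         ("10.0.99.4", "db1.example.com.")]:
        print(client, name, answer(client, name))
```

The ordering rules are where split-horizon setups usually go wrong: a view or ACL element placed too late is shadowed by an earlier match, and a missing negation lets a network that should be treated as public (the guest /24 here) into the internal view. Checking each client range against `answer()` for a name that only exists internally is a quick way to confirm the intended split.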

  19. DNS – Stealth (DMZ)

  20. DNS – Stealth (DMZ)
  • Still some weaknesses when internal DNS systems issue queries – the internal DNS IP(s) are visible
  • Firewalls are typically configured not to allow such traffic

  21. DNS – Stealth (DMZ)

  22. DNS – Authoritative-only
  • Only a Master or Slave
  • Server may support many 100s or 1,000s of zones
  • Does not cache (no hints zone file)
  • Public DNS in a Stealth configuration
  • High performance servers
    • Root-servers
    • gTLD, ccTLD

  23. Types – Quick Quiz
  • How does a slave know when to transfer a zone?
  • Does a caching server need a hints zone file?
  • Does a Forwarding DNS support recursive queries?
  • Does an Authoritative-only DNS need a hints file?
  • Why is an OPEN caching server bad?
