Wednesday, May 19, 2010

Split Horizon using views

View based Split Horizon

The BIND DNS configuration provides the following functionality:

  1. Assume we want users in each geographic region to get the lowest possible latency from a web service named www.example.com.
  2. Assume we have a single worldwide email server called mail.example.com.
  3. Assume addresses 172.16.x.x originate in Mordor and we want them to be serviced by a local web server (172.16.1.1) we have installed in that land.
  4. Assume addresses 172.15.x.x and 172.14.x.x originate in Gondor and we want them to be serviced by a local web server (17.15.1.1) we have installed in that land.
  5. All other sources default to www.example.com at 192.168.1.2.
  6. For simplicity we assume an authoritative-only server is being configured.
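The scenario above expressed as a named.conf fragment, as an added example that is not the page's own configuration. The web server addresses are the ones listed on the page (the Gondor address is used exactly as given); the mail server address and the zone file paths under views/ are assumptions.

```conf
// Added example, not from the page. Once any view is declared, every zone
// statement must live inside a view; views are tested in order and the first
// match-clients that matches the source address wins, so the catch-all goes last.
options {
    directory "/var/named";
    recursion no;                       // authoritative only (item 6 above)
    allow-query { any; };
    allow-transfer { none; };           // nobody pulls our zone data
};

// Mordor: queries sourced from 172.16.0.0/16 get the local web server
view "mordor" {
    match-clients { 172.16.0.0/16; };
    zone "example.com" {
        type master;
        file "views/master.mordor.example.com";
        // differing record in this file:  www   IN A 172.16.1.1
        // identical in every view:        mail  IN A <mail-ip, not given on the page>
    };
};

// Gondor: queries sourced from 172.15.0.0/16 or 172.14.0.0/16
view "gondor" {
    match-clients { 172.15.0.0/16; 172.14.0.0/16; };
    zone "example.com" {
        type master;
        file "views/master.gondor.example.com";
        // differing record in this file:  www   IN A 17.15.1.1  (as listed above)
    };
};

// Everyone else: the catch-all view, so it must be declared last
view "default" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "views/master.example.com";
        // differing record in this file:  www   IN A 192.168.1.2
    };
};
```

Because match-clients keys on the query's source address, a client reaching the server through a proxy or a NAT gateway in another region is placed in that gateway's view, not its own.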

View based Authoritative Only DNS Server

View based Authoritative Only Name Server Configuration

The BIND DNS configuration provides the following functionality:

  1. 'master' DNS for example.com
  2. does NOT provide 'caching' services for any external users
  3. does NOT provide recursive query services for any external resolvers (Iterative only)
  4. provides 'caching' services for internal users
  5. provides recursive query services for internal users
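The five points above as a named.conf fragment, added here as an example and not taken from the page. The internal address range 192.168.0.0/16 is an assumption.

```conf
// Added example, not from the page. The same zone data is served in both
// views; only the service policy (recursion, caching) differs by client.
acl "internal" { 192.168.0.0/16; 127.0.0.1; };   // assumed internal ranges

options {
    directory "/var/named";
    allow-transfer { none; };           // no zone transfers from either view
};

// Internal users: full service, including caching and recursive queries
view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };
    zone "." {                          // root hints only where we recurse
        type hint;
        file "root.servers";
    };
    zone "example.com" {
        type master;
        file "master/master.example.com";
    };
};

// External resolvers: authoritative answers for example.com only (iterative)
view "external" {
    match-clients { any; };
    recursion no;                       // nothing is fetched, hence nothing cached
    allow-recursion { none; };
    zone "example.com" {
        type master;
        file "master/master.example.com";   // same file as the internal view
    };
};
```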

Authoritative Only DNS Server

Authoritative Only Name Server Configuration

The BIND DNS configuration provides the following functionality:

  1. 'master' DNS for example.com
  2. does NOT provide 'caching' services for any other domains
  3. does NOT provide recursive query services for all resolvers (Iterative only)
  4. optimised for maximum performance

Stealth (a.k.a. Split or DMZ) DNS Server

The functionality of the Stealth name server was previously described. The following diagram illustrates the conceptual view of a Stealth (a.k.a. Split) DNS server system.

Figure 6.1 Split/Stealth Server configuration (diagram not reproduced)

The key issue in a 'Stealth' (a.k.a. Split) DNS system is that there is a clear line of demarcation between the 'Internal' Stealth server(s) and the 'External' or Public DNS server(s). The primary difference in configuration is that the 'Stealth' servers provide a comprehensive set of services to internal users, including caching and recursive queries, and would be configured as a typical Master DNS, while the External server may provide limited services and would typically be configured as an Authoritative Only DNS server.

There are two critical points:

  1. The zone file for the 'Stealth' server will contain both public and private hosts, whereas the 'Public' server's master zone file will contain only public hosts.

  2. To preserve the 'Stealth' nature it is vital that the PUBLIC DNS configuration does not include options such as 'master', 'allow-notify', 'allow-transfer', etc. with references to the IP of the 'Stealth' server. If the Stealth server's IP were to appear in the Public DNS server's configuration and its file system were to be compromised, the attacker could gain more knowledge about the organisation: they could penetrate the 'veil of privacy' by simply inspecting the named.conf file.

    There are a number of articles which suggest that the view statement may be used to provide similar functionality using a single server. This does not address the problem of the DNS host system being compromised and additional data about the organisation being discovered by simple inspection of the named.conf file. In a secure environment 'view' does not provide a 'Stealth DNS' solution if there is any possibility that a filesystem compromise can happen.
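The demarcation described in the two points above, shown as the PUBLIC server's named.conf. This is an added example, not the page's own configuration; 203.0.113.20 (the public secondary) and 10.0.0.53 (the internal Stealth server) are hypothetical placeholder addresses.

```conf
// Added example, not from the page: named.conf of the PUBLIC (external)
// server in a Stealth/Split pair. Nothing in this file names the internal server.
options {
    directory "/var/named";
    recursion no;                       // authoritative only: no caching, no recursion
    allow-query { any; };
    allow-transfer { 203.0.113.20; };   // the PUBLIC secondary only (placeholder)
};

zone "example.com" {
    type master;
    // This copy of the zone lists only public hosts (www, mail, public NS records).
    // The Stealth server's own copy of example.com lists those AND the private hosts,
    // and is maintained separately; it is never referenced from here.
    file "master/master.example.com";
};

// What must NOT appear anywhere in this file: any reference to the Stealth
// server. Each of the following lines would hand 10.0.0.53 to whoever reads
// named.conf after this host is compromised:
//   allow-transfer { 203.0.113.20; 10.0.0.53; };
//   also-notify    { 10.0.0.53; };
//   zone "example.com" { type slave; masters { 10.0.0.53; }; file "..."; };
// The same applies to a view-based single server: a view "internal" with
// match-clients { 10.0.0.0/8; } leaks the internal ranges just as plainly.
```

A quick check on the public host is `grep -n '10\.' /etc/named.conf` against the internal ranges in use (the pattern is whatever your internal addressing is), run as part of the configuration review.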

Forwarding (a.k.a. Proxy, Client, Remote) DNS Server

Forwarding Name Server Configuration

The BIND DNS configuration provides the following functionality:

  1. The name server is not a 'master' or 'slave' for any domain
  2. provides 'caching' services for all domains
  3. forwards all queries to a remote DNS from all local resolvers (Global forwarding)
  4. limits query services to local resolvers only - this statement is designed to stop the server forwarding on behalf of arbitrary external clients, which would both negate the benefit of the forwarding server by increasing traffic loads and pass bogus requests on to the remote DNS, potentially causing a DoS/DDoS attack.

Caching Only DNS Server

Caching Only Name Server Configuration

The BIND DNS configuration provides the following functionality:

  1. The name server is not a 'master' or 'slave' for any domain
  2. provides 'caching' services for all domains
  3. provides query services to local resolvers only (a closed DNS; a note in the configuration file shows how to open the server if required)
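One named.conf that covers both the Forwarding server and the Caching Only server described above, added here as an example rather than taken from the page. The local resolver range 192.168.0.0/16 and the remote DNS 203.0.113.53 are assumptions; file names follow the naming convention given later on this page.

```conf
// Added example, not from the page. As written this is the forwarding server;
// delete the two forwarding lines to get the caching-only server.
acl "local-resolvers" { 192.168.0.0/16; 127.0.0.1; };   // assumed

options {
    directory "/var/named";
    recursion yes;                          // recursive service for local clients...
    allow-query { "local-resolvers"; };     // ...and ONLY for them (item 4 above)
    allow-recursion { "local-resolvers"; };
    // To open the server to everyone replace both lists above with { any; }.
    // Doing so on a forwarder makes it relay anyone's queries to the remote DNS.
    forwarders { 203.0.113.53; };           // remote DNS that does the resolving
    forward only;                           // never resolve on our own (no fallback)
};

// No master or slave zones: this server is authoritative for nothing.
// Root hints are what the caching-only variant resolves from; the forwarding
// variant ignores them while 'forward only' is in effect.
zone "." {
    type hint;
    file "root.servers";
};

// Housekeeping zones, present on every server type
zone "localhost" {
    type master;
    file "master.localhost";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
};
```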

Slave (Secondary) DNS Server

Slave Name Server Configuration

The BIND DNS configuration provides the following functionality:

  1. 'slave' DNS for example.com
  2. provides 'caching' services for all other domains
  3. provides recursive query services to local resolvers only (a closed DNS; a note in the configuration file shows how to open the server if required)

Master (Primary) DNS Server

Master Name Server Configuration

The BIND DNS configuration provides the following functionality:

  1. 'master' DNS for example.com
  2. provides 'caching' services for all other domains
  3. provides recursive query services to local resolvers only (a closed DNS; a note in the configuration file shows how to open the server if required)

Zone File Naming Convention

Everyone has their own ideas on a good naming convention, and so something that is supposed to be useful becomes contentious.

Here is a convention that is in daily use. Its sole merits are that it is a convention and that it makes sense to its authors.

  1. All zone files are placed in /var/named/ (for Windows users this would be %systemroot%\system32\drivers\etc). The base directory contains all the housekeeping zone files (e.g. localhost, reverse-mapping, root.servers etc.) with a subdirectory structure used as follows:
     1. /var/named/master - master zone files
     2. /var/named/slave - slave zone files
     3. /var/named/views - where views are used
  2. Master files are named master.example.com (or master.example.net etc.); if it is a sub-domain the file is master.sub-domain.example.com etc.
  3. Slave zone files are named slave.example.com (or slave.example.ca etc.); if it is a sub-domain the file is slave.sub-domain.example.com etc.
  4. The root server zone file is called root.servers (typically called named.ca or named.root in BIND distributions).
  5. The reverse mapping file name uses the subnet number and .rev, i.e. if the zone is '23.168.192.IN-ADDR.ARPA' the file is called 192.168.23.rev, to save having to reverse the digits at 3AM in a blind panic.
  6. The 'localhost' zone file is called master.localhost (typically called localhost.zone in BIND distributions). The reverse mapping file is called localhost.rev (typically called named.local in BIND distributions).
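The Master and Slave server types described above, laid out with this naming convention, as one added example that is not the page's own configuration. It goes slightly beyond the page by making a single server master for example.com and slave for example.net, so both file layouts appear in one file. The resolver range 192.168.0.0/16, the slave 192.168.23.3 and example.net's master 192.0.2.53 are assumed addresses.

```conf
// Added example, not from the page. Paths are relative to the base directory;
// housekeeping files stay in the base, zone data goes under master/ and slave/.
acl "local-resolvers" { 192.168.0.0/16; 127.0.0.1; };   // assumed

options {
    directory "/var/named";
    recursion yes;
    allow-query { "local-resolvers"; };     // closed DNS; { any; } opens it
    allow-recursion { "local-resolvers"; };
    allow-transfer { none; };               // default: nobody pulls our zones
};

// Housekeeping zones in the base directory (named.root / localhost.zone /
// named.local in stock BIND distributions)
zone "." { type hint; file "root.servers"; };
zone "localhost" { type master; file "master.localhost"; };
zone "0.0.127.in-addr.arpa" { type master; file "localhost.rev"; };

// Master zone: master/master.<zone>; a sub-domain zone sales.example.com
// would use master/master.sales.example.com
zone "example.com" {
    type master;
    file "master/master.example.com";
    allow-transfer { 192.168.23.3; };       // our own slave only (assumed)
    notify yes;
};

// Reverse map for 192.168.23.0/24: file named by the subnet, digits in
// natural order, kept with the other housekeeping files
zone "23.168.192.in-addr.arpa" {
    type master;
    file "192.168.23.rev";
    allow-transfer { 192.168.23.3; };
};

// Slave zone: slave/slave.<zone>; 'masters' names the remote primary (assumed)
zone "example.net" {
    type slave;
    file "slave/slave.example.net";
    masters { 192.0.2.53; };
};
```

On the slave machine for example.com the mirror-image statement is `zone "example.com" { type slave; file "slave/slave.example.com"; masters { <master-ip>; }; }`, with its own allow-transfer left at none.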

Sample BIND Configuration Overview

This chapter provides sample configurations and descriptions for each of the DNS types previously described. A BIND system consists of the following parts:

  1. A named.conf file describing the functionality of the BIND system. The entries in this file are fully described.
  2. Depending on the configuration one or more zone files describing the domains being managed. The entries in zone files are fully described. Zone files contain Resource Records which are fully described.
  3. Depending on the configuration one or more required zone files describing the 'localhost' and root name servers.

Monday, February 15, 2010

Understanding and Configuring Zones

DNS servers allow the DNS namespace to be divided into zones, each of which stores name information about one or more DNS domains. A zone becomes the authoritative source of information for each domain name it contains. This lesson introduces DNS zones and how they are configured.

Zones

DNS servers let you divide the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. The DNS namespace is the logical structure of your network resources; DNS zones provide the physical storage of those resources.

Planning Zones

When deciding whether to divide the DNS namespace into additional zones, consider the following reasons for using additional zones:
  • Is there a need to delegate management of part of the DNS namespace to another location or department within your organization?
  • Is there a need to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment?
  • Is there a need to extend the namespace by adding numerous subdomains at once, for example to accommodate the opening of a new branch or site?

Additional Zones

If you can answer "yes" to any of these questions, it may be useful to add zones or restructure your namespace into additional zones. When choosing how to structure zones, use the plan that meets the needs of your organization. There are two types of lookup zones: forward lookup zones and reverse lookup zones.

Forward Lookup Zones

A forward lookup zone enables forward lookup queries. On a name server you must configure at least one forward lookup zone for the DNS service to work. When you install Active Directory and let the Active Directory Installation Wizard install and configure a DNS server, the wizard automatically creates a forward lookup zone based on the DNS name you specified for the server.

Creating a New Forward Lookup Zone

  1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
  2. Expand the DNS server's scope.
  3. Right-click the Forward Lookup Zones folder and then click New Zone.

The New Zone Wizard guides you through the process of creating a forward lookup zone. The wizard presents the following configuration options: the zone type, the zone name, the zone file, and the master DNS servers.

Zone Type

There are three types of zones you can configure:
  • Active Directory-integrated. An Active Directory-integrated zone is a new primary zone that uses Active Directory to store and replicate the zone files.
  • Standard primary. A standard primary zone stores the master copy of the new zone in a text file. The zone is managed and maintained primarily on the computer on which you create it.
  • Standard secondary. A standard secondary zone is a read-only replica of an existing primary zone, stored in a standard text file. A primary zone must already exist before you can create a secondary zone. When you create a secondary zone you must specify the DNS server, called the master server, from which the zone information is transferred to the name server that holds the secondary zone. You create a secondary zone to provide redundancy and to reduce the load on the server that holds the master zone database file.

The Benefits of Active Directory-Integrated Zones

In the standard zone storage model, DNS updates take place according to a single-master update model. In this model, one authoritative DNS server for the zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is unavailable, update requests from DNS clients are not processed for the zone.

Directory-Integrated Storage

With directory-integrated storage, dynamic updates to DNS are conducted according to a multimaster update model. In this model, any authoritative DNS server (such as a domain controller running the DNS server) is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS server on any domain controller in the domain. With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process DNS zone update requests from clients for as long as a domain controller is available and reachable on the network.

Securing Directory-Integrated Zones

You can use the access control list (ACL) editor to secure access to the zone, either to the zone as a whole or to a specific resource record within it. For example, the ACL for a specific domain name can restrict dynamic updates so that only specified DNS clients are allowed, or can authorize only a secure group, such as domain administrators, with permission to modify the zone or its resource records. This security feature is not available with standard primary zones.

Zone Replication

Zones are replicated and synchronized to new domain controllers automatically whenever a new zone is added to the Active Directory domain. Although the DNS service can be selectively removed from a domain controller, directory-integrated zones are already stored on each domain controller, so zone storage and management require no additional resources. Also, the methods used to synchronize directory-stored information offer better performance than standard zone update methods, which can require transferring the entire zone.

Consolidated Storage

When storage and replication are maintained separately (for example, one mechanism for DNS storage and backup and another for Active Directory), additional administrative complexity is added to planning and designing the network and allowing for its eventual growth. By integrating DNS storage, you can consolidate storage management and replication of both DNS and Active Directory information as a single administrative entity.

Zone Name

Usually a zone is named after the highest domain in the hierarchy that the zone includes, that is, the zone's root domain. For example, a zone that includes both microsoft.com and sales.microsoft.com would be named microsoft.com. For more information about naming zones, see Chapter 2, "Introduction to Active Directory."

Zone File

For the standard primary forward lookup zone type, you must specify the zone file. The zone file is the name of the database file, which defaults to the zone name with a .DNS extension. For example, if the zone name is microsoft.com, the default database file name is MICROSOFT.COM.DNS. When migrating a zone from another server, you can import the existing zone file. You should place the file in the \System32\DNS directory on the target computer before you create the new zone, where the root of that path is the Windows 2000 installation folder, usually C:\Winnt.

DNS Servers

For the standard secondary forward lookup zone type, you must specify the DNS server(s) from which you want to copy the zone, by entering the IP address of one or more DNS servers. Reverse lookup zones enable reverse lookup queries. Reverse lookup zones are not required. However, a reverse lookup zone is required to run troubleshooting tools such as NSLOOKUP, and to record names instead of IP addresses in Internet Information Services (IIS) log files.