IP Expo 2009 - DNS Best Practice - Presentation Transcript
DNS Best Practices
Presented by Paul Roberts, Technical Services Manager, tuscany networks Ltd.
paul.roberts@tuscanynetworks.com

Who are we?
- The UK's leading IP Address Management and DNS specialists
- Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), IP Address Management (IPAM), Switch Port Tracking
- 12 years' experience in the DNS/IPAM market
- Over 100 large corporate customers, including many global deployments: finance, telcos, retail, manufacturing, service providers, transport, government
What is DNS?
- Pretty much everything that connects to the network uses an IP address
- Humans are not very good at remembering numbers, so we give everything a name (an even bigger problem with IPv6, where an address is 128 bits long)
- DNS, at its most basic, provides the translation from name to number (IP address)
- It's basically a telephone directory for networks

What is DNS?
Imagine TV adverts that used IP addresses instead of names...
155.136.71.10 =
161.113.4.8 =
62.128.133.234 =

What is DNS?
- DNS = Domain Name System
- Specific servers run the DNS service; these are known as DNS servers or name servers
- Multiple servers can be deployed to provide resilience
- Clients query these servers in order to resolve names and addresses, e.g. your PC typically talks to DNS when you browse a web page or access an internal system/service
- Example exchange: the client asks the DNS server "What is the IP address of news.bbc.co.uk?" and the server answers "news.bbc.co.uk = 212.58.226.140"
Why should I care?
DNS underpins: email & web, file & print, Active Directory, SAP/ERP/CRM

DNS is often neglected
- Traditionally DNS has been an "under the covers" type of service: it just sits there working, and everything else has grown up around it
- £1,000s spent on SAN/NAS storage solutions, £1,000s spent on the network, £1,000s spent on Microsoft servers and AD
- DNS is often neglected... UNTIL IT GOES WRONG!!! Then you notice!
- Other network services form a suite of "Core Network Services", which also generally suffer from under-investment

Core Network Services - where do they fit?
Applications: MSFT AD, CRM, Web, E-Commerce, IP Tel, ERP, Messaging
Core Network Services: Naming (DNS), Addressing (DHCP), Time (NTP), Authentication (RADIUS), IP Address Management (IPAM), File Delivery (TFTP / FTP / HTTP)
Network Infrastructure: Routing, Switching, Wireless, Firewalls, IDS, WAN Optimization
Not so long ago...
- A few years ago I visited a bank whose main DNS server was a single desktop PC under someone's desk
- They hadn't meant it to be this way; they were using WINS, but one day a service got implemented that required DNS
- Over time, more and more services were implemented that relied on that single server
- Another large financial institution was running their entire DNS on a desktop PC running Linux
- Only one person knew anything about it
But AD gives me DNS!
- With the advent of Active Directory and its dependency on DNS, many people are now running Microsoft DNS
- The AD guys end up running DNS. Are they suitably trained?
- A DNS failure can bring down AD (and vice versa)
- What happens to your non-Microsoft systems, i.e. all your Unix servers in the data centre?
- Microsoft has previously stated that approx. 70% of all AD/Exchange support calls were DNS related*
* http://redmondmag.com/articles/2004/05/01/10-dns-errors-that-will-kill-your-network.aspx

Considerations
- If AD is already established, consider rationalising the number of DNS servers in use; this will reduce errors and make problem solving easier
- Make sure your AD guys are trained
- Consider migrating DNS to a dedicated platform
- Separate your internal and external DNS functions
- Implement redundant or highly-available servers

How do I deploy it?
Have two infrastructures:
- External DNS infrastructure: hosts your external Internet-facing domains; handles inbound queries from the Internet and outbound queries from within your network; should reside within a DMZ. Keep the authoritative servers that answer Internet queries for your zones separate from the caching servers that resolve on behalf of your network, so that no Internet-facing server recurses for anyone who asks (an open resolver)
- Internal DNS infrastructure: provides a DNS service for your internal systems; does NOT communicate directly with the Internet; goes via the caching servers in your external DNS infrastructure, so internal names and the internal namespace never leave the network
- Weigh up the pros and cons of servers vs appliances
- Try to deploy the same solution for both infrastructures
External DNS Infrastructure - Example
(Diagram.) Internet-facing authoritative servers in the DMZ take the inbound queries from the Internet and exchange zone transfers with each other; separate caching servers in the DMZ take the outbound queries coming from the internal infrastructure and resolve them on the Internet.

Internal DNS Infrastructure
- Implement a hierarchical DNS infrastructure
- Use your primary servers to handle zone transfers and dynamic updates
- Use your secondary servers to handle client queries
- Use stealth secondaries or caching-only servers for small sites; stealth secondaries carry a full copy of the zone but are not advertised in NS records, so they will not normally be queried by other remote sites
- Use forwarders to resolve Internet queries
- Deploy an internal root domain (.) if you have a complex DNS structure; the internal servers then regard themselves as authoritative for the root, so Internet names must go out through the forwarders
- Use a proxy server to resolve Internet queries, i.e. let a web proxy resolve Internet names on the clients' behalf

Internal DNS Infrastructure - Example
(Diagram.) Clients send their queries to the internal secondaries, which answer iteratively for the internal zones and forward anything else to the caching servers in the external infrastructure.
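As an added illustration of the split just described (not configuration from the presentation or from any named product), the roles can be expressed as fragments from three separate BIND 9 named.conf files. The addresses, zone names and key names are assumptions: 192.0.2.0/24 stands for the DMZ, 10.0.0.0/8 for the internal network, 192.0.2.10/11 for the Internet-facing authoritative pair, 192.0.2.20/21 for the DMZ caching servers and 10.1.1.10 for the internal primary.

```conf
// ---- DMZ: Internet-facing authoritative server (inbound queries, zone transfers) ----
options {
    directory "/var/named";
    recursion no;                          // authoritative only: never resolves for anyone
    allow-query { any; };                  // the Internet may ask about our public zones
    allow-transfer { 192.0.2.11; };        // zone transfers only to the advertised secondary
    version "not disclosed";
};
zone "example.com" {
    type primary;                          // spelled "master" in older BIND releases
    file "primary/example.com.db";
    also-notify { 192.0.2.11; };
};

// ---- DMZ: caching server (outbound queries on behalf of the internal infrastructure) ----
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 10.0.0.0/8; 192.0.2.0/24; };   // never an open resolver for the Internet
    allow-recursion { 10.0.0.0/8; 192.0.2.0/24; };
    allow-transfer  { none; };
};
zone "." { type hint; file "root.hints"; };          // walks the Internet tree itself

// ---- Internal: secondary that answers client queries and forwards Internet names to the DMZ ----
key "xfer-key" {                           // TSIG key shared with the internal primary
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};
server 10.1.1.10 { keys { "xfer-key"; }; };
options {
    directory "/var/named";
    recursion yes;
    allow-query { 10.0.0.0/8; };
    forward only;                          // no direct Internet contact from inside
    forwarders { 192.0.2.20; 192.0.2.21; };
    allow-transfer { none; };              // secondaries do not re-serve the zone
};
zone "corp.example" {
    type secondary;                        // "slave" / "masters" in older BIND releases
    primaries { 10.1.1.10; };              // the internal primary owns transfers and dynamic updates
    file "secondary/corp.example.db";
};

// ---- Internal primary: the only server that accepts zone transfers and dynamic updates ----
zone "corp.example" {
    type primary;
    file "primary/corp.example.db";
    allow-transfer { key "xfer-key"; };    // only TSIG-authenticated secondaries, stealth ones included
    also-notify { 10.2.1.10; };            // stealth secondary at a small site: no NS record, still notified
    update-policy { grant "ddns-key" zonesub ANY; };   // dynamic updates, never from anonymous clients
};
```

A stealth secondary is simply a secondary that the primary notifies and transfers to but that is left out of the zone's NS records; the `also-notify` line on the internal primary is what keeps it current. On the internal secondary, `forward only` means that names it is not authoritative for go to the DMZ caching servers and nowhere else, which is the "does NOT communicate directly with the Internet" rule in config form.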
What is wrong with servers?
Using traditional servers presents several problems:
- Hardware and OS managed by different teams, while DNS is probably managed by someone else, leading to internal support issues
- Regular OS patches are required to secure it; Patch Tuesday on Windows requires a reboot, causing DNS server outages
- Other applications could be running that may affect the DNS service
- A general-purpose OS exposes far more listening ports than DNS needs (53/udp and 53/tcp), and each extra open port is more attack surface and one more thing that can destabilise the box

Appliance advantages
- Dedicated hardware, total ownership: you will not get people "piggybacking" apps on it
- More secure: no unnecessary open ports, hardened OS, no local user accounts, no access to the local OS
- Easier to patch/upgrade
- Additional features, such as high availability and anycast

"anycast" on the Internet
As of 7th September 2009, there were 191 root servers (http://www.root-servers.org/). There are only 13 root server names (A to M); anycast lets each name be announced from many sites at once, so a client reaches the nearest instance and the loss of one site does not take the name down.
Best Practices: Take a holistic approach #1
- Who "owns" the DNS service? Typically DNS service ownership falls between the cracks
- Nominate a team that is responsible for the DNS and can support and co-ordinate DNS requirements from different projects
- Use dedicated servers or appliances to reduce outages due to maintenance
- Place DNS servers in your data centres or at the core of your network so everyone knows which servers to use

Best Practices: Take a holistic approach #2
- Ensure all your WAN links are resilient; if you have locations where this is not possible, you may need to consider installing a local DNS server
- Ensure the server/appliance hardware you install is resilient: RAID 1 disk mirroring or solid-state storage, dual PSUs (connected to different power feeds), UPS

Best Practices: Take a holistic approach #3
- Ensure the server has out-of-band management capabilities to assist with upgrades and troubleshooting (iLO, DRAC, serial port etc.)
- Monitor your DNS servers! At a minimum, check that every server answers, and that the SOA serial on each secondary matches the primary, so a stalled zone transfer is noticed before clients do
DNS Security Extensions (DNSSEC)
- Most, if not all, secure web sites today rely on unsecured DNS
- You may be using "https", but how can you trust that DNS is taking you to the right place?
- The DNS traffic itself is unauthenticated; someone could have tampered with it!
- DNSSEC solves this and is available today: zone data is signed, and a validating resolver rejects answers whose signatures do not chain to a trust anchor. Note that DNSSEC authenticates the answer; it does not encrypt the query
- .SE, .ORG & .GOV are already signed; .COM will be done by 2011*
- Out-of-the-box support in Windows 2008 R2 and Windows 7
* http://www.networkworld.com/news/2009/022409-verisign-dns-security.html
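The example below is added here and is not code from the presentation. It shows, with nothing beyond the Python standard library, the three things the slides describe in words: the query/response exchange from the "What is DNS?" slide (built and parsed at the wire level), the "monitor your DNS servers" check that a secondary's SOA serial is not behind the primary, and the DNSSEC DO bit and AD flag from this slide. The zone example.com, the server names and the serial numbers are constructed sample data; the live `query` helper is included so the same parser can be pointed at a real server, and it randomises the transaction ID because a fixed ID makes forged answers easier to slip in.

```python
"""Stdlib-only DNS wire-format helpers: build a query, parse the answer,
compare SOA serials across servers, and read the DNSSEC AD flag.
Added example, not code from the presentation or any vendor."""
import secrets
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_OPT = 1, 6, 41
FLAG_RD, FLAG_AD = 0x0100, 0x0020   # header bits: recursion desired, authentic data
EDNS_DO = 0x00008000                # DNSSEC OK bit lives in the OPT record's TTL field


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(lab)) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, dnssec_ok=False):
    """Bytes of a UDP query; with dnssec_ok an EDNS0 OPT record carries the DO bit."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0) if dnssec_ok else b""
    return header + question + opt


def read_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    """Parse the header flags and the answer section (A and SOA rdata decoded)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                  # skip the echoed question
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A:
            value = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype == TYPE_SOA:                          # mname, rname, then serial and timers
            mname, p = read_name(data, offset)
            _, p = read_name(data, p)
            value = {"mname": mname, "serial": struct.unpack("!I", data[p:p + 4])[0]}
        else:
            value = data[offset:offset + rdlen]
        answers.append((name, rtype, ttl, value))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": answers}


def lagging_secondaries(serial_by_server):
    """Servers whose SOA serial is behind the newest one seen: the monitoring check for a
    primary/secondary hierarchy. Serials wrap at 2^32; this plain comparison assumes no wrap."""
    newest = max(serial_by_server.values())
    return sorted(s for s, serial in serial_by_server.items() if serial < newest)


def query(server, name, qtype, dnssec_ok=False, timeout=2.0):
    """Live UDP query to one server (needs network). Random txid; the answer must echo it."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid, dnssec_ok), (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    return resp


def build_sample_soa_response(serial, txid=0x1234, ad=False):
    """Constructed sample (not a real capture): an authoritative SOA answer for example.com."""
    flags = 0x8580 | (FLAG_AD if ad else 0)              # QR, AA, RD, RA (+ AD if requested)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_SOA, 1)
    rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
             + struct.pack("!IIIII", serial, 3600, 900, 1209600, 300))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Simulate polling a primary and two secondaries with constructed responses (no network).
    polled = {"primary": 2009090701, "secondary-a": 2009090701, "secondary-b": 2009090601}
    serials = {srv: parse_response(build_sample_soa_response(n))["answers"][0][3]["serial"]
               for srv, n in polled.items()}
    print("lagging:", lagging_secondaries(serials))
```

Two cautions when using this against real servers. The AD flag is only meaningful if the resolver that set it is one you trust and the path to it cannot be tampered with (a validating resolver on the host itself, or on your own network); an AD bit in an answer relayed across the Internet proves nothing, which is exactly the unauthenticated-transport problem the slide describes. And a real monitoring loop should poll the primary's serial separately and compare each secondary against it, rather than trusting whichever serial happens to be highest.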
Thank you
- Visit our DNS Surgery on stand 329
- Discover more about DNS
- Discuss issues you may have
- Find out more about the solutions we can offer
- Each visitor can claim a free beer token, to be redeemed at the bar
paul.roberts@tuscanynetworks.com
With the increasing reliance on IP-based technologies, DNS (Domain Name System) is a technology that is often overlooked, yet forms a critical part of the network infrastructure. This session aims to highlight the importance of DNS and discusses best practices for deploying a resilient DNS infrastructure.