Session 4 DNS Network Design
Review: Dynamic Host Configuration Protocol (DHCP)
DHCP automates the allocation of IP addresses together with the subnet mask, the default gateway and the WINS server address. DHCP servers supply IP addresses to requesting DHCP clients. The lease process takes place in four phases (carried by the DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK messages):
- IP lease request
- IP lease offer
- IP lease selection
- IP lease acknowledgement
A DHCP service can be designed for:
- a single LAN
- routed networks (using relay agents)
- non-Microsoft clients
Review (contd.)
- DHCP can be secured by stopping rogue DHCP servers and by using firewalls.
- One DHCP server can support thousands of DHCP clients in a local area network.
- A DHCP client uses the Dynamic Host Configuration Protocol to communicate with the DHCP relay agent; the client's broadcast does not leave its own subnet.
- The DHCP relay agent forwards the client's request to the DHCP server as a unicast packet.
Objectives
- Explain DNS and its features
- Identify the requirements for a DNS design
- Identify methods to secure the DNS network
- Identify methods to increase DNS performance and availability
Domain Name System
- Used to convert host names (for example the names in Web addresses) to IP addresses, and IP addresses back to names.
- TCP/IP is the protocol suite used for communication over the Internet. Data is passed between computers in the form of datagrams, which are addressed by IP address, not by name.
- The conversion of a name to an IP address is called name resolution.
- Reverse name resolution is the conversion of an IP address to a name.
Domain Name System (contd.)
- DNS servers accept two types of queries: iterative queries, where the server answers from its own data or refers the requester to another server, and recursive queries, where the server resolves the name fully on the client's behalf.
- The naming scheme in DNS is a hierarchical structure called the DNS namespace. It consists of a root domain with sub-domains beneath it.
- DNS can be integrated with the following services: DHCP, WINS and Active Directory.
DNS Network Design: Zones
- A zone is a contiguous portion of the DNS namespace.
- Dividing the namespace into zones makes name resolution and administration easier.
- A zone consists of one or more domains, which may contain sub-domains.
- Every zone has a database holding the resource records of the domains in the zone.
- A Windows DNS server supports three zone types: primary zone (the writable copy), secondary zone (a read-only copy obtained by zone transfer) and stub zone (holds only the SOA, NS and glue A records needed to locate the zone's authoritative servers).
Creating Zones
Zones are created with the New Zone Wizard: in the DNS console select Action > New Zone.
Resource Records
- A resource record maps a name in the zone to data; a host record holds a computer name and its IP address.
- Resource records are created inside a zone: select New Host (A) from the Action menu in the DNS console.
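The zone layout described on the preceding slides (primary, secondary and stub zones, a delegated child domain, and a host record) built with the DnsServer PowerShell module instead of the New Zone Wizard. This is an added example and not part of the original slides; the zone name contoso.com, the server names dns2 and ns1.lab.contoso.com, the partner namespace partner.example and all IP addresses are assumed for illustration.

```powershell
# Added example (not from the original slides). Assumed: this server is a domain
# controller at 10.0.0.5; dns2 (10.0.0.6) holds a secondary copy; the partner's
# master is 10.0.1.10; lab.contoso.com is delegated to ns1.lab.contoso.com (10.0.2.5).
Import-Module DnsServer

# Primary zone, Active Directory-integrated, replicated to every DC running DNS in
# the domain. Secure-only dynamic update means only authenticated domain members
# can register or change records (see the security slides later in this session).
Add-DnsServerPrimaryZone -Name 'contoso.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Matching reverse lookup zone, so that -CreatePtr below has somewhere to put PTRs.
Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Host (A) record for a server, plus its PTR record in 0.0.10.in-addr.arpa.
Add-DnsServerResourceRecordA -ZoneName 'contoso.com' -Name 'web01' `
    -IPv4Address '10.0.0.20' -CreatePtr

# Delegate lab.contoso.com to its own name server (the "delegated domain" case).
Add-DnsServerZoneDelegation -Name 'contoso.com' -ChildZoneName 'lab' `
    -NameServer 'ns1.lab.contoso.com' -IPAddress 10.0.2.5

# Secondary zone on a second server: a read-only copy pulled from 10.0.0.5 by zone
# transfer. Run this on dns2 itself, or target it with -ComputerName as shown.
Add-DnsServerSecondaryZone -ComputerName 'dns2' -Name 'contoso.com' `
    -ZoneFile 'contoso.com.dns' -MasterServers 10.0.0.5

# Stub zone for a partner namespace: only the SOA/NS/glue records, kept current from
# the partner's master, so queries for partner.example go straight to its servers.
Add-DnsServerStubZone -Name 'partner.example' -MasterServers 10.0.1.10 -ReplicationScope 'Domain'

# Verify: list the zones we created with their type, and the A records in the zone.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType 'A'
```

The secondary and stub zones need the primary's server to allow zone transfers to them (covered under Securing Zone Transfers below); until it does, they stay empty and the event log on dns2 reports failed transfers.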
Domains
- Second-level domains have to be registered.
- Naming conventions for domains:
  - use short, easy names
  - keep the number of levels to five or less
  - avoid abbreviated names that are not readable
- Advantages of multiple DNS servers on a network:
  - division of load amongst the DNS servers
  - improved performance
  - reduced risk of failure
  - reduced traffic arising from an unmanageable load on a single DNS server
Types of DNS Servers
Two types of DNS servers are:
- Forwarders: receive name resolution requests from other DNS servers and resolve them on their behalf.
- Caching-only servers: host no zones; they answer only from the cached results of earlier queries.
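Configuring the two server roles above with the DnsServer PowerShell module, as an added example that is not part of the original slides. The upstream servers 10.0.0.5 and 10.0.0.6, the partner namespace partner.example and its server 10.0.1.10 are assumed for illustration.

```powershell
# Added example (not from the original slides). Assumed: 10.0.0.5 and 10.0.0.6 are
# internal DNS servers this server forwards to; 10.0.1.10 serves partner.example.
Import-Module DnsServer

# Forwarder: send every query this server cannot answer from its own zones or cache
# to the listed servers, and never fall back to the Internet root servers.
Set-DnsServerForwarder -IPAddress 10.0.0.5, 10.0.0.6 -UseRootHint $false -Timeout 3

# Conditional forwarder: queries for one namespace go only to that namespace's servers.
Add-DnsServerConditionalForwarderZone -Name 'partner.example' -MasterServers 10.0.1.10

# A caching-only server hosts no zones of its own; everything it answers came from
# an earlier recursive query. Check that no administrator-created zone is present
# (auto-created zones and the TrustAnchors zone are not zones it is authoritative
# for in the usual sense, so they are ignored here).
function Test-CachingOnlyServer {
    $hosted = Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
    if ($hosted) {
        Write-Warning "Server hosts zones and is not caching-only: $($hosted.ZoneName -join ', ')"
        return $false
    }
    return $true
}

Test-CachingOnlyServer
Get-DnsServerForwarder
```

A caching-only server must have recursion enabled to populate its cache, so it should only be reachable from the clients it serves; an Internet-facing caching server becomes an open resolver.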
Active Directory Integrated Zones
- Provide read/write, multi-master copies of the zone on every domain controller that runs DNS.
- Can secure dynamically updated zones automatically (secure dynamic update).
- Appear as ordinary primary zones to BIND and other non-Microsoft DNS servers.
- Traditional (file-backed) zones have a single primary zone, that is, one writable copy.
Server Location
DNS server location depends on the type of zone used. The zone types are:
- Active Directory integrated
- primary
- secondary
- delegated domain
Security Threats to a DNS Server
- Flooding the DNS server with an unmanageable number of requests (denial of service).
- Forwarding DNS requests from a DNS server to another DNS server that is under the control of an attacker, who can then return forged answers.
- Intercepting DNS traffic on the network to learn IP addresses (footprinting), which are then used to gain access to protected information.
(Figure: DNS Server I forwarding requests to DNS Server II; an attacker sending requests; requests diverted to the attacker.)
Secure Dynamic Updates
With dynamic update, DNS clients register their IP addresses with the DNS server when the clients start up. Secure dynamic update, available in Active Directory integrated zones, accepts such registrations only from authenticated clients and lets only the account that created a record change it.
Limiting Interfaces
Reduces the set of network interfaces (IP addresses) on which a DNS server listens for requests, for example so that a multi-homed server answers only on its internal address.
Securing Zone Transfers
Limits the servers that can take part in zone transfers, typically to the servers named in the zone's NS records or to an explicit list of IP addresses, so that an attacker cannot download the whole zone.
Protecting a DNS Server
Cache pollution protection prevents attackers from filling the DNS server cache with incorrect or unrelated information: the server discards records in a response that do not belong to the domain it queried.
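The four hardening measures above, plus a response rate limit against the flooding threat, applied with the DnsServer PowerShell module and then verified. This is an added example and not part of the original slides; the zone contoso.com, the server address 10.0.0.5 and the permitted secondary 10.0.0.6 are assumed for illustration.

```powershell
# Added example (not from the original slides). Assumed: the server is a domain
# controller hosting the AD-integrated zone contoso.com, its internal address is
# 10.0.0.5, and 10.0.0.6 is the only permitted secondary.
Import-Module DnsServer

# Secure dynamic updates: registrations are accepted only from authenticated domain
# members, and only the owner of a record may change it. Requires an AD-integrated
# zone; 'NonsecureAndSecure' would let any host on the network register any name.
Set-DnsServerPrimaryZone -Name 'contoso.com' -DynamicUpdate 'Secure'

# Limiting interfaces: listen on the internal address only, not on every NIC.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = [System.Net.IPAddress[]]@('10.0.0.5')
Set-DnsServerSetting -InputObject $settings
# Equivalent legacy command: dnscmd /ResetListenAddresses 10.0.0.5

# Securing zone transfers: only the listed secondary may pull the zone, and it is
# the only server notified of changes. 'TransferToZoneNameServer' would instead
# allow any server in the zone's NS records; 'TransferAnyServer' is the open setting.
Set-DnsServerPrimaryZone -Name 'contoso.com' -SecureSecondaries 'TransferToSecureServers' `
    -SecondaryServers 10.0.0.6 -Notify 'NotifyServers' -NotifyServers 10.0.0.6

# Protecting the cache: discard records in a response that are not for the domain
# that was queried, so a referral cannot plant unrelated names in the cache.
Set-DnsServerCache -PollutionProtection $true

# Against flooding: rate-limit identical responses to the same client subnet
# (Windows Server 2016 and later). An Internet-facing authoritative-only server
# should also refuse recursion; keep recursion on for internal resolvers.
Set-DnsServerResponseRateLimiting -Mode 'Enable'
# Set-DnsServerRecursion -Enable $false   # authoritative-only servers

function Get-DnsZoneHardeningReport {
    param([Parameter(Mandatory)][string]$ZoneName)
    $zone  = Get-DnsServerZone -Name $ZoneName
    $cache = Get-DnsServerCache
    [pscustomobject]@{
        Zone                = $zone.ZoneName
        DynamicUpdate       = $zone.DynamicUpdate       # expect Secure
        SecureSecondaries   = $zone.SecureSecondaries   # expect TransferToSecureServers
        SecondaryServers    = ($zone.SecondaryServers -join ', ')
        ListeningOn         = ((Get-DnsServerSetting -All).ListeningIPAddress -join ', ')
        PollutionProtection = $cache.EnablePollutionProtection
    }
}

Get-DnsZoneHardeningReport -ZoneName 'contoso.com'
```

To confirm the transfer restriction from a host that is not in the permitted list, run nslookup interactively, point it at the server with `server 10.0.0.5` and request the zone with `ls -d contoso.com`; the server should refuse the query rather than list the zone's records.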
DNS Network Performance
The performance of a DNS server is evaluated in terms of its response time. To improve DNS performance:
- use upgraded hardware
- reduce query resolution time by using multiple DNS servers
- reduce the network congestion caused by zone replication
Summary
- DNS servers convert host names to IP addresses and IP addresses to host names.
- Name resolution is the conversion of a name to an IP address.
- Reverse name resolution is the conversion of an IP address to a name.
- DNS servers accept iterative and recursive queries.
- A zone is a contiguous part of the DNS namespace, consisting of one or more domains that may contain sub-domains.
Summary (contd.)
- Resource records are part of the zone database and map names to their IP addresses and other data.
- Multiple DNS servers are useful for dividing the load amongst the servers.
- Two types of DNS servers are forwarders and caching-only servers.
- Active Directory integrated zones secure dynamically updated DNS zones automatically.
Summary (contd.)
- Security threats to a DNS server include flooding the server with requests, forwarding DNS requests to a DNS server under the control of an attacker, and intercepting DNS traffic.
- Secure dynamic updates accept client registrations only from authenticated clients when those clients start up.
- Limiting interfaces reduces the number of network interfaces on which a DNS server receives requests.
- Securing zone transfers limits the servers that can take part in a zone transfer.
- The performance of a DNS server is evaluated in terms of its response time.