DNS: Terms and Process
The domain name system (DNS) gives us humans a more usable way to interact with the Internet or your own local area network. DNS translates computer names, which we understand more easily, into IP addresses, which computers and networking gear understand better; think of it as the phone book for the network.
A timely response from DNS improves corporate productivity and overall user morale, because end users are not frustrated by long waits for access to resources. Here we review some of the configurable items universally found in DNS.
Remember, with DNS it is a matter of who knows what when asked.
What are the components that make up DNS? When configuring DNS, which components do you need to deal with, and what is the impact of making changes? Company productivity is not a place where you want to be guessing, so the following are some of the key things you need to know when dealing with DNS.
Forwarders
A DNS forwarder is a DNS server that performs queries on behalf of another DNS server; typically this is the DNS server at your ISP. When setting up your DNS server, if you enter IP addresses in the forwarder section, your DNS server will ask those addresses for information on any domain it has no information on. Forwarder queries are made to the IP addresses in the order they appear in the list.
The Root.hints file
As we all should know, the Domain Name System is hierarchical. The root.hints file lists the names and IP addresses of the servers responsible for providing information on the top level domains. Using the root.hints file instructs your DNS server to ask the Internet directly for IP address information about a specific domain, thus reducing the chance of 'not found' errors.
Depending on the operating system you are using, the root.hints file may also be known as named.cache or root.ca. This file has not changed since Jan 29, 2004.
Recursive Lookups
In DNS, recursion is the act of following the path down the name hierarchy. When a request is made for a domain the DNS server is unaware of, say www.esubnet.net, the server asks the root servers for the IP address of the name server that has information on esubnet.net; that name server is in turn asked for the IP address of the machine hosting www.
Turning off recursive lookups means that a DNS server will only provide information on the domains it knows.
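The three behaviours just described (forwarding to a list of servers in order, walking down from the root hints, and refusing anything outside the server's own zones) are modelled below as an added example; it is not code from the original article. Every server name and IP address in it is constructed for the illustration and refers to no real host, and the tiny in-memory "servers" stand in for the root, the TLD and the authoritative server for esubnet.net.

```python
# Added example (not from the original article): a toy model of forwarding,
# recursion from root hints, and recursion switched off. Every server name and
# IP address here is constructed for the illustration.

# Each constructed server holds a few names -> {type: [values]}. A delegation
# (NS) plus the NS host's address ("glue") is what lets a client walk from the
# root down to the server that is authoritative for the name being asked about.
ROOT_HINTS = {"a.root.example.": "198.51.100.1"}        # stand-in for one root.hints entry

SERVERS = {
    "198.51.100.1": {                                    # a root server: knows the "net." TLD servers
        "net.": {"NS": ["a.tld.example."]},
        "a.tld.example.": {"A": ["198.51.100.2"]},
    },
    "198.51.100.2": {                                    # the "net." TLD server: knows esubnet.net's NS
        "esubnet.net.": {"NS": ["ns1.esubnet.net."]},
        "ns1.esubnet.net.": {"A": ["203.0.113.53"]},
    },
    "203.0.113.53": {                                    # authoritative for esubnet.net.
        "www.esubnet.net.": {"A": ["203.0.113.80"]},
    },
}


def ask(server_ip, name, rtype):
    """One query to one server: ('answer', values), ('referral', next_ip) or ('nodata', None)."""
    data = SERVERS[server_ip]
    if name in data and rtype in data[name]:
        return "answer", data[name][rtype]
    labels = name.split(".")
    for i in range(1, len(labels)):                      # look for a delegation of a parent name
        parent = ".".join(labels[i:])
        if parent in data and "NS" in data[parent]:
            ns_host = data[parent]["NS"][0]
            return "referral", data[ns_host]["A"][0]     # glue gives the next server's address
    return "nodata", None


def resolve_iteratively(name, rtype, max_hops=8):
    """Recursion as the article describes it: start at a root server taken from
    the root hints and follow referrals down the tree. Returns (values, servers_asked)."""
    server_ip = next(iter(ROOT_HINTS.values()))
    path = []
    for _ in range(max_hops):
        path.append(server_ip)
        kind, payload = ask(server_ip, name, rtype)
        if kind == "answer":
            return payload, path
        if kind != "referral":
            break
        server_ip = payload
    return None, path


class DnsServer:
    """A server with its own zones, an ordered forwarder list and a recursion switch."""

    def __init__(self, zones, forwarders=(), recursion=True):
        self.zones = zones                   # names this server is authoritative for
        self.forwarders = list(forwarders)   # DnsServer objects; None models an unreachable one
        self.recursion = recursion

    def query(self, name, rtype):
        if name in self.zones and rtype in self.zones[name]:
            return "answer", self.zones[name][rtype]
        if not self.recursion:               # recursion off: answer only for zones we hold
            return "refused", None
        for fwd in self.forwarders:          # forwarders are tried in list order
            if fwd is None:
                continue                     # no response from this one, so try the next
            kind, values = fwd.query(name, rtype)
            if kind == "answer":
                return kind, values
        values, _ = resolve_iteratively(name, rtype)    # no usable forwarder: use the root hints
        return ("answer", values) if values else ("nxdomain", None)
```

`resolve_iteratively` records which servers were consulted, so a practitioner can see the root, TLD and authoritative hops the article describes. The model uses "forward first" semantics (fall back to the root hints when no forwarder answers); a server built with `recursion=False` answers only for its own zones and returns "refused" for everything else, which is the behaviour normally wanted on an Internet-facing authoritative server.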
The Zone File
DNS information is held in a file called a zone file. The computer that holds the zone file for a given domain is called the Start of Authority (SOA for short) for that domain.
The zone file is made up of two parts: the SOA fields (sdata) and the resource records (rdata). The components of each are explained below.
Common DNS SOA fields
The following list explains the common SOA record (sdata) information found in DNS:
MNAME The
RNAME A
SERIAL The unsigned 32 bit version number of the original copy of the zone. Zone transfers preserve this value. This value wraps and should be compared using sequence space arithmetic.
REFRESH A 32 bit time interval before the zone should be refreshed.
RETRY A 32 bit time interval that should elapse before a failed refresh should be retried.
EXPIRE A 32 bit time value that specifies the upper limit on the time interval that can elapse before the zone is no longer authoritative.
All time intervals are in seconds.
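How a secondary server acts on these fields is shown below as an added example (not code from the original article). The serial comparison implements the sequence space arithmetic the SERIAL entry refers to, as defined in RFC 1982, and the timer values are taken from the sample zone in this article (3H, 15 and 1w, converted to seconds); the function names and the "what should the secondary do now" states are this example's own.

```python
# Added example (not from the original article): how a secondary server
# interprets the SOA fields. Serial comparison uses the "sequence space
# arithmetic" the article mentions (RFC 1982), so a counter that has wrapped
# past 2**32 - 1 still orders correctly; the timers are plain seconds.
MOD = 1 << 32            # serials are unsigned 32-bit values
HALF = 1 << 31           # a value more than this far "ahead" is really behind


def serial_newer(candidate, current):
    """True if candidate is greater than current in RFC 1982 terms.
    Two serials exactly 2**31 apart have no defined order; treated as not newer."""
    diff = (candidate - current) % MOD
    return 0 < diff < HALF


def serial_steps(current, desired):
    """Serials a primary must publish, in order, so that secondaries end up at
    `desired` even when it is numerically lower than `current` (a mistyped
    YYYYMMDDnn value, say). Each intermediate step adds 2**31 - 1, the largest
    increment secondaries still accept as newer."""
    steps, s = [], current
    while not serial_newer(desired, s):
        s = (s + HALF - 1) % MOD
        steps.append(s)
        if len(steps) > 3:
            raise ValueError("cannot reach the desired serial")
    return steps + [desired]


# Timers from the sample zone in this article, converted to seconds.
SAMPLE_SOA = {"refresh": 3 * 3600, "retry": 15, "expire": 7 * 86400}


def secondary_action(soa, since_success, since_attempt):
    """What a secondary should do now, given seconds since its last successful
    refresh and seconds since its most recent attempt (successful or not)."""
    if since_success >= soa["expire"]:
        return "expired"       # stop answering for the zone; the copy is too old to trust
    if since_attempt >= since_success:
        # the most recent attempt was the successful one: wait out REFRESH
        return "check" if since_success >= soa["refresh"] else "fresh"
    # the most recent attempt failed: back off RETRY seconds before asking again
    return "check" if since_attempt >= soa["retry"] else "wait"
```

`serial_steps` is the check to run before "fixing" a serial by lowering it: a lower number is not newer to the secondaries, so they would silently keep the old zone, and the two-step increment is what actually gets them to the intended value.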
Common DNS record types
The following table explains the common resource record (rdata) types found in DNS:
| Name | Short form | Explanation |
|---|---|---|
| Name pointer | PTR | Most often used to associate an IPv4 address with its domain name |
| Mail Exchange | MX | Indicates that this host is capable of receiving email. MX hosts are prioritized by a preference number; the lowest number has priority. |
| Name Server | NS | Identifies who is authoritative for a domain, that is, which servers "know" about the domain and therefore do not have to ask another server. |
| Start of authority | SOA | Marks the start of the zone information. |
| Text String | TXT | Arbitrary data; each string has a length limit of 256 characters |
| Comment | ; | All characters from the semicolon to the end of the line are ignored |
For more information on DNS and DNS resource records, see RFC 1035.
Sample zone file
```
$TTL 86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN example.com.
@  1D  IN  SOA  ns1.example.com. hostmaster.example.com. (
               2002022401 ; serial
               3H         ; refresh
               15         ; retry
               1w         ; expire
               3h         ; minimum
               )
       IN  NS     ns1.example.com.    ; in the domain
       IN  NS     ns2.smokeyjoe.com.  ; external to domain
       IN  MX  10 mail.another.com.   ; external mail provider
; server host definitions
ns1    IN  A      192.168.0.1         ; name server definition
www    IN  A      192.168.0.2         ; web server definition
ftp    IN  CNAME  www.example.com.    ; ftp server definition
; non server domain hosts
bill   IN  A      192.168.0.3
fred   IN  A      192.168.0.4
```
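A parser for exactly the syntax the sample uses follows as an added example (not code from the original article and not any DNS server's own parser). It handles the $TTL and $ORIGIN directives, the @ shorthand, records whose owner name is omitted, the ( ... ) continuation of the SOA, ; comments and TTL units such as 1D or 1w, and it embeds a copy of the sample zone so it runs on its own; $INCLUDE, $GENERATE and record types beyond those in the sample are not handled.

```python
# Added example (not from the original article): a minimal parser for the
# zone-file syntax used in the sample above. It does not handle $INCLUDE,
# $GENERATE or every record type.
import re

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+)([smhdw])?$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"NS", "CNAME", "PTR"}          # types whose rdata is a single domain name


def parse_ttl(token):
    """'86400', '1D', '3h', '1w' -> seconds (a bare number is already seconds)."""
    m = TTL_RE.match(token)
    if not m:
        raise ValueError(f"not a TTL: {token!r}")
    return int(m.group(1)) * TTL_UNITS[(m.group(2) or "s").lower()]


def strip_comment(line):
    """Drop ';' to end of line, except a ';' inside double quotes (as in TXT data)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def qualify(name, origin):
    """Apply $ORIGIN: '@' is the origin itself; a name without a trailing dot is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    origin, default_ttl, owner = ".", None, None
    records, depth, pending = [], 0, None    # pending = [line_had_owner, tokens]
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        if pending is None:                  # first physical line of a record
            pending = [not raw[0].isspace(), []]
        for tok in line.replace("(", " ( ").replace(")", " ) ").split():
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                pending[1].append(tok)
        if depth > 0:
            continue                         # still inside ( ... ), keep collecting
        has_owner, toks = pending
        pending = None
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if has_owner:                        # a line starting with blanks reuses the previous owner
            owner = qualify(toks.pop(0), origin)
        ttl, rclass = default_ttl, "IN"
        while toks[0].upper() in CLASSES or TTL_RE.match(toks[0]):
            tok = toks.pop(0)                # TTL and class are optional, in either order
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":                   # mname rname serial refresh retry expire minimum
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + [parse_ttl(v) for v in rdata[2:7]]
        elif rtype in NAME_RDATA:
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":                  # preference number, then the mail host
            rdata = [int(rdata[0]), qualify(rdata[1], origin)]
        records.append({"name": owner, "ttl": ttl, "class": rclass, "type": rtype, "rdata": rdata})
    return records


# The article's sample zone, reproduced here so the block runs on its own.
SAMPLE_ZONE = """\
$TTL 86400 ; 24 hours
$ORIGIN example.com.
@ 1D IN SOA ns1.example.com. hostmaster.example.com. (
        2002022401 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
    IN NS ns1.example.com.
    IN NS ns2.smokeyjoe.com.
    IN MX 10 mail.another.com.
ns1 IN A 192.168.0.1 ; name server definition
www IN A 192.168.0.2
ftp IN CNAME www.example.com.
bill IN A 192.168.0.3
fred IN A 192.168.0.4
"""
```

Running `parse_zone(SAMPLE_ZONE)` yields nine records with every name fully qualified and every TTL and SOA timer in seconds, which is the form in which a review script can check a zone before it is loaded (for example that the serial really increased, or that every CNAME target exists).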
Originally published May, 2007
Contact us regarding your network,
security and Internet services needs
ESUBNET ENTERPRISES INC. TORONTO CANADA