IP Expo 2009 - DNS Best Practice

Posted: 27-Jun-2015 (uploaded by ipexpo-online)

Description: With the increasing reliance on IP-based technologies, DNS (Domain Name Services) is a technology that is often overlooked, yet forms a critical part of the network infrastructure. This session aims to highlight the importance of DNS and discusses best practices for deploying a resilient DNS infrastructure.
Page 1: DNS Best Practices

© 2009 tuscany networks Ltd slide 1

DNS Best Practices

presented by

Paul Roberts, Technical Services Manager
tuscany networks Ltd
[email protected]

Page 2: Who are we?

• The UK's leading IP Address Management and DNS specialists
  o Domain Name Service (DNS)
  o Dynamic Host Configuration Protocol (DHCP)
  o IP Address Management (IPAM)
  o Switch Port Tracking
• 12 years' experience in the DNS/IPAM market
• Over 100 large corporate customers including many global deployments
  o Finance, telcos, retail, manufacturing, service providers, transport, government

Page 3: What is DNS?

• Pretty much everything that connects to the network uses an IP address
• Humans are not very good at remembering numbers, so we give everything a name
  o A bigger problem with IPv6
• DNS, at its most basic, provides the translation from name to number (IP addresses)
  o It's basically a telephone directory for networks

Page 4: What is DNS?

• Imagine TV adverts that used IP addresses instead of names...
  o 155.136.71.10 = (brand logo shown on slide)
  o 161.113.4.8 = (brand logo shown on slide)
  o 62.128.133.234 = (brand logo shown on slide)

Page 5: What is DNS?

• DNS = Domain Name System
• Specific servers run the DNS service
• These are known as DNS servers or name servers
• Multiple servers can be deployed to provide resilience
• Clients query these servers in order to resolve names and addresses
  o e.g. your PC typically talks to DNS when you browse a web page or access an internal system/service

[Diagram: a client asks the DNS Server "What is the IP address of news.bbc.co.uk?" and the DNS Server replies "news.bbc.co.uk = 212.58.226.140"]

Page 6: Why should I care?

[Diagram: DNS at the centre, with Email & web, SAP/ERP/CRM, Active Directory and File & Print all depending on it]

Page 7: DNS is often neglected

• Traditionally DNS has been an "under the covers" type of service
• It just sits there working
• Everything else has grown up around it
  o £1,000's spent on SAN/NAS storage solutions
  o £1,000's spent on the network
  o £1,000's spent on Microsoft servers and AD
• DNS is often neglected... UNTIL IT GOES WRONG!!!
  o Then you notice!
• Other network services form a suite of "Core Network Services"
• ...which also generally suffer from under-investment

Page 8: Core Network Services – Where do they fit?

[Layered diagram]
Applications: MSFT AD, CRM, Web, E-Commerce, IP Tel, ERP, Messaging
Core Network Services: NAMING (DNS), ADDRESSING (DHCP), AUTHENTICATION (RADIUS), TIME (NTP), FILE DELIVERY (TFTP / FTP / HTTP), IP ADDRESS MGMNT (IPAM)
Network Infrastructure: Routing, WAN Optimization, IDS, Switching, Wireless, Firewalls

Page 9: Not so long ago...

• A few years ago I visited a bank whose main DNS server was a single desktop PC under someone's desk
• They hadn't meant it to be this way; they were using WINS, but one day a service got implemented that required DNS
• Over time, more and more services were implemented that relied on that single server
• Another large financial institution was running their entire DNS on a desktop PC running Linux
• Only one person knew anything about it

Page 10: But AD gives me DNS!

• With the advent of Active Directory and its dependency on DNS, many people are now running Microsoft DNS
• The AD guys end up running DNS
  o Are they suitably trained?
    – A DNS failure can bring down AD (and vice versa)
• What happens to your non-Microsoft systems?
  o i.e. all your Unix servers in the data centre?
• Microsoft have previously stated that approx. 70% of all AD/Exchange support calls were DNS related*

* http://redmondmag.com/articles/2004/05/01/10-dns-errors-that-will-kill-your-network.aspx

Page 11: Considerations

• If AD is already established, consider rationalising the number of DNS servers in use
  o This will reduce errors and make problem solving easier
  o Make sure your AD guys are trained
• Consider migrating DNS to a dedicated platform
• Separate your internal and external DNS functions
• Implement redundant or highly-available servers

Page 12: How do I deploy it?

• Have two infrastructures:
• External DNS infrastructure
  o Hosts your external Internet-facing domains
  o Handles inbound queries from the Internet and outbound queries from within your network
  o Should reside within a DMZ
• Internal DNS infrastructure
  o Provides a DNS service for your internal systems
  o Does NOT communicate directly with the Internet
    – Goes via caching servers in your external DNS infrastructure
• Weigh up the pros and cons of servers vs appliances
• Try to deploy the same solution for both infrastructures
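As an added illustration of the external infrastructure described on this slide (example configuration written for this page, not taken from the presentation or from tuscany networks), here are BIND 9 named.conf fragments for the two DMZ roles: an authoritative server that answers inbound Internet queries for the public zone, and a caching server that resolves outbound queries on behalf of the internal DNS servers only. The zone name example.com, the DMZ addresses 203.0.113.x and the internal range 10.0.0.0/8 are assumed documentation-range values.

```conf
## /etc/named.conf on the external authoritative server (DMZ, 203.0.113.10)
## Constructed example. Answers queries for the public zone; never recurses.
options {
    directory "/var/named";
    listen-on { 203.0.113.10; };
    recursion no;                      # authoritative only: a recursive server
                                       # reachable from the Internet is an
                                       # amplification risk, not a feature
    allow-query { any; };              # the public zone is meant to be public
    allow-transfer { none; };          # global default; each zone opens what it needs
    version "not disclosed";           # do not advertise the BIND version
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 203.0.113.11; };  # the second DMZ authoritative server only
    also-notify { 203.0.113.11; };
};

## /etc/named.conf on the external caching server (DMZ, 203.0.113.20)
## Constructed example. Resolves Internet names on behalf of the internal
## DNS servers, so nothing inside the network queries the Internet directly.
options {
    directory "/var/named";
    listen-on { 203.0.113.20; };
    recursion yes;
    allow-query { 10.0.0.0/8; };       # internal address space (assumed)
    allow-recursion { 10.0.0.0/8; };   # not an open resolver
    allow-transfer { none; };          # holds no zones, nothing to transfer
};
```

With this split the firewall only has to permit port 53 inbound from the Internet to the authoritative pair, and from the internal servers to the caching pair. The line to check on the caching server is `allow-recursion`: a DMZ resolver that recurses for any source is the classic open-resolver misconfiguration, and the internal side's `forwarders` statement should point at 203.0.113.20 rather than at any Internet resolver.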

Page 13: External DNS Infrastructure – Example

[Diagram of the external infrastructure; labels on the slide: Zone transfers, Inbound queries, Outbound queries, Caching server (two of each)]

Page 14: Internal DNS Infrastructure

• Implement a hierarchical DNS infrastructure
• Use your primary servers to handle zone transfers and dynamic updates
• Use your secondary servers to handle client queries
• Use stealth secondaries or caching-only servers for small sites
  o Stealth secondaries are not advertised so will not normally be queried by other remote sites
• Use forwarders to resolve Internet queries
• Deploy an internal root domain (.) if you have a complex DNS structure
  o Use a proxy server to resolve Internet queries
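The hierarchy on this slide, as an added BIND 9 example written for this page (not the presenter's configuration): a hidden primary that takes dynamic updates and feeds the secondaries, an advertised secondary that answers client queries and forwards Internet names to the DMZ caching server, and a stealth secondary at a small site. The zone corp.example, the addresses 10.0.0.5 (primary), 10.0.0.6 and 10.0.0.7 (advertised secondaries), 10.10.0.5 (stealth secondary), 203.0.113.20 (DMZ caching server) and the TSIG key name ddns-key are all assumptions.

```conf
## /etc/named.conf on the internal primary (10.0.0.5). Constructed example.
## Holds the master copy, accepts dynamic updates and feeds the secondaries.
## It is "hidden": only the secondaries appear in the zone's NS records, so
## clients never query it and it can be maintained without client impact.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<paste the output of tsig-keygen here>";   # placeholder, not a real key
};

options {
    directory "/var/named";
    listen-on { 10.0.0.5; };
    recursion no;                                      # serves secondaries, not clients
    allow-query { 10.0.0.6; 10.0.0.7; 10.10.0.5; };
    allow-transfer { none; };                          # per-zone lists open what is needed
};

zone "corp.example" {
    type master;
    file "db.corp.example";
    allow-update { key "ddns-key"; };                  # dynamic updates land here only
    allow-transfer { 10.0.0.6; 10.0.0.7; 10.10.0.5; };
    also-notify { 10.0.0.6; 10.0.0.7; 10.10.0.5; };
};

## /etc/named.conf on an advertised internal secondary (10.0.0.6; 10.0.0.7 is
## the same apart from listen-on). Constructed example. Answers client queries
## for corp.example from its own copy of the zone and forwards everything else
## to the caching server in the external infrastructure.
options {
    directory "/var/named";
    listen-on { 10.0.0.6; };
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    forwarders { 203.0.113.20; };                      # DMZ caching server (assumed)
    forward only;                                      # never fall back to querying the Internet
};

zone "corp.example" {
    type slave;
    file "sec/db.corp.example";
    masters { 10.0.0.5; };
    allow-transfer { none; };
};

## /etc/named.conf on a stealth secondary at a small site (10.10.0.5).
## Constructed example. Same zone, but this server is not listed in the NS
## records, so remote sites never send it queries; it serves the local site
## and goes up the hierarchy for everything it is not authoritative for.
options {
    directory "/var/named";
    listen-on { 10.10.0.5; };
    recursion yes;
    allow-query { 10.10.0.0/16; };                     # local site only (assumed range)
    allow-recursion { 10.10.0.0/16; };
    forwarders { 10.0.0.6; 10.0.0.7; };                # the advertised secondaries, not the DMZ
    forward only;
};

zone "corp.example" {
    type slave;
    file "sec/db.corp.example";
    masters { 10.0.0.5; };
    notify no;                                         # a stealth copy notifies nobody
    allow-transfer { none; };
};
```

The stealth secondary keeps the small site resolving corp.example during a WAN outage, which is the case the slide has in mind. If the structure is complex enough to justify an internal root, the secondaries carry `zone "." { type slave; ... }` from the internal root servers and the `forwarders` lines are dropped, because a server that holds "." answers authoritatively for every name and cannot also forward Internet queries; Internet access is then provided through a web proxy, as the last bullet says.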

Page 15: Internal DNS Infrastructure – Example

[Diagram of the internal infrastructure; labels on the slide: Internal root server (two), Forwarded queries, Iterative queries, To caching servers]

Page 16: What is wrong with servers?

• Using traditional servers presents several problems:
• Hardware and OS managed by different teams
  o DNS is probably managed by someone else
    – Internal support issues
• Regular OS patches are required to secure it
  o Patch Tuesday on Windows requires a reboot, causing DNS server outages
• Other applications could be running that may affect the DNS service
  o Multiple open ports compromise security and stability

Page 17: Appliance Evolution

• Routers
  o Replaced mini-computers running routing daemons
• NAS Filers
  o Replaced Windows/Novell file servers
• Firewall appliances
  o Replaced Unix boxes running firewall software
• DNS/DHCP appliances
  o Replace Unix/Windows servers running BIND or MS-DNS

Page 18: Appliance advantages

• Dedicated hardware
• Total ownership
  o You will not get people "piggybacking" apps on it
• More secure
  o No unnecessary open ports
  o Hardened OS
  o No local user accounts
  o No access to local OS
• Easier to patch/upgrade
• Additional features, such as high-availability and anycast

Page 19: "anycast" on the Internet

As of 7th September 2009, there were 191 root servers (http://www.root-servers.org/)

Page 20: Best Practices – Take a holistic approach #1

• Who "owns" the DNS service?
• Typically DNS service ownership falls between the cracks
• Nominate a team that is responsible for the DNS and can support and co-ordinate DNS requirements from different projects
• Use dedicated servers or appliances to reduce outages due to maintenance
• Place DNS servers in your data centres or at the core of your network so everyone knows which servers to use

Page 21: Best Practices – Take a holistic approach #2

• Ensure all your WAN links are resilient
• If you have locations where this is not possible, you may need to consider installing a local DNS server
• Ensure the server/appliance hardware you install is resilient
  o RAID 1 disk mirroring or solid state storage
  o Dual PSUs (connected to different power feeds)
  o UPS

Page 22: Best Practices – Take a holistic approach #3

• Ensure the server has out-of-band management capabilities to assist with upgrades and troubleshooting (RILO, DRAC, serial port etc.)
• Monitor your DNS servers!

Page 23: DNS Security Extensions (DNSSEC)

• Most, if not all, secure web sites today rely on unsecured DNS
• You may be using "https", but how can you trust that DNS is taking you to the right place?
• The DNS traffic itself is unauthenticated
  o Someone could have tampered with it!
• DNSSEC solves this and is available today
  o .SE, .ORG & .GOV are already signed
  o .COM will be done by 2011*
  o Out-of-the-box support in Windows 2008 R2 and Windows 7

* http://www.networkworld.com/news/2009/022409-verisign-dns-security.html
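As an added example of what "available today" looks like on the BIND side (written for this page, not part of the presentation; BIND 9.16 or later is assumed, as is the example.com zone and the 203.0.113.x DMZ addresses), two named.conf fragments: one turns on validation on the resolving servers, so a tampered answer for a signed zone is rejected instead of being handed to the client, and the other signs the public zone on the external primary.

```conf
## /etc/named.conf additions on every resolving server (the internal
## secondaries and the DMZ caching servers). Constructed example.
options {
    dnssec-validation auto;     # validate answers against the built-in root
                                # trust anchor; a forged or altered answer for
                                # a signed zone fails validation and the client
                                # receives SERVFAIL rather than the bad data
};

## /etc/named.conf on the external primary: sign the public zone with BIND's
## built-in key policy. Constructed example; this replaces the plain zone
## statement for example.com.
zone "example.com" {
    type master;
    file "db.example.com";
    dnssec-policy default;      # BIND generates, uses and rolls the keys itself
    inline-signing yes;         # the unsigned file stays the editable source;
                                # BIND maintains the signed copy alongside it
    allow-transfer { 203.0.113.11; };
    also-notify { 203.0.113.11; };
};
```

Two checks after reloading: `dig @203.0.113.10 example.com DNSKEY` should now return the zone's keys, and a query through a validating resolver, `dig @10.0.0.6 example.com A +dnssec`, should carry the `ad` (authenticated data) flag in its header. Validation only becomes meaningful once the DS record derived from the zone's key-signing key is published at the parent through the registrar; until then validators treat the zone as unsigned rather than as bogus. Signatures also carry validity windows, which is one more reason the NTP service from the "Core Network Services" slide matters to the DNS servers.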

Page 24: Thank you

• Visit our DNS Surgery on stand 329
  o Discover more about DNS
  o Discuss issues you may have
  o Find out more about the solutions we can offer
• Each visitor can claim a free beer token, to be redeemed at the bar

[email protected]

