
Transition Network (TN) guidance for DNS local forwarding & server configuration

Copyright ©2017 Health and Social Care Information Centre. Page 1 of 17

The Health and Social Care Information Centre is a non-departmental body created by statute, also known as NHS Digital.

Transition Network (TN) guidance for DNS local forwarding & server configuration v 1.0 02/10/2017

Glossary of Terms

Term / Abbreviation: What it stands for

BT: British Telecommunications plc

BIND: Berkeley Internet Name Domain

DNS: Domain Name System

N3: NHS National Network service

TN (TN-SP): Transition Network (Service Provider)


Contents

1. Introduction

1.1 Purpose of document

1.2 Background

1.3 Disclaimer

2. TN network DNS

3. DNS server forwarding behaviour

3.1 Forwarding options

4. Forward first vs forward only

4.1 TN DNS recommendation

4.2 Technical appraisal

5. Microsoft DNS servers basic forwarding configuration

5.1 Microsoft DNS server terminology/options

5.2 Windows 2003

5.3 Windows 2008, SP2 and R2

5.4 Windows Server 2012 (SP2) and 2016 (SP1)

6. Setting Microsoft DNS server forwarding behaviour

6.1 Windows 2003

6.2 Windows 2008 (SP2 and R2)

6.3 Windows DNS server checklist – for forwarding only

7. BIND DNS server forwarding

7.1 BIND 9.x.x forward only

7.2 BIND 9.x.x forward first


1. Introduction

1.1 Purpose of document

This document is primarily intended for NHS ‘end-user’ organisations connected to the Transition Network (TN), where those organisations have opted for local DNS provision in addition to, or as an alternative to, the nhs.uk TN (internal) DNS infrastructure provided by the Transition Network Service Provider (TN-SP).

However it may also be of interest to:

Other NHS bodies concerned with IT deployment and infrastructure

Applications providers whose applications are provided to NHS end-users via the TN.

1.2 Background

The N3 network became the TN on 1 April 2017. Current N3 customers will notice no interruption of network service and many of the existing foundation services will continue as part of the agreement. The current DNS service is one of the key foundation services that will continue to be managed by the TN-SP, BT.

This guidance document is divided into two functional parts:

General guidance

DNS server configuration and behaviour

1.3 Disclaimer

The information and recommendations within this document are based on the TN-SP’s view of good technical practice and are provided in good faith. However, the TN-SP is not responsible for the implementation of local DNS provision within NHS organisations or the consequences thereof.

It is recommended that technicians regularly check for updated information via their relevant software suppliers.


2. TN DNS

The NHS TN uses a set of core services provided by BT, the TN-SP. One of those services is the (nhs.uk) Internal DNS. TN-SP DNS servers provide central name resolution services to any client on the TN. These servers will take one of five actions, in the following sequence:

1. Respond authoritatively

2. Respond from cached entries (previously queried and “remembered” data)

3. For specific DNS domains, FORWARD explicitly to partner DNS servers

4. Delegate to other DNS servers (for specific DNS domains or ‘zones’)

5. Iteratively resolve from the internet

The internal TN-SP servers can be queried directly by end clients (resolvers), or by other DNS servers local to, and used by, a group of end-user clients.

The internal DNS implementation is summarised in the diagram below.

Figure 1 – Shows TN-SP internal (TN) DNS provision


To utilise the internal DNS infrastructure, clients and servers must be explicitly configured. Workstations, laptops, and other hosts need only to point to DNS servers that will provide them with name resolution. Workstation configuration varies with hardware and operating system implementation and is beyond the scope of this document.

For the internal DNS infrastructure to be used directly by clients (resolvers), their DNS configurations need only to point to the TN network IP addresses of load-balanced DNS caching server infrastructure - cns0 and cns1. These ‘well-known’ IP addresses are:

194.72.7.137 (cns0.nhs.uk)

194.72.7.142 (cns1.nhs.uk)

Any locally-provided DNS servers (typically for local clients on LANs connected to the TN network) need to be configured to use a function called forwarding, to query the TN internal DNS infrastructure. This is a method used by DNS servers to specifically direct some or all their queries to other DNS server(s), which will attempt to resolve the DNS question on behalf of the DNS server doing the forwarding. In other words, it makes the locally-provided ‘source’ DNS server look exactly like a DNS client to cns0 and cns1. This could be likened to a proxy - where the server(s) being forwarded to will perform all the work on behalf of the source DNS server. While this term is not used in DNS nomenclature, it hopefully illustrates the function.

When a DNS server is forwarding to another server, the query is always of a single type or variant, called a recursive query. In everyday language a recursive query is a request to a DNS server as follows: “here is a question; don’t come back until you have an answer.” This is the same type of query that resolvers (clients) almost universally perform.

The other type of query is called iterative. It is most commonly seen and used between DNS servers, especially on the Internet. Here one DNS server asks another, “here is a question; what is the best answer you can give me?”. This leads to a DNS server itself ‘learning’ the answer, by following a path learned from other DNS servers through a process called referrals. The TN DNS Service is designed to be recursive only to the namespace it is authoritative to, namely nhs.uk. With few exceptions, all other resolutions are performed iteratively i.e. best endeavour.

DNS forwarding always uses recursive queries. It is important to know this, since the way that Microsoft sometimes presents its DNS server configuration may confuse administrators, due to unclear wording of some of the options. This is covered in sections 5 and 6 of this document.


3. DNS server forwarding behaviour

3.1 Forwarding options

When forwarding is used on a DNS server there are two different behaviours that can be configured:

3.1.1 Forward first

If a ‘local’ DNS server receives one of the following responses from an upstream server it is forwarding to:

Timeout;

Non-Existent Domain, NXDOMAIN = an answer does not exist, but a server authoritative for the domain exists and is correctly responding;

Server Failure, SERVFAIL = the server believed to be authoritative for a domain either does not respond or indicates it is not authoritative for the domain;

the server will then further attempt to resolve the name itself using iterative name resolution, starting at the root name servers as configured/defined (e.g. for Microsoft DNS servers, as configured in the “Root Hints” tab of Properties) and then following referrals to obtain an answer.

3.1.2 Forward only

The DNS server will only ever follow the forwarding path. Only answers from the servers this DNS server is forwarding to will be processed. The forwarding DNS server will not attempt to use iterative name resolution (as described above) to try to get an answer if a Timeout, NXDOMAIN, or SERVFAIL is received from the server being forwarded to.

It is important to understand that whatever IP address(es) the DNS server is configured to forward to, that operation is always performed first. If an answer is received back from a server that has been forwarded to, that answer will be sent back to the client or source initiating the query and no further process will take place.
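The two behaviours in section 3.1 are easy to confuse in words, so the following added example (written for this page, not part of the TN-SP guidance) models the decision in PowerShell. The forwarder replies and the iterative lookup are scripted stand-ins (constructed values, no network traffic), and the rule that a Timeout, NXDOMAIN or SERVFAIL moves on to the next forwarder before any fallback is a modelling assumption taken from the text above; the hostname and the 10.20.30.40 address are constructed.

```powershell
# Added example; not from the TN-SP guidance. Models the forward first /
# forward only decision described in section 3.1 with scripted forwarder
# replies and a scripted stand-in for iterative resolution, so it runs offline.
function Invoke-ForwardingModel {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('ForwardFirst', 'ForwardOnly')] [string] $Mode,
        # Forwarders are tried once each, in order (the guidance notes Windows 2003 has no retry logic).
        [string[]] $Forwarders = @('194.72.7.137', '194.72.7.142'),
        # Constructed replies keyed by forwarder IP: 'ANSWER:<ip>', 'TIMEOUT', 'NXDOMAIN' or 'SERVFAIL'.
        [Parameter(Mandatory)] [hashtable] $ForwarderReply,
        # Stand-in for an iterative lookup from root hints; the default returns NXDOMAIN.
        [scriptblock] $Iterative = { param($n) 'NXDOMAIN' }
    )

    $trace = New-Object System.Collections.Generic.List[string]
    $reply = 'TIMEOUT'   # what an empty forwarder list amounts to
    foreach ($fwd in $Forwarders) {
        $reply = if ($ForwarderReply.ContainsKey($fwd)) { $ForwarderReply[$fwd] } else { 'TIMEOUT' }
        $trace.Add("forward to $fwd -> $reply")
        if ($reply -like 'ANSWER:*') {
            # Section 3.1: an answer from a forwarder goes straight back to the client.
            return [pscustomobject]@{ Name = $Name; Mode = $Mode; Result = $reply; Source = "forwarder $fwd"; Trace = $trace }
        }
        # Modelling assumption: Timeout, NXDOMAIN and SERVFAIL all move on to the next forwarder.
    }

    if ($Mode -eq 'ForwardOnly') {
        # Forward only: no iterative fallback; the last forwarder's reply is what the client gets.
        return [pscustomobject]@{ Name = $Name; Mode = $Mode; Result = $reply; Source = 'forwarders only'; Trace = $trace }
    }

    # Forward first: Timeout / NXDOMAIN / SERVFAIL trigger iterative resolution from root hints.
    $iter = & $Iterative $Name
    $trace.Add("iterative from root hints -> $iter")
    return [pscustomobject]@{ Name = $Name; Mode = $Mode; Result = $iter; Source = 'iterative (root hints)'; Trace = $trace }
}

# Scenario from section 4.2.1: both forwarders fail. Forward first masks this with a
# NXDOMAIN from the internet path; forward only surfaces the forwarder failure.
$failing = @{ '194.72.7.137' = 'SERVFAIL'; '194.72.7.142' = 'TIMEOUT' }
Invoke-ForwardingModel -Name 'app.example.nhs.uk' -Mode ForwardFirst -ForwarderReply $failing | Format-List
Invoke-ForwardingModel -Name 'app.example.nhs.uk' -Mode ForwardOnly  -ForwarderReply $failing | Format-List

# Healthy case: cns0 answers, so the mode makes no difference (constructed address).
$healthy = @{ '194.72.7.137' = 'ANSWER:10.20.30.40' }
Invoke-ForwardingModel -Name 'app.example.nhs.uk' -Mode ForwardOnly -ForwarderReply $healthy | Format-List
```

The Trace field shows the order of attempts, which is the point the text makes: whatever the mode, the forwarders are always consulted first, and the mode only decides what happens when none of them answers.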


4. Forward first vs forward only

The NHS and TN-SP have not established clear requirements or directives on which forwarding behaviour should be used; however, the following states the TN-SP’s recommendation:

4.1 TN DNS recommendation

Full name resolution, both internal and to the internet, is fully supported by the TN internal DNS infrastructure. Therefore forward first is not necessary. In all cases, the DNS caching servers will respond not only with internal nhs.uk DNS names, but also names from the internet (external DNS).

The goal of the infrastructure is to provide that common point where any DNS server on the NHS network can resolve any and all DNS queries. Therefore there is no need to implement forward first on any TN-based DNS server.

4.2 Technical appraisal

In some cases, forward only may be the only viable option. Where firewalls or other access controls prevent a DNS server from contacting and communicating with any server other than those it is configured to forward to, the choice is simple: it should be forward only (since requests to contact the root name servers directly would time out).

Even if there is open access to root name servers (which also requires open access to contact any DNS server that delegation and referrals may lead to, using iterative name resolution), policy or mandate by a group or location may still dictate forward only.

Notwithstanding the TN-SP’s recommendation for the TN network, there is no 100% right or wrong answer. Each approach has benefits and disadvantages.

Sections 4.2.1 and 4.2.2 are technical option appraisals provided for further information, assuming a server can be configured and operate properly with either setting.

4.2.1 Forward first

This gives the most control to the server itself. It allows the server to resolve names from the internet (or from root name servers as defined in root hints) without having to rely on or know that the servers being forwarded to have that access. The servers that are being forwarded to would only be needed to provide answers to:

queries that are not for domains the forwarding DNS server is authoritative for;

specific domains that are not available on the internet;

queries for domains that are available both on the internet and internally, but where the specific query cannot be answered from internet-based DNS servers.


The server itself can then query the internet (or alternatively the network encompassed by the root name server defined in ‘root hints’; often referred to as an “Internal Root”).

Another advantage of a forward first configuration is that the server doing the forwarding, if it does go to the Internet, will cache not only the answers that come back, but also any information obtained along the way (through iteration and referrals). This allows the server to build up its cache on its own, which could reduce the amount of traffic generated by this server, especially if the total number of entries queried for is small and repeatedly asked for.

Be aware that when forwarding is done, should the server being forwarded to have access to the internet, it will respond with answers to internet-bound queries. This is because forwarding is always done first. This may create some difficulties in troubleshooting, since those diagnosing must first determine where a response came from: via a forwarded request, or from an iterative query.

Forward first can also mask the symptoms of a problem. For example, if a timeout or SERVFAIL is returned from a forwarded-to server and is followed by an iterative query to the internet, that latter query may return either an NXDOMAIN or an undesirable answer from an internet-facing DNS server. This may lead to false conclusions about what the actual problem is.
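The troubleshooting difficulty described above (working out whether a response came via the forwarders or from the server's own iterative lookup) is easier with a side-by-side check. The following added example is not from the guidance: it asks the local forwarding server and each TN forwarder directly for the same name with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and reports whether the answers agree. The function name, the Consistent field and the 10.0.0.53 local-server address are assumptions for illustration.

```powershell
# Added example, not from the TN-SP guidance: compare the local DNS server's
# answer with each TN forwarder's answer, to help place the source of a response
# during the kind of troubleshooting section 4.2.1 describes.
function Compare-DnsAnswerSource {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $LocalServer,                      # the forwarding DNS server under test
        [string[]] $Forwarders = @('194.72.7.137', '194.72.7.142')        # cns0, cns1 (from the guidance)
    )

    function Get-ARecords([string] $Server) {
        try {
            # -DnsOnly / -NoHostsFile keep the local cache and hosts file out of the comparison.
            $r = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
            @($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IP4Address } | Sort-Object)
        } catch {
            # Timeout, NXDOMAIN and SERVFAIL all surface here as a terminating error.
            @("ERROR: $($_.Exception.Message)")
        }
    }

    $local = Get-ARecords $LocalServer
    foreach ($fwd in $Forwarders) {
        $remote = Get-ARecords $fwd
        [pscustomobject]@{
            Name            = $Name
            LocalServer     = $LocalServer
            Forwarder       = $fwd
            LocalAnswer     = ($local -join ', ')
            ForwarderAnswer = ($remote -join ', ')
            # Agreement is consistent with the forwarded path; disagreement suggests the local
            # server answered from its own cache or from an iterative lookup (forward first).
            Consistent      = (($local -join ',') -eq ($remote -join ','))
        }
    }
}

# Usage (constructed local server address):
Compare-DnsAnswerSource -Name 'app.example.nhs.uk' -LocalServer '10.0.0.53' | Format-Table -AutoSize
```

Agreement is only evidence, not proof, since a server that resolved iteratively can legitimately arrive at the same records; a mismatch, or an error from the forwarders while the local server still answers, is the signature of the masking effect the text describes.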

4.2.2 Forward only

Forward only is an excellent way to enforce a clear resolution path. It also allows for better control of responses. For example, if a name typically used on the internet is not one that should be resolved, it can be blacklisted or blackholed by returning a bogus IP address. This has been very common, especially when public instant messaging (IM) services should not be used on a particular network (the IM server IP addresses are replaced by bogus ones on internal DNS servers).

By having a single resolution path, troubleshooting is made easier. When a query is made, only one path (to the forwarded to server(s) IP address(es)) needs to be checked.

Since forwarding uses recursive queries, it will only get back an answer to the specific question asked. This does not allow the DNS server doing the forwarding to build up more information in cache.

However, by forwarding to a common point, it could take advantage of the sum total of all the queries that many other clients and servers have made. Iterative queries often require multiple packets be sent to get an answer. By concentrating the iterative queries to a common, central point, the overall number of DNS packets that might be generated from a larger number of DNS servers is reduced.


5. Microsoft DNS servers basic forwarding configuration

As stated previously DNS forwarding always uses recursive queries. It is important to know this, since the way that Microsoft sometimes presents its configuration may confuse administrators, due to unclear wording of some of the options.

Microsoft DNS is usually configured on servers using the DNS Microsoft Management Console (MMC) - a Windows graphical application that provides access to the Microsoft DNS server settings. The appearance of the forwarding options is different between different versions of Windows server environments. In this document the forwarding configuration of three different DNS MMCs will be described:

Windows 2003 (SP2)

Windows 2008 (SP2) and Windows 2008 (R2)

Windows Server 2012 (SP2) and 2016 (SP1)

The appearance and operation of the DNS MMC is the same regardless of:

whether Windows Server is running in 32-bit or 64-bit mode

the Windows Server variants (Standard, Enterprise, etc.).

5.1 Microsoft DNS server terminology/options

Microsoft’s DNS does not use the terms forward first or forward only explicitly; rather there are options in the DNS MMC that effectively select which configuration is in use. The options are described and set differently in Windows 2003 and Windows 2008 (SP2 and R2). In both Windows 2003 and 2008, though, the default is forward first.

Below are basic forwarding configurations for Microsoft DNS Servers – Windows 2003 and Windows 2008 variants.

Section 6 describes how to set forwarding behaviour for Microsoft DNS servers (to forward first or forward only).


5.2 Windows 2003

Once the Windows 2003 DNS MMC is launched from Start > Programs > Administrative Tools > DNS, the server Properties should be selected:

On the server Properties page, select the Forwarders tab:


In the DNS domain area, make sure that All other DNS domains is highlighted. Then, in the Selected domain’s forwarder IP address list: enter the cns0 and cns1 IP addresses - 194.72.7.137 and 194.72.7.142. By selecting All other DNS domains, you are implementing “Global Forwarding”.

Note: This tab is also where Microsoft implements “Zone Forwarding”, which they term “Conditional Forwarding”. Further discussion of zone/conditional forwarding is beyond the scope of this document.

The default Number of seconds before forward queries time out: is 5 seconds. This is intolerant of many transient network conditions that may affect DNS requests; since DNS packets are most often User Datagram Protocol (UDP), they are more susceptible to being dropped on an IP network. Additionally, there is no retry logic with forwarding on Windows 2003. That is, the first IP address in the forwarder list is tried and the timeout value waited; then the second IP address in the forwarder list is tried and the timeout value waited. After the two attempts, once only to each server, this DNS server will then respond to the client based on the setting of Do not use recursion for this domain. If that box is checked, the DNS server will go no further and respond to the querying client with the response (or lack of one) received. Do not use recursion for this domain is discussed in more detail later on.

It is suggested that the default value in the Number of seconds before forward queries time out: field be changed to a value of at least 15 seconds. This is more in line with non-Microsoft DNS server timeout values.

5.3 Windows 2008, SP2 and R2

Once the Windows 2008 DNS MMC is launched from Start > Programs > Administrative Tools > DNS, the server Properties should be selected:


Alternatively, the Windows 2008 Server Manager can be used to access DNS configuration.

On the server Properties page, select the Forwarders tab. Unlike Windows 2003, this tab only deals with Global Forwarding. Zone/Conditional Forwarding is defined elsewhere in the DNS MMC.

Select the “Edit…” button.


Enter the IP addresses of cns0 and cns1 (194.72.7.137 and 194.72.7.142) by typing them into the <Click here to add an IP Address or DNS Name> field.

The Number of seconds before forward queries time out: setting has the same function as in Windows 2003. However, the Windows 2008 default is 3 seconds, even less tolerant than Windows 2003.

Again, the suggested value for this is at least 15 seconds, to compensate for transient conditions on the network that may delay the packets from being received.

5.4 Windows Server 2012 (SP2) and 2016 (SP1)

Add-DnsServerForwarder: adds server-level forwarders to a DNS server.

The Add-DnsServerForwarder cmdlet adds one or more forwarders to the forwarders list of a Domain Name System (DNS) server. If you prefer one of the forwarders, put that forwarder first in the series of forwarder IP addresses. After you first use this cmdlet to add forwarders to a DNS server, this cmdlet adds forwarders to the end of the forwarders list.

Syntax:

    Add-DnsServerForwarder [-IPAddress] <IPAddress[]> [-ComputerName <String>] [-PassThru]
        [-CimSession <CimSession[]>] [-ThrottleLimit <Int32>] [-AsJob] [-WhatIf] [-Confirm] [<CommonParameters>]

Example: add the TN forwarders to a DNS server by using an IP address

    PS C:\> Add-DnsServerForwarder -IPAddress 194.72.7.137 -PassThru
    PS C:\> Add-DnsServerForwarder -IPAddress 194.72.7.142 -PassThru

These commands add the IP addresses 194.72.7.137 and 194.72.7.142 to the list of forwarders on the local DNS server.


6. Setting Microsoft DNS server forwarding behaviour

6.1 Windows 2003

On the Forwarders Tab of the server Properties, there is a checkbox next to an option Do not use recursion for this domain.

This is where the terminology used by Microsoft might be confusing:

i. Forward first is implemented by NOT checking the checkbox

ii. Forward only is implemented by checking the checkbox

Do not use recursion for this domain might suggest that forwarding can be done using iterative queries. That is not the case, since forwarding always uses recursive queries. Rather this checkbox controls the forward first or forward only behaviour. The default setting for this box is unchecked; meaning that forward first is the default behaviour.


6.2 Windows 2008 (SP2 and R2)

On the Forwarders tab of the server Properties, there is a checkbox next to an option Use root hints if no forwarders are available.

This option much more clearly describes the forward first behaviour, which is the default (box checked). Windows 2008 did clarify the terminology and setting. However, it may still create some confusion. The option is entitled Use root hints if no forwarders are available. This is not technically accurate, or at least it is incomplete: the servers being forwarded to may certainly be available and responding. It is just that, in addition to a Timeout (server not being available), the response that triggers the fallback may be an NXDOMAIN or SERVFAIL.

Broadly then we can say:

Forward first is implemented by checking the checkbox

Forward only is implemented by NOT checking the checkbox

6.3 Windows DNS server checklist – for forwarding only

To summarise:

1. Add the two forwarder servers – 194.72.7.137 and 194.72.7.142

2. Set Number of seconds before forward queries time out: to 15 seconds.

3. Set forwarding only behaviour:

a. For Windows Server 2003, check the Do not use recursion for this domain checkbox.

b. For Windows Server 2008, uncheck the Use root hints if no forwarders are available checkbox.
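For Windows Server 2012 and 2016, where section 5.4 shows the DnsServer cmdlets, the same three checklist steps can be applied and then verified from PowerShell. The following added example is not part of the guidance; it assumes the DnsServer module (installed with the DNS role or RSAT), that Set-DnsServerForwarder replaces the existing forwarder list with the addresses given (my understanding of the cmdlet, not stated on this page), and that -UseRootHint $false corresponds to the unchecked Use root hints if no forwarders are available box, i.e. forward only. The function names Set-TnForwarding and Test-TnForwarding are assumptions.

```powershell
# Added example, not from the TN-SP guidance: apply and verify the section 6.3
# checklist on Windows Server 2012/2016 with the DnsServer module.
$TnForwarders = @('194.72.7.137', '194.72.7.142')   # cns0, cns1 (from the guidance), cns0 preferred
$TnTimeout    = 15                                   # seconds, per the checklist

function Set-TnForwarding {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Assumption: Set-DnsServerForwarder sets the forwarder list to exactly these addresses,
    # in this order. -UseRootHint $false = forward only; -Timeout is the forward-query timeout.
    Set-DnsServerForwarder -ComputerName $ComputerName -IPAddress $TnForwarders `
        -UseRootHint $false -Timeout $TnTimeout -PassThru
}

function Test-TnForwarding {
    param([string] $ComputerName = $env:COMPUTERNAME)
    $f = Get-DnsServerForwarder -ComputerName $ComputerName
    $current  = @($f.IPAddress | Where-Object { $_ } | ForEach-Object { "$_" })
    $findings = @()

    # Step 1: exactly the two TN forwarders, in the preferred order.
    if (($current -join ',') -ne ($TnForwarders -join ',')) {
        $findings += "forwarders are [$($current -join ', ')], expected [$($TnForwarders -join ', ')]"
    }
    # Step 2: timeout of at least 15 seconds.
    if ($f.Timeout -lt $TnTimeout) {
        $findings += "timeout is $($f.Timeout)s, expected at least ${TnTimeout}s"
    }
    # Step 3: forward only, i.e. no fallback to root hints.
    if ($f.UseRootHint) {
        $findings += 'UseRootHint is enabled (forward first); the checklist requires forward only'
    }

    [pscustomobject]@{
        Computer  = $ComputerName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: apply, then report.
Set-TnForwarding | Out-Null
Test-TnForwarding | Format-List
```

Test-TnForwarding is the part worth keeping around: run it against each local DNS server (via -ComputerName) after changes and periodically, since a forwarder added later with Add-DnsServerForwarder or a re-enabled root-hints fallback would silently reintroduce the forward first behaviour the checklist rules out.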


7. BIND DNS server forwarding

BIND (Berkeley Internet Name Domain) is the most widely used (open-source) DNS server application on the internet and within private networks.

BIND configuration is contained within a text file called named.conf. Configuration of (global) forwarding behaviour for BIND is straightforward, but is included here for completeness and comparison. Below are examples of the named.conf options block for BIND 9.x.x, to set forwarding behaviour for local DNS servers operating within the TN network (the ... lines stand for whatever other options are already present).

7.1 BIND 9.x.x forward only

    options {
        ...
        // send every query to cns0 and cns1, in this order
        forwarders { 194.72.7.137; 194.72.7.142; };
        // never fall back to iterative resolution from root hints
        forward only;
        ...
    };

7.2 BIND 9.x.x forward first

    options {
        ...
        // send every query to cns0 and cns1 first
        forwarders { 194.72.7.137; 194.72.7.142; };
        // on no usable answer from the forwarders, resolve iteratively from root hints (BIND's default)
        forward first;
        ...
    };
