CHAPTER 4 PLANNING A NAME RESOLUTION STRATEGY

Upload: ambrose-palmer

Post on 28-Dec-2015


Page 1: CHAPTER 4 PLANNING A NAME RESOLUTION STRATEGY

Page 2: Determining Name Resolution Requirement

What is name resolution?
◦ The conversion of a name into a 32-bit IP address.
◦ Names do not affect how TCP/IP computers communicate with each other.
◦ When you type a name in a URL, the first thing your computer does is resolve that name into an IP address; only then does it know where to send the message.

Page 3: Determining Name Resolution Requirement

What types of names need to be resolved?
  DNS names
  Network Basic Input/Output System (NetBIOS) names

◦ The names you associate with the Internet and type in URLs are resolved by DNS name servers.
◦ All ISPs have DNS servers, which they make available to their clients.
◦ Windows operating systems prior to Windows 2000 used NetBIOS names to identify computers on the network; you assign the name during operating system installation.

Page 4: Determining Name Resolution Requirement

Using the DNS
◦ At its core, DNS is still a list of names and their IP addresses, and this information is distributed among servers all over the Internet.
◦ When a DNS server gets a request from a resolver, it first checks its own records for the IP address belonging to the name. If it does not have it, it forwards the request to other DNS servers until the request reaches the authoritative server for that name. The authoritative server supplies the IP address back to the requesting server, which relays it back to the resolver.

Page 5: Determining Name Resolution Requirement

◦ A domain is an administrative entity that consists of a group of hosts. When a DNS server is the authoritative source for a domain, it possesses information about the hosts in that domain in the form of resource records.
◦ The full name of a computer in DNS consists of 2 parts, host name and domain name, just like an IP address.

[Figure: Resolver, DNS server and Authoritative DNS server, with a request arrow and a reply arrow between each pair]

Page 6: Determining Name Resolution Requirement

◦ A DNS name consists of 2 or more words separated by periods (.).
◦ The complete name for a particular computer is called its fully qualified domain name (FQDN). Ex: www.adatum.com
◦ Resolving www.adatum.com:
  1. The root name server is checked for com; it returns resource records containing the IP addresses of the authoritative servers for the com domain.
  2. The com top-level domain server is then checked for adatum; it returns the resource records for the adatum.com authoritative servers.
  3. The adatum.com server is then checked for the www host and returns its IP address; now the client can send its request directly to the receiver.
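The root, com and adatum.com walk above, as an added in-memory simulation that is not part of the slides: each "server" is a dictionary of constructed records, names are FQDNs with a trailing dot, and a cache shows why a repeat lookup (slide 7, "DNS server caches information") asks no server at all. All server names and addresses are made up for the example.

```python
# Added example (not from the slides): an in-memory simulation of the
# root -> com -> adatum.com walk described above, plus a cache so that a repeat
# lookup asks no server at all. Zone data, server names and addresses are all
# constructed; adatum.com is simply the slides' example domain.

# Each "server" maps an owner name to a list of (type, rdata) records. An NS
# record delegates a subzone; the matching A record is the glue address.
ROOT = {
    "com.": [("NS", "ns.gtld.example.")],
    "ns.gtld.example.": [("A", "192.0.2.1")],
}
COM = {
    "adatum.com.": [("NS", "ns1.adatum.com.")],
    "ns1.adatum.com.": [("A", "192.0.2.53")],
}
ADATUM = {"www.adatum.com.": [("A", "192.0.2.80")]}
# Which zone data answers at which address (constructed).
SERVERS = {"root": ROOT, "192.0.2.1": COM, "192.0.2.53": ADATUM}

def lookup(zone, name):
    """Answer if this server holds a record for name; otherwise a referral to the
    closest enclosing delegation it knows about; None if it knows nothing."""
    if name in zone:
        return "answer", zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone and zone[parent][0][0] == "NS":
            ns_name = zone[parent][0][1]
            return "referral", zone[ns_name][0][1]  # glue address of that NS
    return None

def resolve(name, cache):
    """Iteratively resolve name starting at the root. Returns (ip, servers_asked);
    ip is None when no server can answer. Successful answers are cached by name."""
    if name in cache:
        return cache[name], []
    asked, server = [], "root"
    while True:
        asked.append(server)
        result = lookup(SERVERS[server], name)
        if result is None:
            return None, asked
        kind, data = result
        if kind == "answer":
            cache[name] = data[0][1]
            return cache[name], asked
        server = data  # follow the referral to the next server down the tree
```

Calling `resolve("www.adatum.com.", cache)` twice with the same cache returns the address both times, but the second call reports an empty list of servers asked.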

Page 7: Determining Name Resolution Requirement

Speeding up the DNS
◦ Top-level domains such as com, org, net, etc. are actually hosted by the root name servers.
◦ DNS servers cache information.

Understanding domain hierarchy levels
◦ Root servers do nothing but respond to millions of requests by sending out the addresses of the authoritative servers in their domain.
◦ Each top-level domain has its own collection of 2nd-level domains. Organizations and individuals may lease these domains for their own use.

Page 8: Determining DNS Requirements

Hosting an Internet Domain
◦ First you must register a second-level domain name and give the IP addresses of your servers to your domain registrar.
◦ The server must have a registered IP address and be visible on the Internet at all times.
◦ You may use your ISP's DNS server, for a fee.

Hosting Internet Servers
◦ To host Internet servers on your network, you must have access to a registered domain on the Internet with authoritative DNS servers.

Page 9: Using NetBIOS Names

◦ Computers running versions of Windows earlier than Windows 2000 use NetBIOS names, which consist of a single name up to 16 characters long.
◦ NetBIOS naming is not hierarchical; hence it is not as scalable as DNS and is suitable only for private networks.
◦ Several name resolution mechanisms are used for NetBIOS names:
  WINS
  Broadcast transmission
  Lmhosts
  NetBIOS name cache

Page 10: Designing a DNS Namespace

Using an existing namespace
◦ When to use an existing name:
  The organization you are designing the network for already has a domain name in use.
  Or it has a computer naming strategy already in place.
◦ What is possible when using an existing name?
  Use the existing domain name, or expand it to include internal subdomains.
  Continue using the existing DNS server, or migrate the DNS services to the new network you are designing.

Page 11: Designing a DNS Namespace

Creating an Internet Domain
◦ Selection of a 2nd-level domain name depends on what is available. If the name you want to use is already taken:
  Choose a different domain name
  Register the name in a different top-level domain
  Attempt to buy the domain name from its current owner
◦ Organizations maintain multiple sites on the Internet for various reasons:
  Involvement in several separate businesses
  Independent divisions with different sites
  Different sites for customers, suppliers, etc.

Page 12: Designing a DNS Namespace

2 basic ways to implement multiple sites on the Internet:
◦ Register a single 2nd-level domain and then create multiple subdomains beneath it.
  For the price of a single domain registration you can create as many third-level domains as you need.
  You can maintain a single brand across all sites.
  Contoso.com = patients.contoso.com, staff.contoso.com, etc.
◦ Register multiple 2nd-level domains.
  Suitable for a company that operates various unrelated businesses.
  Register each domain separately and maintain a separate DNS namespace for each server.

Page 13: Designing a DNS Namespace

Creating internal domains
◦ If the company consists of an HQ and branches, choose a single Active Directory domain, assign a name to that domain, and create branch names under the main domain.
◦ Ex: adatum.com, miami.adatum.com, ny.adatum.com
◦ Rules when selecting internal domain names:
  Keep domain names short
  Avoid an excessive number of domain levels
  Create a naming convention and stick to it
  Avoid obscure abbreviations
  Avoid names that are difficult to spell

Page 14: Designing a DNS Namespace

Rules when designing an internal DNS namespace for a network that connects to the Internet:
◦ Use registered domain names.
◦ Do not use top-level domain names or the names of commonly known products or companies.
◦ Use only characters that are compliant with Internet standards.

◦ The primary reason for creating subdomains beneath the domain is to delegate administrative authority for parts of the namespace.
◦ Subdomains also prevent bottlenecks that could affect name resolution performance.

Page 15: Designing a DNS Namespace

Combining Internal & External Domains
◦ When combining internal and external domains, there are 3 strategies to use:
  a) Use the same domain name internally and externally. This creates havoc in the resolution process because of the duplication.
  b) Create separate and unrelated internal and external domains. You need to maintain 2 different DNS namespaces, which causes confusion.
  c) Make the internal domain a subdomain of the external domain. Register 1 domain and use it externally, then create subdomains under it for internal use.

Page 16: Designing a DNS Namespace

Creating host names
◦ Create hosts the same way you create domains: by using a naming rule and sticking to it.
◦ Rules are based on users, geographical locations, and the functions of the computer.
◦ Guidelines to follow:
  Create easily remembered names
  Use unique names throughout the organization
  Do not use case to distinguish names
  Use only characters supported by all of your DNS servers

Page 17: How Many DNS Servers

Private networks use multiple DNS servers for reasons other than heavy client load:
  Providing redundancy
  Improving performance
  Balancing traffic load
  Reducing WAN traffic
  Delegating authority
  Supporting Active Directory

Page 18: Understanding DNS server types

Caching-only servers
◦ A DNS server that contains no zones and hosts no domain is called a caching-only server.

Using forwarders
◦ A forwarder is a DNS server that receives queries from other DNS servers that are explicitly configured to send them.

Chaining forwarders
◦ A DNS server that is functioning as a forwarder can also forward its queries to another forwarder.

Page 19: Creating Zones

◦ Zone: an administrative entity that you create on a DNS server to represent a discrete portion of the namespace.
◦ A valid zone must consist of contiguous domains.

Understanding zone types
◦ Every zone consists of a zone database that contains the resource records for that zone. The 3 zone types are:
  Primary zone: contains the master copy of the zone's database.
  Secondary zone: contains a backup copy of the primary zone database.
  Stub zone: a copy of the primary zone that contains only the Start of Authority (SOA), Name Server (NS) and Host (A) resource records that identify the authoritative servers for the zone.

Page 20: Determining DNS security threats

Primary security threats in DNS:
◦ Denial-of-service (DoS) attacks: flooding a DNS server with a huge number of queries can force it to 100% usage, and the server will then deny any further queries.
◦ Footprinting: intruders can capture DNS traffic and learn about the domain name, hosts and IP addresses in order to plan their attacks.
◦ IP spoofing: intruders use legitimate IP addresses (learned by footprinting) to send damaging packets, and spoofing enables them to get through.
◦ Redirection: intruders cause the DNS server to forward name resolution request messages to an incorrect server under the intruder's control.

Page 21: Securing DNS

Providing redundant DNS services
◦ When you register domain names, your DNS server must be accessible from the Internet and is therefore vulnerable to attacks.
◦ To overcome this, use multiple DNS servers.

Limiting DNS interfaces
◦ Limit the network interfaces over which the server can receive name resolution requests.
◦ If you are using multiple IP addresses, specify 1 IP address that DNS clients can use to contact the server.

Page 22: Securing DNS

Securing Zone Replication
◦ Deploy all your DNS servers on your domain controllers and store all your zones in Active Directory, which will perform all zone replication.
◦ The domain controllers perform a mutual authentication procedure before they exchange data.

Preventing Cache Corruption
◦ Check the box 'Secure cache against pollution' in the DNS server's Properties dialog box.
◦ This prevents the server from caching unrelated resource records included in reply messages.
◦ The server ignores all records for names in other domains.
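The 'Secure cache against pollution' rule above, written out as an added example that is not part of the slides: a reply from the server for a zone is believed only for names inside that zone (its bailiwick), and any record for another domain is dropped instead of cached. The reply records, names and addresses are constructed; adatum.com and contoso.com are the slides' example domains.

```python
# Added example (not from the slides): the 'Secure cache against pollution'
# behaviour expressed as a bailiwick check. A reply from the server for `zone`
# is only believed for names inside that zone; records for other domains are
# rejected rather than cached. All names and addresses here are constructed.

def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it. Comparison is
    case-insensitive and tolerant of a missing trailing dot."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":                 # the root zone contains every name
        return True
    return name == zone or name.endswith("." + zone)

def filter_reply(records, zone):
    """Split (owner, type, rdata) records from the server for `zone` into those
    safe to cache and those to discard as out-of-bailiwick."""
    keep, drop = [], []
    for rec in records:
        (keep if in_bailiwick(rec[0], zone) else drop).append(rec)
    return keep, drop

# Constructed reply from the adatum.com server. The last record is an A record
# for a name in an unrelated domain, exactly what the setting stops the server
# from caching; without the check it could overwrite a legitimate cached entry.
REPLY = [
    ("www.adatum.com.", "A", "192.0.2.80"),
    ("adatum.com.", "NS", "ns1.adatum.com."),
    ("ns1.adatum.com.", "A", "192.0.2.53"),
    ("www.contoso.com.", "A", "198.51.100.7"),
]

def cacheable_reply():
    """Records from REPLY that a pollution-protected server would keep."""
    return filter_reply(REPLY, "adatum.com")[0]
```

Note that the suffix test is anchored on a label boundary, so a look-alike such as badatum.com is not treated as part of adatum.com.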

Page 23: Securing DNS

Using secure dynamic update
◦ The dynamic update feature triggers DNS clients to send a message to the DNS servers during start-up.
◦ The message contains the IP addresses that DHCP has assigned to the client, and this information is used to update the client's resource records. This makes it possible for an intruder to send a fake message saying that the IP address of your Internet web server has changed.
◦ This forces your DNS server to add a counterfeit address to the resource records, redirecting the traffic to a server under the intruder's control.
◦ Solution: create Active Directory-integrated zones and configure them to accept only secure dynamic updates.
◦ Zone Properties dialog box, General tab, Dynamic updates drop-down list: select Secure Only.

Page 24: Troubleshooting DNS server problems

Non-functioning DNS server
◦ If the client can ping the DNS server but receives no replies to name resolution requests, then the DNS service is not running.
  Display the Services console and check whether the status is Started.
  Check the logs in the Event Viewer console.

Troubleshooting DNS server health
◦ dcdiag /test:DNS and dcdiag /test:CheckSecurityError test your DNS and return a summary of the results.

Page 25: Troubleshooting DNS server problems

Troubleshooting incorrect name resolution
3 possibilities:
◦ Incorrect resource records: for manual updates by the administrator, the possibility of typographical errors exists.
◦ Dynamic updates failed to occur: sometimes the update is not recognized.
◦ Zone transfers fail to occur: if DNS is incorrectly resolving names, the problem may be with the zone transfers.

Page 26: Troubleshooting DNS server problems

Troubleshooting outside name resolution failures
◦ The server can resolve names for which it is the authority but fails to resolve names in other domains.
◦ The problem arises when the server is not forwarding queries correctly.