adam's notes

Internal vs External DNS

  • admins should ensure DNS servers are highly available and secure
    • prevent DNS spoofing
      • an attacker is able to supply false name resolution to clients
  • a company uses primary and secondary name servers to maintain authoritative zone records for the domains it manages
  • internal DNS zones refer to the domains used on the private network only
    • should only be available to internal clients

Example

  • Company may run a Windows Active Directory network using the domain name corp.515support.com.
  • The zone records for the subdomain corp.515.support.com are served from internal name servers
    • allows a client PC (pc1.corp.515support.com) to contact a local application server (crm.corp.515support.com)
    • name servers hosting these internal subdomain records must not be accessible from the Internet
  • external DNS zones refer to records that Internet clients must be able to access

Example

  • Company might run web and email servers on the domain 515support.com
  • in order for Internet hosts to use a web server at www.515support.com or send email to an @515support.com address,
    • zone records for 515support.com must be hosted on a name server that is accesssible over the Internet
  • companies must also provide name resolution services to support their internal clients contacting other domains
  • the function of a resolver is to perform recursive queries in response to requests from client systems (stub resolvers)
    • if a name server is not authoritative for the requested domain, it can either;
      • perform a recursive query to locate an authoritative name server
      • or forward the request to another name server
    • a recursive resolver must be configured with root hints file so that it can query the whole DNS hierarchy from the root servers down
    • DNS servers should allow recursive queries only from authorized internal clients
  • good idea to separate the DNS servers used to host zone records from ones used to service client request for nonauthoritative domains
  • possible for the same DNS server instance to perform in both name server and resolver roles
    • but typically these functions are separated to different servers for security reasons
  • alternative to recursion (or supplement it), name servers can be configured to resolve queries via forwarding
    • a forwarder transmits a client query to another DNS server and routes the replies it gets back to the client
    • a conditional forwarder performs this task for certain domains only
      • e.g., might configure a DNS server that is authoritative for the local private network (internal DNS), but that forwards any requests for Internet domains to an external DNS resolver run by the ISP

Graph View

Backlinks