
Page 1: Session 4 Tp 4

Microsoft Windows Server 2003 Network Infrastructure – Planning and Maintenance/ Session 4 / Slide 1 of 22

Session 4

DNS Network Design

Page 2: Session 4 Tp 4

Review

- Dynamic Host Configuration Protocol (DHCP) automates the allocation of IP addresses, the subnet mask, the default gateway and the WINS server.
- DHCP servers supply IP addresses to requesting DHCP clients.
- The DHCP process takes place in four phases: IP lease request, IP lease offer, IP lease selection and IP lease acknowledgement.
- The DHCP service can be designed for: LANs, routed networks and non-Microsoft clients.

Page 3: Session 4 Tp 4

Review Contd…

- DHCP can be secured by stopping rogue servers and using firewalls.
- One DHCP server can support thousands of DHCP clients in a local area network.
- A DHCP client uses the Dynamic Host Configuration Protocol to communicate with the DHCP relay agent.
- The DHCP relay agent sends unicast packets to the DHCP server.

Page 4: Session 4 Tp 4

Objectives

- Explain DNS and its features
- Identify the requirements for a DNS design
- Identify methods to secure the DNS network
- Identify methods to increase DNS performance and availability

Page 5: Session 4 Tp 4

Domain Name System

- Used for conversion of Web addresses to IP addresses and of IP addresses to Web addresses
- TCP/IP is the protocol mainly used for communication over the Internet
- Data is passed between computers in the form of datagrams
- The process of converting Web addresses to IP addresses is called name resolution
- Reverse name resolution is the process of converting IP addresses to Web addresses

Page 6: Session 4 Tp 4

Domain Name System Contd…

- The two types of requests that DNS servers accept are: iterative queries and recursive queries
- The naming scheme in DNS is a hierarchical structure called the DNS namespace
- The DNS namespace consists of a root domain with several sub-domains under it
- DNS can be integrated with the following services: DHCP, WINS and Active Directory

Page 7: Session 4 Tp 4

DNS Network Design - Zones

- A zone is a contiguous portion of the DNS namespace
- Forming zones makes name resolution easier
- A zone consists of a single domain or multiple domains that contain sub-domains under them
- Every zone in the DNS namespace has a database that holds the resource records of the domains in the zone
- The three types of zones on a DNS server are: primary zone, secondary zone and stub zone

Page 8: Session 4 Tp 4

Creating Zones

- We can create zones using the New Zone Wizard
- Select Action, then New Zone, to start the New Zone Wizard

Page 9: Session 4 Tp 4

Resource Records

- A resource record holds the name and IP address of a computer in a zone
- Resource records can be created in a zone
- To create a resource record, select New Host (A) from the Action menu in the DNS console
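The New Zone Wizard and New Host (A) steps from the two slides above, carried out from the command line with dnscmd.exe instead of the DNS console. This is an added example, not part of the course material; the server name dns01, the zone corp.example.com and the 10.0.0.0/24 addresses are constructed placeholders.

```batch
@echo off
rem Added example, not from the course slides: scripted equivalent of the
rem New Zone Wizard and "New Host (A)" steps using dnscmd.exe (Windows Server
rem 2003 Support Tools). Server, zone and addresses are constructed placeholders.
set DNSSRV=dns01
set ZONE=corp.example.com
set REVZONE=0.0.10.in-addr.arpa

rem Forward lookup zone: standard primary stored in a zone file.
rem On a domain controller, /DsPrimary in place of "/Primary /file ..." creates
rem an Active Directory integrated zone instead.
dnscmd %DNSSRV% /ZoneAdd %ZONE% /Primary /file %ZONE%.dns

rem Reverse lookup zone for 10.0.0.0/24, so reverse name resolution works too
dnscmd %DNSSRV% /ZoneAdd %REVZONE% /Primary /file %REVZONE%.dns

rem Host (A) records: node name relative to the zone, record type, record data
dnscmd %DNSSRV% /RecordAdd %ZONE% srv01 A 10.0.0.5
dnscmd %DNSSRV% /RecordAdd %ZONE% srv02 A 10.0.0.6

rem Matching PTR records: the node is the last octet, the data is the FQDN
rem (trailing dot keeps the name absolute)
dnscmd %DNSSRV% /RecordAdd %REVZONE% 5 PTR srv01.%ZONE%.
dnscmd %DNSSRV% /RecordAdd %REVZONE% 6 PTR srv02.%ZONE%.

rem Verify: list zones, show zone properties, then resolve forward and reverse
dnscmd %DNSSRV% /EnumZones
dnscmd %DNSSRV% /ZoneInfo %ZONE%
nslookup srv01.%ZONE% %DNSSRV%
nslookup 10.0.0.5 %DNSSRV%
```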

Page 10: Session 4 Tp 4

Domains

- Second-level domains have to be registered
- Naming conventions for domains are:
  - Use short and easy names
  - Keep the number of levels to five or less
  - Avoid shortened names that are not readable
- Advantages of multiple DNS servers on a network are:
  - Division of load amongst various DNS servers
  - Improvement of performance
  - Reduction of the risk of failure
  - Reduction of traffic arising out of an unmanageable load on a single DNS server

Page 11: Session 4 Tp 4

Types of DNS Servers

Two types of DNS servers are:
- Forwarders – receive name resolution requests from other DNS servers
- Caching-Only servers – hold only cached query results and do not contain zones

Page 12: Session 4 Tp 4

Active Directory Integrated Zones

- Provide read/write multi-master copies of the zones
- Secure the dynamically updated DNS zones automatically
- Are treated as traditional DNS servers by BIND DNS servers
- By contrast, traditional zones have a single primary zone

Page 13: Session 4 Tp 4

Server Location

- DNS server location is based on the type of DNS zone used
- The types of zones are: Active Directory integrated, primary, secondary and delegated domain

Page 14: Session 4 Tp 4

Security Threats to a DNS Server

- Flooding the DNS server with an unmanageable amount of requests
- Forwarding DNS requests from a DNS server to another DNS server that is under the control of an attacker
- Intercepting DNS traffic on the network to gain IP addresses, which are then used to gain access to protected information

[Figure: requests from a DNS server to DNS Server-I and DNS Server-II, with an attacker sending requests and the forwarded requests being diverted]

Page 15: Session 4 Tp 4

Secure Dynamic Updates – Receives the IP address of DNS clients when the DNS server starts up

Page 16: Session 4 Tp 4

Limiting Interface – Reduces the number of network interfaces from which a DNS server can receive requests

Page 17: Session 4 Tp 4

Securing Zone Transfer – Limits the number of servers that can take part in zone transfers

Page 18: Session 4 Tp 4

Protecting a DNS Server – Prevents attackers from filling a DNS server cache with incorrect or unrelated information
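The four hardening measures on the preceding slides (secure dynamic updates, limiting interfaces, securing zone transfer, protecting the cache) applied with dnscmd.exe on Windows Server 2003, with the weak default shown beside the corrected setting. This is an added example, not from the course material; the server name dns01, the zone corp.example.com and all addresses are constructed placeholders.

```batch
@echo off
rem Added example, not from the course slides: the four hardening measures
rem applied with dnscmd.exe on Windows Server 2003. Server name, zone name and
rem addresses are constructed placeholders.
set DNSSRV=dns01
set ZONE=corp.example.com

rem --- Secure dynamic updates ---
rem /AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
rem Weak setting, accepts a registration from anyone who can reach the server:
rem   dnscmd %DNSSRV% /Config %ZONE% /AllowUpdate 1
rem "Secure only" is available for Active Directory integrated zones.
dnscmd %DNSSRV% /Config %ZONE% /AllowUpdate 2

rem --- Limiting interfaces ---
rem The default listens on every address; restrict to the internal interface.
dnscmd %DNSSRV% /ResetListenAddresses 10.0.0.2

rem --- Securing zone transfer ---
rem A new standard primary answers transfer requests from any server.
rem Allow transfers only to the two known secondaries and notify only them.
dnscmd %DNSSRV% /ZoneResetSecondaries %ZONE% /SecureList 10.0.0.3 10.0.1.3 /NotifyList 10.0.0.3 10.0.1.3

rem --- Protecting the cache against pollution ---
rem With /SecureResponses 1 the server discards records in a response that are
rem not in the same subtree as the name it asked for, so unrelated data is not cached.
dnscmd %DNSSRV% /Config /SecureResponses 1

rem --- Verify the resulting settings ---
dnscmd %DNSSRV% /ZoneInfo %ZONE%
dnscmd %DNSSRV% /Info
```

The /ZoneInfo output shows the AllowUpdate and SecureSecondaries values for the zone; /Info dumps the server-wide settings, including ListenAddresses and SecureResponses.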

Page 19: Session 4 Tp 4

DNS Network Performance

- The performance of a DNS server is evaluated in terms of its response time
- To improve DNS performance:
  - Use upgraded hardware
  - Reduce query resolution time by using multiple DNS servers
  - Reduce network congestion caused by replication

Page 20: Session 4 Tp 4

Summary

- DNS servers convert Web addresses to IP addresses and IP addresses to Web addresses
- Name resolution is the process of converting Web addresses to IP addresses
- Reverse name resolution is the process of converting IP addresses to Web addresses
- DNS servers accept iterative and recursive queries
- A zone is a contiguous part of the DNS namespace
- A zone consists of a single domain or multiple domains that contain sub-domains under them

Page 21: Session 4 Tp 4

Summary Contd…

- Resource records are part of zone databases that contain Web addresses and their equivalent IP addresses
- Multiple DNS servers are useful for dividing load amongst various DNS servers
- Two types of DNS servers are: forwarders and caching-only servers
- Active Directory integrated zones secure the dynamically updated DNS zones automatically

Page 22: Session 4 Tp 4

Summary Contd…

- Security threats to a DNS server include:
  - Flooding the DNS server with requests
  - Forwarding DNS requests to a DNS server under the control of an attacker
  - Intercepting DNS traffic
- Secure dynamic updates receive the IP address of DNS clients when the DNS server starts up
- Limiting interfaces reduces the number of network interfaces from which a DNS server can receive requests
- Securing zone transfer limits the number of servers that can take part in zone transfers
- The performance of a DNS server is evaluated in terms of its response time