WORKSHOP: INFRASTRUCTURE
NETWORK COMPUTING I 9.22.2005 I www.nwc.com

DDNS Keeps Names Up to Date
By Jeff Ballard

It's a chore to track the computer moves and IP address changes within departments and offices in your organization. The Dynamic Host Configuration Protocol helps, but your Domain Name System entries typically will lag behind your moves or require manual updates. A better approach for updating your DNS entries is to use Dynamic DNS, which keeps your naming systems up to date automatically.

DHCP obviously goes a long way toward managing computer IP addresses on an enterprise network. Workstations pick up their IP addresses and network configurations from the DHCP server. When a department moves, its servers and workstations get new network configurations. But keeping track of your IP addresses and assigning meaningful DNS entries to your servers and network services can be challenging with DHCP alone. It's better to associate IP addresses on your network with meaningful DNS names so you can identify your networked computers reliably and easily. With DNS, your core systems can perform a DNS lookup, store that value and know which computer is using which IP address.

But if you're running DHCP and DNS without a Dynamic DNS system, your host names probably don't contain unique data about each computer—they probably look like this: dhcp-192-168-12-34.example.com. It's more useful to have a DNS host name, such as accounting-sue.workstation.example.com, appear in your logs. This kind of naming is made much easier with DDNS. DDNS bridges the gap between dynamic DHCP and DNS, recording dynamic DHCP lease records logged for your IP-based services (particularly Web servers).

Before DDNS was widely available in DHCP and DNS products, many enterprises used proprietary methods to update DNS. These approaches are OK, but often are self-contained and difficult to support and maintain. You'd do better to incorporate DDNS products into your infrastructure.

DDNS Up Close

DDNS includes three advanced DNS features: dynamic update, notify and IXFR (incremental transfer). Dynamic update is the process by which your DHCP or other IP address service notifies the DNS server of new information. Using a secure connection, the DNS server is told, for instance, that workstation-bill.accounting.example.com is now at IP address 10.35.99.124. The DNS server remembers this information, discards the old information and begins answering any requests for the name of 10.35.99.124 as workstation-bill.accounting.example.com.

Most large organizations have more than one DNS server for redundancy and load sharing. In DNS terms, a zone is one of the parts of a DNS entry separated by a period: .accounting.example.com, for example. DNS information is stored and transferred relative to this zone. Internet Systems' BIND (Berkeley Internet Name Daemon) open-source DNS server software, for instance, typically updates a secondary DNS server's zone records every 15 minutes from its primary server, which doesn't give you real-time information.

But the zone-notify feature of DDNS fixes that: The primary DNS server notifies secondary DNS servers of the new, updated version of the DNS zone records. The secondary DNS server then knows it needs to fetch an updated copy of the zone so its configuration matches the new values on the server.

If you're not using DDNS, you have to transmit the entire copy of the zone to get that information across. This causes a problem for fully dynamic DNS entries—if you have a large or rapidly updating DNS zone, your servers will become bogged down. With DDNS' IXFR feature, the secondary server asks the primary server only for incremental changes. If you have 10,000 DNS entries in your zone file, for example, and only three have changed, these three are sent from the primary to the secondary servers, rather than the entire zone.

Open Source and Commercial Servers

If you want to deploy a DNS server in a large network, the safest bet is to use BIND server software. It is well-supported and stable. There are commercial DDNS products as well,

which typically go beyond just DNS management and handle overall IP address management, too. Some examples include Infoblox Network Identity appliances, Lucent Technologies VitalQIP software and MetaInfo Meta IP software. These are turnkey solutions to IP address management and DNS/DDNS services.

If you decide to run BIND, make sure it's at least version 9.2. Earlier versions have posed problems (see "Caught in a BIND," below). BIND works on Apple Mac OS X, Linux, Windows and Unix.

Keys Are Key

It is important to update your data securely. If you don't configure your DNS server to check who is sending updates, for instance, an intruder could redirect secure-intranet.example.com to www.i-am-a-hacker.com. Redundancy doesn't help here—with dynamic update and IXFR, your redundant DNS servers just update this bad information quickly.

So be sure to use cryptographically strong keys when configuring DDNS updating. There are two methods for secure DDNS communications: TSIG (Transaction Signature) and SIG(0). TSIG keys are symmetric HMAC-MD5 (hash-based message authentication code with MD5) keys. Symmetric keys are basically shared secrets. If any machine sending updates to your DNS server is compromised, the cat's out of the bag because each machine and your DNS server share the same key. Still, TSIG keys typically are easy to set up and more widely supported in DNS and DHCP products than SIG(0) keys.

SIG(0) comprises a public/private key pair using any standard cryptographic method. It's more secure than HMAC-MD5, but you'll spend more time getting it to work. Each updater gets its own key, and most client software needs extra configuration to work with SIG(0).

You also can have multiple keys in your DNS configuration file, so *.a.example.com could have a key different from that of *.b.example.com. This way, you can limit the potential damage compromised keys can cause. But be careful with permissions. In Internet Systems' BIND, for instance, the keys are in plain text in the configuration files, so you want to make sure the files have the proper permissions so only systems administrators can access them.
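The script below is an added example, not code from the article or from BIND or DHCPD. It generates a separate TSIG key per zone, installs it for BIND with permissions that keep the plain-text secret away from ordinary users, and writes the matching stanza for Internet Systems' DHCPD, the updater that must hold the same shared secret; the file paths, zone names and the 10.0.0.1 server address are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. One TSIG key per zone, installed for
# BIND with restricted permissions, plus the matching DHCPD stanza so the
# updater holds the same secret. Paths, zones and 10.0.0.1 are assumptions.
set -eu

# Random 256-bit HMAC-MD5 shared secret, base64 as BIND expects. BIND's own
# dnssec-keygen/tsig-keygen do the same job; /dev/urandom keeps this portable.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Create key "<zone>-key" in KEYFILE (umask 077 at creation, then 0640, so it
# is never world-readable) and append a zone block to CONF that accepts
# dynamic updates for ZONE only when they are signed with that key.
install_zone_key() {            # usage: install_zone_key ZONE KEYFILE CONF
    zone=$1 keyfile=$2 conf=$3
    secret=$(gen_secret)
    ( umask 077; printf 'key "%s-key" { algorithm hmac-md5; secret "%s"; };\n' \
        "$zone" "$secret" > "$keyfile" )
    chmod 0640 "$keyfile"       # in production also: chown root:named "$keyfile"
    cat >> "$conf" <<EOF
include "$keyfile";
zone "$zone" {
    type master;
    file "db.$zone";
    allow-update { key "$zone-key"; };   # a separate key per zone limits damage
};
EOF
}

# DHCPD side: same key name and secret, the 30-second TTL the article suggests
# for fast-changing networks (DHCPD's default is half the lease time), and a
# fallback name for clients that send no host-name option.
write_dhcpd_stanza() {          # usage: write_dhcpd_stanza ZONE KEYFILE DNS OUT
    zone=$1 keyfile=$2 dns=$3 out=$4
    secret=$(sed -n 's/.*secret "\([^"]*\)".*/\1/p' "$keyfile")
    cat > "$out" <<EOF
ddns-update-style interim;
ddns-domainname "$zone";
ddns-ttl 30;
ddns-hostname = pick-first-value(option host-name,
    concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)));
key "$zone-key" { algorithm hmac-md5; secret "$secret"; }
zone $zone. { primary $dns; key "$zone-key"; }
EOF
}
```

Run install_zone_key once per zone (a.example.com and b.example.com, for instance) so a leaked key for one zone cannot be used to rewrite another.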

Time To Live

If your DDNS data is accessible from the Internet, how long should other Internet DNS servers cache your DDNS information? The length of time any DNS record should be cached is called the TTL (Time To Live). The lower this number, the quicker other Internet DNS servers learn about changes, but the more often they will be asking your DNS servers for information. The higher you make this number, the more out of date your DNS information could be on the Internet. But less frequent updates mean less load on your DNS servers.

Internet Systems' DHCPD, for instance, uses a default TTL of one-half of the DHCP lease time. However, you might want to consider a much lower number. It's not uncommon to use a time-out of about 30 seconds for rapidly changing networks.

During initial configuration, turn on all the logging features of your DNS and DHCP servers. After your DDNS system is up and running, you can dial back the settings to show only the errors you want to see—and can control. For example, DNS generates a lot of logs about poorly configured DNS servers on the Internet that are beyond your control, so there's no need to log all that data.

The next step in building a dynamic IP address updating system is to configure your DHCP server to update the DNS server. Internet Systems' DHCPD is the de facto standard DHCP server, and the current version, 3, sends dynamic updates to DNS. Internet Systems' DHCPD has many options, but pay careful attention to

Caught in a BIND

There have been several incidents this year of DNS cache poisoning, with Internet Systems' BIND DNS server software acting as a forwarding name server. A DNS server can be optimized to use another, larger name server—typically your ISP's DNS server—as the first source for DNS information on the Internet. A forwarding name server is helpful because it greatly decreases the turnaround time for answers to DNS queries.

But a weakness in the DNS RFC specification could leave you vulnerable to DNS cache poisoning. In cache poisoning, the attacker redirects information about a well-known site such as www.nwc.com to a server he or she controls. The DNS server is tricked into getting information on www.nwc.com from the rogue ns1.i-am-a-hacker.com server, for example. So it always goes to the fake server for information on www.nwc.com. If www.nwc.com were your banking Web site, for instance, the attacker could steal all your financial information.

Although this hole was patched when it was discovered more than 10 years ago, BIND versions 4 and 8 acting as a forwarding name server will pass on this bad information. So if your ISP's DNS server runs BIND 4 or 8, and you are using it as a forwarding name server, you could be receiving rogue data. The best bet is to use at least a BIND 9.2 server, which is immune to this cache poisoning, as your forwarding name server and for your internal DNS servers as well.


naming restrictions for your client machines, the zone they should be updating to and what to do when a computer isn't providing a host name.

How Active Is Your Directory?

Ideally, you would configure Microsoft Active Directory to use DDNS, but that's your choice. Windows 2000 and above use DNS and SRV (service) records instead of WINS for computer name management. The good news: This can all be handled by the same DNS server. The bad news: Your Windows 2000 machines may attempt to alter your DNS server dynamically without your knowledge. Safely integrating them is straightforward but requires a little work.

You can integrate Active Directory into your DNS zone in several ways. You can have Active Directory manage all your DNS; just be part of the DNS that's in the Active Directory forest; or have Active Directory update a standard DNS server through dynamic updates. If you are an all-Microsoft shop and everything is contained within an Active Directory, the most straightforward method is to just use the Windows 2000x DNS services bundled with the OS.

If you want to integrate Active Directory into your existing DNS service, however, you can delegate specific zones to the directory. So *.ad.example.com would be handled by your Active Directory zones, and the rest of your DNS, by another server.

A step up from using Microsoft's DNS services is to delegate the special Active Directory zones from your primary DNS server to the directory server and not use DDNS directly to your main DNS server. These additional zones help the servers locate one another as well as help client workstations locate servers. Active Directory will only want _tcp, _udp, _sites and _msdcs at the same name as its root. For example, the entry _msdcs.example.com contains the listing of all AD servers in the forest example.com. (Active Directory stores information on how to find various domain controllers, password servers and so on in that zone.) In this model, AD controls the information it needs.

In a full-blown DDNS implementation, Active Directory sends dynamic updates directly to your main DNS server. This is more secure because it centralizes DNS information in one place and results in fewer servers that need patching, updating and monitoring.

Check Your Client

If using DHCP or Active Directory is not feasible for some of your computers that change IP addresses, you may need another tool such as BIND's nsupdate. This program is meant to be used manually or from scripts for directly updating DNS information (you could use it for DDNS updating without DHCP, for instance). Nsupdate uses standard input and output to update DDNS entries. You can find a simple script using nsupdate that lets a Linux machine update its IP address directly at www.knuthaugen.no/linux/ddns/.

Beware that Microsoft Windows 2000 and XP standalone workstations will try to register themselves automatically with the Active Directory-style DDNS entries on login and then hourly. If your DNS server is not configured to allow this, it may be causing lots of unnecessary traffic and error log entries. To disable automatic registration by 2000 and XP machines, set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\UseDynamicDns to 0x0 (it defaults to 0x1). You can disable this by machine through the advanced DNS settings for the TCP/IP stack in the Windows Control Panel settings for your network card. This will prevent the Windows 2000 or XP machine from attempting to send DDNS updates.

With the proper setup, DDNS can reduce your IP address-management workload and provide detailed and consistent information to the services on your network. You'll finally be able to update your name information dynamically while configuring your network with DHCP.

Jeff Ballard is the Unix systems manager for the Computer-Aided Engineering Center at the University of Wisconsin-Madison. Send your comments on this article to him at [email protected]. Post a comment or question on this story at www.nwc.com/go/ask.html.

Dig Deeper

Dig is a handy, all-purpose command-line tool in the Internet Systems' BIND suite. Here's an example of its useful features:

dig @a.root-servers.net . ns > named.root

This command gives you a new named.root file. Root name servers don't move much, so you can run this once a month to keep this file up to date. Your DNS server must know about those root name servers so it can ask for DNS information.

Another tool is the chaos query, which gives you the currently running version of the DNS server:

dig version.bind txt chaos

Add @192.168.0.1 to get the version at a specific DNS server.
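As an added example for the "Check Your Client" section (not the article's code or the script it links to), the functions below feed nsupdate the batch it reads on standard input to update one host's A and PTR records, sign it with a TSIG key, and confirm the result with dig. The key file path, the server name ns1.example.com and the use of the article's workstation-bill/10.35.99.124 pair are assumptions.

```shell
#!/bin/sh
# Added example, not the script the article links to. Updates one host's A
# and PTR records with BIND's nsupdate, signed with a TSIG key, using the
# 30-second TTL the article suggests for fast-changing networks.
# The key file path, server name and sample host/address are assumptions.
set -eu

# Build the batch nsupdate reads on standard input. The old records are
# deleted first so a machine that moved does not keep a stale address.
# Each "send" is one transaction; nsupdate locates the zone for it by
# looking up the SOA, so forward and reverse updates need no "zone" line.
ddns_batch() {                 # usage: ddns_batch SERVER FQDN IP TTL
    server=$1 fqdn=$2 ip=$3 ttl=$4
    # reverse name: 10.35.99.124 -> 124.99.35.10.in-addr.arpa
    rev=$(printf '%s' "$ip" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
    printf 'server %s\n' "$server"
    printf 'update delete %s. A\n' "$fqdn"
    printf 'update add %s. %s A %s\nsend\n' "$fqdn" "$ttl" "$ip"
    printf 'update delete %s. PTR\n' "$rev"
    printf 'update add %s. %s PTR %s.\nsend\n' "$rev" "$ttl" "$fqdn"
}

# Sign the batch with the TSIG key (the one named in the zone's allow-update
# clause) and push it, then show what other resolvers will see from now on;
# the TTL column of the dig answer is the 30 seconds requested above.
ddns_update() {                # usage: ddns_update SERVER KEYFILE FQDN IP
    ddns_batch "$1" "$3" "$4" 30 | nsupdate -k "$2"
    dig @"$1" +noall +answer "$3" A
}

# Example invocation (constructed values):
# ddns_update ns1.example.com /etc/bind/keys/accounting.example.com-key.conf \
#     workstation-bill.accounting.example.com 10.35.99.124
```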
