WORKSHOPINFRASTRUCTURE tain. You’d do better to incorporate DDNS products Dynamic DNS into your infrastructure. DDNS Up Close Keeps Names DDNS includes three advanced DNS features: dynamic update, notify and IXFR (incremental transfer). Up to Date Dynamic update is the process by which your DHCP server or other IP address service notifies the DNS By Jeff Ballard server of new information. Using a secure connection, the DNS server is told, for instance, that workstation- t’s a chore to track the computer moves and bill.accounting.example.com is now at IP address changes within departments and offices in your 10.35.99.124. The DNS server remembers this infor- organization. The Dynamic Host Configuration mation, discards the old information and begins IProtocol helps, but your Domain Name System answering any requests for the name of 10.35.99.124 entries typically will lag behind your moves or require as workstation-bill.accounting.example.com. manual updates. A better approach for updating your Most large organizations have more than one DNS DNS entries is to use Dynamic DNS, which keeps your server for redundancy and load sharing. In DNS naming systems up to date automatically. terms, a zone is one of the parts of a DNS entry sepa- DHCP obviously goes a long way toward managing rated by a period: .accounting.example.com, for exam- computer IP addresses on an enterprise network. Work- ple. DNS information is stored and transferred rela- stations pick up their IP addresses and network configu- tive to this zone. Internet Systems’ BIND (Berkeley rations from the DHCP server. When a department Internet Name Daemon) open-source DNS server soft- moves, its servers and workstations get new network ware, for instance, typically updates a secondary DNS configurations. But keeping track of your IP addresses server’s zone records every 15 minutes from its pri- and assigning meaningful DNS entries to your servers mary server, which doesn’t give you real-time infor- and network services can be challenging with DHCP mation. But the zone-notify feature of DDNS fixes alone. It’s better to associate IP addresses on your net- that: The primary DNS server notifies secondary DNS work with meaningful DNS names so you can identify servers of the new, updated version of the DNS zone your networked computers reliably and easily. With records. The secondary DNS server then knows it DNS, your core systems can perform a DNS lookup, needs to fetch an updated copy of the zone file so its store that value and know which computer is using configuration matches the new values on the server. which IP address. If you’re not using DDNS, you have to transmit the But if you’re running DHCP and DNS without a entire copy of the zone to get that information across. Dynamic DNS system, your host names probably This causes a problem for fully dynamic DNS entries— don’t contain unique data about each computer— if you have a large or rapidly updating DNS zone, your they probably look like this: dhcp-192-168-12- servers will become bogged down. With DDNS’ IXFR 34.example.com. It’s more useful to have a DNS host feature, the secondary server asks the primary server name, such as accounting-sue.workstation.example.com, only for incremental changes. If you have 10,000 DNS appear in your logs. This kind of naming is made entries in your zone file, for example, and only three much easier with DDNS. DDNS bridges the gap have changed, these three are sent from the primary to between dynamic DHCP and DNS, recording dynamic the secondary servers, rather than the entire zone. DHCP lease records logged for your IP-based services (particularly Web servers). Open Source and Commercial Servers Before DDNS was widely available in DHCP and If you want to deploy a DNS server in a large network, DNS products, many enterprises used proprietary meth- the safest bet is to use BIND server software. It is well- ods to update DNS. These approaches are OK, but often supported and stable. are self-contained and difficult to support and main- There are commercial DDNS products as well, www.nwc.com I 9.22.2005 I NETWORK COMPUTING 63 WORKSHOPINFRASTRUCTURE which typically go beyond just DNS management (Transaction Signature) and SIG(0). TSIG keys are sym- and handle overall IP address management, too. metric HMAC-MD5 (Hashing Message for Authentica- Some examples include Infoblox Network Identity tion MD5) keys. Symmetric keys are basically shared appliances, Lucent Technologies VitalQIP software secrets. If any machine sending updates to your DNS and MetaInfo Meta IP software. These are turnkey server is compromised, the cat’s out of the bag because solutions to IP address management and DNS/ each machine and your DNS server share the same DDNS services. key. Still, TSIG keys typically are easy to set up and If you decide to run BIND, make sure it’s at least more widely supported in DNS and DHCP products version 9.2. Earlier versions have posed problems (see than SIG(0) keys. “Caught in a BIND,” below). BIND works on Apple SIG(0) comprises a public/private key pair using any Mac OS X, Linux, Windows and Unix. standard cryptographic method. It’s more secure than HMAC-MD5, but you’ll spend more time getting it to Keys Are Key work. Each updater gets its own key, and most client It is important to update your data securely. If you software needs extra configuration to work with SIG(0). don’t configure your DNS server to check who is send- You also can have multiple keys in your DNS con- ing updates, for instance, an intruder could redirect figuration file, so *.a.example.com could have a key dif- secure-intranet.example.com to www.i-am-a-hacker.com. ferent from that of *.b.example.com. This way, you can Redundancy doesn’t help here—with dynamic update limit the potential damage compromised keys can and IXFR, your redundant DNS servers just update this cause. But be careful with permissions. In Internet Sys- bad information quickly. tems’ BIND, for instance, the keys are in plain text in So be sure to use cryptographically strong keys the configuration files, so you want to make sure the when configuring DDNS updating. There are two files have the proper permissions so only systems methods for secure DDNS communications: TSIG administrators can access them. Time To Live Caught in a BIND If your DDNS data is accessible from the Internet, how long should other Internet DNS servers cache There have been several incidents this year of DNS cache poisoning, with Internet Systems’ BIND DNS your DDNS information? The length of time any DNS server software acting as a forwarding name server. record should be cached is called the TTL (Time To TA DNS server can be optimized to use another, larger Live). The lower this number, the quicker other Inter- name server—typically your ISP’s DNS server—as the first net DNS servers learn about changes, but the more source for DNS information on the Internet. A forwarding often they will be asking your DNS servers for infor- name server is helpful because it greatly decreases the mation. The higher you make this number, the more turnaround time for answers to DNS queries. out of date your DNS information could be on the But a weakness in the DNS RFC specification Internet. But less frequent updates mean less load on could leave you vulnerable to DNS cache poisoning. your DNS servers. In cache poisoning, the attacker redirects informa- Internet Systems’ DHCPD, for instance, uses a tion about a well-known site such as www.nwc.com default TTL of one-half of the DHCP lease time. How- to a server he or she controls. The DNS server is ever, you might want to consider a much lower num- tricked into getting information on www.nwc.com ber. It’s not uncommon to use a time-out of about from the rogue ns1.i-am-a-hacker.com server, for 30 seconds for rapidly changing networks. example. So it always goes to the fake server for During initial configuration, turn on all the logging information on www.nwc.com. If www.nwc.com were features of your DNS and DHCP servers. After your your banking Web site, for instance, the attacker DDNS system is up and running, you can dial back the could steal all your financial information. settings to show only the errors you want to see—and Although this hole was patched when it was dis- can control. For example, DNS generates a lot of logs covered more than 10 years ago, BIND versions 4 about poorly configured DNS servers on the Internet and 8 acting as a forwarding name server will pass that are beyond your control, so there’s no need to log on this bad information. So if your ISP’s DNS server all that data. runs BIND 4 or 8, and you are using it as a forward- The next step in building a dynamic IP address ing name server, you could be receiving rogue data. updating system is to configure your DHCP server to The best bet is to use at least a BIND 9.2 server, update the DNS server. Internet Systems’ DHCPD is the which is immune to this cache poisoning, as your de facto standard DHCP server, and the current version, forwarding name server and for your internal DNS servers as well. 3, sends dynamic updates to DNS.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages3 Page
-
File Size-