
Domain Name System

&
Demilitarized Zone
Prepared by: Iyad A. Hawili

SARA-IT (NSEU)

DNS
Domain Name System

Hostnames
IP addresses are great for computers:
An IP address includes information used for routing.
IP addresses are tough for humans to remember.
IP addresses are impossible to guess.
Ever guessed at the name of a WWW site?

The Domain Name System
The domain name system is usually used to translate a host name into an IP address.
Domain names comprise a hierarchy so that names are unique, yet easy to remember.

DNS Hierarchy
(Diagram: a naming tree with the top-level labels edu, com, org and lb; lau, aub, com and SARA-IT appear as nodes further down the tree.)

Host name structure
Each host name is made up of a sequence of labels separated by periods.
Each label can be up to 63 characters.
The total name can be at most 255 characters (255 octets in wire form, which leaves 253 characters for the dotted name).
Examples:
SARA-IT.co.uk
SARA-IT.ca
SARA-IT.net
SARA-IT.com
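The label and name limits above come straight from the wire format in RFC 1035. The following Python example, added here and not part of the original slides, validates a host name and encodes it as DNS would send it: each label is prefixed by a one-octet length (so a label cannot exceed 63, since the top two bits of that octet are reserved for compression pointers), and the encoded name including the terminating zero must fit in 255 octets. The sample names are constructed for the example.

```python
"""Validate a host name and encode it in DNS wire form.

Added example, not from the original slides: the 63-octet label limit
exists because each label is stored behind a one-octet length field
whose top two bits are reserved for compression pointers, and the
255-octet limit applies to the whole encoded name."""
import re
from typing import List

MAX_LABEL = 63     # length octet 0x00-0x3F; 0xC0.. marks a compression pointer
MAX_NAME = 255     # encoded name, including length octets and the root terminator

# Host labels are letters, digits and hyphen, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def split_labels(name: str) -> List[str]:
    """Split a presentation-form name into its labels, tolerating a trailing dot."""
    name = name[:-1] if name.endswith(".") else name
    if not name:
        return []
    labels = name.split(".")
    for label in labels:
        if not label:
            raise ValueError("empty label in %r" % name)
        if len(label) > MAX_LABEL:
            raise ValueError("label %r exceeds %d octets" % (label, MAX_LABEL))
        if not _LABEL_RE.match(label):
            raise ValueError("label %r is not a valid host label" % label)
    return labels


def encode_name(name: str) -> bytes:
    """<len><label>...<len><label><0>, as in RFC 1035 section 3.1."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in split_labels(name)) + b"\x00"
    if len(wire) > MAX_NAME:
        raise ValueError("encoded name is %d octets, limit is %d" % (len(wire), MAX_NAME))
    return wire


def is_valid_hostname(name: str) -> bool:
    try:
        encode_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample names for the example
    for candidate in ("SARA-IT.ca", "www.sara-it.co.uk", "a" * 64 + ".com", "-bad.example"):
        print("%-20s %s" % (candidate, is_valid_hostname(candidate)))
```

Note that a four-label name of 63+63+63+63 characters is 255 characters in dotted form but 257 octets on the wire, so it is rejected; the longest valid dotted name is 253 characters.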

Domain Name
The domain name for a host is the
sequence of labels that lead from the
host (leaf node in the naming tree) to
the top of the worldwide naming tree.
A domain is a subtree of the worldwide
naming tree.

Top level domains
Generic: edu, gov, com, net, org, mil, ...
Countries each have a top level domain (a 2-letter domain name): ca, qa, uk, fr, lb, sa, etc.

DNS Organization
Distributed database: the organization that owns a domain name is responsible for running a DNS server that can provide the mapping between hostnames within the domain and IP addresses.
So some machine run by SARA-IT is responsible for everything within the SARA-IT.ca domain (LBC_ENTERPRISE).

DNS Distributed Database
There is one primary server for a domain, and typically a number of secondary servers containing replicated databases. The secondaries obtain their copy of the zone from the primary by zone transfer and are authoritative for the domain as well.
(Diagram: the SARA-IT.ca DNS server and LBC.com each hold an authoritative DNS DB; DNS.edu holds the DB for .edu; secondary servers hold replicas.)

DNS Servers
Servers handle requests for their
domain directly.
Servers handle requests for other
domains by contacting remote DNS
server(s).
Servers cache external mappings.


DNS Clients
A DNS client is called a resolver.
Windows 2000 workstations have a DNS client service.
Most Unix workstations have the file /etc/resolv.conf that contains the local domain and the addresses of the DNS servers for that domain (e.g. stretch & smartmail).

SARA-IT DNS
One DNS server is available:
Integrated with Active Directory
No replica databases for the DNS, and no standard primary/secondary pair, so the single server is a single point of failure
The DNS server is handling requests for other domains (smartmail, stretch, ...)

Server - Server Communication
If a server is asked to provide the mapping for a host outside its domain (and the mapping is not in the server cache):
The server finds a name server for the target domain.
The server asks that nameserver to provide the host name to IP translation.
To find the right nameserver, use DNS!

DNS Data
DNS databases contain more than just hostname-to-address records:
Name server records (NS)
Hostname aliases (CNAME)
Mail exchangers (MX)
Host information (HINFO)
Note that HINFO records describe a host's hardware and operating system, which is exactly the kind of detail a publicly reachable server should not give away.

The Root DNS Server
The root server needs to know the addresses of the 1st-level (and many 2nd-level) domain nameservers.
(Diagram: the naming tree again, with edu, com, org and lb below the root and lau, aub, com and SARA-IT as lower nodes.)

Server Operation
If a server has no clue where to find the address for a hostname, it asks a root server.
The root server will tell it which nameserver to contact.
A request may get forwarded a few times.

Recursion
A request can indicate that recursion is desired (the RD flag). This tells the server to find out the answer itself, possibly by contacting other servers.
If recursion is not requested, the response may be a referral: a list of other name servers to contact.

UDP & TCP
Both UDP and TCP are used:
TCP for transfers of the entire database to secondary servers (zone transfers); a server should only accept such transfers from its own secondaries, since a zone transfer hands the requester a full list of the domain's hosts.
UDP for lookups. A reply that does not fit in a 512-octet UDP datagram is sent with the truncated (TC) flag set, and the resolver repeats the query over TCP.
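The Recursion and UDP & TCP slides describe the header bits and the two kinds of reply a server can give. The Python example below, added here and not taken from the original slides, builds a lookup exactly as a resolver would send it over UDP, then parses three constructed replies: an answer from a recursive server (RD and RA set, an A record in the answer section), a referral from a server that does not recurse (no answer, an NS record in the authority section), and a reply with the TC flag set that the resolver would have to repeat over TCP. The `build_reply` helper stands in for the server so the exchange runs offline; the names and the 192.0.2.10 address are sample data constructed for the example.

```python
"""Query/reply exchange for a UDP lookup.  Added example, not part of the
original slides: the replies are constructed here to stand in for a
server; nothing is sent on the network."""
import struct
from typing import Tuple

QTYPE_A, QTYPE_NS = 1, 2
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """<len><label>... terminated by a zero octet (RFC 1035 section 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, txid: int, recursion_desired: bool) -> bytes:
    """Header (ID, flags, QDCOUNT=1, AN/NS/AR=0) followed by one question (class IN)."""
    flags = FLAG_RD if recursion_desired else 0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_reply(query: bytes, answers=(), authority=(), recursion_available=True, truncated=False) -> bytes:
    """Stand-in server: echoes ID and question; records are (owner_wire, type, ttl, rdata)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | (qflags & FLAG_RD) | (FLAG_RA if recursion_available else 0) | (FLAG_TC if truncated else 0)
    body = b""
    for owner, rtype, ttl, rdata in list(answers) + list(authority):
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0) + query[12:] + body


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name, following 0xC0xx compression pointers; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer into an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_reply(msg: bytes) -> dict:
    """Header flags plus the three record sections; classifies the reply as answer/referral/empty."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # skip QTYPE and QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in zip(sections, (an, ns, ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == QTYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype == QTYPE_NS:
                value = decode_name(msg, off)[0]
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            sections[section].append((name, rtype, ttl, value))
    kind = "answer" if an else ("referral" if ns else "empty")
    return {"id": txid, "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "kind": kind, **sections}


# Constructed sample exchange (192.0.2.10 is a documentation address, not a real host).
QUERY = build_query("www.SARA-IT.ca", QTYPE_A, 0x1234, recursion_desired=True)
ANSWER_REPLY = build_reply(QUERY, answers=[(b"\xc0\x0c", QTYPE_A, 300, bytes([192, 0, 2, 10]))])
NR_QUERY = build_query("www.SARA-IT.ca", QTYPE_A, 0x1235, recursion_desired=False)
REFERRAL_REPLY = build_reply(
    NR_QUERY,
    authority=[(encode_name("SARA-IT.ca"), QTYPE_NS, 3600, encode_name("ns1.SARA-IT.ca"))],
    recursion_available=False)
TRUNCATED_REPLY = build_reply(QUERY, truncated=True)   # did not fit in UDP: repeat the query over TCP

if __name__ == "__main__":
    for label, reply in (("recursive", ANSWER_REPLY), ("non-recursive", REFERRAL_REPLY), ("truncated", TRUNCATED_REPLY)):
        print(label, parse_reply(reply))
```

The owner name of the A record is the two-octet pointer `0xC00C`, which points back to the question name at offset 12; the decoder shows how such pointers are followed without losing the position in the message.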

Lots more
This is not a complete description !
If interested - look at:
RFC 1034: DNS concepts and facilities.
RFC 1035: DNS implementation and
protocol specification.


DMZ
Demilitarized Zone

The threat is out there
SNMP
Sniffers
Remote control software
Administrative interfaces exposed over the same protocols the service is meant to serve

Demilitarized Zones
A no man's land analogy.
Public services are put on the DMZ.
Access restrictions are placed between the external network and the DMZ, and between the DMZ and the internal corporate network.

The Purpose of the DMZ
The DMZ exists to lessen risk by isolating certain services and functions in a separate segment of the network.
Segmentation by isolation is generally not enough. Defense in depth, along with proper protection of internal hosts from the DMZ, is required.

The Purpose of the DMZ contd..
Other problems in the DMZ:
Constant change
Too many hands in the pot
Service protocols not designed with security in mind
Systems management protocols not designed with security in mind
Scalability mechanisms create additional separation and bloat an otherwise clean network design
Complexity of disparate types of traffic going through the DMZ

Existing corporate Network
(Diagram: Internet (212.98.x.x) - WAP - Router - Demilitarized Zone (DMZ, 172.16.x.x) - Router - SARA-IT Corporate Network (192.168.x.x). Hosts shown: Web, Mail, SMSC, UMS.)
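The access restrictions between the three segments are the whole point of the design, and the easiest thing to get wrong in the inner router. The Python example below, added here and not part of the original slides, models the screening-router policy as a first-match rule list over the address plan from the diagram (DMZ 172.16.x.x, corporate 192.168.x.x, everything else Internet). The individual host addresses, the single mail-relay exception and the probe list are assumptions for illustration. It then shows the blast radius of a compromised web server under the hardened ruleset next to a "weak" variant with the broad DMZ-to-internal rule that tends to creep in when one application is made to work.

```python
"""Access restrictions between Internet, DMZ and corporate network,
evaluated as a first-match rule list.

Added example, not from the original slides.  Network ranges follow the
diagram; host addresses and the mail-relay exception are assumptions.
Only new connections are modelled; replies are left to the router's
state table."""
import ipaddress
from typing import List, Tuple

DMZ = ipaddress.ip_network("172.16.0.0/16")
CORP = ipaddress.ip_network("192.168.0.0/16")

# assumed addresses of the DMZ hosts and of the internal mail server
WEB, MAIL, DMZ_DNS = "172.16.0.10", "172.16.0.25", "172.16.0.53"
CORP_MAIL = "192.168.0.25"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in CORP:
        return "corp"
    return "internet"


# (src, dst, proto, dport, action, name); src/dst are a zone name, a host address or "*"
Rule = Tuple[str, str, str, object, str, str]

HARDENED: List[Rule] = [
    ("internet", WEB, "tcp", 80, "allow", "public web"),
    ("internet", MAIL, "tcp", 25, "allow", "inbound smtp to the relay"),
    ("internet", DMZ_DNS, "udp", 53, "allow", "external dns lookups"),
    ("internet", DMZ_DNS, "tcp", 53, "allow", "external dns over tcp"),
    ("corp", DMZ_DNS, "udp", 53, "allow", "internal dns forwards to dmz dns"),
    ("corp", DMZ_DNS, "tcp", 53, "allow", "internal dns forwards to dmz dns (tcp)"),
    ("corp", "dmz", "tcp", 80, "allow", "staff reach the public web server"),
    (MAIL, CORP_MAIL, "tcp", 25, "allow", "relay delivers mail inward (the only hole)"),
    ("*", "*", "*", "*", "deny", "default deny"),
]

# The mistake to avoid: a broad "DMZ may reach internal" rule in front of the default deny.
WEAK: List[Rule] = HARDENED[:-1] + [("dmz", "corp", "*", "*", "allow", "dmz to internal (too broad)")] + HARDENED[-1:]


def _match(spec: str, ip: str) -> bool:
    return spec == "*" or spec == ip or spec == zone_of(ip)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied."""
    for rsrc, rdst, rproto, rport, action, name in rules:
        if _match(rsrc, src) and _match(rdst, dst) and rproto in ("*", proto) and rport in ("*", dport):
            return action, name
    return "deny", "implicit deny"


def reachable(rules: List[Rule], src: str, probes) -> list:
    """Flows a (possibly compromised) host at SRC may open: the blast radius the DMZ should bound."""
    return [(dst, proto, port) for dst, proto, port in probes if evaluate(rules, src, dst, proto, port)[0] == "allow"]


# constructed probe set: what a DMZ host might try against the corporate network
PROBES = [("192.168.0.5", "tcp", 445), (CORP_MAIL, "tcp", 25), ("192.168.0.53", "udp", 53)]

if __name__ == "__main__":
    for name, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, "compromised web server can reach:", reachable(rules, WEB, PROBES))
```

Under the hardened list a compromised web server reaches nothing inside; the mail relay reaches only the internal mail port it needs. Under the weak list the same web server reaches every probed internal service, which is the "proper protection of internal hosts from the DMZ" the previous slide asks for.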

Designing DNS & DMZ
(Diagram: INTERNET - Screening Router - DMZ holding the Web server, WAP, UMS and the DMZ-DNS - Screening Router - SARA-IT Corporate Intranet holding the internal DNS.)

Detailed Technical Design


The Purpose of DNS in the DMZ
Separate internal and external DNS servers
Limit the information about our network that is publicly available
Protect the internal DNS server from attack
Reduce end-user delays
Eliminate redundant server responses
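The first two points are what a split-horizon setup delivers: the DMZ server answers Internet clients from a small public zone, while the internal server answers corporate clients from the full zone. The Python example below, added here and not part of the original slides, models the two views and the check an administrator would run on the public one. The zone contents, the 203.0.113.x public addresses and the host names are assumptions constructed for the example; the 172.16.x.x and 192.168.x.x ranges follow the diagram.

```python
"""Split-horizon DNS: one public view for outside clients, one full view
for inside clients.

Added example, not from the original slides.  Zone data and addresses
are assumptions for illustration; network ranges follow the diagram."""
import ipaddress
from typing import Dict, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("172.16.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Record = Tuple[str, str]   # (type, value)

# Public view: only what outsiders need.  No HINFO, no internal hosts, public (NAT'd) addresses.
EXTERNAL_ZONE: Dict[str, List[Record]] = {
    "sara-it.ca": [("NS", "ns1.sara-it.ca"), ("MX", "10 mail.sara-it.ca")],
    "ns1.sara-it.ca": [("A", "203.0.113.53")],
    "www.sara-it.ca": [("A", "203.0.113.80")],
    "mail.sara-it.ca": [("A", "203.0.113.25")],
}

# Internal view: every host, with DMZ machines at their real 172.16 addresses.
INTERNAL_ZONE: Dict[str, List[Record]] = {
    "sara-it.ca": [("NS", "dns.sara-it.ca"), ("MX", "10 mail.sara-it.ca")],
    "dns.sara-it.ca": [("A", "192.168.0.53")],
    "www.sara-it.ca": [("A", "172.16.0.10")],
    "mail.sara-it.ca": [("A", "172.16.0.25")],
    "fileserver.sara-it.ca": [("A", "192.168.0.5")],
    "smartmail.sara-it.ca": [("A", "192.168.0.26")],
}


def select_view(client_ip: str) -> str:
    """Inside clients get the internal view; everybody else gets the public one."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def answer(client_ip: str, qname: str, qtype: str) -> Tuple[str, str, List[str]]:
    """Return (view, rcode, values).  Names absent from the selected view are NXDOMAIN."""
    view = select_view(client_ip)
    zone = INTERNAL_ZONE if view == "internal" else EXTERNAL_ZONE
    name = qname.rstrip(".").lower()
    if name not in zone:
        return view, "NXDOMAIN", []
    return view, "NOERROR", [value for rtype, value in zone[name] if rtype == qtype]


def rfc1918_addresses(zone: Dict[str, List[Record]]) -> List[Tuple[str, str]]:
    """Audit helper: A records pointing at private space.  The public view should return none."""
    leaks = []
    for name, records in zone.items():
        for rtype, value in records:
            if rtype == "A" and any(ipaddress.ip_address(value) in net for net in RFC1918):
                leaks.append((name, value))
    return leaks


if __name__ == "__main__":
    for client in ("198.51.100.9", "192.168.0.7"):
        print(client, answer(client, "fileserver.sara-it.ca", "A"), answer(client, "www.sara-it.ca", "A"))
    print("private addresses in public view:", rfc1918_addresses(EXTERNAL_ZONE))
```

An outside client asking for fileserver.sara-it.ca gets NXDOMAIN, and the public www record carries the NAT'd address rather than the DMZ's 172.16 one; the audit function catches the common slip of copying an internal record into the public zone.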

The Purpose of DNS below ISP
Enables control over our domain names
Enables us to change MX records ourselves
If the ISP goes down we are still up (redundancy): internal name resolution keeps working, although outside clients still need the ISP link to reach us
Eliminates large delays for users (name resolution is faster)
Eliminates a portion of network traffic, specifically when the original networks are down
Offloads router traffic

Cost of another DNS
The server sits inside a router yet must be a publicly accessible name server
More load on the administrator
Cost of the server

Thanks
