4. DNS Configuration Types
Most DNS servers are schizophrenic - they may be masters (authoritative) for
some zones, slaves for others and provide resolver or forwarding services for
others. Many observers object to the concept of DNS types partly because of the
schizophrenic behaviour of most DNS servers (they are frequently of more than
one type) and partly to avoid confusion with the named.conf zone parameter
'type' which only allows master, slave, stub, forward, hint. Nevertheless, the
following terms are commonly used to describe the primary functionality of DNS
servers.
Notes:- Running any DNS server that supports recursive queries received from any or all users (an Open DNS) is an Extremely Bad Idea ™. While an Open DNS may look like a friendly and neighbourly thing to do such a server may be used in DDoS attacks and carries a significantly increased risk of cache poisoning. It is always possible to define the range of IP addresses that are allowed or permitted to use the recursive feature of any DNS server. Such a server is termed Closed. The various configurations have been modified to ensure that the DNS stays Closed to non-permitted users.
- One of the basic rules of security is that only the minimum services necessary to meet the objectives should be deployed. This means that a secure DNS server should provide only a single function, for instance, authoritative only, or caching only, not both capabilities in the same server. This is a correct but idealistic position, generally possible only in larger organizations. In practice many of us run mixed mode DNS servers. While much can be done to mitigate any security implications it must always be accepted that, in mixed configurations, increased risk is the downside of flexibility.
4.1 Master (Primary) Name Servers
A Master DNS defines one or more zone files for which this DNS is Authoritative
('type master'). The zone has been delegated (via an NS Resource Record) to this
DNS.
The term master was introduced with BIND 8.x and replaced the term 'primary'.
Diagram 1 DNS Master
Master status is defined in BIND by including 'type master' in the zone declaration
section of the named.conf file as shown by the following fragment.
// example.com fragment from named.conf
// defines this server as a zone master
zone "example.com" in
{
type master;
file "pri.example.com";
};
Notes:- The terms Primary and Secondary DNS entries in Windows TCP/IP network properties mean nothing, they may reflect the 'master' and 'slave' name-server or they may not - you decide this based on operational need, not BIND configuration.
- It is important to understand that a zone 'master' is simply a server which gets its zone data from a local source as opposed to a 'slave' which gets its zone data from an external (networked) source (typically the 'master' but not always). This apparently trivial point means that you can have any number of 'master' servers for any zone if it makes operational sense. You have to ensure (by a manual or other process) that the zone files are synchronised but apart from this there is nothing to prevent it.
- Just to confuse things still further you may run across the term 'Primary Master' this has a special meaning in the context of dynamic DNS updates and is defined to be the name server that appears in the SOA RR record.
- If caching behaviour is permitted and recursive queries are allowed the server will completely answer the request or return an error.
- If caching behaviour is permitted and Iterative (non-recursive) queries are allowed the server can respond with the complete answer (if it is already in the cache because of another request), a referral or return an error.
- If caching behaviour is NOT permitted (an 'Authoritative Only' DNS server) the server will return a referral or an error.
4.2 Slave Name Servers A Slave DNS gets its zone data using a zone transfer operation (typically from a zone master) and it will respond as authoritative for those zones for which it is defined to be a 'slave' and for which it has a currently valid zone configuration. It is impossible to determine from a query result that it came from a zone master or slave. DNS Master - Slave
Diagram 2 DNS Slave Server
The term 'slave' was introduced with BIND 8.x and replaced the term
'secondary'.
There can be any number of slave DNS's for any given zone.
Slave status is defined in BIND by including 'type slave' in the zone
declaration section of the named.conf file as shown by the following
fragment.
// example.com FRAGMENT FROM named.conf
// DEFINES THIS SERVER AS A ZONE SLAVE
zone "example.com" in
{
type slave;
file "sec/sec.example.com";
masters {192.168.23.17;};
};
Notes:- The master DNS for each zone is defined in the 'masters' statement of the zone clause and allows slaves to refresh their zone record when the 'expiry' parameter of the SOA Record is reached. If a slave cannot reach the master DNS when the 'expiry' time has been reached it will stop responding to requests for the zone. It will not use time-expired data.
- The file parameter is optional and allows the slave to write the transferred zone to disc and hence if BIND is restarted before the 'expiry' time the Slave server will use the saved data. In large DNS systems this can save a considerable amount of network traffic.
4.2.1 But Slaves can also be Masters Oh, stop this pain. This section can get a bit confusing. Read it only when accompanied by your favorite keep-me-awake-cos-I-can't-take-anymore-of-this-stuff beverage. The definition of a slave server is simply that it gets its zone data via zone transfer, whereas a master gets its zone data from a local file system. The source of the zone transfer could just as easily be another slave as a master. So what sane human would want to do that?
- Assume you want to hide your master servers in, say, a stealth configuration then at least one slave server will sit on the public side of a firewall, or similar configuration, providing perimeter defence. To provide resilience you would need two or more such public slaves. The second slave can be updated from the same master as the first or it could be updated from the slave server - we'll call it the 'boss' slave to avoid getting into tortuous terminology (is it a master-slave or a slave-master?). To configure this miracle the second slave server would define the 'boss' slave's IP in its masters statement. When the 'boss' slave has sucessfully transfered a zone file (from the master) it will send out NOTIFY messages (the default) unless configured not to do so. This type of configuration will marginally increase latency for updating the zone on the second slave - but that may be more than offset by increased stealth.
- In a DNSSEC environment the master will likely have all kinds of whizzo dodads concerned with keeping keys secure. Whereas DNSSEC slaves simply send the data in the zone file in response to queries and have no requirements for secure key maintenance. Hidden master configurations will become increasingly the norm in this environment.
4.3 Resolver or Caching Name Servers A DNS Reolver (frequently known as a caching or even recursive Name Server) obtains information from another server (a Authoritative Name Server) in response to a host query and then saves (caches) the data locally. On a second or subsequent request for the same data the Resolver (Caching Name Server) will respond with its locally stored data (from the cache) until the time-to-live (TTL) value of the response expires, at which time the server will refresh the data from the zone master. If the resolver (caching name server) obtains its data directly from a zone master it will respond as 'authoritative', if the data is supplied from its cache the response is 'non-authoritative'. The default BIND behaviour is to cache and this is associated with the recursion parameter (the default is 'recursion yes'). There are many configuration examples which show caching behaviour being defined using a type hint statement in a zone declaration. These configurations confuse two distinct but related functions. If a server is going to provide caching services then it must support recursive queries and recursive queries need access to the root servers which is provided via the 'type hint' statement. DNS Resolver (caching server)
Diagram 3 DNS Resolver (Recursive Server)
A Resolver (caching name server) will typically have a named.conf file which
includes the following fragment:
// options section fragment of named.conf
// recursion yes is the default and may be omitted
options
{
directory "/var/named";
version "not currently available";
recursion yes;
};
// zone section
....
// THE DOT INDICATES THE ROOT domain = all domains
zone "." IN
{
type hint;
file "root.servers";
};
Notes:- BIND defaults to recursive queries which by definition provides caching behaviour. The named.conf recursion parameter controls this behaviour.
- The zone '.' is shorthand for the root domain which translates to 'any domain not defined as either a master or slave in this named.conf file'.
- cache data is discarded when BIND is restarted.
- A DNS server acting as master or slave for one or more zones (domains) and as resolver (caching name server) for all other requests. This could be termed a general purpose DNS server.
- A Resolver only (caching only) server - typically used to minimise external access or to compensate for slow external links. This is sometimes called a Proxy server though we prefer to associate the term with a Forwarding server
- The response is received from a Zone master.
- The response is received from a Zone slave with non time-expired zone data.
- The response is received by a caching server directly from either a Zone master or slave. If the response is supplied from the cache it is not authoritative.
4.4 Forwarding (a.k.a Proxy) Name Servers A forwarding (a.k.a. Proxy, Client, Remote) server is one which simply forwards requests to another DNS and caches the results. On its face this looks like a pretty pointless exercise. It is, however, a frequently undervalued and extremely useful configuration in a number of situations:
- Where access to the external network is slow or expensive:
- Local DNS caching - results are cached in the forwarding server so that frequently requested domains will provide fast results from the cache.
- The Remote (forwarded to) DNS server provides recursive query support resulting in a single query across the network (from the forwarding DNS to the 'forwared to' DNS) thus reducing traffic congestion (on busy networks), traffic volume (on expensive networks) and increasing performance (on slow networks).
- Forwarding servers also can be used to ease the burden of local administration by providing a single point at which changes to remote name servers may be managed, rather than having to update all hosts. Thus, all hosts in a particular network section or area can be configured to point to a fixed forwarding DNS which can be configured to stream DNS traffic as desired and changed over time with minimal effort.
- Sanitizing traffic. Especially in larger private networks it may be sensible to stream DNS traffic for local domain access by forwarding to the local DNS servers while forwarding external DNS requests to a dirty or hardened caching DNS (or resolver).
- Forwarding can also be used as part of a Split Server configuration for perimeter defence.
Diagram 4 - DNS Forvarding Server
BIND allows configuration of forwarding using the forward and forwarders
parameters either at a 'global' level (in an options section) or on a per
-zone basis in a zone section of the named.conf file. Both configurations
are shown in the examples below:
Global Forwarding - All Requests
// OPTIONS SECTION FRAGMENT OF named.conf
// FORWARDERS CAN HAVE MULTIPLE CHOICES
options
{
directory "/var/named";
version "not currently available";
forwarders {10.0.0.1; 10.0.0.2;};
forward only;
};
// zone file sections
....
Per Domain Forwarding
// ZONE SECTION FRAGMENT OF named.conf
zone "example.com" IN
{
type forward;
forwarders {10.0.0.1; 10.0.0.2;};
};
Where dial-up links are used with DNS forwarding servers BIND's general
purpose nature and strict standards adherence may not make it an optimal
solution. A number of the Alternate DNS solutions specifically target
support for such links. BIND provides two parameters dialup and heartbeat
-interval (neither of which is currently supported by BIND 9) as well as a
number of others which can be used to minimise connection time.
Example configuration files for a forwarding DNS are provided.
4.5 Stealth (a.k.a. DMZ or Hidden Master) Name Server A stealth server is defined as being a name server which does not appear in any publicly visible NS Records for the domain. The stealth server can be roughly defined as having the following characteristics:
- The organisation needs a public DNS to enable access to its public services e.g. web, mail ftp etc..
- The organisation does not want the world to see any of its internal hosts either by interrogation (query or zone transfer) or should the DNS service be compromised.
Figure 4-5 Stealth Server Topology
The external server(s) is(are) configured to provide Authoritative Only
responses and no caching (no recursive queries accepted). The zone file for
this server would be unique and would contain ONLY those systems or services
that are publicly visible e.g. SOA, NS records for the public (not stealth)
name servers, MX record(s) for mail servers and www and ftp service A
records. Zone transfers can be allowed between the public servers as
required but they MUST NOT transfer or accept transfers from the Stealth
server. While this may seem to create more work, the concern is that should
the host running the external service be compromised then inspection of the
named.conf or zone files must provide no more information than is already
publically visible. If 'master', 'allow-notify','allow-transfer' options are
present in named.conf (each of which will contain a private IP) then the
attacker has gained more knowledge about the organisation - they have
penetrated the 'veil of privacy'.
There are a number of articles which suggest that the view statement may be
used to provide similar functionality using a single server but this does
not address the problem of the DNS host system being compromised and by
simple inspection of the named.conf file additional data about the
organisation could be discovered. In our opinion 'view' does not provide
adequate security in a 'Split DNS' solution.
A minimal public zone file is shown below:
; public zone master file
; provides minimal public visibility of external services
example.com. IN SOA ns.example.com. root.example.com.
(
2003080800 ; se = serial number
3h ; ref = refresh
15m ; ret = update retry
3w ; ex = expiry
3h ; min = minimum
)
IN NS ns1.example.com.
IN NS ns2.example.com.
IN MX 10 mail.example.com.
ns1 IN A 192.168.254.1
ns2 IN A 192.168.254.2
mail IN A 192.168.254.3
www IN A 192.168.254.4
ftp IN A 192.168.254.5
The internal server (the Stealth Server) can be configured to make visible
internal and external services, provide recursive queries and all manner of
other services. This server would use a private zone master file which could
look like this:
; private zone master file used by stealth server(s)
; provides public and private services and hosts
example.com. IN SOA ns.example.com. root.example.com.
(
2003080800 ; se = serial number
3h ; ref = refresh
15m ; ret = update retry
3w ; ex = expiry
3h ; min = minimum
)
IN NS ns1.example.com.
IN NS ns2.example.com.
IN MX 10 mail.example.com.
; public hosts
ns1 IN A 192.168.254.1
ns2 IN A 192.168.254.2
mail IN A 192.168.254.3
www IN A 192.168.254.4
ftp IN A 192.168.254.5
; private hosts
joe IN A 192.168.254.6
bill IN A 192.168.254.7
fred IN A 192.168.254.8
....
accounting IN A 192.168.254.28
payroll IN A 192.168.254.29
Using BIND 9's view statement can provide different services to internal and
external requests can reduce further the Stealth server's visibility e.g.
forwarding all DNS internal requests to the external server.
Example configuration files for a stealth DNS are provided.
4.6 Authoritative Only Server The term Authoritative Only is normally used to describe two concepts:
- The server will deliver Authoritative Responses - it is a zone master or slave for one or more domains.
- The server will NOT cache.
- As the public or external server in a Stealth (a.k.a. DMZ or Hidden Master) DNS used to provide perimeter security.
- High Performance DNS servers. In this context general purpose DNS servers such as BIND may not provide an ideal solution and there are a number of Open Source Alternatives some of which specialise in high performance Authoritative only solutions.
4.7 Split Horizon DNS Server This section was introduced at the suggestion of Maren Leizaola - many thanks for both taking the time to write and for providing interesting usage examples. The term Split Horizon is normally used to describe a DNS server that will give different responses (IP addresses) based on the source address, or some other characteristic, of the query. While it has similar configuration properties to the Stealth Server it can also be used in a varity of unique situations such as:
- Geographic Mapping: Assume that, for example, a web service is replicated in a number of locations (for either performance or access latency reasons) then a specific IP address may be returned based on the source address of the query to ensure the shortest possible path from the user to the service. For those familiar with anycast you could consider this as a poor man's anycast service.
- Naming Consistency: Assume that you have, say, a corporate in-house LDAP service and that you want to keep certain highly secure data on one server only accessible to certain individuals or organizational sections, which have unique or identifiable IP addresses or address ranges, but for reasons of consistency (scripts, configuration files etc) you want both the secure and insecure LDAP services to be named, say, ldap.example.com.
- Load Balancing: Assume that an analysis of incoming service users shows that their source-ip addresses can be separated into contiguous ranges: 50% from a to b, 50% from b to c. In this case rather than simply provide multiple A/AAAA RRs (where load balancing is essentially random) it may be more effective to use a split-horizon strategy.