SARA IT DNS Presentation

Domain Name System & Demilitarized Zone
Prepared by: Iyad A. Hawili, SARA-IT (NSEU)

Description: DNS, Domain Name System

Transcript of SARA IT DNS Presentation

  • Domain Name System & Demilitarized Zone
    Prepared by: Iyad A. Hawili
    SARA-IT (NSEU)

  • DNS: Domain Name Service

  • Hostnames
    IP addresses are great for computers: an IP address includes information used for routing.
    IP addresses are tough for humans to remember.
    IP addresses are impossible to guess. Ever guessed at the name of a WWW site?

  • The Domain Name System
    The domain name system is usually used to translate a host name into an IP address.
    Domain names comprise a hierarchy so that names are unique, yet easy to remember.

  • DNS Hierarchy
    [Figure: the naming tree, with the top-level domains edu, com, org, lb and au below the root and second-level nodes such as aub and SARA-IT below them]

  • Host name structure
    Each host name is made up of a sequence of labels separated by periods.
    Each label can be up to 63 characters.
    The total name can be at most 255 characters.
    Examples: SARA-IT.co.uk, SARA-IT.ca, SARA-IT.net, SARA-IT.com

  • Domain Name
    The domain name for a host is the sequence of labels that lead from the host (leaf node in the naming tree) to the top of the worldwide naming tree.
    A domain is a subtree of the worldwide naming tree.
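The two slides above (host name structure and domain name) describe limits and a tree walk that are easy to get wrong in code that accepts names from users or logs. The following is an added example, not material from the slides or from SARA-IT: it checks a name against the 63-character label and 255-character total limits (the total measured as DNS encodes the name on the wire, with a length octet per label and a final zero octet), walks the labels from the host up to the root, and tests whether a host falls inside a domain's subtree. The sample names are constructed for the example.

```python
# Added example, not from the SARA-IT slides: checks a host name against the
# limits the slides quote (labels of up to 63 characters, 255 for the whole
# name), walks the labels from the host up to the root, and tests whether a
# host lies inside a domain (a subtree of the naming tree).

MAX_LABEL = 63    # octets per label (RFC 1035)
MAX_NAME = 255    # octets for the whole name in wire format (RFC 1035)


def split_labels(name: str) -> list:
    """Labels of a name, leaf first; a trailing dot (the root) is ignored."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def wire_length(name: str) -> int:
    """Length of the name as DNS encodes it: a length octet before each label,
    the label itself, and a final zero octet standing for the root."""
    return sum(1 + len(label) for label in split_labels(name)) + 1


def validate_hostname(name: str) -> list:
    """Return the problems found (an empty list means the name is acceptable).
    Host labels are restricted to letters, digits and interior hyphens."""
    problems = []
    labels = split_labels(name)
    if not labels:
        return ["empty name"]
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > MAX_LABEL:
            problems.append("label %r... longer than %d octets" % (label[:8], MAX_LABEL))
        elif (not all(c.isalnum() or c == "-" for c in label)
              or label[0] == "-" or label[-1] == "-"):
            problems.append("label %r is not a valid host label" % label)
    if wire_length(name) > MAX_NAME:
        problems.append("name longer than %d octets in wire format" % MAX_NAME)
    return problems


def path_to_root(name: str) -> list:
    """Domain names visited walking from the host (leaf) up to the root, e.g.
    'www.SARA-IT.ca' -> ['www.sara-it.ca.', 'sara-it.ca.', 'ca.', '.']"""
    labels = [label.lower() for label in split_labels(name)]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def in_domain(host: str, domain: str) -> bool:
    """True if host is in the subtree rooted at domain (names are case-insensitive)."""
    h = [label.lower() for label in split_labels(host)]
    d = [label.lower() for label in split_labels(domain)]
    return len(d) <= len(h) and h[len(h) - len(d):] == d


if __name__ == "__main__":
    for candidate in ("SARA-IT.co.uk", "a" * 64 + ".com", "bad..name", "-lead.com"):
        print(candidate[:20], validate_hostname(candidate) or "ok")
    print(path_to_root("www.SARA-IT.ca"))
    print(in_domain("mail.sara-it.ca", "SARA-IT.ca"))
```

Note that a name made of four 63-character labels passes the per-label check but fails the total: each label is legal on its own, yet the encoded name is 257 octets. Checking only label length, as many ad-hoc validators do, misses that case.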

  • Top level domains
    edu, gov, com, net, org, mil
    Countries each have a top level domain (2 letter domain name): ca, qa, uk, fr, lb, sa, etc.

  • DNS Organization
    Distributed Database: the organization that owns a domain name is responsible for running a DNS server that can provide the mapping between hostnames within the domain to IP addresses.
    So some machine run by SARA-IT is responsible for everything within the SARA-IT.ca domain (LBC_ENTERPRISE).

  • DNS Distributed Database
    There is one primary server for a domain, and typically a number of secondary servers containing replicated databases.
    [Figure: the .edu DNS database, the authoritative LBC.com DNS database with its replicas, and the SARA-IT.ca DNS server]

  • DNS Servers
    Servers handle requests for their domain directly.
    Servers handle requests for other domains by contacting remote DNS server(s).
    Servers cache external mappings.

  • DNS Clients
    A DNS client is called a resolver.
    Windows 2000 workstations have a DNS client service.
    Most Unix workstations have the file /etc/resolv.conf that contains the local domain and the addresses of DNS servers for that domain (e.g. stretch & smartmail).

  • SARA-IT DNS
    One DNS server is available.
    Integrated with Active Directory.
    No replica databases for the DNS.
    No standard secondary or primary DNS server is handling requests for other domains (smartmail, stretch, ..).

  • Server - Server Communication
    If a server is asked to provide the mapping for a host outside its domain (and the mapping is not in the server cache):
    The server finds a name server for the target domain.
    The server asks the nameserver to provide the host name to IP translation.
    To find the right nameserver, use DNS!

  • DNS Data
    DNS databases contain more than just hostname-to-address records:
    Name server records: NS
    Hostname aliases: CNAME
    Mail exchangers: MX
    Host information: HINFO

  • The Root DNS Server
    The root server needs to know the address of 1st (and many 2nd) level domain nameservers.
    [Figure: the naming tree again, with edu, com, org, lb and au below the root and aub, com and SARA-IT at the second level]

  • Server Operation
    If a server has no clue about where to find the address for a hostname, ask the root server.
    The root server will tell you what nameserver to contact.
    A request may get forwarded a few times.

  • Recursion
    A request can indicate that recursion is desired; this tells the server to find out the answer (possibly by contacting other servers).
    If recursion is not requested, the response may be a list of other name servers to contact.
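The three slides above (server-to-server communication, server operation and recursion) describe one procedure: start at the root, follow referrals until a server answers, cache what was learned, and only do that walking when the client asked for recursion. The following is an added example, not code from the slides or from SARA-IT, that models it with simulated servers: each knows only its own zone and its delegations, and the resolver follows referrals only when recursion is desired, otherwise handing the referral back to the client. Server names, zones and addresses are constructed (documentation ranges), and glue records are skipped, so the resolver looks servers up by name rather than by address.

```python
# Added example, not from the SARA-IT slides: a toy model of the server-to-server
# resolution the slides describe. Each simulated server knows only its own zone
# and its delegations and replies with an answer, a referral (the list of name
# servers to contact next) or "nxdomain". A resolver that receives a query with
# recursion desired follows referrals from the root down and caches the result;
# without recursion desired it hands the referral back to the client. Server
# names, zones and addresses are constructed for the example; glue records are
# skipped, so servers are looked up by name.

from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    zone: str                                        # "" stands for the root zone
    records: dict = field(default_factory=dict)      # owner name -> IPv4 (A records)
    delegations: dict = field(default_factory=dict)  # child zone -> list of server names

    def query(self, qname: str):
        """Answer from own data, or refer to the longest matching delegated child zone."""
        qname = qname.lower().rstrip(".")
        if qname in self.records:
            return ("answer", self.records[qname])
        best = None
        for child in self.delegations:
            if qname == child or qname.endswith("." + child):
                if best is None or len(child) > len(best):
                    best = child
        if best is not None:
            return ("referral", list(self.delegations[best]))
        return ("nxdomain", None)


class Resolver:
    def __init__(self, servers: dict, root_servers: list):
        self.servers = servers          # server name -> Server
        self.roots = root_servers
        self.cache = {}                 # external mappings learned so far
        self.hops = 0                   # how many servers have been contacted

    def resolve(self, qname: str, recursion_desired: bool = True):
        qname = qname.lower().rstrip(".")
        if qname in self.cache:
            return ("answer", self.cache[qname])
        targets = list(self.roots)      # no clue where to look: start at the root
        while targets:
            self.hops += 1
            kind, data = self.servers[targets[0]].query(qname)
            if kind == "answer":
                self.cache[qname] = data
                return ("answer", data)
            if kind == "referral" and recursion_desired:
                targets = data          # the request gets forwarded a few times
                continue
            return (kind, data)         # referral handed to the client, or nxdomain
        return ("servfail", None)


def build_example() -> Resolver:
    """Constructed root, TLD and SARA-IT servers for the demonstration."""
    servers = {
        "a.root.example": Server("a.root.example", "",
                                 delegations={"ca": ["ns.ca-tld.example"],
                                              "com": ["ns.com-tld.example"]}),
        "ns.ca-tld.example": Server("ns.ca-tld.example", "ca",
                                    delegations={"sara-it.ca": ["ns1.sara-it.ca"]}),
        "ns.com-tld.example": Server("ns.com-tld.example", "com"),
        "ns1.sara-it.ca": Server("ns1.sara-it.ca", "sara-it.ca",
                                 records={"ns1.sara-it.ca": "192.0.2.53",
                                          "www.sara-it.ca": "192.0.2.10"}),
    }
    return Resolver(servers, ["a.root.example"])


if __name__ == "__main__":
    r = build_example()
    print(r.resolve("www.SARA-IT.ca"), "after", r.hops, "server contacts")
    print(r.resolve("www.sara-it.ca"), "from cache, still", r.hops, "contacts")
    print(r.resolve("mail.sara-it.ca", recursion_desired=False))
```

The first lookup costs three server contacts (root, .ca, then SARA-IT's own server); the repeat is answered from the cache, which is the "servers cache external mappings" point from the DNS Servers slide. A non-recursive query for a name the resolver has not cached comes back as a referral to the .ca servers, leaving the client to continue.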

  • UDP & TCP
    Both UDP and TCP are used:
    TCP for transfers of the entire database to secondary servers (replication).
    UDP for lookups.
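The UDP & TCP slide gives the split of transports; in practice a client also has to move a lookup from UDP to TCP when the reply does not fit and arrives with the TC (truncated) bit set, and TCP carries each message behind a two-octet length prefix. The following added example, not from the slides or from SARA-IT, builds a query in the RFC 1035 wire format, frames it for TCP, parses the header flags and answer section of a reply (including the name-compression pointers real replies use), and decides which transport to retry on. The reply is constructed by hand for the example; nothing is sent on the network.

```python
# Added example, not from the SARA-IT slides: RFC 1035 wire format for a query,
# TCP framing (two-octet length prefix), and parsing of a reply's header flags
# and A records so a client can notice TC (truncated) and retry over TCP.
# The reply is constructed locally; no packets are sent.

import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Length-prefixed labels ending in a zero octet for the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A,
                recursion_desired: bool = True) -> bytes:
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT = 1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_tcp(message: bytes) -> bytes:
    """Over TCP every DNS message is preceded by its length as a big-endian 16-bit value."""
    return struct.pack("!H", len(message)) + message


def parse_header(message: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def decode_name(message: bytes, offset: int):
    """Decode a possibly compressed name at offset; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = message[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", message[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # name occupies two octets here
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_records(reply: bytes):
    """Return (header, [(owner, dotted IPv4, ttl), ...]) for the A records in the answer section."""
    hdr = parse_header(reply)
    offset = 12
    for _ in range(hdr["qdcount"]):
        _, offset = decode_name(reply, offset)
        offset += 4                                     # QTYPE + QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        owner, offset = decode_name(reply, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[offset:offset + 10])
        offset += 10
        rdata = reply[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append((owner, ".".join(str(b) for b in rdata), ttl))
    return hdr, addrs


def choose_transport(reply: bytes) -> str:
    """'tcp' when a UDP reply is truncated and must be repeated over TCP, else 'udp'."""
    return "tcp" if parse_header(reply)["tc"] else "udp"


def build_constructed_reply(query: bytes, ipv4: str, truncated: bool = False) -> bytes:
    """Hand-built reply for the example: QR, RD and RA set (TC when truncated), one A
    record whose owner is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncated else 0)
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0, 0)
    if truncated:
        return header + question                        # answer did not fit: no records
    rdata = bytes(int(x) for x in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "www.sara-it.ca")
    print(frame_for_tcp(q).hex())
    print(parse_a_records(build_constructed_reply(q, "192.0.2.10")))
    print(choose_transport(build_constructed_reply(q, "192.0.2.10", truncated=True)))
```

The pointer-loop guard in decode_name matters when parsing replies from untrusted sources: a compression pointer that points at itself would otherwise spin forever.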

  • Lots more
    This is not a complete description! If interested, look at:
    RFC 1034: DNS concepts and facilities.
    RFC 1035: DNS implementation and protocol specification.

  • DMZ: Demilitarized Zone

  • The threat is out there
    SNMP
    Sniffers
    Remote control software
    Administrative interfaces (over intended functional protocols)

  • Demilitarized Zones
    A no man's land analogy.
    Public services are put on the DMZ.
    Access restrictions are placed between the external network and the DMZ, and between the DMZ and the internal corporate network.

  • The Purpose of the DMZ
    The DMZ exists to lessen risk by isolating certain services and functions in a separate segment of the network.
    Segmentation by isolation is generally not enough. Defense in depth, along with proper protection of internal hosts from the DMZ, is required.

  • The Purpose of the DMZ contd.
    Other problems in the DMZ:
    Constant change.
    Too many hands in the pot.
    Service protocols not designed with security in mind.
    Systems management protocols not designed with security in mind.
    Scalability mechanisms create additional separation and obesity of a clean network design.
    Complexity of disparate types of traffic going through the DMZ.

  • Existing corporate Network
    [Figure: network diagram showing the WAP and SMSC systems, the 192.168.x.x, 212.98.x.x and 172.16.x.x address ranges, and the router]

  • Designing DNS & DMZ
    [Figure: design diagram with the SARA-IT corporate intranet and its internal DNS server, the DMZ holding the Web, UMS and WAP servers and the DMZ DNS server, and two screening routers]

  • Detailed Technical Design

  • The Purpose of DNS in the DMZ
    Separate internal and external DNS servers.
    Limit the information about our network that is publicly available.
    Protect the internal DNS server from attack.
    Reduce end user delays.
    Eliminate redundant server response.
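The slide above lists what separate internal and external DNS servers are meant to achieve; the following added example, not from the slides or from SARA-IT, models that split as two views of one zone. The external (DMZ) view publishes only the public-facing hosts and the DMZ name server, and refuses to recurse for anyone, which is how it limits what is publicly visible and keeps the internal server out of reach; the internal view carries the full zone and recurses for corporate clients. The view is chosen from the client's source address. It also shows the NS, MX and A record types from the DNS Data slide in use. Zone data, host names, addresses and network ranges are constructed for the example (RFC 1918 private ranges and documentation addresses); the upstream lookup is a stub standing in for the recursive resolution a real server would perform.

```python
# Added example, not from the SARA-IT slides: a toy model of split DNS. An
# external (DMZ) view answers only the records the outside world needs and
# refuses to recurse; an internal view holds the full zone and recurses for
# corporate clients. The view is chosen from the client's source address.
# Zone data, addresses and network ranges are constructed for the example.

import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ZONE_NAME = "sara-it.ca"

# External view: only the public-facing DMZ hosts, with the DMZ name server as NS
EXTERNAL_ZONE = {
    "sara-it.ca":         [("NS", "dmz-dns.sara-it.ca"), ("MX", "10 mail.sara-it.ca")],
    "dmz-dns.sara-it.ca": [("A", "203.0.113.53")],
    "www.sara-it.ca":     [("A", "203.0.113.80")],
    "mail.sara-it.ca":    [("A", "203.0.113.25")],
}

# Internal view: the public records plus everything the outside must not see
INTERNAL_ZONE = dict(EXTERNAL_ZONE)
INTERNAL_ZONE.update({
    "sara-it.ca":            [("NS", "dns.sara-it.ca"), ("MX", "10 mail.sara-it.ca")],
    "dns.sara-it.ca":        [("A", "10.1.1.53")],
    "intranet.sara-it.ca":   [("A", "10.1.2.10")],
    "fileserver.sara-it.ca": [("A", "10.1.2.20")],
})


def select_view(client_ip: str) -> str:
    """Corporate source addresses get the internal view; everyone else the external one."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def upstream_stub(qname: str, qtype: str) -> list:
    """Stand-in for the recursive lookup the internal server would perform
    (constructed data; a real server would contact other name servers)."""
    return [("A", "198.51.100.7")] if (qname, qtype) == ("www.example.com", "A") else []


def answer(client_ip: str, qname: str, qtype: str,
           recursion_desired: bool = False, upstream=upstream_stub) -> dict:
    """Respond as the split server would: rcode NOERROR, NXDOMAIN or REFUSED,
    the matching records, the view used and whether recursion is available (ra)."""
    view = select_view(client_ip)
    zone = INTERNAL_ZONE if view == "internal" else EXTERNAL_ZONE
    qname = qname.lower().rstrip(".")
    in_zone = qname == ZONE_NAME or qname.endswith("." + ZONE_NAME)
    if not in_zone:
        # Only corporate clients may use this server as a recursive resolver;
        # the external view never looks anything up on behalf of the outside.
        if view == "internal" and recursion_desired:
            return {"rcode": "NOERROR", "records": upstream(qname, qtype),
                    "view": view, "ra": True}
        return {"rcode": "REFUSED", "records": [], "view": view, "ra": view == "internal"}
    records = [rr for rr in zone.get(qname, []) if rr[0] == qtype]
    rcode = "NOERROR" if qname in zone else "NXDOMAIN"
    return {"rcode": rcode, "records": records, "view": view, "ra": view == "internal"}


if __name__ == "__main__":
    for client in ("198.51.100.7", "192.168.1.20"):
        for name, qtype in (("www.sara-it.ca", "A"), ("intranet.sara-it.ca", "A"),
                            ("sara-it.ca", "NS")):
            print(client, name, qtype, answer(client, name, qtype))
```

Two things to check in any real deployment of this design, both visible in the model: a query from outside for an internal-only name must come back NXDOMAIN rather than leaking the private address, and the NS record seen from outside must name the DMZ server, not the internal one, so that nobody outside is ever directed at the internal server.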

  • The Purpose of DNS below ISP
    Enable the control over domain names.
    Enable the changing of MX records.
    If the ISP goes down we are still up (redundancy).
    Eliminates large delays for users (name resolution is faster).

  • The Purpose of DNS below ISP contd.
    Eliminates a portion of network traffic, specifically when original networks are down.
    Off-loading router traffic.

  • Cost of another DNS
    We are inside of a router and need publicly-accessible name servers.
    More load on the administrator.
    Cost of the server.

  • Thanks