Wednesday, January 4, 2012

DNS - Domain Name System. Basics, Types of DNS servers

Types of DNS servers

As we stated in the previous part of the DNS tutorial, here we'll talk about the types of DNS servers. This part is theory only; over time we will add tutorials on DNS server configuration, but the practical part requires this theoretical background first.

There are several types of DNS server:
  • Master (Primary) server
  • Slave (Secondary) server
  • Caching (Hint) server
  • Forwarding (Proxy) server
  • Authoritative Only DNS server
  • Stealth DNS server
  • Split Horizon DNS server



Master Name server

A master name server is authoritative for one or more DNS zones. Each server maintains its data in database files, and may transfer this data periodically to a slave server if one exists in the zone. The term 'master' was first introduced in BIND 8 and replaced the term 'primary'.

When a master DNS server receives queries for a zone for which it is authoritative, it responds as authoritative (the AA bit in the response header is set to 1, i.e. true). A server may serve as a master server for one or more zones and as a slave server for other zones.


Slave Name server

A slave name server functions as a backup to the master server, in case the master is unreachable or down. It maintains a copy of the zone file (the host database for the zone) and, at a specified interval defined by the refresh variable, retrieves the contents of the master's file. If it cannot reach the master for a refresh, it tries again at intervals defined by the retry variable and, if it cannot reach the master within the time specified by the expire variable, the data is flushed.
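The refresh, retry and expire timers described above are easiest to understand as a small state machine. The following Python model is an added example written for this post, not code from the original article or from any DNS implementation; the timer values, the zone name and the outage lengths are constructed for the demonstration, and the model deliberately ignores serial-number comparison and the actual transfer.

```python
from dataclasses import dataclass

# Constructed SOA timer values (seconds): assumed to be the refresh, retry
# and expire fields of the zone's SOA record, not values from any real zone.
REFRESH = 3600      # check the master every hour
RETRY = 900         # after a failed check, try again every 15 minutes
EXPIRE = 604800     # give up on the stale copy after 7 days


@dataclass
class SlaveZone:
    """Minimal model of a secondary (slave) server's copy of one zone."""
    name: str
    refresh: int
    retry: int
    expire: int
    last_ok: float          # time of the last successful check/transfer
    next_check: float       # when the next check of the master is due
    valid: bool = True      # False once the copy has been flushed

    def check_master(self, now: float, master_reachable: bool) -> str:
        """Run one scheduled check and report what the slave did."""
        if not self.valid:
            return "expired"
        if master_reachable:
            # Success: restart the refresh cycle from now.
            self.last_ok = now
            self.next_check = now + self.refresh
            return "refreshed"
        if now - self.last_ok >= self.expire:
            # The copy is older than expire: flush it and stop serving the zone.
            self.valid = False
            return "expired"
        # Master unreachable but the copy is still within expire: retry later.
        self.next_check = now + self.retry
        return "retry"

    def answers_authoritatively(self, now: float) -> bool:
        """A slave keeps answering (with AA set) only inside the expire window."""
        return self.valid and (now - self.last_ok) < self.expire


def new_zone(name: str, now: float = 0.0) -> SlaveZone:
    """A slave that has just completed a successful transfer at time `now`."""
    return SlaveZone(name, REFRESH, RETRY, EXPIRE, last_ok=now,
                     next_check=now + REFRESH)


def simulate_outage(zone: SlaveZone, outage_seconds: int) -> list:
    """Step through the scheduled checks while the master is unreachable for
    outage_seconds after the last good transfer; stop at the first successful
    refresh or at expiry. Returns the list of actions taken, in order."""
    outage_end = zone.last_ok + outage_seconds
    actions = []
    while True:
        now = zone.next_check
        action = zone.check_master(now, master_reachable=now >= outage_end)
        actions.append(action)
        if action in ("refreshed", "expired"):
            return actions


if __name__ == "__main__":
    short = new_zone("example.com")
    print("2h outage:", simulate_outage(short, 2 * 3600).count("retry"), "retries")
    long_outage = new_zone("example.com")
    print("8d outage ends with:", simulate_outage(long_outage, 8 * 86400)[-1])
```

With these values a two-hour outage costs four retries and the slave never stops answering; an eight-day outage crosses the expire threshold at the 604800-second mark, after which the slave drops the zone and returns nothing for it. The operational point is that expire, not refresh, bounds how long stale data keeps being served as authoritative.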

A slave DNS server gets its zone data using a zone transfer operation (typically from the zone master) and responds as authoritative for those zones for which it is defined as a slave and for which it holds a currently valid copy of the zone. It is impossible to tell from a query result whether it came from a zone master or from a slave.
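The AA bit mentioned in the master and slave sections lives in the 16-bit flags field of the DNS message header. The following Python header parser is an added example for this post (not code from the original article or from BIND): it decodes the header bits and classifies a response as authoritative, recursive/cached, or neither. The sample messages are constructed here and carry only a header; the classification labels are this example's own wording.

```python
import struct

# Bit layout of the 16-bit flags field in a DNS message header (RFC 1035):
#   QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
HEADER_LEN = 12


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a DNS message into its fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,       # Authoritative Answer
        "tc": (flags >> 9) & 1,        # TrunCation
        "rd": (flags >> 8) & 1,        # Recursion Desired (copied from query)
        "ra": (flags >> 7) & 1,        # Recursion Available
        "rcode": flags & 0xF,          # 0 = NOERROR, 3 = NXDOMAIN, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident: int, *, qr: int = 0, aa: int = 0, rd: int = 1,
                 ra: int = 0, rcode: int = 0, qdcount: int = 1,
                 ancount: int = 0) -> bytes:
    """Encode a header; used here only to construct the sample messages."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


def classify_response(msg: bytes) -> str:
    """Say what the header tells a client about where the answer came from."""
    h = parse_header(msg)
    if h["qr"] == 0:
        return "not a response"
    if h["aa"] == 1:
        # Both a master and a slave set AA for zones they hold; the bit
        # does not reveal which of the two answered.
        return "authoritative (master or slave, indistinguishable)"
    if h["ra"] == 1:
        return "non-authoritative, served by a recursive/caching server"
    return "non-authoritative, from a server without recursion"


# Constructed sample messages (header only, no question/answer sections).
AUTHORITATIVE_REPLY = build_header(0x1234, qr=1, aa=1, rd=1, ra=0, ancount=1)
CACHED_REPLY = build_header(0x1234, qr=1, aa=0, rd=1, ra=1, ancount=1)
PLAIN_QUERY = build_header(0x1234, qr=0, rd=1)

if __name__ == "__main__":
    for label, m in [("authoritative", AUTHORITATIVE_REPLY),
                     ("cached", CACHED_REPLY), ("query", PLAIN_QUERY)]:
        flags = struct.unpack("!H", m[2:4])[0]
        print(f"{label:14s} flags=0x{flags:04x}  {classify_response(m)}")
```

The authoritative sample encodes flags 0x8500 (QR, AA, RD) and the cached one 0x8180 (QR, RD, RA), which is the flag pattern a resolver typically sees from a caching server. Checking AA on the wire is the practical way to confirm you are talking to an authoritative source rather than someone's cache.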


Caching Name server

A Caching Server obtains information from another server (a Zone Master) in response to a host query and then saves (caches) the data locally. On a second or subsequent request for the same data the Caching Server will respond with its locally stored data (the cache) until the time-to-live (TTL) value of the response expires at which time the server will refresh the data from the zone master.

Caching-only servers may use forwarders: servers with connections to outside networks that build up a large cache of data. In this case, the caching-only server first queries a forwarder (rather than following its default resolution process), which in turn queries other servers, if necessary, to find the desired data. This limits traffic outside the zone to traffic to and from the forwarders. If the forwarder does not answer, the caching-only server tries the master server for its zone.

If not configured to only use forwarders, a caching-only server may ask name servers outside its zone (including root domain servers) to help answer queries. 
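The caching behaviour (serve from cache while the TTL has not run out, then refresh) together with the forwarder-first, master-second lookup order can be shown in a few dozen lines. The resolver below is an added example written for this post, not code from the original article or from any DNS software: the upstream tables, the "dead" forwarder and the zone master are constructed stand-ins, the names and addresses are from the reserved documentation ranges, and the clock is injected so expiry can be stepped by hand.

```python
# Constructed upstream data, not live DNS. name -> (A record, TTL in seconds)
UPSTREAM_TABLE = {"www.example.net": ("192.0.2.10", 300)}
LOCAL_ZONE = {"intranet.example.com": ("10.0.0.5", 60)}


def dead_forwarder(name):
    """A forwarder that never answers (unreachable or timing out)."""
    return None


def live_forwarder(name):
    """A forwarder that answers from the constructed upstream table."""
    return UPSTREAM_TABLE.get(name)


def zone_master(name):
    """The zone master the caching server falls back to if forwarders fail."""
    return LOCAL_ZONE.get(name)


class FakeClock:
    """Deterministic clock so cache expiry can be driven explicitly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class CachingResolver:
    def __init__(self, forwarders, fallback, clock):
        self.forwarders = forwarders   # tried in order until one answers
        self.fallback = fallback       # used only when no forwarder answers
        self.clock = clock
        self.cache = {}                # name -> (rdata, absolute expiry time)
        self.stats = {"hit": 0, "miss": 0, "forwarded": 0, "fallback": 0}

    def lookup(self, name):
        """Return (rdata, remaining TTL) or None if nobody knows the name."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            # Cache hit: the TTL handed out counts down from the original.
            self.stats["hit"] += 1
            return cached[0], int(cached[1] - now)
        self.stats["miss"] += 1
        self.cache.pop(name, None)     # drop an expired entry, if any
        result = None
        for fwd in self.forwarders:
            result = fwd(name)
            if result is not None:
                self.stats["forwarded"] += 1
                break
        if result is None:
            result = self.fallback(name)
            if result is not None:
                self.stats["fallback"] += 1
        if result is None:
            return None
        rdata, ttl = result
        self.cache[name] = (rdata, now + ttl)
        return rdata, ttl


def make_demo_resolver():
    """Resolver with one dead and one live forwarder and a zone master fallback."""
    clock = FakeClock()
    return CachingResolver([dead_forwarder, live_forwarder], zone_master, clock), clock


if __name__ == "__main__":
    r, clock = make_demo_resolver()
    print(r.lookup("www.example.net"))        # miss: forwarded, TTL 300
    clock.advance(100)
    print(r.lookup("www.example.net"))        # hit: TTL now 200
    clock.advance(250)
    print(r.lookup("www.example.net"))        # expired: refreshed, TTL 300
    print(r.lookup("intranet.example.com"))   # forwarders fail, master answers
    print(r.stats)
```

The decreasing TTL on cache hits matters for anyone reading `dig` output: a TTL lower than the zone's configured value is the sign that the answer came from a cache rather than from the authoritative server.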


Forwarding Name server

A forwarder is a DNS server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside of your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.

Without having a specific DNS server designated as a forwarder, all DNS servers can send queries outside of a network using their root hints. As a result, a lot of internal, and possibly critical, DNS information can be exposed on the Internet. In addition to this security and privacy issue, this method of resolution can result in a large volume of external traffic that is costly and inefficient for a network with a slow Internet connection or a company with high Internet service costs.

Authoritative-Only Name server

Since "authoritative-only" isn't a standard term (nor is "nonrecursive," really), a few words of explanation are in order. A nonrecursive or authoritative-only name server is one that only answers nonrecursive queries from remote name servers. It can't directly serve resolvers, since all resolvers send recursive queries by default, but you can delegate zones to it, and it's nearly invulnerable to spoofing attacks, since it normally doesn't send queries. It's also more resistant to denial of service attacks, since it doesn't process resource-intensive recursive queries.

This type of server can be described by two rules:
  1. The server delivers authoritative responses: it is a zone master or slave for one or more domains.
  2. The server does not cache data.


Stealth Name server

A stealth server is a name server that does not appear in any publicly visible NS records for the domain. A stealth configuration can be roughly characterised as follows:
  1. The organisation needs a public DNS service so that its public services (e.g. web, mail, ftp) can be reached.
  2. The organisation does not want the world to see any of its internal hosts, either by interrogation (query or zone transfer) or should the DNS service be compromised.

The external server (or servers) is configured to provide authoritative-only responses and no caching (no recursive queries accepted). The zone file for this server is unique and contains ONLY those systems or services that are publicly visible, e.g. the SOA, NS records for the public (not stealth) name servers, MX record(s) for mail servers, and A records for the www and ftp services. Zone transfers can be allowed between the public servers as required, but they MUST NOT transfer to or accept transfers from the stealth server. While this may seem to create more work, the concern is that, should the host running the external service be compromised, inspection of the named.conf or zone files must provide no more information than is already publicly visible.


Split-Horizon Name server

The term Split Horizon is normally used to describe a DNS server that gives different responses (IP addresses) based on the source address, or some other characteristic, of the query. While it has similar configuration properties to the stealth server, it can also be used in a variety of other situations, such as:
  1. Geographic Mapping: Assume that, for example, a web service is replicated in a number of locations (for either performance or access latency reasons) then a specific IP address may be returned based on the source address of the query to ensure the shortest possible path from the user to the service. For those familiar with anycast you could consider this as a poor man's anycast service.
  2. Naming Consistency: Assume that you have, say, a corporate in-house LDAP service and that you want to keep certain highly secure data on one server only accessible to certain individuals or organizational sections, which have unique or identifiable IP addresses or address ranges, but for reasons of consistency (scripts, configuration files etc) you want both the secure and insecure LDAP services to be named, say, ldap.example.com.
  3. Load Balancing: Assume that an analysis of incoming service users shows that their source IP addresses can be separated into contiguous ranges: 50% from a to b, 50% from b to c. In this case, rather than simply providing multiple A/AAAA RRs (where load balancing is essentially random), it may be more effective to use a split-horizon strategy.
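The stealth and split-horizon sections describe two sides of one idea: the answer a client gets depends on which view its source address falls into, and the external view is built so that it can never carry internal data. The Python model below is an added example written for this post, not configuration or code from the original article or from BIND (whose `view` and `match-clients` statements do the same job in a real deployment). The zone contents, the client ranges and the view names are constructed; the addresses are from the RFC 1918 private and RFC 5737 documentation ranges. It covers the stealth public-zone filter, the naming-consistency case (one `ldap.example.com` name, two servers) and the geographic-mapping case (a nearer replica for one client range).

```python
import ipaddress

# Constructed full record set for example.com as seen from inside.
INTERNAL_ZONE = {
    "www.example.com":   [("A", "192.0.2.10")],
    "mail.example.com":  [("A", "192.0.2.20")],
    "ldap.example.com":  [("A", "10.0.7.7")],    # general internal LDAP
    "hr-db.example.com": [("A", "10.0.9.9")],    # must never be visible outside
}
PUBLIC_NAMES = {"www.example.com", "mail.example.com"}

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_public_zone(internal: dict, public_names: set) -> dict:
    """Stealth setup: derive the externally served zone from the public names
    only, and refuse to build it if any record would leak a private address."""
    zone = {name: rrs for name, rrs in internal.items() if name in public_names}
    for name, rrs in zone.items():
        for rtype, rdata in rrs:
            if rtype in ("A", "AAAA") and any(
                    ipaddress.ip_address(rdata) in net for net in PRIVATE_NETS):
                raise ValueError(f"{name} would expose private address {rdata}")
    return zone


# Views are checked most specific first; the first matching network wins.
# Clients matching nothing get the "external" view.
VIEWS = [
    (ipaddress.ip_network("10.0.5.0/24"),     "finance"),     # naming consistency
    (ipaddress.ip_network("10.0.0.0/8"),      "internal"),
    (ipaddress.ip_network("198.51.100.0/24"), "eu-clients"),  # geographic mapping
]

ZONES = {
    # Same name, different answer: the finance range gets the secure LDAP host.
    "finance":    {**INTERNAL_ZONE, "ldap.example.com": [("A", "10.0.5.5")]},
    "internal":   INTERNAL_ZONE,
    # Public data, but www points at the replica nearer to these clients.
    "eu-clients": {**build_public_zone(INTERNAL_ZONE, PUBLIC_NAMES),
                   "www.example.com": [("A", "203.0.113.10")]},
    "external":   build_public_zone(INTERNAL_ZONE, PUBLIC_NAMES),
}


def select_view(client_ip: str) -> str:
    """Pick the view for a query source address."""
    addr = ipaddress.ip_address(client_ip)
    for net, view in VIEWS:
        if addr in net:
            return view
    return "external"


def answer(name: str, client_ip: str) -> tuple:
    """Return (view, rcode, records) the way a split-horizon server would."""
    view = select_view(client_ip)
    rrs = ZONES[view].get(name)
    if rrs is None:
        return view, "NXDOMAIN", []
    return view, "NOERROR", rrs


if __name__ == "__main__":
    for name, client in [("ldap.example.com", "10.0.5.33"),
                         ("ldap.example.com", "10.1.2.3"),
                         ("ldap.example.com", "203.0.113.7"),
                         ("www.example.com", "198.51.100.9"),
                         ("www.example.com", "203.0.113.7")]:
        print(f"{name:18s} from {client:14s} ->", answer(name, client))
```

The `build_public_zone` check is the defender's safeguard the stealth section asks for: the external zone is generated from the public names rather than hand-edited, and the build fails before anything is served if a private address slips into it. A compromise of the external server then exposes no more than the public view already did.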

In the next part of the tutorial we will discuss the types of DNS records.
