
DNS Domain name management explained

The Domain Name System (DNS) stores and associates many types of information with domain names. It translates domain names to Internet Protocol (IP) addresses. Computers use IP addresses to talk to each other and find websites. People, however, find it easier to remember words and names, so DNS hosting makes it possible to attach easy-to-remember domain names (such as "DNS-manager") to hard-to-remember IP addresses (such as 77.250.300.150). DNS enables you to interact with your computer, its network, and the Internet using street or 'friendly' names while, largely in the background, these 'friendly' names are resolved to an address.

How is a DNS server request fulfilled?

1. You ask your web browser to go to "http://www.dns-manager.eu" and press return.
2. The computer's Transmission Control Protocol (TCP) stack doesn't know what address "www.dns-manager.eu" points to, so it calls upon its DNS server for the address.
3. The DNS server runs the zone "netscape" and doesn't handle "dns-manager.eu". It first looks in its cache to see if it has looked it up before; if so, it just returns the address. Unfortunately the server hasn't looked up "" before (or its cache entry has timed out), so it queries the server above it, the ".com" name server at the InterNIC (Internet Information Center), for the "dns-manager.eu" server.
4. Cached lookups on a domain name server are given "time-out values". This rids us of the problem of old entries being passed around. Time-out values usually range from a few minutes (for often-changed names) to more than a week.
5. Time-out values are set by the person who runs the name server for a zone. This means that the administrator of "dns-manager.eu" can only set the time-out values for "dns-manager.eu" entries, and cannot modify "netcom.net" or "apple.com" entries, etc.
6. You must register your domain name to keep the hierarchy intact so it works.
7. The root servers pass the request to the ".eu" root server.
8. The ".eu" root server looks up the "dns-manager.eu" server and finds it, so it passes the request to "dns-manager.eu"'s name server.
9. The "dns-manager" name server looks in its table for a "www" entry. It finds it, and returns its address, which is a list of numbers as an IP address.
10. The request goes back to the sender, whose address has been retained the entire time as the originator of the name query.
11. The address for "dns-manager.eu" is added to the name server's cache with a 1 day timeout, which means that it doesn't have to take the above steps again for an entire day.
12. The DNS request process is very structured, which is why it has been widely accepted as the standard for name/address resolution on the Internet.
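The walk above (cache check, referral from the root to ".eu" to the domain's own server, answer cached with a time-out) as an added example that is not part of the original page. The server names, the toy zone tables and the address 77.250.30.150 are all constructed for the illustration.

```python
# Added example (not from the original page): a toy resolver that walks the
# root -> ".eu" -> "dns-manager.eu" hierarchy from the steps above and caches
# the answer with a time-out. All names, servers and addresses are constructed.
SERVERS = {
    "root": {"eu": ("NS", "eu-ns")},                         # root refers ".eu" queries onward
    "eu-ns": {"dns-manager.eu": ("NS", "dnsmanager-ns")},    # ".eu" knows the domain's server
    "dnsmanager-ns": {"www.dns-manager.eu": ("A", "77.250.30.150")},  # constructed address
}

def query(server, name):
    """Ask one server about `name`; it answers, refers to a child zone, or knows nothing."""
    table = SERVERS[server]
    if name in table and table[name][0] == "A":
        return "answer", table[name][1]
    labels = name.split(".")
    for i in range(1, len(labels)):            # try shorter suffixes: dns-manager.eu, then eu
        suffix = ".".join(labels[i:])
        if suffix in table and table[suffix][0] == "NS":
            return "referral", table[suffix][1]
    return "unknown", None

class CachingResolver:
    """Caches answers for `ttl` seconds; an expired entry forces a fresh walk (steps 3, 4, 11)."""
    def __init__(self, ttl=86400):
        self.ttl = ttl
        self.cache = {}                         # name -> (address, expires_at)

    def resolve(self, name, now):
        """Return (address or None, list of servers consulted in order)."""
        hit = self.cache.get(name)
        if hit and now < hit[1]:                # step 3: answer straight from the cache
            return hit[0], ["cache"]
        server, path = "root", []
        while server is not None:
            path.append(server)
            kind, data = query(server, name)
            if kind == "answer":
                self.cache[name] = (data, now + self.ttl)   # step 11: 1 day time-out
                return data, path
            server = data if kind == "referral" else None  # follow the referral or give up
        return None, path

if __name__ == "__main__":
    r = CachingResolver()
    print(r.resolve("www.dns-manager.eu", now=0))        # full walk root -> eu-ns -> dnsmanager-ns
    print(r.resolve("www.dns-manager.eu", now=3600))     # served from the cache
    print(r.resolve("www.dns-manager.eu", now=86400))    # entry timed out, walk again
```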

DNS security information


The Domain Name System (DNS) is vulnerable to attackers as it was originally designed as an open protocol. Through the addition of security features, Windows Server 2003 DNS has improved the ability to prevent an attack on your DNS infrastructure. You should be aware of the common threats to DNS security before considering which of the security features to use, and the level of DNS security in your organisation.

DNS security threats

The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

Footprinting

This is the process by which DNS zone data is obtained by an attacker. The attacker is then provided with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker will commonly begin an attack by using this DNS data to diagram, or footprint, a network. DNS domain and computer names usually indicate the function or location of a domain or computer in order to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

Redirection

This is when an attacker is able to redirect queries for DNS names to servers under the control of the attacker. One method of redirection involves an attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers under the control of the attacker. If a query were originally made for example.ukfast.net, for example, and a referral answer provided a record for a name outside of the ukfast.net domain, such as malicious-user.com, then the DNS server would use the cached data for malicious-user.com to resolve a query for that name. Redirection can be accomplished whenever an attacker has writable access to DNS data, such as with insecure dynamic updates.

Data modification

This is an attempt by an attacker (that has footprinted a network using DNS) to use valid IP addresses in IP packets that have been created by the attacker, thereby giving these packets the appearance of coming from a valid IP address in the network. This is commonly called IP spoofing. With a valid IP address (an IP address within the IP address range of a subnet), the attacker can destroy data or conduct other attacks by gaining access to the network.

Denial-of-service attack

This is when an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. As a DNS server is flooded with queries, its CPU usage will eventually reach its maximum and the DNS Server service will become unavailable. Without a fully operating DNS server on the network, network services that use DNS will become unavailable to network users.
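The defence against the redirection case described above (the example.ukfast.net query whose referral carries a record for malicious-user.com) is to accept into the cache only records for names inside the zone the answering server is responsible for; this is the kind of check behind the cache pollution prevention setting the page refers to later. The following is an added example, not code from the page: the response records and addresses are constructed, and the zone name ukfast.net is taken from the page.

```python
# Added example (not from the original page): the "bailiwick" check a caching
# server applies to a referral. A server answering for ukfast.net may supply
# records only for names inside ukfast.net; anything else (the page's
# malicious-user.com case) is dropped instead of being cached.
def in_bailiwick(record_name, zone):
    """True if record_name equals zone or lies beneath it; the dot enforces a label boundary."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)

def filter_referral(zone, records):
    """Split a response's records into those cacheable for `zone` and those to discard."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec["name"], zone) else dropped).append(rec)
    return kept, dropped

# Constructed response to a query for example.ukfast.net, as sent by a server for ukfast.net.
RESPONSE = [
    {"name": "example.ukfast.net", "type": "A", "data": "192.0.2.10"},
    {"name": "ns1.ukfast.net", "type": "A", "data": "192.0.2.53"},
    {"name": "malicious-user.com", "type": "A", "data": "198.51.100.7"},  # outside ukfast.net
    {"name": "evilukfast.net", "type": "A", "data": "198.51.100.8"},      # suffix lookalike
]

def cacheable_names(zone="ukfast.net", records=RESPONSE):
    """Names from `records` that a resolver may cache on the authority of `zone`."""
    kept, _ = filter_referral(zone, records)
    return [r["name"] for r in kept]

if __name__ == "__main__":
    kept, dropped = filter_referral("ukfast.net", RESPONSE)
    print("cache:", [r["name"] for r in kept])
    print("discard:", [r["name"] for r in dropped])
```

A plain `endswith("ukfast.net")` without the leading dot would let evilukfast.net through, which is why the label boundary is part of the check.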

If you have any questions about DNS then visit our DNS FAQ section for more help.

DNS security levels


Three levels of DNS security

The following three levels of DNS security will enable you to increase the DNS security of your organisation and help you understand your current DNS configuration.

Low-level security

Low-level security is a standard DNS deployment without any security precautions configured. Only deploy this level of DNS security in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity.

- All DNS servers permit zone transfers to any server.
- Cache pollution prevention is disabled on all DNS servers.
- Dynamic update is allowed for all DNS zones.
- The DNS infrastructure of your organisation is fully exposed to the Internet.
- All DNS servers in your network perform standard DNS resolution.
- User Datagram Protocol (UDP) and Transmission Control Protocol/Internet Protocol (TCP/IP) port 53 is open on the firewall for your network for both source and destination addresses.
- All DNS servers are configured to listen on all of their IP addresses.
- All DNS servers are configured with root hints pointing to the root servers for the Internet.

Medium-level security

Medium-level security uses the DNS security features available without running DNS servers on domain controllers and storing DNS zones in Active Directory.

- Proxy servers and gateways perform all Internet name resolution.
- Non-secure dynamic update is not allowed for any of the DNS zones.
- The DNS infrastructure of your organisation has limited exposure to the Internet.
- All DNS servers enable cache pollution prevention.
- Internal DNS servers communicate with external DNS servers through the firewall, with a limited list of source and destination addresses allowed.
- DNS servers are configured to listen on specified IP addresses.
- External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
- All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
- All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.

High-level security

High-level security uses the same configuration as medium-level security. It also uses the security features available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is recommended whenever Internet connectivity is not required; however, it is not a typical configuration.

- All DNS servers have cache pollution prevention enabled.
- DNS servers that are configured with forwarders use internal DNS server IP addresses only.
- All DNS servers limit zone transfers to specified IP addresses.
- Internal DNS servers have no Internet communication for the DNS infrastructure of your organisation.
- All authority for DNS zones is internal, as your network uses an internal DNS root and namespace.
- Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
- DNS servers are configured to listen on specified IP addresses.
- All DNS servers run on domain controllers.
- A discretionary access control list (DACL) is configured on the DNS Server service to only allow specific individuals to perform administrative tasks on the DNS server.
- All DNS zones are stored in Active Directory.
- A DACL is configured to only allow specific individuals to create, delete, or modify DNS zones.
- DACLs are configured on DNS resource records to only allow specific individuals to create, delete, or modify DNS data.
- Secure dynamic update is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.

