6

I'm not as proficient at configuring DNS as I would like. What are some common DNS design schemes?

EDIT: Gah, it's hard to explain what i mean! I'm interested in learning how to classify/configure various styles of networks (eg: is there a term for networks that have intranet records they don't transfer vs networks that keep entirely public records... is there a terms for a network that uses dynamic dns... is there a term for networks that use load-balancing...)?

username
  • 4,755
  • 19
  • 55
  • 78

4 Answers4

7

One of the more common 'types' is 'Split-Horizon', or simply 'split' DNS.

This is where the DNS server gives different results depending on where the query is coming from. It is more commonly used in an organization where people are widely distributed ('local' hosts, WAN hosts, or Internet hosts), all of which may benefit from being redirected to different copies of the same server, or the same server but some are given the Internal address and some are given the external (usually NATted) address.

Gavin McTaggart
  • 1,846
  • 16
  • 14
5

Unlisted primary (aka shadow primary, unlisted/shadow master) is a configuration often found in strictly secured intranets. In short this is a primary server which has no NS record in the parent domain. In other words, primary server without delegation. The delegation is supposed to point to one or more slave servers instead.

Scenario: Your ACME company has an intranet and the main DNS server, used by most clients. It hosts "intranet.acme.com" zone. Now, you are setting up a strictly secured subnet, with a separate DNS server and domain "finances.intranet.acme.com".

  • You want the whole organization to be able to query the DNS records.
  • You don't want the whole organization to have network traffic to your DNS server.
  • You want to be the only one to change the DNS records.

Solution: Don't specify your server as NS for "finances.intranet.acme.com". Instead specify some other server as NS, as long as you can convince the admin to host "finances.intranet.acme.com" as a slave. (Organization's main DNS server, that would delegate the subdomain to you, surprisingly happens to be a good choice for such a slave.) Your precious local server will now be practically invisible in the DNS hierarchy. It will only provide zone transfers to the slave and (optionally) answer queries from a set of clients of your choice.

NB: it is up to you which server you specify in SOA record. It may be your "unlisted" server, as SOA record is not used to traverse the DNS hierarchy.

Similarly, you can also create unlisted slave server - a slave server for a domain, that is not listed in domain's NS records. Again, this server will only receive traffic from clients which know the IP address, as its address cannot be obtained from any other DNS server. It will answer queries as any other slave: authoritatively and quickly (i.e. using only local disk file).

Another scheme, which is somewhat incompatible with above "unlisted server" concept, but it's worth knowing. Author of dnscache and tinydns recommends that DNS servers should be strictly divided into two types:

  • DNS cache (aka recursive-only server, but I feel this is a misnomer) - a server that has no authoritative data, but performs recursive and iterative queries on behalf of the clients; it caches the answers;
  • authoritative-only server (aka non-recursive server) - a server that answers queries only about its authoritative data, but does not perform recursive nor iterative queries on behalf of anyone. This server does not need to implement cache, as it never needs to answer non-authoritatively. This server is useless for normal clients, because they need their questions answered completely (recursively). The "clients" that are supposed to query it are other DNS servers - to be more precise: DNS caches.

From the security standpoint, DNS cache is always very vulnerable to poison (bogus DNS records) and other types of attack, because it naturally has to connect to many untrusted DNS servers over the Internet. So the authoritative answers should be served by a different software, as you really really want to make sure that your DNS server does not spread bogus, authoritative data about your domain to the whole Internet.

kubanczyk
  • 13,812
  • 5
  • 41
  • 55
3

most probably you'll see:

  • recursive dns resolver with cache. machine that 'does the job' of answering dns queries for clients in your lan. you do not want to make this functionality [ recursive dns resolution ] reachable for all internet. it's considered harmful - can be [ab]used for amplification ddos attacks.
  • primary and secondary dns'es - if you are going to host dns server that is authoritative source of answers for some zone [ eg yourcompany.com or - probably not in your case .153.152.151.in-addr.arpa - for rev dns that is resolution of ip address into host name ]. possibly you might want to make private primary / secondary dns inside your corporation just for intranet use [ eg domain server for micorsoft's active directory ]

there can also be other cases - eg dns forwarder that just forward incoming dns queries to other name servers.

dyndns is a specific service that is linked with update program running on your machine or router. probably you'll be customer rather the operator of it. dyndns client checks if your machine changed address [eg due to reconnection to adsl operator] and if so sends update to dyndns operatortelling myhost.somedyndnsoperatorname.net should now point to new ip - 123.123.123.321.

you can take a look at wikipedia for more info or describe your case in details to get more precise answer.

pQd
  • 29,981
  • 6
  • 66
  • 109
3

See my answer to a similar question where I define:

  • authoritative servers
  • recursive servers
  • stub resolvers
  • forwarders
Community
  • 1
Alnitak
  • 21,191
  • 3
  • 52
  • 82