The Domain Name System (DNS) is the best-known method for associating domain names with IP addresses. It is now a well-established mechanism that works perfectly most of the time; however, there are occasions when it breaks down, and that is when the sysadmin has to sort out what's wrong.
Here are the seven most common problems - the seven deadly sins of DNS.
- Using old versions of BIND - All but the most recent versions of BIND 9 (9.3.4-P1 and 9.4.1-P1) have serious, widely known vulnerabilities. Hackers can exploit these to bring down your name servers, break into the hosts that run them, and more.
- Putting all authoritative name servers on the same subnet - The failure of a single device - like a switch or router - or connection could make it impossible for users on the Internet to access your website or send you email.
- Allowing recursion to unauthorised queriers - Processing recursive queries for just any client exposes your name server to cache poisoning and denial of service attacks.
- Allowing zone transfers to unauthorised secondary name servers - Serving zone transfers to arbitrary requestors can bog down your name server as well as exposing it to attack.
- Failing to use forwarders - Many species of name servers, including Microsoft DNS Servers and older BIND name servers, don’t adequately protect themselves against cache poisoning, and others have vulnerabilities that can be exploited by malformed responses. Yet some administrators allow these name servers to query name servers on the Internet directly, without using a forwarder.
- Setting Start of Authority (SOA) values wrong - Many administrators have set their zones’ expire times too low, which can lead to outages if refresh queries or zone transfers begin to fail. Others haven’t reset their zones’ negative-caching TTL since RFC 2308 redefined it, leaving the value too high.
- Mismatched NS records in your delegation and zone data - Some administrators add or delete authoritative name servers and forget to request the corresponding changes to their zones’ delegation data through their registrar. This can lengthen the time it takes to resolve domain names in these zones and reduce resiliency.
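As an added illustration, not part of the original article, here is a BIND 9 named.conf fragment and a zone-file excerpt showing the corrected setting for sins three to six next to the weak one. The zone name and all addresses are placeholders from the documentation ranges; substitute your own.

```conf
// ---- named.conf (excerpt) ----
// Sin 3: only clients you trust may use this server recursively.
acl "internal" { 192.0.2.0/24; 2001:db8::/32; localhost; };

options {
    directory "/var/named";
    recursion yes;
    // Weak: allow-recursion { any; };   (open resolver: poisoning, DoS)
    allow-recursion   { internal; };
    allow-query       { any; };        // authoritative answers stay public
    allow-query-cache { internal; };   // cached data only for internal clients

    // Sin 4: no zone transfers unless a zone block says otherwise.
    // Weak: allow-transfer { any; };
    allow-transfer { none; };

    // Sin 5: send recursive lookups through a forwarder you control
    // instead of querying Internet name servers directly.
    // Weak: no forwarders at all.
    forwarders { 198.51.100.53; 198.51.100.54; };
    forward only;
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only the listed secondary may pull the zone; notify it on change.
    allow-transfer { 198.51.100.2; };
    also-notify    { 198.51.100.2; };
};

; ---- example.com.zone (excerpt) ----
; Sin 6: SOA timers in seconds. A one-day expire would drop the zone on
; secondaries after a single day of failed refreshes; a one-day final
; field is a pre-RFC 2308 minimum TTL, not a negative-caching TTL.
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2007110701  ; serial (YYYYMMDDnn)
        3600        ; refresh: secondaries check hourly
        900         ; retry: 15 minutes after a failed refresh
        1209600     ; expire: 2 weeks, rides out a multi-day outage
        3600 )      ; negative-caching TTL per RFC 2308 (1 hour)
    IN NS ns1.example.com.
    IN NS ns2.example.com.
```

Check both files with `named-checkconf` and `named-checkzone example.com example.com.zone` before reloading the server.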
You can hear Cricket Liu speak on deploying DNS and DHCP in the modern network at a special, free seminar to be held in London on 7 November.