Publications catalogue - books



Pro DNS and BIND

Ron Aitchison

Summary/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Software Engineering/Programming and Operating Systems

Availability

Detected institution | Year of publication | Browse        | Download | Request
Not detected         | 2005                | SpringerLink  |          |

Information

Resource type:

books

Print ISBN

978-1-59059-494-0

Electronic ISBN

978-1-4302-0050-5

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Apress 2005

Table of contents

An Introduction to DNS

Ron Aitchison

This chapter introduced a lot of terminology and concepts that will be used throughout the rest of the book. The text described the need for name servers, which translate the descriptive name of a resource to its physical network address, and identified them as being essential for the operation of a dynamic and flexible network of any size.

The Internet’s Domain Name System was introduced as being a specific implementation of the name server concept. You learned about the Internet’s DNS domain name hierarchy, in particular the separation of the Top-Level Domains into Generic TLDs, for which ICANN is fully authoritative, and Country Code TLDs, which are administered by the individual sovereign countries. You now also know the component parts of a domain name; for instance, www.example.com consists of a host name (www), an SLD (example), and a TLD (.com). You also encountered the key concepts of an authority, the entity or person responsible for a particular node in the domain name hierarchy, and delegation, the process by which the authority at a higher level in the domain name hierarchy may transfer authority to lower levels. The chapter finally introduced DNS software, the server and resolver programs that execute the DNS function, including BIND, the most widely used and implemented DNS server software.

Chapter 2 describes zone files and the most common Resource Records used in these files.

Part 1 - Principles and Overview | Pp. 3-19

Zone Files and Resource Records

Ron Aitchison

This chapter described the format and content of zone files. You learned about the $TTL directive, used to set the default TTL for the zone. You also encountered the $ORIGIN directive, used to set the base name for the zone, and the $ORIGIN substitution rule, the cause of much DNS aggravation. Using the example zone file as a guide, the text explained the various Resource Record types used to construct basic zone files such as the Start of Authority, Name Server, Mail Exchanger, and Address Resource Records.

Chapter 3 explains DNS operations: the types of DNS queries that may be used; reverse mapping, the process by which an IP address may be mapped to a host name; zone transfers, the method by which zone files are updated from the master to the slave name servers; and finally, a brief overview of the security issues involved in running a DNS service.

Part 1 - Principles and Overview | Pp. 21-37

DNS Operations

Ron Aitchison

This chapter described the various operations and services provided by the DNS protocol. These operations include queries, recursive and iterative (nonrecursive); zone transfers; and dynamic update. I described the process known as reverse mapping, in which a normal query is used to obtain the name of a host given its IP address, and illustrated it with some examples. The chapter concluded with a brief overview of the security implications that necessarily arise from running any DNS service.

Chapter 4 describes a number of name server (DNS) types while recognizing that the majority of name servers are required to provide multiple functions.

Part 1 - Principles and Overview | Pp. 39-59

DNS Types

Ron Aitchison

This chapter described a number of commonly used DNS configurations and characteristics. Name servers rarely perform a single function. They are almost by their nature schizophrenic. Indeed, the strength of general-purpose DNS software, especially BIND, is that it can be used to precisely configure multifaceted solutions. You also learned about the behavior of zone masters, zone slaves, caching servers, forwarding servers, and authoritative-only servers. You saw the configuration of Stealth (or Split) servers used in perimeter defense employing both classic configurations and BIND’s new (as of BIND 9) view clause.

In Chapter 5, we look at the world of IPv6 and its implications for DNS.

Part 1 - Principles and Overview | Pp. 61-75

DNS and IPv6

Ron Aitchison

This chapter described the use and implementation of IPv6 as it relates to the DNS. The chapter started by describing the long history of IPv6 starting around 1995 and suggested that a number of factors are currently causing a rapid increase in the spread and deployment of IPv6. A brief tutorial on IPv6 address notation was provided to allow the reader to become familiar with its format and usage.

The status of DNS support was clarified due to some confusion created by the withdrawal of support for bit labels and the A6 and DNAME RR by the IETF in RFC 3363. The current IETF IPv6 DNS recommendation specifies that forward mapping of IPv6 addresses will use the AAAA (Quad A) RR, and reverse mapping will use the PTR RR under the domain IPV6.ARPA.

In Chapter 6, we move from theory to practice by looking at the installation of BIND 9 on Linux, BSD (FreeBSD), and Windows platforms.

Part 1 - Principles and Overview | Pp. 77-92

Installing BIND

Ron Aitchison

Part 2 - Get Something Running | Pp. 95-119

BIND Type Samples

Ron Aitchison

This chapter introduced a number of configuration samples that reflect widely used DNS types while bearing in mind that name servers are normally multifunctional. The objective of the chapter is to acquaint you with the configuration of a set of building blocks, DNS types, from which more complex configurations can be constructed. The text described BIND 9’s powerful new view clause, together with its use in various Stealth configurations. This new clause provides many opportunities to reduce physical configurations in secure perimeter defenses, but careful attention to system design and especially named.conf file contents may be required to maximize its potential.

Chapter 8 presents some advanced DNS configurations including delegation of subdomains, load balancing, and resilience, among many others.

Part 2 - Get Something Running | Pp. 121-153

Common DNS Tasks

Ron Aitchison

This chapter covered a number of common name server configurations and also illustrated some more subtle uses of the DNS system.

The next chapter describes the use of various DNS diagnostic tools and techniques to cover the situations where head-scratching fails to yield the required results.

Part 2 - Get Something Running | Pp. 155-181

DNS Diagnostics and Tools

Ron Aitchison

Part 2 - Get Something Running | Pp. 183-231

DNS Secure Configurations

Ron Aitchison

This chapter introduced DNS security by categorizing the topic into administrative security, zone transfers, dynamic updates, and zone integrity. The first three topics are covered in this chapter; zone integrity using DNSSEC.bis is described in Chapter 11.

The administrative security discussion covered the selection and configuration of DNS servers and discussed software updating, limiting functionality, limiting permissions (including sandboxes or chroot jails), log streaming, and the use of multiple sources of both OS and DNS software to reduce the risks involved in running DNS systems. The packaged installation of a chroot jail on Linux Fedora Core 2 and FreeBSD was described, as well as the manual installation of a chroot jail in the absence of an available package.

The chapter described the use of cryptographic techniques to secure various transactions. The various techniques were described in outline for readers unfamiliar with general cryptographic processes, including symmetric (shared-secret) systems, asymmetric (public-key) systems, message digests, MACs, and digital signatures.

The use of simple BIND statements to secure zone transfers using IP addresses and the use of TSIG (shared-secret) transactions to secure zone transfers was described and illustrated with example files.

The chapter described, with examples, the use of BIND commands to secure dynamic updates using IP addresses. Both SIG(0), using public-key or asymmetric cryptographic techniques, and TSIG (shared-secret) methods to secure dynamic updates were described and again illustrated with example files and configurations.

The next chapter describes the design intent and implementation of DNSSEC (colloquially referred to as DNSSEC.bis) to ensure the source and integrity of zone data during normal query operations.

Part 3 - DNS Security | Pp. 235-281