Figure 8-5. Single Local DNS Server (figure: Master DNS Server 192.0.2.52 inside the firewall; Outside DNS Server on the Internet)

The firewall access control policies to implement this design are as follows. Only the DNS-related portions of the ACL are shown. Bogon and ingress filtering are excluded for clarity. These ACLs assume that the remote DNS server is a slave as opposed to another master. This means the slave can update by zone transfers. If the slave were a master, you would need to determine another way to synchronize the data.

Inbound on the inside interface:

!Permit the DNS queries from internal hosts to the DNS server
access-list 101 permit udp 10.8.0.0 0.0.255.255 host 192.0.2.52 eq 53
access-list 101 permit tcp 10.8.0.0 0.0.255.255 host 192.0.2.52 eq 53
!Deny all other DNS traffic
access-list 101 deny udp any any eq 53
access-list 101 deny tcp any any eq 53

Inbound on the outside interface:

!Permit outside hosts to make DNS queries (recursive and zone transfer
!restrictions are up to the application)
access-list 102 permit udp any host 192.0.2.52 eq 53
access-list 102 permit tcp any host 192.0.2.52 eq 53
!Deny all other DNS traffic
access-list 102 deny udp any any eq 53
access-list 102 deny tcp any any eq 53

Inbound on the public services interface:

!Prevent DNS server from querying the internal network
access-list 103 deny udp host 192.0.2.52 10.8.0.0 0.0.255.255 eq 53
access-list 103 deny tcp host 192.0.2.52 10.8.0.0 0.0.255.255 eq 53
!Permit DNS queries to any other host
access-list 103 permit udp host 192.0.2.52 any eq 53
access-list 103 permit tcp host 192.0.2.52 any eq 53
!Deny all other DNS traffic
access-list 103 deny udp any any eq 53
access-list 103 deny tcp any any eq 53

Distributed DNS Design

This design is appropriate for midsize to large organizations. The only difference between the two sizes is the number of servers in each part of the network. The number of servers you need has more to do with performance and resilience than security. Figure 8-6 shows the topology. In this design, application configuration is used to enforce certain DNS rules, but the security is increased through the use of multiple layers of separation in the DNS architecture.

Figure 8-6. Distributed DNS Design


Internal clients are configured through DHCP to use a local DNS server in close network proximity. These DNS servers (there can be dozens) forward all queries they can't locally answer to a smaller group of forwarders that are allowed to make requests of the Internet at large. The internal servers have their own view of the domain and do not need to communicate with the perimeter or external DNS servers, though they are not expressly forbidden from doing so. External users can resolve addresses in your domain by querying either your local master DNS server or another master or slave somewhere on the Internet. These servers respond only to nonrecursive queries for your domain and allow zone transfers only from external slave servers. This configuration is made in the application.

The firewall access control policies to implement this design are as follows. Only the DNS-related portions of the ACL are shown. Don't forget that the method you use to synchronize the data between your master servers must be added to these rules. (Master-to-master synchronization is not part of the DNS protocol.)

Inbound on the inside interface:

!Permit queries from the forwarders outbound to the Internet
access-list 101 permit udp host 10.8.8.5 any eq 53
access-list 101 permit tcp host 10.8.8.5 any eq 53
access-list 101 permit udp host 10.8.8.6 any eq 53
access-list 101 permit tcp host 10.8.8.6 any eq 53
!Deny all other DNS traffic
access-list 101 deny udp any any eq 53
access-list 101 deny tcp any any eq 53

Inbound on the outside interface:

!Permit outside hosts to make DNS queries (recursive and zone transfer
!restrictions are up to the application)
access-list 102 permit udp any host 192.0.2.52 eq 53
access-list 102 permit tcp any host 192.0.2.52 eq 53
!Deny all other DNS traffic
access-list 102 deny udp any any eq 53
access-list 102 deny tcp any any eq 53

Inbound on the public services interface:

!Deny all DNS traffic (remember, this is a non-recursive responder
!only, meaning it never has to make requests of other servers.
!It only offers answers to questions about its own domain. Master-master sync
!still needs to be facilitated in some manner)
access-list 103 deny udp any any eq 53
access-list 103 deny tcp any any eq 53
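A quick way to check what the ACLs in both designs actually do before they reach a router is to evaluate sample packets against them. The following Python is an added example, not from the book: it parses the distributed-design access-list lines above (embedded verbatim), applies Cisco first-match semantics with wildcard masks and the implicit final deny, and returns permit or deny for a given flow; the same parser handles the wildcard-mask entries of the single-server design. The sample source and destination addresses used when calling it are constructed.

```python
import ipaddress

# Copied from the distributed design above: 101 = inside, 102 = outside, 103 = public services.
ACL_TEXT = """
access-list 101 permit udp host 10.8.8.5 any eq 53
access-list 101 permit tcp host 10.8.8.5 any eq 53
access-list 101 permit udp host 10.8.8.6 any eq 53
access-list 101 permit tcp host 10.8.8.6 any eq 53
access-list 101 deny udp any any eq 53
access-list 101 deny tcp any any eq 53
access-list 102 permit udp any host 192.0.2.52 eq 53
access-list 102 permit tcp any host 192.0.2.52 eq 53
access-list 102 deny udp any any eq 53
access-list 102 deny tcp any any eq 53
access-list 103 deny udp any any eq 53
access-list 103 deny tcp any any eq 53
"""

def _addr(tokens):  # consume one Cisco address spec, return (network, wildcard) as ints
    t = tokens.pop(0)
    if t == "any":                       # 'any' is 0.0.0.0 with an all-ones wildcard
        return 0, 0xFFFFFFFF
    if t == "host":                      # 'host X' is X with a zero wildcard
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acls(text):
    """Parse 'access-list N action proto src dst [eq port]' lines into {N: [rules]} in order."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue                     # skip blanks and lines that are not extended ACL entries
        num, action, proto = int(tokens[1]), tokens[2], tokens[3]
        rest = tokens[4:]
        src, dst = _addr(rest), _addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        acls.setdefault(num, []).append((action, proto, src, dst, port))
    return acls

def _match(spec, addr):  # wildcard bits set to 1 are "don't care"
    net, wc = spec
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)

def evaluate(acls, num, proto, src, dst, dport):
    """First matching entry of ACL `num` wins; no match means Cisco's implicit deny."""
    for action, p, s, d, port in acls.get(num, []):
        if p in (proto, "ip") and _match(s, src) and _match(d, dst) and port in (None, dport):
            return action
    return "deny"

ACLS = parse_acls(ACL_TEXT)
```

Run `evaluate(ACLS, 101, "udp", "10.8.1.20", "198.51.100.10", 53)` to confirm that an ordinary internal client (not one of the two forwarders) cannot reach the Internet on port 53 directly.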

NOTE

An extension to DNS called DNSSEC is on the standards track within the Internet Engineering Task Force (IETF). RFCs 2535 and 3007 provide a good overview of the technology. DNSSEC is not measurably deployed in the Internet's infrastructure today.
