Distributed Name Service (DNS) Subsystem



DNS is one of the Distributed Systems Management (DSM) subsystems.

DNS simplifies management of relationships between objects in a NonStop system or an Expand network by managing a distributed and partly replicated name database that models those objects.

DNS provides facilities that:

Maintain names of objects controlled by the HP server and other types of systems

Provide alternative names (aliases) for objects

Translate an alias for subsystem-object names, allowing command interpreters to accept meaningful names

Translate subsystem-object names to aliases, allowing event-processing applications to report meaningful names to operators

Organize objects into groups

Provide a single name for a set of objects

Translate a group name to the names of the members of that group, allowing network management applications (NMAs) to implement group-oriented commands

Almost anything can be defined as an object to DNS: employee names, phone numbers, locations, and departments, for example. The DNS subsystem allows assignment of names to these objects to make object management easier.

The DNS subsystem is generally created and managed by a SUPER Group person responsible for the naming of a system or network. DNS should not be available for write access to general users.

RISK Names must be monitored and maintained to eliminate duplication, which will cause ambiguity and possible errors.

DNS Components

The components of DNS are (See Figure 6-4):

Figure 6.4: DNS Components

DNSCOM

Local Node

Remote Node

DNSCONF

DNSEXP

DNSHELP

DNSMGR

DBDDLS

LOAD

ENFORM Report and Query Subsystem

DNSCOM

DNSCOM is the user interface to the DNS subsystem. It is used to create DNS databases, control the DNS processes, and perform inquiries and updates of names against DNS databases.

DNSCONF

DNS configuration file as defined by the =_DNS_CONFIG system define. The default is $SYSTEM.SYSTEM.DNSCONF.

DNSEXP

DNSEXP is the executable code file for the DNS name exporter. All replication of name definitions from one node to another is handled by the name exporter processes. Each replicated DNS database has its own name exporter; consequently, there may be multiple name exporters running simultaneously on a single system.

DNSHELP

A data file containing DNS help and error and warning messages.

DNSMGR

DNSMGR is the executable name manager for DNS. All interactions between programs (including DNSCOM) and DNS databases are performed by name managers. Each DNS database has its own name manager process. There may be multiple name managers running simultaneously on a single system.

A name manager processes requests from DNSCOM and user applications using Subsystem Programmatic Interface (SPI) requests.

LOAD

The load file is a command file that can be read by DNSCOM to initially load the DNS database with the definitions of some commonly used subsystems and their object types.

DBDDLS & ENFORM Reports

DBDDLS is the DDL source file describing the DNS database. ENFORM uses this file to create a data dictionary capable of generating reports on the DNS database.

DNS Database Configuration

Each DNS database is associated with a DNS configuration created with the INITIALIZE DNS command. Each DNS database consists of 15 key-sequenced files. The files need not reside on the same disk volume.

Securing DNS Components

BP-FILE-DNS-01 DNSCOM should be secured "UUCU".

BP-OPSYS-OWNER-02 DNSCOM should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DNSCOM must reside in $SYSTEM.SYSTEM.

BP-FILE-DNS-02 DNSCONF should be secured "CCCU".

BP-OPSYS-OWNER-02 DNSCONF should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DNSCONF must reside in $SYSTEM.SYSTEM.

BP-FILE-DNS-03 DNSEXP should be secured "UUNU".

BP-OPSYS-OWNER-02 DNSEXP should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DNSEXP must reside in $SYSTEM.SYSTEM.

BP-FILE-DNS-04 DNSHELP should be secured "NUUU".

BP-OPSYS-OWNER-02 DNSHELP should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DNSHELP must reside in $SYSTEM.SYSTEM.

BP-FILE-DNS-05 DNSMGR should be secured "UUNU".

BP-OPSYS-OWNER-02 DNSMGR should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-02 DNSMGR must reside in $SYSTEM.SYSTEM.

BP-FILE-DNS-06 LOAD should be secured "CCCU".

BP-OPSYS-OWNER-03 LOAD should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 LOAD resides in $SYSTEM.ZDNS.

BP-FILE-DNS-07 DBDDLS should be secured "CCCU".

BP-OPSYS-OWNER-03 DBDDLS should be owned by SUPER.SUPER.

BP-OPSYS-FILELOC-03 DBDDLS resides in $SYSTEM.ZDNS.

If available, use Safeguard software or a third-party object security product to grant access to DNSCOM object files only to users who require access in order to perform their jobs.

BP-SAFE-DNS-01 Add a Safeguard Protection Record to grant appropriate access to the DNSCOM object file.
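
Added example (not from the book or from HP tooling): a Python check of a file inventory against the ownership, location and security-string baseline listed above. It also reports whether a deviating security string is looser than the recommendation, using the standard meaning of the Guardian security letters, which goes beyond the exact values this page lists; the record layout and the sample owner and volume names are assumptions constructed for illustration.

```python
# Baseline from the list above: file -> (control id, RWEP string, subvolume).
BASELINE = {
    "DNSCOM":  ("BP-FILE-DNS-01", "UUCU", "$SYSTEM.SYSTEM"),
    "DNSCONF": ("BP-FILE-DNS-02", "CCCU", "$SYSTEM.SYSTEM"),
    "DNSEXP":  ("BP-FILE-DNS-03", "UUNU", "$SYSTEM.SYSTEM"),
    "DNSHELP": ("BP-FILE-DNS-04", "NUUU", "$SYSTEM.SYSTEM"),
    "DNSMGR":  ("BP-FILE-DNS-05", "UUNU", "$SYSTEM.SYSTEM"),
    "LOAD":    ("BP-FILE-DNS-06", "CCCU", "$SYSTEM.ZDNS"),
    "DBDDLS":  ("BP-FILE-DNS-07", "CCCU", "$SYSTEM.ZDNS"),
}
OWNER = "SUPER.SUPER"
# Guardian letters as (who, remote allowed); who: 3 any user, 2 group, 1 owner, 0 local super ID.
LEVELS = {"A": (3, False), "G": (2, False), "O": (1, False), "-": (0, False),
          "N": (3, True), "C": (2, True), "U": (1, True)}

def looser(actual, wanted):
    """True if letter `actual` admits anyone that letter `wanted` does not."""
    (aw, ar), (ww, wr) = LEVELS[actual], LEVELS[wanted]
    return aw > ww or (ar and not wr)

def audit(records):
    """records: (file, subvolume, owner, rwep) tuples -> list of (file, control, detail)."""
    found, out = {r[0]: r for r in records}, []
    for name, (bp, want, subvol) in BASELINE.items():
        n = "02" if subvol == "$SYSTEM.SYSTEM" else "03"  # the page's -02 / -03 split
        if name not in found:
            out.append((name, bp, "not in inventory"))
            continue
        _, sv, owner, got = found[name]
        if sv != subvol:
            out.append((name, f"BP-OPSYS-FILELOC-{n}", f"in {sv}, expected {subvol}"))
        if owner != OWNER:
            out.append((name, f"BP-OPSYS-OWNER-{n}", f"owned by {owner}"))
        if len(got) != 4 or set(got) - set(LEVELS):
            out.append((name, bp, f"unreadable security string {got!r}"))
            continue
        loose = "".join(op for op, a, w in zip("RWEP", got, want) if looser(a, w))
        if loose:
            out.append((name, bp, f"{got} is looser than {want} for {loose}"))
        elif got != want:
            out.append((name, bp, f"{got} differs from {want} but is not looser"))
    return out
# Constructed sample inventory (hypothetical values, not output from a real system).
SAMPLE = [
    ("DNSCOM", "$SYSTEM.SYSTEM", "SUPER.SUPER", "NUNU"),
    ("DNSCONF", "$SYSTEM.SYSTEM", "SUPER.SUPER", "CCCU"),
    ("DNSEXP", "$SYSTEM.SYSTEM", "OPS.MGR", "UUNU"),
    ("DNSMGR", "$DATA1.TOOLS", "SUPER.SUPER", "UUNU"),
    ("LOAD", "$SYSTEM.ZDNS", "SUPER.SUPER", "OOOO"),
]
```

Calling audit(SAMPLE) returns one finding per deviation, in the order of the baseline; files absent from the inventory are reported rather than silently skipped.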

Discovery Questions

ID                        Question                                                                            Look here
FILE-POLICY               Is DNS used on the system?                                                          Fileinfo
OPSYS-OWNER-02            Who owns the DNSCOM file?                                                           Fileinfo
OPSYS-OWNER-02            Who owns the DNSCONF file?                                                          Fileinfo
OPSYS-OWNER-02            Who owns the DNSEXP file?                                                           Fileinfo
OPSYS-OWNER-02            Who owns the DNSHELP file?                                                          Fileinfo
OPSYS-OWNER-02            Who owns the DNSMGR file?                                                           Fileinfo
OPSYS-OWNER-03            Who owns the LOAD file?                                                             Fileinfo
OPSYS-OWNER-03            Who owns the DBDDLS file?                                                           Fileinfo
FILE-POLICY               Who is allowed to run DNSCOM on the system?                                         Policy
FILE-DNS-01, SAFE-DNS-01  Is the DNSCOM object file correctly secured with the Guardian or Safeguard system?  Fileinfo, Safecom
FILE-DNS-02               Is the DNSCONF object file secured correctly?                                       Fileinfo
FILE-DNS-03               Is the DNSEXP object file secured correctly?                                        Fileinfo
FILE-DNS-04               Is the DNSHELP object file secured correctly?                                       Fileinfo
FILE-DNS-05               Is the DNSMGR object file secured correctly?                                        Fileinfo
FILE-DNS-06               Is the LOAD object file secured correctly?                                          Fileinfo
FILE-DNS-07               Is the DBDDLS object file secured correctly?                                        Fileinfo




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157