Chapter 15: Implementing Security for DNS Servers


A Domain Name System (DNS) server provides resolution of DNS names to Internet Protocol (IP) addresses and resolution of IP addresses to DNS names. The Active Directory directory service depends on DNS and uses it as its default name resolution service. The Microsoft Windows 2000 DNS service provides new features that ease the administration and configuration of DNS. The features introduced since the DNS service of Microsoft Windows NT 4.0 include the following:

  • Dynamic DNS updates

    A Windows 2000 DNS server can accept dynamic updates from DNS clients that support the dynamic update protocols described in RFC 2136, Dynamic Updates in the Domain Name System (DNS UPDATE).

  • Secure DNS updates

    To protect the DNS server against unauthorized updates, Windows 2000 can require DNS clients to authenticate before an update is accepted. DNS clients authenticate to the Windows 2000 DNS server through the Generic Security Service Application Program Interface (GSS-API), as described in the RFC draft GSS Algorithm for TSIG (GSS-TSIG), later published as RFC 3645; each update message is signed with a key negotiated from the client's Kerberos credentials. Secure dynamic update is available only for zones that are integrated with Active Directory, because the per-record access control lists that decide who may change a record are stored in the directory.

  • Active Directory integrated zones

    Storing each DNS resource record as an individual Active Directory object improves the security of the zone data. Each DNS resource record has its own discretionary access control list (DACL) that determines which security principals can modify that record, and the zone is replicated between domain controllers through Active Directory replication rather than through a zone transfer. Review the default DACL before relying on it: in a zone configured for secure dynamic updates, any authenticated computer can create a new record, and the account that creates a record becomes its owner.

  • Service (SRV) resource records

    Windows 2000 advertises its Active Directory services in DNS by using SRV resource records. SRV resource records identify the host name of the servers that host Active Directory services so that a DNS client can connect to the required Active Directory service. This is the format of the SRV resource record:

    _ldap._tcp.example.com. 600 SRV 0 100 389 dc1.example.com

    The following components are defined in an SRV resource record:

    • _ldap._tcp.example.com Refers to the advertised service (_ldap), the transport protocol (_tcp), and the domain (example.com). In this case, the record locates a server that offers the Lightweight Directory Access Protocol (LDAP) service for the example.com domain, which for Active Directory means a domain controller.

    • 600 Refers to the Time to Live (TTL), which is the amount of time, in seconds, that the SRV resource record will be cached at a DNS server or DNS client in the resolver cache.

    • SRV Indicates that the resource record is a service resource record that specifies the location of a network service.

    • 0 100 Refers to the priority and weight. A client tries the records with the lowest priority value first; among records that share a priority, the weight sets the relative probability that each target is chosen. Together they let you prefer one SRV resource record over another SRV resource record for the same service.

    • 389 References the port upon which the service is listening. In this case, the LDAP service listens on Transmission Control Protocol (TCP) port 389.

    • dc1.example.com The host name of the server on which the LDAP service runs. The client resolves this name to an IP address with a separate address (A) record query before it connects.
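The SRV record format described above, and the way a client applies priority and weight, as an added example in Python. It is not code from the Windows Security Resource Kit; the zone fragment is constructed, and dc1, dc2 and dc3.example.com are assumed host names. The block parses records written in the zone-file form shown above and then selects a target the way an RFC 2782 client does.

```python
"""Parse SRV resource records written in zone-file form and choose a target
the way an RFC 2782 client does: lowest priority value first, then a weighted
random choice among the records that share that priority.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample zone fragment (not taken from a real zone): three domain
# controllers advertise LDAP for example.com. dc1/dc2/dc3 are assumed names.
SAMPLE_ZONE = """\
; _service._proto.domain   TTL  class type prio weight port target
_ldap._tcp.example.com.    600  IN  SRV  0    100    389  dc1.example.com.
_ldap._tcp.example.com.    600  IN  SRV  0    50     389  dc2.example.com.
_ldap._tcp.example.com.    600  IN  SRV  10   100    389  dc3.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    service: str    # advertised service, e.g. "_ldap"
    proto: str      # transport, e.g. "_tcp"
    domain: str     # domain the service is advertised for, e.g. "example.com"
    ttl: int        # seconds the record may be cached
    priority: int   # lower value is tried first
    weight: int     # relative share among records of equal priority
    port: int       # port the service listens on
    target: str     # host name that runs the service


def parse_srv_line(line: str) -> SrvRecord:
    """Parse '<owner> <ttl> [IN] SRV <priority> <weight> <port> <target>'.

    The class field is optional in zone-file syntax, so it is dropped if present.
    A trailing dot only marks a name as absolute and is removed.
    """
    fields = line.split()
    if len(fields) == 8 and fields[2].upper() == "IN":
        del fields[2]
    if len(fields) != 7 or fields[2].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, ttl, _, priority, weight, port, target = fields
    labels = owner.rstrip(".").split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner is not _service._proto.domain: {owner!r}")
    return SrvRecord(labels[0], labels[1], ".".join(labels[2:]), int(ttl),
                     int(priority), int(weight), int(port), target.rstrip("."))


def parse_zone(text: str) -> List[SrvRecord]:
    """Parse every non-blank, non-comment line of a zone fragment as an SRV record."""
    return [parse_srv_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


def select_target(records: List[SrvRecord], rng=random) -> Optional[Tuple[str, int]]:
    """Pick (target, port) as RFC 2782 prescribes.

    Only records with the lowest priority value are candidates. A random number
    in [0, total_weight) is drawn and the first candidate whose running weight
    sum exceeds it is chosen, so each candidate is selected with probability
    weight / total_weight. If every candidate has weight 0 they are equally
    likely. (RFC 2782 also gives weight-0 records a tiny chance when others
    carry weight; this example leaves that refinement out.)
    """
    if not records:
        return None
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    total = sum(r.weight for r in candidates)
    if total == 0:
        chosen = candidates[0] if len(candidates) == 1 else rng.choice(candidates)
    else:
        pick = rng.randint(0, total - 1)
        running = 0
        chosen = candidates[-1]
        for r in candidates:
            running += r.weight
            if pick < running:
                chosen = r
                break
    return chosen.target, chosen.port


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for r in recs:
        print(r)
    print("client would connect to:", select_target(recs))
```

Running the block prints the three parsed records and one selection; dc3.example.com is never chosen while the two priority-0 records exist, and dc1 is chosen twice as often as dc2. Because clients follow the lowest priority value, a principal who can write an SRV record with a low priority under _ldap._tcp.example.com can steer domain-controller location to a host of its choosing, which is why the DACL on these records matters.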



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
