DNS Server Study Guide
1. DNS Servers
DNS servers are categorized into several types to manage and resolve domain names across the Internet.
- Root Server: The top of the DNS hierarchy; knows the locations of all TLD servers.
- TLD Server: Top-Level Domain servers manage domains like .com, .net, etc.
- Authoritative Name Server: Holds the actual DNS records and responds to queries with answers.
2. DNS Records
DNS records are used to map domain names to IP addresses and other resources.
- A – Maps a domain to an IPv4 address.
- AAAA – Maps a domain to an IPv6 address.
- CNAME – Canonical name record, alias of one domain to another.
- MX – Mail exchange record; routes emails to correct server with priority.
- NS – Name server record indicating authoritative servers.
- SOA – Start of Authority; administrative information (primary NS, contact email, serial number).
- SRV – Service locator; defines location (port, hostname) of servers for specific services.
- PTR – Pointer record, for reverse DNS lookups.
- TXT – Holds arbitrary text or structured data like SPF records.
3. Roles of Name Servers
- Caching-Only: Stores responses temporarily; does not hold original DNS data.
- Authoritative: Stores DNS records locally and answers with original data.
4. Types of DNS Zones
- Forward Lookup Zone: Resolves domain names to IP addresses.
- Reverse Lookup Zone: Resolves IP addresses to domain names.
- Conditional Forwarder Zone: Forwards queries to specific DNS servers based on domain. It simply passes the queries to the designated name servers and returns
- Stub Zone: Maintains only the information needed to contact the authoritative DNS servers, including the NS records and the A records required for resolution.
5. DNS Query Types
1. Recursive queries
• Demand a name resolution or the answer "it can't be found".
• Take place between a DNS client and its local DNS server.
2. Iterative queries
• Do not demand a name resolution: the queried DNS server may provide the answer if it knows it, or simply respond with a referral to another server.
• Take place between a local DNS server and other DNS servers.
3. Non-Recursive queries
• The queried server is expected to provide the answer directly, either from its local cache or from its authoritative zone data.
• If the server does not have the requested information, it responds with an empty or negative response, indicating that it cannot resolve the query, rather than forwarding the request to other DNS servers.
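The three query types side by side, as an added example that is not part of the study guide: a toy hierarchy (root, a TLD server, one authoritative server) answers iterative queries with data or referrals, a local resolver serves recursive queries to clients by walking that chain and caching results, and a non-recursive query is answered from the cache only. Server names, zones and addresses are all constructed for the example.

```python
# Added example, not part of the study guide: a toy DNS hierarchy that shows
# the three query types of Section 5 side by side. All server names, zones and
# addresses are constructed (RFC 5737 documentation range).
from dataclasses import dataclass, field


@dataclass
class NameServer:
    """Authoritative server: owns some A records and delegates child zones."""
    name: str
    records: dict = field(default_factory=dict)      # fqdn -> IPv4 address
    delegations: dict = field(default_factory=dict)  # child zone -> NameServer

    def iterative_query(self, qname):
        """Iterative answer: data if we hold it, a referral if we delegate the
        name, otherwise NXDOMAIN. The server never asks anyone else."""
        if qname in self.records:
            return "ANSWER", self.records[qname]
        for zone, child in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                return "REFERRAL", child
        return "NXDOMAIN", None


class RecursiveResolver:
    """Local DNS server: takes recursive queries from clients and walks the
    hierarchy with iterative queries, caching what it learns."""

    def __init__(self, root, max_hops=10):
        self.root = root
        self.max_hops = max_hops   # bounds the walk if delegations loop
        self.cache = {}
        self.trace = []            # (server name or "cache", status) per step

    def resolve(self, qname):
        """Recursive query: return the address or None ("can't be found")."""
        self.trace = []
        if qname in self.cache:
            self.trace.append(("cache", qname))
            return self.cache[qname]
        server = self.root
        for _ in range(self.max_hops):
            status, payload = server.iterative_query(qname)
            self.trace.append((server.name, status))
            if status == "ANSWER":
                self.cache[qname] = payload
                return payload
            if status == "REFERRAL":
                server = payload
                continue
            return None            # NXDOMAIN: negative answer to the client
        return None                # hop limit exceeded

    def non_recursive_query(self, qname):
        """Non-recursive query: answer only from cache, never contact others."""
        return self.cache.get(qname)


def build_lab():
    """Root -> TLD -> authoritative chain for the constructed zone example.com."""
    auth = NameServer("ns1.example.com.",
                      records={"example.com.": "192.0.2.1",
                               "www.example.com.": "192.0.2.10"})
    tld = NameServer("tld-com.test.", delegations={"example.com.": auth})
    root = NameServer("root.test.", delegations={"com.": tld})
    return RecursiveResolver(root)


if __name__ == "__main__":
    resolver = build_lab()
    print(resolver.resolve("www.example.com."), resolver.trace)
    print(resolver.resolve("www.example.com."), resolver.trace)   # served from cache
    print(resolver.non_recursive_query("example.com."))           # None: not cached
```

The trace shows why the caching resolver matters for both load and security: the first lookup touches three servers, the second touches none, and a non-recursive query for an uncached name returns nothing rather than generating upstream traffic.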
6. Resource Record (RR) Syntax
RR Syntax Format:
<domain-name> <TTL> <class> <type> <RDATA>
Example: [Link]. 3600 IN A [Link]
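A parser for the RR line format above, added here as an example and not taken from the study guide: it splits `<domain-name> <TTL> <class> <type> <RDATA>`, validates the TTL and class, and turns the RDATA into a type-specific structure (address objects for A/AAAA, priority plus exchange for MX, the seven SOA fields, SRV tuple, quoted TXT strings). Only fully qualified names are accepted, so no `$ORIGIN` handling is needed; the sample zone is constructed for this example.

```python
# Added example, not from the study guide: a parser for the RR line format
# "<domain-name> <TTL> <class> <type> <RDATA>". The sample zone is constructed.
import ipaddress
import shlex

MAX_TTL = 2**31 - 1          # TTL is a 31-bit value (RFC 2181 section 8)
SINGLE_NAME_TYPES = {"CNAME", "NS", "PTR"}


def _fqdn(label):
    """Require fully qualified names so no $ORIGIN handling is needed here."""
    if not label.endswith("."):
        raise ValueError(f"name must be fully qualified: {label}")
    return label.lower()


def _tokens(line):
    """Split on whitespace, honour quotes (TXT) and drop ';' comments."""
    lexer = shlex.shlex(line, posix=True)
    lexer.commenters = ";"
    lexer.whitespace_split = True
    return list(lexer)


def parse_rdata(rtype, rdata):
    """Turn the RDATA tokens into a type-specific, validated structure."""
    if rtype == "A" and len(rdata) == 1:
        return str(ipaddress.IPv4Address(rdata[0]))   # raises ValueError if bad
    if rtype == "AAAA" and len(rdata) == 1:
        return str(ipaddress.IPv6Address(rdata[0]))
    if rtype in SINGLE_NAME_TYPES and len(rdata) == 1:
        return _fqdn(rdata[0])
    if rtype == "MX" and len(rdata) == 2:
        return {"priority": int(rdata[0]), "exchange": _fqdn(rdata[1])}
    if rtype == "SRV" and len(rdata) == 4:
        priority, weight, port = (int(x) for x in rdata[:3])
        if not 0 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        return {"priority": priority, "weight": weight, "port": port,
                "target": _fqdn(rdata[3])}
    if rtype == "SOA" and len(rdata) == 7:
        keys = ("serial", "refresh", "retry", "expire", "minimum")
        return {"mname": _fqdn(rdata[0]), "rname": _fqdn(rdata[1]),
                **dict(zip(keys, (int(x) for x in rdata[2:])))}
    if rtype == "TXT" and rdata:
        return list(rdata)                               # one or more strings
    raise ValueError(f"unsupported type or wrong field count: {rtype} {rdata}")


def parse_rr(line):
    """Parse one RR line into a dict; raise ValueError on any malformed field."""
    fields = _tokens(line)
    if len(fields) < 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    name, ttl, rclass, rtype, *rdata = fields
    ttl = int(ttl)
    if not 0 <= ttl <= MAX_TTL:
        raise ValueError(f"TTL out of range: {ttl}")
    if rclass.upper() != "IN":
        raise ValueError(f"only class IN is handled: {rclass}")
    rtype = rtype.upper()
    return {"name": _fqdn(name), "ttl": ttl, "class": "IN",
            "type": rtype, "rdata": parse_rdata(rtype, rdata)}


def parse_zone(text):
    """Parse a whole zone; blank and comment-only lines are skipped."""
    return [parse_rr(line) for line in text.splitlines() if _tokens(line)]


# Constructed sample zone (documentation names and addresses, not real hosts).
SAMPLE_ZONE = """\
; hand-written sample for this example
example.com.  3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
example.com.  3600 IN NS  ns1.example.com.
example.com.  3600 IN MX  10 mail.example.com.
www.example.com. 300 IN A    192.0.2.10
www.example.com. 300 IN AAAA 2001:db8::10
ftp.example.com. 300 IN CNAME www.example.com.
_sip._tcp.example.com. 300 IN SRV 10 60 5060 sip.example.com.
example.com.  3600 IN TXT "v=spf1 mx -all"   ; SPF policy lives in TXT
10.2.0.192.in-addr.arpa. 300 IN PTR www.example.com.
"""

if __name__ == "__main__":
    for record in parse_zone(SAMPLE_ZONE):
        print(record["type"], record["name"], record["rdata"])
```

Rejecting malformed lines loudly (bad address, out-of-range TTL, wrong field count) is the point of the validation: a zone that loads with a silently mangled record is harder to debug than one that refuses to load.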
7. Zone Transfer
Two modes of zone transfer over TCP are implemented:
1. Full Zone Transfer (AXFR)
• AXFR stands for Asynchronous Full Zone Transfer.
• It transfers the entire DNS zone file from the master to the slave server.
• Used when:
o The slave server is syncing for the first time.
o There are major changes or no incremental data is available.
Key Characteristics:
• Transfers all records (A, MX, CNAME, etc.).
• Slower and uses more bandwidth than IXFR.
• Triggered manually or when the serial number changes.
2. Incremental Zone Transfer (IXFR)
• IXFR stands for Incremental Zone Transfer.
• Only transfers the DNS records that changed (deltas) since the last update.
• Requires both servers to support IXFR and to share a change history.
Key Characteristics:
• More efficient than AXFR.
• Faster and uses less bandwidth.
• Ideal for frequently updated zones.
Summary Table
Feature       | AXFR (Full)                 | IXFR (Incremental)
Transfer Type | Entire zone                 | Only changed records
Efficiency    | Lower                       | Higher
Use Case      | Initial sync, major updates | Frequent minor changes
Supported by  | Most DNS servers            | Only newer DNS servers
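The AXFR/IXFR decision modelled on sets of records, as an added example that is not part of the study guide: a primary keeps the current zone plus a bounded history of earlier versions, a secondary first compares SOA serials (using RFC 1982 serial arithmetic so a wrapped serial still counts as newer), does a full AXFR on first sync, asks for an IXFR delta afterwards, and is handed a full AXFR again once the primary no longer holds the version the secondary is at. Zone contents and serial numbers are constructed.

```python
# Added example, not from the study guide: AXFR and IXFR modelled on sets of
# records, with RFC 1982 serial arithmetic deciding whether a transfer is
# needed. Zone contents and serials are constructed.
SERIAL_MOD = 1 << 32
HALF = 1 << 31


def serial_is_newer(candidate, current):
    """RFC 1982: 'candidate' is newer if it lies less than 2^31 ahead of
    'current' modulo 2^32, so a serial that wraps past 4294967295 still counts."""
    return 0 < (candidate - current) % SERIAL_MOD < HALF


class Primary:
    """Master server. Keeps the current zone plus a bounded history of earlier
    versions, which is what lets it answer IXFR instead of falling back to AXFR."""

    def __init__(self, serial, records, history=3):
        self.versions = [(serial, frozenset(records))]
        self.history = history

    @property
    def serial(self):
        return self.versions[-1][0]

    @property
    def records(self):
        return self.versions[-1][1]

    def update(self, new_serial, add=(), delete=()):
        """Edit the zone and bump the serial so secondaries notice the change."""
        if not serial_is_newer(new_serial, self.serial):
            raise ValueError("serial must increase or secondaries will never sync")
        new = (self.records - frozenset(delete)) | frozenset(add)
        self.versions.append((new_serial, new))
        self.versions = self.versions[-self.history:]

    def axfr(self):
        """Full transfer: the whole zone, whatever the client already has."""
        return self.serial, set(self.records)

    def ixfr(self, client_serial):
        """Incremental transfer: only the delta since client_serial, if that
        version is still in history; otherwise the server answers with AXFR."""
        known = dict(self.versions)
        if client_serial not in known:
            return "AXFR", self.axfr()
        old = known[client_serial]
        return "IXFR", (self.serial, {"delete": old - self.records,
                                       "add": self.records - old})


class Secondary:
    """Slave server: SOA-serial check first, then the cheapest transfer that works."""

    def __init__(self):
        self.serial = None
        self.records = set()
        self.transfers = []      # mode chosen on each refresh

    def refresh(self, primary):
        if self.serial is not None and not serial_is_newer(primary.serial, self.serial):
            mode = "NONE"                           # serial unchanged: no transfer
        elif self.serial is None:
            mode, (self.serial, self.records) = "AXFR", primary.axfr()   # first sync
        else:
            mode, payload = primary.ixfr(self.serial)
            if mode == "AXFR":
                self.serial, self.records = payload
            else:
                self.serial, delta = payload
                self.records = (self.records - delta["delete"]) | delta["add"]
        self.transfers.append(mode)
        return mode


def demo():
    """Walk through first sync, one incremental update, a no-op refresh, and
    the fallback to AXFR once the primary's history no longer reaches back."""
    primary = Primary(2024010101, {("www.example.com.", 300, "A", "192.0.2.10"),
                                   ("example.com.", 3600, "MX", "10 mail.example.com.")})
    secondary = Secondary()
    secondary.refresh(primary)                                   # AXFR
    primary.update(2024010102, add={("ftp.example.com.", 300, "CNAME", "www.example.com.")})
    secondary.refresh(primary)                                   # IXFR
    secondary.refresh(primary)                                   # NONE
    for i in range(3, 7):                                        # history is 3 deep
        primary.update(2024010100 + i, add={(f"h{i}.example.com.", 300, "A", f"192.0.2.{i}")})
    secondary.refresh(primary)                                   # AXFR again
    return secondary.transfers, secondary.records == primary.records


if __name__ == "__main__":
    print(demo())   # (['AXFR', 'IXFR', 'NONE', 'AXFR'], True)
```

The `update` guard is the practical lesson behind "triggered when the serial number changes": an edit that forgets to bump the serial is invisible to every secondary, which is why operators check serials first when a zone change does not propagate.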
8. DNS Deployment Model
1. BIND (Berkeley Internet Name Domain)
• Most widely used DNS server on the Internet.
• Developed by: Internet Systems Consortium (ISC)
• Supports:
o Authoritative DNS
o Recursive DNS
o Caching
o DNSSEC
o Zone transfers (AXFR/IXFR)
Use Case:
Full-featured DNS server for both authoritative and recursive needs.
Pros:
• Very flexible and customizable.
• Large community and documentation.
• Supports dynamic updates and views.
Cons:
• More complex to configure.
• Larger attack surface due to many features.
2. NSD (Name Server Daemon)
• Authoritative-only DNS server (no recursion).
• Developed by: NLnet Labs
• Lightweight, high performance.
Use Case:
High-performance authoritative DNS server (e.g., for root/TLD servers).
Pros:
• Simple and secure.
• Very fast for authoritative responses.
• Lower resource usage.
Cons:
• Does not support recursion or caching.
• Must be paired with a separate resolver (e.g., Unbound).
3. Unbound
• Recursive DNS resolver only (no authoritative zones).
• Developed by: NLnet Labs
• Fast, secure, modern DNS resolver.
Use Case:
Caching recursive DNS server for internal or local networks.
Pros:
• High security (DNSSEC validation by default).
• Lightweight and easy to configure.
• Supports DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
Cons:
• Cannot serve authoritative DNS zones.
Typical DNS Deployment Model
Many modern setups separate roles:
• NSD for authoritative responses
• Unbound for internal recursive resolution
• Or use BIND for both in small/medium systems
Engine  | Main Config File          | Zone Files Used?     | Zone File Location                | Control Keys
BIND    | /etc/bind/named.conf      | Yes                  | /var/cache/bind/, /etc/bind/zones | rndc.key
NSD     | /etc/nsd/nsd.conf         | Yes                  | /etc/nsd/zones/                   | nsd_control.key
Unbound | /etc/unbound/unbound.conf | No (uses local-data) | N/A (uses directives)             | unbound_control.key
9. DNS Attacks
DNS can be a target for various types of attacks:
- DNS Spoofing/Poisoning – Redirecting traffic to malicious sites.
- DNS Amplification – DDoS using spoofed queries to produce large responses.
- NXDOMAIN Attack – Floods DNS with requests for nonexistent domains.
- DNS Tunneling – Encodes data in DNS queries/responses to bypass firewalls.
- Domain Hijacking – Takes control over a registered domain.
- Cache Poisoning – Inserts false data into DNS cache.
- DNS Reflection – Attacker spoofs victim's IP to trigger large DNS replies.
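Two of the attacks above, the NXDOMAIN flood and DNS tunneling, leave patterns in a resolver's query log that the "monitor DNS traffic for anomalies" practice in the next section is meant to catch. The following detector is an added example, not part of the study guide: it counts NXDOMAIN answers per client and flags subdomains that are unusually long or high-entropy, or that appear in unusually large numbers under one base domain. The log line format, client addresses and domain names are all constructed for the example; the thresholds are illustrative starting points, not tuned values.

```python
# Added example, not from the study guide: two detections run over a
# constructed DNS query log, for the NXDOMAIN-attack and DNS-tunneling
# entries of Section 9 and the "monitor DNS traffic" item of Section 10.
# Log format, client addresses and domain names are all made up here.
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Crude registrable domain: last two labels (enough for this demo; a
    public-suffix list would be needed for names like example.co.uk)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text):
    """Constructed format: '<epoch> <client> <qname> <qtype> <rcode>' per line."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, rcode = line.split()
        rows.append({"ts": int(ts), "client": client, "qname": qname.rstrip("."),
                     "qtype": qtype, "rcode": rcode})
    return rows


def detect(rows, nx_threshold=20, long_label=40, entropy_min=3.5,
           min_sub_len=16, unique_subs=15):
    """Return a list of (finding, subject, detail) tuples."""
    findings = []
    # 1. NXDOMAIN flood: one client collecting many negative answers.
    nx = Counter(r["client"] for r in rows if r["rcode"] == "NXDOMAIN")
    for client, count in nx.items():
        if count >= nx_threshold:
            findings.append(("nxdomain_flood", client, count))
    # 2. Tunneling: long or high-entropy labels, and many distinct subdomains
    #    under one base domain that all receive a positive answer.
    answered_subs = defaultdict(set)
    for r in rows:
        base = base_domain(r["qname"])
        if r["qname"] == base:
            continue
        sub = r["qname"][: -len(base) - 1]          # strip ".base"
        longest = max(len(label) for label in sub.split("."))
        flat = sub.replace(".", "")
        if longest >= long_label or (len(flat) >= min_sub_len
                                     and shannon_entropy(flat) >= entropy_min):
            findings.append(("suspicious_label", r["client"], r["qname"]))
        if r["rcode"] == "NOERROR":
            answered_subs[base].add(sub)
    for base, subs in answered_subs.items():
        if len(subs) >= unique_subs:
            findings.append(("many_unique_subdomains", base, len(subs)))
    return findings


def make_sample_log():
    """Constructed traffic: a benign client, an NXDOMAIN burst, a tunnel."""
    t, lines = 1700000000, []
    for i in range(40):
        lines.append(f"{t+i} 192.0.2.10 www.example.com. A NOERROR")
        lines.append(f"{t+i} 192.0.2.10 mail.example.com. MX NOERROR")
    lines.append(f"{t} 192.0.2.10 typo.example.com. A NXDOMAIN")   # one typo is normal
    for i in range(25):
        lines.append(f"{t+i} 192.0.2.99 host{i}.example.com. A NXDOMAIN")
    for i in range(20):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:48]   # data-carrying label
        lines.append(f"{t+i} 192.0.2.77 {label}.tunnel.example. TXT NOERROR")
    return "\n".join(lines)


def run_demo():
    return detect(parse_log(make_sample_log()))


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

The single NXDOMAIN from the benign client stays below the threshold, which is the point of counting per client rather than alerting on every negative answer; in production the counts would be kept per time window rather than over the whole log.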
10. DNS Security Best Practices
- Use DNSSEC to authenticate responses.
- Restrict zone transfers to authorized IPs.
- Regularly patch DNS software.
- Configure rate-limiting and logging.
- Use split-horizon DNS where applicable.
- Avoid open resolvers unless necessary.
- Monitor DNS traffic for anomalies.