In this video, Chaim Krause compares and contrasts several of the many possible configurations. There is no configuration that is always the best choice. Each network is unique, so your configuration requirements are too.
- [Instructor] What to call this video was a bit of a challenge, as there is no commonly accepted name for anything other than a single-purpose name server. Many times the real world is not so clear cut. Often you are going to use one or more name servers configured in a variety of ways to meet your particular needs. Many names are thrown around when it comes to deploying named servers in various manners. These are some of the terms I have seen used. However, what you call them is not so important as meeting your needs.
So, let's look together at some configurations that tend to be used in certain situations. The first example is of a single server. The biggest downside of a single server is that you are exposing everything to the outside world and providing a target for hackers, and that is your single DNS server inside your firewall. What this is good for is practicing in your sandbox, setting up something temporary. Or maybe you're just a hobbyist who wants to tinker with this and see how these things fit together.
You might also want to test a setup that you're going to tear down quickly. Another consideration that you might have in some cases is if you're short on hardware and funds and you cannot afford to have multiple servers in multiple locations. You can use this as sort of your starter set to get you up and running. What it looks like is your internal clients are connected to a DNS named server behind your firewall.
And everybody in the public internet gets access to that named server by port forwarding port 53. Our next example falls pretty much on the complete opposite end of the spectrum. In this case we actually have two servers. One is inside the firewall. The other is outside the firewall. This way none of the people in the public internet are going to be interacting with anything inside your firewall at any time.
So, if the outside named server is hacked, there's no vulnerability into the internal network. One of the downsides is that you're going to have some duplication of records. You're going to have to update both the records in the private DNS and the public DNS when things change. My next two examples are similar. In the first one here we have a multihomed bastion host. By bastion host I mean a server that serves a single purpose and sits on both the internal and external networks.
In this case both the internal and external networks are treated in the same fashion. If a query comes in from the outside, it's going to get the same result as if a query comes from the inside. This could be a popular setup when most of your infrastructure is outsourced to third parties: if you have your website hosted externally, your email hosted externally, maybe your vendors and suppliers are external, and all you're going to be using are CNAMEs to point to them.
Since there are no A records involved, you're not describing your internal network. So, it's much safer. However, you still do have a bastion sitting both inside and outside of your firewall. Our last example is similar to our prior example. We have a multihomed bastion host standing between both the outside network and the inside network. What we have here that is different is the feature that was added in version nine of the BIND software.
And that is views. Instead of having a single zone file serving up answers to both internal and external queries, by using views you are able to have separate zone files and provide different answers to external and internal queries. One of the benefits of this is that you have a reduced hardware cost, as you don't need to have multiple named servers hosted both internally and externally. As I said before, in real situations you are most likely to use a little bit of everything you have seen here.
That is why I suggest setting up your own named server sandbox to test your configurations before you go live.
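As an added example (not from the course), here is what the views setup described in the last example could look like on a single multihomed bastion: one named.conf with an internal and an external view, and two zone files that give internal and external clients different answers for the same zone. The network addresses, host names and file paths are assumed placeholders.

```conf
// Added example (not from the course): named.conf for a single multihomed
// bastion running BIND 9 views. Addresses, names and file paths are placeholders.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

options { directory "/var/cache/bind"; };

// Views are tried top to bottom and the first match-clients hit wins,
// so the internal view must come before the catch-all external view.
view "internal" {
    match-clients { "internal"; };
    recursion yes;               // internal clients may use this host as their resolver
    zone "example.com" { type master; file "db.example.com.internal"; };
};

view "external" {
    match-clients { any; };
    recursion no;                // never an open resolver for the public Internet
    allow-transfer { none; };    // no zone transfers to arbitrary hosts
    zone "example.com" { type master; file "db.example.com.external"; };
};

; ---------- db.example.com.internal (answers for internal clients) ----------
; Two zone files means two serials to bump whenever a record changes.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 86400 )
         IN NS    ns1.example.com.
ns1      IN A     10.0.0.53
intranet IN A     10.0.0.20          ; internal-only host, never answered to the outside
www      IN CNAME example-com.hosting-provider.example.

; ---------- db.example.com.external (answers for the public Internet) ----------
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. ( 2024010101 3600 900 604800 86400 )
         IN NS    ns1.example.com.
ns1      IN A     203.0.113.53       ; only the bastion's public address appears
www      IN CNAME example-com.hosting-provider.example.
mail     IN CNAME mail.hosted-email.example.
```

Run `named-checkconf` and `named-checkzone example.com <file>` on each file, then query the bastion from an inside and an outside address to confirm that `intranet.example.com` resolves only from the internal view.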