Enterprise open-source Domain Name Service security protection strategy and practice

Source: Internet
Author: User

Enterprise Open Source DNS Service Application Overview

On the Internet, domain names and IP addresses correspond to one another. A domain name is convenient for people to remember, but machines only recognize each other by IP address, so a translation between the two is needed. That translation is called domain name resolution, and it is carried out by dedicated domain name resolution servers: the DNS. DNS is the abbreviation of Domain Name System, the system that names the computers and network services organized into the domain hierarchy. In TCP/IP networks such as the Internet, DNS names let users locate computers and services through a user-friendly name. When a user enters a DNS name in an application, the DNS service resolves that name to other information associated with it, such as an IP address. When a user enters a web site address, it is the domain name resolution system that finds the corresponding IP address, and the connection to the Internet is made to that address. In short, the end point of a domain name is an IP address.

DNS is a hierarchical, distributed name-lookup system whose layout resembles a computer's directory tree. At the top is "." (the root), under which come the basic category names such as com, org, edu and so on. Below those are organization names, such as Sun and Yale, and below those the host names, such as Eng, CS and NTU. The hierarchical structure of the DNS domain name space is shown in Figure 1:

Figure 1. Hierarchical structure of the DNS domain name space

It is worth noting that, because the Internet originated in the United States, there were originally no country domain names. As the Internet developed, country domain names such as CN, JP and AU were added to DNS. A full DNS name therefore looks like www.xyz.com.cn, and the whole name corresponds to one IP address. In the beginning there were only six organization categories under the root:

edu: educational and academic institutions

org: non-commercial organizations

net: network communication organizations

com: commercial enterprises

gov: government agencies

mil: military units

However, since registration of organization names was opened up, many different names have appeared; in any case the naming rule is that the name should fit the nature of the site as closely as possible. Apart from the original categories, which are managed by the NIC (Network Information Center) in the United States, the categories under each country domain are managed by that country's NIC.

Composition of the DNS system

The DNS system is based on the client/server model and conceptually it consists of three parts:

(1) Domain name space: records in the domain name space identify a set of hosts and provide information about them. Each node in the domain has a database of information about it, and a query attempts to extract the appropriate information from that database. Simply put, the domain name space is the collection of all the different kinds of information (domain names, IP addresses, mail aliases and so on) that can be looked up in the DNS system.

(2) Domain name server: the program that holds and maintains the data in the domain name space. Each domain name server holds complete information about a subset of the domain name space and pointers to the other parts. A domain name server has complete information about the part it controls. That control is divided into zones, and zones can be distributed across different domain name servers, each serving its own zones. Each domain name server also knows the domain name servers responsible for the other zones. If a request concerns the zone that a domain name server is responsible for, the server simply returns the information; if the request concerns a different zone, the server contacts the server that controls that zone.

(3) Resolver: the resolver is a simple program or subroutine library that extracts information from the servers in response to a host's queries about the domain name space.
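The division of labour above (a name space made of labels, a server that answers, a resolver that asks) is visible directly in the DNS wire format. The following Python is an added example, not code from the original article: it encodes the question a stub resolver sends for a name such as www.xyz.com.cn, and parses a reply, following name-compression pointers and refusing any reply whose transaction id or question section does not match the query that was sent (the basic check against a spoofed answer). The reply it parses is constructed inline by sample_response, not captured traffic.

```python
import struct

# Minimal stub-resolver building blocks for the DNS wire format: encode a
# question for a name, and parse a response while checking it against the
# query that was sent. Sample messages are constructed inline, not captured.

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: www.xyz.com.cn -> 3www 3xyz 3com 2cn 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=QTYPE_A):
    """12-byte header plus one question; RD=1 asks the server to recurse on our behalf."""
    flags = 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    end = None                      # offset just past the name at its original position
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg, expected_txid, expected_name):
    """Parse a response; reject it unless its id and question match what we asked."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    offset = 12
    qname, offset = decode_name(msg, offset)
    offset += 4                     # skip QTYPE and QCLASS of the echoed question
    if qdcount != 1 or qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((rname, ttl, ".".join(str(b) for b in rdata)))
    return {"authoritative": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": answers}


def sample_response(txid, name, ip, ttl=300, authoritative=False):
    """Constructed sample reply (not real traffic): one A record whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    flags = 0x8180 | (0x0400 if authoritative else 0)   # QR=1, RD=1, RA=1, rcode 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    query = build_query("www.xyz.com.cn", 0x1234)
    reply = sample_response(0x1234, "www.xyz.com.cn", "192.0.2.10")
    print(query.hex())
    print(parse_response(reply, 0x1234, "www.xyz.com.cn"))
```

The id and question checks are what a real resolver does before accepting an answer from the network; the 16-bit transaction id alone is a small space, which is why production resolvers also randomize the source port and why DNSSEC exists, but the structure of the check is the same.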

DNS is a very complex concept, and the following table lists common DNS terms:

Domain: A logical entity or organization that represents a part of a network.

Domain name: the part of a host name that identifies the domain containing the host. It is often used interchangeably with "domain".

Host: A computer on the network.

Node: A computer on the network.

Domain name server: a computer providing the DNS service that converts DNS names to IP addresses.

Resolution: the process of translating a domain name into its corresponding IP address.

Resolver: a program or library subroutine that extracts DNS information from a domain name server.

Reverse resolution: converting a given IP address to its corresponding DNS name.

Spoofing: making a host on the network appear to have a different IP address or domain name than it really has.

Types of DNS Servers

DNS domain name servers store host-name-to-address mapping information and fall into three categories:

(1) Primary DNS server (primary name server): the authoritative source for all information in a particular domain. It loads the domain information from a local disk file built by the domain administrator, which contains the most accurate information about the portion of the domain structure over which the server has administrative authority. The primary server is an authoritative server because it answers any query within its jurisdiction with absolute authority.

(2) Secondary DNS server (secondary name server): it replicates a complete set of domain information from the primary server. The zone files are copied from the primary server and stored as local disk files on the secondary server; this replication is called "zone file replication". Because the secondary domain name server holds a full copy of all the domain information, it can answer queries for that domain authoritatively, so a secondary domain name server is also an authoritative server. Configuring a secondary domain name server does not require creating a zone file locally, because the zone file can be downloaded from the primary server.

(3) Caching-only server: it runs domain name server software but holds no domain name database of its own. It obtains the result of each query from a remote domain name server, places the answer in its cache once obtained, and answers later identical queries from that cache. The caching server is not an authoritative server, because all the information it provides is second-hand. Only a cache file needs to be configured for a caching server, although the most common configuration also includes a loopback zone file; this is perhaps the most common domain name server configuration of all.
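To make the three roles concrete, here is an added Python model (not code from the original article or from any DNS server project) of a primary that loads a zone from a local file, a secondary that obtains its copy by transfer from the primary, and a caching-only server that holds no zone and relays answers, remembering them only for their TTL. The zone data, the zone name xyz.com.cn and the serial numbers are constructed sample values; the clock is injectable so that TTL expiry can be exercised without waiting.

```python
import time

# Toy model of the three server roles: a primary that loads a zone from a local
# file (a dict here), a secondary that copies the zone from the primary, and a
# caching-only server that holds no zone and answers from cached upstream replies.
# Zone data is constructed sample data, not a real zone.


class PrimaryServer:
    """Authoritative for one zone; records map (name, type) -> (rdata, ttl)."""

    def __init__(self, zone_name, records, serial):
        self.zone_name = zone_name
        self.records = dict(records)
        self.serial = serial            # bumped whenever the zone file changes

    def in_zone(self, name):
        return name == self.zone_name or name.endswith("." + self.zone_name)

    def query(self, name, rtype):
        if not self.in_zone(name):
            return None                 # outside our jurisdiction: no answer at all
        rdata, ttl = self.records.get((name, rtype), (None, 0))
        return {"aa": True, "rdata": rdata, "ttl": ttl}

    def zone_transfer(self):
        """What a secondary pulls: the serial and a full copy of the zone."""
        return self.serial, dict(self.records)


class SecondaryServer(PrimaryServer):
    """Holds a transferred copy of the primary's zone; its answers are still authoritative."""

    def __init__(self, primary):
        self.primary = primary
        self.zone_name = primary.zone_name
        self.serial = -1
        self.records = {}
        self.refresh()

    def refresh(self):
        """Re-copy the zone only if the primary's serial has moved forward."""
        serial, records = self.primary.zone_transfer()
        if serial > self.serial:
            self.serial, self.records = serial, records
            return True
        return False


class CachingOnlyServer:
    """No zone data; forwards to authoritative servers and caches answers for their TTL."""

    def __init__(self, upstreams, clock=time.monotonic):
        self.upstreams = upstreams
        self.cache = {}                 # (name, type) -> {"rdata", "expires"}
        self.clock = clock              # injectable so TTL expiry can be tested
        self.upstream_queries = 0

    def query(self, name, rtype):
        key = (name, rtype)
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit["expires"] > now:
            return {"aa": False, "rdata": hit["rdata"],
                    "ttl": int(hit["expires"] - now), "from_cache": True}
        for upstream in self.upstreams:
            answer = upstream.query(name, rtype)
            if answer is None:
                continue
            self.upstream_queries += 1
            if answer["rdata"] is not None:
                self.cache[key] = {"rdata": answer["rdata"], "expires": now + answer["ttl"]}
            # Relayed information is indirect: never claim authority for it.
            return {"aa": False, "rdata": answer["rdata"], "ttl": answer["ttl"], "from_cache": False}
        return None


def build_demo():
    """Wire the three roles together with constructed sample data and a fake clock."""
    primary = PrimaryServer("xyz.com.cn", {("www.xyz.com.cn", "A"): ("192.0.2.10", 300)}, serial=1)
    secondary = SecondaryServer(primary)
    clock = {"now": 0.0}
    cache = CachingOnlyServer([secondary], clock=lambda: clock["now"])
    return primary, secondary, cache, clock


if __name__ == "__main__":
    primary, secondary, cache, clock = build_demo()
    print(secondary.query("www.xyz.com.cn", "A"))   # authoritative copy of the zone
    print(cache.query("www.xyz.com.cn", "A"))       # fetched from upstream, aa=False
    print(cache.query("www.xyz.com.cn", "A"))       # served from cache
    clock["now"] = 301
    print(cache.query("www.xyz.com.cn", "A"))       # TTL expired, fetched again
```

Two things the model makes visible that the prose only states: the secondary answers with the authoritative flag set even though it never had a locally written zone file, and a change on the primary reaches the secondary only when the serial is raised and a refresh runs, which is also why a stale or non-incrementing serial is a common cause of secondaries serving old data.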
