
S 4.108 Simplified and secure network management with DNS services under Novell NetWare 4.11

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

A unique address must be assigned to every IT system in a TCP/IP network. The Internet Protocol (IP) specifies this address as four decimal numbers separated by dots, each in the range 0 to 255. As numeric addresses are difficult to remember, meaningful host names can be assigned to the IT systems as well, e.g. www.bsi.bund.de. Resolution of host names into IP addresses can be performed using two different mechanisms. The first uses an ASCII text file called HOSTS, stored in the SYS:ETC directory, which is created manually. From a security and administrative viewpoint this method should only be used in small networks, as the HOSTS file has to be stored individually on each server and each workstation to enable local resolution. Special routines (e.g. login scripts) can be used to automate distribution of the HOSTS file.

The second mechanism entails using a DNS server. Those aspects of setting up and configuring a DNS server under Novell NetWare 4.11 which require particular consideration in relation to system security are considered below.

Function of the DNS components

The two main components of DNS are the name server and the resolver, which is loaded on the client and queries the name server.

DNS server configuration - initial steps

With a NetWare 4.11 server, DNS is configured via UNICON.NLM. First of all DNS Client Access needs to be activated. This is done via Configure Server Profile - Manage Global Objects. At least one name server which performs address resolution must be listed. A maximum of three name servers can be entered. To speed up resolution across a large address area and to ensure that name resolution can always be performed, all three name server entries should be used. The sequence in which the name servers are listed determines the query sequence and should be chosen so as to give the fastest name resolution.

The first name server can be the main DNS server of the authority or company. Even if this server cannot resolve every host outside its own domain, it allows host names to be resolved rapidly within the organisation.

The second name server can belong to the Internet Service Provider (ISP), enabling access to a wider data pool of host names. Owing to the higher utilisation, the greater distance and the available bandwidth, resolution via this server is usually somewhat slower than via the local name server. If redundancy of the local domain is a priority, then the server holding the write-protected copy of the DNS database (secondary name server) should be registered as the second name server instead.

The third name server defined can be a so-called root server. This type of server holds the data for all the registered domains. A list of root servers can be obtained from ftp://rs.internic.net/netinfo/root-servers.txt.

Configuration of the DNS server

The configuration and administration functions for the Domain Name System are accessed by selecting Manage Services DNS from the UNICON.NLM main menu. To set up a master database or a write-protected replica database, the Administer DNS menu option should be selected.

The domains and zones for which the primary name server is authorised are entered by selecting Manage Services - DNS - Administer DNS - Manage Master Database - Delegate Subzone Authority from the UNICON.NLM main menu.

The DNS database entries are entered via Manage Services - DNS - Administer DNS - Manage Master Database. With a standard implementation of DNS, the Start of Authority (SOA), which identifies the starting point for the authority of a zone within the DNS hierarchy, and the record type Name Server (NS) must be entered. The primary name server must receive entries for all the secondary name servers of the zone. Linking of this zone with the DNS hierarchy is achieved through name server entries for primary name servers which possess authority for superordinate and subordinate zones. To ensure name resolution for the hosts in the zone, record type Address (A) must be entered for every terminal device to be addressed.

The entries needed in record type SOA include the name and address of the zone supervisor. The default setting for this address is root.. The settings for the synchronisation behaviour of the secondary name servers are also made in record type SOA.

The refresh validity period determines how long a secondary name server continues to reply to queries from hosts after it has tried unsuccessfully to contact the primary name server. The shorter this period, the lower the likelihood that the secondary name server will send out invalid DNS entries and thus prevent name resolution. To make the system fail-safe, however, this period should not be set too short, since if the primary name server fails the Domain Name System for this zone will then stop working altogether. A compromise must therefore be found for this parameter between the probability of being unable to resolve individual host names and, if too short a period is set, the probability of being unable to address any terminal devices by host name at all.

The minimum caching interval determines the time for which information from queries is retained in the cache of the primary name server. If too short a time is selected, this can increase the load on the network where the same hosts are queried frequently and delay resolution of the host names into IP addresses. On the other hand, if too long a minimum caching interval is defined, this can result in out-of-date information being passed on.
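As an added illustration, not part of the BSI manual, the following Python check reads a zone in bind-style text form (the page states the Novell DNS service is compatible with bind; that the exported text files use exactly this layout is an assumption) and flags the omissions and timer choices discussed above: a missing SOA, a name server listed in an NS record without an A record, an expire time no longer than the refresh interval, and an over-long minimum caching interval. Field names follow bind's SOA layout, where the period the text calls the refresh validity period corresponds to the expire field; the sample zone, its names and addresses are constructed.

```python
import re

# Constructed sample zone in bind-style text format (hypothetical names/addresses).
# Names are fully qualified (trailing dot) so NS targets and A owners compare directly.
SAMPLE_ZONE = """\
example.test.     IN SOA  ns1.example.test. root.example.test. (
                          2000011501  ; serial
                          10800       ; refresh
                          3600        ; retry
                          604800      ; expire  (the text's "refresh validity period")
                          86400 )     ; minimum (the text's "minimum caching interval")
example.test.     IN NS   ns1.example.test.
example.test.     IN NS   ns2.example.test.
ns1.example.test. IN A    192.0.2.1
www.example.test. IN A    192.0.2.10
"""

def parse_zone(text):
    """Return (soa_timers, ns_targets, a_owners); ';' comments are dropped."""
    body = re.sub(r";[^\n]*", "", text)
    # Fold a parenthesised multi-line SOA onto one line before splitting.
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    soa, ns, a = None, set(), set()
    for line in body.splitlines():
        f = line.split()
        if len(f) < 4 or f[1].upper() != "IN":
            continue
        rtype, rdata = f[2].upper(), f[3:]
        if rtype == "SOA":          # rdata: mname rname serial refresh retry expire minimum
            refresh, retry, expire, minimum = map(int, rdata[3:7])
            soa = {"refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}
        elif rtype == "NS":
            ns.add(rdata[0].lower())
        elif rtype == "A":
            a.add(f[0].lower())
    return soa, ns, a

def check_zone(text, max_minimum=86400):
    """Flag the omissions and timer choices S 4.108 warns about."""
    soa, ns, a = parse_zone(text)
    if soa is None:
        return ["no SOA record: the zone has no starting point of authority"]
    findings = []
    for name in sorted(ns - a):   # every listed name server needs an address record
        findings.append(f"NS {name} has no A record in this zone")
    if soa["expire"] <= soa["refresh"]:
        findings.append("expire <= refresh: secondaries stop answering before one refresh can succeed")
    if soa["minimum"] > max_minimum:
        findings.append(f"minimum {soa['minimum']}s exceeds {max_minimum}s: stale data may be passed on")
    return findings
```

Run `check_zone(SAMPLE_ZONE)` to see the one defect planted in the sample (ns2 has no A record); lower `max_minimum` to test the caching-interval warning.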

Connection to the external DNS hierarchy

Queries involving host addresses outside the local domain are automatically executed as long as the DNS server is running. The DNS server receives information about the DNS hierarchy from the file SYS:ETC\DNS\ROOT.DB, which contains a list of name servers of the US Top Level Domains. Manage Services - DNS - Administer DNS - Link to existing DNS Hierarchy provides access to two different methods of building a direct connection to other domains, namely Link Direct and Link Indirect via Forwarder. If certain domains are accessed frequently, these procedures can speed up host name resolution.

Checking of name servers

The menu option Manage Services - DNS - Administer DNS - Query Remote Name Server allows checking of what information is held on other name servers as well as allowing one to determine whether a particular name server is responding to queries. In either case, the name or IP address of the server must be entered. The resource record type which is being interrogated and the domain from which the information is required must also be specified.

Backing up the DNS database

The DNS database should be backed up at regular intervals. Such backups can be used, for example,

The menu option Manage Services - DNS - Save DNS Master to Text Files is used to save the database to SYS:ETC/DBSOURCE/DNS/HOSTS.

Use of UNICON.NLM

Restrict access

The Domain Name System settings are entered with UNICON. For administrative and security reasons, it is sometimes necessary to split up tasks and restrict access. When a NetWare product that is controlled via UNICON is installed, group objects which control certain task areas within UNICON are created in the NDS directory tree. Users who are required to perform particular tasks with UNICON are made members of the relevant group.

Group name               | Area of responsibility                    | Available UNICON menu options
-------------------------+-------------------------------------------+-----------------------------------------
UNICON MANAGER           | Full functionality of UNICON              | Access to all menu options
UNICON SERVICES MANAGER  | Starting, stopping and managing services  | Start/Stop Services and Manage Services
UNICON HOST MANAGER      | Changing host entries                     | Manage Global Objects - Manage Hosts

Compatibility with bind (Berkeley Internet Name Domain)

TCP/IP networks were developed from the Unix environment. The most widely used DNS program for Unix is bind. It is therefore important that other DNS products are compatible with bind. The Novell DNS service is fully compatible with bind version 4.8.3.
© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000