Episode 33

Here, at long last, is Episode 33, in which Matt announces a “Development with a capital D” (and a lowercase “yn”), and Matt and Cricket answer questions from Jason Weber about how to deal with web hosting and a hosted DNS zone; from Chuck Nelis about split DNS; from Michael Simoni about the (waning?) need for multiple zones; and from Matt Pounsett about the dangers of mixing recursion and authority on a single name server.

Play

2 comments.

  1. I’m interested in DNSSEC for a long time. Today i find this Podcast and i love it. Great work, thx…

  2. Wow, I’m behind. I kinda fell off listening and re-discovered the podcast again. I love the podcast. As the resident DNS expert for for our community and members, it’s something that still provokes thought and provides me with new knowledge as well as historical background.

    A few comments on this podcast from the trenches.

    1.) k12.nj.us domain question: As the delegated manager for k12.ks.us domains as well as the ISP/DNS hosting provider for many of those domains, I have personal experience dealing with this particular issue.

    Often I have seen web-hosting providers really want to host DNS for a domain so that they can make IP changes whenever they want without involving the customer regardless of static, shared hosting, etc. Often everyone can be happy if the hosting provider will provide an A/AAAA record like customer-name.hostingprovider.com and then the customer can just make http://www.xyz.k12.nj.us a CNAME to the customer-name.hostingprivider.com record.

    The bigger problem is with “lazy A” records at the zone apex. Most people want those records in place. Heck a lot of marketing people want browsers to redirect http://www.company.com to redirect to company.com so the URL looks prettier. In those cases we add that lazy A record anyway, but a few times a year the website just breaks because the hosting provide changes IPs, but does not notify the customer in advance.

    2.) Split DNS/Multiple Internal Zones/Delegations/AD. In university settings where they have lots of public IPs (Like /16s or more) often RFC 1918 address are not the default, even if they have stateful firewalls at the edges. Also, IPv6 which really tries to restore end to end connectivity encourages public IPs that are using stateful firewalls when needed rather than NAT. In Higher-Ed the ship has not always sailed on “stupid DNS tricks” and with large legacy IPv4 space can/often operate differently than the corporate world.

    If the only difference between Internal/External views of split DNS is the absence of records externally (rather than different answers), sub-domains can make things much simpler then split DNS. The records you don’t want publicly leaked can just be put in a sub-domain/zone that you don’t allow access to externally. IE, your Active Directory Domain and dynamic records.

    3.) Mixed Mode DNS servers. I mostly agree with you when speaking about modern BIND based servers. However Microsoft DNS Servers are a different beast. I have seen many schools try to use a single set of MS DNS servers for Authoritative Hosting and Recursive Resolution. Until recent Windows server versions (2012?) recursion was either on or off period. So a dual role MS DNS server that is serving publically facing DNS with both roles becomes an Open Resolver that is often abused in DDoS attacks with no real way to fix. In BIND its just adding config to limit recursion to your “Internal” IPs.

    With regards to BIND, I have heard the DNSSEC validation issue with dual role servers sited in security circuits and used the argument myself. Let’s sit aside the assumption that if you are authoritative for a zone you should be trusted. Perhaps the DNS Signing Key(s) are held in a hidden master, HSM, or even offline. The authoritative servers could be compromised and records modified, but you are not going to have valid signature and not validate. The clients pointing at the dual role server for recursion are not protected from that attack.

    The other place dual role serves caused me grief is when domain registrations change and/or expire. If you are hosting a domain on a dual role server and that domain registration expires and/or the owner decides to move to different DNS servers for hosting your clients using your dual role server for recursion start having resolution problems that “No One Else does” for that domain. The server keeps serving the answer(s) out of the authoritative data it has rather than walking the tree like every other recursive resolver. This is often even masked and shows up at random times if the client/customer/domain owner largely duplicates the old DNS records on the new DNS hosting provider. Then you only find out about it when a change is made and there is a mismatch of a high profile records like www. Separating the roles allows your recursive resolvers to walk the tree like every other resolver on the Internet regardless of what domains you are “hosting”.

Post a comment.