
Course Summary

Reliable, robust and secure operation of the DNS hierarchy - from the root servers to an individual domain name server - is critical to all Internet operations.

The course covers advanced uses of the DNS for ENUM and VoIP functions and concentrates on the use of DNSSEC for the control of zone transfers, DDNS and zone integrity. While the primary focus of the course is BIND, other DNS software will be discussed.

Duration

2 days.

Objectives

Students will learn the theory behind the DNS hierarchy, the DNS protocol, and forward and reverse mapping zone files. The major zone file Resource Records are described and explained. A number of DNS server types are introduced - including Master/Slave, Caching Only, Authoritative Only, Forwarding and Stealth - and the detailed zone files and BIND configuration files (named.conf) that control operational behavior are presented. Dynamic DNS (DDNS), integration with DHCP, zone transfer, diagnostic tools and simple security models are also covered. The course includes a number of hands-on configuration exercises.

Audience

The course is designed for DNS administrators, Network and System Administrators, VoIP specialists and those who need a thorough understanding of DNS security.

Students should have taken the Basic DNS Course or have over 2 years' exposure to DNS operations.

Additional Notes

This course is designed by Ron Aitchison. Ron is the author of Pro DNS and BIND (Apress ISBN 1-59059-494-0), which was the first book to cover the new DNS security protocols (DNSSEC). Ron has been involved in communications and networking for more years than he cares to admit and is president and founder of Zytrax, Inc., a company specializing in IP communications (wired and wireless), systems development and consulting in Montreal, Canada. He has been involved with Open Source systems for over 10 years.

Outline
DNS Refresher

  • The DNS hierarchy (name servers and resolvers)
  • Authoritative and cached responses
  • Delegation - Parent and child domains
  • Forward and Reverse mapping
  • DNS types
  • DIG
  • DNS software - options and overview

DNS and Telephony

  • VoIP overview (SIP, H.323)
  • The SRV RR
  • ENUM overview
  • The NAPTR RR
  • Exercise

DNS Security Basics

  • Security overview
  • Security threat analysis
  • DNS security scope (Zone transfer, DDNS, zone integrity)
  • Stealth configuration
  • BIND's view clause
  • Administrative security (jails, permissions, server configurations)
  • BIND Logs
  • BIND's server clause

Cryptographic Introduction

  • DNS usage of modern cryptography
  • Symmetric cryptography
  • Asymmetric cryptography
  • Message digests
  • Message authentication codes (MAC)
  • Digital signatures
  • Key Management
  • The KEY RR
  • BIND's key generation tools

Securing Zone Transfers

  • Methods - allow-transfer, TSIG, SIG(0) and TKEY
  • The TSIG (symmetric cryptography) process
  • Exercise
  • The OPT meta (or pseudo) RR

Securing DDNS

  • Methods - allow-update, update-policy, TSIG and SIG(0)
  • The SIG(0) (asymmetric cryptography) process
  • Exercise
  • The SIG RR

Zone Integrity

  • The DNS security environment
  • Security-aware and security-oblivious
  • Securing zones - zone signing
  • Chains of trust and islands
  • Key rollover and maintenance
  • Current implementation status
  • Alternate chains of trust - DLV

Zone signing

  • Zone and key signing keys
  • The DNSKEY, NSEC, NSEC3, RRSIG and DS RRs
  • The dnssec-signzone utility
  • Exercise

Key rollover and Maintenance

  • Double signing
  • Pre-publish
  • Exercise
  • Tools and utilities

Summary

  • DNS and Telephony
  • DNS and AD (Windows)
  • Security best practices
  • DNS resources
  • DNS software