Dynamic DNS Keeps Names Up to Date

Before DDNS was widely available in DHCP and DNS products, many enterprises used proprietary methods to update DNS. These approaches are OK, but often are self-contained and difficult to support and maintain. You'd do better to incorporate DDNS products into your infrastructure.

DDNS Up Close

DDNS includes three advanced DNS features: dynamic update, notify and IXFR (incremental transfer).

Dynamic update is the process by which your DHCP server or other IP address service notifies the DNS server of new information. Using a secure connection, the DNS server is told, for instance, that workstation-bill.accounting.example.com is now at IP address 10.35.99.124. The DNS server remembers this information, discards the old information and begins answering any requests for the name of 10.35.99.124 as workstation-bill.accounting.example.com.Most large organizations have more than one DNS server for redundancy and load sharing. In DNS terms, a zone is one of the parts of a DNS entry separated by a period: .accounting.example.com, for example. DNS information is stored and transferred relative to this zone. Internet Systems' BIND (Berkeley Internet Name Daemon) open-source DNS server software, for instance, typically updates a secondary DNS server's zone records every 15 minutes from its primary server, which doesn't give you real-time information. But the zone-notify feature of DDNS fixes that: The primary DNS server notifies secondary DNS servers of the new, updated version of the DNS zone records. The secondary DNS server then knows it needs to fetch an updated copy of the zone file so its configuration matches the new values on the server.

If you're not using DDNS, you have to transmit the entire copy of the zone to get that information across. This causes a problem for fully dynamic DNS entries--if you have a large or rapidly updating DNS zone, your servers will become bogged down. With DDNS' IXFR feature, the secondary server asks the primary server only for incremental changes. If you have 10,000 DNS entries in your zone file, for example, and only three have changed, these three are sent from the primary to the secondary servers, rather than the entire zone.

Open Source and Commercial Servers

If you want to deploy a DNS server in a large network, the safest bet is to use BIND server software. It is well-supported and stable.

There are commercial DDNS products as well, which typically go beyond just DNS management and handle overall IP address management, too. Some examples include Infoblox Network Identity appliances, Lucent Technologies VitalQIP software and MetaInfo Meta IP software. These are turnkey solutions to IP address management and DNS/ DDNS services.If you decide to run BIND, make sure it's at least version 9.2. Earlier versions have posed problems (see "Caught in a BIND," below). BIND works on Apple Mac OS X, Linux, Windows and Unix.

Keys Are Key

It is important to update your data securely. If you don't configure your DNS server to check who is sending updates, for instance, an intruder could redirect secure-intranet.example.com to www.i-am-a-hacker.com. Redundancy doesn't help here--with dynamic update and IXFR, your redundant DNS servers just update this bad information quickly.

So be sure to use cryptographically strong keys when configuring DDNS updating. There are two methods for secure DDNS communications: TSIG (Transaction Signature) and SIG(0). TSIG keys are symmetric HMAC-MD5 (Hashing Message for Authentication MD5) keys. Symmetric keys are basically shared secrets. If any machine sending updates to your DNS server is compromised, the cat's out of the bag because each machine and your DNS server share the same key. Still, TSIG keys typically are easy to set up and more widely supported in DNS and DHCP products than SIG(0) keys.

SIG(0) comprises a public/private key pair using any standard cryptographic method. It's more secure than HMAC-MD5, but you'll spend more time getting it to work. Each updater gets its own key, and most client software needs extra configuration to work with SIG(0).You also can have multiple keys in your DNS configuration file, so *.a.example.com could have a key different from that of *.b.example.com. This way, you can limit the potential damage compromised keys can cause. But be careful with permissions. In Internet Systems' BIND, for instance, the keys are in plain text in the configuration files, so you want to make sure the files have the proper permissions so only systems administrators can access them.

If your DDNS data is accessible from the Internet, how long should other Internet DNS servers cache your DDNS information? The length of time any DNS record should be cached is called the TTL (Time To Live). The lower this number, the quicker other Internet DNS servers learn about changes, but the more often they will be asking your DNS servers for information. The higher you make this number, the more out of date your DNS information could be on the Internet. But less frequent updates mean less load on your DNS servers.

Internet Systems' DHCPD, for instance, uses a default TTL of one-half of the DHCP lease time. However, you might want to consider a much lower number. It's not uncommon to use a time-out of about 30 seconds for rapidly changing networks.

During initial configuration, turn on all the logging features of your DNS and DHCP servers. After your DDNS system is up and running, you can dial back the settings to show only the errors you want to see--and can control. For example, DNS generates a lot of logs about poorly configured DNS servers on the Internet that are beyond your control, so there's no need to log all that data.

The next step in building a dynamic IP address updating system is to configure your DHCP server to update the DNS server. Internet Systems' DHCPD is the de facto standard DHCP server, and the current version, 3, sends dynamic updates to DNS. Internet Systems' DHCPD has many options, but pay careful attention to naming restrictions for your client machines, the zone they should be updating to and what to do when a computer isn't providing a host name.How Active Is Your Directory?

Ideally, you would configure Microsoft Active Directory to use DDNS, but that's your choice. Windows 2000 and above use DNS and SRV (service) records instead of WINS for computer name management. The good news: This can all be handled by the same DNS server. The bad news: Your Windows 2000 machines may attempt to alter your DNS server dynamically without your knowledge. Safely integrating them is straightforward but requires a little work.

You can integrate Active Directory into your DNS zone in several ways. You can have Active Directory manage all your DNS; just be part of the DNS that's in the Active Directory forest; or have Active Directory update a standard DNS server through dynamic updates. If you are an all-Microsoft shop and everything is contained within an Active Directory, the most straightforward method is to just use the Windows 2000x DNS services bundled with the OS.

If you want to integrate Active Directory into your existing DNS service, however, you can delegate specific zones to the directory. So *.ad.example.com would be handled by your Active Directory zones, and the rest of your DNS, by another server.

A step up from using Microsoft's DNS services is to delegate the special Active Directory zones from your primary DNS server to the directory server and not use DDNS directly to your main DNS server. These additional zones help the Active Directory servers locate one another as well as help client workstations locate servers. Active Directory will only want _tcp, _udp, _sites and _msdcs at the same name as its root. For example, the entry _msdcs.example.com contains the listing of all AD servers in the forest example.com. (Active Directory stores information on how to find various domain controllers, password servers and so on in that zone.) In this model, AD controls the information it needs.In a full-blown DDNS implementation, Active Directory sends dynamic updates directly to your main DNS server. This is more secure because it centralizes DNS information in one place and results in fewer servers that need patching, updating and monitoring.

Check Your Client

If using DHCP or Active Directory is not feasible for some of your computers that change IP addresses, you may need another tool such as BIND's nsupdate. This program is meant to be used manually or from scripts for directly updating DNS information (you could use it for DDNS updating without DHCP, for instance). Nsupdate uses standard input and output to update DDNS entries. You can find a simple script using nsupdate that lets a Linux machine update its IP address directly at www.knuthaugen.no/linux/ddns/.

Beware that Microsoft Windows 2000 and XP standalone workstations will try to register themselves automatically with the Active Directory-style DDNS entries on login and then hourly. If your DNS server is not configured to allow this, it may be causing lots of unnecessary traffic and error log entries. To disable automatic registration by 2000 and XP machines, set HKEY_LOCAL_MACHINESystem CurrentControlSetServicesNetlogonParameters UseDynamicDns to 0x0 (it defaults to 0x1). You can disable this by machine through the advanced DNS settings for the TCP/IP stack in the Windows Control panel settings for your network card. This will prevent the Windows 2000 or XP machine from attempting to send DDNS updates.

With the proper setup, DDNS can reduce your IP address-management workload and provide detailed and consistent information to the services on your network. You'll finally be able to update your name information dynamically while configuring your network with DHCP.Jeff Ballard is the Unix systems manager for the Computer-Aided Engineering Center at the University of Wisconsin-Madison. Send your comments on this article to him at [email protected].

There have been several incidents this year of DNS cache poisoning, with Internet Systems' BIND DNS server software acting as a forwarding name server.

A DNS server can be optimized to use another, larger name server--typically your ISP's DNS server--as the first source for DNS information on the Internet. A forwarding name server is helpful because it greatly decreases the turnaround time for answers to DNS queries.

But a weakness in the DNS RFC specification could leave you vulnerable to DNS cache poisoning. In cache poisoning, the attacker redirects information about a well-known site such as www.nwc.com to a server he or she controls. The DNS server is tricked into getting information on www.nwc.com from the rogue ns1.i-am-a-hacker.com server, for example. So it always goes to the fake server for information on www.nwc.com. If www.nwc.com were your banking Web site, for instance, the attacker could steal all your financial information.

Although this hole was patched when it was discovered more than 10 years ago, BIND versions 4 and 8 acting as a forwarding name server will pass on this bad information. So if your ISP's DNS server runs BIND 4 or 8, and you are using it as a forwarding name server, you could be receiving rogue data.The best bet is to use at least a BIND 9.2 server, which is immune to this cache poisoning, as your forwarding name server and for your internal DNS servers as well.

Dig is a handy, all-purpose command-line tool in the Internet Systems' BIND suite. Here's an example of its useful features:dig @a.root-servers.net . ns > named.root

This command gives you a new named.root file. Root name servers don't move much, so you can run this once a month to keep this file up to date. Your DNS server must know about those root name servers so it can ask for DNS information.

Another tool is the chaos query, which gives you the currently running version of the DNS server. Add @192.168.0.1 to get the version at a specific DNS server:

dig version.bind txt chaos0