DNS Configuration Types
Most DNS servers are schizophrenic: they may be masters (authoritative) for some zones, slaves for others, and provide caching or forwarding for all others. Many observers object to the concept of DNS types, partly because of the schizophrenic behaviour of most DNS servers and partly to avoid confusion with the named.conf zone parameter 'type' (which only allows master, slave, stub, forward and hint). Nevertheless, the following terms are commonly used to describe the primary function or requirement of DNS servers.

Notes
- Running a DNS server that answers recursive queries from external users when it does not need to (an Open DNS) is a bad idea. While it may look like a friendly and neighbourly thing to do, it carries with it the real possibility that the server will be used in DDoS attacks, as well as an increased risk of cache poisoning. The various configurations have been modified to ensure that the DNS stays Closed to non-permitted users.
- One of the basic rules of security is that only the minimum services necessary to meet the objectives should be deployed. This means that a secure DNS server should provide only a single function, for instance, authoritative only, or caching only, not both capabilities in the same server. This is a correct but idealistic position, generally possible only in larger organizations. In practice many of us run mixed mode DNS servers. While much can be done to mitigate any security implications it must always be accepted that, in mixed configurations, increased risk is the downside of flexibility.
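The two notes above in BIND 9 terms, as an added example that is not part of the original page: the Open DNS setting is shown commented out beside a Closed configuration that serves recursion only to permitted users while still answering authoritative queries for its own zone. The 192.0.2.0/24 range, 192.0.2.53 and example.com are placeholders, not values from the page.

```conf
// Added example (not from the original page): a BIND 9 named.conf
// fragment contrasting an Open DNS with a Closed, mixed-mode server.
// 192.0.2.0/24 (documentation range) stands in for "our own clients";
// example.com and 192.0.2.53 are placeholders.

// --- WEAK: an Open DNS. Any host on the Internet may use this server
// for recursive lookups, so it can be abused in amplification DDoS and
// is more exposed to cache poisoning.
// options {
//     recursion yes;
//     allow-recursion { any; };
//     allow-query { any; };
// };

// --- CLOSED: recursion only for permitted users. Non-recursive
// (authoritative) answers for our own zone are still given to anyone,
// which is what a mixed-mode master/slave needs.
acl "trusted" {
    127.0.0.1;          // the server itself
    ::1;
    192.0.2.0/24;       // placeholder: our internal clients
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { trusted; };   // recursive service: trusted only
    allow-query-cache { trusted; }; // cached answers: trusted only
    allow-query { any; };           // authoritative answers: everyone
    allow-transfer { none; };       // zone transfers are opted in per zone
};

// For the single-function "authoritative only" ideal described above,
// replace the three recursion-related lines with:  recursion no;

// Authoritative data: public zone, transfers only to its slave.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { 192.0.2.53; }; // placeholder: the slave's address
};
```

`named-checkconf` validates the syntax before a reload; afterwards, a recursive query for a name outside your own zones sent from a non-trusted address should come back REFUSED, while a query for example.com is still answered.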
Contents

- Master (a.k.a. Primary) DNS Server
- Slave (a.k.a. Secondary) DNS Server
  - But Slaves can also be Masters
- Caching (a.k.a. Hint) DNS Server
- Forwarding (a.k.a. Proxy, Client, Remote) DNS Server
- Stealth (a.k.a. DMZ, Split or Hidden Master) DNS Server
- Authoritative only DNS Server
- Split Horizon DNS Server