Typical Internet Connectivity Design

With these security concerns now established, let's look at a typical Internet connectivity design and specifically at the way the DNS servers would be configured. Below is a diagram of a typical large company which has several internal and external resources which require DNS services.

There are several items which should be noted about this example network before we begin discussing the DNS configurations. These items are:

With these details in mind, let's look at how this would affect the DNS architecture. We will go through the thought process of configuring the external DNS server first and then we will discuss the internal DNS server.

External DNS Server Configuration

After installing the DNS service on the Windows NT Server-based machines (that is dns-server1 and dns-server2), we use the Microsoft DNS Manager tool to create a primary zone for domain acme.com and a reverse lookup primary zone for 100.250.192.in-addr.arpa on dns-server1. This will create an SOA record which contains the primary name server "dns-server1.acme.com." and the e-mail address for the administrator of the DNS server "web-master@acme.com" as well as a separate NS record for dns-server1. Since the remaining default parameters for this zone are sufficient, we will not modify them and the defaults will be placed in the SOA record.

The following additional records must be created in the acme.com domain and should be done with the "Create Associated PTR Record" enabled where applicable.

Name server records (NS) should be created for dns-server2 and dns13.my-isp.com. Mail exchange records (MX) should be created for mail-server1 and mail-server2. We will set the preference for both of these to 10 for equal load balancing. Address records (A) should be created for each of the computers which connect directly to the "Exposed Internet Network."

The actual name of the gopher server in our example is "gopher-server1.acme.com". The de facto standard for supplying services on the Internet is to serve them on computers with host names that correspond to the service being supplied. To allow users to easily locate our gopher service by connecting to the standard "gopher.acme.com", we will use a canonical name (that is, an alias) for this server. To do this, we create a canonical name record (CNAME) for "gopher" and associate it with "gopher-server1".

Since there are multiple mirrored web servers and FTP servers providing services to external users, there needs to be a way of grouping these so that load balancing across the servers can occur. There are several ways to do this with "round robin" techniques. The method which we will use here is to associate each of the mirrored servers with the same alias name. We will use the popular names of the services as the alias (that is www, FTP, etc.) which will allow easier location of the services by users. To do this, we create a canonical name record (CNAME) for each of the mirrored servers with the service name as the alias and the server name for the host. With this arrangement, each query to a particular DNS server for a particular server name using its alias (that is www.acme.com), will return the list of servers in a "round robin" fashion with a different server being listed first in the list each time. Since most resolvers try the first returned entry first, as described previously in this paper, this will provide load balancing between servers.

Once this zone has been set up on the primary DNS server, the acme.com and 100.250.192.in-addr.arpa zones should be created on the secondary DNS servers. These secondary zones should point back to the primary DNS server as the master for zone transfers.

Here is the resulting zone file for the external DNS servers:

;-----------------------------------------------------------------------------------
;
; Database file acme.dns for acme.com. zone. (External DNS Server)
;  Zone version: 10
;

@     IN    SOA    dns-server1.acme.com.    web-master.acme.com.    (
      10    ; serial number
      3600    ; refresh
      600    ; retry
      86400    ; expire
      3600    ) ; minimum TTL

;
; Zone NS records
;

@      IN    NS    dns-server1
@      IN    NS    dns-server2
@      IN    NS    dns13.my-isp.com.

;
; Zone records
;

@      IN    MX    10    mail-server1
@      IN    MX    10    mail-server2
dns-server1    IN    A    192.250.100.11
dns-server2    IN    A    192.250.100.12
FTP-server1    IN    A    192.250.100.41
FTP-server2    IN    A    192.250.100.42
gopher-server1    IN    A    192.250.100.31
mail-server1    IN    A    192.250.200.81
mail-server2    IN    A    192.250.200.82
proxy-server1    IN    A    192.250.100.101
proxy-server2    IN    A    192.250.100.102
proxy-server3    IN    A    192.250.100.103
;
www-server1    IN    A    192.250.100.21
www-server2    IN    A    192.250.100.22
www-server3    IN    A    192.250.100.23
www-server4    IN    A    192.250.100.24
;
FTP      IN    CNAME    FTP-server1
FTP      IN    CNAME    FTP-server2
;
gopher    IN    CNAME    gopher-server1
;
www    IN    CNAME    www-server1
www    IN    CNAME    www-server2
www    IN    CNAME    www-server3
www    IN    CNAME    www-server4
;
;-----------------------------------------------------------------------------------

Internal DNS Server Configuration

After installing the DNS service on the Windows NT Server-based machines (that is dns-internal1 and dns-internal2), we use the Microsoft DNS Manager tool to create a primary zone for the internal domain acme.com and a reverse lookup primary zone for 200.55.157.in-addr.arpa on dns-internal1. This will create an SOA record which contains the primary name server "dns-internal1.acme.com." and the e-mail address for the administrator of the DNS server "web-master@acme.com" as well as a separate NS record for dns-internal1. Since the remaining default parameters for this zone are sufficient, we will not modify them and the defaults will be placed in the SOA record.

After creating these zones, we will enable WINS Lookup on the acme.com zone and enter the IP addresses of the two internal WINS servers. This will create a WINS record (WINS) in this zone file. We will also enable WINS Reverse Lookup on the 200.55.157.in-addr.arpa zone and enter the DNS host domain as "acme.com.". This will create a WINS reverse lookup record (WINS-R) in this zone file.

The following additional records must be created in the internal acme.com domain and should be done with the "Create Associated PTR Record" enabled where applicable.

A name server record (NS) should be created for dns-internal2. Address records (A) should be created for each of the computers which connect directly to the "Isolated Corporate Network" which are not WINS clients. It may be that all of the servers within the corporate network are WINS aware and therefore no static entries would be needed, but just to show how you can mix static entries with WINS, we will statically define the proxy servers and the DNS servers in the DNS zone file. We will also create a "localhost" address record for the local address 127.0.0.1.

Since there are multiple mirrored web servers providing services to internal users, we will use the "round robin" technique using canonical names as we did on the external network and associate these mirrored servers with "corpweb.acme.com". The difference here is that there are no associated address records (A) for the internal Web servers (that is www-internal1, www-internal2, www-internal3) since these are WINS clients and the DNS server will query the WINS server for these addresses when needed.

Once this zone has been set up on the primary DNS server, the acme.com and 200.55.157.in-addr.arpa zones should be created on the secondary DNS server. These secondary zones should point back to the primary DNS server as the master for zone transfers.

Here is the resulting zone file for the internal DNS servers:

;-----------------------------------------------------------------------------------
;
; Database file acme.dns for acme.com. zone. (Internal DNS Server)
;  Zone version: 12
;

@      IN    SOA    dns-internal1.acme.com.    web-master.acme.com.    (
      12    ; serial number
      3600    ; refresh
      600    ; retry
      86400    ; expire
      3600    ) ; minimum TTL

;
; Zone NS records
;

@      IN    NS    dns-internal1
@      IN    NS    dns-internal2

;
; WINS lookup record
;

@      IN    WINS    157.55.200.91 157.55.200.92

;
; Zone records
;

dns-internal1    IN    A    157.55.200.11
dns-internal2    IN    A    157.55.200.12
proxy-server1    IN    A    192.250.100.101
proxy-server2    IN    A    192.250.100.102
proxy-server3    IN    A    192.250.100.103
localhost    IN    A    127.0.0.1
;
corpweb     IN    CNAME    www-internal1
corpweb     IN    CNAME    www-internal2
corpweb     IN    CNAME    www-internal3
;
;-----------------------------------------------------------------------------------
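The checks below are an added example written for the two zone listings in this paper; they are not code from the paper or from the Windows NT DNS service. The script parses the one-line record layout used above ("owner IN TYPE rdata"), verifies that every in-zone NS name has a glue A record, verifies that the external zone exposes no address from the isolated corporate network (157.55.200.0/24 here), and models the rotating answer order that the round-robin CNAME entries for "www" and "corpweb" produce; the embedded zone text is a constructed subset of the external listing.

```python
"""Sanity checks for the split acme.com zones (added example, not the paper's code)."""
import ipaddress
import re

# Constructed subset of the paper's external zone file, in the same one-line layout.
EXTERNAL_ZONE = """
@      IN    NS    dns-server1
@      IN    NS    dns13.my-isp.com.
@      IN    MX    10    mail-server1
dns-server1    IN    A    192.250.100.11
mail-server1   IN    A    192.250.200.81
www-server1    IN    A    192.250.100.21
www-server2    IN    A    192.250.100.22
www            IN    CNAME    www-server1
www            IN    CNAME    www-server2
"""
INTERNAL_NET = ipaddress.ip_network("157.55.200.0/24")  # isolated corporate network
RR_LINE = re.compile(r"^(\S+)\s+IN\s+(NS|A|MX|CNAME|WINS)\s+(.+?)\s*$")

def parse_zone(text):
    """Return (owner, type, rdata) tuples. ';' comments, blank lines and the SOA
    block (its continuation lines start with whitespace) do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_LINE.match(line.split(";", 1)[0])
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3)))
    return records

def missing_glue(records):
    """In-zone NS targets (no trailing dot) that lack an A record, so the zone
    cannot be served for them. Out-of-zone names like dns13.my-isp.com. are ignored."""
    has_a = {o for o, t, _ in records if t == "A"}
    return sorted({r.lower() for _, t, r in records
                   if t == "NS" and not r.endswith(".") and r.lower() not in has_a})

def leaked_internal(records):
    """A records pointing into the internal network; must be empty in the external zone."""
    return [(o, r) for o, t, r in records
            if t == "A" and ipaddress.ip_address(r) in INTERNAL_NET]

def round_robin(records, alias, queries):
    """Model the rotating answer order for an alias with several CNAMEs: query i
    returns the targets rotated left by i, so a different server is listed first."""
    targets = [r for o, t, r in records if t == "CNAME" and o == alias.lower()]
    if not targets:
        return []
    return [targets[i % len(targets):] + targets[:i % len(targets)]
            for i in range(queries)]
```

Several CNAME records on one owner name is accepted by the NT DNS service shown here but is forbidden by RFC 2181 section 10.1, so a server such as BIND will reject this zone when it is migrated; multiple A records on the alias name itself give the same round-robin effect portably.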