It is crucial to be aware of security issues. Especially when you think of the importance the Internet plays today and how it influence on your network.
Simple Failover provide update possibility to DNS servers through four different methods to the DNS servers it is monitoring. In this section we will describe some of the common security issues related to maintaining a DNS system, either in your own network or by an ISP. We will also try to give you an idea of how solutions to mentioned issues can be construction.
Security issues and solutions
In today's often hectic and chaotic world, it can sometimes be difficult to keep up with the security issues on the diverse network systems. Simple Failover has built-in features
The DNS servers you want to update with requests performed by Simple Failover can call for security settings in the update string.
Users, and in this case - Simple Failover is asked to provide user name and password to authenticate through security mechanism on the DNS server and on Simple Failover.
Standard dynamic DNS updates
If you open your DNS server for standard dynamic updates, then it is open for anyone. This leaves the DNS database insecure. Nobody wants to enable their network for "hijackers" and loose control to unknown "outsiders". The conclusion is to only use this method in an otherwise secure environment, such as an intranet.
If you decide to use the standard dynamic DNS updates method, you also need to solve and protect the web services from the security problems related to the method, by defining which IP addresses that are allowed to perform the updates. An example of this protection method can be seen in the section: Simple DNS Plus.
Standard dynamic DNS updates with restricted update possibility
The protection through a defined list of which IP addresses are allowed to perform the updates can also raise problems. The restriction method is easy to spoof if you know the IP address of a trusted host and change the IP packet header. The system that checks for a valid IP address validates the IP address by looking in the packet header. If the trusted IP address is contained in the header, then the originator is trustworthy! There is no connection check and this renders the solution very vulnerable. The check is performed at the packet header and not on the originator.
The solution to this problem can be a change in the way you run a DNS system. Normally it is running over UDP protocol of IP networks. To make enhance security, you can run DNS over the TCP protocol instead of the UDP protocol. Even this is actually not a solution, because the TCP packets can also be spoofed. It is just more cumbersome to act as a sender of spoofed packets.
This is not possible to secure a DNS update unless you select to combine the DNS update with other security mechanism.
The conclusion is to place Simple Failover behind a firewall on the same side as the DNS server. Otherwise would dynamic DNS updates from internal IP addresses, send from outside the firewall be considered as spoof attacks and rejected by today's typical firewalls.
If you want to make the dynamic DNS updates over the Internet, you're advised to use a VPN connection and gain from the security tools provided by VPN and thereby being virtually on the same side of the firewall in the network.
To connect to a non-secure DNS server, you only have to enable standard dynamic DNS update and as stated previously being on the same physical network behind a firewall.
The mechanisms Simple Failover uses to connect to a secure DNS server is defined in RFC2136 - DNS Update.
To connect to a secure DNS server, you have to prepare your systems in advance to let both the client advertise the correct tokens and let the servers recognize the tokens.
Security issues when Simple Failover cannot see any Web services
What happens if Simple Failover is unable to see any servers running a Web service that Simple Failover tries to poll? What will Simple Failover try to update then?
The answers to the questions are divided between different solutions.
|- The most common reason to the problem is that Simple Failover have lost the connection to the network or the Internet, thus is also unable to perform any updates. The result is therefore that no changes is made at all to any Server Sets in this situation.
|- Simple Failover will try to take the next server in the list and poll if it is available, or select a server from a Round Robin list if configured. Simple Failover will continue the cycling of poll-tests on Server Sets until it can connect with at least one server, and then all the DNS requests to that Server Set will be redirected to the server available. If a server in a Round Robin list becomes unavailable, the server is then taken out of the Round Robin list until it is reachable again.
BESKRIVELSE via tegning.
INTERNET -> DMZ (Slave/Secondary) DNS -> Internal (AD DNS) + SFO. AD DNS kan kun acceptere interne DNS opdateringer. Der må kun komme opdateringer den anden vej til DMZ slaven. Alle internet brugere spørger KUN dmz-fætteren.
Se JH's flotte tegning.