
DNS and DHCP Best Practices - Architectures That Work

Executive Summary

Security, performance and availability are fundamental design objectives for virtually every IP network. There are a number of recommended best practices that help network architects achieve these goals. This paper examines best practices related to DNS and DHCP, key services that enable modern IP networks.

For external DNS:

  • Configure the external primary DNS server as a hidden master. This configuration protects the primary server, provides maximum performance, and increases tolerance to failure. Where possible, deploy primary servers in high-availability clusters.
  • Deploy secondary servers in geographically-dispersed data centers to avoid a single point of failure scenario. Placing secondary servers within the corporate demilitarized zone (DMZ) minimizes the types of data traffic to which they are exposed, affording greater security.
  • Secure zone transfers using access control lists (ACLs) and transaction signatures (TSIGs). These security measures deter potential attackers.
  • Disable recursion on external servers to eliminate the risk of cache poisoning.
  • Run DNS in a chroot jail to sandbox potential attacks and minimize damage.
  • Hide information that indicates the version of DNS server software deployed. This information benefits attackers who can exploit known vulnerabilities.
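The external-DNS checklist above, turned into a configuration audit. This is an added example, not part of the whitepaper or of BlueCat's products: a short Python script that lints a BIND-style named.conf fragment (the BIND syntax is an assumption, since the paper names no server software) for the settings the checklist calls for: recursion disabled, version string hidden, zone transfers restricted by ACL and requiring a TSIG key. The two configurations embedded in it are constructed samples, one left at permissive defaults and one set up as a hidden master; the zone name, addresses, key name and secret are placeholders.

```python
"""Lint a BIND-style named.conf fragment against the external-DNS checklist:
recursion disabled, version string hidden, zone transfers limited by ACL and
signed with TSIG.  Added example with constructed configs; not a BlueCat tool."""
import re

# Constructed sample: an exposed external primary left at permissive defaults.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Constructed sample: hidden master that only pushes to two named secondaries.
# Keeping the master out of the zone's NS RRset is what actually hides it;
# that lives in the zone file, not here, so this lint cannot check it.
HARDENED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";   # placeholder, generate with tsig-keygen
};
options {
    directory "/var/named";
    recursion no;                    # authoritative only: no cache to poison
    version "not disclosed";         # do not advertise the software version
    allow-transfer { none; };        # deny transfers unless a zone allows them
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   # secondaries must present the TSIG key
};
"""


def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot confuse the matching."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def top_blocks(conf):
    """Yield (header, body) for every top-level `header { body };` statement."""
    depth, start, header_start = 0, 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                header = conf[header_start:start].strip().strip(";").strip()
                yield header, conf[start + 1:i]
                header_start = i + 1


def setting(body, name):
    """Return the value of `name value;` or `name { ... };` inside a block."""
    m = re.search(r"\b" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]+);", body)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return a list of findings; an empty list means the checklist is met."""
    blocks = dict(top_blocks(strip_comments(conf)))
    opts = blocks.get("options", "")
    findings = []
    if setting(opts, "recursion") != "no":
        findings.append("recursion is not disabled; an external authoritative "
                        "server should not answer recursive queries")
    if setting(opts, "version") is None:
        findings.append("version string is not overridden; the software version "
                        "is disclosed to anyone who asks")
    for header, body in blocks.items():
        if not header.startswith("zone "):
            continue
        # A zone-level allow-transfer overrides the global one.
        xfer = setting(body, "allow-transfer") or setting(opts, "allow-transfer")
        tokens = re.findall(r"[\w-]+", xfer or "")
        if xfer is None or "any" in tokens:
            findings.append(f"{header}: zone transfers are unrestricted")
        elif "none" in tokens:
            continue  # transfers denied outright
        elif "key" not in tokens:
            findings.append(f"{header}: transfers limited by address only; "
                            "require a TSIG key as well")
        else:
            keyname = tokens[tokens.index("key") + 1]
            if f'key "{keyname}"' not in blocks:
                findings.append(f'{header}: TSIG key "{keyname}" is not defined')
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Running the script reports three findings for the permissive configuration and none for the hidden master. The chroot recommendation is an operating-system and service-startup setting rather than a named.conf directive, so it is outside what this lint can see.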

For internal DNS:

  • Locate internal DNS servers on the internal network, behind a firewall.
  • Use virtual private networks (VPNs) to connect remote users to internal resources.
  • To enhance performance and reliability, consider using a hidden master for the internal primary DNS server.
  • Where possible, deploy secondary servers locally at each site to preserve WAN bandwidth. An analysis of bandwidth requirements – the frequency of DNS queries on the local WAN link – can help determine whether small sites warrant secondary servers.
  • As alternatives to secondary servers, consider stealth secondary servers or caching-only servers for small sites. These require less network bandwidth.
  • The size and complexity of the internal DNS affects your design decisions. Consider deploying internal root servers for large, distributed networks, or those with complex namespaces. Internal root servers can enhance scalability, efficiency and control.

For caching servers:

  • Use forwarders to separate authoritative services from caching services. Forwarding builds a centralized cache, which improves performance.

For DHCP:

  • The number of DHCP servers you deploy depends greatly on the requirements of your organization. Carefully plan your DHCP deployment to ensure maximum reliability and scalability.
  • To ensure service availability and eliminate single points of failure, deploy DHCP servers in redundant, failover configurations using DHCP Failover.

Adopting these best practices will help reduce service outages and enhance network security considerably.

© 2001-2010 BlueCat Networks - All Rights Reserved