Objective 1.11
Scope Options
• A DHCP scope is a set of configurations for a particular network segment• The scope is defined by its base network address and subnet mask• Scope options are additional information for the clients:• Address of the default gateway• Domain name to be used (a favorite technique of ISPs)• Address of the WINS server (deprecated Microsoft LAN name resolution server)• NetBIOS node type (deprecated)• Scopes also have other configuration options such as lease time, reservations, and exclusions• A DHCP server will have one scope for each network segment/subnet it services
DHCP Pool
• A block of available IP addresses for a particular DHCP scope• May or may not include the entire range of possible addresses for that subnet• Probably has a few addresses excluded from the pool
DHCP Relay Agent/IP helper
• A hardware device or software program that can pass DHCP or BOOTP messages between DHCP clients and servers• Necessary if the DHCP server is on a different subnet from its clients• Most routers can be configured as DHCP relay agent
Internet Protocol Address Management (IPAM)
• A method of automatically tracking and managing IP address usage in your enterprise• You can monitor and ascertain:• Free IP address space exists• Subnets that are in use are as expected and who is using them• The status of each IP address (permanent or temporary)• Default routers that the various network devices use them• The host name associated with each IP address• The specific hardware associated with each IP address
Internal vs. External DNS
• An External DNS server contains only records that the general public needs to know:• Web server• Mail exchanger• Public DNS servers• An Internal DNS server contains all of the private DNS records that the company uses (for all of the internal servers and resources)• It might also include public records for internal clients that need to go out to the Internet to access those services
Record Types
• Domain Name Services contain:• Resource Records• Information Types• Other and Pseudo Records
Canonical Name (CNAME)
• Domain name aliases• Computers on the Internet often performs multiple roles such as web-server, ftp-server, chat-server etc..• To mask this, CNAME records can be used to give a single computer multiple names (aliases)• For example, a server may be both a web-server and an ftp-server, so two CNAME records configured• You also need the original A record to find out the actual IP address of the host• The CNAME records point to the A record• This way, you only need to update one record if the IP address changes
DHCP Process Time to Live (TTL)
• During the lease process a DHCP client sends a request for IP information• If no DHCP server responds to the client request, the client sends DHCP Discover messages at intervals of 0, 4, 8, 16, and 32 seconds, plus a random interval of between -1 second and 1 second. • If there is no response from a DHCP server after one minute, the client can proceed in one of two ways:• If the client is using the Automatic Private IP Addressing (APIPA) alternate configuration, the client self-configures an IP address for its interface.• If the client does not support alternate configuration, such as APIPA, or if IP autoconfiguration has been disabled, the client network initialization fails
Forward vs. Reverse Lookup
• Forward lookup = you know the name but you need the IP • Reverse lookup = you know the IP but you need the name• Nslookup is a useful command line tool to query a DNS server• It uses reverse lookups• You won't be able to use it to query a DNS server that does not have a reverse lookup zone configured
IP Exclusions
• IP addresses in a subnet range that are set aside for static configuration• Ensures that these addresses are not accidentally leased out to clients• Exclusions often include the first 10, 20, or even more IP addresses in a subnet• These addresses are then used to statically configure the router, switches, servers, printers, etc
DHCP DORA Lease Process
• Layer 2 Broadcast• Lease can be limited time or indefinite• Lease will include:• IP Address• Subnet Mask• Lease can include options:• Default Gateway• DNS Server(s)• DNS Domain Name• Other options
Domain Name System
• Maps IP addresses to "friendly" host names• Exists for human convenience• Allows IP addresses to change• Places all organizations in a single hierarchy• Uses a hierarchical naming scheme• Distributed database management and name lookup permits organizations to manage their own records
Service (SRV)
• Specifies the location of a service• The record is made of 3 parts:• Service• Protocol (usually TCP/UDP)• Domain name• A common implementation is in Active Directory• SRV records point to the domain controllers responsible for the various roles
TXT (SPF, DKIM)
• TXT (Text) records contain free form text of any type• A fully qualified domain name may have many TXT records• TXT records usually easily read information about a server, network, data center, or other information• The most common uses for TXT records are:• Sender Policy Framework (SPF)• DomainKeys (DK)• DomainKeys Identified E-mail (DKIM)• An SPF record is a type of DNS record that identifies which mail servers are permitted to send email on behalf of an organization• DKs are a deprecated e-mail authentication system• Verify the domain name of an e-mail sender and the message integrity• DKIM is an email authentication method designed to detect email spoofing
DNS Hierarchical Structure
• The DNS hierarchy is comprised of the following elements• Root Level, Top Level Domains, Second Level Domains, Sub-domain, and Hosts• The DNS root zone is the highest level in the DNS hierarchy tree• It answers the requests for records in the root zone• Provides a list of authoritative name servers for the appropriate TLD (top-level domain)• They are the first step in resolving a domain name• The next level in the DNS hierarchy is Top level domains (there are many)• They are organizational hierarchy and geographic hierarchy • The next level in the DNS hierarchy is Top level domains (there are many)• They are organizational hierarchy and geographic hierarchy• The next level in the DNS hierarchy is the Second Level Domains• This includes the main part of the domain name• The sub-domain is the next level in the DNS hierarchy• The sub-domain can be defined as the domain that is a part of the main domain• The only domain that is not also a sub-domain is the root domain
Name Server (NS)
• The DNS servers that are authoritative for a zone• Have a copy of the database• A zone should contain one NS-record for each of its DNS servers (primary and secondary servers)• This is important for zone transfer (replication) purposes• NS records have the same name as the zone in which they are located.• A very important function of the NS-record is delegation• A DNS server that is higher up in the name space tree points down to the next DNS server that has the records for an independent child domain• For example, the .com DNS server delegates control to the Microsoft.com server
DHCP Lease Time
• The length of time (in days or hours) that a client may use the IP address• The client is responsible for enforcing the lease and attempting to renew the lease before the lease time is up• If a client does not renew its lease, the DHCP server marks the address as potentially unused• Eventually the IP address is returned to the pool for another client to use
A, AAAA
• The most basic type of DNS record • Map friendly names to IP addresses• The AAAA (also quad-A record) specifies IPv6 address for given host• It works the same way as the A record
Pointer (PTR)
• Used for reverse lookups • Maps IP addresses to friendly names• The reverse of what A-records and AAAA-records do• An IPv4 PTR record shows the IP address in reverse, with "in-addr.arpa" appended to the end• An IPv6 PTR record shows each hex digit of the IP address in reverse order• dots between each digit• "ip6.arpa" appended to the end• PTR records are often used for security• A node using an IP address must be able to identify the domain it's from
Mail Exchanger (MX)
• Used to specify the e-mail server(s) responsible for a domain name• Each MX-record points to the name of an e-mail server and holds a preference number for that server• If a domain name is handled by multiple e-mail servers, a separate MX-record is used for each e-mail server• You also need the A record to know the actual IP address of the server
Network Time Protocol (NTP)
• Used to synchronize the clocks of computers over a network• The NTP client initiates a time-request exchange with the NTP server, then creates a link• Once synchronized, the client updates the clock about once every 10 minutes, usually requiring a single message exchange• NTP servers, of which there are thousands around the world, have access to highly precise atomic clocks and GPS clocks• A typical implementation is to have a local NTP server• Synchronizes with a public service• Then synchronizes all internal servers• Active Directory PDC Emulator domain controller is an example
Third-party/Cloud-hosted DNS
• You can outsource the management of your DNS servers to a third party• Most commonly done for public records• Also done as part of a cloud deployment• Advantages:• Faster resolution of external facing servers• Internal to external resolution• Better security and protection against newest threats• Redundancy to avoid single-points of failure• Disadvantages:• You might not have direct control over the records• You might have to request the provider update the records for you, resulting in delay times
MAC Reservations
• You can reserve specific IP addresses in a DHCP pool for particular hosts• Based on MAC addresses• When the host broadcasts a discover message, the DHCP server checks to see if its MAC address matches any of the reservations• This ensures that the same MAC always gets the same IP address• Useful if you need to ensure that servers always have the same IP address, but that other DCHP configuration options might be updated