This page is a brief look into DNS, the Domain Name System or Domain Name Service, as I needed it to get the Winroute firewall configured, in particular the rules regarding incoming and outgoing connections, to make sure that DNS would still function after I set up the firewall. It can be read independently of the firewall pages as well.
Here's an excellent exposé on the Domain Name System, written by a fellow student, Hans Jonkers. It explains what DNS is, and then goes into setting up a Domain Name Server in a Windows 2000 domain. It's in Dutch (if you don't know Dutch you may want to look up the links).
In brief: nodes on a network find each other by IP address. For the human users, these numeric addresses are hard to remember, so humans prefer to use alphanumeric addresses: www.playboy.com instead of 223.99.121.15, pop3.ticali.be instead of 212.35.35.4. For a computer to know which address to connect to, it needs to resolve the names, i.e. look up the address that matches the name. On a not too big, isolated network, this can be done by making a list of addresses and corresponding names, and having the system read from that file. This is the 'hosts' file.
On larger networks, this list would get long, and it has to be maintained on every node. To avoid this hassle, the DNS system was invented: servers translate names into addresses (and the other way around: reverse DNS). This is especially handy for the internet. Imagine having to make a 'hosts' file containing all the URLs you want to visit.
The DNS system is hierarchical: authority is delegated from the top-level DNS servers to the lower levels, where servers manage the DNS for a specific domain. Assume you're connected to the internet through an account with Africa Online, and you want to browse to users.telenet.be/mydotcom/. Your browser asks the DNS server of Africa Online (its address is in the network configuration) to find the IP address of users.telenet.be. Africa Online's DNS server will first ask the .be domain name server for the address of a DNS server in the telenet.be zone, and will then ask the DNS server in the telenet.be zone for the address of users.telenet.be. With this address, your browser can connect to the web server at users.telenet.be and request the page /mydotcom/index.htm.
I assume you have a working local area network, and you know how to connect your local network to the internet using a router. The firewall discussed here is Winroute.
Because we use a firewall to block unwanted connections from the internet, we have to make sure that somehow the browsers, mail clients and so on on our LAN can still get name resolution from a DNS server. There are two ways: a DNS server inside the firewall or a DNS server outside the firewall.
An additional problem with DNS is that DNS servers use TCP to communicate among each other, but UDP to communicate with clients. UDP is a bit more complex to handle in a firewall context than TCP, because UDP is a connectionless protocol. There is no 'TCP-like' connection set up, so it's more difficult to set rules about permitting or denying incoming and outgoing packets.
This is a typical situation for a home network: you've used a router to connect your home network to the internet through an account at an Internet Service Provider. Obviously, you'll continue to use your ISP's DNS server(s).
You therefore need to allow DNS queries from the hosts on the internal network to pass through the firewall to the ISP's DNS server (port 53), and allow the reply to come in again. Packet filtering rules:
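As an added illustration (not part of the original page or of Winroute), the following toy filter models the two rules just described: outbound UDP from a LAN host to the ISP's DNS server on port 53, and the reply back in. Instead of leaving every UDP port above 1023 open for replies, it only admits a reply that matches a query it has seen go out; the network prefix, resolver address and transaction ids are constructed values.

```python
# Added example: stateful tracking of outbound DNS queries so that replies
# can be matched instead of opening all UDP ports > 1023 to the world.
import time
from dataclasses import dataclass

LAN = "192.168.1."            # constructed internal network prefix
ISP_DNS = {"10.0.0.53"}       # constructed ISP resolver address(es)
PENDING_TTL = 5.0             # seconds a query stays "expected"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"
    txid: int = 0             # DNS transaction id from the message header

class DnsFilter:
    def __init__(self):
        # (lan_host, lan_port, dns_server, txid) -> expiry time
        self.pending = {}

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def outbound(self, p, now=None):
        """Rule 1: LAN host -> ISP DNS server, UDP port 53. Records the query."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        ok = (p.proto == "udp" and p.src.startswith(LAN)
              and p.dst in ISP_DNS and p.dport == 53 and p.sport > 1023)
        if ok:
            self.pending[(p.src, p.sport, p.dst, p.txid)] = now + PENDING_TTL
        return ok

    def inbound(self, p, now=None):
        """Rule 2: ISP DNS port 53 -> LAN host, only for an outstanding query."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        key = (p.dst, p.dport, p.src, p.txid)
        if p.proto == "udp" and p.sport == 53 and self.pending.pop(key, None):
            return True
        return False          # unsolicited UDP to a high port is dropped
```

Each reply consumes its pending entry, so a second packet with the same source, port and transaction id is dropped, as is anything arriving after the pending entry has expired.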
Additional settings
This situation is somewhat simpler and safer. The hosts on the internal LAN send DNS queries to the DNS server inside the firewall (or in a DMZ). This DNS server resolves the names to addresses, or passes the request on to an external DNS server (your internet provider's DNS server) if it cannot resolve the query. The reply from the external DNS server is sent to the internal DNS server, which passes the information on to the host that requested it.
This is a safer construction because you don't need to allow incoming UDP packets to random ports > 1023, which is in fact a serious hole in your firewall. DNS servers talk to each other on TCP port 53, so that's all you need to allow.
The hosts on the network, of course, need to be configured to use the internal DNS server as their DNS server.
This setup also allows external DNS queries regarding the hosts on your network or DMZ. It can be used by external web browsers to resolve URLs to the web pages on your web server, for instance. If you don't want this, be sure to set up DNS for your domain so that it will not give out this information, or deny the establishing of incoming DNS requests by setting the appropriate packet filtering rule.
Because the 'internal DNS server' situation is safer, but not all home or small office networks run a DNS server, Winroute (and other firewalls) have a feature called 'DNS forwarding'. The DNS forwarder works similarly to an internal DNS server, by caching DNS requests and their resolution. The internal LAN can therefore send requests to the DNS forwarder (firewall IP address, port 53), which will reply from its cache, or get the information from an external DNS server.
This sounds very similar to the 'internal DNS server' setup, but the DNS forwarder is not a DNS server, and can not be queried to resolve the names on your domain. It's more like a DNS proxy.
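To make the difference concrete, here is an added example (my own, not Winroute's code) of the kind of forwarder described above: it holds no zone data, keys a cache on the question section of the wire-format message, and on a miss hands the query to an upstream resolver. The upstream is a constructed stub that always answers with the constructed address 10.1.2.3, so the example runs offline; `build_query` is a helper written for this example.

```python
# Added example: a minimal caching DNS forwarder (a DNS proxy, not a server).
import struct
import time

def question_key(msg):
    """Return the raw QNAME+QTYPE+QCLASS bytes of the first question."""
    i = 12                          # skip the 12-byte DNS header
    while msg[i]:                   # walk the labels to the zero terminator
        i += msg[i] + 1
    return msg[12:i + 5]            # name, terminator, type(2), class(2)

class DnsForwarder:
    def __init__(self, upstream, ttl=60.0):
        self.upstream = upstream    # callable: query bytes -> reply bytes
        self.cache = {}             # question bytes -> (expiry, reply bytes)
        self.ttl = ttl

    def handle(self, query, now=None):
        now = time.monotonic() if now is None else now
        key = question_key(query)
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            reply = hit[1]
        else:                       # miss or expired: ask the external server
            reply = self.upstream(query)
            self.cache[key] = (now + self.ttl, reply)
        # a cached reply carries another client's transaction id; replace it
        return query[:2] + reply[2:]

def build_query(name, txid):
    """Constructed helper: standard A-record query for name."""
    labels = name.split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\0\1\0\1"

class StubUpstream:
    """Constructed stand-in for the ISP's DNS server; counts real lookups."""
    def __init__(self):
        self.calls = 0

    def __call__(self, query):
        self.calls += 1
        txid = struct.unpack(">H", query[:2])[0]
        hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
        rr = (b"\xc0\x0c" + b"\0\1\0\1" + struct.pack(">I", 60)
              + b"\0\4" + bytes([10, 1, 2, 3]))                # constructed A
        return hdr + question_key(query) + rr
```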
The packet filtering rules are thus:
A complete overview of dealing with DNS when applying firewall techniques is given in chapter 3 of the Guide to Firewall Configuration by the University of Hong Kong Science and Technology Dept.