The CO.ZA DNS Training Registration System
 © Copyright UniForum SA
 
 

 

There are no current DNS courses - please come back later

 
Courses are usually held twice a year, around i-Week time (September) and at the beginning of the year (late January to early February). Registration opens a month or so before each course. The courses are usually held in Johannesburg (Midrand) and Cape Town. There is an Introduction course and an Advanced course, which alternate between these locations. The Introduction course is the first course of any training session, followed by the Advanced course.
  
 

DNS Training Application Form

Applications are subject to a R500.00 deposit, refundable on attendance. Applications will only be confirmed on receipt of the deposit, and will be closed once deposits for all available places have been received. Deposits of delegates who do not attend will be forfeited and donated to the ISPA Teachers Training Program.

Deposits may be paid directly into the UniForum SA bank account, using the Booking Reference number as the payment reference, or by cheque at the UniForum SA offices.

Please fax proof of payment to 080 314 0088 (011 314 0088), or alternatively email it to accounts@co.za for the attention of Lizette Els.

The training course runs from 9h00 to 17h00 each day.

Documentation, computer terminals, refreshments and lunch will be provided.



General information

The DNS courses are presented by Johan Ihren and Mark Elkins.

The lab exercises are done on PCs running the X Window System. Each student uses the PC to connect via SSH (Secure Shell) to their own (virtual) DNS servers, which run on a BSD (Unix) system. Students may bring their own laptops and/or USB memory sticks to keep copies of their work.


DNS Introduction Training Course Outline

Description

This course covers the fundamentals of DNS, including all the important terminology. You will learn how to design a DNS structure for scalability and high availability, how to install and configure DNS name servers, and how zones and domains are delegated, both administratively and technically.

Target audience

The target audience for this course is networking people, network and DNS administrators as well as managers, people working with IT strategy, consultants, security people and others who need an understanding of DNS and its role on the Internet.

Pre-requisites

This course requires fundamental knowledge of the Internet and TCP/IP. Experience with a Unix text editor such as vi or emacs is helpful.

Duration: 3 days

Detailed Agenda

Introduction

  • Background, why was DNS created

Internet before DNS

  • DNS Design Requirements
  • Introduction to the Concept of a “Resource Record”
  • The A and AAAA Records for IPv4 and IPv6 addresses
  • Structure Records and Data Records

Caching, TTL and Scalability

  • Delegation, the Key to Scalability
  • The SOA Record: the Start of a New Zone, the Serial Number
  • The NS Record
  • Zones and Domains
  • The Ice-floe Model

Name Server Roles

  • Authoritative Name Servers
  • Iterative Mode Resolvers (aka Recursive Name Servers)
  • Security Aspects and Threats
  • “Cache Poisoning”

Root Name Servers

  • The hints file
  • The System Query
  • Scalability
  • Problems with Erroneous Queries, the AS112 Project

Resolvers

  • Stub Resolver and Iterative Mode Resolver
  • Interpretation of Response Messages
  • Recursive and Non-recursive Queries
  • The NXDOMAIN Response
  • Referrals
  • CNAMEs
  • Authority at Delegation Points

Detailed Message Exchange Walk-through

Name server implementations

  • New server software and/or new client software
  • BIND (both authoritative and recursive server)
  • NSD (authoritative-only server)
  • Unbound (recursive-only server)
  • Other implementations
  • Differences, pros and cons

Lab Exercise: Compilation and installation of the DNS software

Debugging tools

  • dig, nslookup, others

Fundamental types of Resource Records

  • PTR: for address-to-name mappings
  • CNAME: aliasing
  • MX: mail exchange
  • SRV: generic server locator
  • TXT: publication of text strings

The named.conf configuration file

  • The “options” stanza for global configuration
  • The “logging” stanza for tuning of when, how and where to log

Lab Exercise: Configuration of caching only resolver

Private addresses, RFC 1918

  • NAT, address translation

Name server terminology

  • Master and slave
  • Primary master
  • Hidden master
  • Stealth servers

Zones: the administrative entity of DNS

  • Zone directives in named.conf
  • Zone transfer
  • The AXFR operation
  • The IXFR operation
  • NOTIFY

Lab Exercise: Configuration of an authoritative server

  • The “child role”

Lab Exercise: Delegation of sub-domain

  • The “parent role”
  • Who is responsible for what?

IDN, Internationalized Domain Names

  • Problem statement
  • Character codes, Unicode
  • IDNA, Punycode
  • Requirements from and on applications
  • Application support

Lab Exercise: IDN

IPv6 and DNS

  • New data, new record types
  • Nibbles for IPv6 reverse zones, ip6.arpa
  • IPv6 data vs. IPv6 transport
  • The root name servers and IPv6
  • Resolver support

Lab Exercise: IPv6

“Reverse delegations”

  • Mappings from addresses to names
  • in-addr.arpa
  • ip6.arpa

Lab Exercise: Configuration and delegation of a reverse zone
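As an added worked example for the IPv6 and reverse-delegation sections (not part of the course material), the octet and nibble reversal behind in-addr.arpa and ip6.arpa, including the name of the reverse zone that a delegated prefix maps to and the owner name of a PTR record relative to that zone. The addresses and prefixes are constructed from documentation ranges only.

```python
"""Reverse-mapping names for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa).

Added example; all addresses and prefixes below are constructed.
"""
import ipaddress


def reverse_name(addr):
    """Full owner name of the PTR record for one address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Name of the reverse zone a delegated prefix corresponds to."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones cut on octet boundaries; "
                             "smaller blocks need the RFC 2317 CNAME approach")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones cut on nibble (4-bit) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def owner_in_zone(addr, prefix):
    """Relative owner name of addr's PTR record inside the reverse zone for prefix."""
    net = ipaddress.ip_network(prefix, strict=True)
    if ipaddress.ip_address(addr) not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    full, zone = reverse_name(addr), reverse_zone(prefix)
    return full[: -len(zone) - 1]                    # strip the trailing ".<zone>"
```

ipaddress.ip_address(...).reverse_pointer would give the full name directly; doing it by hand makes the delegation boundary visible: IPv4 reverse zones cut on octet boundaries (a /24 is a three-label zone, anything longer needs RFC 2317), IPv6 reverse zones on nibble boundaries, so a /48 is a 12-nibble zone and a /64 a 16-nibble one, and every PTR owner inside a /64 is 16 labels long.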

Summary


DNS Advanced Training Course Outline

Description

The advanced course covers more complex DNS topics, such as DNS in combination with firewalls and "Split-DNS". It gives a complete treatment of DNSSEC (signing and authentication of DNS data), as well as TSIG (DNS Transaction Signatures), EDNS(0) and Views.

There is an obvious relationship between DHCP and Dynamic DNS Updates; the course covers both topics in detail, including lab exercises on each and on the interaction between them.

Target audience

The target audience for this course is networking people, network and DNS administrators as well as managers, people working with IT strategy, consultants, security people and others who need a deeper understanding of both traditional DNS and the more recent extensions.

Pre-requisites

This course requires knowledge corresponding to our DNS Introduction Course.

Duration: 3 days

Course Outline

Quick review of traditional DNS

Principles behind the DNS protocol:

  • autonomy, coherence, redundancy

Packet format:

  • The different parts of the DNS message and their usage

Name server implementations

  • BIND (both authoritative and recursive server)
  • NSD (authoritative-only server)
  • Unbound (recursive-only server)
  • Other implementations
  • Differences, pros and cons

Lab Exercise: Compilation and installation of the DNS software

DNS Vulnerabilities overview

Role separation for name servers:

  • inevitable when deploying DNSSEC
  • different implementation alternatives
  • usage together with TSIG
  • pitfalls

TSIG: signing DNS transactions

  • Symmetric-key message authentication with HMAC (TSIG authenticates, it does not encrypt)
  • HMAC algorithms: HMAC-SHA1, HMAC-SHA256
  • Securing zone transfers (server-server)
  • Securing queries (client-server)
  • BIND: TSIG Configuration in named.conf:
    • key, server and masters directives
  • NSD: TSIG Configuration in nsd.conf:
    • key: attributes and the use of the NOKEY keyword
  • Securing the transport vs securing the data

Lab Exercise: Using TSIG between master and slave

  • Configuration
  • Need for synchronized clocks
  • Debugging
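An added example serving both the packet-format section above and the TSIG lab; it is not code from the course or from BIND/NSD. It builds a query in wire format, appends a TSIG RR computed with HMAC-SHA256 as RFC 8945 specifies, and verifies it the way a server does, returning the TSIG error a server would log (BADKEY, BADSIG, BADTIME). The key name, secret and timestamps are constructed for illustration.

```python
"""DNS message layout and TSIG (RFC 8945) signing/verification.
Added example, not course or BIND/NSD code; key, name and times are constructed.
"""
import hashlib
import hmac
import struct

ALG_NAME = "hmac-sha256."            # the algorithm is carried as a domain name
CLASS_ANY, TYPE_TSIG = 255, 250


def name_to_wire(name):
    """Length-prefixed labels ending in a zero octet (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _read_name(buf, pos):
    """Decode an uncompressed name; returns (name, position after it)."""
    labels = []
    while True:
        n, pos = buf[pos], pos + 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n & 0xC0:
            raise ValueError("compression is not allowed inside a TSIG RR")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def _skip_name(buf, pos):
    """Skip a possibly compressed name in the question or an RR."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:         # pointer: two octets, then the name ends
            return pos + 2
        pos += 1 + n

def build_query(txid, qname, qtype):
    """Header (ID, flags with RD set, QD/AN/NS/AR counts) + one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(qname) + struct.pack("!HH", qtype, 1)

def _tsig_variables(keyname, signed_at, fudge, error=0, other=b""):
    """Fields MACed after the message (RFC 8945 s4.3.3); key name in canonical form."""
    return (name_to_wire(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + name_to_wire(ALG_NAME)
            + struct.pack("!HIHHH", signed_at >> 32, signed_at & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, secret, signed_at, fudge=300):
    """Append the TSIG RR to the additional section and increment ARCOUNT."""
    mac = hmac.new(secret, msg + _tsig_variables(keyname, signed_at, fudge),
                   hashlib.sha256).digest()
    rdata = (name_to_wire(ALG_NAME)
             + struct.pack("!HIH", signed_at >> 32, signed_at & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))     # original ID, error, other len
    rr = name_to_wire(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, keys, now):
    """Server-side check. keys: lowercase key name -> secret. Returns 'ok' or the TSIG error."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(signed, pos) + 4
    for _ in range(an + ns + ar - 1):            # every RR before the trailing TSIG
        pos = _skip_name(signed, pos) + 8
        pos += 2 + struct.unpack("!H", signed[pos:pos + 2])[0]
    tsig_start = pos
    keyname, pos = _read_name(signed, pos)
    rtype, rclass = struct.unpack("!HH", signed[pos:pos + 4])
    pos += 10                                    # type, class, TTL, RDLENGTH
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return "FORMERR"
    alg, pos = _read_name(signed, pos)
    hi, lo, fudge, maclen = struct.unpack("!HIHH", signed[pos:pos + 10])
    pos += 10
    mac, pos = signed[pos:pos + maclen], pos + maclen
    orig_id, error, otherlen = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + otherlen]
    secret = keys.get(keyname.lower())
    if secret is None or alg.lower() != ALG_NAME:
        return "BADKEY"
    # Rebuild the message as it was when signed: original ID, ARCOUNT without the TSIG RR.
    msg = (struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1)
           + signed[12:tsig_start])
    signed_at = (hi << 32) | lo
    expected = hmac.new(secret, msg + _tsig_variables(keyname, signed_at, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - signed_at) > fudge:             # the reason the lab needs synchronised clocks
        return "BADTIME"
    return "ok"
```

Two points the lab tends to surface are visible here: the key name is matched case-insensitively and MACed in canonical (lowercase) form, as RFC 8945 requires, and the time check is done only after the MAC has verified, so a clock skew larger than the fudge (300 seconds by default) shows up as BADTIME only once the key and signature are right. TSIG protects the message, not the channel: anyone on the path can still read the query, which is the "securing the transport vs securing the data" distinction.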

BIND: rndc

  • remote management via rndc: pros and cons
  • Key management
  • Configuration of rndc.conf

Firewall issues

  • Split-DNS
  • Forwarding
  • Internal delegations
  • Queries “leaking” to the wrong side
  • management of internal connections
  • multiple versions of the name space and DNS coherency
  • varying functionality in different implementations
  • “forward” zones and stub zones
  • Split-DNS in conjunction with DNSSEC

Lab Exercise: firewalls, forwarding, split-DNS

EDNS(0):

  • framework for DNS protocol extensions
  • usage of the OPT pseudo-RR
  • fields in the DNS packet that are expanded via EDNS(0) and their use

Introduction to DNSSEC

  • Background, threat scenario, the Kaminsky attack, etc
  • Walkthrough of the concepts

DNSSEC: Validation of signed DNS data

  • “Trusted keys” and validation of data
  • What does “security apex” mean?
  • What should happen when data doesn’t validate?

Lab Exercise: Configuration of a validating resolver

DNSSEC: Publication of signed DNS data

  • Asymmetric cryptography: signatures made with a private key and verified with the published public key (DNSSEC signs, it does not encrypt)
  • Asymmetric algorithms: RSA, DSA
  • KSK and ZSK: different operational uses for keys

DNSSEC: Protocol extensions and new record types:

  • RRSIG: digital signature over an RRset
  • DNSKEY: public keys stored and distributed via DNS
  • DS: digest of the child's KSK, published in the parent zone

DNSSEC low-level tools:

  • dnssec-keygen to create keys
  • dnssec-signzone to sign zones

Lab Exercise: Publishing a DNSSEC signed zone

  • Create the configuration
  • Generate the keys and add them to the zone
  • DNSSEC Zone Signing

DNSSEC Key Rollover: Replacing old keys with new keys

  • Policy management
  • Delegation Signer and parent interaction
  • Parent/child interaction with examples
  • Tools to simplify DNSSEC management

Lab Exercise: The DS record and interacting with your parent

  • Closing the signature chain from the parent
  • Verification of the signature chain
  • Debugging
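As an added example for the DNSKEY/DS material and the lab on interacting with the parent (not the course's own tooling; in BIND, dnssec-dsfromkey does this job): compute the key tag and the DS record from a DNSKEY, and perform the check the parent or a validator does to confirm that a published DS really identifies the child's KSK. The 12-byte "public key" is a constructed placeholder shaped like RSA key material, not usable key material.

```python
"""Key tag (RFC 4034 App. B) and DS record (RFC 4034 s5) from a DNSKEY.

Added example, not course material. PLACEHOLDER_PUBKEY is constructed
(exponent length, exponent, short modulus) and is not a real key.
"""
import hashlib
import struct

PLACEHOLDER_PUBKEY = bytes.fromhex("03010001" "c0decafebabe0001")   # constructed


def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, zero octet."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags (256 = ZSK, 257 = ZSK + SEP, i.e. a KSK), protocol 3, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """16-bit checksum over the RDATA; picks a key out of the DNSKEY RRset, nothing more."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata):
    """Secure Entry Point flag (0x0001): by convention the key the parent's DS points at."""
    return bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)


def ds_record(owner, rdata, digest_type=2):
    """DS = key tag, algorithm, digest type, digest(owner in canonical wire form || DNSKEY RDATA)."""
    digest_fn = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    algorithm = rdata[3]
    digest = digest_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(ds_text, owner, rdata):
    """Parent- or validator-side check: does this DNSKEY really hash to the published DS?"""
    fields = ds_text.split()
    tag, algorithm, digest_type = int(fields[3]), int(fields[4]), int(fields[5])
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    return ds_record(owner, rdata, digest_type).split()[6] == fields[6].upper()
```

The digest covers the owner name in canonical (lowercase) wire form plus the full DNSKEY RDATA, so a DS is bound to one zone name and one key, and a DS generated from "Example.CO.ZA." is the same record as one generated from "example.co.za.". The key tag is only a 16-bit checksum and can collide between keys, which is why ds_matches recomputes the digest instead of trusting the tag alone.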

Resolver issues

  • Suitable API
  • Securing the “last mile”
  • The requirement for a “clear path”

Lab Exercise: Key Rollover of ZSK and KSK

  • Logging

DNSSEC Protocol extension: ADE (Authenticated Denial of Existence)

  • Why is ADE so important?
  • NSEC: Filling out the empty space to facilitate ADE
  • NSEC3: When zone contents must not be listed

Lab Exercise: NSEC3
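An added example for the NSEC3 lab, not the course's code. It hashes owner names as RFC 5155 does, builds the sorted chain, finds the record whose interval covers a non-existent name, and shows the limit of "zone contents must not be listed": anyone who collects the chain can hash a word list offline and recover the names in it. The zone, salt and iteration count are constructed.

```python
"""NSEC3 (RFC 5155): owner-name hashing, the chain, covering records and offline guessing.

Added example; zone names, salt and iteration count are constructed.
"""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # base32hex alphabet, lowercase here


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, zero octet."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """Encode without padding; 20 SHA-1 bytes = 160 bits = 32 characters."""
    bits = int.from_bytes(data, "big")
    n = len(data) * 8 // 5
    return "".join(B32HEX[(bits >> (5 * (n - 1 - i))) & 31] for i in range(n))


def nsec3_hash(name, salt=b"", iterations=0):
    """H = SHA1(name || salt), then `iterations` further rounds of SHA1(H || salt)."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


def build_chain(names, salt=b"", iterations=0):
    """Sorted hashed owners, each pointing at the next; the last wraps around to the first."""
    hashes = sorted({nsec3_hash(n, salt, iterations) for n in names})
    return [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]


def covering_record(chain, qname, salt=b"", iterations=0):
    """The (owner, next) pair whose interval contains hash(qname); None if the name exists."""
    h = nsec3_hash(qname, salt, iterations)
    for owner, nxt in chain:
        if owner == h:
            return None
        if len(chain) == 1 or owner < h < nxt or (owner > nxt and (h > owner or h < nxt)):
            return (owner, nxt)
    raise RuntimeError("a complete chain covers every hash value")


def guess_names(chain, zone, candidates, salt=b"", iterations=0):
    """Why NSEC3 hides little: hash a word list and compare against the collected chain."""
    known = {owner for owner, _ in chain}
    return sorted(f"{c}.{zone}" for c in candidates
                  if nsec3_hash(f"{c}.{zone}", salt, iterations) in known)
```

Because the base32hex alphabet sorts the same way as the underlying numbers, string comparison of the hashes gives the chain order directly. A full NXDOMAIN proof needs more than the one covering record shown here (RFC 5155 also requires the closest-encloser and wildcard proofs), and RFC 9276 now recommends zero additional iterations and an empty salt, since iterations slow down validators and offline guessing by the same factor.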

DNSSEC high-level tools

  • OpenDNSSEC
    • Lab: OpenDNSSEC
  • BIND 9.9 inline-signing
    • Lab: inline-signing
  • others

International outlook:

  • Signing of different top-level domains
  • Signing the root zone
  • Development and adjustment of different systems for DNSSEC

Introduction to DHCP

  • Problem statement
  • The need for address management
  • Not only address management but a generic infrastructure for resource management and allocation
  • Protocol structure: the message chain between client and server
  • DHCP Relays: effect on protocol and design
  • What rights and options does the client have?

DHCP Server Configuration

  • Topology description: how is the local environment constructed
  • Policies: what principles should guide resource allocation?
  • Design choices
  • Redundancy management

Introduction to DHCPv6

Dynamic Update

  • The four different roles: client, authoritative name server for the forward zone, authoritative name server for the reverse zone, and the DHCP server
  • Security policies
  • Granularity in access rights: control over nodes or entire sub-trees, restrictions on available record types
  • update-policy{}
  • Alternatives for authentication: TSIG (symmetric key), SIG(0) (asymmetric key), GSS-TSIG
  • Comparison SIG(0) vs TSIG

Lab exercise: Manual dynamic update

  • Name server configuration
  • How to trigger the dynamic update automatically
  • Client configuration
  • Name server configuration
  • Design choices in environments with a mix of dynamic and static DNS data
  • Dynamic update of DNSSEC secured data: key management, signatures

Lab Exercise: Automatic dynamic update (with DHCP)

  • Name server configuration
  • Relation DHCP server and name server

Summary

 

Last modified: Wednesday, 1st February 2012 @ 02:07pm - dnstraining.coza.net.za