Page 778 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 778

NS          Name           Designates the FQDN and IP address of an
                            server         authorized name server
                            record

                SOA         Start of       Specifies authoritative information about the
                            authority zone file, such as primary name server, serial
                            record         number, time-outs, and refresh intervals


               Originally, DNS was handled by a static local file known as the HOSTS
               file. This file still exists, but a dynamic DNS query system has mostly
               replaced it, especially for large private networks as well as the internet.
               When client software points to an FQDN, the protocol stack initiates a

               DNS query in order to resolve the name into an IP address that can be
               used in the construction of the IP header. The resolution process first
               checks the local DNS cache to see whether the answer is already
               known. The DNS cache consists of preloaded content from the local
               HOSTS file plus any DNS queries performed during the current boot
               session (that haven’t timed out). If the needed answer isn’t in the
               cache, a DNS query is sent to the DNS server indicated in the local IP
               configuration. The process of resolving the query is interesting and

                                                                                2
               complex, but most of it isn’t relevant to the (ISC)  CISSP exam.
               DNS operates over TCP and UDP port 53. TCP port 53 is used for zone
               transfers. These are zone file exchanges between DNS servers, for
               special manual queries, or when a response exceeds 512 bytes. UDP
               port 53 is used for most typical DNS queries.


               Domain Name System Security Extensions (DNSSEC) is a security
               improvement to the existing DNS infrastructure. The primary function
               of DNSSEC is to provide reliable authentication between devices
               during DNS operations. DNSSEC has been implemented across a
               significant portion of the DNS system. Each DNS server is issued a
               digital certificate, which is then used to perform mutual certificate

               authentication. The goal of DNSSEC is to prevent a range of DNS
               abuses where false data can be injected into the resolution process.
               Once fully implemented, DNSSEC will significantly reduce server-
               focused DNS abuses.
   773   774   775   776   777   778   779   780   781   782   783