2.7. Naming and Directory Services

A naming service translates between the names that people use and the numerical addresses that machines use. Different protocols use different naming services; the primary protocol used on the Internet is the Domain Name System (DNS), which converts between hostnames and IP addresses.

In the early days of the Internet, it was possible for every site to maintain a host table that listed the name and number for every machine on the Internet that it might ever care about. With millions of hosts attached, it isn't practical for any single site to maintain a list of them, much less for every site to do so. Instead, DNS allows each site to maintain information about its own hosts and to find the information for other sites. DNS isn't a user-level service, per se, but it underlies SMTP, FTP, Telnet, and virtually every other service users need, because users want to be able to type "telnet fictional.example" rather than "telnet 10.100.242.32". Furthermore, many anonymous FTP servers will not allow connections from clients unless they can use DNS to look up the client host's name, so that it can be logged. The net result is that you must both use and provide name service in order to participate in the Internet.

The main risk in providing DNS service is that you may give away more information than you intend. For example, DNS lets you include information about what hardware and software you're running, information that you don't want an attacker to have. In fact, you may not even want an attacker to know the names of all your internal machines. Chapter 20, "Naming and Directory Services", discusses how to configure name service in order to make full information available to your internal hosts, but only partial information to external inquirers.

Using DNS internally and then relying on hostnames for authentication makes you vulnerable to an intruder who can install a deceitful DNS server. This can be handled by a combination of methods, including:
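As an added illustration of the spoofing risk described above (this is example code written for this page, not code from the book or its authors), the function below implements a forward-confirmed reverse lookup: the name returned by a reverse (PTR) lookup for a client address is accepted only if a forward (A) lookup of that name maps back to the same address. An attacker who controls the reverse zone for their own address range can make it return any name they like, but they do not control the forward zone of the domain they are impersonating, so the two lookups disagree. The stub resolver data (`_PTR`, `_A`) and the addresses in it are constructed for offline use; the `trusted_domains` parameter and the helper names are assumptions of this example.

```python
"""Forward-confirmed reverse lookup for hostname-based access decisions.

Added example, not code from the book. It assumes the caller wants to
trust a client's hostname only when a reverse (PTR) lookup and a forward
(A) lookup agree, because a deceitful reverse zone can return any name.
"""
import socket
from typing import Callable, Iterable, Optional

ReverseLookup = Callable[[str], str]            # ip -> canonical hostname
ForwardLookup = Callable[[str], Iterable[str]]  # hostname -> ip addresses


def _socket_reverse(ip: str) -> str:
    """Real PTR lookup via the system resolver (raises OSError on failure)."""
    return socket.gethostbyaddr(ip)[0]


def _socket_forward(name: str) -> Iterable[str]:
    """Real A lookup via the system resolver (raises OSError on failure)."""
    return socket.gethostbyname_ex(name)[2]


def confirmed_hostname(ip: str,
                       reverse: ReverseLookup = _socket_reverse,
                       forward: ForwardLookup = _socket_forward) -> Optional[str]:
    """Return the client's hostname only if reverse and forward lookups agree."""
    try:
        name = reverse(ip)
    except OSError:
        return None          # no PTR record at all: nothing to trust
    try:
        addrs = set(forward(name))
    except OSError:
        return None          # the claimed name has no forward record
    if ip not in addrs:
        return None          # PTR claims a name whose A record points elsewhere
    return name.lower()


def allowed(ip: str, trusted_domains: Iterable[str],
            reverse: ReverseLookup = _socket_reverse,
            forward: ForwardLookup = _socket_forward) -> bool:
    """Hostname-based access check that refuses unconfirmed names outright."""
    name = confirmed_hostname(ip, reverse, forward)
    if name is None:
        return False
    return any(name == d or name.endswith("." + d) for d in trusted_domains)


# Constructed sample zone data so the example runs offline (not real hosts).
# 192.0.2.7 is an "attacker" address whose PTR record claims a trusted name.
_PTR = {
    "10.100.242.32": "alpha.fictional.example",
    "192.0.2.7": "alpha.fictional.example",
}
_A = {
    "alpha.fictional.example": ["10.100.242.32"],
}


def stub_reverse(ip: str) -> str:
    if ip not in _PTR:
        raise OSError("no PTR record")
    return _PTR[ip]


def stub_forward(name: str) -> Iterable[str]:
    if name not in _A:
        raise OSError("NXDOMAIN")
    return _A[name]


if __name__ == "__main__":
    for client in ("10.100.242.32", "192.0.2.7", "203.0.113.9"):
        ok = allowed(client, ["fictional.example"], stub_reverse, stub_forward)
        print(f"{client}: {'accepted' if ok else 'refused'}")
```

Without the forward confirmation, the second client would be accepted on the strength of a PTR record the attacker wrote themselves. Even with it, the check only proves that whoever controls the reverse zone and whoever controls the forward zone agree; it does not authenticate the host, which is why hostname-based authentication should be one factor among several rather than the sole gate.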
Older Microsoft Windows networks use Windows Internet Name Service (WINS) to map NetBIOS hostnames to IP addresses. The name is unintentionally misleading; WINS is not an Internet name service (one intended to function on the worldwide Internet) but an internet name service (one intended to function on an internet, a collection of local area networks). The service that WINS extends, NetBIOS name service, functions only on a single local area network. Popular terminology has changed since the service was named, and now it might more appropriately be called Windows Intranet Name Service. As WINS has evolved, the interrelationship between it and DNS has become ever more complex and confusing. WINS servers can consult DNS servers, and Microsoft DNS servers can consult WINS servers. The important things to remember about WINS are:
Some sites use Sun's Network Information Service (NIS), formerly known as Yellow Pages (YP), to distribute hostname information internally. It is not necessary to do this. You can use DNS clients instead on any platform that supports NIS, but NIS may be more convenient for configuring your internal machines. It is certainly neither necessary nor advisable to provide NIS service to external machines. NIS is designed to administer a single site, not to exchange information between sites, and it is highly insecure. For example, it would not be possible to provide your host information to external sites via NIS without also providing your password file, if both are available internally.