Sysadmin’s Guide to Network Services
Network administrators rely on services every day to make their lives easier. These network services run at the application layer of the OSI model. Services, when configured and administered correctly, can automate administrative processes and do work that in the past had to be done manually.
Out of all of the different services that administrators work with, DHCP and DNS are integral to every network. Almost every business-class router offers settings for both of these servers, and every PC technician knows how to configure these settings on individual PCs.
DHCP is used to automatically assign IP addresses to devices on your network. DNS is used to convert domain names to associated IP addresses. Every modern business network should have a server for each of these services. Administrators that take advantage of both of these services have an inside track on the configuration of their network.
DHCP (or Dynamic Host Configuration Protocol) servers hand out IP addresses to devices that don't have them statically assigned. A network without a DHCP server must have static assignments on all of its hosts. Some network administrators feel that they have more control of their network by manually configuring each device's network card. However, most modern business networks have a DHCP server.
Software or hardware-based servers.
In many cases, DHCP servers are installed on physical machines running server operating systems. In simpler cases, these servers can be managed from a router. Almost every router available today offers a DHCP server. While software DHCP servers may be more configurable and offer more options, a router-based server will meet the needs of most businesses.
Static assignments over manual configurations.
There are some devices on every network that need to keep the same IP address at all times. This can be done in two ways - manual configurations at the device level or static reservations configured in the DHCP server. Using static reservations simplifies the process by keeping all of the IP address information, both static and dynamic, all in one place.
DHCP Best Practices
Following a few DHCP best practices will keep your network running at its best. You need to make sure you have appropriately sized DHCP scopes. You should also be sure that those scopes don't overlap IP addresses that are already in use. As always, be sure to take security measures into account. Here's an overview of DHCP best practices.
Have an appropriate number of available IP addresses.
You need to have a good idea of the number of devices that will need an IP address assigned. It's important to remember that in today's networks, that means more than just computers. VoIP phones and mobile devices, to name a few, will be requesting IP addresses too. On top of all that, your DHCP scope should leave room for future growth.
Avoid overlapping static addresses.
While you can use DHCP server settings to assign static reservations to most devices, there will still be some devices on your network that need to keep the same IP address via manual configuration. When creating your DHCP scope, be sure to have an understanding of any IP addresses that are already being used with manual configurations. You can do a network scan or refer to your network map to see what IP addresses are already being used.
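The three checks above (enough addresses with headroom for growth, no manually configured hosts inside the dynamic pool, and reservations that are inside the subnet and unique) can be run against a proposed scope before it goes live. The following is an added example, not code from the guide; the subnet, pool boundaries, MAC addresses, device counts and hostnames in it are made up for the example.

```python
import ipaddress
import math

# Constructed example for a /24 office network. The subnet, pool, names, MACs
# and device counts below are assumptions made for this example.
SUBNET = ipaddress.ip_network("192.168.10.0/24")
POOL_START = ipaddress.ip_address("192.168.10.100")
POOL_END = ipaddress.ip_address("192.168.10.199")

# Devices configured by hand at the device level (found by a scan or on the network map)
MANUAL_STATICS = {
    "192.168.10.1": "gateway",
    "192.168.10.2": "core-switch",
    "192.168.10.150": "legacy-pbx",  # sits inside the dynamic pool: a conflict
}

# Static reservations the DHCP server will hand out, keyed by client MAC
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.10.20",  # COMMSERV02
    "aa:bb:cc:00:00:02": "192.168.10.21",  # SPRINGPRINT001
    "aa:bb:cc:00:00:03": "192.168.10.21",  # same IP reserved twice: a conflict
    "aa:bb:cc:00:00:04": "192.168.11.5",   # not in this subnet: a conflict
}

# Devices that will take dynamic leases, by type
DYNAMIC_DEVICE_COUNTS = {"PCs": 40, "VoIP phones": 35, "mobile devices": 20}


def pool_capacity(start, end):
    """Number of addresses in the dynamic pool, inclusive of both ends."""
    return int(end) - int(start) + 1


def required_pool_size(counts, growth=0.25):
    """Leases needed today plus headroom (default 25%) for future growth."""
    return math.ceil(sum(counts.values()) * (1 + growth))


def sizing_report(counts, start, end, growth=0.25):
    """Return (required, capacity, fits) for the proposed pool."""
    required = required_pool_size(counts, growth)
    capacity = pool_capacity(start, end)
    return required, capacity, capacity >= required


def check_scope(subnet, start, end, manual, reservations):
    """Return a list of problems with the proposed scope; an empty list means it is clean."""
    problems = []
    if start not in subnet or end not in subnet:
        problems.append(f"pool {start}-{end} is not inside {subnet}")
    if int(start) > int(end):
        problems.append("pool start is after pool end")
    if start == subnet.network_address or end == subnet.broadcast_address:
        problems.append("pool includes the network or broadcast address")

    def in_pool(addr):
        return int(start) <= int(addr) <= int(end)

    # Manually configured hosts must not sit inside the dynamic pool, or the
    # server will eventually lease one of their addresses to another client.
    for ip, name in manual.items():
        if in_pool(ipaddress.ip_address(ip)):
            problems.append(f"manual static {ip} ({name}) overlaps the dynamic pool")

    # Reservations must be inside the subnet, unique, and not collide with manual statics.
    seen = {}
    for mac, ip in reservations.items():
        if ipaddress.ip_address(ip) not in subnet:
            problems.append(f"reservation {ip} for {mac} is outside {subnet}")
        if ip in manual:
            problems.append(f"reservation {ip} for {mac} collides with manual static {manual[ip]}")
        if ip in seen:
            problems.append(f"reservation {ip} is given to both {seen[ip]} and {mac}")
        seen.setdefault(ip, mac)
    return problems


if __name__ == "__main__":
    required, capacity, fits = sizing_report(DYNAMIC_DEVICE_COUNTS, POOL_START, POOL_END)
    print(f"need {required} dynamic addresses, pool holds {capacity}: {'OK' if fits else 'TOO SMALL'}")
    for problem in check_scope(SUBNET, POOL_START, POOL_END, MANUAL_STATICS, RESERVATIONS):
        print("problem:", problem)
```

Run as-is, the report shows the constructed pool of 100 addresses is too small for 95 devices once 25% growth is added, and flags the PBX inside the pool, the doubly reserved address and the reservation outside the subnet. Feed it the output of your own scan or network map in place of the constructed dictionaries.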
DHCP security best practices
You need to make sure that you are not allowing unwelcome devices to infiltrate your network. There are a few things to do to prevent this. Here's a list of DHCP security best practices:
- Keep your business networks and guest networks separate.
- If you are using a managed switch, be sure to disable unused ports.
- Generate alerts from your DHCP server when an unrecognized device sends a DHCP request.
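The third item, alerting on DHCP requests from devices you do not recognize, comes down to comparing the client MAC in each request against your inventory. Below is an added example of that check, not code from the guide: it parses log lines in the format ISC dhcpd writes to syslog and raises one alert per unknown client. The log lines, MAC addresses and hostnames are constructed for the example.

```python
import re

# Constructed lines in ISC dhcpd's syslog format. The hosts, MACs and times are
# example data made up for this block.
SAMPLE_LOG = """\
Mar  4 09:12:01 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:00:00:01 via eth0
Mar  4 09:12:01 dhcp1 dhcpd[1234]: DHCPOFFER on 192.168.10.101 to aa:bb:cc:00:00:01 (ACCTPC01) via eth0
Mar  4 09:12:01 dhcp1 dhcpd[1234]: DHCPREQUEST for 192.168.10.101 (192.168.10.1) from aa:bb:cc:00:00:01 (ACCTPC01) via eth0
Mar  4 09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 192.168.10.101 to aa:bb:cc:00:00:01 (ACCTPC01) via eth0
Mar  4 09:40:17 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:99 via eth0
Mar  4 09:40:18 dhcp1 dhcpd[1234]: DHCPREQUEST for 192.168.10.102 (192.168.10.1) from de:ad:be:ef:00:99 (android-7f3a) via eth0
Mar  4 09:40:20 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:99 via eth0
"""

# Inventory of devices that are allowed to ask for a lease (MAC -> hostname)
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "ACCTPC01",
    "aa:bb:cc:00:00:02": "COMMSERV02",
}

# Messages sent by clients; OFFER/ACK/NAK are the server's own replies
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM", "DHCPRELEASE"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"(?P<msg>DHCP[A-Z]+)"
    r"(?:\s+(?:for|on|of)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)(?:\s+\(\S+\))?)?"
    r"\s+(?:from|to)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+\((?P<host>[^)]*)\))?"
    r"\s+via\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one dhcpd log line, or None if it is not a lease message."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unknown_device_alerts(log_text, known):
    """Collect one alert per MAC that requested a lease but is not in the inventory.

    Each alert records when the device was first seen, how many requests it
    sent, the interface it arrived on and the hostname it claimed (if any).
    """
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg"].upper() not in CLIENT_MESSAGES:
            continue
        mac = rec["mac"].lower()
        if mac in known:
            continue
        alert = alerts.setdefault(
            mac, {"first_seen": rec["ts"], "count": 0, "iface": rec["iface"], "hostname": None}
        )
        alert["count"] += 1
        if rec["host"]:
            alert["hostname"] = rec["host"]
    return alerts


if __name__ == "__main__":
    for mac, a in unknown_device_alerts(SAMPLE_LOG, KNOWN_DEVICES).items():
        print(f"ALERT unknown DHCP client {mac} ({a['hostname'] or 'no hostname'}) "
              f"on {a['iface']}, first seen {a['first_seen']}, {a['count']} request(s)")
```

Only client-originated messages count, so the server's own OFFER and ACK replies never trigger an alert. A MAC address is trivially spoofable, so treat a match against the inventory as "expected", not as proof of identity; the alert is there to catch the devices nobody added.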
DNS (or Domain Name System) is a service used primarily for translating domain names to IP addresses. In reality, this is just part of what DNS does. For our purposes, the role DNS plays on a local network, this base understanding is enough. Very often, the DNS settings on a local server are ignored. Administrators who want more control of their network make sure to take advantage of these options.
Taking advantage of DNS on your network can be powerful. It's easy to take a simple router, hand the DNS servers provided by your internet service provider straight on to your PCs, and walk away. With a little bit of work, however, you can configure a local DNS server to make your job as a network administrator easier. This involves setting up local naming on the network for easier device lookups, and using DNS for content filtering or blocking ads.
Global DNS servers or local servers
There are a number of popular, widely regarded global DNS servers available for doing most of your translation for you. Here are the most popular ones out there today:
- Google. 8.8.8.8 and 8.8.4.4.
- OpenDNS. 208.67.222.222 and 208.67.220.220.
- Level 3. 4.2.2.1 through 4.2.2.6.
While administrators should take advantage of having their own local DNS server, requests to translate domain names for websites on the internet should be forwarded from that server to one of these global DNS servers.
Local network naming
When we consider domain name resolution, a lot of times we are thinking about resolving domain names for websites on the internet. One of the best uses of DNS, however, is resolving hostnames on your local network.
Instead of having to memorize the IP addresses of your servers, use hostnames instead. Additionally, you can use your local DNS server to set up multiple names to resolve to a specific IP address.
Naming a number of different devices on your network will make things simpler. These include the following.
- Printers. Printer selection is clearer with descriptive hostnames than with memorized IP addresses.
- Terminal servers. Connect to your servers by name.
- PCs. Recognize and identify trouble computers instantly.
Having devices such as printers, servers, and PCs named accurately helps administrators do their job more efficiently.
Can be used for content filtering or ad blocking
Administrators can take advantage of DNS server settings for security purposes as well. With a few different third-party tools, you can use DNS to filter web content and block ads.
Administrators can use services such as OpenDNS to filter web content. In this example, your DNS server is configured to forward website resolution requests to the OpenDNS servers (208.67.222.222 and 208.67.220.220). Rules can then be configured to block requests (by category or by domain name) coming from your network's source IP addresses.
Administrators who are comfortable configuring Linux servers can install a PiHole server on their network to use DNS to block ads on websites. Your PiHole server downloads curated blocklists of domain names used by web advertisers and answers queries for those names with a blocked (null) response instead of the advertiser's address, so the ad request never leaves your network.
DNS Best Practices
Like DHCP, DNS has a number of best practices to follow. There are many different things to consider, and a few will be covered here. To reduce confusion, descriptive hostnames should be used on local networks. Additionally, all unrecognized, untrusted DNS servers should be forbidden outbound access.
Use descriptive hostnames on local networks
The larger your network grows, the more confusing things get. You need to make sure you use a logical naming scheme for all of the devices on your network. The hostnames that you assign your devices should be easily recognized for troubleshooting and configuration purposes.
An example of a naming scheme could include device location, purpose, and a numerical value. Here are a few examples of this.
- A PC in the accounting office: ACCTPC01
- The second server in the communications room: COMMSERV02
- The printer in the branch office in Springfield: SPRINGPRINT001
Your naming scheme doesn't have to be the same as this. The main point is that it is descriptive enough to save you time when the device needs to be recognized.
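The naming scheme above and the "multiple names for one IP address" idea from the local naming section can be put together: validate each inventory entry against the scheme, then emit the records the local DNS server needs. The block below is an added example, not code from the guide; it renders dnsmasq `host-record=` and `cname=` lines (dnsmasq is the resolver inside PiHole), and the zone name `office.example`, the addresses and the role list are assumptions made for the example. The first three hostnames are the guide's own.

```python
import re

# Roles recognised by the LOCATION + ROLE + NUMBER naming scheme (assumed set)
ROLES = {"PC": "workstation", "SERV": "server", "PRINT": "printer", "SW": "switch"}
NAME_RE = re.compile(r"([A-Z]+?)(" + "|".join(ROLES) + r")(\d{2,3})")
DOMAIN = "office.example"  # assumed local zone name

# Constructed inventory: (hostname, IPv4 address, extra names). Example data
# for this block; the first three hostnames are the guide's own examples.
INVENTORY = [
    ("COMMSERV02", "192.168.10.21", ["files", "intranet"]),
    ("ACCTPC01", "192.168.10.101", []),
    ("SPRINGPRINT001", "192.168.10.60", ["springfield-printer"]),
    ("bobs-laptop", "192.168.10.102", []),  # does not follow the scheme
    ("ACCTPC02", "192.168.10.101", []),     # reuses ACCTPC01's address
]


def parse_hostname(name):
    """Split a scheme-conforming hostname into its parts, or return None."""
    m = NAME_RE.fullmatch(name.upper())
    if not m:
        return None
    location, role, number = m.groups()
    return {"location": location, "role": ROLES[role], "index": int(number)}


def build_records(inventory, domain=DOMAIN):
    """Validate the inventory and render it as dnsmasq host-record/cname lines.

    Returns (lines, problems). Every host gets one address record; each extra
    name becomes a CNAME pointing at that host, so several names resolve to
    the same IP without the address being typed twice.
    """
    lines, problems = [], []
    ip_owner, names_seen = {}, set()
    for host, ip, aliases in inventory:
        if parse_hostname(host) is None:
            problems.append(f"{host}: does not follow the LOCATION+ROLE+NUMBER scheme")
        if host.upper() in names_seen:
            problems.append(f"{host}: duplicate hostname")
        names_seen.add(host.upper())
        if ip in ip_owner:
            problems.append(f"{host}: {ip} is already used by {ip_owner[ip]}")
        ip_owner.setdefault(ip, host)
        fqdn = f"{host.lower()}.{domain}"
        lines.append(f"host-record={fqdn},{ip}")
        for alias in aliases:
            lines.append(f"cname={alias}.{domain},{fqdn}")
    return lines, problems


if __name__ == "__main__":
    lines, problems = build_records(INVENTORY)
    print("\n".join(lines))
    for problem in problems:
        print("# problem:", problem)
```

Write the rendered lines to a file under dnsmasq's configuration directory and reload the service; the returned problems list is the gate that stops a badly named or doubly assigned host from reaching production DNS.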
Forbid Untrusted DNS servers
Ideally, all of the devices on your network are provided DNS server settings via DHCP. Even so, there still may be devices on your network that use manually configured DNS servers for resolution requests. As a security practice, you should have a list of DNS servers that are allowed to perform resolution requests, and forbid all others.
Some DNS servers aren't updated fast enough and won't be able to translate all requests. Other, malicious DNS servers will intentionally direct traffic to malicious websites for the purpose of infiltrating your network. Allowing outbound requests to these servers creates a security hole that you want to keep closed.
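The allowlist described above can be expressed as a small policy: clients on the LAN may only talk to the local resolver, the local resolver may only talk to the approved public servers, and every other flow to port 53 is dropped and logged. The block below is an added example, not code from the guide. It evaluates that policy against constructed flow records (the kind a firewall or NetFlow export produces), which is how you find the hand-configured or malicious resolvers, and renders the same policy as an nftables ruleset. The addresses, the OpenDNS-only upstream list and the flow records are assumptions made for the example.

```python
import ipaddress

# Assumed addresses for the example. The local resolver is the server DHCP
# hands out to clients; it forwards internet lookups to OpenDNS.
INTERNAL = ipaddress.ip_network("192.168.10.0/24")
LOCAL_RESOLVER = ipaddress.ip_address("192.168.10.53")
UPSTREAM_ALLOWED = {
    ipaddress.ip_address("208.67.222.222"),
    ipaddress.ip_address("208.67.220.220"),
}

# Constructed flow records (src, dst, proto, dport) as a firewall or NetFlow
# export would report them; example data only.
SAMPLE_FLOWS = [
    ("192.168.10.101", "192.168.10.53", "udp", 53),   # PC -> local resolver
    ("192.168.10.53", "208.67.222.222", "udp", 53),   # resolver -> approved upstream
    ("192.168.10.102", "8.8.8.8", "udp", 53),          # PC bypassing the local resolver
    ("192.168.10.102", "198.51.100.7", "tcp", 53),     # PC -> some unknown resolver
    ("192.168.10.101", "198.51.100.9", "tcp", 443),    # HTTPS, not a DNS decision
]


def dns_policy(src, dst, proto, dport):
    """Decide what the edge firewall should do with one flow.

    Only port-53 traffic is judged: clients may reach the local resolver, the
    local resolver may reach the approved upstreams, and any other DNS flow is
    dropped. Everything else returns "pass" (outside this policy's scope).
    """
    if dport != 53 or proto not in ("udp", "tcp"):
        return "pass"
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INTERNAL and dst == LOCAL_RESOLVER:
        return "accept"
    if src == LOCAL_RESOLVER and dst in UPSTREAM_ALLOWED:
        return "accept"
    return "drop"


def audit(flows):
    """Flows the policy would drop: hosts with a hand-configured or malicious resolver."""
    return [f for f in flows if dns_policy(*f) == "drop"]


def render_nft(internal=INTERNAL, local_resolver=LOCAL_RESOLVER, upstream=UPSTREAM_ALLOWED):
    """Render the same policy as an nftables ruleset for the gateway's forward hook."""
    ups = ", ".join(str(a) for a in sorted(upstream))
    accepts, drops = [], []
    for proto in ("udp", "tcp"):
        accepts.append(f"    ip saddr {internal} ip daddr {local_resolver} {proto} dport 53 accept")
        accepts.append(f"    ip saddr {local_resolver} ip daddr {{ {ups} }} {proto} dport 53 accept")
        drops.append(f'    {proto} dport 53 log prefix "dns-egress-blocked: " drop')
    header = [
        "table inet dns_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    return "\n".join(header + accepts + drops + ["  }", "}"])


if __name__ == "__main__":
    for src, dst, proto, dport in audit(SAMPLE_FLOWS):
        print(f"BLOCKED DNS: {src} -> {dst} {proto}/{dport}")
    print(render_nft())
```

Two caveats a practitioner should keep in mind. The ruleset only sees traffic that crosses the gateway's forward hook, so the client-to-local-resolver rule is harmless but redundant when both sit on the same segment. And a port-53 rule does nothing about DNS over HTTPS (port 443) or DNS over TLS (port 853); those need their own controls if you want the allowlist to hold.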
Knowledgeable network administrators take full advantage of available network services to manage their network. DHCP can be used to assign IP addresses and DNS server settings. DNS servers are used to translate hostnames and domain names, both locally and on the internet.
Your DHCP server should be configured correctly from the start, along with proper implementation of DHCP security best practices. You should have a fair understanding of the number of IP addresses you need in your scope, where your static IP addresses lie, and how you want to configure them. For DNS, administrators should enforce policies that forbid untrusted public servers and apply a strict naming scheme.
Administrators who have a handle on their DHCP and DNS servers are taking a huge step in the direction of knowledgeable network management. With both of these tools, you'll have a better idea of what's going on in your network.