IPv6 DNS Recommendations
Migration of the domain name system is estimated to account for roughly 30% of the overall migration effort. Even when devices such as web servers and proxy servers are configured to run dual-stack, a properly deployed DNS infrastructure is needed to govern the operation, performance and reliability of the dual-stack environment.
Several factors determine IPv6 support in the domain name hierarchy. The root name servers and the other higher-level name servers must support IPv6 transport and the processing of IPv6 queries, and, locally, both the DNS server and the resolver need to be IPv6 capable.
Beyond the basic configuration, a dual-stack DNS setup should be fine-tuned and secured according to best practice. Because address-based port scans (sweeping a subnet for live hosts) are impractical against a 64-bit IPv6 subnet, reconnaissance can be expected to move to the DNS instead: zone transfer attempts, walking the ip6.arpa reverse zone and dictionary guessing of host names. Restricting zone transfers and avoiding easily guessable or sequential host addresses therefore matter more than they did with IPv4.
DNS infrastructure is far more complex, more critical and more exposed to threats in a dual-stack or IPv6 environment than in IPv4. It is therefore essential to understand the basic facts of name resolution, such as the address selection mechanism and the order in which A and AAAA queries are issued, before conducting troubleshooting.
CURRENT DNS SERVER DETAILS
Operating System : Red Hat Linux release 9 (Shrike) - Kernel version is 2.4.20-8smp
DNS Server Software : Bind-9.2.1-16
IPv6 support in a DNS server has to be established in two ways:
1. The DNS server software must support the IPv6-related resource records (AAAA, and PTR records under ip6.arpa).
2. The DNS server must support IPv6 transport, i.e. it must listen on an IPv6 address and process queries arriving in IPv6 packets.
These two factors are independent of each other, but a server is said to support IPv6 only if both requirements are met: a server may answer AAAA queries over IPv4 only, or listen on IPv6 while serving zones that contain no AAAA records, and in neither case is an IPv6-only host served.
The operating system and the underlying hardware determine the server's IPv6 transport ability.
The BIND version (or whichever other DNS software is used) determines its ability to process the resource records.
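The following script is an added example, not configuration from the original report or the site it describes. It writes a BIND 9.7 configuration that satisfies both requirements above: listen-on and listen-on-v6 for the transport side, and A, AAAA and ip6.arpa PTR records for the resource-record side, with the transfer and recursion restrictions mentioned earlier. The zone name example.net, the addresses (192.0.2.0/24 and 2001:db8::/32 are documentation prefixes) and the ACLs are assumptions chosen for illustration. The ip6_to_arpa helper computes the nibble-reversed reverse-zone owner names, which are error-prone to type by hand.

```shell
#!/bin/sh
# Added example (not from the original report): write a dual-stack BIND 9.7
# configuration (named.conf, forward zone, ip6.arpa reverse zone) into a directory.
# Zone name, addresses and ACLs are assumptions; 192.0.2.0/24 and 2001:db8::/32
# are documentation prefixes, not the site's real addressing.

# ip6_to_arpa <ipv6-address>: print the ip6.arpa name (compressed "::" allowed),
# e.g. 2001:db8::1 -> 1.0.0.0.(twenty zeros).8.b.d.0.1.0.0.2.ip6.arpa
ip6_to_arpa() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        *::*) left=${addr%%::*}; right=${addr#*::} ;;
        *)    left=$addr;        right= ;;
    esac
    nl=0; [ -n "$left" ]  && nl=$(( $(printf '%s\n' "$left"  | tr ':' '\n' | wc -l) ))
    nr=0; [ -n "$right" ] && nr=$(( $(printf '%s\n' "$right" | tr ':' '\n' | wc -l) ))
    hex=
    for g in $(printf '%s' "$left" | tr ':' ' '); do      # left-hand groups, zero-padded
        while [ ${#g} -lt 4 ]; do g=0$g; done; hex=$hex$g
    done
    i=$(( 8 - nl - nr ))                                 # groups elided by "::"
    while [ "$i" -gt 0 ]; do hex=${hex}0000; i=$(( i - 1 )); done
    for g in $(printf '%s' "$right" | tr ':' ' '); do     # right-hand groups
        while [ ${#g} -lt 4 ]; do g=0$g; done; hex=$hex$g
    done
    out=
    while [ -n "$hex" ]; do                              # reverse the 32 nibbles
        c=${hex%"${hex#?}"}; hex=${hex#?}; out="$c.$out"
    done
    printf '%sip6.arpa\n' "$out"
}

# write_dualstack_bind_config <outdir>: write named.conf and both zone files.
write_dualstack_bind_config() {
    dir=$1; mkdir -p "$dir"
    cat > "$dir/named.conf" <<'EOF'
// Assumed addressing: this server 192.0.2.53 / 2001:db8:1::53, secondary 192.0.2.54 / 2001:db8:2::53
acl "internal"  { 127.0.0.1; ::1; 192.0.2.0/24; 2001:db8:1::/48; };
acl "secondary" { 192.0.2.54; 2001:db8:2::53; };
options {
    directory "/var/named";
    listen-on    port 53 { 127.0.0.1; 192.0.2.53; };   // IPv4 transport
    listen-on-v6 port 53 { ::1; 2001:db8:1::53; };     // IPv6 transport (requirement 2)
    allow-transfer  { "secondary"; };   // no AXFR-based zone walking by outsiders
    allow-recursion { "internal"; };    // recursion only for our own hosts
    version "none";                     // no version banner for fingerprinting
    dnssec-validation yes;              // trust anchors must be configured separately
};
zone "example.net" IN { type master; file "example.net.zone"; };
// reverse zone for 2001:db8:1::/64, nibble format under ip6.arpa
zone "1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" IN { type master; file "2001-db8-1.rev"; };
EOF
    cat > "$dir/example.net.zone" <<'EOF'
$TTL 3600
@    IN SOA ns1.example.net. hostmaster.example.net. ( 2024010101 3600 900 1209600 300 )
     IN NS   ns1.example.net.
     IN NS   ns2.example.net.
; requirement 1: IPv6 resource records (AAAA) alongside the A records
ns1  IN A    192.0.2.53
ns1  IN AAAA 2001:db8:1::53
ns2  IN A    192.0.2.54
ns2  IN AAAA 2001:db8:2::53
www  IN A    192.0.2.80
www  IN AAAA 2001:db8:1::80
EOF
    cat > "$dir/2001-db8-1.rev" <<'EOF'
$TTL 3600
@    IN SOA ns1.example.net. hostmaster.example.net. ( 2024010101 3600 900 1209600 300 )
     IN NS   ns1.example.net.
     IN NS   ns2.example.net.
EOF
    # PTR owner names computed with ip6_to_arpa; fully qualified, hence the trailing dot
    for pair in '2001:db8:1::53 ns1' '2001:db8:1::80 www'; do
        set -- $pair
        printf '%s. IN PTR %s.example.net.\n' "$(ip6_to_arpa "$1")" "$2" >> "$dir/2001-db8-1.rev"
    done
    if command -v named-checkconf >/dev/null 2>&1; then   # syntax check when BIND tools exist
        named-checkconf "$dir/named.conf"
        named-checkzone example.net "$dir/example.net.zone"
        named-checkzone 1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa "$dir/2001-db8-1.rev"
    fi
}

write_dualstack_bind_config "${1:-./bind-dualstack}"
```

The generated files are meant to be copied into the BIND directory and reviewed, not applied blindly: the ACL members, the secondary's addresses and the DNSSEC trust anchors have to be replaced with the site's own values. The point of computing the PTR owner names with a helper is that a single mistyped nibble silently breaks reverse resolution for that host.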
IPv6 support in Red Hat and the related Fedora distributions is satisfactory. IPv6 has been part of the Linux kernel since the 2.1.8 development release and of the stable 2.2 and 2.4 series, so the existing Red Hat Linux 9 system is one of the early IPv6-capable Linux releases. Later Red Hat and Fedora distributions have adopted many newer IPv6 and related security features (Fedora 13 with kernel 2.6.33, Red Hat Enterprise Linux 4 with kernel 2.6.9).
Although the current BIND version has only preliminary IPv6 support, the latest releases are far more IPv6 capable and carry new security features.
PROPOSED DNS SETUP
In the new dual-stack network, every host (IPv4-only, IPv6-only or dual-stack) will be able to resolve names irrespective of its IPv4 or IPv6 capability; this requires the name servers to be reachable over both transports and to carry both A and AAAA records.
The proposed system is aimed at removing the drawbacks of the existing system and adopting the latest IPv6 support and security enhancements.
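The check below is an added example and not part of the original report. It queries a server for A and AAAA records over IPv4 and over IPv6 transport separately, so that the two requirements (record support and transport support) can be verified independently: a transport on which no query succeeds points at the transport side, while a missing AAAA answer over a working transport points at the zone data. The server addresses and the host name are assumptions, and the dig transcript embedded at the end is constructed, not a real capture, to show what the summary looks like.

```shell
#!/bin/sh
# Added example (not from the original report): exercise a dual-stack DNS server
# over both transports for both record types and summarise the dig transcripts.
# Server addresses and names below are assumptions for illustration.

# summarise_dig: reduce a full `dig` transcript on stdin to lines of the form
# "<type> <rdata> via <server>", keeping only A and AAAA answers so that the
# record type and the transport actually used are both visible at a glance.
summarise_dig() {
    awk '
        /^;; SERVER:/            { server = $3; sub(/#.*/, "", server) }
        /^;; ANSWER SECTION:/    { in_ans = 1; next }
        /^;;/                    { in_ans = 0 }
        in_ans && ($4 == "A" || $4 == "AAAA") { rr[++n] = $4 " " $5 }
        END { for (i = 1; i <= n; i++) print rr[i] " via " server }
    '
}

# check_dual_stack <name> <server-ipv4> <server-ipv6>: four queries, one per
# (transport, record type) pair. No output for a transport means the server is
# not reachable on that family (requirement 2); an A but no AAAA row over a
# working transport means the zone lacks IPv6 records (requirement 1).
check_dual_stack() {
    name=$1; s4=$2; s6=$3
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    for t in 4 6; do
        if [ "$t" = 4 ]; then srv=$s4; else srv=$s6; fi
        for rr in A AAAA; do
            echo "== IPv$t transport, $rr query for $name =="
            dig -"$t" @"$srv" "$name" "$rr" +tries=1 +time=3 | summarise_dig
        done
    done
}

# Constructed transcript (not a real capture) of a healthy AAAA lookup over
# IPv6 transport, used to demonstrate the summary offline.
sample_transcript='; <<>> DiG 9.7.0-P2 <<>> -6 @2001:db8:1::53 www.example.net AAAA
;; ANSWER SECTION:
www.example.net.        3600    IN      AAAA    2001:db8:1::80

;; Query time: 1 msec
;; SERVER: 2001:db8:1::53#53(2001:db8:1::53)'

demo_summary() { printf '%s\n' "$sample_transcript" | summarise_dig; }

demo_summary
# Against a live server: check_dual_stack www.example.net 192.0.2.53 2001:db8:1::53
```

Which of the returned addresses a dual-stack client tries first is decided by the client's address selection policy (RFC 3484, /etc/gai.conf on glibc systems), not by the server; getent ahosts <name> shows the order the resolver library actually returns, which is the right place to look when a host prefers IPv4 although AAAA records are present.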
Hardware Platform : to be replaced with a stable, high-performance platform (already requested)
Operating System : Linux kernel 2.6.x or later, either by upgrading the existing Red Hat Linux 9 (Shrike) installation or, preferably, by installing Fedora 10 (kernel 2.6.27)
DNS Server Software : upgrade to BIND 9.7.0-P2 or later
The server platform needs good CPU performance, adequate RAM and disk storage, and enough network interface cards for the network it will serve. As suggested above, redundancy in the DNS system (at least one secondary server, preferably on a separate network segment) is recommended not only for consistency and availability but also for security, since a single name server is a single point of failure under a denial-of-service attack.
A new hardware platform for the DNS server has already been requested.
The selected operating system should be highly reliable, possible to secure well, provide isolation mechanisms for the name server daemon (chroot jails, or SELinux confinement of named on Red Hat systems) and have a good DNS server daemon available that supports IPv6.
BIND is available for both Windows and Linux, but BIND on Windows is rejected here because the underlying operating system is judged not to be as reliable or as secure as Linux for this role.
Upgrading to Linux kernel 2.6 is highly recommended, as it is more stable, more secure and has better IPv6 support. Using a community release of Red Hat (Fedora 10 with kernel 2.6.27) is the alternative recommendation [http://tldp.org/HOWTO/Linux+IPv6-HOWTO/basic-history-ipv6-linux.html].
The current BIND production release is 9.7.0-P2, and the latest version can be obtained from ISC, the maintainer of BIND. DNSSEC and similar security enhancements as well as new IPv6 features are included in the newer releases.
The proposed specification for the dual-stack DNS implementation will give users the best performance, availability and security over both the IPv4 and IPv6 infrastructures.