Archive for the ‘Design’ Category

Internal DNS Reverse Lookup Zones

November 9th, 2009

Recently while sifting through some logs at work, I discovered some odd traffic coming from our DHCP server. The server appeared to be sending DNS updates to external DNS servers. This traffic never made it out of our network since our egress policy was not expecting to see DNS traffic from the DHCP server, so the packets were dropped.

So why was our DHCP server trying to send these updates outside of our network? We have two DNS servers locally that should be receiving all of the DNS updates.

My first step was to check out our primary DNS server and double-check the reverse lookup zones. Below is a list of some of the zones I found (IP addresses have been changed to protect the innocent):

10.1.5.x
10.1.8.x
10.1.20.x

Spot the problem? These are very specific reverse lookup zones. Say we have a subnet that has usable addresses spanning from 10.1.5.1 to 10.1.6.254. When the leases from the 10.1.5.1 – 10.1.5.255 range have been handed out and leases from the 10.1.6 group of addresses begin to be served out, the DNS updates for the 10.1.6 addresses have nowhere to go. Essentially we had reverse lookup zones for a very specific set of addresses.

The solution was to create the proper reverse zone that would cover all of the subnets we use. The zone, or zones, that need to be created depend on the address space your organization uses internally. Since we use addresses in the class A 10.0.0.0 range, I needed to create a reverse zone named “10.in-addr.arpa.”. Below is a quick list of the common private address blocks and the reverse lookup zones they require.

IP Block          Reverse Lookup Zone(s)
10.0.0.0/8        10.in-addr.arpa.
172.16.0.0/12     16.172.in-addr.arpa.  17.172.in-addr.arpa.  18.172.in-addr.arpa.  19.172.in-addr.arpa.
                  20.172.in-addr.arpa.  21.172.in-addr.arpa.  22.172.in-addr.arpa.  23.172.in-addr.arpa.
                  24.172.in-addr.arpa.  25.172.in-addr.arpa.  26.172.in-addr.arpa.  27.172.in-addr.arpa.
                  28.172.in-addr.arpa.  29.172.in-addr.arpa.  30.172.in-addr.arpa.  31.172.in-addr.arpa.
192.168.0.0/16    168.192.in-addr.arpa.

After creating the proper zone for our internal IP scheme, the DNS updates for all of the DHCP leases started to appear in DNS. Additionally, the log entries stating that our DHCP server was sending updates to external DNS servers stopped.

A common mistake is to think that you only need the reverse lookup zone for the subnet you are using. For example, if someone is using the 192.168.2.0/24 subnet, they may think they only need the “2.168.192.in-addr.arpa.” reverse lookup zone. In fact they still need to create the “168.192.in-addr.arpa.” zone and let their DNS server handle the rest.

This may seem like a basic rule to most people, but not everyone knows about reverse lookup zones. In my case the current design was inherited. Honestly I may not have noticed the problem with the reverse lookup zones if I wasn’t sifting through logs.


Cabinets Vs. Closets

September 30th, 2009

In a perfect world every MDF and IDF would have its own dedicated room with limited access. Since most of us live in the real world, compromises must be made.

About one year ago the organization I work for went through a complete network infrastructure upgrade in one of our buildings. Since space was limited and building renovations were not in the scope of the project, we ended up using locking 45U server cabinets to house the switching equipment as well as patch panels. Most of these cabinets were put in shared storage rooms, and only one was placed in a room that received steady traffic.

With the renovation of another one of our buildings this year, we had to decide whether to use locking cabinets or dedicate closets specifically for networking. My past experience and current opportunity allowed me to reflect on the pros and cons of both. Here is a quick breakdown that I came up with:

Network Cabinets:

  • Allows flexible placement of distribution frames to maintain cabling standards
  • Provides relative security when placed in trafficked areas

Network Closets:

  • Security by obscurity
  • Generally allows more flexibility for cable routing
  • Easy access without interrupting others

These lists could be much longer and could contain many more technical arguments. In this case, I chose to look at the less technical reasons for choosing one over the other.

In my case, I believe that a dedicated network closet is superior to a locking cabinet in a public area. Placing anything in the public eye will by nature draw more attention to that object. Add some whirly fans along with blinking lights and even a grown adult will be drawn to a network cabinet. This attention may come with some unwanted consequences such as vandalism or even accidental damage. I strongly believe in security by obscurity. What’s out of sight is out of mind, and therefore people are less likely to tamper with the equipment.

Network closets are only superior if they are dedicated and secure. Closets that are shared will quickly become a place for others to store their junk. This increases the risk that someone might cause an outage or otherwise damage equipment. I often see custodians move their cleaning carts into these spaces, bringing with them all sorts of liquids and chemicals you don’t want on your equipment!

As with any project take your requirements into close consideration. Also ensure that you plan for the future and not just present needs. A properly designed network closet can easily scale to future needs, whereas with a cabinet you are more or less stuck between the posts.
