390 likes | 586 Views
DNS. Agenda. DNS Basic Zone Delegation Half Class-C reverse lookup Webmin Tools 參考資料. DNS Basic. One of the main goals of the design of the Domain Name System was to decentralize administration. DNS Basic. Name Servers and Zones
E N D
Agenda • DNS Basic • Zone Delegation • Half Class-C reverse lookup • Webmin • Tools • 參考資料
DNS Basic • One of the main goals of the design of the Domain Name System was to decentralize administration
DNS Basic • Name Servers and Zones • The programs that store information about the domain name space are called name servers. • Name servers generally have complete information about some part of the domain name space, called a zone, which they load from a file or from another name server. The name server is then said to have authority for that zone.
DNS Basic The edu domain broken into zones
DNS Basic The berkeley.edu domain broken into zones
DNS Basic The Domain ca The Zone ca
DNS Basic • Name servers can be authoritative for multiple zones.
DNS Basic Root … arpa org edu gov com mil net tw uk jp cn in-addr mit … nyu nchu … nctu … apm ee www … www … www
DNS Basic • TLD (Top-Level Domains) • The original top-level domains divided the Internet domain name space organizationally into seven domains • comCommercial organizations, such as Hewlett-Packard (hp.com), Sun Microsystems (sun.com), and IBM (ibm.com) • edu Educational organizations, such as U.C. Berkeley (berkeley.edu) and Purdue University (purdue.edu)
DNS Basic • govGovernment organizations, such as NASA (nasa.gov) and the National Science Foundation (nsf.gov) • mil Military organizations, such as the U.S. Army (army.mil) and Navy (navy.mil) • net Networking organizations, such as NSFNET (nsf.net) • org Noncommercial organizations, such as the Electronic Frontier Foundation (eff.org) • int International organizations, such as NATO (nato.int)
DNS Basic • New Top Level Domain • ICANN is working to add seven new TLDs to the Internet's domain-name system. • In November 2000, after extensive discussions throughout the global Internet community, the ICANN Board selected seven TLD proposals to be included in the first addition of a global TLD to the Internet since the 1980s. • The selected TLDs are: .aero (for the air-transport industry), .biz (for businesses), .coop (for cooperatives), .info (for all uses), .museum (for museums), .name (for individuals), and .pro (for professions).
DNS Basic • .biz is already fully operational and accepting live registrations. For more information on these .biz, please visit the website of NeuLevel, Inc., the company selected to operate this new TLD: <http://www.nic.biz/>. • .info is also fully operational and accepting live registrations. More info on .info registration is availble at the website of the .info registry operator, Afilias Limited, at http://www.nic.info/>. • .name is fully operational and accepting live registrations. The company selected to operate .name, Global Name Registry, has posted an informational page at <http://www.nic.name/>.
DNS Basic • .museum is also operational. he .museum TLD is sponsored by Museum Domain Management Association (MuseDoma). MuseDoma's informational site can be ocated at <http://www.nic.museum/>. • .coop is operational. The .coop TLD is ponsored by the National Cooperative Business ssociation (NCBA). An informational site for .coop is available at <http://www.nic.coop/>. • .aero is operational and is sponsored by Societe Internationale de Telecommunications Aeronautiques SC (SITA). For more information on .aero, please visit <http://www.nic.aero>.
DNS Basic • The .pro registry agreement is still under negotiation. More information on .pro is available at the website of the registry operator, RegistryPro, Ltd., at <http://www.registrypro.com>.
DNS Basic - Resolver • Resolvers are the clients that access name servers. Programs running on a host that need information from the domain name space use the resolver. The resolver handles: • Querying a name server • Interpreting responses (which may be resource records or an error) • Returning the information to the programs that requested it • In BIND, the resolver is just a set of library routines that is linked into programs such as telnet and ftp. It's not even a separate process.
DNS Basic Resolution of girigiri.gbrmpa.gov.au on the Internet
DNS Basic The resolution process
DNS Basic addr.arpa domain
DNS Basic - Caching Resolving baobab.cs.berkeley.edu
DNS Basic - TTL • TTL (Time To Life) • Name servers can't cache data forever. • The administrator of the zone that contains the data decides on a time to live, or TTL, for the data. • The time to live is the amount of time that any name server is allowed to cache the data. After the time to live expires, the name server must discard the cached data and get new data from the authoritative name servers. • Deciding on a time to live for your data is essentially deciding on a trade-off between performance and consistency.
Zone Delegation • edu.tw • moesun.edu.tw • a.twnic.net.tw • b.twnic.net.tw • c.twnic.net.tw • tc.edu.tw • nchud1.nchu.edu.tw • pds.nchu.edu.tw
Zone Delegation • tcc.edu.tw • dns.boe.tcc.edu.tw • chc.edu.tw • dns.chc.edu.tw • encntc.edu.tw • ntcg.encntc.edu.tw • 128.140.in-addr.arpa • pds.nchu.edu.tw • nchud1.nchu.edu.tw
Zone Delegation • 17.163.in-addr.arpa • pds.nchu.edu.tw • nchud1.nchu.edu.tw • 22.163.in-addr.arpa • pds.nchu.edu.tw • nchud1.nchu.edu.tw • 23.163.in-addr.arpa • dns.ncue.edu.tw • life.ncue.edu.tw
Half Class-C Reverse Lookup • RFC 2317 • Classless IN-ADDR.ARPA delegation • IN-ADDR.ARPA delegation on non-octet boundaries for address spaces covering fewer than 256 addresses. • The proposed method is fully compatible with the original DNS lookup mechanisms.
Half Class-C Reverse Lookup • Let us assume we have assigned the address spaces to three different parties as follows: • 192.0.2.0/25 to organization A • 192.0.2.128/26 to organization B • 192.0.2.192/26 to organization C
In the classical approach, this would lead to a single zone like this: Half Class-C Reverse Lookup $ORIGIN 2.0.192.in-addr.arpa. ; 1 PTR host1.A.domain. 2 PTR host2.A.domain. 3 PTR host3.A.domain. ; 129 PTR host1.B.domain. 130 PTR host2.B.domain. 131 PTR host3.B.domain. ; 193 PTR host1.C.domain. 194 PTR host2.C.domain. 195 PTR host3.C.domain.
Half Class-C Reverse Lookup • by using the first address or the first address and the network mask length (as shown below)in the corresponding address space to form the the first component in the name for the zones. • The following four zone files show how the problem in the motivation section could be solved using this method.
Half Class-C Reverse Lookup $ORIGIN 2.0.192.in-addr.arpa. @ IN SOA my-ns.my.domain. hostmaster.my.domain. (...) ;... ;<<0-127>>/25 0/25 NS ns.A.domain. 0/25 NS some.other.name.server. ; 1 CNAME 1.0/25.2.0.192.in-addr.arpa. 2 CNAME 2.0/25.2.0.192.in-addr.arpa. 3 CNAME 3.0/25.2.0.192.in-addr.arpa. ; ;<<128-191>>/26 128/26 NS ns.B.domain. 128/26 NS some.other.name.server.too. ; 129 CNAME 129.128/26.2.0.192.in-addr.arpa. 130 CNAME 130.128/26.2.0.192.in-addr.arpa. 131 CNAME 131.128/26.2.0.192.in-addr.arpa.
Half Class-C Reverse Lookup ; ;<<192-255>>/26 192/26 NS ns.C.domain. 192/26 NS ome.other.third.name.server. ; 193 CNAME 193.192/26.2.0.192.in-addr.arpa. 194 CNAME 194.192/26.2.0.192.in-addr.arpa. 195 CNAME 195.192/26.2.0.192.in-addr.arpa. $ORIGIN 0/25.2.0.192.in-addr.arpa. @ N SOA ns.A.domain. hostmaster.A.domain. (...) @ NS ns.A.domain. @ N S some.other.name.server. ; 1 PTR host1.A.domain. 2 PTR host2.A.domain. 3 PTR h ost3.A.domain.
Half Class-C Reverse Lookup $ORIGIN 128/26.2.0.192.in-addr.arpa. @ IN SOA ns.B.domain. hostmaster.B.domain. (...) @ NS ns.B.domain. @ NS some.other.name.server.too. ; 129 PTR host1.B.domain. 130 PTR host2.B.domain. 131 PTR host3.B.domain. $ORIGIN 192/26.2.0.192.in-addr.arpa. @ IN SOA ns.C.domain. hostmaster.C.domain. (...) @ NS ns.C.domain. @ NS some.other.third.name.server. ; 193 PTR host1.C.domain. 194 PTR host2.C.domain. 195 PTR host3.C.domain.
Dynamic Update • BIND 8 also supports the dynamic update facility described in RFC 2136. This permits authorized updaters to add and delete resource records from a zone for which the server is authoritative. An updater can find the authoritative name servers for a zone by retrieving the zone's NS records. If the server receiving an authorized update message is not the primary master for the zone, it will forward the update "upstream" to its master server(s). If they, in turn, are slaves for the zone, they will also forward the update upstream. command : nsupdate
Webmin URL : http://www.webmin.com
Tools • Nslookup • Dig • host
參考資料 • http://www.isc.org • RFC 2317 • Classless IN-ADDR.ARPA delegation • http://www.internic.net/faqs/new-tlds.html • Some of the important features of BIND 9 • DNS Security • DNSSEC (signed zones) • TSIG (signed DNS requests) • IP version 6 • Answers DNS queries on IPv6 sockets • IPv6 resource records (A6, DNAME, etc.) • Bitstring Labels • Experimental IPv6 Resolver Library
參考資料 • DNS Protocol Enhancements • IXFR, DDNS, Notify, EDNS0 • Improved standards conformance • Views • One server process can provide multiple "views" of the DNS namespace, e.g. an "inside" view to certain clients, and an "outside" view to others. • Multiprocessor Support • Improved Portability Architecture