DNS How to find things…
Domain Name System
• Associate human-friendly names with machine-friendly IP addresses
• Resolution of a given hostname to an IP address
• Domain names, as opposed to IP addresses, have the top-most element on the right
• Each element can be up to 63 characters long; the full name can be no more than 255 characters
• Letters, numbers or dashes can be used in a name element
10/09/2014 2
DNS
• Allows machines to be grouped logically, by domain name
• The right-most element is called the Top Level Domain (TLD)
• The full name is referred to as the Fully Qualified Domain Name (FQDN): lugh.student.comp.dit.ie, as opposed to just lugh
• The Internet Assigned Numbers Authority (IANA) controls the top-level domains
• Host names map to IP addresses in a one-to-many relationship: each machine may have many IP addresses, and each IP address may be associated with many machines
E.g. Mail Routing using DNS
• Hosts that are designed to perform email routing (mail exchangers) have special-purpose records in DNS: MX records
• A domain should have multiple mail exchangers. Mail that cannot be sent to one mail exchanger can instead be delivered to an alternative server, providing failsafe redundancy.
Before DNS
• Before DNS, name resolution was accomplished solely by text-file databases residing on each host ("hosts" files)
• The method is not scalable, and it requires centralised management of the text files
Internet DNS Hierarchy
• Root name servers: provide references to the appropriate zone-authoritative name servers for the top-level domains
• Zone-authoritative name servers: master and slave servers for zones
Root Name Servers
• There are 13 root name servers
• Each has an associated letter name (a to m)
• No more names can be used because of protocol limitations: a UDP packet can only carry 512 bytes reliably, and a hint file with more than 13 servers would be larger than 512 bytes
• The C, F, I, J, K and M servers now exist in multiple locations on different continents
Root name servers (figure)
A simplified domain-map (figure): the tree from the root (.) to the .ie, .com and .org top-level domains, with the dit domain under .ie and the hosts Poseidon, Taranaki, wicklow and Aisling below it; example FQDN: wicklow.dit.ie.
Domains
• Dividing domains into sub-domains is important in several regards
• Division of a namespace into sub-domains in a hierarchical manner removes the requirement that the names of individual hosts be unique; FQDNs must still be unique
• It allows for the decentralised management of the entire namespace
• Up to 127 levels deep!
Comp.dit.ie domain-map (figure): the tree from the root (.) through .ie and dit to the sub-domains Comp (with Student below it) and ad (with ict below it), and the hosts MyLaptop, Taranaki, Poseidon, Aisling and McCool; example FQDN: wicklow.student.comp.dit.ie.
Zones, Domains and Delegation
• A domain is a complete sub-tree of the hierarchical namespace
• A zone is the part of the domain managed by a particular server
• Sub-domains may be delegated into additional zones
• A zone may directly manage some sub-domains
• A zone represents the scope of administration for which one body is responsible
Comp.dit.ie zones (?) (figure): the same Comp.dit.ie tree (Root, .ie, dit, Comp, ad, Student, ict, MyLaptop, Taranaki, Poseidon, Aisling, wicklow) with the zone boundaries drawn in; example FQDN: wicklow.student.comp.dit.ie.
Relationship between domains, zones and DNS servers
• The DNS database is effectively spread across all servers
• DNS servers are delegated to manage particular zones and the links to the rest of the database
• A zone is not necessarily equivalent to a domain
• A DNS server can manage one or more zones
Comp.dit.ie dns-servers (figure): the same Comp.dit.ie tree with the name servers marked: Cara (147.252.224.80, cara.comp.dit.ie.) serving the Comp branch and Poseidon (147.252.224.12, poseidon.ict.ad.dit.ie.) serving the ad branch.
The DNS Server
• The server receives a request from a client
• If the server does not have the answer it will either ask a root server or forward the request to another name server
• This may happen a number of times until a name server is found that knows the answer
• When the server gets a response it will place a copy in its local cache and return a copy to the requesting client
Name Server Hierarchy
• Master name server: contains the master copy of data for the zone
• Slave name server: provides an automatic backup to the master name server
• All slave servers maintain synchronisation with their master name server
• Both master and slave servers contain authoritative data
• A zone may have multiple slaves but only one master
• A slave may get its data from another slave
Authoritative?
• If the name server responding to a query is authoritative with respect to the query performed, the data returned is said to be authoritative
• Alternatively, responses may come from a name server which has cached the information, in which case the response is said to be non-authoritative
• The client may choose not to accept non-authoritative information
Resolver
• The DNS client is called the resolver
• Resolver capability is built into any program that needs it by way of the resolver library calls
• Resolver functions are implemented in libresolv.so
• DNS clients and servers communicate using UDP packets in most cases
• UDP is fast, but packets can be no larger than 512 bytes
• If a query or response is larger than 512 bytes, it must be sent by TCP
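Added example, not code from the slides: a minimal resolver-side view of the wire format. It builds the UDP query a stub resolver sends (enforcing the 63-byte label and 255-byte name limits quoted earlier), and decodes a reply header for the AA bit (authoritative answer) and the TC bit, which is how a server signals that the answer did not fit in 512 bytes and must be fetched again over TCP. The sample reply bytes are constructed here, not captured from the servers on the slides.

```python
import random
import struct

MAX_LABEL, MAX_NAME, UDP_LIMIT = 63, 255, 512   # limits quoted on the slides
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15}

def encode_name(hostname):
    """Encode a hostname as DNS labels (length byte + label), enforcing the 63/255 limits."""
    wire = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label %r must be 1..%d bytes" % (label, MAX_LABEL))
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"  # the empty root label terminates the name
    if len(wire) > MAX_NAME:
        raise ValueError("name exceeds %d bytes" % MAX_NAME)
    return wire

def build_query(hostname, qtype, txid=None):
    """Build a single-question query with RD=1, the form a stub resolver sends over UDP."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only; QDCOUNT=1
    return header + encode_name(hostname) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def parse_header(response):
    """Decode the 12-byte header: QR, AA (authoritative answer), TC (truncated), RCODE, ANCOUNT."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "ancount": an}

def needs_tcp_retry(response):
    """A UDP answer that did not fit in 512 bytes comes back with TC set: retry the query over TCP."""
    return parse_header(response)["tc"]

# Constructed sample: a truncated (TC=1), non-authoritative reply header for txid 0x1234.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```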
Resolution Configuration Files
• /etc/host.conf is mainly used to indicate which source of information is to be used, and in what order:
    order hosts,bind
Resolution Configuration Files
• /etc/resolv.conf is used to configure which servers are to be used and whether any domains are assumed for non-qualified host names:
    search student.comp.dit.ie
    nameserver 147.252.224.70
    nameserver 147.252.224.73
    nameserver 147.252.1.37
How did I find out the name servers?
U:\>nslookup
Default Server:  poseidon.ict.ad.dit.ie
Address:  147.252.224.12

> set type=ns
> student.comp.dit.ie
Server:  poseidon.ict.ad.dit.ie
Address:  147.252.224.12

Non-authoritative answer:
student.comp.dit.ie     nameserver = oisin.comp.dit.ie
student.comp.dit.ie     nameserver = cara.comp.dit.ie
student.comp.dit.ie     nameserver = cian.student.comp.dit.ie
student.comp.dit.ie     nameserver = lugh.student.comp.dit.ie

oisin.comp.dit.ie       internet address = 147.252.224.70
cara.comp.dit.ie        internet address = 147.252.224.80
cian.student.comp.dit.ie        internet address = 147.252.224.68
lugh.student.comp.dit.ie        internet address = 147.252.224.73
nslookup on Aisling
rbradley@aisling:~$ nslookup wicklow
Server:         147.252.224.80
Address:        147.252.224.80

Name:   wicklow.student.comp.dit.ie
Address: 147.252.224.79

rbradley@aisling:~$ nslookup DM-LFJLL02J.comp.dit.ie
Server:         147.252.224.80
Address:        147.252.224.80

Name:   DM-LFJLL02J.comp.dit.ie
Address: 147.252.230.48
nslookup on my laptop
U:\>nslookup wicklow
Server:  poseidon.ict.ad.dit.ie
Address:  147.252.224.12

*** poseidon.ict.ad.dit.ie can't find mccool: Non-existent domain

U:\>nslookup wicklow.student.comp.dit.ie
Server:  poseidon.ict.ad.dit.ie
Address:  147.252.224.12

Non-authoritative answer:
Name:    wicklow.student.comp.dit.ie
Address:  147.252.224.79
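Added example, not part of the slides: how a glibc-style resolver turns what the user typed into the names it actually tries, using the search list from resolv.conf. This is why the bare name wicklow resolves on aisling, whose search list is student.comp.dit.ie, while a machine with a different suffix configuration has to be given the FQDN. The resolv.conf text mirrors the slide; the ndots rule (default 1) and the candidate order are the glibc defaults assumed here.

```python
def parse_resolv_conf(text):
    """Pull the search list and the nameserver addresses out of /etc/resolv.conf text."""
    search, servers = [], []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith(("#", ";")):  # blank line or comment
            continue
        if toks[0] in ("search", "domain"):
            search = toks[1:]  # a later search/domain line replaces an earlier one
        elif toks[0] == "nameserver":
            servers.append(toks[1])
    return search, servers

def candidates(name, search, ndots=1):
    """Return the absolute names a glibc-style resolver tries, in order, for the name typed."""
    if name.endswith("."):
        return [name]  # a trailing dot means fully qualified: the search list is never applied
    absolute = name + "."
    suffixed = [name + "." + s.rstrip(".") + "." for s in search]
    # Fewer than ndots dots: search-list names first, then the literal name.
    # Otherwise the literal name is tried first and the search list only on failure.
    return suffixed + [absolute] if name.count(".") < ndots else [absolute] + suffixed

# The resolv.conf shown on the slide (constructed copy for this example).
RESOLV_CONF = """search student.comp.dit.ie
nameserver 147.252.224.70
nameserver 147.252.224.73
nameserver 147.252.1.37
"""
```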
Deeper into nslookup
rbradley@aisling:~$ nslookup
> set type=mx
> comp.dit.ie
Server:         147.252.224.80
Address:        147.252.224.80

comp.dit.ie     mail exchanger = 15 mail.dit.ie.
comp.dit.ie     mail exchanger = 5 mail.comp.dit.ie.
>
Deeper into nslookup
> set type=a
> comp.dit.ie
Server:         147.252.224.80
Address:        147.252.224.80

Name:   comp.dit.ie
Address: 147.252.224.70
Name:   comp.dit.ie
Address: 147.252.224.80
> 147.252.224.70
Server:         147.252.224.80
Address:        147.252.224.80

70.224.252.147.in-addr.arpa     name = oisin.comp.dit.ie.
>
Berkeley Internet Name Domain (BIND)
• Most widely used DNS server
• Type: System-V managed service
• Packages: bind, bind-utils
• Daemons: named
• Config files: /etc/named.conf and /var/named/*
• Related: redhat-config-bind, caching-nameserver, openssl
/etc/sysconfig/named
• Used by the named init script to allow options to be passed to named at startup
Configuring BIND
• The default config file is /etc/named.conf
• Read by named during startup or on service named reload
• Text file specifying zones, options etc.
• Check the log files to ascertain whether the service started correctly
Config. File Basics
• Comments can be in C, C++ or shell style:
    /* comment */
    // comment
    # comment
• Directives such as options, zone and server precede blocks in braces; all statements, including blocks, end with a semicolon
• Relative pathnames will be prefixed with the directory option, or /var/named if none is specified
Global Options
• Declared in the options directive:
    options {
        directory "/var/named";
        forwarders { 147.252.1.37; };
        allow-query { 147.252.234/24; };
        allow-transfer { 147.252.234/24; };
    };
Global Options 2
• directory: base directory of all relative paths specified in named.conf
• forwarders: the server forwards queries it cannot answer to the name servers at the addresses in this list; if it gets no answer, it will try a root name server unless the forward-only option is set
Global Options 3
• allow-query: specifies the range(s) of IP addresses allowed to query this DNS server. If the option is not set, then all hosts can query this server
• allow-transfer: specifies the hosts that are allowed to copy the database. Should be used to limit zone transfers. By default zone transfers are not permitted unless explicitly stated using the allow-transfer statement.
Master Zones
• Declared with the zone directive:
    zone "comp.dit.ie" {
        type master;
        file "comp.dit.ie.zone";
    };
• The specified file should contain the zone's database, but its name is not critical
Slave Zones
• Declared with the zone directive:
    zone "comp.dit.ie" {
        type slave;
        masters { 147.252.224.70; };
        file "comp.dit.ie.zone";
    };
• The file directive is not essential, but if specified, it should probably match the name given on the master DNS in the corresponding zone file
• When the slave starts, it asks the master for the serial number on the master zone file to see if they match
Reverse Lookup Zones
• The zone name ends with the special suffix .in-addr.arpa
• Declared with the zone directive:
    zone "1.10.14.in-addr.arpa" {
        type slave;
        masters { 14.10.1.5; };
        file "1.10.14.in-addr.arpa";
    };
Special Zones
• Root zone "." :
    zone "." {
        type hint;
        file "named.ca";
    };
• Loopback zone "0.0.127.in-addr.arpa"
• Specified like other reverse lookup zones
Special Zones
• Every BIND configuration should include a root zone
• The root zone is used when a query is unresolvable by any other configured zone, so it is the 'default' zone
• Zone type is 'hint' (unless the server being configured is a root name server)
• named.ca contains info about the root servers on the internet
• ftp://rs.internic.net/domain
Special Zones
• Loopback zones should be configured, although they are not strictly necessary
• Many programs use the loopback address to implement inter-process communication (IPC)
• These programs use the loopback address 127.0.0.1
Address Match Lists
• A list of semicolon-separated IP addresses, networks or named address match lists
• Used with some directives for access control
• The acl directive can be used to create a custom named address match list:
    acl "mylist" { 192.168.0/24; 192.168.1.12; };
• Trailing, non-significant zeros can be dropped
Address Match Lists
• Some global options such as allow-query take an address match list as an argument
• 4 pre-defined match lists:
• none – no IP addresses match
• any – all IP addresses match
• localhost – any IP address of the name server matches
• localnets – any network on which the name server has an IP address matches
Zone Files
• Usually reside in /var/named
• Begins with $TTL (time to live). This defines the default time in seconds for which you want resolving name servers to cache your zone's information:
    $TTL 86400
• The first resource record is the zone's start of authority
• The zone's data follows in additional zone records
• FQDNs in zone files end with a .
• BIND assumes that names which don't end with . need the name of the current domain appended
Resource Records
• Three general types of resource records:
• Setup
• Address mapping
• Miscellaneous
Resource Records
• SOA defines the start of authority
• NS specifies a name server
• A associates a name with an IP address
• CNAME aliases one name to another
• PTR points an IP address to a name
• MX specifies a mail exchanger
Resource Records Syntax
    [domain] [ttl] [class] <type> <rdata>
• [domain] specify a domain, or leave blank to use the current one
• [ttl] how long to cache the record
• [class] record classification, usually IN
• <type> record type (SOA, MX, A etc.)
• <rdata> specific data for the record
• TTL values may be set on a per-record basis, overriding the default TTL value
• The most common class is the IN (Internet) class
Setup Resource Records
• The SOA designates the beginning of a zone's data, and sets default parameters for this domain
• The zone should contain at least one DNS server that is authoritative for it (this may be a slave server, to mask the master server's identity)
• A list of name servers that can be referenced is commonly included
SOA
• Every zone must have one:
    @ IN SOA ns.redhat.com. root.redhat.com. (
        2003120101 ; serial number
        300        ; refresh
        60         ; retry
        1209600    ; expire
        43200 )    ; minimum ttl for negative answers
• Values can now be in seconds, minutes (M), hours (H), days (D) or weeks (W)
• The @ symbolises the current domain, redhat.com in this example
SOA Explanation
• Serial: for update comparison purposes
• Refresh: slave server delay between checks
• Retry: delay after a slave server refresh has failed
• Expire: upper limit on a slave serving data in the absence of an update from the master
• Min TTL: how long a name server should cache a 'no such host' answer from an authoritative name server in a different domain
• The last string of the first line specifies contact details
Address Mapping Records
• An A resource record maps a hostname (FQDN or not) to an IP address
• A CNAME record should only point to an A record
• PTR records are the inverse of an A record: they map an IP address to a hostname
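Added example, not from the slides: a parser for a small BIND-style zone file (handling $TTL, @, relative names that get the origin appended, a blank owner field, per-record TTLs, ';' comments and the parenthesised SOA) plus the sanity checks the slides imply: an NS record at the apex, and CNAME, NS and MX targets inside the zone backed by an A record. The example.com zone is constructed for this example and deliberately contains two faults.

```python
import re
def fqdn(name, origin):  # '@' is the origin, a trailing '.' means absolute, else the origin is appended
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):  # returns (default_ttl, [(owner, ttl, type, rdata_tokens)])
    logical, buf, depth = [], [], 0
    for ln in text.splitlines():
        ln = re.sub(r";.*", "", ln)  # ';' starts a comment in zone files
        buf.append(ln)
        depth += ln.count("(") - ln.count(")")
        if depth == 0:  # a parenthesised record (the SOA) becomes one logical line
            logical.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    default_ttl, records, owner = None, [], origin
    for ln in logical:
        if ln.startswith("$TTL"):
            default_ttl = int(ln.split()[1])
        elif ln.strip():
            toks = ln.split()
            if not ln[0].isspace():  # owner present; a blank owner field reuses the previous one
                owner = fqdn(toks.pop(0), origin)
            ttl = int(toks.pop(0)) if toks[0].isdigit() else default_ttl  # per-record TTL override
            if toks[0] == "IN":  # the class is optional in the file
                toks.pop(0)
            records.append((owner, ttl, toks[0], toks[1:]))
    return default_ttl, records

def check_zone(text, origin):  # apex NS present; in-zone CNAME/NS/MX targets must have an A record
    _, records = parse_zone(text, origin)
    types_at = {}
    for owner, _, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    if "NS" not in types_at.get(origin, ()):
        problems.append("no NS record at the zone apex")
    for owner, _, rtype, rdata in records:
        if rtype in ("CNAME", "NS", "MX"):
            target = fqdn(rdata[-1], origin)  # MX rdata is "<preference> <host>", so take the last token
            if (target == origin or target.endswith("." + origin)) and "A" not in types_at.get(target, ()):
                problems.append("%s %s -> %s has no A record" % (owner, rtype, target))
    return problems
# Constructed sample zone: 'mail' has no A record and 'ftp' is a CNAME to a name with no records.
ZONE = """$TTL 86400
@   IN SOA ns.example.com. hostmaster.example.com. (
        2014091001 300 60 1209600 43200 )  ; serial refresh retry expire negative-ttl
    IN NS ns
    IN MX 10 mail
ns  IN A 192.0.2.53
ftp IN CNAME www
"""
```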