Domain Name Service (DNS). Cosc 4750. IP Addresses. Machines on the Internet need an addressing scheme (or couldn’t receive packets!) Each machine has a 32-bit address assigned by the Internet Corporation for Assigned Names and Numbers (ICANN).
Domain Name Service (DNS) Cosc 4750
IP Addresses
• Machines on the Internet need an addressing scheme (or they couldn't receive packets!)
• Each machine has a 32-bit address assigned by the Internet Corporation for Assigned Names and Numbers (ICANN).
  • In the U.S., the American Registry for Internet Numbers (ARIN)
  • In Europe, Réseaux IP Européens (RIPE)
• Addresses are written in dotted decimal notation:
  • 128.2.218.2 = 10000000 00000010 11011010 00000010
• Current max number of IP addresses = 2^32 ~ 4,000,000,000
Domain Names
• IP addresses are inconvenient to remember: 129.72.216.5 vs. meru.cs.uwyo.edu (fully qualified)
• Domain names are alphanumeric aliases for IP addresses. They form a tree structure of FQDNs:
  [Tree figure: ROOT; top level .GOV .COM .MIL .NET .EDU .ORG .IT; second level UWYO PITT MIT AMAZON MCKINSEY YAHOO (with addresses 208.216.182.15, 207.237.113.94); lower levels GSIA SDVC CS HEINZ YEN MERU DOLLAR K2 (with addresses 129.72.216.5, 129.72.216.12)]
DNS services
• Name to IP translations
• Host aliasing
  • asuwlink.uwyo.edu, also known as w3.uwyo.edu, ftp.uwyo.edu, etc.
• Mail server aliasing
  • In Cosc, all mail goes to one machine, even if sent to different machines in the department
• Load distribution
  • One DNS name points to different machines; the DNS then uses round robin (or better algorithms) to hand out IP numbers.
How it works
• At one point it was a single host for all machines
  • provided a single point of failure
  • Traffic volumes could overwhelm it
  • Distant centralized database
  • Maintenance
• Would be a real problem now.
• Today, it functions in a hierarchy of name servers
• Lots of local name servers
  • Provides easy updates and quick response since local.
  • Local name servers have local name servers above them.
• 10-15 root servers, right now
  • root servers point to top-level local servers; they don't hold any host names except those of the root servers.
• Each name server has authoritative name servers (one level higher in the hierarchy, usually) to keep rogue name servers from misdirecting people.
DNS Namespace
• Two sorts of top-level domains (TLD)
• US: .edu, .net, .com, .gov, .mil, .arpa (rarely used)
• Rest of the world
  • two-letter country codes: .us (USA), .au, .de, .fi, .dk, .is, .md, .tv, dozens of others.
• New ones are being added, .biz and several others.
• .edu, .com, .net, .arpa are used outside the US.
DNS names
• several countries have sold their domain
  • .md sold to a company, now used for doctors and residents of Maryland
  • .tv now used for television stations
• Squatting
  • purchase a name but do not use it, then sell it to a company for a huge profit.
  • used for nationally/internationally recognized names
  • Also used for people using similar names
    • e.g. www.whitehouse.com (porn site) vs. www.whitehouse.gov
  • Companies are now successfully suing and getting the names changed.
BIND software
• two versions common: v4 and v9
  • 4 has been discontinued (v4.9.X), but very stable
  • 9 has many new features, but security issues
• the daemon that does the work is called named.
• Name servers come in three types:
  • master, slave, cache/forwarding
Example name server structure
[Tree figure: ROOT; top level .GOV .COM .MIL .NET .EDU .ORG .IT; second level UWYO PITT MIT AMAZON MCKINSEY YAHOO; lower levels GSIA SDVC CS HEINZ BIGHORN MERU]
Config files
Forward lookup files:
  meru.cs.uwyo.edu    IN A      129.72.216.4
  <hostname>          IN A      <IP>
Other parts:
  www.cs.uwyo.edu     IN CNAME  hive.cs.uwyo.edu
  <alias hostname>    IN CNAME  <real hostname>                (canonical name)
  www.cs.uwyo.edu     IN MX 0   alameda.cs.uwyo.edu
  <alias hostname>    IN MX <weight> <hostname to send the mail to>
                      IN NS     pike.cs.uwyo.edu
  <no name>           IN NS     <hostname>                     (name server)
You can also have multiple records for CNAME, MX and A; named uses a round-robin method for handing them out:
  hive.cs.uwyo.edu    IN A      129.72.216.51
                      IN A      129.72.216.50
Subdomains in DNS
• meru.cs.uwyo.edu IN A 129.72.216.4
• pike.cs.uwyo.edu IN A 129.72.216.13
• cs IN NS meru.cs.uwyo.edu
•    IN NS pike.cs.uwyo.edu
• These are uwyo.edu records; when the uwyo.edu server gets a request for cs.uwyo.edu, it refers the requester to the name servers meru or pike.
Reverse Name files
• 129.72.216.4 IN PTR meru.cs.uwyo.edu.
• <IP number> IN PTR <name>
• NS records are also included in the reverse name files.
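To make the record types from the last three slides concrete, here is an added example (not BIND code, and not from the course): it parses zone lines in the slide's layout, follows a CNAME to its A records, hands out a multi-address answer in the rotating order the slides attribute to named, and derives the PTR owner names that belong in the reverse file. The zone text is constructed from the slide's sample hosts.

```python
"""Parse the resource-record lines shown above (A, CNAME, MX, NS), hand out
multi-address records round-robin the way the slide says named does, and
derive the reverse (PTR) names for the "reverse name files" slide.
Added example, not BIND code: the zone text below is constructed from the
slide's sample hosts."""
import ipaddress

# Constructed zone snippet. A line that starts with whitespace has no
# owner name and repeats the previous owner (the slide's second hive line).
ZONE_TEXT = """
cs.uwyo.edu         IN NS    pike.cs.uwyo.edu
meru.cs.uwyo.edu    IN A     129.72.216.4
pike.cs.uwyo.edu    IN A     129.72.216.13
www.cs.uwyo.edu     IN CNAME hive.cs.uwyo.edu
www.cs.uwyo.edu     IN MX 0  alameda.cs.uwyo.edu
hive.cs.uwyo.edu    IN A     129.72.216.51
                    IN A     129.72.216.50
"""


def parse_zone(text):
    """Return {(owner, rtype): [rdata, ...]} in file order."""
    records = {}
    owner = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split()
        if not raw[0].isspace():          # explicit owner name on this line
            owner = fields.pop(0)
        if owner is None or fields[0] != "IN":
            raise ValueError(f"malformed record: {raw!r}")
        rtype, rdata = fields[1], fields[2:]
        if rtype == "MX":                 # MX carries a preference, then a host
            rdata = [(int(rdata[0]), rdata[1])]
        records.setdefault((owner, rtype), []).extend(rdata)
    return records


def resolve_a(records, name, max_hops=8):
    """Follow CNAME aliases to the canonical name and its A record set.
    Returns (canonical_name, [addresses]); raises on a CNAME loop."""
    for _ in range(max_hops):
        if (name, "A") in records:
            return name, list(records[(name, "A")])
        if (name, "CNAME") not in records:
            return name, []
        name = records[(name, "CNAME")][0]
    raise ValueError("CNAME chain too long or looping")


class RoundRobin:
    """Rotate a multi-address answer one step per query, so successive
    clients are steered to different hosts (the slide's load distribution)."""

    def __init__(self):
        self._offset = {}

    def answer(self, records, name):
        canonical, addrs = resolve_a(records, name)
        if len(addrs) < 2:
            return addrs
        k = self._offset.get(canonical, 0)
        self._offset[canonical] = (k + 1) % len(addrs)
        return addrs[k:] + addrs[:k]


def reverse_name(ip):
    """Owner name of the PTR record for an address:
    129.72.216.4 -> 4.216.72.129.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_records(records):
    """Generate the reverse-file lines for every A record in the zone."""
    lines = []
    for (owner, rtype), rdata in records.items():
        if rtype == "A":
            for ip in rdata:
                lines.append(f"{reverse_name(ip)} IN PTR {owner}.")
    return lines


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    rr = RoundRobin()
    for _ in range(3):
        print("www.cs.uwyo.edu ->", rr.answer(zone, "www.cs.uwyo.edu"))
    print("\n".join(ptr_records(zone)))
```

One caveat worth knowing when you write the real files: the slide puts a CNAME and an MX on the same owner name (www.cs.uwyo.edu), and a real BIND refuses to load a zone where a CNAME shares its name with other data; point the MX at the canonical host instead. The toy parser above does not enforce that rule.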
nslookup & dig
• nslookup meru.cs.uwyo.edu
  • provides the IP
• nslookup <return>
  • enters the shell program
  • > meru
    • returns the IP number, 129.72.216.4
  • > 129.72.216.4
    • returns the name, meru
  • > set type=MX
  • > hive.cs.uwyo.edu
    • returns the mail server redirection, alameda
• dig provides the same info, but also stats: the number of requests and the query time
/etc/resolv.conf
• File on UNIX listing the name servers:
  nameserver 10.216.218.13
  nameserver 10.216.218.12
  nameserver 10.84.60.8
  search cs.uwyo.edu uwyo.edu
  (OR)
  domain cs.uwyo.edu
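What the search (or domain) line actually does to a short name such as "meru" is easier to see in code. The following is an added example, not libc resolver code and not from the slides: it parses the resolv.conf shown above and lists the fully qualified names the resolver would try, in order. The file text is the slide's; the one-dot threshold (the libc "ndots" default of 1) is an assumption stated in the code.

```python
"""Parse an /etc/resolv.conf and show what the search (or domain) line does
to a short name: the resolver tries each suffix in turn before the bare
name. Added example, not libc resolver code; the file text is the slide's,
and the one-dot threshold ("ndots") assumes the libc default of 1."""

RESOLV_CONF = """nameserver 10.216.218.13
nameserver 10.216.218.12
nameserver 10.84.60.8
search cs.uwyo.edu uwyo.edu
"""


def parse_resolv_conf(text):
    """Return {"nameservers": [...], "search": [...]}. Later search/domain
    lines replace earlier ones; nameserver lines accumulate in order."""
    conf = {"nameservers": [], "search": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif keyword == "search":
            conf["search"] = args
        elif keyword == "domain" and args:       # domain = one-entry search list
            conf["search"] = [args[0]]
    return conf


def candidate_names(name, search, ndots=1):
    """Names the resolver will try, in order.
    - a trailing dot means absolute: try only that name
    - fewer than ndots dots: try each search suffix first, bare name last
    - otherwise: bare name first, then the suffixes"""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def query_order(text, name):
    """Combine both: (candidate names, nameservers to ask), each in order."""
    conf = parse_resolv_conf(text)
    return candidate_names(name, conf["search"]), conf["nameservers"]


if __name__ == "__main__":
    for short in ("meru", "meru.cs.uwyo.edu", "meru.cs.uwyo.edu."):
        names, servers = query_order(RESOLV_CONF, short)
        print(f"{short:20} -> {names}  (first server asked: {servers[0]})")
```

The order matters: with this file a bare "meru" is looked up under cs.uwyo.edu before uwyo.edu, so if both zones define the same label the cs one wins from this client, and a mistyped short name is tried under every suffix before the lookup fails.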
win2k
• changed the standard for DNS
  • microsoft: embrace, extend, exterminate, or change two things and call it microsoft's
• Win2k comes with its own version of DNS (needs to be updated before using).
• BIND versions 8 and 9 will accept microsoft's implementation of DNS
  • needs to understand the _ and -
  • dynamic updates, but not with kerberos 5 (secure updates)
NFS and NIS Cosc 4750
NFS
• NFS = Network File System
• NFS is almost transparent to the users and is "stateless", meaning that no information is lost when an NFS server crashes
• Introduced by Sun in 1985
• Used for sharing a "filesystem" from a server to client machines
Currently two versions in use
• NFS version 2
  • All UNIX O/S can use this version
• NFS version 3
  • Used by Sun, SGI, HP-UX, and FreeBSD
  • used by most Linux distros, but a little buggy.
• NFS version 4
  • still new, lots of problems with configurations.
  • Is supposed to be able to deal with firewalls.
Filesystems and file ownership
• The server assumes that the client is using the same UIDs and GIDs
• The server and the client had better be using the same set, or there will be major security problems.
Root access
• An exported NFS filesystem can be set to block incoming root (UID 0) requests.
  • Since root can su into another user's account, root can still gain access to the files.
• the nobody account
  • UID –2, or -65,534 [2's complement of –2], is also blocked.
File locking
• NFS file locking has a tendency to be "flaky".
• Since so many machines can be using the same file at the same time, it is a difficult process, handled by lockd and statd.
Disk quotas
• handled by the server's stated filesystem, but the users on a remote system won't know that unless rquotad is running on the server.
Security
• By default NFS provides no security
• You can use Sun's public key system or Kerberos for NFS
• If you have a firewall, you can block port 2049 (UDP and TCP)
  • unless you are using Sun's WebNFS
Server-Side NFS
• It uses nfsd, mountd, and portmap (since NFS relies on RPC)
• mountd and nfsd rely on a file that tells them what filesystems are to be exported
  • /etc/exports (Solaris: /etc/dfs/dfstab)
• To tell mountd and nfsd you changed the file, you must run: exportfs -a (Solaris: shareall)
exports file
• The syntax is different between vendors
• 1 line for each filesystem to be exported, listing the following:
  • the filesystem
  • computers that have read/write privileges
  • computers that have read-only privileges
  • computers that have root privileges
• If a machine is listed by its name (NOT the IP number)
  • Then the machine name and IP number must be listed in the /etc/hosts file. Otherwise, it will be denied access
• Some NFS servers allow a wildcard *
  • Fedora/Red Hat Linux does
Example
• Red Hat version
  /home       meru(rw,no_root_squash) *.cs.uwyo.edu(rw)
  /usr/local  *.cs.uwyo.edu(rw)
  /var        *.cs.uwyo.edu(ro)
• Standard NFS (not used by many vendors though)
  /meru3 rw,access=meru:alameda:k2,root=meru
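The "Root access", "Filesystems and file ownership" and "exports file" slides all come down to two decisions the server makes per request: does this client get rw, ro or nothing on this path, and which UID does the request run as. The following added example (not mountd/nfsd code, not from the course) evaluates the Red Hat exports above for a few clients. The exports text is the slide's; the /etc/hosts table is constructed; ANON_UID follows the slide's -2 (65534 as an unsigned 16-bit value); and "first matching entry wins" is this example's assumed rule, not a claim about any particular nfsd.

```python
"""Evaluate the Red Hat style /etc/exports from the slide: which option set
a client gets on a path (wildcards allowed, the name must be in /etc/hosts)
and how root squashing maps UID 0 to the nobody account. Added example,
not mountd/nfsd code; the exports text is the slide's, the hosts table is
constructed, and ANON_UID follows the slide's -2 (65534 as an unsigned
16-bit value). Matching rule assumed here: first matching entry wins."""
import fnmatch

EXPORTS = """/home       meru(rw,no_root_squash) *.cs.uwyo.edu(rw)
/usr/local  *.cs.uwyo.edu(rw)
/var        *.cs.uwyo.edu(ro)
"""

# Constructed /etc/hosts view: address -> name. A client whose address is
# not here cannot be matched against a name in exports and is denied.
HOSTS = {
    "129.72.216.4": "meru.cs.uwyo.edu",
    "129.72.216.13": "pike.cs.uwyo.edu",
    "129.72.216.51": "hive.cs.uwyo.edu",
}

ANON_UID = 65534  # "nobody"; the slide writes it as UID -2


def parse_exports(text):
    """Return {path: [(host_pattern, {options}), ...]} in file order."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for client in clients:
            host, _, opts = client.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            entries.append((host, options))
        exports[path] = entries
    return exports


def client_options(exports, hosts, path, client_ip):
    """Option set applying to client_ip on path, or None when denied.
    A pattern matches the client's full name, its short name, or a
    wildcard such as *.cs.uwyo.edu."""
    fqdn = hosts.get(client_ip)
    if fqdn is None:
        return None
    short = fqdn.split(".")[0]
    for pattern, options in exports.get(path, []):
        if pattern in (fqdn, short) or fnmatch.fnmatchcase(fqdn, pattern):
            return options
    return None


def can_write(options):
    return options is not None and "rw" in options


def map_uid(uid, options):
    """Root squash: UID 0 becomes the anonymous user unless the export
    says no_root_squash. Every other UID passes through unchanged, which
    is why the slides insist client and server share one UID/GID set."""
    if uid == 0 and "no_root_squash" not in options:
        return ANON_UID
    return uid


if __name__ == "__main__":
    ex = parse_exports(EXPORTS)
    for ip in list(HOSTS) + ["10.0.0.9"]:          # last one is not in hosts
        for path in ex:
            opts = client_options(ex, HOSTS, path, ip)
            verdict = "denied" if opts is None else ("rw" if can_write(opts) else "ro")
            root_as = "-" if opts is None else map_uid(0, opts)
            print(f"{ip:14} {path:11} {verdict:7} root runs as uid {root_as}")
```

Running it shows the point of the slide's no_root_squash on the meru entry: root on meru keeps UID 0 on /home, root on pike or hive becomes nobody there, and an address with no /etc/hosts entry is denied everywhere, however it names itself.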
Client-side NFS
• Uses the mountd daemon (can also use the nfsiod daemon as well).
• auto mounting on boot
  • uses /etc/fstab (/etc/vfstab for Sun)
• manual mounting
  • uses the mount command
  • mount <machine>:<filesystem> <mount point>
fstab file, used for both NFS and local drives
• What it looks like:
  <machine>:<filesystem> <mount point> nfs <flags> 0 0
• flags (some of them):
  rw    read/write
  ro    read only
  bg    background the mount of the filesystem
  soft  if the NFS server fails, access fails with an error
  hard  if the NFS server fails, access is blocked until the server returns
  intr  allows users to interrupt blocked operations
Stat’s and debugging • nfsstat –s • shows stat’s and information about an nfs server, rpc stat’s, timeouts, and many filesystem commands • nfsstat -c • shows stat’s and information about an nfs client, rpc stat’s, timeouts, and many filesystem commands
showmount
• Lists all hosts that have mounted an NFS filesystem
• showmount -a
  • list all hosts and what they mounted
• showmount -d
  • list all the filesystems that have been mounted
• showmount -e
  • list all exported filesystems and who can mount them
• showmount [-a -e -d] <host>
  • Same as above, but for a remote host.
automatic mounting
• Besides mounting at boot time, an automounting daemon can be set up to mount the filesystem only when needed and unmount it when not used.
• Allows you to provide a list of replicated filesystems, for the case that an NFS server fails.
NIS
• NIS: the Network Information Service
• originally called Sun Yellow Pages (yp), but Sun was sued by AT&T and changed the name.
• Allows you to share account information (passwd, shadow, group), as well as other system files, like hosts and services.
Advantages
• You can set up a user account on one machine and the information is distributed out to the other machines in the group.
• The user can then log in to any machine in the group
• Combined with NFS, the user has the same file space and account information on a variety of computers.
How it works
• One computer acts as a master server
• Other machines can act as slave servers
• Client machines then ask for information from the server (master or slave).
• Example of a password file:
  … normal password lines
  +seker:::::::     User seker can have access
  +                 All NIS accounts have access
• All information about the user is gotten from the server password file
  • So for user seker, it will ask the server which shell to use
• For security reasons, only UIDs over 100 are shared out in Fedora/Red Hat.
  • Can be configured to share all UIDs, except root.
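The two slides above describe a merge: the server publishes a filtered passwd map, and the client's own /etc/passwd decides which of those entries to admit with "+seker" (one account) or "+" (all of them). The following added example (not ypserv/ypbind code, not from the course) builds the passwd database a client would see. The server map and local files are constructed; MINUID=100 follows the slide's Fedora/Red Hat figure; and the rule that a non-empty field on a "+" line overrides the server's field is standard passwd compat behaviour, shown here so the "ask the server which shell to use" step is visible.

```python
"""Build the effective passwd database a NIS client sees, the way the
slides describe it: the server publishes only UIDs above a threshold, and
the client's local passwd file pulls NIS entries in with "+user" (one
account) or "+" (all of them). Added example, not ypserv/ypbind code; the
server map and local files are constructed, MINUID=100 follows the
slide's Fedora/Red Hat figure, and a "+" line's own non-empty fields
override the server's (standard passwd compat behaviour)."""

MINUID = 100

# Constructed passwd map on the NIS master (name -> passwd line)
NIS_MAP = {
    "root":   "root:x:0:0:root:/root:/bin/bash",
    "daemon": "daemon:x:2:2:daemon:/sbin:/sbin/nologin",
    "seker":  "seker:x:1001:1001:Seker:/home/seker:/bin/tcsh",
    "alice":  "alice:x:1002:1002:Alice:/home/alice:/bin/bash",
}

# Constructed /etc/passwd on a client: local users, then one NIS user.
# (Six colons: the standard seven-field line; the slide shows one extra.)
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
bob:x:500:500:Bob Local:/home/bob:/bin/bash
+seker::::::
"""


def publish(nis_map, minuid=MINUID):
    """What ypserv hands out: only entries whose UID is above minuid,
    so root and system accounts stay local to each machine."""
    return {name: line for name, line in nis_map.items()
            if int(line.split(":")[2]) > minuid}


def apply_plus(plus_fields, server_line):
    """Merge a "+name:..." line with the server's entry: any non-empty
    field on the + line replaces the server's field (e.g. a local shell);
    empty fields mean "take it from the server"."""
    srv = server_line.split(":")
    merged = [srv[0]]
    for i in range(1, 7):   # passwd, uid, gid, gecos, home, shell
        local = plus_fields[i] if i < len(plus_fields) else ""
        merged.append(local if local else srv[i])
    return ":".join(merged)


def merge_passwd(local_text, served):
    """Return {name: passwd line} as the client's lookups would see it.
    Entries already defined locally are not replaced by NIS ones."""
    users = {}
    for line in local_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0]
        if name == "+":                       # every published NIS account
            for user, srv in served.items():
                users.setdefault(user, apply_plus(fields, srv))
        elif name.startswith("+"):            # one named NIS account
            user = name[1:]
            if user in served:
                users.setdefault(user, apply_plus(fields, served[user]))
        else:                                 # ordinary local entry
            users[name] = line
    return users


def shell_for(users, name):
    """The field the slide says the client asks the server for."""
    return users[name].split(":")[6]


if __name__ == "__main__":
    served = publish(NIS_MAP)
    print("published by ypserv:", sorted(served))
    client = merge_passwd(LOCAL_PASSWD, served)
    print("client sees:", sorted(client), "| seker's shell:", shell_for(client, "seker"))
```

Note what the threshold buys you: even if a client's passwd file ends in a bare "+", the server's root and daemon entries never reach it, so a compromised or misconfigured NIS master cannot hand a client a replacement root line through this path.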
• ypserv is the server program
  • yppasswdd (may be part of ypserv), used on the server for new passwords
• ypbind is the client program, which also runs on the server
  • yppasswd, used on the client machine instead of passwd to change a user's password.
• ypbind runs on the server machines because all server machines are also client machines.
Q & A