1 / 43

DNS

DNS. Domain Name Systems Records. Types of DNS records. Types of DNS records. Important categories of data stored in DNS include the following: A record or address record maps a hostname to a 32-bit IPv4 address.

candra
Télécharger la présentation

DNS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. DNS Domain Name Systems Records

  2. Types of DNS records

  3. Types of DNS records • Important categories of data stored in DNS include the following: • A record or address record maps a hostname to a 32-bit IPv4 address. • An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address. • CNAME record or canonical name record is an alias of one name to another • A record to which the alias points can be either local or remote (a foreign name server) • Useful when running multiple services from a single IP address • e.g. FTP and a Web server • Each service can then have its own entry in DNS • e.g. ftp.example.com. and www.example.com. • MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain • PTR record or pointer record maps an IPv4 address to the canonical name for that host • Setting up a PTR record for a hostname in the in-addr.arpa. domain that corresponds to an IP address implements reverse DNS lookup for that address • For example (at the time of writing), www.icann.net has the IP address 192.0.34.164, but a PTR record maps 164.34.0.192.in-addr.arpa to its canonical name, referrals.icann.org. • NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain • Delegations depend on NS records

  4. Types of DNS records • Important categories of data stored in DNS include the following: (cont.) • SOA record (start of authority record) specifies the DNS server • Provides authoritative information about an Internet domain, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone • TXT Record allows an administrator to insert arbitrary text into a DNS record. • For example, this record is used to implement the Sender Policy Framework and DomainKeys specifications • NAPTR records ("Naming Authority Pointer") a newer type of DNS record that supports regular expression based rewriting • Other types of records simply provide information (for example, a LOC record gives the physical location of a host), or experimental data (for example, a WKS record gives a list of servers offering some well known service such as HTTP or POP3 for a domain) • When sent over the internet, all records use the common format specified in RFC 1035 shown below

  5. DNS Records – Complete List • http://www.iana.org/assignments/dns-parameters

  6. A snippet of a Simplified Example DNS Record for logicbbs.org • First three lines describe valid name servers for logicbbs.org. • Next entry indicates that the mail exchanger for logicbbs.org has a priority of 10 and messages should be directed to mail.logicbbs.org • Priority values indicate where to send e-mail if a server is unavailable; the lower the priority value, the higher the priority of that server • Mail servers send e-mail to the server with the lowest priority value, and then work their way up the values listed as necessary. • The next line indicates that logicbbs.org (the second-level domain) is at 69.17.158.109 • The www and mail sub domains (www.logicbbs.org, mail.logicbbs.org) also point to 69.17.158.109 • The last two lines assign addresses to www.logicbbs.org and mail.logicbbs.org • If a fully qualified name is not shown the domain name is assumed to fill in • www  www.logicbbs.org • mail  mail.logicbbs.org • The DNS record is the reason why some internet addresses do not need the “www” prefix, while others do • If that particular domain has a www A record that differs from the basic A record, then anydomain.com may be different from www.anydomain.com, and the former may not work • Other sites, like logicbbs.org, have both the top-level domain and the www subdomain pointing to the same IP address, which reduces confusion and ambiguity IN NS ns.planix.com IN NS ns1.mydyndns.orgIN NS ns2.mydyndns.org IN MX 10 mailIN A 69.17.158.109 www IN A 69.17.158.109mail IN A 69.17.158.109

  7. Internationalized Domain Names • Domain names technically have no restrictions on the characters • Can include non-ASCII characters • Same is not true for host names • Host names are the names used for things like e-mail and web browsing • Host names are restricted to a small subset of the ASCII character set that includes • Roman alphabet in upper and lower case • Digits 0 through 9 • The dot “.” • The hyphen “-” • Prevents the native representation of names and words of many languages • ICANN has approved the Puny code-based IDNA system • Maps Unicode strings into the valid DNS character set • Workaround to this issue • Some registries have adopted IDNA

  8. Forward -vs- Reverse Lookups DNS

  9. Lookups • Forward DNS lookup • Using an Internet domain name to find an IP address • The most common use • Reverse DNS lookup • Using an Internet IP address to find a domain name http://searchsmb.techtarget.com/sDefinition/0,,sid44_gci213968,00.html

  10. Lookups • When you enter an address for a Web site at your browser • The address is typically transmitted to a nearby router • The router sends the request to a DNS server • It does a forward DNS lookup in a routing table to locate the IP address • Forward DNS lookup is the more common lookup • Most users think in terms of domain names rather than IP addresses • Occasionally you may see a Web page with a URL in which the domain name part is expressed as an IP address (sometimes called a dot address) and want to be able to see its domain name • nslookup: • An Internet facility that lets you do either forward or reverse DNS lookup yourself is called • Comes with some operating systems • Can download the program and install it in your computer

  11. DNS Delegation/Parenting

  12. DNS Example http://www.comptechdoc.org/independent/networking/guide/netdns.html

  13. Host Names • Domain Name Service (DNS) is the service used to convert human readable names of hosts to IP addresses • Host names are not case sensitive and can contain alphabetic or numeric characters or the hyphen • A fully qualified domain name (FQDN) consists of the host name plus domain name as in the following example: • computername.domain.com • Resolver: • The part of the system sending the queries • On the client side of the configuration • Name server: • Answers the queries • Main function of DNS is mapping IP addresses to human readable names • Three main components of DNS • resolver • name server • database of resource records (RRs)

  14. Domain Name System (DNS) • Basically a huge distributed database • Resides on various computers • Overall contains the names and IP addresses of hosts on the internet and various domains

  15. Domain Name System (DNS) • Provides information to the Domain Name Service to use when queries are made • The service is the act of querying the database • The system is the data structure and data itself • Domain Name System is similar to a file system starting with a root • Branches attach to the root to create a huge set of paths • Each branch in the DNS is called a label • Each label can be 63 characters long, but most are less • Each text word between the dots can be 63 characters in length • The total domain name (all the labels) limited to 254 bytes in overall length • Domain name system database is divided into sections called zones • Name servers in their respective zones are responsible for answering queries for their zones • A zone is a subtree of DNS and is administered separately • There are multiple name servers for a zone • Must be at least two • One primary name server and one or more secondary name servers • A name server may be authoritative for more than one zone

  16. Domain Name System (DNS) • DNS names are assigned through the Internet Registries by the Internet Assigned Number Authority (IANA) • Domain name is a name assigned to an internet domain • For example, mycollege.edu represents the domain name of an educational institution • Names like microsoft.com and 3Com.com represent the domain names at those commercial companies • Naming hosts within the domain is up to individuals administer their domain • Access to the Domain name database through a resolver • May be a program or part of an operating system that resides on users workstations • In Unix the resolver is accessed by using the library functions "gethostbyname" and "gethostbyaddr“ • Resolver sends requests to the name servers to return information requested by the user • Requesting computer tries to connect to the name server using its IP address rather than the name

  17. Structure and message format • Drawing shows a partial DNS hierarchy • At the top is the root • Start of all other branches in the DNS tree • Designated by a period (.) • Each branch moves down from level to level • When referring to DNS addresses • Referred to from the bottom up • With the root designator (period) at the far right • Example: • "myhost.mycompany.com."

  18. DNS • DNS is hierarchical in structure • A domain is a subtree of the domain name space • From the root, the typical assigned top-level domains in the U.S. are: • GOV - Government body • EDU - Educational body • INT - International organization • NET - Networks • COM - Commercial entity • MIL - U. S. Military • ORG - Any other organization not previously listed. • Outside this list are top level domains for various countries • Each node on the domain name system is separated by a '.' • Example: "mymachine.mycompany.com." • Note that any name ending in a "." is an absolute domain name since it goes back to root

  19. DNS • Usage and file formats • If a domain name is not found when a query is made • Server may search for the name elsewhere • Return the information to the requesting workstation - or - • Return the address of a name server that the workstation can query to get more information • Special servers on the Internet provide guidance to all name servers • Known as root name servers • Do not contain all information about every host on the Internet • Do provide direction as to where domains are located (the IP address of the name server for the uppermost domain a server is requesting) • http://www.root-servers.org/ • Root name server is the starting point to find any domain on the Internet

  20. Name Server Types • Three types of name servers: • Primary master • Builds its database from files that were preconfigured on its hosts • Called zone or database files • The name server reads these files and builds a database for the zone it is authoritative for • Secondary masters • Provide information to resolvers just like the primary masters • Get their information from the primary • Any updates to the database are provided by the primary • Caching name server – • Gets all its answers to queries from other name servers • Saves (caches) the answers • It is a non-authoritative server • Caching only name server generates no zone transfer traffic • A DNS Server that can communicate outside of the private network to resolve a DNS name query is referred to as forwarder

  21. DNS Query Types • There are several types of queries issued: • Recursive queries received by a server forces that server to find the information requested or post a message back to the querier that the information cannot be found • Iterative queries allow the server to search for the information and pass back the best information it knows about. • This is the type that is used between servers. • Clients used the recursive query • Reverse - The client provides the IP address and asks for the name. • In other queries the name is provided, and the IP address is returned to the client. • Reverse lookup entries for a network 192.168.100.0 is "100.168.192.in-addr arpa" • Generally (but not always) • Server-to-server query is iterative • Client-resolver-to-server query is recursive. • Note: a server can be queried or it can be the entity placing a query • Therefore, a server contains both the server and client functions • A server can transmit either type of query • If it is handed a recursive query from a remote source • it must transmit other queries to find the specified name - Or - • send a message back to the originator of the query that the name could not be found

  22. DNS Transport protocol • DNS resolvers first attempt to use UDP for transport, then use TCP if UDP fails • The DNS Database • A database is made up of records and the DNS is a database • Common resource record types in the DNS database are: • A - Host's IP address • Address record allowing a computer name to be translated into an IP address • Each computer must have this record for its IP address to be located • These names are not assigned for clients that have dynamically assigned IP addresses, but are a must for locating servers with static IP addresses • PTR - Host’s domain name, host identified by its IP address • CNAME - Host’s canonical name allows additional names or aliases to be used to locate a computer • MX - Host’s or domain’s mail exchanger • NS - Host’s or domain’s name server(s) • SOA - Indicates authority for the domain • TXT - Generic text record • SRV - Service location record • RP - Responsible person • HINFO - Host information record with CPU type and operating system • When a resolver requests information from the server, the DNS query message indicates one of the preceding types

  23. DNS Files • CACHE.DNS • DNS Cache file • This file is used to resolve internet DNS queries • On Windows systems: • Located in the WINNTROOT\system32\DNS directory • Used to configure a DNS server to use a DNS server on the internet to resolve names not in the local domain

  24. Resume 2/19

  25. Example Files • Following is a partial explanation of some records in the database on a Linux based system • This information explains some important DNS settings that are common to all DNS servers • An example /var/named/db.mycompany.com.hosts file follows:mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYYYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  26. MYCOMPANY.COM domain DNS example mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYYYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  27. First line entries: mycompany.com. Indicates this record is for the domain mycompany.com. IN Indicates Internet Name record SOA Indicates this server is the authority for its domain, mycompany.com. mymachine.mycompany.com. The primary nameserver for this domain root.mymachine.mycompany.com. Who to contact for more information Data within the parentheses is info for the secondary nameserver(s) which run as slave(s) to the master. Elements after a ; on a line are comments 1999112701 - Serial number If less than master's SN, the slave will get a new copy of this file from the master Must be a strictly increasing number when updated Note the de facto date standard: yyyymmddnn 10800 – Refresh Time in seconds between when the slave compares this file's SN with the master 3600 – Retry Time the server should wait before asking again if the master fails to respond to a file update (SOA request) 604800 – Expire Time in seconds the slave server can respond even though it cannot get an updated zone file 86400 – TTL Time to live in seconds that a resolver will use data received from a nameserver before it will ask for the same data again mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  28. Following is the nameserver resource record(s) May be several of these if there are slave name servers mycompany.com. IN NS mymachine.mycompany.com. Should match the entry in the SOA record May add slave server entries below this like: mycompany.com. IN NS ournamesv1.mycompany.com. mycompany.com. IN NS ournamesv2.mycompany.com. mycompany.com. IN NS ournamesv3.mycompany.com. E.g. mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN NS ournamesv1.mycompany.com. mycompany.com. IN NS ournamesv2.mycompany.com. mycompany.com. IN NS ournamesv3.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16 The above domain mycompany.com. has: 1 name server 3 slave servers mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  29. Next line indicates the mail server record mycompany.com. IN MX 10 mailmachine.mycompany.com. There can be several mail servers Numeric value on the line indicates the preference or precedence for the use of that mail server Lower number indicates a higher preference Range of values is from 0 to 65535 To enter more mail servers Enter a new line for each one similar to the nameserver entries above Be sure to set the preferences value correctly Different values for each mail server: Lowest number is used if available Goes to next lowest if lowest not available Same values for some name servers Services them "round-robin" mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  30. Rest of the lines are the name to IP mappings for the machines in the organization mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16 Note: nameserver and mailserver listed are listed here with IP addresses along with any other server machines required for your network mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  31. Aliases can be added with lines like the following: mymachine.mycompany.com IN CNAME nameserver.mycompany.com. george.mycompany.com IN CNAME dataserver.mycompany.com. Linux1.mycompany.com IN CNAME engserver.mycompany.com. Linux2.mycompany.com IN CNAME mailserver2.mycompany.com. When a client (resolver) sends a request if the nameserver finds a CNAME record: replaces the requested name with the CNAME finds the address of the CNAME value return this value to the client A host that has more than one network card which is set to address two different subnets can have more than one address for a name mymachine.mycompany.com IN A 10.1.0.100 IN A 10.1.1.100 When a client queries the nameserver for the address of a multi homed host, the nameserver will return the address that is closest to the client address If the client is on a different network than both the subnet addresses of the multi homed host, the server will return both addresses mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  32. Record with Aliases: mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ; Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ; Minimum TTL 86400=24Hours ) mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16Linux1.mycompany.com. IN A 10.1.4.32Linux2.mycompany.com. IN A 10.1.4.33 mymachine.mycompany.com IN CNAME nameserver.mycompany.com. george.mycompany.com IN CNAME dataserver.mycompany.com. Linux1.mycompany.com IN CNAME engserver.mycompany.com. Linux2.mycompany.com IN CNAME mailserver2.mycompany.com. mycompany.com. IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. ( 1999112701 ;Serial number as date & two digit number YYMMDDXX 10800 ; Refresh in seconds 28800=8H 3600 ; Retry in seconds 7200=2H 604800 ; Expire 3600000=1 week 86400 ) ; Minimum TTL 86400=24Hours mycompany.com. IN NS mymachine.mycompany.com. mycompany.com. IN MX 10 mailmachine.mycompany.com. mymachine.mycompany.com. IN A 10.1.0.100 mailmachine.mycompany.com. IN A 10.1.0.4 george.mycompany.com. IN A 10.1.3.16

  33. Notes: • Domain names ending with a dot are absolute names • Specify a domain name exactly as it exists in the DNS hierarchy from the root • Names not ending with a dot may be a subdomain to some other domain

  34. DNS Zones Forwarding

  35. DNS Forwarding • Large, well organized, academic or ISP networks have set up a forwarder hierarchy of DNS servers • Helps lighten the internal network load and the load on the outside servers • Not easy to know if inside such a network or not • By using the DNS server of your network provider as a ”forwarder”' you can make the responses to queries faster and less of a load on your network • Your nameserver forwards queries to your ISP nameserver • Each time this happens access a big cache of your ISPs nameserver • Speeding queries up, your nameserver does not have to do all the work itself • When using a modem this can be quite a win http://tldp.org/HOWTO/DNS-HOWTO-4.html

  36. DNS Zones Reverse http://en.wikipedia.org/wiki/Reverse_DNS_lookup

  37. DNS Reverse Lookup • Overview • Typically, the Domain Name System is used to determine what IP address is associated with a given domain name • To reverse-resolve a known IP address • Look up what the associated domain name is belonging to that IP address • Reverse lookup is often referred to as reverse resolving • More specifically reverse DNS lookup • Accomplished using a "reverse IN-ADDR entry" in the form of a PTR record

  38. DNS Reverse Lookup • IPv4 Reverse DNS • Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain in-addr.arpa. • An IPv4 address is represented in the in-addr.arpa domain by a sequence of bytes in reverse order, represented as decimal numbers, separated by dots with the suffix .in-addr.arpa. • For example • the reverse lookup domain name corresponding to the IPv4 address • 10.12.13.140 • 140.13.12.10.in-addr.arpa. • A host name for 1.2.3.4 can be obtained by issuing a DNS query for the PTR record for that special address 4.3.2.1.in-addr.arpa.

  39. DNS Reverse Lookup • Classless Reverse DNS • Historically, IP addresses were allocated in blocks of 256 • Each block fell upon an octet boundary • Configuration of the PTR records easy • Dot separators delimited each block • IP addresses are now allocated in very much smaller blocks • Traditional way of configuring a nameserver to perform reverse DNS cannot work • A means of overcoming this problem was devised and published as RFC 2317 • Uses a CNAME entry which corresponds to each block

  40. Multiple PTR records • While most rDNS entries only have one PTR record, it is perfectly legal to have many different PTR records • Although it is perfectly legal having multiple PTR records for the same IP address it is generally not recommended, unless you have a specific need • For example, if a web server supports many virtual hosts • Can be one PTR record for each host • Some versions of name server software will automatically add a PTR record for each host • Multiple PTR records can cause a couple of problems • Including triggering bugs in programs that only expect there to ever be a single PTR record • In the case of a large web server, having hundreds of PTR records can cause the DNS packets to be much larger than normal

  41. Records other than PTR records • While uncommon compared with PTR records, it is also legal to put other types of records in the reverse DNS tree. • In particular, encryption keys can be placed there • for, example, • IPsec (RFC 4025) • SSH (RFC 4255) • IKE (RFC 4322) • Less standardized usages include • comments placed in TXT records and LOC records to identify the location of the IP address

  42. TLD is the leftmost name • True • False 30

  43. The root is: • The leftmost name • The rightmost name • Not used by most clients • A period at the end of the name 30

More Related