
Domain Name System



Presentation Transcript


  1. Domain Name System

  2. Resolve a Name to an IP: /etc/hosts • The /etc/hosts file is just a list of IP addresses and their corresponding host names. • Your server checks this file before querying DNS (the order is set by the hosts line of /etc/nsswitch.conf, "files dns" by default). • Add the following line to your /etc/hosts: • 68.142.197.84 myyahoo • You can open a browser and type 'myyahoo' in the URL bar. • Usually used to resolve the IP addresses of other hosts on the same network. • Because it overrides DNS for every program on the host, /etc/hosts must stay writable by root only: a rogue entry silently redirects all traffic for that name.

  3. Basic Commands to test domain name • host www.vtc.edu.hk • The host command accepts either a fully qualified domain name or an IP address as its argument. • host 202.75.80.237 • Given an IP address it performs a reverse lookup. • nslookup www.vtc.edu.hk • Same result as host, but nslookup is also available on Windows XP.

  4. Basic Concept of DNS • The Domain Name System (DNS) converts the name of a Web site (www.vtc.edu.hk) to an IP address (202.75.80.237). • DNS Clients • A DNS client (stub resolver) doesn't store DNS information; it must always refer to a DNS server to get it. • The only DNS configuration file for a DNS client is /etc/resolv.conf.

  5. Authoritative DNS Servers • Authoritative servers provide the definitive information for your DNS domain. • There are 13 root server names (a.root-servers.net to m.root-servers.net), each served by many anycast instances; a resolver with an empty cache starts every lookup at one of them. • For example, when you register your domain my-site.com, the registrar inserts NS records for my-site.com into the .com zone, so the .com servers can refer resolvers to your name servers.

  6. DNS Caching Name Server • Most hosts don't ask authoritative servers directly; they usually ask a caching (recursive) DNS server. • The caching DNS server stores (caches) the answers it has fetched, for the TTL of each record, to reduce the lookup overhead.

  7. Forward, reverse lookup • Forward Lookup • DNS resolution maps a fully qualified domain name (FQDN), such as www.vtc.edu.hk, to an IP address. • Reverse Lookup • DNS can determine the fully qualified domain name associated with an IP address, using PTR records. • Many different Web sites can map to a single IP address, but a reverse lookup of that address normally returns only one name, so the two directions are not symmetric. • Never treat a PTR name as proof of identity: whoever controls the reverse zone for an address range chooses the name it returns.

  8. Start DNS server • Use the 'chkconfig' command to configure DNS to start at boot: • chkconfig named on • Use 'service named' to start, stop, and restart DNS after booting: • service named start • service named stop • service named restart • Configuration file: /etc/named.conf • Run named-checkconf after editing it; named refuses to start on a syntax error.

  9. Configure a Cache-Only DNS server • Change named.conf to the following: • pid-file • Process ID file: where named writes its PID.
  options {
      pid-file "/var/run/named/named.pid";
      forward only;
      forwarders { 168.95.1.1; 139.175.10.20; };
      allow-query { any; };
      allow-transfer { none; };
  };

  10. Configure a Cache-Only DNS server(2) • forward only • Never resolve iteratively; every query the cache cannot answer is sent to the forwarders (if they are unreachable the query fails). • forwarders • IP addresses of the upstream recursive DNS servers that do the real lookups. • allow-query { any; } • Allow any host to query your DNS server. On a recursive server this makes it an open resolver, which is abused for DNS amplification attacks; restrict it (and allow-recursion) to your own networks with an acl. • allow-transfer { none; } • Do not allow other DNS servers to copy (zone transfer) your zone data.
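Worked example added here (not from the slides): the options block above next to a hardened version, plus a small POSIX sh check that tells the two apart. The acl name "trusted" and the network 192.168.1.0/24 are assumptions for the example; the forwarder addresses are the slide's.

```shell
#!/bin/sh
# Added example, not from the original slides. Compares the slide's cache-only
# options block with a hardened one and checks which of them is an open resolver.

# Constructed sample: the options block from the slide, allow-query { any; }.
WEAK_CONF='options {
    pid-file "/var/run/named/named.pid";
    forward only;
    forwarders { 168.95.1.1; 139.175.10.20; };
    allow-query { any; };
    allow-transfer { none; };
};'

# Hardened version: recursion only for the networks we serve (the acl name and
# 192.168.1.0/24 are assumptions for this example).
HARDENED_CONF='acl trusted { 127.0.0.1; 192.168.1.0/24; };
options {
    pid-file "/var/run/named/named.pid";
    forward only;
    forwarders { 168.95.1.1; 139.175.10.20; };
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-transfer { none; };
};'

# directive_value CONF NAME
#   Print the address-match list of the first "NAME { ...; };" line in CONF,
#   without the braces, e.g. "any" or "168.95.1.1; 139.175.10.20".
#   Handles one-line directives only, which is how the slide writes them.
directive_value() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*{[[:space:]]*\(.*\);[[:space:]]*}.*/\1/p" |
        head -n 1
}

# is_open_resolver CONF
#   Exit 0 when CONF answers recursive queries from anyone. BIND 9.4 and later
#   derive allow-recursion from allow-query when allow-recursion is not set, so
#   "allow-query { any; }" on its own is enough to make the server open.
is_open_resolver() {
    query=$(directive_value "$1" allow-query)
    recursion=$(directive_value "$1" allow-recursion)
    if [ -z "$recursion" ]; then
        recursion=$query
    fi
    if [ "$query" = any ] && [ "$recursion" = any ]; then
        return 0
    fi
    return 1
}

# Report on both configs when run directly.
for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    if is_open_resolver "$conf"; then
        echo "$name: OPEN RESOLVER (allow-query/allow-recursion = any)"
    else
        echo "$name: recursion restricted to: $(directive_value "$conf" allow-query)"
    fi
done
```

The check is a text heuristic for the one-line style used on the slide; on a real server confirm with named-checkconf -p (which prints the effective configuration) and by querying the server from an address outside the acl.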

  11. Configuring named.conf • Besides the global options block, named.conf contains one 'zone' statement for each zone the server knows about. • Each forward lookup zone normally has a matching reverse lookup zone, and each zone has its own zone file. • All these files are stored in '/var/named' by default (the directory option changes it). • A well defined named.conf and a group of zone files let you set up your DNS easily.

  12. Configuring named.conf(2) • root '.' Zone • A hints file listing the names and addresses of the 13 root servers, used to start resolution when the cache is empty. • Zone filename is "named.ca" • type hint; • The zone type used for the root zone. • You can find this file in /var/named.
  zone "." IN {
      type hint;
      file "named.ca";
  };

  13. Configuring named.conf(3) • Zone "localdomain" • A sample zone for your local network. • allow-update { none; } • Rejects dynamic DNS updates (RFC 2136) to this zone from every host; it has nothing to do with the root servers. • Keep it for REAL ZONES too: an unrestricted allow-update lets any client rewrite your records. If you need dynamic updates, limit them to a TSIG key (allow-update { key name; };).
  zone "localdomain" IN {
      type master;
      file "localdomain.zone";
      allow-update { none; };
  };

  14. Configuring named.conf(4) • Reverse Zone for "localdomain" • 'in-addr.arpa' is the predefined domain under which reverse lookups are made: the octets of the network are written in reverse order, so 0.0.127.in-addr.arpa covers 127.0.0.0/24.
  zone "0.0.127.in-addr.arpa" IN {
      type master;
      file "named.local";
      allow-update { none; };
  };

  15. Configuring named.conf(5) • To create a Virtual Zone "alanpo.com" for the network 192.168.1.0/24, add these statements to named.conf:
  zone "alanpo.com" {
      type master;
      file "named.alanpo.com";
  };
  zone "1.168.192.in-addr.arpa" {
      type master;
      file "named.192.168.1";
  };

  16. Configuring Zone • Read the content of "localdomain.zone": • $TTL 86400 • Time to Live value, default 86400 seconds (one day). • How long a record from this zone may be kept by a caching DNS server. • Other units: 3H (3 hours), 3D (3 days), 3W (3 weeks); note that M means minutes, so 15M is 15 minutes, not months.
  $TTL 86400
  @         IN SOA localhost root (
                   42  ; serial (d. adams)
                   3H  ; refresh
                   15M ; retry
                   1W  ; expiry
                   1D ) ; minimum
            IN NS  localhost
  localhost IN A   127.0.0.1

  17. Configuring Zone(2) • The SOA Record • The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. • The format is: Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL • Since the format is too long, we usually use parentheses to spread it over several lines and put a comment after a ';'. • The Email-Address is written with a dot in place of '@': root.ns1.alanpo.com. means root@ns1.alanpo.com. • Increase the Serial-No every time you edit the zone, otherwise slaves never pick up the change.

  18. Configuring Zone(3)

  19. Configuring Zone(4) • NS, MX, A And CNAME Records • NS: the name servers authoritative for the zone. • MX: the mail exchangers for the domain, each with a preference number (lower is tried first). • A: maps a name to an IPv4 address. • CNAME: an alias for another (canonical) name; a name that is a CNAME may carry no other records, so never point NS or MX records at a CNAME.

  20. Configuring Zone(5) • Zone file for "alanpo.com" (filename is "named.alanpo.com")
  $TTL 3D
  @       IN SOA  ns1.alanpo.com. root.ns1.alanpo.com. (
                  2006070101 ; Serial
                  8H         ; Refresh
                  12H        ; Retry
                  1W         ; Expire
                  1D )       ; minimum
  @       IN NS   ns1.alanpo.com.
  @       IN MX   10 ns1.alanpo.com.
  ns1     IN A    192.168.1.254
  www     IN CNAME ns1
  ftp     IN CNAME ns1
  forum   IN A    192.168.1.253

  21. Configuring Zone(6) • Reverse Zone file "named.192.168.1"
  $TTL 3D
  @       IN SOA  ns1.alanpo.com. root.ns1.alanpo.com. (
                  2006070102 ; Serial
                  8H         ; Refresh
                  12H        ; Retry
                  1W         ; Expire
                  1D )       ; minimum
  @       IN NS   ns1.alanpo.com.
  254     IN PTR  ns1.alanpo.com.
  253     IN PTR  forum.alanpo.com.
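Worked example added here (not from the slides): a POSIX sh/awk script that derives the PTR records of the reverse zone from the A records of the forward zone on slide 20, and reports hosts the reverse file on slide 21 has missed. The zone text is embedded as constructed input; the extra host "mail" at 192.168.1.10 is invented to show a mismatch.

```shell
#!/bin/sh
# Added example, not from the original slides. Generates the PTR records of a
# reverse zone from the A records of a forward zone, so the two files cannot
# drift apart (a PTR whose name has no matching A record is a classic zone bug).

# Constructed input: the forward zone from slide 20 for alanpo.com.
FORWARD_ZONE='$TTL 3D
@       IN SOA  ns1.alanpo.com. root.ns1.alanpo.com. (
                2006070101 ; Serial
                8H         ; Refresh
                12H        ; Retry
                1W         ; Expire
                1D )       ; minimum
@       IN NS   ns1.alanpo.com.
@       IN MX   10 ns1.alanpo.com.
ns1     IN A    192.168.1.254
www     IN CNAME ns1
ftp     IN CNAME ns1
forum   IN A    192.168.1.253'

# The PTR lines of the slide's reverse zone file, for the consistency check.
REVERSE_PTRS='254 IN PTR ns1.alanpo.com.
253 IN PTR forum.alanpo.com.'

# Constructed drift: a host added to the forward zone but not to the reverse one.
DRIFTED_ZONE="$FORWARD_ZONE
mail    IN A    192.168.1.10"

# ptr_records ZONE ORIGIN NET
#   Print "host IN PTR fqdn." for every A record in ZONE whose address lies in
#   the /24 NET (first three octets, e.g. 192.168.1), sorted by host number.
#   Relative owner names get ORIGIN appended, "@" is the origin itself and an
#   omitted owner repeats the previous one (records with an explicit TTL field
#   are not handled). CNAME owners are skipped: a PTR must name the canonical host.
ptr_records() {
    printf '%s\n' "$1" | awk -v origin="$2" -v net="$3" '
        { sub(/;.*/, ""); if (NF == 0) next }   # drop comments and blank lines
        $1 != "IN" { owner = $1 }                # line carries an owner name
        ($2 == "IN" && $3 == "A") || ($1 == "IN" && $2 == "A") {
            addr = ($1 == "IN") ? $3 : $4
            name = owner
            if (name == "@")          name = origin "."
            else if (name !~ /\.$/)   name = name "." origin "."
            if (split(addr, o, ".") == 4 && (o[1] "." o[2] "." o[3]) == net)
                printf "%s IN PTR %s\n", o[4], name
        }' | sort -n
}

# missing_ptrs ZONE ORIGIN NET EXISTING_PTRS
#   Print the generated PTR records absent from EXISTING_PTRS (whitespace
#   normalised), i.e. the hosts the reverse zone forgot.
missing_ptrs() {
    ptr_records "$1" "$2" "$3" | while IFS= read -r rec; do
        if ! printf '%s\n' "$4" | tr -s ' \t' ' ' | grep -qxF -- "$rec"; then
            printf '%s\n' "$rec"
        fi
    done
}

echo "; PTR records derived from the alanpo.com forward zone"
ptr_records "$FORWARD_ZONE" alanpo.com 192.168.1
echo "; hosts missing from the reverse zone after adding mail:"
missing_ptrs "$DRIFTED_ZONE" alanpo.com 192.168.1 "$REVERSE_PTRS"
```

Run it whenever the forward zone changes and paste the output below the SOA and NS records of the reverse file; remember to bump the serial of both zones.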

  22. Slave DNS Server • A Slave DNS server takes over part of the query load of the Master (load balancing) and keeps answering if the Master is down. • Add 'allow-transfer' to the zones in the Master's named.conf. • 192.168.1.252 is the IP address of the Slave. • List only your slaves here: a zone transfer (AXFR) open to anyone hands an attacker your complete host list.
  zone "alanpo.com" {
      type master;
      file "named.alanpo.com";
      allow-transfer { 192.168.1.252; };
  };
  zone "1.168.192.in-addr.arpa" {
      type master;
      file "named.192.168.1";
      allow-transfer { 192.168.1.252; };
  };

  23. Slave DNS Server(2) • Copy named.conf from the Master and change the zone type: • You do not write the zone file on the Slave; named fetches the zone from the Master and saves it under the given file name, so that directory must be writable by named.
  zone "alanpo.com" {
      type slave;
      file "named.alanpo.com";
      masters { 192.168.1.254; };
  };
  zone "1.168.192.in-addr.arpa" {
      type slave;
      file "named.192.168.1";
      masters { 192.168.1.254; };
  };

  24. Configuration of DNS Client • The configuration file of the DNS client is /etc/resolv.conf. • Add your private DNS server as the first 'nameserver' line; servers are tried in the order listed. • Can you find any security problem in resolv.conf?

  25. Firewall • Cars have a component that separates the engine block from the passenger compartment. • If the engine catches fire or explodes, this component protects the passengers. • This component is known as a firewall. • A firewall in computer terms protects your network from unauthorised access. • Most firewalls filter incoming datagrams based upon the datagram's source address, destination address, higher-level protocol and port numbers. • This kind of firewall is known as a 'packet filter'.

  26. ICF in WindowsXP • Microsoft designed the Internet Connection Firewall (ICF) in Windows XP for use in the home and small businesses. • To enable and configure ICF, do the following: • Go to 'Control Panel' and then click 'Network Connections'. • Click the network connection that you want to protect. • Under 'Network Tasks', click 'Change Settings Of This Connection'. • In the 'Advanced' tab, select the 'Protect My Computer And Network By Limiting Or Preventing Access To This Computer From The Internet' check box. • To configure ICF, click 'Settings'.

  27. ICF in WindowsXP(2)

  28. ICF in WindowsXP(3) • The ‘Services’ tab allows you to specify the services running on your network that Internet users can access. • The ‘Security Logging’ tab allows you to specify whether or not you want to log dropped packets and successful connections. • The ‘ICMP’ tab allows you to select which requests for information from the Internet this computer will respond to.

  29. Important ICF considerations • ICF should be enabled on your shared Internet connection if your network uses ICS to provide Internet access to multiple computers. • ICF also protects a single computer that is connected to the Internet with a cable modem, a DSL modem, or a dial-up modem. • ICF should not be enabled on VPN connections or on the client computers behind an ICS host; there it will interfere with file and printer sharing.

  30. IP Filter in Linux • The IP datagram is received through a network adapter (usually known as eth0). (1) • The incoming IP datagram is examined to determine if it is destined for a process on this machine. • If the datagram is for this machine, it is processed locally.(2)

  31. IP Filter in Linux (2) • If it is not destined for this machine, a search is made of the routing table for an appropriate route and the datagram is forwarded to the appropriate interface or dropped if no route can be found. (3) • Datagrams from local processes are sent to the routing software for forwarding to the appropriate interface. (4) • The outgoing IP datagram is examined to determine if there is a valid route for it to take, if not, it is dropped. • The IP datagram is transmitted out through a PPP driver or another network adapter (usually known as eth1). (5)

  32. IP Chains in Linux (3) • INPUT and OUTPUT chain • The flows 1→2 and 4→5 represent the data input and output flows of a network program running on our local host. • FORWARD chain • The flow 1→3→5 represents our machine routing data (acting as a router) between a host on our Ethernet network and a host reachable via our PPP link (or another interface, e.g. a second network adapter eth1).

  33. iptables • iptables is used to configure both IP filtering (the filter table) and Network Address Translation (the nat table). • Five built-in chains: • The INPUT and FORWARD chains are available for the filter table. • The PREROUTING and POSTROUTING chains are available for the nat table. • The OUTPUT chain is available for both tables. • In this chapter we'll discuss only the filter table. • The general syntax of most iptables commands is: • iptables command rule-specification extensions

  34. Commands of iptables • -A chain • Append one or more rules to the end of the nominated chain. • -I chain [rulenum] • Insert one or more rules into the nominated chain at position rulenum (default 1, the start of the chain). • -D chain • Delete the rules of the specified chain matching the rule specification. • -D chain rulenum • Delete the rule residing at position rulenum in the specified chain. • Rule positions start at 1 for the first rule in the chain.

  35. Commands of iptables(2) • -R chain rulenum • Replace the rule residing at position rulenum in the specified chain with the supplied rule specification. • -C chain • In current iptables, check whether a rule matching the rule specification already exists in the chain; the result is reported through the exit status, which is handy in scripts that must not add duplicate rules. • -L [chain] • List the rules of the specified chain, or of all chains if no chain is specified (add -n -v for numeric addresses and packet counters). • -F [chain] • Flush the rules of the specified chain, or of all chains if no chain is specified.

  36. Commands of iptables(3) • -X [chain] • Delete the specified user-defined chain, or all user-defined chains if no chain is specified (a chain must be empty and unreferenced first). • -Z [chain] • Zero the datagram and byte counters for all rules of the specified chain, or of all chains if no chain is specified. • -P chain policy • Set the default policy of the specified chain, applied to datagrams that match no rule. • Valid policies for the built-in chains are ACCEPT and DROP.

  37. Rule specification parameters • -p [!]protocol • Specifies the protocol of the datagram that will match this rule. Valid protocol names are tcp, udp, icmp (and all). • If the '!' character is supplied, the rule is negated and the datagram will match any protocol other than the specified one. • If this parameter isn't supplied, the rule matches all protocols.

  38. Rule specification parameters(2) • -s [!]address[/mask] • Specifies the source address of the datagram that will match this rule. • The address may be supplied as a hostname, a network name, or an IP address (hostnames are resolved once, when the rule is loaded). • The optional mask is the netmask to use and may be supplied either in the traditional form (e.g. /255.255.255.0) or in the modern form (e.g. /24). • -d [!]address[/mask] • Specifies the destination address of the datagram that will match this rule; ports are matched with --dport, not here.

  39. Rule specification parameters(3) • -j target • Specifies what action to take when this rule matches. • The basic targets are ACCEPT and DROP; REJECT, LOG and the name of a user-defined chain are also valid. • -i [!]interface-name • Specifies the interface on which the datagram was received, e.g. eth0 (only meaningful in the INPUT, FORWARD and PREROUTING chains). • -o [!]interface-name • Specifies the interface on which the datagram is to be transmitted (only meaningful in the FORWARD, OUTPUT and POSTROUTING chains).

  40. Extensions • --sport [!] [port[:port]] • Specifies the port that the datagram source must be using to match this rule. • Ports may be specified as a range by giving the lower and upper limits separated by a colon, e.g. 20:25. • Again, the ! character may be used to negate the values. • --dport [!] [port[:port]] • Specifies the port that the datagram destination must be using to match this rule. • Both are TCP/UDP extensions and require -p tcp or -p udp on the same rule.

  41. Extensions(2) • --icmp-type [!] typename • Specifies the ICMP message type that this rule will match (requires -p icmp). • Some valid names are: echo-request, echo-reply, source-quench, time-exceeded, destination-unreachable, network-unreachable, host-unreachable, protocol-unreachable, and port-unreachable. • --mac-source [!] address • Specifies the Ethernet (MAC) address of the host that transmitted the datagram that this rule will match; requires -m mac and works only in the INPUT, FORWARD and PREROUTING chains, where the source MAC of the frame is known. • MAC addresses are trivially spoofed, so this is a convenience filter, not authentication.

  42. Examples • Clear all the chains. • iptables -F OUTPUT • iptables -F FORWARD • iptables -F INPUT • iptables -X • By default, do not allow any connection! • iptables -P INPUT DROP • iptables -P OUTPUT DROP • iptables -P FORWARD DROP • Do this from the console: as soon as the DROP policies are set, a remote ssh session is cut off until matching ACCEPT rules exist.

  43. Examples(2) • Allow all traffic on the interface lo. • iptables -A INPUT -i lo -j ACCEPT • iptables -A OUTPUT -o lo -j ACCEPT • (-i names the arriving interface and is not valid in OUTPUT; the OUTPUT rule must use -o.) • Open ports 20 to 23 in the INPUT and OUTPUT chains for all hosts. • iptables -A INPUT -p tcp --dport 20:23 -j ACCEPT • iptables -A OUTPUT -p tcp --sport 20:23 -j ACCEPT • Open port 80 in the INPUT and OUTPUT chains for the network 192.168.1.0/24 • iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT • iptables -A OUTPUT -p tcp -d 192.168.1.0/24 --sport 80 -j ACCEPT • Allow other hosts to 'ping' this machine (ICMP type 8 is echo-request). With the OUTPUT policy set to DROP the reply must be allowed out as well: • iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT • iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT • These rules are stateless: the --sport rules let any packet with a matching source port leave the machine, which is why current rulesets match on connection state instead.
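Worked example added here (not from the slides): the ruleset of slides 42 and 43 as a POSIX sh script, with the loopback OUTPUT rule fixed (-o instead of -i) and the connection-tracking match used so that replies to permitted sessions are accepted without opening --sport ranges to everyone. It prints the commands by default (DRY_RUN=1) and only applies them when run as root with DRY_RUN=0; that switch and the LAN variable are additions for the example, the ports and the 192.168.1.0/24 network are the slide's.

```shell
#!/bin/sh
# Added example, not from the original slides. The ruleset of slides 42-43 as a
# script, with two fixes: the loopback OUTPUT rule uses -o (OUTPUT has no input
# interface, so "-A OUTPUT -i lo" is rejected by iptables), and connection
# tracking accepts replies to permitted sessions instead of opening --sport
# ranges to anyone. DRY_RUN=1 (the default) only prints the commands; run with
# DRY_RUN=0 as root to apply them. LAN defaults to the slide's 192.168.1.0/24.

DRY_RUN=${DRY_RUN:-1}
LAN=${LAN:-192.168.1.0/24}

# ipt ARGS...  -> run iptables, or print the command in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

apply_ruleset() {
    # Run this from the console, not over ssh: the DROP policies take effect
    # before any ACCEPT rule exists and a remote session would be cut off.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback: INPUT matches the arriving interface, OUTPUT the leaving one.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Replies to accepted connections pass in both directions; packets that
    # conntrack cannot attribute to any connection are dropped early.
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP

    # Slide 43: ports 20-23 (ftp-data, ftp, ssh, telnet) from any host. Only the
    # first packet of a connection needs a rule now, so the --sport OUTPUT rules
    # of the slide are gone. Telnet is cleartext and kept only to mirror the slide.
    ipt -A INPUT -p tcp --dport 20:23 -m conntrack --ctstate NEW -j ACCEPT

    # Slide 43: port 80 only from the local network.
    ipt -A INPUT -p tcp -s "$LAN" --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Slide 43: let other hosts ping us. The echo-reply leaves under the
    # ESTABLISHED rule above; the slide's plain OUTPUT DROP policy would block it.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

apply_ruleset
```

Review the printed list first, then apply it and verify with iptables -L -n -v; the packet counters on the conntrack rules show whether return traffic is really being matched there rather than hitting the DROP policy.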
