
Module 7


stew

Presentation Transcript


  1. Module 7 Advanced Zone Files

  2. Objectives
  • Understand failover strategies using DNS
  • Understand domain delegation
  • Understand Glue Records
  • Understand the SRV RR
  • Understand the NAPTR RR

  3. Load Balancing/Failover
  • Basic Strategy
    • Multiple RRs
  • Mail Servers – 2 strategies
    • MX natural failover/load balancing
    • Multiple RRs
  • RRs delivered in round-robin order
  • BIND provides alternate controls

  4. Mail Servers – MX RRs
    ; mail server Resource Records for the zone (domain)
            3w IN MX 10 mail.example.com.
    ; the second mail server has lower priority and is
    ; external to the zone (domain) - backup
               IN MX 20 mail.example.net.
  3w = TTL
  Priority 10 simply means you can add a more important mail server with only one change

  5. Mail Servers – Multiple RRs
    ; zone file fragment
            IN MX 10 mail.example.com.
            IN MX 10 mail1.example.com.
            IN MX 10 mail2.example.com.
    ....
    mail    IN A 192.168.0.4
    mail1   IN A 192.168.0.5
    mail2   IN A 192.168.0.6
  OR
    ; zone file fragment
            IN MX 10 mail.example.com.
    ....
    mail    IN A 192.168.0.4
            IN A 192.168.0.5
            IN A 192.168.0.6

  6. Mail Servers
  • No difference between the two approaches
  • All local mail servers must have access to a common mail filestore
  • Backup servers (priority 20) are configured to forward mail to the real (priority 10) mail servers
  • MX RRs can be set to very high TTLs
  • A or AAAA RRs may change

  7. Mail Server Reverse Map
    ; reverse-map file fragment
    ; for 0.168.192.IN-ADDR.ARPA
    ....
    4    PTR mail.example.com.
    5    PTR mail.example.com.
    6    PTR mail.example.com.

  8. Other Services
  • Typically use multiple A (AAAA) RRs
  • Multiple RRs with the same name and type are called RRsets
  • In the case of the web, the browser will do IP failover in 2 – 3 minutes
  • Dynamic updating of the IP with a short TTL will failover in 30 minutes (MSIE)
  • DNS load balances on IP address
  • Works for flat loads
  • If transaction loads vary, must use a load-balancer

  9. Load Balance – Multiple RRs
    ; example.com zone file fragment
    ....
    ftp     IN A 192.168.0.4
    ftp     IN A 192.168.0.5
    ftp     IN A 192.168.0.6
    www     IN A 192.168.0.7
    www     IN A 192.168.0.8

    ; example.com zone file fragment
    ....
    ftp     IN A 192.168.0.4
            IN A 192.168.0.5
            IN A 192.168.0.6
    www     IN A 192.168.0.7
            IN A 192.168.0.8

  10. Parent and Child domains
  • Parent of any domain is the next level up in the hierarchy
  • Parent contains NS RRs which are not Authoritative
  • Child contains NS RRs which are Authoritative

  11. Parent and Child domains

  12. DNS Subdomain Delegation
  • www.ramq.example.com
  • Two methods
    • Full delegation
      • Needs separate name servers
      • Complete control to delegated authority
      • Method used by domain system
      • Multiple zone files
    • Virtual subdomain
      • Does not need name servers
      • Single zone file to maintain

  13. Parent Zone File
    ; IPv4 zone file for example.com
    $TTL 2d ; default TTL for zone
    $ORIGIN example.com. ; base domain-name
    ; Start of Authority record defining the key characteristics of the zone (domain)
    @        IN SOA ns1.example.com. hostmaster.example.com. (
                    2003080800 ; se = serial number
                    12h        ; ref = refresh
                    15m        ; ret = update retry
                    3w         ; ex = expiry
                    2h         ; min = minimum
                    )
    ; name servers Resource Records for the domain
             IN NS ns1.example.com.
    ; the second name server is
    ; external to this zone (domain).
             IN NS ns2.example.net.
    ; mail server Resource Records for the zone (domain)
          3w IN MX 10 mail.example.com.
    ; the second mail server has lower priority and is
    ; external to the zone (domain)
             IN MX 20 mail.example.net.
    ; domain hosts include NS and MX records defined previously
    ; plus any others required
    ns1      IN A 192.168.254.2
    mail     IN A 192.168.254.4
    joe      IN A 192.168.254.6
    www      IN A 192.168.254.7
    ; aliases ftp (ftp server) to an external location
    ftp      IN CNAME ftp.example.net.

  14. DNS Subdomain Delegation
    ; subdomain definitions in the same zone file
    ; $ORIGIN directive simplifies and clarifies definitions
    $ORIGIN ramq.example.com. ; all subsequent RRs use this ORIGIN
    ; two name servers for the subdomain
    @        IN NS ns3.ramq.example.com.
    ; the preceding record could have been written without the $ORIGIN as
    ; ramq.example.com. IN NS ns3.ramq.example.com.
    ; or @ IN NS ns3
    ; the second name server points back to preceding ns1
             IN NS ns1.example.com.
    ; A record for name server ns3 required - the glue record
    ns3      IN A 10.10.0.24 ; glue record
    ; the preceding record could have been written as
    ; ns3.ramq.example.com. A 10.10.0.24 if it's less confusing

  15. Child Zone File
    ; zone file for subdomain ramq.example.com
    $TTL 2d ; zone default of 2 days
    $ORIGIN ramq.example.com.
    @        IN SOA ns3.ramq.example.com. hostmaster.ramq.example.com. (
                    2003080800 ; serial number
                    2h         ; refresh = 2 hours
                    15m        ; update retry = 15 minutes
                    3w12h      ; expiry = 3 weeks + 12 hours
                    2h20m      ; minimum = 2 hours + 20 minutes
                    )
    ; subdomain name servers
             IN NS ns3.ramq.example.com.
             IN NS ns1.example.com. ; see following notes
    ; subdomain mail server
             IN MX 10 mail.ramq.example.com.
    ; A records for preceding name servers
    ns3      IN A 10.10.0.24
    ns1.example.com. IN A 192.168.0.3 ; 'glue' record
    ; A record for preceding mail server
    mail     IN A 10.10.0.25
    ; next record defines our ftp server
    ftp      IN A 10.10.0.28

  16. Full Subdomain Delegation
  • One of the Parent name servers provides NS services (slave) – common but not essential
  • Mail is also delegated – not essential, could use mail.example.com
  • Needs one DNS server in this case (ns3.ramq.example.com)
  • Zone file controlled by delegated authority
  • Can delegate further

  17. Virtual Subdomains
    $ORIGIN ramq.example.com.
    @        IN MX 10 mail
    ; preceding record could have been written as
    ; ramq.example.com. IN MX 10 mail.ramq.example.com.
    ; A record for subdomain mail server
    mail     IN A 10.10.0.28
    ; the preceding record could have been written as
    ; mail.ramq.example.com. A 10.10.0.28 if it's less confusing
    ftp      IN A 10.10.0.29
    ; the preceding record could have been written as
    ; ftp.ramq.example.com. A 10.10.0.29 if it's less confusing
    ....
    ; other subdomain definitions as required
    $ORIGIN mderr.example.com.

  18. Virtual Subdomain
  • Requires no new name servers
  • Functionally identical to full delegation
  • Zone file controlled by main zone administrators
  • Shows delegation of mail – not essential – could use mail.example.com
  • Further delegation possible under control of main zone administrators

  19. GLUE Records
  • Widely and erroneously used term
  • Glue is an A (AAAA) RR pointing to an authoritative name server for the child zone
  • Glue is essential
    • At the parent
    • For in-zone name servers
  • All others are technically normal A (AAAA) RRs

  20. Glue – Why Essential?
  • Client needs A RR to get to host
  • Client needs a name server to get to host record
  • Client needs A RR of name server to get name server
  • Not required if out-of-zone – normal lookup for out-of-zone will get an in-zone name server glue record!
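As an added example (not part of the presentation), a small Python check of the point slides 14, 19 and 20 make: given a parent-zone fragment, list the in-zone name servers of a delegated child that have no glue A record. The zone text is constructed from the slides; parse_zone and missing_glue are hypothetical helper names.

```python
# Constructed parent-zone fragment modelled on slides 13 and 14: example.com
# delegates ramq.example.com to ns3 (in-zone, needs glue) and ns1.example.com.
PARENT_ZONE = """\
$ORIGIN example.com.
@        IN NS ns1.example.com.
         IN NS ns2.example.net.
ns1      IN A  192.168.254.2
$ORIGIN ramq.example.com.
@        IN NS ns3.ramq.example.com.
         IN NS ns1.example.com.
ns3      IN A  10.10.0.24 ; glue record
"""

def parse_zone(text):
    """Minimal master-file reader: handles $ORIGIN, '@', relative names,
    blank (inherited) owners and ';' comments; no TTL fields.
    Returns a list of (owner, type, rdata) with names lower-cased."""
    origin, last_owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        fields = line.split()
        owner = last_owner if raw[0].isspace() else fields.pop(0).lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"   # relative name gets $ORIGIN appended
        fields = [f for f in fields if f.upper() not in ("IN", "CH", "HS")]
        rtype, rdata = fields[0].upper(), fields[1].lower()
        last_owner = owner
        records.append((owner, rtype, rdata))
    return records

def missing_glue(records, child_zone):
    """In-zone (in-bailiwick) NS targets of child_zone that have no A/AAAA
    record in the parent. Out-of-zone NS names are ignored: the resolver
    finds their addresses with a normal lookup, as slide 20 says."""
    child = child_zone.lower().rstrip(".") + "."
    ns_targets = {r for o, t, r in records if o == child and t == "NS"}
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    in_zone = {ns for ns in ns_targets if ns.endswith("." + child)}
    return sorted(in_zone - has_addr)
```

Running it on the fragment reports nothing; deleting the ns3 A record makes it report ns3.ramq.example.com., which is exactly the lame delegation a resolver would hit.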

  21. DNS – SRV RR
  • SRV provides a means to find a host that offers a service within a domain
  • srvce = symbolic name of the service (standardized by IANA), e.g. _ftp
  • prot = protocol name, e.g. _tcp
  • name = domain (zone name), can be omitted (substitution)
    srvce.prot.name ttl class rr pri weight port target

  22. DNS – SRV RR
  • pri = relative priority – lower is more important, like the MX RR (0 – 65535)
  • weight = when pri is the same, defines the relative frequency of delivery of the SRV (0 – 65535)
  • port = the port number of the service (the only time DNS deals with ports; allows for non-standard ports)
    srvce.prot.name ttl class rr pri weight port target

  23. DNS – SRV RR
  • target = name of the host that provides the service
    srvce.prot.name ttl class rr pri weight port target

  24. SRV RR
    $ORIGIN example.com.
    .....
    ; left hand name is _http._tcp.example.com = query target
    _http._tcp SRV 10 1 80 slow.example.com.
               SRV 10 3 80 fast.example.com.
    ; if neither slow nor fast is available, switch to
    ; an external backup web server but use port 8100 not port 80
               SRV 20 0 8100 backup.example.net.
    slow       A 192.168.254.3
    fast       A 192.168.254.4

  25. SRV RR
  • Extensive use made by modern services such as:
    • SIP (VoIP)
    • LDAP
    • Windows AD (Kerberos and others)
  • Web browsers rarely use SRV
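To make the pri/weight rules of slides 21 to 24 concrete, here is an added Python example (not the presentation's code) of the client-side selection an RFC 2782 SRV client performs over the slide 24 RRset; srv_order and first_choice_counts are hypothetical names.

```python
import random

# Constructed RRset for _http._tcp.example.com as on slide 24.
# Fields: (priority, weight, port, target).
SRV_RRSET = [
    (10, 1, 80, "slow.example.com."),
    (10, 3, 80, "fast.example.com."),
    (20, 0, 8100, "backup.example.net."),
]

def srv_order(rrset, rng=random):
    """Order an SRV RRset the way an RFC 2782 client does: every record of the
    lowest priority is tried before any of the next; within one priority the
    next target is drawn at random in proportion to its weight, weight 0
    meaning 'only when nothing else is left'. Returns [(target, port), ...]."""
    ordered = []
    for pri in sorted({r[0] for r in rrset}):
        # weight-0 records go first in the pool so that only a draw of 0 picks them
        pool = sorted((r for r in rrset if r[0] == pri), key=lambda r: r[1] > 0)
        while pool:
            total = sum(r[1] for r in pool)
            point = rng.randint(0, total)          # uniform in [0, total]
            running = 0
            for r in pool:
                running += r[1]
                if running >= point:               # first record reaching the draw
                    choice = r
                    break
            pool.remove(choice)
            ordered.append((choice[3], choice[2]))
    return ordered

def first_choice_counts(rrset, trials, seed=0):
    """How often each target comes out first over many orderings; shows that
    weight 3 (fast) is preferred to weight 1 (slow) at the same priority and
    that priority 20 (backup) never comes first while priority 10 exists."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        target, _port = srv_order(rrset, rng)[0]
        counts[target] = counts.get(target, 0) + 1
    return counts
```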

  26. NAPTR RRs
  • NAPTR (Naming Authority Pointer Record) is a general purpose RR for the Dynamic Delegation Discovery System (DDDS). Sister of SRV. Application-unique format.
  • order = low is highest, like MX
  • pref = if order is the same, pref (lower is highest) is used to find the best RR
    NAPTR order pref flag params regexp replace

  27. NAPTR RRs
  • flag = Optional. Enclosed in quotes. Unique to application.
  • params = Optional. Enclosed in quotes. Unique to application.
  • regexp = regular expression applied to the Application Unique String (AUS)
    NAPTR order pref flag params regexp replace

  28. NAPTR RRs
  • replace = Replaces the Application Unique String (AUS). Dot if not used.
    NAPTR order pref flag params regexp replace

  29. ENUM Use of NAPTR
  • ENUM is a service which allows a telephone number to be converted into one or more methods to reach a human
  • Domain name is .e164.arpa
  • Assume we want to contact +44-111-555-1212 (AUS = +441115551212)
  • First Well Known Rule (ENUM specific) creates 2.1.2.1.5.5.5.1.1.1.4.4.E164.ARPA – DNS lookup

  30. ENUM Use of NAPTR

  31. ENUM Use of NAPTR
    ; zone file fragment for 5.5.5.1.1.1.4.4.E164.ARPA
    $TTL 2d ; zone TTL default = 2 days or 172800 seconds
    $ORIGIN 5.5.5.1.1.1.4.4.E164.ARPA.
    ....
    2.1.2.1 NAPTR ( 10        ; order
                    100       ; preference
                    "U"       ; flag
                    "E2U+sip" ; svc
                    "!^\\+44111555(.+)$!sip:7\\1@sip.example.com!" ; ere
                    . )       ; replace
            NAPTR 10 101 "u" "E2U+pres" "!^.*$!mailto:sheila@example.com!" .

  32. ENUM Result
  • First NAPTR RR gives sip:71212@sip.example.com
    • "!^\\+44111555(.+)$!sip:7\\1@sip.example.com!"
  • If this fails, the second NAPTR gives mailto:sheila@example.com
    • "!^.*$!mailto:sheila@example.com!"
  Regular Expression Quick Key
    ! = delimiter, () = group, $ = EoL, \1 = backref (group), ^ = SoL
    + = 1 or more times, * = 0 or more times
    \ escaped for DNS only (\\1), on-wire escape char removed (\1)
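The ENUM walk of slides 29 to 32 end to end, as an added Python example that is not part of the presentation: the First Well Known Rule builds the e164.arpa name, then the NAPTR regexp fields from the slide 31 fragment (master-file form, backslashes still doubled) are unescaped and applied to the AUS in (order, pref) sequence. enum_domain, apply_naptr_regexp and enum_resolve are hypothetical names.

```python
import re

# Constructed NAPTR RRset for 2.1.2.1.5.5.5.1.1.1.4.4.e164.arpa, taken from the
# zone fragment on slide 31. Fields: (order, pref, flags, service, regexp,
# replacement). Deliberately listed out of order to show the (order, pref) sort.
NAPTR_RRSET = [
    (10, 101, "u", "E2U+pres", r"!^.*$!mailto:sheila@example.com!", "."),
    (10, 100, "U", "E2U+sip",
     r"!^\\+44111555(.+)$!sip:7\\1@sip.example.com!", "."),
]

def enum_domain(number):
    """ENUM First Well Known Rule: keep only the digits of the E.164 number,
    reverse them, dot-separate them and append e164.arpa."""
    digits = re.sub(r"\D", "", number)
    return ".".join(reversed(digits)) + ".e164.arpa."

def apply_naptr_regexp(regexp, aus):
    """Apply one NAPTR regexp field to the Application Unique String. The first
    character is the delimiter; a doubled backslash in the master file is one
    on-wire backslash. Returns the rewritten string, or None if no match."""
    wire = regexp.replace("\\\\", "\\")
    delim = wire[0]
    _, pattern, repl, _ = wire.split(delim)
    m = re.match(pattern, aus)
    return m.expand(repl) if m else None     # expand() resolves \1 backrefs

def enum_resolve(number, rrset):
    """Candidate URIs in the order a client tries them: NAPTRs sorted by
    (order, pref), terminal 'U'/'u' rules only, non-matching regexps skipped."""
    uris = []
    for order, pref, flags, _svc, regexp, _repl in sorted(rrset, key=lambda r: (r[0], r[1])):
        if flags.lower() != "u":
            continue
        uri = apply_naptr_regexp(regexp, number)
        if uri is not None:
            uris.append(uri)
    return uris
```

For +441115551212 the sip rule (pref 100) comes first and yields sip:71212@sip.example.com; the mailto rule (pref 101) follows as the fallback the slide describes.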

  33. Quick Quiz
  • Normal strategy for load balancing?
  • MX failover/load balancing strategies?
  • Does virtual subdomain delegation require name servers?
  • What is the parent of ramq.example.com?
  • Are NS RRs in the parent authoritative?
  • Are GLUE records necessary for out-of-zone name servers?
  • What do SRV records do?

  34. Zone File Exercise
  • Zone files for domain delegation
    • Full delegation
    • Parent is gov.lc
    • Child is nic.gov.lc
    • Mail will go to the parent domain
    • Two NS servers: ns1.nic.gov.lc, ns2.nic.gov.lc
