Guide to TCP/IP – Domain Name System (DNS)
Post on 18-Dec-2015
DNS – TCP/IP Application Protocol
• Name resolution protocol – robust, reliable & stable
• Distributed database technology
• What does it resolve?
– Maps the Internet – all valid domain names (symbolic) to IP addresses (numeric)
* Note: a Win2K domain pertains to a group of computers & devices under one administration; a DNS domain is a node representing a partition in the DNS database.
• Replaced the manual task of updating HOSTS files in a network
DNS Background
• Early method – static text files (HOSTS)
• 1984 – JEEVES by Paul Mockapetris
• 1988 – BIND (Berkeley Internet Name Domain) by Kevin Dunlap
– Works with UNIX and Win2K
DNS Structure (Domain Namespace)
• Hierarchical – an inverted tree with the root on top, designated by a single period (.)
• Partitions the namespace into categories
• Parent/child domains
– Top-level primary domains
– Organizational domain hierarchies: second-level domains
– Host names
DNS Structure – an inverted tree
(figure: the domain namespace drawn as an inverted tree; among the top-level nodes shown is .uk)
There are also 2- or 3-letter country codes. See ftp://ftp.ripe.net/iso3166-countrycode.txt
Structure – contd
• Root servers – provide the ultimate source for all name lookups
• 13 root servers worldwide
– A.ROOT-SERVERS.NET
– B.ROOT-SERVERS.NET
• At least one valid IP address for each unique domain name.
– This name-to-address correlation is the most important function of DNS
• The structure of the DNS database mirrors the domain namespace itself.
FQDN
• Fully Qualified Domain Name – consists of all the elements of the domain, including the periods.
• Ex. Computer1.sales.microsoft.com.
(figure: the example above labelled from left to right – Host name at the left, Root at the trailing period)
• Domain name – starts from the bottom of the tree and works its way up.
Domain Namespace
• *Structure of the DNS database mirrors the domain namespace itself.
• Partitioning – trees and subtrees
• Delegation of Authority
– Domain – registration & fees; central authority
– Subdomain – arbitrary; local admin.
• Any valid domain name ultimately resides in master/primary servers
– Copies can be made.
Domain Namespace – “partitioning”
• Zone – a portion of the domain namespace
(figure: under .com, the microsoft subtree with its children development and sales is split into ZONE 1 and ZONE 2, each with its own zone database file)
• Domain namespace divided into zones.
Zones – contd
• Zones allow a domain namespace to be partitioned into manageable sections.
• Root domain for zone 1 – microsoft
• Root domain for zone 2 – development
DNS Naming Conventions & Guidelines
• Limit the number of domain levels.
• Host entries should be 3-4 levels down, no more than 5. The more levels you have, the more admin work.
• Use unique names. For ease of use, select simple names.
• Avoid lengthy names. A domain name can be up to 63 characters including the periods.
Naming Guides – contd
• FQDN cannot exceed 255 characters.
• Not case sensitive.
• Use standard DNS characters & Unicode characters:
– DNS characters: A thru Z, a thru z, 0 thru 9 and the hyphen (-) – RFC 1035
– The Unicode character set includes additional characters not found in ASCII; required for some languages.
Unicode – contd
• Use Unicode characters only if all the servers support Unicode.
• For the complete Unicode set, see RFC 2044
DNS Database – Resource Records (RR)
• RR – special database that contains specific data relevant to DNS:
• Address record (A) – stores domain name-to-IP address translation data
• Canonical name record (CNAME) – used to create aliases
• Name server record (NS) – used to identify all DNS servers in the domain
RR - contd
• Pointer record (PTR) – stores IP address-to-domain name translation data; supports reverse DNS lookup
• Start of Authority record (SOA) – identifies the master DNS server for a specific domain or subdomain.
Other RR:
– Host information (HINFO) record
– Mail exchange (MX) record
– Text (TXT) record
– Well-known services (WKS) record
DNS Structure – delegation of authority
• Assignment of duties – hierarchy; zones; authoritative servers for subdomains
• Easy and quick way to point to other name servers
• Resource Records (RR) – will reflect this delegation of authority.
• DNS Servers – 3 kinds at any given subdomain:
– Primary
– Secondary
– Caching
DNS Servers – contd
• Primary or Master server – contains the primary database files for the domain or subdomain.
– Authoritative
– The database file is called the zone file, an ASCII snapshot that is loaded into memory when the server runs.
– Only one primary/master on any given DNS zone.
DNS servers - contd
• Secondary or slave server – gets data from primary server; gets regular updates.
• Incremental zone transfer vs. full copy or replication.
– Every zone should have at least one slave server; multiple slaves allowed.
– Serves as backup (fault tolerance) and provides load balancing.
DNS servers – contd
• Caching servers – store recently accessed DNS records
– Stand-alone servers (primary & secondary DNS can provide caching also)
– Ideal for large companies & Internet Service Providers
– Speeds access by storing lookup data locally.
– Does not provide DNS server functions.
DNS Root-Level Servers
• Top of the hierarchy
• Has access to all elements of the hierarchy (subdomains)
• Any queries that can’t be handled locally go to the root server
• Follows NS (Name Server) records in the zone database until it finds the authoritative server that contains the SOA name
How Domain Name Servers Work:
(figure: the query path – Client query → Local zone authoritative server → Neighborhood/caching server → Root, then authoritative servers, following NS records)
If the DNS server is authoritative, it gives the data.
This process always produces some kind of answer, even an error message.
Root-level Servers: Types of Queries
• Recursive – “query that keeps working until an answer of some kind is forthcoming.”
– The FIRST DNS server issues further queries on the client's behalf
– When other servers respond to the first server, they provide the answer from their own databases/caches OR
– Provide pointers to other “closer” name servers.
Types of queries – contd
• Iterative or non-recursive – queries to an authoritative server which may or may not generate a reply.
– The FIRST DNS server that receives the recursive query issues repeated iterative queries to other servers
– It will either get an answer or an error message
– What is the difference between a DNS server that receives a recursive query and a server that receives an iterative query?
Queries - contd
• Why is caching important to a DNS server?
• What is non-authoritative response? Authoritative response?
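The recursive-versus-iterative distinction and the role of the cache, as an added simulation that is not part of the slides: the client sends one recursive query to its local server, which walks down from the root with iterative queries, following NS referrals until an authoritative server answers. The three servers, their records and the IP addresses are constructed for the example (the names reuse the tree.com zone from the slides).

```python
from collections import namedtuple

# Constructed for this example: three authoritative servers, one per zone.
# Each knows only its own zone: A records for its hosts and NS records that
# delegate child zones to another server (the NS data is a key of SERVERS).
Answer = namedtuple("Answer", "kind name data")   # kind: "A", "NS" or "NXDOMAIN"
SERVERS = {
    "root-server":     {"com.": ("NS", "com-server")},
    "com-server":      {"tree.com.": ("NS", "apple.tree.com.")},
    "apple.tree.com.": {"apple.tree.com.": ("A", "172.16.1.3"),
                        "pear.tree.com.":  ("A", "172.16.1.2")},
}

def iterative_query(server, qname):
    """One iterative query. The server answers only from its own data:
    an A answer, an NS referral to a "closer" server, or NXDOMAIN."""
    zone = SERVERS[server]
    if qname in zone:
        rtype, data = zone[qname]
        return Answer(rtype, qname, data)
    for name, (rtype, data) in zone.items():
        if rtype == "NS" and qname.endswith("." + name):
            return Answer("NS", name, data)          # referral: go ask this server
    return Answer("NXDOMAIN", qname, None)

def recursive_resolve(qname, cache, log, max_hops=8):
    """What the client's local server does with a recursive query: serve it
    from cache if possible, otherwise start at the root and follow referrals
    with iterative queries until an authoritative server answers.
    Returns the address, or None when the name does not exist."""
    if qname in cache:
        log.append(f"cache hit: {qname} -> {cache[qname]}")
        return cache[qname]
    server = "root-server"
    for _ in range(max_hops):
        ans = iterative_query(server, qname)
        log.append(f"iterative query to {server} for {qname}: {ans.kind}")
        if ans.kind == "NS":
            server = ans.data
            continue
        if ans.kind == "A":
            cache[qname] = ans.data          # later clients skip the whole walk
        return ans.data
    raise RuntimeError("referral loop")
```

The log shows three iterative queries for the first lookup of pear.tree.com. and a single cache hit for the second, which is why caching matters to a DNS server.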
Resource Record (RR) Formats – RFC 1034, 2052, 2065
A and CNAME records:
; Host addresses
localhost.tree.com. IN A 127.0.0.1
pear.tree.com. IN A 172.16.1.2
apple.tree.com. IN A 172.16.1.3
peach.tree.com. IN A 172.16.1.4
RR format
; Multi-homed host
hedge.tree.com. IN A 172.16.1.1
hedge.tree.com. IN A 172.16.2.1
; Aliases
pr.tree.com IN CNAME pear.tree.com
h.tree.com IN CNAME hedge.tree.com
h1.tree.com IN CNAME 172.16.1.1
Note: CNAME records do not end in a period.
Start of Authority (SOA) Record (p. 325)
• tree.com. IN SOA apple.tree.com. sue.pear.tree.com. (
      1       ; Serial (incremented after each update)
      10800   ; Refresh after 3 hours (sync w/ primary)
      3600    ; Retry after 1 hour (interval before trying another refresh)
      604800  ; Expire after 1 week (zone db no longer auth.)
      86400 ) ; Minimum TTL of 1 day (how long an entry can persist outside of a zone.)
• “IN” indicates the record is an Internet class of record types
• “SOA” indicates the record is a Start of Authority record
Client Side DNS Errors
• Client-side DNS errors may stem from any of the following causes:
– Invalid domain name or invalid IP address
– Inability to locate an IP address that corresponds to the requested domain name
– Inability to reach an authoritative name server for the requested domain
Reverse DNS Lookup – mapping addresses to names
• Used to verify whether an IP address matches the domain name of the source.
• Good for identifying IP spoofing
• Format – reverse order (4th octet first)
• Example:
1.1.16.172.in-addr.arpa. IN PTR hedge.tree.com.
2.1.16.172.in-addr.arpa. IN PTR pear.tree.com.
• in-addr.arpa – this string defines the IP address space for the Internet, formerly known as the ARPANET
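The verification the slide describes, as an added example that is not part of the slides: a reverse lookup is only trustworthy when the name the PTR returns has an A record pointing back at the same address (a forward-confirmed reverse lookup), because the owner of an address block can put any name in its PTR records. The zone text below is constructed from the A and PTR records on the slides plus one deliberately inconsistent PTR for 172.16.1.9.

```python
# Constructed zone data: the forward A records and in-addr.arpa PTR records
# from the slides, plus a PTR for 172.16.1.9 that claims a name whose A
# record points elsewhere (what a forged reverse entry looks like).
ZONE_TEXT = """
; Hosts
hedge.tree.com.            IN A   172.16.1.1
hedge.tree.com.            IN A   172.16.2.1
pear.tree.com.             IN A   172.16.1.2
; Reverse entries
1.1.16.172.in-addr.arpa.   IN PTR hedge.tree.com.
2.1.16.172.in-addr.arpa.   IN PTR pear.tree.com.
9.1.16.172.in-addr.arpa.   IN PTR pear.tree.com.
"""

def parse_records(text):
    """Parse 'owner IN TYPE data' lines (';' starts a comment) into
    {(owner, type): [data, ...]}; owners are normalised to end in a period."""
    records = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, _cls, rtype, data = line.split()
        owner = owner if owner.endswith(".") else owner + "."
        records.setdefault((owner, rtype), []).append(data)
    return records

def reverse_name(ip):
    """Build the in-addr.arpa name: the four octets in reverse order, 4th octet first."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def forward_confirmed(ip, records):
    """Forward-confirmed reverse DNS: look up the PTR for ip, then check that the
    returned name has an A record for the same ip.  Returns (hostname, True) when
    both directions agree, (hostname, False) when they disagree, and (None, False)
    when the address has no PTR at all."""
    ptrs = records.get((reverse_name(ip), "PTR"), [])
    if not ptrs:
        return None, False
    host = ptrs[0]
    return host, ip in records.get((host, "A"), [])
```

Note that hedge.tree.com.'s second interface, 172.16.2.1, has no PTR in the slide data, so its check fails even though the forward record is fine; reverse zones must be kept in step with forward zones for this check to be useful.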
NSLOOKUP Command
• Queries the default name server; provides info from the default server or from a server/IP address you provide.
• Command-line utility
• C:\>nslookup
– should give you the default server
– Let's see if we can find the default DNS server for nvcc.edu.
Other DNS Issues
• Dual purpose: DNS allows your users to “reach out”; outsiders can “reach in”
– Provide name resolution to your users
– Provide the authoritative hostname-to-IP mapping for services you choose to provide
• Dynamic DNS (DDNS) – name servers & clients within a network automatically update the zone database files
– Linkage: need to link DNS and Active Directory.
– DHCP, WINS, Active Directory or LDAP (Lightweight Directory Access Protocol) keep track of the IP address space; keep track of domain name-to-address changes over time.
DNS Issues – contd
• DDNS & DHCP – the DHCP service generates dynamic updates
– Active Directory (with DHCP) keeps track of name-to-address changes over time
– Synchronize master copies of zone files
– DHCP allows a client to add its A (host) records to the zone
– DHCP adds the PTR (pointer) to the zone
– DHCP also cleans up when the zone expires
DNS Issues – contd
• Remember the query process? How does caching play a role?
• Propagation delay – how long will it take for the cached values to catch up with the “master copies”?
– Depends on the TTL clause. Default TTL – 24 hours.
– Any change will add another 24 hrs to the default TTL before it kicks in.
DNS issues – contd
• Security: if possible, separate your internal & external DNS servers. How?
– A single DNS server can leak info about internal hosts.
Security Structure
(figure: the organization's servers – DNS, Web, FTP, E-mail, etc.)
How can we separate our external and internal servers?
Split DNS Architecture
• 2 DNS servers:
(figure: an External DNS Server and a separate Internal DNS Server, with outside queries passing through a bastion host)