dns
DESCRIPTION
Discussion of the Domain Name Space
TRANSCRIPT
DNS
Domain Name System
February 13, 2001
Professor Tom Mavroidis
DNS
On all Linux systems, domain name service (DNS) is implemented with the Berkeley Internet Name Domain (BIND) software
BIND 8 is the most recent version
BIND DNS is a client/server system
Client/Server
Client is called the resolver
– it forms the queries and sends them to the name server
– not a distinct process but a library of software routines
– every computer on the network runs a resolver
Server Side
Answers queries that come from the resolver
The name server daemon is called named
Not necessary to run named on every computer, only on the name server
Why are name services used?
A name service is a network information service that maps names to addresses.
The service is accessed transparently
The user is unaware of the procedures used to find the IP address
www.yahoo.com => 216.32.74.50
Why use domain names?
Names are easier to remember than IP addresses
Less chance of entering an incorrect name
If a site is moved to a new IP address the name can remain the same
In the beginning…
Host names were administered by a central authority
A new host would be added to the hosts.txt file located at the Network Information Center (NIC)
The entire hosts.txt file would be propagated to every site in the Internet using FTP
Problems included...
A high probability of naming conflicts
Central name administration was a problem with the community in general
Distribution problems increased dramatically
Maintaining consistency was impossible
DNS is...
A database which maps names to addresses
The database is distributed across the entire Internet
It is independent of network topology
DNS Goals
Hosts need not download huge hosts.txt files
You do not need to notify a central agency if you add a new machine to the network
Flat Namespace
Hosts are organized into a single tree
Naming hierarchy is independent of physical networks
Hosts are addressed by IP address
Namespace refers to the set of all possible names
A flat namespace limits this set
Hierarchical Namespace
Allows for an almost unlimited choice of names
A domain is best described as a subtree of the namespace
Each node in the subtree is named by a label
Conventions
Two conventions are being used when domains are chosen: organizational and geographical
Organizational = .com .edu .gov .mil .net .org .int
Geographical = .fr .nl .ca .gb (follow ISO-3166)
Labels
May be both upper and lower case
Case is ignored: Yahoo = yahoo
Must start with a letter, may end with a letter or number, and may contain letters, digits, or hyphens
Maximum length = 255 characters
Fully Qualified Domain Name (FQDN)
Made up of all labels from the root
Written from left to right
Labels must be unique within their parent domain
May be absolute or relative (see next slide)
Names
Absolute - expressed relative to the root, i.e. senecac.on.ca.
Relative - represents the lower labels of an incomplete domain name, i.e. cs.senecac.on.ca
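The label and name rules from the last three slides, as an added Python example (not code from the slides): it applies the label rules and the 255-character limit exactly as stated above, compares names case-insensitively, and tells an absolute name from a relative one by the trailing root dot. The names are the ones the slides use; the regular expression and function names are my own.

```python
import re

# Label rules as the slides state them: start with a letter, end with a letter
# or digit, contain only letters, digits and hyphens; case is ignored. The
# 255-character limit is applied to the whole name.
LABEL_RE = re.compile(r"^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_NAME_LENGTH = 255


def is_absolute(name):
    """Absolute names end in the root dot ('senecac.on.ca.'); relative ones do not."""
    return name.endswith(".")


def split_labels(name):
    """Split a name into its labels, dropping the trailing root dot if present."""
    stripped = name[:-1] if is_absolute(name) else name
    return stripped.split(".") if stripped else []


def validate_name(name):
    """Return the list of problems found; an empty list means the name is valid."""
    problems = []
    if len(name) > MAX_NAME_LENGTH:
        problems.append("name longer than %d characters" % MAX_NAME_LENGTH)
    labels = split_labels(name)
    if not labels:
        problems.append("empty name")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append("bad label %r" % label)
    return problems


def same_name(a, b):
    """Case-insensitive comparison of two names: Yahoo = yahoo."""
    return [x.lower() for x in split_labels(a)] == [x.lower() for x in split_labels(b)]


def qualify(relative, origin):
    """Turn a relative name into an absolute one under origin: 'cs' + 'senecac.on.ca' -> 'cs.senecac.on.ca.'"""
    if is_absolute(relative):
        return relative
    if not is_absolute(origin):
        origin += "."
    return relative + "." + origin


if __name__ == "__main__":
    for candidate in ("senecac.on.ca.", "Yahoo.com", "-bad.on.ca", "3com.com", "a" * 256):
        print(candidate[:30], validate_name(candidate) or "ok")
```

Note that `3com.com` is rejected only because the slides require a leading letter; later RFCs relaxed that rule, so a validator used in production should follow whatever the serving software actually accepts.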
Name Servers
Repositories of information that make up the database
Holds information for some parts of the namespace
Parts of the namespace that are managed and have complete information are said to be authoritative
Zones
Information is organized into units called zones
Zones contain all of the information about a domain.
Internet Domains
Need to be supported by at least two nameservers for reasons of reliability
These are known as primary and secondary nameservers
Zones are replicated across both nameservers
Primary Nameservers
Sometimes called master servers
Master files are updated by local system administrators
Zone changes are made at the primary server
Secondary servers maintain a copy of the data for a zone and periodically update their data from the primary
Resource Records
All data is stored in a standard format called a Resource Record (RR) which consists of four parts:
Domain, Class, Type, Information
Resource Record
Domain - name of the domain
Class - class of record (IN for Internet)
Type - type of record, what it is used for
Information - data for the record
Resource Record Types
A = (IPv4 address)
AAAA = (IPv6 address)
NS = nameserver
SOA = Start of Authority
PTR = Pointer used to map names to addresses
and many more
Resolvers
Client process's entry into the database
Extracts information in response to the client's request
Steps necessary to extract an address
Resolver function sends a query to its local nameserver (entered during configuration on the local machine)
Local nameserver checks its own information (hosts.txt)
If failed, request is sent to the root server
...continued
If failed, returns a referral to a server closer to the domain of interest, i.e. the .com DNS server.
If failed, returns a referral to the server for the domain root, i.e. .senecac.on.ca
If failed, returns a domain not found; otherwise returns the address of the requested domain
Caching
Improves performance by maintaining a copy of recent requests in memory
Data may be out of date if changes have occurred since the last cache
Cached data is termed nonauthoritative
Primary and secondary nameservers return authoritative answers only since they are originators for the zone
…Caching Continued
Cached data is eventually discarded by a timeout (TTL) field
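The referral walk and the caching rules above, as an added Python simulation that is not part of the slides: a constructed toy tree of authoritative servers (root, the .ca server, the senecac.on.ca server; all server names and the 192.0.2.10 address are made up) answers each query with an answer, a referral one step closer to the domain, or "not found", and the local nameserver caches what it learns with the record's TTL and serves that copy as nonauthoritative until the TTL runs out. The hosts.txt check on the slide's second step is left out; the clock is a fake so the expiry can be shown without waiting.

```python
# Constructed toy tree of authoritative servers for the walk in the slides:
# the root refers to the .ca server, which refers to the senecac.on.ca
# server, which holds the A record. Server names and addresses are made up.
ROOT = "a.root-servers.example."
AUTHORITY = {
    ROOT: {
        "delegations": {"ca.": "ca-tld.example."},
        "records": {},
    },
    "ca-tld.example.": {
        "delegations": {"senecac.on.ca.": "ns.senecac.on.ca."},
        "records": {},
    },
    "ns.senecac.on.ca.": {
        "delegations": {},
        "records": {"titanic.senecac.on.ca.": ("192.0.2.10", 3600)},  # (IPv4, TTL seconds)
    },
}


def query_server(server, name):
    """One round trip to one server.

    Returns ("answer", ip, ttl) when the server holds the record,
    ("referral", next_server, None) when it can point closer to the domain,
    or ("nxdomain", None, None) when the name does not exist.
    """
    info = AUTHORITY[server]
    if name in info["records"]:
        ip, ttl = info["records"][name]
        return ("answer", ip, ttl)
    best = None
    for zone, next_server in info["delegations"].items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, next_server)   # longest matching delegation wins
    if best is not None:
        return ("referral", best[1], None)
    return ("nxdomain", None, None)


class FakeClock:
    """Constructed clock so TTL expiry can be shown without waiting."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class CachingResolver:
    """Local nameserver: walks referrals from the root and caches what it learns."""

    def __init__(self, clock):
        self.clock = clock
        self.cache = {}       # name -> (ip, expires_at)
        self.last_trail = []  # servers asked during the most recent resolve()

    def resolve(self, name):
        """Return (ip, authoritative). Answers served from cache are nonauthoritative."""
        now = self.clock()
        self.last_trail = []
        if name in self.cache:
            ip, expires_at = self.cache[name]
            if now < expires_at:
                return (ip, False)
            del self.cache[name]  # TTL has run out: discard the stale copy
        server = ROOT
        for _ in range(16):  # bound the referral chain
            self.last_trail.append(server)
            kind, value, ttl = query_server(server, name)
            if kind == "answer":
                self.cache[name] = (value, now + ttl)
                return (value, True)
            if kind == "referral":
                server = value
                continue
            return (None, False)   # domain not found
        raise RuntimeError("referral loop while resolving %s" % name)
```

`last_trail` makes the slide's walk visible: a cold lookup visits root, .ca and senecac.on.ca in that order; a repeat within the TTL visits nobody.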
Mapping Addresses to Names
Domain IN-ADDR.ARPA is set up for mapping addresses to names
142.204.1.1 => senecac.on.ca
Some applications require this service, i.e. HTTPS
Dynamic Updates
Update request message is sent from a client to its local server
Message is forwarded to the primary master server
Primary master checks prerequisites and the requestor is validated
Data is written to storage in client
Server can send DNS NOTIFY messages to slave servers (RFC 1996)
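The update path on the slide, as an added Python model that is not part of the slides: a primary master for a constructed senecac.on.ca zone refuses requestors outside its allowed networks, checks the "exists"/"not-exists" prerequisites, writes the records, bumps the serial and records one NOTIFY per slave. The forwarding hop through the local server is omitted, and the status strings, addresses and serial are made up; only the standard `ipaddress` module is used.

```python
import ipaddress


class PrimaryMaster:
    """Constructed model of the update path on the slide: the primary master
    validates the requestor, checks the prerequisites, writes the data and
    sends NOTIFY to its slaves. Names, addresses and serials are made up."""

    def __init__(self, zone, allow_update, slaves, serial=2000021222):
        self.zone = zone                         # e.g. "senecac.on.ca."
        self.allow_update = [ipaddress.ip_network(n) for n in allow_update]
        self.slaves = list(slaves)
        self.serial = serial
        self.records = {}                        # name -> [(type, data), ...]
        self.notified = []                       # (zone, slave, serial) per NOTIFY sent

    def in_zone(self, name):
        return name == self.zone or name.endswith("." + self.zone)

    def requestor_permitted(self, requestor):
        """Source-address check; an unlisted client is refused before anything is touched."""
        addr = ipaddress.ip_address(requestor)
        return any(addr in net for net in self.allow_update)

    def prerequisites_hold(self, prereqs):
        """Each prerequisite is ('exists', name) or ('not-exists', name); all must hold."""
        for kind, name in prereqs:
            present = name in self.records
            if (kind == "exists" and not present) or (kind == "not-exists" and present):
                return False
        return True

    def update(self, requestor, prereqs, additions):
        """Process one update; additions are (name, type, data) tuples.
        Returns a status string modelled loosely on DNS response codes."""
        if not all(self.in_zone(name) for name, _, _ in additions):
            return "NOTZONE"
        if not self.requestor_permitted(requestor):
            return "REFUSED"
        if not self.prerequisites_hold(prereqs):
            return "PREREQ-FAILED"
        for name, rtype, data in additions:
            self.records.setdefault(name, []).append((rtype, data))
        self.serial += 1          # the zone changed, so the SOA serial moves on
        for slave in self.slaves:
            self.notified.append((self.zone, slave, self.serial))   # RFC 1996 NOTIFY
        return "NOERROR"
```

A source-address list is the weakest form of requestor validation, since addresses can be spoofed; the `key` statement listed later under named.conf is where a real deployment would attach cryptographic credentials instead.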
Alternate Naming Services
WINS - Windows Internet Naming Service
Usually found on Microsoft clients and servers
Resolves LAN requests for IP addresses, same as DNS
Alternate Naming Services
ACAP - Application Configuration Access Protocol
Developed by the Internet Engineering Task Force (IETF)
Gives applications access to services such as address books
Alternate Naming Services
LDAP - Lightweight Directory Access Protocol
Provides ACAP with a directory structure
Uses the OSI X.500 specifications
Setting up a Nameserver
Three components are needed: nameserver software, nameserver boot file (not required in all systems), and the master files (data files)
The software Linux uses is called "named"
named daemon
Also known as BIND (Berkeley Internet Name Daemon)
Has become the de facto nameserver
The Internet Software Consortium (ISC) controls BIND and its improvements
named uses a boot file and local data files
Back to the Resolver
The resolver is configured by the /etc/resolv.conf file
The /etc/resolv.conf file is read each time it needs to resolve an address
– this means you need not restart a service when changes are made
Nameserver address
Nameserver address - defines the IP address of the nameserver the resolver should use
Up to three nameserver addresses can be used
The second address is only queried if the first server cannot be reached, and the third only if the first two fail
Domain domainname
Defines the local domain which is used to expand the host name in a query before it is sent to the nameserver
If not defined, the values in the search command are used
Search searchlist
Defines a list of domains that are used to expand a host name before it is sent to the nameserver
Contains up to six domain names separated by spaces
Each domain is searched until the query is answered
Options option
debug - turns on debugging
timeout:n - initial query timeout for the resolver (default 5 seconds)
attempts:n - the number of times the resolver retries a query (default 2)
rotate - round robin selection of nameservers
Options (cont)
no-check-names - disables checking of domain names for RFC 952 compliance
inet6 - query for IPv6 addresses
Search List
Say you entered "search senecac.on.ca"
If a user enters "titanic" instead of titanic.senecac.on.ca
– senecac.on.ca is automatically appended to it
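The resolv.conf behaviour described on the last six slides, as an added Python example that is not from the slides: it parses a constructed /etc/resolv.conf (the limits of three nameservers and six search domains, the timeout and attempts defaults, and the domain-before-search precedence are taken from the slides), expands "titanic" through the search list, applies the rotate option, and tries the nameservers in order with the second used only after the first has exhausted its attempts. Trying the bare name last is my own assumption, and `send` is a caller-supplied stand-in for the actual UDP query.

```python
MAX_NAMESERVERS = 3   # the slides: up to three nameserver lines are used
MAX_SEARCH = 6        # the slides: search holds up to six domains

# Constructed /etc/resolv.conf in the style of the slides (not a real file).
SAMPLE_RESOLV_CONF = """\
# local caching server first, two fallbacks, and one line too many
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
nameserver 192.168.1.4
search senecac.on.ca on.ca
options timeout:3 attempts:4
"""


def parse_resolv_conf(text):
    conf = {"nameservers": [], "domain": None, "search": [], "options": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, args = parts[0], parts[1:]
        if key == "nameserver" and args:
            if len(conf["nameservers"]) < MAX_NAMESERVERS:
                conf["nameservers"].append(args[0])   # a fourth line is ignored
        elif key == "domain" and args:
            conf["domain"] = args[0]
        elif key == "search":
            conf["search"] = args[:MAX_SEARCH]
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value.isdigit() else True
    return conf


def search_candidates(hostname, conf):
    """Names tried, in order, for what the user typed: 'titanic' becomes
    titanic.senecac.on.ca first. The slides give 'domain' precedence and fall
    back to 'search'; trying the bare name last is an assumption."""
    if hostname.endswith("."):
        return [hostname]           # already absolute, nothing to expand
    suffixes = [conf["domain"]] if conf["domain"] else conf["search"]
    return ["%s.%s" % (hostname, s) for s in suffixes] + [hostname]


def nameserver_order(conf, query_number=0):
    """Configured order, or round robin when 'options rotate' is set."""
    servers = list(conf["nameservers"])
    if conf["options"].get("rotate") and servers:
        k = query_number % len(servers)
        servers = servers[k:] + servers[:k]
    return servers


def lookup(conf, name, send, query_number=0):
    """Ask the nameservers in turn. send(server, name, timeout) returns an
    address, or None when that server does not answer; the next server is
    only used after the current one has used up its attempts.
    Returns (answer, list of servers tried)."""
    timeout = conf["options"].get("timeout", 5)    # defaults from the slides
    attempts = conf["options"].get("attempts", 2)
    tried = []
    for server in nameserver_order(conf, query_number):
        for _ in range(attempts):
            tried.append(server)
            answer = send(server, name, timeout)
            if answer is not None:
                return answer, tried
    return None, tried
```

The `tried` list is the part worth looking at when a host "hangs" on name lookups: with the sample file, an unreachable first server costs four timeouts of three seconds each before the second server is ever asked.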
Linux supports three basic name server configurations
Master (primary) - the main DNS domain - loads from disk - considered authoritative
Slave (secondary) - copy of the primary - also authoritative
Caching server - nonauthoritative - gets its answers from other DNS servers - used to speed up resolution
To verify your DNS server is installed correctly
You need root authority
Type "which named" - response should be /usr/sbin/named
Or type rpm -q bind8 - response should be bind8-8.2.2-?? or close
To start, test, and stop
To start, type "ndc start" and press enter
To test, type "nslookup" and press enter, type "server 127.0.0.1" and press enter, then ask for the address of any name; if an IP address is returned then it is working
To stop, type "ndc stop"
Configuration files
Up to five different files are required for a named configuration
– named.conf
– hints file
– local host file
– zone file
– reverse zone file
Named.conf
Defines the basic parameters and points to the sources of domain database information
Usually in the /etc directory
Hints file
Also known as cache
Provides the names and addresses of the root DNS servers that are authoritative for the top level domains of the DNS hierarchy like .com .edu .org
Usually in the /var/named directory
Local host file
Local zone file for resolving the loopback address to the host name localhost
Zone file
Defines most of the information
Maps host names to addresses
Identifies mail servers
Usually in the /var/named directory
Reverse zone file
Maps IP addresses to host names
Opposite of the zone file
Usually in the /var/named directory
Named.conf
Seven valid configuration statements
– acl - access control list of IP addresses
– include - includes another file into config
– key - defines security keys
– logging - what is logged and where stored
– options - global config options
– server - remote server's characteristics
– zone - defines a zone
Options statement
Defines global parameters and sets defaults
Only one is allowed
    options {
        directory "/var/named";
    };
Zone statement
Defines a zone serviced by this nameserver
Defines the type of name server (primary or secondary); can include different types
Defines the source of domain info; data can be loaded from disk or transferred from the master
Example zone statement
    zone "senecac.on.ca" in {
        type master;
        file "senecac.hosts";
    };
– in keyword means this zone contains IP addresses and Internet domain names
– type master means master server for the domain
– file "senecac.hosts" points to the file that contains the domain database information
Caching-Only Configuration
All servers cache information
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
    };
– hint file helps the server locate the root servers during startup
– second zone makes the server the master for its own loopback address
Hints file
Contains the names and addresses of the root name servers
Helps the local server locate a root server during startup
Once located, an authoritative list of root servers is downloaded from that server
named.conf points to the location of the hints file (common names are named.ca, named.root and root cache)
Local hosts file
Is a reverse domain
Maps the loopback address 127.0.0.1 to the local name localhost
The most common name for the local host file is named.local but it is sometimes called 127.0.0.zone
Secondary or slave
    zone "senecac.on.ca" {
        type slave;
        file "senecac.on.ca.zone";
        masters { 192.168.1.1; };
    };
– file is the name of a text file the information is to be stored in automatically
– masters is the name of the primary server the info is to come from
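The named.conf statements shown on the last few slides (options, the master and hint zones, the slave zone with its masters block), as an added Python example that is not part of the slides or of BIND: a small parser for the brace-and-semicolon syntax that pulls out each zone's type, file and masters, and a pre-start check that flags statements outside the seven the slide lists, a missing or duplicated options statement, a slave zone with no masters and a zone with no file. The configuration text is constructed from the slide fragments; it is not a real server's file.

```python
import re

# The seven statements the slide lists as valid at the top level of named.conf.
VALID_STATEMENTS = {"acl", "include", "key", "logging", "options", "server", "zone"}

# Constructed named.conf assembled from the fragments on the slides.
SAMPLE_NAMED_CONF = '''
// caching-only skeleton plus one slave zone
options {
    directory "/var/named";
};
zone "." {
    type hint;
    file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
zone "senecac.on.ca" in {
    type slave;
    file "senecac.on.ca.zone";
    masters { 192.168.1.1; };
};
'''

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Drop // and # comments, then split into quoted strings, braces, semicolons and words."""
    tokens = []
    for line in text.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]
        tokens.extend(TOKEN_RE.findall(code))
    return tokens


def parse_block(tokens, pos=0):
    """Parse statements up to a closing brace or the end of input.
    Each statement is (words, children); children are the statements of its { } block."""
    statements, words, children = [], [], None
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            children, pos = parse_block(tokens, pos + 1)   # pos lands after the matching }
        elif tok == "}":
            return statements, pos + 1
        elif tok == ";":
            if words or children is not None:
                statements.append((words, children if children is not None else []))
            words, children = [], None
            pos += 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return statements, pos


def parse_named_conf(text):
    statements, _ = parse_block(tokenize(text))
    return statements


def zones(statements):
    """Map zone name -> {'type', 'file', 'masters'} from the zone statements."""
    found = {}
    for words, children in statements:
        if len(words) < 2 or words[0] != "zone":
            continue
        info = {"type": None, "file": None, "masters": []}
        for cwords, cchildren in children:
            if len(cwords) > 1 and cwords[0] == "type":
                info["type"] = cwords[1]
            elif len(cwords) > 1 and cwords[0] == "file":
                info["file"] = cwords[1]
            elif cwords and cwords[0] == "masters":
                info["masters"] = [m[0] for m, _ in cchildren if m]
        found[words[1]] = info
    return found


def check_config(statements):
    """Checks an administrator would want before starting named."""
    problems = []
    for words, _ in statements:
        if words and words[0] not in VALID_STATEMENTS:
            problems.append("unknown statement: %s" % words[0])
    n_options = sum(1 for words, _ in statements if words and words[0] == "options")
    if n_options != 1:
        problems.append("expected one options statement, found %d" % n_options)
    for name, info in zones(statements).items():
        if info["type"] == "slave" and not info["masters"]:
            problems.append("slave zone %s has no masters" % name)
        if info["type"] in ("master", "slave", "hint") and not info["file"]:
            problems.append("zone %s has no file" % name)
    return problems
```

The parser deliberately knows nothing about individual option names, so it is the zone inventory (`zones(...)`) rather than the syntax check that answers the question an auditor asks first: which zones does this server claim authority for, and from which master addresses does it accept zone data.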
Zone directives
First record in a zone file:
    $TTL 1d
Specifies the time this record will be cached on other servers; from our entry, one day
SOA record (start of authority)
    @ IN SOA senecac.on.ca. admin.senecac.on.ca. (
        2000021222 ; serial
        216000     ; refresh
        1800       ; retry
        4w         ; expire
        1h         ; negative cache TTL
    )
– @ - refers to the domain name defined in the zone statement
– senecac.on.ca = host name of the master server for this zone
– admin.senecac.on.ca = email of the person responsible for this domain
SOA record (start of authority)
Serial - if the master's is > the slave's then the entire zone is transferred
Refresh is the length of the refresh cycle
Retry is the length of the retry cycle if the master is busy
Expire is the time the slave should continue serving cached data when the primary is no longer responding
Negative cache - time to remember negative (name not found) answers
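The SOA timers from the two slides above, as an added Python example that is not code from the slides: it converts the `$TTL`/SOA time syntax the slides use (`1d`, `4w`, `1h`, plain seconds) into seconds, decides whether a zone transfer is needed, and models what a slave does as the refresh, retry and expire intervals pass. It goes one step beyond the slide in one respect: the serial comparison uses RFC 1982 serial-number arithmetic, so "master's serial > slave's" still holds after the 32-bit counter wraps. The timer values are the slide's; the state names are my own.

```python
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(value):
    """Plain seconds ('216000') or the suffixed form the slides use ('1d', '4w', '1h');
    combinations such as '1d12h' are accepted too."""
    value = value.strip().lower()
    if value.isdigit():
        return int(value)
    total, digits = 0, ""
    for ch in value:
        if ch.isdigit():
            digits += ch
        elif ch in UNITS and digits:
            total += int(digits) * UNITS[ch]
            digits = ""
        else:
            raise ValueError("bad TTL value: %r" % value)
    if digits:
        raise ValueError("bad TTL value: %r" % value)
    return total


# The SOA timers from the slide, in seconds.
SOA = {
    "serial": 2000021222,
    "refresh": parse_ttl("216000"),
    "retry": parse_ttl("1800"),
    "expire": parse_ttl("4w"),
    "negative_ttl": parse_ttl("1h"),
}


def serial_greater(a, b):
    """RFC 1982 serial number arithmetic (32-bit, wraps), which is what
    'master's serial > slave's' has to mean once the counter has wrapped."""
    a, b = a % 2**32, b % 2**32
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def needs_transfer(master_serial, slave_serial):
    """The slide's rule: transfer the whole zone when the master is ahead."""
    return serial_greater(master_serial, slave_serial)


def slave_action(now, last_success, last_attempt, soa):
    """What a slave does at time `now` (all times in seconds).
    last_success: when it last confirmed or transferred the zone
    last_attempt: when it last checked; later than last_success if that check failed
    Returns 'serve', 'refresh', 'wait', 'retry' or 'expired'."""
    if now - last_success >= soa["expire"]:
        return "expired"        # primary unreachable too long: stop answering
    if now - last_success < soa["refresh"]:
        return "serve"          # within the refresh cycle, nothing to do
    if last_attempt > last_success:
        # previous check failed: wait out the retry cycle before asking again
        return "retry" if now - last_attempt >= soa["retry"] else "wait"
    return "refresh"            # refresh cycle elapsed: check the master's serial
```

The expire check comes first on purpose: a slave that keeps answering for a zone it has not been able to confirm in four weeks is serving data nobody vouches for any more.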
MX records (Mail server)
    IN MX 10 titanic.senecac.on.ca.
    IN MX 20 mail.senecac.on.ca.
First record says that titanic is the mail server for the senecac.on.ca domain
Second entry says that if titanic is unavailable then send mail to mail.senecac.on.ca
Reverse Zone File
Maps IP addresses to host names
Some sites will deny access if they cannot do a reverse lookup (HTTPS)
All IP addresses for the host are written in reverse, i.e. 192.168.1 is 1.168.192.in-addr.arpa
Contains the same fields as the forward zone file and provides the same service in reverse
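The zone file, MX and reverse zone slides, together with the IN-ADDR.ARPA mapping slide earlier, as one added Python example that is not from the slides: it builds the reversed owner names (`142.204.1.1` becomes `1.1.204.142.in-addr.arpa.`, `192.168.1` becomes `1.168.192.in-addr.arpa.`), generates a forward zone (SOA, NS, the two MX records from the slide, one A per host) and the matching reverse zone with PTR records for a constructed senecac.on.ca host table, and then checks that every A has a PTR and every PTR an A, which is exactly the mismatch that makes a site's reverse-lookup check fail. The host names, the ns/admin names and the use of the slides' 192.168.1.x addresses are my own choices.

```python
# Constructed host table for the senecac.on.ca example; the 192.168.1.x
# addresses are the ones the slides already use, the host names are made up.
ORIGIN = "senecac.on.ca."
PRIMARY = "ns.senecac.on.ca."
CONTACT = "admin.senecac.on.ca."
HOSTS = {"ns": "192.168.1.1", "titanic": "192.168.1.10", "mail": "192.168.1.20"}
MX = [(10, "titanic"), (20, "mail")]
SOA_TIMERS = "2000021222 216000 1800 4w 1h"   # serial refresh retry expire negative-TTL


def reverse_name(ip):
    """142.204.1.1 -> 1.1.204.142.in-addr.arpa. (the PTR owner name for one address)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_zone_name(prefix):
    """192.168.1 -> 1.168.192.in-addr.arpa. (the slides' example of a reversed network)."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."


def soa_record():
    return "@ IN SOA %s %s ( %s )" % (PRIMARY, CONTACT, SOA_TIMERS)


def forward_zone(origin=ORIGIN, hosts=HOSTS, mx=MX):
    """Lines of the forward zone file: SOA, NS, MX and one A record per host."""
    lines = ["$TTL 1d", soa_record(), "@ IN NS %s" % PRIMARY]
    for preference, host in mx:              # lowest preference is tried first
        lines.append("@ IN MX %d %s.%s" % (preference, host, origin))
    for host in sorted(hosts):
        lines.append("%s IN A %s" % (host, hosts[host]))
    return lines


def reverse_zone(prefix, origin=ORIGIN, hosts=HOSTS):
    """Lines of the reverse zone for one /24: the last octet is the owner label."""
    lines = ["$TTL 1d", soa_record(), "@ IN NS %s" % PRIMARY]
    by_octet = {}
    for host, ip in hosts.items():
        if not ip.startswith(prefix + "."):
            raise ValueError("%s (%s) is not inside %s" % (host, ip, prefix))
        by_octet[int(ip.rsplit(".", 1)[1])] = host
    for octet in sorted(by_octet):
        lines.append("%d IN PTR %s.%s" % (octet, by_octet[octet], origin))
    return lines


def check_consistency(forward_lines, reverse_lines, origin, prefix):
    """Every A record should have a matching PTR and every PTR a matching A."""
    a_records, ptr_records = {}, {}
    for line in forward_lines:
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "A"]:
            a_records["%s.%s" % (parts[0], origin)] = parts[3]
    for line in reverse_lines:
        parts = line.split()
        if len(parts) == 4 and parts[1:3] == ["IN", "PTR"]:
            ptr_records["%s.%s" % (prefix, parts[0])] = parts[3]
    problems = []
    for name, ip in a_records.items():
        if ptr_records.get(ip) != name:
            problems.append("no PTR for %s (%s)" % (name, ip))
    for ip, name in ptr_records.items():
        if a_records.get(name) != ip:
            problems.append("PTR %s -> %s has no matching A" % (ip, name))
    return problems


if __name__ == "__main__":
    print("\n".join(forward_zone()))
    print("\n".join(reverse_zone("192.168.1")))
    print(check_consistency(forward_zone(), reverse_zone("192.168.1"), ORIGIN, "192.168.1") or "forward and reverse agree")
```

Generating both files from one host table is the simplest way to keep them from drifting apart; the consistency check is there for the case where someone edits the forward file by hand and forgets the reverse one.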
Automating DNS startup
Change to the runlevel's directory: cd /etc/rc.d/rc3.d
Create a link to start bind: ln -s /etc/rc.d/init.d/ndc