What You Need to Know: Domain Name System (DNS)

Wes Morgan, WW ICS SWAT, IBM Collaboration Solutions

© 2009 IBM Corporation


© 2012 IBM Corporation

November 8, 2016

Directory Assistance for TCP/IP Networks

● Humans don't “do” numerical addresses
● We like names
● More to the point, we like organized names
● DNS organizes hosts into domains, which it calls zones
● DNS can also organize/advertise services
● Zones may host other zones (aka “subdomains”)
● There is only ONE authoritative source for each zone
● DNS establishes a hierarchy of zones under a “root” zone

Doing a “DNS lookup” simply means that we travel up, down, and/or across the hierarchy until we find the information we need


DNS Zones and Individual Hosts

[Diagram: the root zone delegates Top-Level Domains (TLDs) such as .com, .org, .jp, .edu and .us; the .us zone delegates .ky.us, .ny.us and .ca.us; .ky.us delegates lex.ky.us, bg.ky.us and lou.ky.us; individual hosts such as flamtap, ruff, longroll and booga sit in the lowest zones, giving a Fully Qualified Domain Name (FQDN) like flamtap.lex.ky.us]


It's All About Resources...

● EVERYTHING in DNS is a resource
● DNS provides resource records (RRs) in response to queries
● So, a big part of “configuring DNS” is setting up RRs correctly
● As DNS has grown, so has the number of RRs supported
● We'll only touch upon the RRs we most frequently encounter:
  ● SOA – Start of Authority
  ● NS – Name Server
  ● A – Address (IPv4)
  ● AAAA – Address (IPv6)
  ● CNAME – Canonical Name
  ● MX – Mail eXchanger
  ● SRV – Service
  ● PTR – Pointer


SOA – Respect My Authority!

● Remember, there can be only one authority for each zone
● However, customers may have separate internal/external zones with the same name (aka “split horizon” DNS) with different authoritative name servers AND DIFFERENT DATA!
● The Start of Authority (SOA) record includes
  ● The authoritative server for the zone (aka “origin” or “primary name server”)
  ● The email address of the responsible party (without @)
  ● Other information used by secondary DNS servers in the zone


SOA Examples

[Screenshots: SOA record lookups for ibm.com (external) and ibm.com (internal)]


NS Records – Nameservers

● NS records simply list all nameservers for a given zone
● This does NOT mean that all of them are up and running!
● Clients may send queries to any listed nameserver


A & AAAA Records – Give Me An IP Address!

● Almost all DNS queries lead to an actual Address (A/AAAA) record
● A records provide IPv4 addresses, while AAAA records provide IPv6 addresses


A & AAAA Records – There Might Be More Than One!

● Multiple Address records may be provided for a single name
● Usually indicates a clustered server environment
● Address records are not prioritized; multiple Address records are returned in rotating order (aka “round-robin”)
● Clients will attempt to reach addresses in the order provided

[Screenshot: two consecutive queries for the same name; note the different order of responses between the two queries]


CNAME – What's the REAL Name?

● End users like easy-to-remember names, but admins have to deal with real system names
● Canonical Name (CNAME) records specify the “real name” of the system queried
● In other words, it lets us create aliases
● CNAME records can reference other CNAMEs (i.e. an alias pointing to another alias)
● You may see this in queries whose responses change according to geography (e.g. cloud resources)


CNAME – Chained Example

● Multiple levels of CNAMEs usually indicate dynamic DNS
● May indicate geographic DNS
● Often seen with Akamai and other content delivery networks
● When you see this, have affected users do queries too!
● They may be sent to different destinations!


MX Records – Where Can I Deliver Email to You?

● Mail eXchanger (MX) records list the email server(s) for the zone
● Multiple systems can be designated as mail exchangers
● MX records are prioritized (usually in increments of 10)
● Clients will try to use the highest-priority (lowest-numbered) host first


SPF – Who Can Deliver Mail for Me?

● Sender Policy Framework (SPF) uses TXT (text) records to specify what hosts can deliver mail on behalf of a given domain
● SPF used in mail security – if SPF fails, delivery attempt rejected
● Example of leveraging DNS for application-layer information


SRV Records – Services of All Sorts

● Service (SRV) records announce specific services via DNS
● General format is _service._protocol.dnsdomainname
● Heavily used in Active Directory environments
  _ldap._tcp.<DNSDomainName> – LDAP server for DNS domain
  _ldap._tcp.pdc._msdcs.<DNSDomainName> – Primary DC
  _kerberos._tcp.dc._msdcs.<DNSDomainName> – Kerberos DC
● Also seen in SIP and XMPP environments


PTR Records – I Have the Number, I Want the NAME!

● Pointer (PTR) records associate numbers back to names
● Commonly called “reverse DNS”
● Reverses the IP address & uses a pseudo-domain of “in-addr.arpa”
● Many mail security systems require valid reverse DNS before accepting email from a given host
● Not generally required, but can be useful


So, What Actually Happens When I Send a Query to DNS?

● Most DNS servers are recursive
● They will follow the trail until they have your answer
● Your client doesn't do the legwork
● Almost all DNS servers cache responses
● Cache lifetime (aka time-to-live or TTL) of each RR is set by its authoritative server (in seconds)
● So, you give a command like “ping -c 2 www.facebook.com” and it executes against an IP address, like so:

[Screenshot: output of ping -c 2 www.facebook.com, with replies coming from 157.240.2.35]

...but how did DNS get me from 'www.facebook.com' to 157.240.2.35?


Behind the Scenes on the DNS Server

● Assuming that no cached information was available, the DNS server took your query for 'www.facebook.com' and started working backwards
● It went to the root zone nameservers and asked for .com NS
● It went to a .com name server and asked about facebook.com NS
● It went to a .facebook.com name server and asked about www.facebook.com
● It got a CNAME RR in response, so it had to ask a .facebook.com nameserver about the canonical name
● It had valid cached info for .com and .facebook.com, so it didn't have to repeat those queries
● It finally received an A record, which it returned to your client

If you want to see what this process looks like for any FQDN, check out http://simpledns.com/lookup-dg.aspx

(It's a good thing that we have caching servers and TTLs, huh?)
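The walk just described, as an added example that is not part of the original deck: an offline Python simulation of a recursive resolver with a TTL cache, driven by constructed zone data. Only the address 157.240.2.35 is taken from the slides; the nameserver names and the CNAME target are assumptions, and the resolver's log shows which zones it contacts on a cold cache, a warm cache, and after the A record's TTL has expired.

```python
from typing import Dict, List, Tuple
RR = Tuple[str, str, int]  # (type, value, TTL in seconds)
# Constructed authoritative data, zone -> owner name -> records. Only the
# address 157.240.2.35 comes from the slides; the other names are made up.
ZONES: Dict[str, Dict[str, List[RR]]] = {
    ".": {"com.": [("NS", "a.gtld.example.", 172800)]},
    "com.": {"facebook.com.": [("NS", "ns1.facebook.com.", 172800)]},
    "facebook.com.": {
        "www.facebook.com.": [("CNAME", "edge.facebook.com.", 3600)],
        "edge.facebook.com.": [("A", "157.240.2.35", 60)],
    },
}

class Resolver:  # recursive resolver with a TTL cache; self.log lists every zone contacted
    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Tuple[List[RR], int]] = {}
        self.log: List[str] = []
    def _cached(self, name: str, rtype: str, now: int) -> List[RR]:
        rrs, expiry = self.cache.get((name, rtype), ([], 0))
        return rrs if expiry > now else []  # an expired entry counts as absent
    def _store(self, name: str, rrs: List[RR], now: int) -> None:
        self.cache[(name, rrs[0][0])] = (rrs, now + min(r[2] for r in rrs))
    def _ask(self, zone: str, name: str) -> Tuple[str, List[RR]]:
        """One query to a zone's server: ('answer', rrs) or (child zone, its NS rrs)."""
        self.log.append(zone)
        data = ZONES[zone]
        if name in data:
            return "answer", data[name]
        child = next((c for c in data if name.endswith("." + c)), None)
        if child is None:
            raise LookupError(f"{name}: no such name under {zone}")
        return child, data[child]

    def resolve(self, name: str, rtype: str = "A", now: int = 0, hops: int = 0) -> List[str]:
        if hops > 8:
            raise RuntimeError("CNAME chain too long")
        rrs = self._cached(name, rtype, now) or self._cached(name, "CNAME", now)
        if not rrs:
            # Start at the deepest zone whose NS records are still cached, else the root.
            suffixes = (name.split(".", i)[-1] for i in range(1, name.count(".")))
            zone = next((z for z in suffixes if self._cached(z, "NS", now)), ".")
            while True:
                kind, rrs = self._ask(zone, name)
                self._store(name if kind == "answer" else kind, rrs, now)
                if kind == "answer":
                    break
                zone = kind  # referral: follow it one level down the hierarchy
        if rrs[0][0] == "CNAME":  # alias: chase the canonical name
            return self.resolve(rrs[0][1], rtype, now, hops + 1)
        return [r[1] for r in rrs if r[0] == rtype]
```

After the first lookup the log holds the root, .com, and two facebook.com queries (the second one for the canonical name); a repeat lookup inside the TTLs adds nothing, and once the 60-second A record expires only the facebook.com server is asked again.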


A Food-for-Thought Exercise


Easing the Burden – Forwarding DNS Servers

● Going all the way to the root zone for every query would be prohibitively slow/costly and consume significant resources
● Use of forwarding servers spreads the work
● Forwarding DNS servers are NOT recursive; they pass queries for which they have no answers cached to the “next server up”
● As queries and responses are sent up and down the line, each server caches the responses (according to its TTL)
● Clients do not know if forwarding servers are used
● Responses might be from the forwarded server's perspective!
● Most ISPs offer forwarding DNS services, but don't require customers to use them

[Diagram: forwarding servers dns.ap.company1.com, dns.na.company1.com and dns.eu.company1.com, with the Internet as the next server up]


Troubleshooting Connectivity? ALWAYS Check DNS!

● If DNS is wrong, NOTHING will work!
● Do NOT trust, use, or recommend “hosts files”
● “Hosts files” supplant DNS – DNS won't be queried if the “hosts file” has a matching entry
● Many customer issues caused by outdated hosts file entries
● Don't use IP addresses in configurations – use FQDNs!
● FQDNs in configuration + working DNS survives server/address changes
● Use of VPN may change DNS servers!
● Presence of round-robin DNS = no load balancers in use
● Single A record for FQDN of a cluster = load balancer in use
● Different answers internal/external may indicate split horizon DNS or (with cloud) content delivery networks (e.g. Akamai)
● Other names might be yielding different answers, too!
● Different answers within an enterprise may indicate Global Load Balancing (GLB) in use
● Using tcpdump/Wireshark? DNS query/response is udp/53, server/server (zone transfer) is tcp/53
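Added example, not from the deck: a small Python audit for the "outdated hosts file" problem above. It parses a hosts file, skips the loopback entries, and classifies every remaining name (which would stop DNS from being queried) against what DNS currently answers. The hosts file text and the DNS answers are constructed; on a real system the answers would come from dig or nslookup.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file; the addresses and names are made up.
HOSTS_TEXT = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# left over from a server migration
10.1.2.3    mail.company1.example mail
10.1.2.40   app.company1.example
"""
# Constructed stand-in for what DNS answers today (what dig/nslookup would return).
DNS_ANSWERS: Dict[str, List[str]] = {
    "mail.company1.example": ["10.1.2.30"],
    "app.company1.example": ["10.1.2.40"],
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs; '#' starts a comment and each alias gets its own row."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises IPv4/IPv6 text
        except ValueError:
            continue  # malformed line: skip it rather than abort the audit
        rows.extend((addr, name.lower()) for name in fields[1:])
    return rows


def audit(rows: List[Tuple[str, str]], dns: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Classify each non-loopback entry as 'stale' (DNS disagrees), 'hosts-only'
    (DNS has no record for the name) or 'matches' (hosts file agrees with DNS)."""
    report = []
    for addr, name in rows:
        if ipaddress.ip_address(addr).is_loopback:
            continue  # localhost entries are expected and harmless
        if name not in dns:
            status = "hosts-only"
        elif addr not in dns[name]:
            status = "stale"
        else:
            status = "matches"
        report.append((name, addr, status))
    return report


if __name__ == "__main__":
    for name, addr, status in audit(parse_hosts(HOSTS_TEXT), DNS_ANSWERS):
        print(f"{status:10} {name} -> {addr}")
```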


DNS Tools

● nslookup – built-in tool for Windows, Macintosh, AIX, Linux
  ● Uses system's DNS server as default
  ● Use “server A.B.C.D” to send queries to specific DNS server
  ● Use “set type=<RR type>” to query specific records
  ● Use “set type=ANY” to see all records associated with name
● dig – part of the BIND reference implementation of DNS
  ● Open-source package from Internet Systems Consortium
  ● BIND is (by FAR) the most widely used DNS server
  ● Built-in for Macintosh and many Linux distributions
  ● https://www.isc.org/downloads/bind/ for Windows binaries and Linux source code
  ● Windows: install “Tools Only” unless you want to run your own DNS server
  ● Allows quick command-line queries, e.g. “dig ns google.com”
  ● Allows “any” keyword to see all records, e.g. “dig any ibm.com”


Closing Exercise – What Do You See?


Questions & Answers