DNS Domain Name System
OVERVIEW • General • Name space • Components • Resource records • IPv6 DNS • Tools • Troubleshooting
Why DNS? • Background: TCP/IP networks (ARPA Internet) • Basic problem – IP-addresses (126.96.36.199) are hard to remember
• /etc/hosts in every machine – each address has to be registered centrally – doesn’t scale well in networked environment
• Domain Name Service - DNS from 1983
Goals of DNS • Distributed database with local caching – distributed systems are scalable – distributed systems handle network errors well – cache improves performance
• Distributed administration (adding or deleting data) • General usage: – not for just one application (can be used by telnet, e-mail etc) – not for just one protocol
• Only the name space structure and query protocol fixed. • Three main components: name space structure, resolvers and name servers.
Name Space Structure (diagram: the naming tree, rooted at ".")
Name Space Structure • Tree has nodes and arcs. • Each node has a label – its name relative to its parent. Sibling labels must be unique.
• Root has no name (null label). • Domain names are labels read from bottom up. Dot is used as a separator: tapas.nixu.fi.
• Fully Qualified Domain Name (FQDN) should technically end in a dot. It can NOT be omitted in DNS configuration!
• Domains are subtrees of the naming tree. Leaf nodes represent single hosts.
• Data is found by traversing the tree. Each node contains data called Resource Records (RR). Example: foo.nixu.fi.
Delegation • Domains are subtrees of the naming tree. • Domains can be delegated to an organization. • Delegation means transfer of authority and control. • Delegation is done by configuring in the parent name server the names of the servers which control the domain. (diagram: root "." delegating com)
Zones and Authority • A zone is usually the same as a domain – all the data from the specified naming subtree. – Exception: branches delegated to somewhere else aren’t part of a zone.
• Name server database consists of zones. – one file - one zone – If a name server has a zone in its database, it’s said to be authoritative for that zone.
• Zones consist of all resource records for that domain.
How About Address to Name? • Reverse mapping exists in the in-addr.arpa domain. (diagram: root "." with the arpa and fi branches)
Problems with Reverses • Some services want to know which domain name the contacting IP-address corresponds to. They do a reverse query/lookup.
• Some services do not work if the reverse lookup doesn’t find anything.
• Problem: Reverse mapping is in a separate branch of the naming tree and in-addr.arpa branch is delegated differently from domain names.
• If a host needs to access all Internet services, BOTH the domain name AND the reverse pointer have to be configured correctly.
Internet Names • FQDN can be up to 254 characters in length [RFC882] • One label can be up to 63 characters [RFC882] • No limit on the number of labels • Allowed characters are A-Z, 0-9 and - [RFC952]. Periods allowed as delimiters in domain names
• Name should not end in • Domain names are not case sensitive, i.e. FOO equals foo • All software MUST be able to handle 63-character-long names and SHOULD handle the maximum length
Internationalized Domain Names • IETF has standardized methods for using characters other than a-z in domain names
• Due to the large existing base of software, nationalized names are coded to the existing [a-z0-9-] namespace
• The client software (user interface) must translate the nationalized name to the encoding schema
• This issue is somewhat complex and also includes political aspects
Top Level Domains • In international use today – .com for commercial organizations (sendmail.com) – .org for non-commercial organizations (red-cross.org) – .net for network companies (internic.net) – and a growing number of new ones – .info, .biz ...
• Reserved for the USA government – .gov USA government (whitehouse.gov) – .mil USA military (army.mil)
• National domain names – ISO 3166 standard abbreviations (Finland = .fi, Sweden = .se, United Kingdom = .uk, ...)
Top Level Organizations • InterNIC – Primary for the root domain – Registers domains under the international TLDs (currently this is more messy)
• ARIN (American Registry for Internet Numbers) – Administration of the IP address space – Previously this was done by InterNIC
• RIPE (Réseaux IP Européens) – Administration of IP addresses in Europe – InterNIC has delegated some in-addr.arpa domains to RIPE – RIPE redelegates networks to European Internet operators
• APNIC (Asia Pacific Network Information Center)
National Organizations • Internic has delegated each country TLD to one organization. – In Finland that is Ficora (communications ministry) – In Sweden Network Information Center Sweden AB etc.
• Each organization delegates subdomains according to their policy.
• Registering domain names: – Every subdomain needs to be "registered" with its parent. – The parent must configure in its zone file the existence of the subdomain. – Often the registration can be made with a WWW form. – Your Internet operator can assist you with the registration
Additional Information on Registrations • InterNIC http://www.internic.net/ • RIPE http://www.ripe.net/ • ARIN http://www.arin.net/ • APNIC http://www.apnic.net/ • Ficora http://www.ficora.fi/
DNS Components (diagram: on every Internet host a client program sends its query to the resolver, which has a cache; on a name server host the name server has a cache and a database)
• Every TCP/IP host must have a resolver. • Only a few hosts need to run a name server.
Resolver • Every Internet host has a resolver. It comes with the TCP/IP package. Usually set of library routines linked to programs.
• Resolver accepts name server queries from client programs – telnet-commands, WWW-browsers etc.
• It checks whether it has the queried information in its own cache. If it has, resolver returns the data to the client.
• If it doesn’t have it, it sends the query to a name server. • The default name server(s) must be configured to the host’s TCP/IP software. – Unix-system configuration file /etc/resolv.conf – Sometimes DNS has to be switched on: /etc/nsswitch.conf
Resolver Configuration • /etc/resolv.conf can have several directives:
domain research.nixu.fi
nameserver 188.8.131.52
nameserver 184.108.40.206
search nixu.fi lab.nixu.fi
• domain: tells the host which domain it belongs to. • nameserver: tells the nearest nameservers • search is a list of domain names to append to incomplete names (i.e. names without the ending dot!): – telnet foo -> foo.research.nixu.fi. -> foo.nixu.fi. -> foo.lab.nixu.fi. -> foo. – telnet ns.tele.fi -> ns.tele.fi.research.nixu.fi. -> ns.tele.fi.nixu.fi. -> ns.tele.fi.lab.nixu.fi. -> ns.tele.fi.
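The search-list expansion above, as an added example (not code from the original slides): it parses a constructed resolv.conf like the one shown and lists the names the resolver will try, which makes clear why an unqualified name generates several queries and why the ending dot matters.

```python
# Added example (not from the original slides): expansion of an incomplete
# name by the "domain" and "search" directives. The resolv.conf text below is
# a constructed sample that mirrors the slide.
RESOLV_CONF = """\
domain research.nixu.fi
nameserver 188.8.131.52
nameserver 184.108.40.206
search nixu.fi lab.nixu.fi
"""

def parse_resolv_conf(text):
    """Return (domain, nameservers, search) from resolv.conf-style text."""
    domain, nameservers, search = None, [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", ";")):
            continue                       # blank line or comment
        key, args = fields[0], fields[1:]
        if key == "domain" and args:
            domain = args[0]
        elif key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "search":
            search = args
    return domain, nameservers, search

def candidates(name, domain, search):
    """Names tried, in order, for a user-supplied name.

    Follows the slide's description: a name with the ending dot is an FQDN
    and is tried as-is; otherwise the "domain" suffix is tried first, then
    each "search" entry, and finally the bare name as a root-relative FQDN.
    """
    if name.endswith("."):
        return [name]
    suffixes = ([domain] if domain else []) + [s for s in search if s != domain]
    return [f"{name}.{s}." for s in suffixes] + [f"{name}."]

def lookup_order(name, conf_text=RESOLV_CONF):
    """Convenience wrapper: parse the config, then expand one name."""
    domain, _servers, search = parse_resolv_conf(conf_text)
    return candidates(name, domain, search)

if __name__ == "__main__":
    for n in ("foo", "ns.tele.fi", "ns.tele.fi."):
        print(n, "->", " -> ".join(lookup_order(n)))
```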
The Name Server • Receives queries from resolvers and from other name servers in the world and answers them based on the contents of its database and cache.
• Two types of replies: – authoritative: "I know this because my database says so. This data is always correct." – non-authoritative: "I know this from my cache, so this data may not be correct."
• If it has no knowledge of the queried name, it asks another nameserver – if it doesn’t know which name server knows, asks a root nameserver.
• List of root nameservers must be configured correctly into every name server. – ftp://rs.internic.net/domain/named.root
Querying (diagram: client, resolver and cache on every Internet host; name server with cache and database on a name server host; other name servers elsewhere; arrows numbered 1-9 as in the steps below)
• 1: client sends query for the IP-address of www.nixu.fi. • 2: resolver checks if it has the data. No. • 3: resolver sends query to the nearest name server.
...Querying • 4-5: name server checks if it has the actual data or if the data is in the cache. No.
• 6: it asks a root name server. 7: Root name server gives a referral to fi name servers. Saves them into the cache.
• 6: it asks a fi name server and 7: gets back addresses of nixu.fi name servers. Saves them into the cache.
• 6: it asks a nixu.fi name server and 7: gets an authoritative IP-address answer because nixu.fi name server has the address in its database (see phase 5).
• 8-9: the answer is relayed to the client. The name server queried by the resolver (3) received a recursive query ("keep querying until you get an answer"). The other servers received iterative/non-recursive queries (6) ("just give me the nearest address you've got").
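The query flow of steps 3-9, as an added simulation (not code from the original slides): constructed stand-ins for the root, fi and nixu.fi servers answer iteratively with data or a referral, and a recursive server follows the referrals, caches the result and marks a cached reply as non-authoritative.

```python
# Added example (not from the original slides): recursive vs. iterative
# queries. Server names, zones and the address 192.0.2.10 are constructed.
from dataclasses import dataclass, field

@dataclass
class Server:
    """An authoritative server that answers iterative (non-recursive) queries."""
    records: dict = field(default_factory=dict)      # name -> IPv4 address
    delegations: dict = field(default_factory=dict)  # subzone -> server name

    def iterative_answer(self, name):
        """Return (kind, value, authoritative): data, a referral, or nothing."""
        if name in self.records:
            return "answer", self.records[name], True
        for zone, server in self.delegations.items():
            if name == zone or name.endswith("." + zone):
                return "referral", server, False   # "nearest address I've got"
        return "nxdomain", None, True

# Constructed servers standing in for the real root, fi and nixu.fi servers.
SERVERS = {
    "root":             Server(delegations={"fi": "fi-ns"}),
    "fi-ns":            Server(delegations={"nixu.fi": "jalopeno.nixu.fi"}),
    "jalopeno.nixu.fi": Server(records={"www.nixu.fi": "192.0.2.10"}),
}

class RecursiveServer:
    """The name server that received the recursive query in step 3."""
    def __init__(self, servers, root="root"):
        self.servers, self.root, self.cache = servers, root, {}

    def resolve(self, name):
        """Return (address, authoritative, servers_asked) for a name."""
        if name in self.cache:                   # steps 4-5: found in cache,
            return self.cache[name], False, []   # so the reply is non-authoritative
        current, asked = self.root, []
        while True:                              # steps 6-7, once per referral
            asked.append(current)
            kind, value, aa = self.servers[current].iterative_answer(name)
            if kind == "referral":
                current = value                  # ask the referred-to server next
                continue
            if kind == "answer":
                self.cache[name] = value
            return value, aa, asked              # steps 8-9: relay to the client

if __name__ == "__main__":
    srv = RecursiveServer(SERVERS)
    print(srv.resolve("www.nixu.fi"))   # walks root -> fi-ns -> jalopeno.nixu.fi
    print(srv.resolve("www.nixu.fi"))   # second time: served from the cache
```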
Types of Name Servers • Primary master (= primary) – Has zones in its database. Is authoritative for the zones it has. • Secondary master (= secondary) – Gets zone data by transferring the zones from the primary master. The mechanism is called zone transfer. – Zone transfers happen automatically at given intervals. – Is authoritative for the zones it transfers. – Used to spread the answering load and to make name service reliable.
• Caching only – Does not have a database, only a cache. – Isn't authoritative for any zones. – Answers only from its cache. • A server can be primary for one zone but secondary for another.
DNS Data • Resource Records (RR) • Each domain/host has some resource records (data)
• A set of defined resource records • DNS can support other RR's too, for example the new resource record AAAA, which is an address record for IPv6.
• Resource records exist in the zone files.
SOA - Start Of Authority
domain-name   SOA   jalopeno.nixu.fi.   hostmaster.nixu.fi. (
                    603011405   ; serial
                                ; refresh (3 hours)
                                ; retry (1 hour)
                    345600      ; expire (4 days)
                    86400 )     ; minimum (1 day)
(slide annotations: domain-name = name of RR, jalopeno.nixu.fi. = the primary name server, hostmaster.nixu.fi. = administrator's e-mail address; the refresh and retry values were lost in extraction)
• SOA Marks the beginning of a zone and is the first entry in a zone file
• E-mail address has a dot in place of the @-sign.
SOA Values • Serial number – just an integer to signal secondaries that they need to do a zone transfer – must INCREMENT the serial number after each change – could be formatted according to a system: f.ex. YYYYMMDDX
• Refresh interval – tells secondaries how often they should check the primary for changed information (in seconds).
• Retry interval – how often a secondary should retry checking if the first time fails (in seconds).
• Expire time – after how long should the secondary data be deleted if primary cannot be contacted (in seconds).
• Time to live – tells other name servers how long this data can be kept in cache. After this time it's deleted.
NS - Name Servers (slide example: the NS records for nixu.fi.; the record lines were lost in extraction)
• Tells the nameservers for the zone • The names given in the NS-records need to have a direct A-record. They may NOT be aliases (CNAME-records).
• Note that the server names should be FQDNs. • A domain needs at least two different name servers.
A - Address (slide example from the nixu.fi zone file: A records for foo.nixu.fi. and bar; the address values were lost in extraction)
• Tells the IP-address of the specified domain name.
• If the host name doesn’t end in the dot, name server software completes the name with the domain name of the zone file.
• Used by several applications (telnet, ftp, NFS...).
PTR - Reverse Pointer (slide example: PTR records for hosts 200 and 206 of a reverse zone; the record lines were lost in extraction)
• A PTR-record tells which domain name this IP-address corresponds to.
• PTR-records exist only in reverse network zone files.
• For example, the above should be in the zone file 237.209.193.in-addr.arpa.
TXT - Text Record
foo.nixu.fi.    A     220.127.116.11
                TXT   "Our test host."
• For entering comments and other information. • Need quotes for text containing white space. • Text can have 8-bit characters in it. • Maximum length 254 characters.
MX - Mail Exchanger (slide example: the MX records for nixu.fi.; the record lines were lost in extraction)
• Used by mail transfer agents (sendmail etc) to decide where to send e-mail addressed to this host/domain.
• Mail exchanger names must have direct A-records, they may NOT be aliases.
• Priority is reversed, the lowest number is tried first. If that cannot be contacted, the next lowest is tried etc. A zero value is not recommended.
• MX’s have effect only on e-mail HOSTS, not user aliases.
CNAME - Canonical Name
bar.nixu.fi.    CNAME   foo.nixu.fi.
• Used to give one host several names. • Should be read: "bar.nixu.fi's canonical (= real) name is foo.nixu.fi". Can be read "bar is an alias for foo".
• There is no way to query what aliases a certain host has. • Query for bar’s IP-address gets both the CNAME record and foo’s A-record.
• Aliases should NOT have any other RR’s (MX’s etc).
Other Rare RR's (slide examples for bar.nixu.fi., soda.nixu.fi. and foo.nixu.fi. were lost in extraction)
• RP - responsible person – Pointer to more info; should be a domain name having a TXT record with free-form info about the person. A plain dot (root domain) indicates no info.
• HINFO - host information
• WKS - well known services (not really used)
Glue records • How can we delegate a subdomain, when the nameserver is in the subdomain itself?
• In the fi. zone:
nixu.fi.            IN   NS   jalopeno.nixu.fi.
                    IN   NS   ns.tele.fi.
jalopeno.nixu.fi.   IN   A    18.104.22.168
• The A record of the nameserver in the subdomain is placed in the higher zone
DNS for IPv6 • RFC 1886, 2873, 2874, being updated • Initially a new record type AAAA for IPv6 addresses – 128 bits = 4 x 32 bits (A), hence 4 x A
$ORIGIN example.net.
host-ipv4   IN   A      192.168.42.1
host-ipv6   IN   AAAA   3ffe:8050:201:1860:42::1
– Note the :: in this notation, it indicates that an appropriate amount of zero bits should be inserted here
• Now A6 appears a more likely record format – Supports prefixes, only the last part of the address needs to be specified
• Reverse map under ip6.arpa (vs. in-addr.arpa) – Resolution 4 bits (one hex digit) vs. 8 bits in IPv4
• DNS for IPv6 has not stabilized yet
A6 and PTR records for IPv6 • The A6 record stores the end part of the address chain
myhost   A6   64   ::02d0:09ff:fef7:6d2c   mynet.provider.net.
– note the bit boundary (64) • Another A6 record holds the initial part
$ORIGIN provider.net.
mynet    A6   0    2345:00C0:88A3:1212::
• "A6 0" is equal to AAAA • Reverse data is split on the nibble (4 bit) boundary:
c.2.d.6.7.f.e.f.f.f.9.0.0.d.22.214.171.124.0.0.5.4.126.96.36.199 .9.1.e.f.f.3.ip6.arpa. PTR fiifaafoo.nixu.fi
• The DNAME record can be used to hold part of the reverse address
\[x3ffe19004545/48].ip6.arpa DNAME IP6.provider.dujour.
– Almost same as the CNAME, but for domains
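The two reverse-mapping name forms on this page, the in-addr.arpa zone 237.209.193.in-addr.arpa. (octet boundaries) and the ip6.arpa nibble form above (4-bit boundaries), as an added example that is not code from the original slides; it uses the standard library ipaddress module and the page's own addresses, and generalises to any octet- or nibble-aligned prefix.

```python
# Added example (not from the original slides): build PTR owner names and
# reverse zone names for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa).
import ipaddress

def reverse_name(address):
    """Owner name of the PTR record for one IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    # exploded form restores the zeros hidden by "::", giving 32 hex digits
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone(network):
    """Name of the reverse zone that holds the PTR records for a prefix.

    IPv4 reverse zones are delegated per octet (/8, /16, /24), IPv6 ones per
    nibble (/4, /8, ... /64 ...); other prefix lengths are rejected here.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def relative_owner(address, zone):
    """Owner name as written inside a reverse zone file (e.g. "200" inside
    237.209.193.in-addr.arpa.); ValueError if the address is outside the zone."""
    full = reverse_name(address)
    if not full.endswith("." + zone):
        raise ValueError(f"{address} does not belong to {zone}")
    return full[: -len(zone) - 1]

if __name__ == "__main__":
    print(reverse_name("193.209.237.200"))
    print(reverse_zone("193.209.237.0/24"))
    print(reverse_name("3ffe:8050:201:1860:42::1"))
    print(reverse_zone("2345:00C0:88A3:1212::/64"))
```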
DNSsec • Aims: – Data origin authentication – Transaction and request authentication – Public key cryptography key storage
• Three separate problems solved with one work – complex result
• Results: – RFC2535, Domain Name System Security Extensions – Several related RFCs and Internet Drafts
• Could be used to hold other keys besides those needed for DNSsec – Should not be used as a PKI hierarchy
• International deployment is still on hold
Data origin authentication • Zone data digitally signed by the private key of the zone
• A new SIG resource record for the signature – Several possible algorithms, currently only MD5/RSA defined
• Zone re-signed after each change - zone key can be off line
• A separate mechanism for an authoritative “name does not exist” capability – (a NXT record)
Transaction authentication • Transactions authenticated with the SIG record attached to each transaction
• Transaction signature is calculated on the fly - the host private key needs to be on line – One of the reasons DNSsec is not in common use, think about the root servers
Public key storage • A new KEY resource record • Able to hold different types of keys – Algorithm identifier – Key parameters
• Cannot be used unless there is sufficient data origin authentication
Hostname Command • Prints out the name of the machine
$ hostname
tapas.nixu.fi
• Sets the name of the machine
$ hostname tapas.nixu.fi
• Standard tool in all Unixes
Nslookup • Old standard tool to query name servers. • Syntax: nslookup -opt host.na.me srv.na.me • Example:
$ nslookup -q=mx www.nixu.fi
Server:  jalopeno.nixu.fi
Address:  188.8.131.52

www.nixu.fi     canonical name = jalopeno.nixu.fi
nixu.fi nameserver = jalopeno.nixu.fi
nixu.fi nameserver = ns.tele.fi
nixu.fi nameserver = ns2.tele.fi
jalopeno.nixu.fi        internet address = 184.108.40.206
ns.tele.fi      internet address = 220.127.116.11
ns.tele.fi      internet address = 18.104.22.168
ns2.tele.fi     internet address = 22.214.171.124
Dig • Syntax: dig @name.ser.ver host.na.me rr • Simpler to use than nslookup, much more output:
$ dig @ns.tele.fi tapas.nixu.fi a
; DiG 2.1 @ns.tele.fi tapas.nixu.fi
;; res options: init recurs defnam dnsrch
;; got answer:
;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 3, Addit: 4
;; QUESTIONS:
;;      tapas.nixu.fi, type = A, class = IN
;; ANSWERS:
tapas.nixu.fi.  86400   A       126.96.36.199
;; AUTHORITY RECORDS:
nixu.fi.        86400   NS      jalopeno.nixu.fi.
nixu.fi.        86400   NS      ns.tele.fi.
nixu.fi.        86400   NS      ns2.tele.fi.
;; Total query time: 205 msec
;; FROM: tapas.nixu.fi to SERVER: ns.tele.fi 188.8.131.52
Named-Xfer • The tool BIND uses for zone transfers • Good for testing zone transfers
host% named-xfer -z zone.fi -f file -d level -l debug.file name.server
host% echo $?
• The exit code (echo $?) tells how the zone transfer succeeded: – 0 – no transfer, data up to date – 1 – successful transfer – 2 – error not logged – 3 – error logged
The Usual Errors in syslog • Lame server on 'www.xxxx.com' (in xxxx.com)[184.108.40.206].53 server.na.me – This means somebody somewhere has created a lame delegation, so a name server which is supposed to know about a domain, doesn’t. – Not dangerous unless the domain or name server is yours.
• Secondary zone "xxxx.com" expired – Your secondary hasn’t been able to contact primary and the zone has been expired.
• Zone "86.88.192.in-addr.arpa" SOA serial# (199803011) rcvd from [220.127.116.11] is < ours (1998021271) – The SOA serial number in primary host is LESS than ours.
The Most Common Errors in Data • NS- and/or MX-records point to a CNAME record. • Missing end-dot in a FQDN. • SOA timers are not smart. • CNAME-records have other data (MX’s etc). • SOA name server and/or admin e-mail address point to an invalid address.
• Only syntax errors are reported via syslog. Most of these common errors are semantic.
• See RFC1912.
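A checker for the semantic errors listed above, as an added example (not code from the original slides or from RFC 1912): it runs over a constructed zone in a simplified "owner TYPE rdata" form and reports the NS/MX-to-CNAME, missing end-dot, CNAME-with-other-data and SOA address problems that named's syntax checks never log.

```python
# Added example (not from the slides or RFC 1912): checks the semantic data
# errors listed above, which named's syntax checks never report. The zone is a
# constructed sample in a simplified "owner TYPE rdata" form (no $ORIGIN,
# names taken literally); 192.0.2.x are test addresses.
ZONE_NAME = "nixu.fi."
ZONE = """\
nixu.fi.           SOA   jalopeno.nixu.fi. hostmaster.nixu.fi. 603011405
nixu.fi.           NS    jalopeno.nixu.fi.
nixu.fi.           NS    www.nixu.fi.         ; error: points to a CNAME
nixu.fi.           MX    10 mail.nixu.fi      ; error: end-dot missing
jalopeno.nixu.fi.  A     192.0.2.1
mail.nixu.fi.      A     192.0.2.2
www.nixu.fi.       CNAME jalopeno.nixu.fi.
www.nixu.fi.       MX    10 jalopeno.nixu.fi. ; error: alias with other data
"""

def parse_zone(text):
    """Return (owner, TYPE, [rdata fields]) tuples; ';' comments are dropped."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if fields:
            records.append((fields[0], fields[1].upper(), fields[2:]))
    return records

def lint_zone(records, zone=ZONE_NAME):
    """List the slide's common errors: NS/MX targets that are CNAMEs or lack
    the end-dot, CNAME owners with other data, SOA names without an address."""
    types = {}
    for owner, rtype, _ in records:
        types.setdefault(owner, set()).add(rtype)
    def has(name, rtype):
        return rtype in types.get(name, set())
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = rdata[-1]                  # NS name, or the MX exchanger
            if not target.endswith("."):
                problems.append(f"{rtype} {owner}: {target} lacks the end-dot,"
                                f" it becomes {target}.{zone}")
            elif has(target, "CNAME"):
                problems.append(f"{rtype} {owner}: {target} is a CNAME")
        elif rtype == "SOA":
            primary, mailbox = rdata[0], rdata[1]
            if not has(primary, "A"):
                problems.append(f"SOA {owner}: primary {primary} has no A record")
            maildomain = mailbox.split(".", 1)[1]   # hostmaster.nixu.fi. -> nixu.fi.
            if not (has(maildomain, "MX") or has(maildomain, "A")):
                problems.append(f"SOA {owner}: {maildomain} has no MX or A for mail")
    for owner, owner_types in types.items():
        if "CNAME" in owner_types and len(owner_types) > 1:
            others = ",".join(sorted(owner_types - {"CNAME"}))
            problems.append(f"CNAME {owner}: alias also has {others}")
    return problems
```

Run `lint_zone(parse_zone(ZONE))` to see the three flagged records; a clean zone returns an empty list.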
Troubleshooting Name Server • Problem: Name server cannot find any external hosts. – Answer: Check the root cache. Without it a name server cannot function correctly.
• Problem: Root cache is OK. Still cannot find external hosts. – Answer: Check that UDP port 53 isn't blocked in either direction in a router. The return packets must also be able to pass.
• Problem: Somebody is giving out old data. – Answer: Check the expire times in the zone SOA.
Troubleshooting Secondaries • Problem: Secondary cannot get any data from primary. – Answer: Check if TCP port 53 is blocked in a router. Normal name service queries use UDP port 53, but zone transfers use TCP.
• Problem: Secondary got data from primary at first, but any new changes won’t be transferred. – Answer: Did the primary manager forget to increment the SOA serial number on the zone? Did she restart the named?
• Problem: Serial number is changed but the secondary still cannot load the data. – Answer: Check for syntax errors in the data. Syntax errors can cause named-xfer to exit abnormally.