DNS. Domain Name System

Author: Kerry Fields

OVERVIEW
• General
• Name space
• Components
• Resource records
• IPv6 DNS
• Tools
• Troubleshooting

Why DNS?
• Background: TCP/IP networks (ARPA Internet)
• Basic problem
  – IP-addresses (123.123.123.123) are hard to remember
• /etc/hosts in every machine
  – each address has to be registered centrally
  – doesn't scale well in a networked environment
• Domain Name Service - DNS from 1983

Goals of DNS
• Distributed database with local caching
  – distributed systems are scalable
  – distributed systems handle network errors well
  – cache improves performance
• Distributed administration (adding or deleting data)
• General usage:
  – not for just one application (can be used by telnet, e-mail etc)
  – not for just one protocol
• Only the name space structure and the query protocol are fixed.
• Three main components: name space structure, resolvers and name servers.

Name Space Structure

[Figure: the naming tree. The root "." has top-level nodes fi, com and se; second-level nodes shown include namesurfer, dat, tele and nixu; below them are www, ns, ns2 and tapas. The leaf tapas.nixu.fi corresponds to the address 193.203.237.24.]

Name Space Structure
• Tree has nodes and arcs.
• Each node has a label – its name relative to its parent. Sibling labels must be unique.
• Root has no name (null label).
• Domain names are labels read from bottom up. Dot is used as a separator: tapas.nixu.fi.
• Fully Qualified Domain Name (FQDN) should technically end in a dot. It can NOT be omitted in DNS configuration!
• Domains are subtrees of the naming tree. Leaf nodes represent single hosts.
• Data is found by traversing the tree. Each node contains data called Resource Records (RR). Example:

    foo.nixu.fi.   IN   A   193.209.237.200

Delegation
• Domains are subtrees of the naming tree.
• Domains can be delegated to an organization.
• Delegation means transfer of authority and control.
• Delegation is done by configuring in the parent name server the names of the servers which control the domain.

[Figure: the same naming tree (root ".", com, fi, se, namesurfer, tele with ns and ns2, nixu with www and tapas, www, ns) with one subtree marked "delegated domain" and a subtree below it marked "delegated subdomain".]

Zones and Authority
• A zone is usually the same as a domain – all the data from the specified naming subtree.
  – Exception: branches delegated to somewhere else aren't part of a zone.
• Name server database consists of zones.
  – one file - one zone
  – If a name server has a zone in its database, it's said to be authoritative for that zone.
• Zones consist of all resource records for that domain.

How About Address to Name?
• Reverse mapping exists in the in-addr.arpa domain.

[Figure: the naming tree extended with the reverse branch. Next to fi, com and se the root "." has arpa; under arpa is in-addr, followed by the octet labels 193, 209, 237 and 24. The forward tree shows the same host as tapas.nixu.fi with address 193.203.237.24.]

Problems with Reverses
• Some services want to know which domain name the contacting IP-address corresponds to. They do a reverse query/lookup.
• Some services do not work if the reverse lookup doesn't find anything.
• Problem: Reverse mapping is in a separate branch of the naming tree, and the in-addr.arpa branch is delegated differently from domain names.
• If a host needs to access all Internet services, BOTH the domain name AND the reverse pointer have to be configured correctly.

Internet Names
• FQDN can be up to 254 characters in length [RFC882]
• One label can be up to 63 characters [RFC882]
• No limit on the number of labels
• Allowed characters are A-Z, 0-9 and - [RFC952]. Periods allowed as delimiters in domain names
• Name should not end in - (a hyphen)
• Domain names are not case sensitive, i.e. FOO equals foo
• All software MUST be able to handle 63 characters long names and SHOULD handle the maximum length

Internationalized Domain Names • IETF has standardized methods for using characters other than a-z in domain names

• Due to the large existing base of software, nationalized names are coded to the existing [a-z0-9-] namespace

• The client software (user interface) must translate the nationalized name to the encoding schema

• This issue is somewhat complex and also includes political aspects


Top Level Domains
• In international use today
  – .com for commercial organizations (sendmail.com)
  – .org for non-commercial organizations (red-cross.org)
  – .net for network companies (internic.net)
  – and a growing number of new ones – .info, .biz ...
• Reserved for the USA government
  – .gov USA government (whitehouse.gov)
  – .mil USA military (army.mil)
• National domain names
  – ISO 3166 standard abbreviations (Finland = .fi, Sweden = .se, United Kingdom = .uk, ...)

Top Level Organizations
• InterNIC
  – Primary for the root domain
  – Registers domains under the international TLDs (currently this is more messy)
• ARIN (American Registry for Internet Numbers)
  – Administration of the IP address space
  – Previously this was done by InterNIC
• RIPE (Réseaux IP Européens)
  – Administration of IP addresses in Europe
  – InterNIC has delegated some in-addr.arpa domains to RIPE
  – RIPE redelegates networks to European Internet operators
• APNIC (Asia Pacific Network Information Center)

National Organizations
• InterNIC has delegated each country TLD to one organization.
  – In Finland that is Ficora (communications ministry)
  – In Sweden Network Information Center Sweden AB etc.
• Each organization delegates subdomains according to its policy.
• Registering domain names:
  – Every subdomain needs to be "registered" with its parent.
  – The parent must configure in its zone file the existence of the subdomain.
  – Often the registration can be made with a WWW form.
  – Your Internet operator can assist you with the registration

Additional Information on Registrations
• InterNIC http://www.internic.net/
• RIPE http://www.ripe.net/
• ARIN http://www.arin.net/
• APNIC http://www.apnic.net/
• Ficora http://www.ficora.fi/

DNS Components

[Figure: on "every Internet host" a client program sends a query to the resolver, which has a cache; the resolver forwards it to a nameserver (with cache and database) on a "name server host" and relays the answer back to the client.]

• Every TCP/IP host must have a resolver.
• Only a few hosts need to run a name server.

Resolver
• Every Internet host has a resolver. It comes with the TCP/IP package. Usually a set of library routines linked to programs.
• Resolver accepts name server queries from client programs – telnet-commands, WWW-browsers etc.
• It checks whether it has the queried information in its own cache. If it has, the resolver returns the data to the client.
• If it doesn't have it, it sends the query to a name server.
• The default name server(s) must be configured in the host's TCP/IP software.
  – Unix-system configuration file /etc/resolv.conf
  – Sometimes DNS has to be switched on: /etc/nsswitch.conf

Resolver Configuration
• /etc/resolv.conf can have several directives:

    domain research.nixu.fi
    nameserver 123.123.123.123
    nameserver 213.213.213.213
    search nixu.fi lab.nixu.fi

• domain: tells the host which domain it belongs to.
• nameserver: tells the nearest nameservers
• search is a list of domain-names to append to incomplete names (i.e. names without the ending dot!):
  – telnet foo -> foo.research.nixu.fi. -> foo.nixu.fi. -> foo.lab.nixu.fi. -> foo.
  – telnet ns.tele.fi -> ns.tele.fi.research.nixu.fi. -> ns.tele.fi.nixu.fi. -> ns.tele.fi.lab.nixu.fi. -> ns.tele.fi.
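The search-list expansion described on this slide, written out as an added example (not code from the slides); it parses the resolv.conf shown above and produces the candidate FQDNs in the slide's order: the domain suffix, then the search suffixes, then the bare name. The RESOLV_CONF text is a constructed copy of the slide's directives.

```python
import ipaddress

# Constructed resolv.conf text using the directives from the slide.
RESOLV_CONF = """
domain research.nixu.fi
nameserver 123.123.123.123
nameserver 213.213.213.213
search nixu.fi lab.nixu.fi
"""

def parse_resolv_conf(text):
    """Return (domain, nameservers, search) from resolv.conf-style text."""
    domain, nameservers, search = None, [], []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "domain" and len(tok) > 1:
            domain = tok[1]
        elif tok[0] == "nameserver" and len(tok) > 1:
            nameservers.append(str(ipaddress.ip_address(tok[1])))  # rejects non-addresses
        elif tok[0] == "search":
            search = tok[1:]
    return domain, nameservers, search

def candidate_names(name, domain, search):
    """FQDNs tried in order for a typed name, as the slide describes: a name
    with a trailing dot is used as-is; otherwise the domain suffix, the search
    suffixes and finally the bare name are tried."""
    if name.endswith("."):
        return [name]
    suffixes = ([domain] if domain else []) + [s for s in search if s != domain]
    return [f"{name}.{s}." for s in suffixes] + [f"{name}."]

def first_match(name, domain, search, known):
    """Simulate the lookup: the first candidate that exists wins, so a short
    name may resolve to a host inside a search suffix rather than the host
    the user had in mind. 'known' is the set of names that exist."""
    for fqdn in candidate_names(name, domain, search):
        if fqdn in known:
            return fqdn
    return None
```

Current Unix resolvers treat domain and search as mutually exclusive (the last one in the file wins); the ordering here follows the slide.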

The Name Server
• Receives queries from resolvers and from other name servers in the world and answers them based on the contents of its database and cache.
• Two types of replies:
  – authoritative: "I know this because my database says so. This data is always correct."
  – non-authoritative: "I know this from my cache, so this data may not be correct."
• If it has no knowledge of the queried name, it asks another nameserver
  – if it doesn't know which name server knows, it asks a root nameserver.
• List of root nameservers must be configured correctly into every name server.
  – ftp://rs.internic.net/domain/named.root

Querying

[Figure: the DNS components diagram with numbered arrows 1-9: client to resolver (1, 2), resolver to nameserver query (3), nameserver cache/database lookup (4, 5), nameserver to other name servers and back (6, 7), answer to the resolver (8) and to the client (9).]

• 1: client sends query for the IP-address of www.nixu.fi.
• 2: resolver checks if it has the data. No.
• 3: resolver sends query to the nearest name server.

...Querying
• 4-5: name server checks if it has the actual data or if the data is in the cache. No.
• 6: it asks a root name server. 7: Root name server gives a referral to fi name servers. Saves them into the cache.
• 6: it asks a fi name server and 7: gets back addresses of nixu.fi name servers. Saves them into the cache.
• 6: it asks a nixu.fi name server and 7: gets an authoritative IP-address answer because the nixu.fi name server has the address in its database (see phase 5).
• 8-9: the answer is relayed to the client. The name server queried by the resolver (3) received a recursive query ("keep querying until you get an answer"). Other servers received an iterative/non-recursive query (6) ("just give me the nearest address you've got").
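The walk in steps 4-8 above as a small simulation, added here as an example and not part of the slides: a recursive server answers from cache when it can, otherwise it queries iteratively from the root (or from the deepest referral it has cached) until an authoritative answer comes back. The server table and the 192.0.2.x addresses are constructed for the example.

```python
# Constructed authoritative data for the servers in the slide's walk. Keys are
# server addresses (made up here), values map owner names to records. An NS
# entry carries the next server's name and its glue address.
SERVERS = {
    "root": {
        "fi.": {"NS": ("ns.fi.", "192.0.2.1")},
    },
    "192.0.2.1": {
        "nixu.fi.": {"NS": ("jalopeno.nixu.fi.", "192.0.2.2")},
    },
    "192.0.2.2": {
        "www.nixu.fi.": {"A": "192.0.2.3"},
    },
}

def new_cache():
    """A recursive server's cache: final answers plus zone -> server referrals."""
    return {"answers": {}, "referrals": {}}

def best_referral(zone_data, qname):
    """Closest enclosing delegation this server knows for qname, or None."""
    best = None
    for name, rrs in zone_data.items():
        if "NS" in rrs and (qname == name or qname.endswith("." + name)):
            if best is None or len(name) > len(best[0]):
                best = (name, rrs["NS"])
    return best

def resolve(qname, cache):
    """Resolve qname as the recursive server does in steps 4-8: answer from
    cache if possible, else walk iteratively from the deepest cached referral
    (or the root), following referrals until an authoritative answer arrives.
    Returns (address or None, authoritative flag, trace of servers asked)."""
    if qname in cache["answers"]:                      # steps 4-5: cache hit
        return cache["answers"][qname], False, ["answer from cache"]
    server = "root"
    for zone, addr in sorted(cache["referrals"].items(), key=lambda kv: len(kv[0])):
        if qname.endswith("." + zone):
            server = addr                              # deepest known delegation
    trace = []
    while True:
        rrs = SERVERS[server].get(qname, {})
        if "A" in rrs:                                 # step 7: authoritative answer
            cache["answers"][qname] = rrs["A"]
            trace.append(f"{server}: A {rrs['A']} (authoritative)")
            return rrs["A"], True, trace
        ref = best_referral(SERVERS[server], qname)
        if ref is None:                                # authoritative "no such name"
            trace.append(f"{server}: no such name")
            return None, True, trace
        zone, (nsname, glue) = ref
        cache["referrals"][zone] = glue                # step 7: referral cached
        trace.append(f"{server}: referral to {nsname} ({glue}) for {zone}")
        server = glue
```

The second lookup of www.nixu.fi. is answered non-authoritatively from cache, and a later lookup under nixu.fi. starts directly at the cached nixu.fi. server instead of the root.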

Types of Name Servers
• Primary master (= primary)
  – Has zones in its database. Is authoritative for the zones it has.
• Secondary master (= secondary)
  – Gets zone data by transferring the zones from the primary master.
  – The mechanism is called zone transfer.
  – Zone transfers happen automatically at given intervals.
  – Is authoritative for the zones it transfers.
  – Used to spread answering load and to make name service reliable.
• Caching only
  – Does not have a database, only cache.
  – Isn't authoritative for any zones.
  – Answers only from its cache.
• A server can be primary for one zone but secondary for another

DNS Data
• Resource Records (RR)
• Each domain/host has some resource records (data)
• A set of defined resource records
• DNS can support other RRs too, for example a new resource record AAAA which is an address record for IPv6.
• Resource records exist in the zone files.

SOA - Start Of Authority

    nixu.fi.   IN   SOA   jalopeno.nixu.fi. hostmaster.nixu.fi. (
                              603011405   ; serial
                              10800       ; refresh (3 hours)
                              3600        ; retry (1 hour)
                              345600      ; expire (4 days)
                              86400 )     ; minimum (1 day)

Field labels from the slide: nixu.fi. is the domain name, IN the Internet class, SOA the name of the RR, jalopeno.nixu.fi. the primary name server and hostmaster.nixu.fi. the administrator's e-mail address.

• SOA marks the beginning of a zone and is the first entry in a zone file
• E-mail address has a dot in place of the @-sign.

SOA Values
• Serial number
  – just an integer to signal secondaries they need to do a zone transfer
  – must INCREMENT the serial number after each change
  – could be formatted according to a system: f.ex. YYYYMMDDX
• Refresh interval – tells secondaries how often they should check the primary for changed information (in seconds).
• Retry interval – how often a secondary should retry checking if the first time fails (in seconds).
• Expire time – after how long the secondary data should be deleted if the primary cannot be contacted (in seconds).
• Time to live – tells other name servers how long this data can be kept in cache. After this time it's deleted.
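The serial rules above as an added example (not from the slides): a YYYYMMDDX generator that never moves backwards, and the 32-bit serial arithmetic (RFC 1982) a secondary uses to decide whether the primary's serial is newer, which is what produces the "is < ours" syslog message later in the deck. The serial values in the test are taken from the slides; secondary_action is a name chosen here.

```python
from datetime import date

def next_serial(current, today):
    """Next serial in the YYYYMMDDX scheme from the slide: the first change
    on a day gives YYYYMMDD0 and later changes that day bump X. If the current
    serial is already at or beyond today's base (e.g. a future-dated serial),
    it is simply incremented so the value never goes backwards."""
    base = int(today.strftime("%Y%m%d")) * 10
    return base if current < base else current + 1

def serial_newer(candidate, ours):
    """RFC 1982 serial arithmetic on 32-bit serials: True when candidate is
    'greater' than ours, i.e. less than 2^31 ahead modulo 2^32. This is the
    test a secondary applies to the primary's SOA serial at refresh time."""
    diff = (candidate - ours) % 2**32
    return 0 < diff < 2**31

def secondary_action(primary_serial, our_serial):
    """What a secondary concludes at refresh time."""
    if primary_serial == our_serial:
        return "up to date"
    if serial_newer(primary_serial, our_serial):
        return "zone transfer"
    return f"primary serial {primary_serial} is < ours ({our_serial})"
```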

NS - Name Servers

    nixu.fi.   IN   NS   jalopeno.nixu.fi.
    nixu.fi.   IN   NS   ns.tele.fi.

• Tells the nameservers for the zone
• The names given in the NS-records need to have a direct A-record. They may NOT be aliases (CNAME-records).
• Note the server names should be FQDNs.
• A domain needs at least two different name servers.

A - Address

    ;nixu.fi file
    foo.nixu.fi.   IN   A   193.209.237.200
    bar            IN   A   193.209.237.206

• Tells the IP-address of the specified domain name.
• If the host name doesn't end in the dot, the name server software completes the name with the domain name of the zone file.
• Used by several applications (telnet, ftp, NFS...).

PTR - Reverse Pointer

    200   IN   PTR   foo.nixu.fi.
    206   IN   PTR   bar.nixu.fi.

• PTR-record tells which domain name this IP-address corresponds to.
• The PTR-records exist only in reverse network zone files.
• For example the above should be in zone file 237.209.193.in-addr.arpa.

TXT - Text Record

    foo.nixu.fi.   IN   A     193.209.237.200
                   IN   TXT   "Our test host."

• For entering comments and other information.
• Need quotes for text containing white space.
• Text can have 8-bit characters in it.
• Maximum length 254 characters.

MX - Mail Exchanger

    nixu.fi.   IN   MX   10   jalopeno.nixu.fi.
               IN   MX   20   smtp.tele.fi.

• Used by mail transfer agents (sendmail etc) to decide where to send e-mail addressed to this host/domain.
• Mail exchanger names must have direct A-records, they may NOT be aliases.
• Priority is reversed, the lowest number is tried first. If that cannot be contacted, the next lowest is tried etc. A zero value is not recommended.
• MX's have effect only on e-mail HOSTS, not user aliases.

CNAME - Canonical Name

    foo.nixu.fi.   IN   A       193.209.237.200
    bar.nixu.fi.   IN   CNAME   foo.nixu.fi.

• Used to call one host with several names.
• Should be read: "bar.nixu.fi's canonical (= real) name is foo.nixu.fi". Can be read "bar is an alias for foo".
• There is no way to query what aliases a certain host has.
• Query for bar's IP-address gets both the CNAME record and foo's A-record.
• Aliases should NOT have any other RRs (MX's etc).

Other Rare RRs

    bar.nixu.fi.   IN   RP   lea.nixu.fi. .

• RP - responsible person
  – Pointer to more info should be a domain name having a TXT record with free form info about the person. A plain dot (root domain) indicates no info.

    soda.nixu.fi.   IN   HINFO   "PC" "Linux"

• HINFO - host information

    foo.nixu.fi.   IN   WKS   1.2.3.4   TCP   telnet smtp

• WKS - well known services (not really used)

Glue records
• How can we delegate a subdomain, when the nameserver is in the subdomain itself?
• In the fi. -zone:

    nixu.fi.            IN   NS   jalopeno.nixu.fi.
                        IN   NS   ns.tele.fi.
    jalopeno.nixu.fi.   IN   A    194.197.118.20

• The A record of the nameserver in the subdomain is placed in the higher zone

DNS for IPv6
• RFC 1886, 2873, 2874, being updated
• Initially a new record type AAAA for IPv6 addresses
  – 128 bits = 4 x 32 bits (A), hence 4 x A

    $ORIGIN example.net.
    host-ipv4   IN   A      192.168.42.1
    host-ipv6   IN   AAAA   3ffe:8050:201:1860:42::1

  – Note the :: in this notation, it indicates that an appropriate amount of zero bits should be inserted here
• Now A6 appears a more likely record format
  – Supports prefixes, only the last part of the address needs to be specified
• Reverse map under ip6.arpa (vs. in-addr.arpa)
  – Resolution 4 bits (one hex digit) vs. 8 bits in IPv4
• DNS for IPv6 has not stabilized yet

A6 and PTR records for IPv6
• The A6 record stores the end part of the address chain

    myhost   A6   64   ::02d0:09ff:fef7:6d2c   mynet.provider.net.

  – note the bit boundary (64)
• Another A6 record holds the initial part

    $ORIGIN provider.net.
    mynet   A6   0   2345:00C0:88A3:1212::

• "A6 0" is equal to AAAA
• Reverse data is split on the nibble (4 bit) boundary

    c.2.d.6.7.f.e.f.f.f.9.0.0.d.2.0.2.0.0.0.5.4.5.4.0.0.9.1.e.f.f.3.ip6.arpa.   PTR   fiifaafoo.nixu.fi

• The DNAME record can be used to hold part of the reverse address

    \[x3ffe19004545/48].ip6.arpa   DNAME   IP6.provider.dujour.

  – Almost the same as the CNAME, but for domains
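Building reverse names for both families, as an added example that is not part of the slides: IPv4 reverses octets under in-addr.arpa (the 237.209.193.in-addr.arpa. zone of the PTR slide), IPv6 reverses nibbles under ip6.arpa, and the nibble name above is reproduced from the address 3ffe:1900:4545:2:2d0:9ff:fef7:6d2c. The function names are chosen here; only the standard ipaddress module is used.

```python
import ipaddress

def reverse_name(addr):
    """PTR owner name (with trailing dot) for one address: octets reversed
    under in-addr.arpa for IPv4, nibbles reversed under ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")      # expands :: to all 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def reverse_zone(cidr):
    """Name of the reverse zone holding PTRs for a prefix. IPv4 delegations sit
    on 8-bit (octet) boundaries, IPv6 ones on 4-bit (nibble) boundaries."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = 8 if net.version == 4 else 4
    if net.prefixlen % bits:
        raise ValueError(f"/{net.prefixlen} is not on a {bits}-bit boundary")
    labels = reverse_name(str(net.network_address)).split(".")
    total = 4 if net.version == 4 else 32       # address labels before in-addr/ip6
    return ".".join(labels[total - net.prefixlen // bits:])

def ptr_owner(addr, cidr):
    """Relative owner to write in that zone file (e.g. '200' for a /24)."""
    name, zone = reverse_name(addr), reverse_zone(cidr)
    if not name.endswith("." + zone):
        raise ValueError(f"{addr} is not inside {cidr}")
    return name[: -len(zone) - 1]
```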

DNSsec
• Aims:
  – Data origin authentication
  – Transaction and request authentication
  – Public key cryptography key storage
• Three separate problems solved with one work – complex result
• Results:
  – RFC2535, Domain Name System Security Extensions
  – Several related RFCs and Internet Drafts
• Could be used to hold other keys besides those needed for DNSsec
  – Should not be used as a PKI hierarchy
• International deployment is still on hold

Data origin authentication
• Zone data digitally signed by the private key of the zone
• A new SIG resource record for the signature
  – Several possible algorithms, currently only MD5/RSA defined
• Zone re-signed after each change - zone key can be off line
• A separate mechanism for an authoritative "name does not exist" capability
  – (a NXT record)

Transaction authentication
• Transactions authenticated with the SIG record attached to each transaction
• Transaction signature is calculated on the fly - the host private key needs to be on line
  – One of the reasons DNSsec is not in common use, think about the root servers

Public key storage
• A new KEY resource record
• Able to hold different types of keys
  – Algorithm identifier
  – Key parameters
• Cannot be used unless there is sufficient data origin authentication

Hostname Command
• Prints out the name of the machine

    $ hostname
    tapas.nixu.fi

• Sets the name of the machine

    $ hostname tapas.nixu.fi

• Standard tool in all Unixes

Nslookup
• Old standard tool to query name servers.
• Syntax: nslookup -opt host.na.me srv.na.me
• Example:

    10 lea@tapas $ nslookup -q=mx www.nixu.fi
    Server:  jalopeno.nixu.fi
    Address:  193.209.237.20

    www.nixu.fi     canonical name = jalopeno.nixu.fi
    nixu.fi nameserver = jalopeno.nixu.fi
    nixu.fi nameserver = ns.tele.fi
    nixu.fi nameserver = ns2.tele.fi
    jalopeno.nixu.fi        internet address = 193.209.237.20
    ns.tele.fi      internet address = 193.210.18.18
    ns.tele.fi      internet address = 193.210.19.19
    ns2.tele.fi     internet address = 193.210.19.190

Dig
• Syntax: dig @name.ser.ver host.na.me rr
• Simpler to use than nslookup, much more output:

    54 lea@tapas $ dig @ns.tele.fi tapas.nixu.fi a
    ; DiG 2.1 @ns.tele.fi tapas.nixu.fi
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 3, Addit: 4
    ;; QUESTIONS:
    ;;      tapas.nixu.fi, type = A, class = IN
    ;; ANSWERS:
    tapas.nixu.fi.  86400   A       193.209.237.24
    ;; AUTHORITY RECORDS:
    nixu.fi.        86400   NS      jalopeno.nixu.fi.
    nixu.fi.        86400   NS      ns.tele.fi.
    nixu.fi.        86400   NS      ns2.tele.fi.
    ;; Total query time: 205 msec
    ;; FROM: tapas.nixu.fi to SERVER: ns.tele.fi  193.210.19.19

Named-Xfer
• The tool BIND uses for zone transfers
• Good for testing zone transfers

    host% named-xfer -z zone.fi -f file -d level -l debug.file name.server
    host% echo $?

• The exit code (echo $?) tells how the zone transfer succeeded:
  – 0 – no transfer, data up to date
  – 1 – successful transfer
  – 2 – error not logged
  – 3 – error logged

The Usual Errors in syslog
• Lame server on 'www.xxxx.com' (in xxxx.com)[1.2.3.4].53 server.na.me
  – This means somebody somewhere has created a lame delegation, so a name server which is supposed to know about a domain doesn't.
  – Not dangerous unless the domain or name server is yours.
• Secondary zone "xxxx.com" expired
  – Your secondary hasn't been able to contact the primary and the zone has expired.
• Zone "86.88.192.in-addr.arpa" SOA serial# (199803011) rcvd from [1.6.2.4] is < ours (1998021271)
  – The SOA serial number on the primary host is LESS than ours.

The Most Common Errors in Data
• NS- and/or MX-records point to a CNAME record.
• Missing end-dot in a FQDN.
• SOA timers are not smart.
• CNAME-records have other data (MX's etc).
• SOA name server and/or admin e-mail address point to an invalid address.
• Only syntax errors are reported via syslog. Most of these common errors are semantic.
• See RFC1912.
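A checker for the semantic errors listed above, added here as an example and not code from the slides or from BIND. It assumes a simplified zone syntax (one record per line, $ORIGIN, optional TTL and class, SOA on one line) and runs over a constructed nixu.fi. zone seeded with an NS at a CNAME, a missing end-dot, an alias carrying an MX, and an expire timer shorter than refresh plus retry.

```python
# Constructed sample zone (not from the slides) seeded with the errors above.
SAMPLE_ZONE = """
$ORIGIN nixu.fi.
@        IN SOA   jalopeno hostmaster (603011405 10800 3600 7200 86400)
@        IN NS    jalopeno
@        IN NS    www                  ; NS must not point at a CNAME
@        IN MX    10 jalopeno.nixu.fi  ; missing end-dot: becomes jalopeno.nixu.fi.nixu.fi.
jalopeno IN A     193.209.237.20
foo      IN A     193.209.237.200
www      IN CNAME foo
www      IN MX    10 jalopeno          ; an alias must carry no other data
"""
TARGET_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}   # rdata field naming a host

def fqdn(name, origin):
    """Complete a relative name with the zone origin; '@' is the origin itself."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """One record per line, optional TTL and class; returns a list of dicts."""
    origin, records = None, []
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
        if not tok:
            continue
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        owner = fqdn(tok.pop(0), origin)
        while tok[0].isdigit() or tok[0].upper() == "IN":
            tok.pop(0)                                   # optional TTL and class
        rtype, rdata = tok[0].upper(), tok[1:]
        raw_target = rdata[TARGET_FIELD[rtype]] if rtype in TARGET_FIELD else None
        records.append({"owner": owner, "type": rtype, "rdata": rdata, "origin": origin,
                        "raw_target": raw_target, "target": fqdn(raw_target, origin) if raw_target else None})
    return records

def check_zone(text):
    """Return human-readable descriptions of the semantic errors found."""
    records, problems, types = parse_zone(text), [], {}
    for r in records:
        types.setdefault(r["owner"], set()).add(r["type"])
    for r in records:
        t, raw = r["target"], r["raw_target"]
        if r["type"] in ("NS", "MX"):
            if "CNAME" in types.get(t, ()):
                problems.append(f'{r["type"]} for {r["owner"]} points to alias {t}')
            elif t.endswith("." + r["origin"]) and "A" not in types.get(t, ()):
                problems.append(f'{r["type"]} target {t} has no A record')
        if raw and "." in raw and not raw.endswith("."):
            problems.append(f'probable missing end-dot: {raw} in {r["owner"]} {r["type"]}')
        if r["type"] == "SOA":
            refresh, retry, expire = map(int, r["rdata"][3:6])
            if expire < refresh + retry:              # RFC 1912 timer sanity
                problems.append("SOA expire is shorter than refresh + retry")
    for owner, ts in types.items():
        if "CNAME" in ts and len(ts) > 1:
            problems.append(f"alias {owner} has other records: {sorted(ts - {'CNAME'})}")
    return problems
```

None of these five findings would appear in syslog, since the zone loads without syntax errors.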

Troubleshooting Name Server
• Problem: Name server cannot find any external hosts.
  – Answer: Check the root cache. Without it a name server cannot function correctly.
• Problem: Root cache is OK. Still cannot find external hosts.
  – Answer: Check that UDP port 53 isn't blocked in either direction in a router. The return packets must also be able to pass.
• Problem: Somebody is giving out old data.
  – Answer: Check the expire times in the zone SOA.

Troubleshooting Secondaries
• Problem: Secondary cannot get any data from primary.
  – Answer: Check if TCP port 53 is blocked in a router. Normal name service queries use UDP port 53, but zone transfers use TCP.
• Problem: Secondary got data from primary at first, but new changes won't be transferred.
  – Answer: Did the primary manager forget to increment the SOA serial number on the zone? Did she restart the named?
• Problem: Serial number is changed but the secondary still cannot load the data.
  – Answer: Check for any syntax errors in the data. Syntax errors can cause named-xfer to exit abnormally.