DNS. Domain Name System

Author: Kerry Fields

OVERVIEW
• General
• Name space
• Components
• Resource records
• IPv6 DNS
• Tools
• Troubleshooting


Why DNS?
• Background: TCP/IP networks (ARPA Internet)
• Basic problem – IP-addresses (…) are hard to remember
• /etc/hosts in every machine
  – each address has to be registered centrally
  – doesn’t scale well in a networked environment
• Domain Name Service – DNS from 1983


Goals of DNS
• Distributed database with local caching
  – distributed systems are scalable
  – distributed systems handle network errors well
  – cache improves performance
• Distributed administration (adding or deleting data)
• General usage:
  – not for just one application (can be used by telnet, e-mail etc)
  – not for just one protocol
• Only the name space structure and query protocol are fixed.
• Three main components: name space structure, resolvers and name servers.


Name Space Structure
(figure: the naming tree, rooted at ".")
• Tree has nodes and arcs.
• Each node has a label – its name relative to its parent. Sibling labels must be unique.
• Root has no name (null label).
• Domain names are labels read from bottom up. Dot is used as a separator: tapas.nixu.fi.
• Fully Qualified Domain Name (FQDN) should technically end in a dot. It can NOT be omitted in DNS configuration!
• Domains are subtrees of the naming tree. Leaf nodes represent single hosts.
• Data is found by traversing the tree. Each node contains data called Resource Records (RR). Example: foo.nixu.fi.




Delegation
• Domains are subtrees of the naming tree.
• Domains can be delegated to an organization.
• Delegation means transfer of authority and control.
• Delegation is done by configuring in the parent name server the names of the servers which control the domain.
(figure: naming tree rooted at "." with the branches com, tele (with ns) and nixu (with www), marking a delegated domain and a delegated subdomain)


Zones and Authority
• A zone is usually the same as a domain – all the data from the specified naming subtree.
  – Exception: branches delegated to somewhere else aren’t part of a zone.
• Name server database consists of zones.
  – one file – one zone
  – If a name server has a zone in its database, it’s said to be authoritative for that zone.
• Zones consist of all resource records for that domain.


How About Address to Name?
• Reverse mapping exists in the in-addr.arpa domain.
(figure: naming tree rooted at "." with the branches fi → nixu → tapas and arpa → in-addr → 193 → 209 → 237 → 24, i.e. tapas.nixu.fi and its reverse entry 24.237.209.193.in-addr.arpa)

Problems with Reverses
• Some services want to know which domain name the contacting IP-address corresponds to. They do a reverse query/lookup.
• Some services do not work if the reverse lookup doesn’t find anything.
• Problem: Reverse mapping is in a separate branch of the naming tree, and the in-addr.arpa branch is delegated differently from domain names.
• If a host needs to access all Internet services, BOTH the domain name AND the reverse pointer have to be configured correctly.

Internet Names
• FQDN can be up to 254 characters in length [RFC882]
• One label can be up to 63 characters [RFC882]
• No limit on the number of labels
• Allowed characters are A-Z, 0-9 and - [RFC952]. Periods are allowed as delimiters in domain names
• Name should not end in
• Domain names are not case sensitive, i.e. FOO equals foo
• All software MUST be able to handle 63 characters long names and SHOULD handle the maximum length


Internationalized Domain Names
• IETF has standardized methods for using characters other than a-z in domain names
• Due to the large existing base of software, nationalized names are encoded into the existing [a-z0-9-] namespace
• The client software (user interface) must translate the nationalized name to the encoding schema
• This issue is somewhat complex and also includes political aspects


Top Level Domains
• In international use today
  – .com for commercial organizations (sendmail.com)
  – .org for non-commercial organizations (red-cross.org)
  – .net for network companies (internic.net)
  – and a growing number of new ones – .info, .biz ...
• Reserved for the USA government
  – .gov USA government (whitehouse.gov)
  – .mil USA military (army.mil)
• National domain names
  – ISO 3166 standard abbreviations (Finland = .fi, Sweden = .se, United Kingdom = .uk, ...)


Top Level Organizations
• InterNIC
  – Primary for the root domain
  – Registers domains under the international TLDs (currently this is more messy)
• ARIN (American Registry for Internet Numbers)
  – Administration of the IP address space
  – Previously this was done by InterNIC
• RIPE (Réseaux IP Européens)
  – Administration of IP addresses in Europe
  – InterNIC has delegated some in-addr.arpa domains to RIPE
  – RIPE redelegates networks to European Internet operators
• APNIC (Asia Pacific Network Information Center)


National Organizations
• InterNIC has delegated each country TLD to one organization.
  – In Finland that is Ficora (communications ministry)
  – In Sweden Network Information Center Sweden AB, etc.
• Each organization delegates subdomains according to its policy.
• Registering domain names:
  – Every subdomain needs to be "registered" with its parent.
  – The parent must configure in its zone file the existence of the subdomain.
  – Often the registration can be made with a WWW form.
  – Your Internet operator can assist you with the registration


Additional Information on Registrations
• InterNIC http://www.internic.net/
• RIPE http://www.ripe.net/
• ARIN http://www.arin.net/
• APNIC http://www.apnic.net/
• Ficora http://www.ficora.fi/


DNS Components
(figure: on every Internet host a client program sends its query to the resolver; on a name server host the name server answers from its cache and database)
• Every TCP/IP host must have a resolver.
• Only a few hosts need to run a name server.

Resolver
• Every Internet host has a resolver. It comes with the TCP/IP package. Usually a set of library routines linked to programs.
• Resolver accepts name server queries from client programs – telnet commands, WWW browsers etc.
• It checks whether it has the queried information in its own cache. If it has, the resolver returns the data to the client.
• If it doesn’t have it, it sends the query to a name server.
• The default name server(s) must be configured in the host’s TCP/IP software.
  – Unix-system configuration file /etc/resolv.conf
  – Sometimes DNS has to be switched on: /etc/nsswitch.conf


Resolver Configuration
• /etc/resolv.conf can have several directives:
    domain research.nixu.fi
    nameserver
    nameserver
    search nixu.fi lab.nixu.fi
  (the two nameserver addresses did not survive extraction)
• domain: tells the host which domain it belongs to.
• nameserver: tells the nearest nameservers
• search is a list of domain-names to append to incomplete names (i.e. names without the ending dot!):
  – telnet foo -> foo.research.nixu.fi. -> foo.nixu.fi. -> foo.lab.nixu.fi. -> foo.
  – telnet ns.tele.fi -> ns.tele.fi.research.nixu.fi. -> ns.tele.fi.nixu.fi. -> ns.tele.fi.lab.nixu.fi. -> ns.tele.fi.
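As an added illustration of the search-list behaviour just described (example code, not from the slides), a small Python function lists the names a resolver would try; DOMAIN and SEARCH are the slide's resolv.conf values, and the optional ndots argument generalizes to the glibc ndots option, which the slides do not cover.

```python
# Added example: expand a name the way the slide describes domain/search
# handling. A name with a trailing dot is absolute and used as-is; any
# other name is tried with the "domain" suffix, then each "search" entry,
# and finally as-is with a dot appended.
DOMAIN = "research.nixu.fi"            # domain directive on the slide
SEARCH = ["nixu.fi", "lab.nixu.fi"]    # search directive on the slide


def candidates(name, domain=DOMAIN, search=SEARCH, ndots=None):
    """Return the FQDNs a resolver would try for `name`, in order."""
    if name.endswith("."):
        return [name]                  # already qualified: no search
    suffixes = [domain] + [s for s in search if s != domain]
    with_suffix = [f"{name}.{s}." for s in suffixes]
    absolute = f"{name}."
    # glibc "options ndots:N" (not on the slide): a name containing at
    # least N dots is tried absolute first. ndots=None reproduces the
    # slide, where the search list is always tried first. Either way a
    # short name can silently resolve under one of the suffixes, which
    # is why configuration files should use the trailing dot.
    if ndots is not None and name.count(".") >= ndots:
        return [absolute] + with_suffix
    return with_suffix + [absolute]
```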


The Name Server
• Receives queries from resolvers and from other name servers in the world and answers them based on the contents of its database and cache.
• Two types of replies:
  – authoritative: "I know this because my database says so. This data is always correct."
  – non-authoritative: "I know this from my cache, so this data may not be correct."
• If it has no knowledge of the queried name, it asks another nameserver – if it doesn’t know which name server knows, it asks a root nameserver.
• List of root nameservers must be configured correctly into every name server.
  – ftp://rs.internic.net/domain/named.root


Querying
(figure: the numbered query flow; 1: client to resolver, 2: resolver checks its cache, 3: query to the name server, 4-5: name server checks its database and cache, 6-7: queries to other name servers, 8: answer back to the resolver, 9: answer to the client)
• 1: client sends query for the IP-address of www.nixu.fi.
• 2: resolver checks if it has the data. No.
• 3: resolver sends query to the nearest name server.

...Querying
• 4-5: name server checks if it has the actual data or if the data is in the cache. No.
• 6: it asks a root name server. 7: Root name server gives a referral to fi name servers. Saves them into the cache.
• 6: it asks a fi name server and 7: gets back addresses of nixu.fi name servers. Saves them into the cache.
• 6: it asks a nixu.fi name server and 7: gets an authoritative IP-address answer because the nixu.fi name server has the address in its database (see phase 5).
• 8-9: the answer is relayed to the client. The name server queried by the resolver (3) received a recursive query ("keep querying until you get an answer"). Other servers received an iterative/non-recursive query (6) ("just give me the nearest address you’ve got").
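To make the numbered walk concrete, here is an added toy simulation of these phases (example code, not from the slides): ask() stands in for the servers queried iteratively in phases 6-7 and resolve() for the recursive name server of phase 3. The authoritative data is constructed; ns.fi-example. and the 192.0.2.x addresses are placeholders, not nixu.fi's real servers.

```python
# Added example: toy simulation of phases 3-9 on the slides. Constructed
# data: 192.0.2.x are documentation addresses standing in for nixu.fi's
# real ones and ns.fi-example. is an invented fi name server.
# What each server knows authoritatively: {zone: {owner: [(type, rdata)]}}
ZONES = {
    ".": {"fi.": [("NS", "ns.fi-example.")]},
    "fi.": {"nixu.fi.": [("NS", "jalopeno.nixu.fi."), ("NS", "ns.tele.fi.")]},
    "nixu.fi.": {"www.nixu.fi.": [("A", "192.0.2.10")],
                 "ftp.nixu.fi.": [("A", "192.0.2.11")]},
}


def ask(zone, qname, qtype):
    """Iterative query (phases 6-7) to the server authoritative for `zone`.
    Returns ("answer", zone, rrs), ("referral", child_zone, ns_rrs) or
    ("nxdomain", zone, [])."""
    data = ZONES[zone]
    rrs = [r for r in data.get(qname, []) if r[0] == qtype]
    if rrs:
        return "answer", zone, rrs            # authoritative data
    # otherwise hand back the closest delegation this server knows about
    for child in sorted(data, key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            ns = [r for r in data[child] if r[0] == "NS"]
            if ns:
                return "referral", child, ns
    return "nxdomain", zone, []


def resolve(qname, qtype, cache, trace):
    """Recursive resolution as done by the name server asked in phase 3.
    `cache` maps zone -> NS records learned from referrals and persists
    between calls; `trace` collects (zone asked, outcome) for inspection."""
    zone = "."
    for known in sorted(cache, key=len, reverse=True):   # phase 5: cache
        if qname == known or qname.endswith("." + known):
            zone = known
            break
    while True:
        kind, where, rrs = ask(zone, qname, qtype)
        trace.append((zone, kind))
        if kind == "referral":
            cache[where] = rrs       # phase 7: remember the delegation
            zone = where             # phase 6 again, one level down
            continue
        return [rdata for _, rdata in rrs]
```

The second lookup in the same cache skips root and fi entirely, which is the cached, non-authoritative path the slides describe.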


Types of Name Servers
• Primary master (= primary)
  – Has zones in its database. Is authoritative for the zones it has.
• Secondary master (= secondary)
  – Gets zone data by transferring the zones from the primary master. The mechanism is called zone transfer.
  – Zone transfers happen automatically at given intervals.
  – Is authoritative for the zones it transfers.
  – Used to spread answering load and to make name service reliable.
• Caching only
  – Does not have a database, only cache.
  – Isn’t authoritative for any zones.
  – Answers only from its cache.
• A server can be primary for one zone but secondary for another


DNS Data
• Resource Records (RR)
• Each domain/host has some resource records (data)
• A set of defined resource records
• DNS can support other RR’s too, for example a new resource record AAAA which is an address record for IPv6.
• Resource records exist in the zone files.


SOA - Start Of Authority
    <domain-name>  SOA  jalopeno.nixu.fi. hostmaster.nixu.fi. (
                        603011405  ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        345600     ; expire (4 days)
                        86400 )    ; minimum (1 day)
  (the slide labels the fields: domain name, name of RR, the primary name server, administrator's e-mail address; the zone's own name did not survive extraction, and the refresh and retry values shown are the seconds stated in their comments)
• SOA marks the beginning of a zone and is the first entry in a zone file
• E-mail address has a dot in place of the @-sign.

SOA Values
• Serial number
  – just an integer to signal secondaries they need to do a zone transfer
  – must INCREMENT the serial number after each change
  – could be formatted according to a system: e.g. YYYYMMDDX
• Refresh interval – tells secondaries how often they should check the primary for changed information (in seconds).
• Retry interval – how often a secondary should retry checking if the first time fails (in seconds).
• Expire time – after how long the secondary data should be deleted if the primary cannot be contacted (in seconds).
• Time to live – tells other name servers how long this data can be kept in cache. After this time it’s deleted.


NS - Name Servers
    nixu.fi.   NS   jalopeno.nixu.fi.
               NS   ns.tele.fi.
• Tells the nameservers for the zone
• The names given in the NS-records need to have a direct A-record. They may NOT be aliases (CNAME-records).
• Note the server names should be FQDNs.
• A domain needs at least two different name servers.


A - Address
    ; nixu.fi file
    foo.nixu.fi.   A   …
    bar            A   …
  (the addresses did not survive extraction)
• Tells the IP-address of the specified domain name.
• If the host name doesn’t end in the dot, the name server software completes the name with the domain name of the zone file.
• Used by several applications (telnet, ftp, NFS...).


PTR - Reverse Pointer
    200   PTR   foo.nixu.fi.
    206   PTR   bar.nixu.fi.
• PTR-record tells which domain name this IP-address corresponds to.
• The PTR-records exist only in reverse network zone files.
• For example the above should be in zone file 237.209.193.in-addr.arpa.


TXT - Text Record
    foo.nixu.fi.   A     …
                   TXT   "Our test host."
• For entering comments and other information.
• Need quotes for text containing white space.
• Text can have 8-bit characters in it.
• Maximum length 254 characters.


MX - Mail Exchanger
    nixu.fi.   MX   10   jalopeno.nixu.fi.
               MX   20   smtp.tele.fi.
• Used by mail transfer agents (sendmail etc) to decide where to send e-mail addressed to this host/domain.
• Mail exchanger names must have direct A-records, they may NOT be aliases.
• Priority is reversed: the lowest number is tried first. If that cannot be contacted, the next lowest is tried etc. A zero value is not recommended.
• MX’s have effect only on e-mail HOSTS, not user aliases.


CNAME - Canonical Name
    foo.nixu.fi.   A       …
    bar.nixu.fi.   CNAME   foo.nixu.fi.
• Used to call one host with several names.
• Should be read: "bar.nixu.fi’s canonical (= real) name is foo.nixu.fi". Can be read "bar is an alias for foo".
• There is no way to query what aliases a certain host has.
• Query for bar’s IP-address gets both the CNAME record and foo’s A-record.
• Aliases should NOT have any other RR’s (MX’s etc).


Other Rare RR’s
• RP - responsible person
    bar.nixu.fi.   RP   lea.nixu.fi. .
  – Pointer to more info should be a domain name having a TXT record with free form info about the person. A plain dot (root domain) indicates no info.
• HINFO - host information
    soda.nixu.fi.   HINFO   "PC" "Linux"
• WKS - well known services (not really used)
    foo.nixu.fi.   WKS   … telnet smtp


Glue records
• How can we delegate a subdomain, when the nameserver is in the subdomain itself?
• In the fi. zone:
    nixu.fi.            NS   jalopeno.nixu.fi.
                        NS   ns.tele.fi.
    jalopeno.nixu.fi.   A    …
• The A record of the nameserver in the subdomain is placed in the higher zone


DNS for IPv6
• RFC 1886, 2873, 2874, being updated
• Initially a new record type AAAA for IPv6 addresses
  – 128 bits = 4 x 32 bits (A), hence 4 x A
    $ORIGIN example.net.
    host-ipv4   IN A      …
    host-ipv6   IN AAAA   3ffe:8050:201:1860:42::1
  – Note the :: in this notation, it indicates that an appropriate amount of zero bits should be inserted here
• Now A6 appears a more likely record format
  – Supports prefixes, only the last part of the address needs to be specified
• Reverse map under ip6.arpa (vs. in-addr.arpa)
  – Resolution 4 bits (one hex digit) vs. 8 bits in IPv4
• DNS for IPv6 has not stabilized yet

A6 and PTR records for IPv6
• The A6 record stores the end part of the address chain
    myhost   A6   64   ::02d0:09ff:fef7:6d2c   mynet.provider.net.
  – note the bit boundary (64)
• Another A6 record holds the initial part
    $ORIGIN provider.net.
    mynet   A6   0   2345:00C0:88A3:1212::
• “A6 0” is equal to AAAA
• Reverse data is split on the nibble (4 bit) boundary
    c.2.d.6.7.f.e.f.f.f.9.0.0.d. … .9.1.e.f.f.3.ip6.arpa.   PTR   fiifaafoo.nixu.fi
  (the middle labels did not survive extraction)
• The DNAME record can be used to hold part of the reverse address
    \[x3ffe19004545/48].ip6.arpa   DNAME   IP6.provider.dujour.
  – Almost the same as the CNAME, but for domains
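The reverse-name construction for both trees, as an added example that is not from the slides: it covers the in-addr.arpa mapping from the earlier reverse-mapping slides (tapas.nixu.fi at 193.209.237.24, whose PTR lives in 237.209.193.in-addr.arpa) and the ip6.arpa nibble split on this slide. reverse_zone() generalizes to any prefix on an octet or nibble boundary, which the slides only show for one /24 and one /48.

```python
# Added example: build the PTR owner names used in the in-addr.arpa and
# ip6.arpa trees and the name of the reverse zone that should hold them.
# Addresses are the slides' own (193.209.237.24, the example.net AAAA,
# and the 3ffe:1900:4545::/48 prefix from the DNAME example).
import ipaddress


def reverse_name(addr):
    """Owner name of the PTR for `addr`: octets reversed under in-addr.arpa.
    for IPv4, hex nibbles reversed under ip6.arpa. for IPv6 (the 4-bit
    resolution mentioned on the slide)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")   # 32 hex digits, :: expanded
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(network):
    """Name of the reverse zone that holds PTRs for `network`, e.g.
    193.209.237.0/24 -> 237.209.193.in-addr.arpa. The prefix must fall
    on an octet (IPv4) or nibble (IPv6) boundary, as the slides assume;
    anything else needs a delegation scheme the slides do not cover."""
    net = ipaddress.ip_network(network, strict=True)
    unit = 8 if net.version == 4 else 4
    if net.prefixlen % unit:
        raise ValueError("prefix length must be a multiple of %d bits" % unit)
    labels = reverse_name(str(net.network_address)).split(".")
    host_labels = (net.max_prefixlen - net.prefixlen) // unit
    return ".".join(labels[host_labels:])   # drop the host-part labels
```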


DNSsec
• Aims:
  – Data origin authentication
  – Transaction and request authentication
  – Public key cryptography key storage
• Three separate problems solved with one work – complex result
• Results:
  – RFC2535, Domain Name System Security Extensions
  – Several related RFCs and Internet Drafts
• Could be used to hold other keys besides those needed for DNSsec
  – Should not be used as a PKI hierarchy
• International deployment is still on hold


Data origin authentication
• Zone data digitally signed by the private key of the zone
• A new SIG resource record for the signature
  – Several possible algorithms, currently only MD5/RSA defined
• Zone re-signed after each change – zone key can be off line
• A separate mechanism for an authoritative “name does not exist” capability
  – (a NXT record)


Transaction authentication
• Transactions authenticated with the SIG record attached to each transaction
• Transaction signature is calculated on the fly – the host private key needs to be on line
  – One of the reasons DNSsec is not in common use, think about the root servers


Public key storage
• A new KEY resource record
• Able to hold different types of keys
  – Algorithm identifier
  – Key parameters
• Cannot be used unless there is sufficient data origin authentication


Hostname Command
• Prints out the name of the machine
    $ hostname
    tapas.nixu.fi
• Sets the name of the machine
    $ hostname tapas.nixu.fi
• Standard tool in all Unixes


Nslookup
• Old standard tool to query name servers.
• Syntax: nslookup -opt host.na.me srv.na.me
• Example:
    $ nslookup -q=mx www.nixu.fi
    Server:  jalopeno.nixu.fi
    Address:  …

    www.nixu.fi     canonical name = jalopeno.nixu.fi
    nixu.fi nameserver = jalopeno.nixu.fi
    nixu.fi nameserver = ns.tele.fi
    nixu.fi nameserver = ns2.tele.fi
    jalopeno.nixu.fi    internet address = …
    ns.tele.fi          internet address = …
    ns.tele.fi          internet address = …
    ns2.tele.fi         internet address = …
  (the IP addresses did not survive extraction)


Dig
• Syntax: dig @name.ser.ver host.na.me rr
• Simpler to use than nslookup, much more output:
    $ dig @ns.tele.fi tapas.nixu.fi a
    ; DiG 2.1 @ns.tele.fi tapas.nixu.fi
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 3, Addit: 4
    ;; QUESTIONS:
    ;;      tapas.nixu.fi, type = A, class = IN
    ;; ANSWERS:
    tapas.nixu.fi.  86400   A       …
    ;; AUTHORITY RECORDS:
    nixu.fi.        86400   NS      jalopeno.nixu.fi.
    nixu.fi.        86400   NS      ns.tele.fi.
    nixu.fi.        86400   NS      ns2.tele.fi.
    ;; Total query time: 205 msec
    ;; FROM: tapas.nixu.fi to SERVER: ns.tele.fi
  (the IP addresses did not survive extraction)

Named-Xfer
• The tool BIND uses for zone transfers
• Good for testing zone transfers
    host% named-xfer -z zone.fi -f file -d level -l debug.file name.server
    host% echo $?
• The exit code (echo $?) tells how the zone transfer succeeded:
  – 0 – no transfer, data up to date
  – 1 – successful transfer
  – 2 – error not logged
  – 3 – error logged


The Usual Errors in syslog
• Lame server on 'www.xxxx.com' (in xxxx.com)[].53 server.na.me
  – This means somebody somewhere has created a lame delegation, so a name server which is supposed to know about a domain doesn’t.
  – Not dangerous unless the domain or name server is yours.
• Secondary zone "xxxx.com" expired
  – Your secondary hasn’t been able to contact the primary and the zone has expired.
• Zone "86.88.192.in-addr.arpa" SOA serial# (199803011) rcvd from [] is < ours (1998021271)
  – The SOA serial number in the primary host is LESS than ours.


The Most Common Errors in Data
• NS- and/or MX-records point to a CNAME record.
• Missing end-dot in a FQDN.
• SOA timers are not smart.
• CNAME-records have other data (MX’s etc).
• SOA name server and/or admin e-mail address point to an invalid address.
• Only syntax errors are reported via syslog. Most of these common errors are semantic.
• See RFC1912.
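An added check for the semantic errors on this list, which syslog does not report (example code, not from the slides): a small Python lint over a constructed zone in a simplified format (one record per line as owner, type, rdata; fully qualified names; a blank owner repeats the previous one; ';' starts a comment). The 192.0.2.1 address is a placeholder, and the timer thresholds are the RFC 1912 rules of thumb the slide refers to.

```python
# Added example: lint for the common semantic zone errors listed on the
# slide. Constructed input in a simplified zone format; 192.0.2.1 is a
# documentation address, not nixu.fi's.
SAMPLE_ZONE = """\
nixu.fi.          SOA   jalopeno.nixu.fi. hostmaster.nixu.fi. 2024010501 3600 7200 86400 86400
nixu.fi.          NS    jalopeno.nixu.fi.
nixu.fi.          NS    ns.tele.fi               ; forgotten end-dot
nixu.fi.          MX    10 mail.nixu.fi.         ; MX pointing at an alias
jalopeno.nixu.fi. A     192.0.2.1                ; constructed address
mail.nixu.fi.     CNAME jalopeno.nixu.fi.
                  MX    20 jalopeno.nixu.fi.     ; alias carrying other data
"""


def parse(text):
    """Return [(owner, type, [rdata...])]; a blank owner repeats the previous one."""
    rrs, owner = [], None
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()       # no quoted ';' in this format
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():
            owner, fields = fields[0], fields[1:]
        rrs.append((owner, fields[0], fields[1:]))
    return rrs


def lint(text):
    """Return human-readable problems found in the zone text (empty if clean)."""
    rrs = parse(text)
    zone = next(o for o, t, _ in rrs if t == "SOA")
    cnames = {o for o, t, _ in rrs if t == "CNAME"}
    ns_targets = {r[-1] for o, t, r in rrs if t == "NS" and o == zone}
    problems = []
    if len(ns_targets) < 2:
        problems.append(f"{zone}: fewer than two name servers")
    for owner, rtype, rdata in rrs:
        if rtype != "CNAME" and owner in cnames:
            problems.append(f"{owner} {rtype}: alias has other data")
        if rtype in ("NS", "MX", "CNAME"):
            target = rdata[-1]
            if not target.endswith("."):        # would be read relative to the zone
                problems.append(f"{owner} {rtype}: {target} lacks end-dot, "
                                f"will be read as {target}.{zone}")
            elif rtype != "CNAME" and target in cnames:
                problems.append(f"{owner} {rtype}: {target} is a CNAME")
        if rtype == "SOA":
            mname, rname = rdata[0], rdata[1]
            refresh, retry, expire, _minimum = map(int, rdata[3:7])
            if mname not in ns_targets:
                problems.append(f"SOA: primary {mname} is not listed as NS")
            if "@" in rname or not rname.endswith("."):
                problems.append(f"SOA: admin address {rname} is not a dotted name")
            if retry >= refresh:
                problems.append(f"SOA: retry {retry} should be shorter than refresh {refresh}")
            if expire <= refresh + retry:
                problems.append(f"SOA: expire {expire} is too short to survive an outage")
    return problems
```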

Troubleshooting Name Server
• Problem: Name server cannot find any external hosts.
  – Answer: Check the root cache. Without it a name server cannot function correctly.
• Problem: Root cache is OK. Still cannot find external hosts.
  – Answer: Check that UDP port 53 isn’t blocked in either direction by a router. The return packets must also be able to pass.
• Problem: Somebody is giving out old data.
  – Answer: Check the expire times in the zone SOA.


Troubleshooting Secondaries
• Problem: Secondary cannot get any data from the primary.
  – Answer: Check if TCP port 53 is blocked in a router. Normal name service queries use UDP port 53, but zone transfers use TCP.
• Problem: Secondary got data from the primary at first, but any new changes won’t be transferred.
  – Answer: Did the primary manager forget to increment the SOA serial number on the zone? Did she restart the named?
• Problem: Serial number is changed but the secondary still cannot load the data.
  – Answer: Check for any syntax errors in the data. Syntax errors can cause named-xfer to exit abnormally.