Module 06 - DNS (ITA3564) AY11


Network Administration
Module 6
Domain Name Service (DNS)
Overview

- DNS is a client/server distributed database system which provides
  - Host name to IP address mappings
  - IP address to host name mappings (reverse mapping)
  - Email routing (MX records)
  - A network service location mechanism (SRV records)
- Implemented as Berkeley Internet Name Domain (BIND) on Linux (the current release when these slides were written was BIND 9.8.x)
  http://www.isc.org/software/bind/documentation
- Uses port 53: UDP 53 for ordinary queries and responses, TCP 53 for zone transfers and for responses too large to fit in a UDP datagram
3 Types of DNS Servers

- Primary DNS Server / Master Server
- Secondary DNS Server / Slave Server
- Caching Server / Caching-Name Server
Primary DNS Server / Master Server

- The primary master name server (or master server) is where the primary DNS database files reside for the domain(s) or subdomain(s) for which that server is authoritative.
- The DNS data file is an ASCII snapshot of the DNS database that the server loads into memory while it runs. The database segment it describes is called a zone, so the file is also called the zone file or zone data file.
Secondary Server / Slave Server

- A secondary DNS server / secondary master / slave server gets its zone data from the master server.
- In most DNS implementations, a secondary can read its data from a local file, but it always checks whether its on-disk version is as current as the version on the primary server. It does so by reading the serial field of the master's SOA record and comparing it with the serial in its own copy. Where the master's serial is newer, the secondary updates its database from the primary domain name server by a zone transfer.
- Secondary DNS servers are important because they provide a backup copy of the domain database for a specific zone, so the zone stays resolvable while the master is down.
Caching / Caching-Name Server

- A caching server stores recently obtained DNS records from other domains to avoid incurring the performance overhead of making a remote query each time a resource outside the local domain is accessed.
Note:
The caching-nameserver package in CentOS automatically sets up a caching instance of BIND for immediate use (you need not rely on your ISP's name service).
How Domain Name Servers Work

- When a TCP/IP client uses a resolver to send a name query to a DNS server, the client obtains the address of the DNS server it queries from its TCP/IP configuration data.
- Servers are queried in the order in which they appear in the resolver configuration file (/etc/resolv.conf); /etc/named.conf configures the named server itself, not the resolver.
- DNS servers retrieve name data from the general domain namespace.
- If a given DNS server is authoritative, it provides data about those zones for which it is authoritative.
How Domain Name Servers Work

- When queried, a DNS server will also search its cached domain name data and answer queries for zones for which it is not authoritative from that cache. Such answers are marked non-authoritative; an authoritative answer for a zone can come only from that zone's authoritative servers, and a client that needs one must query them directly.
How Domain Name Servers Work (Cont …)

- When a local server does not have the information available in its database or its name cache, it may turn to a caching-only server or to other known name servers in the "neighborhood" (forwarders).
- If none of these searches produces a result, the name server sends a request for name resolution to a root server, which refers it towards the authoritative server for the database segment in question.
- The root server does not locate the authoritative server itself: it answers with a referral to the name servers of the top-level domain, and the querying server follows NS pointers down the tree (root, TLD, domain) until it reaches the right authoritative server.
The Namespace

- The DNS namespace is a hierarchical tree of domains
  - Similar in concept to the Linux filesystem
  - Each node in the tree is managed by some name server
- The top of the domain tree (the root) is called . (dot)
- Two branches under the root
  - Forward branch
    - Provides host name to IP address mappings
  - Reverse branch (in-addr.arpa)
    - Provides IP address to host name mappings
- Beneath the root are Top Level Domains (TLDs)
  - e.g. .com, .net, .us, .hk
  - Country Code Top Level Domains (ccTLD): .hk, .us, .tv, .ru, …
  - Generic top-level domains (gTLD): .asia, .com, .biz, .edu, .gov, .info, .net, .org, .mil, …
The Namespace (diagram)
The Namespace (Cont)

- Domain
  - A node immediately beneath a TLD
  - The term "domain" typically includes the TLD, e.g. the domain is example.com
  - Managed and distributed by the TLD's authorized registrars
  - The domain owner controls the sub-tree of the namespace below itself; others cannot use that namespace
- Sub-domain
  - An n-level sub-tree beneath a domain
  - The nodes above the host, but below the domain
- Host
  - A system on the Internet (a leaf of the tree)
The Namespace (Cont)

- Fully Qualified Domain Name (FQDN)
  - Similar to a full, rooted path in Linux
  - Uniquely specifies a single host on the Internet
  - Through name servers, this host can be found using its FQDN
  - Hostname, sub-domain and domain joined by dots, written from most to least specific
  - General form: hostname.subdomain.domain.
  - e.g. ftp.example.com. (including the trailing dot, which denotes the root)
Creating Domains and Subdomains

- Several domain name registrars have been authorized by the Internet Corporation for Assigned Names and Numbers (ICANN).
- To obtain a domain, apply to a registrar for authority to create a domain under one of the top-level domains.
- Once the authority to create a domain is granted, additional domains (sub-domains) can be created by the domain owner without involving the registrar.
Linux - BIND (Berkeley Internet Name Domain)

- Resolver (client of the DNS server)
  - Queries a DNS server for information
  - Standard C library software linked with networking applications
  - Usage controlled via the name service switch, /etc/nsswitch.conf
- Name server daemon – named
  - Responds to queries from the resolver
  - Loads DNS configuration files into memory
- Linux commands (for verification of DNS operation)
  - host
  - nslookup
  - dig
- You should install the following components
  1. bind
  2. bind-utils
  3. bind-libs
How BIND works

- Zone
  - A sub-tree in the domain tree namespace authoritatively managed and controlled by a single set of name servers
  - Further sub-dividing a zone is called delegation
  - A zone is delegated when
    - Another name server is granted authoritative control over the child zone
    - Its parent's servers are updated with NS records pointing at the new name server
How BIND works (Cont)

- Authoritative Name Servers
  - Each zone has one or more authoritative name servers
  - They respond to queries about the zone's members, or
  - They give a referral to the name servers that control a child zone
The DNS Database

- The DNS database is a large set of distributed zone files
- Every zone is defined by its set of zone files
- Zone files contain:
  - Host name/IP information about the hosts in the zone
  - Pointers (NS records) to name servers for delegated zones
  - Mail forwarding (MX) information
- A name server is only authoritative for its own zones
  - It is the information in the zone files that a name server shares
BIND Query Algorithm

- BIND resolves names by walking the domain tree
  - The FQDN determines the name servers to be queried: its labels, read from the right, implicitly specify the ordered list of zones (and thus name servers) to be consulted
  - Hence BIND works internally with FQDNs only
- BIND starts a query at the root zone's name servers
  - It then travels down the domain tree one zone at a time
  - It queries each encountered zone's name servers until an answer (or an error) is given
- Every zone knows about its children
  - A name server may respond with a referral to another name server instead of an answer
Server Operation Modes

- Non-recursive (server-to-server)
  - Will not take responsibility for resolving queries
  - A non-recursive server only answers a query if
    - It is authoritative for the zone being queried, or
    - It already has an answer in its cache
  - Otherwise, it returns a referral to a name server one level down, or an error if no response is possible
- Recursive (client-to-server)
  - Will resolve queries by following referrals to other name servers
  - A recursive name server must return an answer to a query, or an error if no response is possible
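The walk down the tree described in the query-algorithm and operation-mode slides above, as an added example that is not part of the original slides: a small Python model in which three constructed servers hold the root, com. and example.com. zones. non_recursive_query() behaves like the non-recursive mode (it answers from its own zone, returns a referral one level down, or returns an error, and never chases the name itself), and recursive_resolve() behaves like the recursive mode, starting from a root hint and following NS referrals until it gets an answer or an error. All names, addresses and records are made up for the illustration.

```python
ROOT_HINT = "198.41.0.4"   # constructed root server address (the real list lives in named.ca)

# Authoritative data per server, keyed by the server's address:
#   owner name -> {RR type: [rdata, ...]}   (all constructed)
AUTH_ZONE = {"198.41.0.4": ".", "192.5.6.30": "com.", "172.18.39.1": "example.com."}
AUTH_DATA = {
    "198.41.0.4": {                               # root: delegates com.
        "com.": {"NS": ["a.gtld-servers.net."]},
        "a.gtld-servers.net.": {"A": ["192.5.6.30"]},      # glue
    },
    "192.5.6.30": {                               # com.: delegates example.com.
        "example.com.": {"NS": ["ns1.example.com."]},
        "ns1.example.com.": {"A": ["172.18.39.1"]},        # glue
    },
    "172.18.39.1": {                              # ns1.example.com.: the zone itself
        "example.com.": {"NS": ["ns1.example.com."],
                         "SOA": ["ns1.example.com. admin.example.com. 2009042701"]},
        "ns1.example.com.": {"A": ["172.18.39.1"]},
        "www.example.com.": {"A": ["172.18.39.4"]},
    },
}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def non_recursive_query(server, qname, qtype):
    """Non-recursive mode: answer from our own zone, refer one level down, or fail."""
    data, zone = AUTH_DATA[server], AUTH_ZONE[server]
    if not in_zone(qname, zone):
        return "REFUSED", None                    # not our zone, and we do not recurse
    labels = qname.rstrip(".").split(".")        # delegation below our apex? -> referral
    for i in range(len(labels)):
        cut = ".".join(labels[i:]) + "."
        if cut != zone and "NS" in data.get(cut, {}):
            ns = data[cut]["NS"][0]
            glue = data.get(ns, {}).get("A", [None])[0]
            return "REFERRAL", (cut, ns, glue)
    rrset = data.get(qname, {}).get(qtype)
    if rrset:
        return "ANSWER", rrset
    return "NXDOMAIN", None

def recursive_resolve(qname, qtype, max_steps=10):
    """Recursive mode: start at a root hint and follow referrals to an answer."""
    server, trail = ROOT_HINT, []
    for _ in range(max_steps):
        status, payload = non_recursive_query(server, qname, qtype)
        trail.append((server, status))
        if status == "ANSWER":
            return payload, trail
        if status != "REFERRAL":
            return None, trail                    # NXDOMAIN/REFUSED: report the error
        zone, ns, glue = payload
        if glue is None:                          # a real resolver would now resolve `ns`
            raise RuntimeError("referral to %s without glue" % ns)
        server = glue
    raise RuntimeError("too many referrals resolving " + qname)
```

Resolving www.example.com. produces the trail root (referral to com.), com. server (referral to example.com.), ns1.example.com. (answer); asking ns1.example.com. about a name outside its zone gets REFUSED, which is exactly why the servers listed in /etc/resolv.conf must be recursive ones.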
DNS Query (diagram)
DNS System Configurations

- Resolver-only (client only)
  - Uses other DNS servers; configured through /etc/resolv.conf
- Master server
  - The authoritative single source of control for a domain's zone files
- Slave server
  - Authoritative server adding redundancy to the master server
- Caching-only
  - Caches query results only; does not control any domain
Resolver-only (Client only)

- Very simple configuration
- The named name server daemon is not run on the system
- The resolver uses a remote DNS server
- Only requires the resolver configuration file /etc/resolv.conf
  - Tells the resolver which servers to use to resolve queries
  - Helps the resolver handle non-FQDNs
  - May be created automatically when using DHCP
Resolver-Only Configuration

- /etc/resolv.conf
  - domain
    - Domain name to append to non-FQDNs
    - Use either domain or search (not both); if both appear, the last one read wins
  - search
    - List of domains to append to non-FQDNs
    - Maximum of 8 domains
  - nameserver <DNS-server-IP-addr>
    - Maximum of 3 name servers can be specified
    - Name servers are queried in the order listed
    - Servers listed must be recursive servers
Resolver-Only Configuration

- Testing your configuration
  - Create the /etc/resolv.conf file
    - Specify the default domain(s) to use with either domain or search
    - Specify up to three nameserver lines to use for queries
  - Configure /etc/nsswitch.conf to use DNS
    - Include the dns keyword on the hosts line
  - Ensure the network is properly configured
  - Use the nslookup, host and dig commands to query DNS
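Added example (not from the slides) of what the resolver does with the settings described on the two resolver-only slides: it parses a constructed /etc/resolv.conf, applies the limits the slides give (three nameservers, eight search domains, domain and search mutually exclusive with the last one winning) and computes the list of names a non-FQDN is expanded into. The ndots threshold of 1 is the glibc default; the file contents and addresses are constructed.

```python
# Constructed resolver configuration, not a real host's file.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host's file
domain example.com
search example.com corp.example.com
nameserver 172.18.39.1
nameserver 172.18.39.2
nameserver 192.168.1.53
# a fourth nameserver line is silently ignored (maximum of 3)
nameserver 10.0.0.53
options ndots:1 timeout:2
"""

MAX_NAMESERVERS = 3        # limits as stated on the slides
MAX_SEARCH_DOMAINS = 8

def parse_resolv_conf(text):
    """Return {'nameservers': [...], 'search': [...], 'ndots': int}."""
    cfg = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # comment lines
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            if len(cfg["nameservers"]) < MAX_NAMESERVERS:
                cfg["nameservers"].append(args[0])
        elif key in ("domain", "search"):
            # mutually exclusive: whichever is read last replaces the other
            cfg["search"] = args[:MAX_SEARCH_DOMAINS]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    cfg["ndots"] = int(opt.split(":", 1)[1])
    return cfg

def candidate_names(qname, cfg):
    """Names the resolver will try, in order, for a user-supplied name."""
    if qname.endswith("."):
        return [qname]                              # already an FQDN: no search
    absolute = qname + "."
    searched = [qname + "." + d.rstrip(".") + "." for d in cfg["search"]]
    if qname.count(".") >= cfg["ndots"]:
        return [absolute] + searched                # enough dots: try as-is first
    return searched + [absolute]                    # otherwise search list first
```

Because an unqualified name is tried against every search domain before it is tried as an absolute name, a mistyped host such as wwww is sent to the listed servers as wwww.example.com. and wwww.corp.example.com.; the search list therefore leaks internal naming to whichever resolver is listed, and a search domain you do not control lets somebody else answer those queries.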
Master Server

- Answers queries authoritatively
- Exactly one master name server per zone
- The master server owns the domain's zone files
  - The domain's zone files reside on and are maintained on this server
  - Zone files are the definitive information about the zone
- Required configuration files, created by the domain administrator
  - /etc/named.conf
  - Hint file (named.ca), stored under /var/named/
  - Zone file(s)
  - Loopback zone file
DNS Configuration Files

- /etc/named.conf
  - named's configuration file
  - Specifies the type of server (master, slave, hint) for each zone
  - Names the zone's zone files
  - Sets global and zone-specific options for named
- Zone files
  - A set of files that creates the database that defines a zone
  - Typically one forward file and one reverse file
- Hints file
  - Specifies the names and addresses of the root servers
Slave Server

- Authoritative
  - Has the same information as the master server
- There should be at least one slave name server per zone
- Required configuration files
  - /etc/named.conf
  - Hint file
  - Loopback zone file
- Zone file(s) are downloaded from the master server
  - Called a zone transfer (AXFR for a full copy, IXFR for incremental changes)
  - The master should list only its slaves in allow-transfer, so that outsiders cannot pull a complete copy of the zone
Caching-only System

- Simple configuration (optionally using forwarders)
- Most common configuration type
- Non-authoritative
  - Information is second-hand: every answer was obtained from some other server and is kept only until its TTL expires
- Caches responses to resolver queries
  - May resolve its own queries via named or forward them to other DNS servers
- Required configuration files
  - /etc/named.conf
  - Hint file
  - Loopback zone file
- Restrict who may use it (allow-query / allow-recursion in named.conf): a caching server open to the whole Internet can be abused for reflection attacks and cache poisoning attempts
Zone File Format

- Zone files are simple ASCII text files
- They contain a list of resource records (RRs)
- The set of RRs together defines a zone
- The zone file parser provides:
  - Many default values for unspecified fields in RRs
  - Convenient macro commands ($TTL, $ORIGIN) for specifying RRs
    - These are not part of the zone database
    - They are expanded by the BIND syntax parser when the file is read
Resource Record Format

- Syntax: <name> <ttl> <class> <type> <data>
  - name  – Name of the entity
  - ttl   – Time to live
  - class – Typically IN, meaning Internet
  - type  – Type of RR
  - data  – Type-specific data
- Special characters
  - @   – Current domain name (the origin)
  - ;   – Comment (to end of line)
  - ( ) – Grouping, for a multi-line record
  - *   – Wildcard (name field)
Resource Record Fields

- The name field
  - Specifies the name of this RR entity
  - Usually a host or domain name
  - Must start in the first column of the file; a line starting with whitespace reuses the previous record's name
  - Can be a relative name or an FQDN
  - BIND internally uses only FQDNs
    - BIND completes a relative name by appending the current domain and a final dot
    - The current domain is either
      - the zone's domain (from named.conf)
      - the domain specified by the most recent $ORIGIN
Resource Record Fields (Cont)

- The TTL field
  - Number of seconds the record is valid in a cache
  - Defaults to either
    - The value of the $TTL parser macro at the top of the zone file
    - The value set in the SOA RR (older BIND versions, before $TTL existed)
- The class field
  - Value is one of: IN, CH or HS
  - IN (Internet) is the most common [default]
  - CH (ChaosNet), mostly obsolete
  - HS – Hesiod
Resource Record Fields (Cont)

- The type field
  - Specifies the type of RR
    - SOA, NS         – Zone-defining and linking RRs
    - A, PTR, MX      – Basic RRs
    - CNAME, SRV, WKS – Optional RRs
    - LOC, RP, TXT    – Informational only
    - KEY, NXT, SIG   – Security-related RRs (the original DNSSEC types; current DNSSEC uses DNSKEY, NSEC/NSEC3 and RRSIG instead)
- The data field
  - The data specific to each type of RR
Resource Record Types

- Type: SOA
  - Start of Authority
  - This record defines a zone
  - Each zone has exactly one SOA record
  - Specifies
    - The master name server for the zone
    - The zone administrator's email address
    - Slave server update information (serial, refresh, retry, expire)
  - Typically the first RR in the zone file
  - There should be an SOA for both the forward and the reverse zone
Resource Record Types (Cont)

@   IN   SOA   ns1.example.com. admin.example.com. (
                   2001041802   ; serial
                   3600         ; refresh
                   900          ; retry
                   1209600      ; expire
                   43200 )      ; minimum (negative-caching TTL)

admin.example.com. is the system administrator's email address, admin@example.com, with the @ written as a dot. The last field was once the default TTL for the zone; since RFC 2308 it is the negative-caching TTL for "no such name" answers, and the default TTL comes from $TTL.
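Added example (not from the slides) of how a secondary server uses these SOA fields, covering both the Secondary Server slide and the record above: serial_is_newer() compares serials the way DNS requires (RFC 1982 sequence-space arithmetic, so a serial that wraps past 2^32 - 1 still counts as newer), and slave_action() applies refresh, retry and expire to decide whether the slave waits, transfers the zone, retries later or expires its copy. The timers are those of the SOA record above; the times passed in are seconds and are constructed.

```python
SERIAL_SPACE = 2 ** 32

def serial_is_newer(candidate, current):
    """RFC 1982 comparison: is `candidate` later than `current` in serial space?"""
    diff = (candidate - current) % SERIAL_SPACE
    return 0 < diff < SERIAL_SPACE // 2

def parse_soa(rdata):
    """Split 'mname rname serial refresh retry expire minimum' into a dict."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}

def slave_action(soa, now, last_ok, last_attempt, master_serial):
    """What a slave does at time `now` (all times in seconds).

    last_ok       - when the slave last confirmed its copy against the master
    last_attempt  - when it last tried to (equals last_ok if that try succeeded)
    master_serial - serial the master advertises now, or None if unreachable
    """
    if now - last_ok >= soa["expire"]:
        return "expire"          # copy too old: stop serving it at all
    interval = soa["refresh"] if last_attempt == last_ok else soa["retry"]
    if now - last_attempt < interval:
        return "wait"            # not yet time to ask again
    if master_serial is None:
        return "retry-later"     # master down: ask again after `retry` seconds
    if serial_is_newer(master_serial, soa["serial"]):
        return "transfer"        # master has a newer zone: do an AXFR/IXFR
    return "up-to-date"          # same serial: just reset the refresh clock
```

Two consequences worth remembering: a serial that is accidentally set lower than the current one (for example after a date-based serial typo) is not "older" if it is more than 2^31 behind, and a master that stays unreachable for longer than expire (two weeks in the record above) makes every slave stop answering for the zone.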
Resource Record Types (Cont)

- Type: NS
  - Name server record
  - Identifies the authoritative servers for the zone, i.e. the master and all slaves
  - Delegates sub-domains to other organizations
  - Used by named to identify the slaves to notify of zone changes
  - Typically comes immediately after the SOA record

@   IN   NS   ns1.example.com.
@   IN   NS   ns2.example.com.
Resource Record Types (Cont)

- Type: A
  - Address record
  - Provides host name to IP address mapping
  - Similar to /etc/hosts
  - Must have one per interface
  - OK to use a single host name for all interfaces or a unique host name for each interface

ftp   IN   A   203.186.89.173
Resource Record Types (Cont)

- Type: PTR
  - Pointer record
  - Provides IP address to host name mapping (reverse zone only)
  - Must have one per interface
  - OK to use a single host name for all interfaces or a unique host name for each interface

173   IN   PTR   www.example.com.

(the owner 173 is relative to the reverse zone's origin, here 89.186.203.in-addr.arpa. for the address 203.186.89.173 above)
Resource Record Types (Cont)

- Type: MX
  - Mail exchanger record
  - Helps route mail efficiently via central hub(s)
  - Looked up and used by mailers
  - Assists in mail delivery when hosts are down (mailers fall back to the next preference)
  - Can be used by hosts not directly connected to the Internet
  - Every host that should receive mail needs an MX record

@   IN   MX   5    mail1.example.com.
@   IN   MX   10   mail2.example.com.

The number is the preference (priority): mailers try the lowest value first.
Resource Record Types (Cont)

- Type: CNAME
  - Canonical Name record
  - A host's real name is called its canonical name
  - Assigns a nickname to a host – an alias
  - Allows functional names (i.e. www.domain, ftp.domain, etc.)
  - CNAMEs can nest up to 8 deep
    - A CNAME can point to another CNAME
  - Other records must use the real name, not a CNAME: NS and MX targets must not be aliases, and an alias name may carry no other records (so there can be no CNAME at the zone apex next to the SOA)

www   IN   CNAME   ns1.example.com.
Resource Record Types (Cont)

- Type: SRV
  - Service record
  - Specifies the location of services in a domain
  - Allows a query of the domain to find a host supporting some service
    - e.g. ftp, www, finger, etc.
  - The owner name is _service._protocol.domain (RFC 2782); the data is priority, weight, port and target host

_ftp._tcp   IN   SRV   0   0   21   ftp.example.com.
_ssh._tcp   IN   SRV   0   1   22   ssh.example.com.
Summary of DNS Database Record Types (RFC 1035; SRV from RFC 2782)

Record type                 Symbol   Description
Address record              A        An address (A) record stores domain name-to-IP address translation data.
Canonical name record       CNAME    A canonical name (CNAME) record is used to create aliases.
Host information record     HINFO    A host information (HINFO) record stores descriptive information (CPU, OS) about a specific Internet host.
Mail exchange record        MX       A mail exchange (MX) record is used to route SMTP-based email on the Internet; it names the host(s) that accept mail for a domain, each with a preference value.
Name server record          NS       A name server (NS) record identifies the authoritative DNS servers for a zone and delegates child zones.
Pointer record              PTR      A pointer (PTR) record stores IP address-to-domain name translation data and supports the operation known as a reverse DNS lookup.
Start of Authority record   SOA      A Start of Authority (SOA) record identifies the name server that is authoritative for a specific DNS database segment; in other words, it identifies the master DNS server for a specific domain or subdomain.
Text record                 TXT      A text (TXT) record may be used to add arbitrary text information to a DNS database, usually for documentation.
Service record              SRV      SRV (service) records are a generalization and expansion of features provided by MX records. Where MX records work only for mail delivery and provide failover via the preference value, SRV records add support for load balancing (via the weight value) and port selection (via the port value).
Well-known services record  WKS      A well-known services (WKS) record lists the IP-based services, such as Telnet, FTP and HTTP, that an Internet host can supply; it is obsolete in practice.
Reverse Maps

- Reverse branch of the domain tree
  - Maps IP addresses to host names
  - The reverse branch resides in the domain in-addr.arpa.
  - Allows IP addresses to fit into the domain tree
  - Organized with the network part of the address towards the root: the octets are written in reverse order, e.g. 172.18.39.3 becomes 3.39.18.172.in-addr.arpa.
  - Zones are separated on IP address octet boundaries
    - Each label of the zone name is one octet
  - Kept in a separate zone file
    - Must contain an SOA, NS and the PTR RRs
Additional Zone Files

- Zone file for localhost
  - Allows the local name server to be authoritative for
    - localhost
    - localhost.<domain>
    - localhost.
    - 0.0.127.in-addr.arpa. (the reverse zone for 127.0.0.x)
  - Avoids queries to a root server for obviously local names
Considerations when using DNS

- Programs may require valid FQDNs
  - NFS, /etc/exports, the infamous sendmail hang!
- DNS, /etc/hosts and NIS/NIS+
  - The /etc/nsswitch.conf file indicates the order of usage
- Boot-time name resolution deadlock
  - Is DNS required during boot, before named is running?
- Server considerations
  - BIND consumes a fair amount of memory
  - BIND's advanced features are CPU-intensive
  - Run named continuously – not via inetd/xinetd
Master - Sample /etc/named.conf

options {
    directory "/var/named";
    // Who may query this server and who may use it recursively.
    // (The original slide had "query-source port 53 { ... };" here. query-source
    // takes a single address/port, not an address list, and pinning the source
    // port to 53 disables the source-port randomization that protects the cache
    // against poisoning, so it is left out.)
    allow-query     { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    // Only the local host may pull a full copy of our zones; add slave addresses here.
    allow-transfer  { localhost; };
    recursion yes;
};

// Hint zone: named.ca holds the names and IP addresses of the 13 root servers.
zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

/* Forward Zone */
zone "example.com" IN {
    type master;
    file "named.example.zone";
    allow-update { none; };
};

/* Reverse Zone for 172.18.39.0/24 */
zone "39.18.172.in-addr.arpa" IN {
    type master;
    file "named.172.18.39.zone";
    allow-update { none; };
};

include "/etc/rndc.key";
Sample – Forward zone file (named.example.zone)

$TTL 86400
@       IN  SOA   ns1.example.com. admin.example.com. (
                      2009042701   ; Serial
                      28800        ; Refresh
                      14400        ; Retry
                      3600000      ; Expire
                      86400 )      ; Minimum (negative-caching TTL)

; Name servers (blank owner field: the name @ from the previous record is reused)
        IN  NS    ns1.example.com.
        IN  NS    ns2.example.com.

; Mail servers for the domain (lower preference value is tried first)
        IN  MX    10 mail.example.com.
        IN  MX    20 mail2.example.com.

; Public servers (addresses in 172.18.39.0/24, matching the reverse zone in named.conf)
ns1     IN  A     172.18.39.1
ns2     IN  A     172.18.39.2
mail    IN  A     172.18.39.3
www     IN  A     172.18.39.4
mail2   IN  A     172.18.39.4    ; an MX target must be an A record, not a CNAME
ftp     IN  CNAME mail.example.com.
Master Sample – Reverse zone file (named.172.18.39.zone)

$TTL 86400
@       IN  SOA   ns1.example.com. admin.example.com. (
                      2006042701   ; Serial (the reverse zone has its own serial; bump it on every change)
                      28800        ; Refresh
                      14400        ; Retry
                      3600000      ; Expire
                      86400 )      ; Minimum

        IN  NS    ns1.example.com.
        IN  NS    ns2.example.com.

; Owner names are relative to the origin 39.18.172.in-addr.arpa.; each PTR names the
; canonical host (the A record owner), never an alias such as ftp
1       IN  PTR   ns1.example.com.
2       IN  PTR   ns2.example.com.
3       IN  PTR   mail.example.com.
4       IN  PTR   www.example.com.
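Added example (not from the slides) that pulls the zone-file slides together: a parser for the syntax described under Zone File Format and Resource Record Fields ($TTL, $ORIGIN, @, blank owner names, relative names, ( ) multi-line records, ; comments), followed by the checks a practitioner runs before loading a zone: exactly one SOA, no CNAME at a name that carries other records (which also rules out a CNAME at the apex), no NS or MX pointing at a CNAME, and every A record matched by a PTR in the reverse zone and vice versa. The two zones are constructed copies of the sample zones above, except that mail2 is deliberately made a CNAME again so the check has something to report. Quoted strings (TXT rdata) are not handled.

```python
# Constructed copies of the sample zones above; mail2 is made a CNAME on purpose.
FORWARD_ZONE = """\
$TTL 86400
@   IN SOA ns1.example.com. admin.example.com. (
        2009042701 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
    IN NS  ns1
    IN NS  ns2.example.com.
    IN MX  10 mail
    IN MX  20 mail2      ; deliberate error: mail2 is a CNAME below
ns1   IN A     172.18.39.1
ns2   IN A     172.18.39.2
mail  IN A     172.18.39.3
www   IN A     172.18.39.4
ftp   IN CNAME mail
mail2 IN CNAME www
"""
REVERSE_ZONE = """\
$TTL 86400
$ORIGIN 39.18.172.in-addr.arpa.
@ IN SOA ns1.example.com. admin.example.com. ( 2009042701 28800 14400 3600000 86400 )
  IN NS  ns1.example.com.
1 IN PTR ns1.example.com.
2 IN PTR ns2.example.com.
3 IN PTR mail.example.com.
4 IN PTR www.example.com.
"""
CLASSES = {"IN", "CH", "HS"}
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}   # index of the name inside rdata

def qualify(name, origin):
    """Complete a relative name (or @) to an FQDN, as the BIND parser does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Return (default_ttl, [(owner, ttl, type, [rdata, ...]), ...])."""
    default_ttl, records, owner, buf, depth = None, [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                     # ';' starts a comment
        if depth == 0:
            if not line.strip():
                continue
            buf, blank_owner = [], line[0].isspace()    # blank owner reuses the previous one
        tokens = line.replace("(", " ( ").replace(")", " ) ").split()
        depth += tokens.count("(") - tokens.count(")")  # "( )" continues the record
        buf += [t for t in tokens if t not in ("(", ")")]
        if depth > 0:
            continue
        if buf[0] == "$ORIGIN":
            origin = qualify(buf[1], origin)
            continue
        if buf[0] == "$TTL":
            default_ttl = int(buf[1])
            continue
        if not blank_owner:
            owner = qualify(buf.pop(0), origin)
        ttl = default_ttl
        while buf[0].isdigit() or buf[0] in CLASSES:    # optional TTL and class, any order
            tok = buf.pop(0)
            ttl = int(tok) if tok.isdigit() else ttl
        rtype, rdata = buf[0], buf[1:]
        if rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = qualify(rdata[NAME_FIELD[rtype]], origin)
        elif rtype == "SOA":
            rdata[0], rdata[1] = qualify(rdata[0], origin), qualify(rdata[1], origin)
        records.append((owner, ttl, rtype, rdata))
    return default_ttl, records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."   # 172.18.39.3 -> 3.39.18.172.in-addr.arpa.

def check_zones(forward, reverse):
    """Problems a practitioner checks for before loading a forward/reverse pair."""
    problems, by_owner = [], {}
    for owner, _, rtype, rdata in forward:
        by_owner.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    if sum(1 for r in forward if r[2] == "SOA") != 1:
        problems.append("expected exactly one SOA")
    for owner, types in by_owner.items():
        if "CNAME" in types and len(types) > 1:          # also catches a CNAME at the apex
            problems.append(f"{owner} has a CNAME plus other records")
        for rtype in ("NS", "MX"):
            for rdata in types.get(rtype, []):
                target = rdata[NAME_FIELD[rtype]]
                if "CNAME" in by_owner.get(target, {}):
                    problems.append(f"{rtype} at {owner} points at CNAME {target}")
    ptrs = {o: r[0] for o, _, t, r in reverse if t == "PTR"}
    addrs = {(o, r[0]) for o, _, t, r in forward if t == "A"}
    for owner, ip in sorted(addrs):
        if ptrs.get(reverse_name(ip)) != owner:
            problems.append(f"no PTR {reverse_name(ip)} -> {owner}")
    for rname, target in ptrs.items():
        ip = ".".join(reversed(rname[:-len(".in-addr.arpa.")].split(".")))
        if (target, ip) not in addrs:
            problems.append(f"PTR {rname} -> {target} has no matching A {ip}")
    return problems
```

Running check_zones() over the two constructed zones reports only the MX that points at the alias mail2.example.com.; with that MX target changed to an A record the zones pass, which is what named-checkzone and a reverse-lookup test (dig -x) would confirm on a real server.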