Domain Name Server. Training Division National Informatics Centre New Delhi

Transcription

1 Domain Name Server Training Division National Informatics Centre New Delhi

2 Domain Name Service (DNS) I. History of DNS II. DNS structure and its components III. Functioning of DNS IV. Possible Configurations in DNS V. DNS Server configuration Files in LINUX VI. DNS Client Configurations in LINUX VII. DNS Tools VIII. Common Errors IX. DNS Debugging Tools X. DNS Operation Guidelines XI. Resolution of DNS query XII. Replication of DNS Information among Name Servers XIII.DNS Security

3 I.History of DNS Resources on the Internet was originally supported by HOSTS file. Names and the corresponding IP addresses were entered by the network administrators into this file. HOSTS file was maintained by the Network Information Centre (NIC) and contained the Host name to address mappings.

4 Updating the HOSTS file became difficult with the explosive growth of Internet. The file grew bigger and could not be partitioned as it used a flat namespace. The task became management intensive as networks grew. This called for a more sophistciated and well defined naming service structure that was hierarchically structured.

5 Thus DNS was introduced in the year 1984 for translating the resource names into IP addresses. The host names reside in a database and can be distributed among multiple servers. The hierarchical namespace also provided rules for dividing the namespace into subsets of names. Information about the host names and IP addresses could be partitioned and distributed.

6 II. DNS Structure and its components a. DNS domain namespace Structured hierarchy of domains to organize names. b. Resource records Maps DNS domain names to a specific type of resource information when the name is registered or resolved in the namespace. c. DNS Zones Zone is a range of responsibility within the domain name space that spans a subtree or a portion of a sub-tree d. DNS Name servers Stores and answer name queries for resource records. e. DNS clients or resolvers Query servers to look up and resolve names to a type of resource record specified in the query.

7 a. DNS Domain Namespace Domain name space is a hierarchical tree structure containing the names in a DNS database. The database consists of Hosts name and Domain name. A Domain Can be considered as a subtree of the domain name space. Domain names are of a specific pattern that is concatenation of node names eg.training.nic.in.

8 The Internet can be thought of as a single DNS namespace. The root or the top-most level of the Internet domain namespace is managed by the Internet name registration authority. The root has no name but is represented by a period or. Below the root DNS domain are the top level domains. The Top level domains are child of the root.

9 Three Types of Top Level Domains Organisational Are represented by a 3-character code that gives a clear indication of the primary activity of the domain.they are mainly for organisations within the United States. Geographical Are represented by a 2-character code that represents the country,region code.these codes are established by the International Standards organisation (ISO). Reverse Domains This is named as in-addr.arpa which is used for IP addressto-name mappings.

10 Name Domain levels Child of Domain Top-level domain Root in First-Level Domain Second-Level Domain Third-level Domain Top-level domain First-level domain Second-level domain nic.in delhi.nic.in gamma.delhi.nic.in

11 .com.arpa.in.gov.edu nic mah asm kar Domain Name System (Inverted Tree Structure)

12 Top-level domain Domain levels Description Domain name example.com Commercial organisation yahoo.com.edu Education institutions buffalo.edu.gov Government organisations nasa.gov

13 Zone in com org Zone nic training.nic.in domain nic.in domain Zone training Fig 1:Zones within the Domain Namespace

14 Zone in com org nic.in domain Zone nic asm Zone training.nic.in domain Zone training Fig 2:

15 DNS in the in-addr.arpa domain mapping numbers to Names - reverse DNS ROOT DNS net edu com arpa in in-addr apnic Whois in-addr.arpa

16 Why reverse DNS Service denial That only allow access when fully reverse delegated Ex: Anonymous ftp Diagnostics Assisting in trace routes etc

17 c. DNS Zones DNS database is comprised of multiple zones. Zones allowed the management of the domain space to be delegated.

18 Different types of queries from the DNS client to DNS Server A query for resolution of domain name into an IP address. A query for the resolution of an IP address into a domain name (Reverse DNS).

19 Creating Forward Lookup Query Forward Lookup IP IP address for for trglab.nic.in IP IP address = DNS Server

20 Creating Reverse Lookup Query Reverse Lookup Name for for ? Name = trglab.nic.in DNS Server

21 Different types of Zones and Zone files There are two types of Zones A query uses forward zone when resolution starts with a domain name and result in an IP address. A query uses reverse zone when the resolution starts with an IP address and results in a domain name.

22 d.dns Name Servers DNS zone database is stored in and accessed through a name server. Name servers can store data for one zone or multiple zones. A name server is said to have authority for the domain namespace that the zone encompasses. There must be at least one name server for a zone

23 b.resource Records DNS database consists of Resource Records(RR). Each resource record is a member of a class.(internet Class is the most popular) The Class is further broken down into Types. The type corresponds to the type of data stored in the record. eg: server1.com IN A 124.x.y.z (IN stands for INTERNET and A stands for address information.)

24 RECORD TYPE DESCRIPTION USAGE A An address record Maps FQDN into an IP address PTR A pointer record Maps an IP address into FQDN NS A name server record Denotes a name server for a zone SOA A Start of Authority record Specifies many attributes concerning the zone, such as the name of the domain (forward or inverse), administrative contact, the serial number of the zone, refresh interval, retry interval, etc. CNAME A canonical name record Defines an alias name and maps it to the absolute (canonical) name MX A Mail Exchanger record Used to redirect for a given domain or host to another host

25 III.Functioning of DNS DNS uses a client/server architecture. Domain name clients are called name resolvers. DNS client requests information from a DNS Server s database. The request include type of information and a key(either a domain name or IP address).

26 IV.Possible DNS configurations Master Server Slave Server Caching-only Server Resolver-only client (DNS Client) Also other variants of above configurations

27 Configuring Standard Zones A Primary Zone DNS Server A Zone Information B Secondary Zone (Master DNS Server = DNS Server A) Secondary Zone (Master DNS Server = DNS Server A) C DNS Server B DNS Server C

28 V. DNS Files in Linux Zone File Reverse zone file Configuration file (named.conf)

29 Master File Format of Zone File DIRECTIVES $ORIGIN Syntax: $ORIGIN domain-name ;comments Ex: $ORIGIN nic.in. $ORIGIN ren www A is equivalent to

30 Master File Format DIRECTIVES $INCLUDE Syn: $INCLUDE filename origin ; comment Ex: $INCLUDE nicnet.www nic.in $INCLUDE nicnet.www

31 Master File Format DIRECTIVES $TTL Syn: $TTL default-ttl ;comment Set the default Time to Live (TTL) for subsequent records with undefined TTL s Valid TTL s are of the range (TTL is in seconds) Ex: $TTL 1800

32 Master File Format RESOURCE RECORDS SOA, NS, A, MX, CNAME, PTR(reverse zone) Syn : ttl class type rdata All resource records have the same basic syntax. Ex: nic.in 60 IN NS nicnet.nic.in. nicnet 180 IN A MX 0 nicnet.nic.in.

33 Master File Format SOA RECORDS Syn : ttl class SOA host address ( serial number refresh; refresh time retry; retry time expire ; expire time minimum ; default ttl) All resource records have the same basic syntax.

34 Master File Format SOA IN SOA nicnet.nic.in. root.nicnet.nic.in.( ; Serial (yyyymmddhh) 3600 ; Refresh 1 hour 600 ; Retry 10 mins ; Expire 10 days ); Minimum 3 hours,default,negative.

35 Reverse Zone File It should contain following records SOA NS PTR SOA and NS records are similar to previous zone file. Example of PTR Record in.addr.arpa. IN PTR cabin7.training.nic.in.

36 Named Configuration named.conf in Linux OPTIONS options { directory "/var/named"; allow-transfer{ /16; }; allow-query{ /16; }; };

37 Named Configuration zone "." { type hint; file "nicnet.ca"; }; zone "nic.in"{ type master; file "nicnet.hosts"; allow-transfer{! ; /16;

38 Named Configuration }; allow-query{ any; };

39 Named Configuration zone "delhi.nic.in"{ type master; file "delhi.hosts"; allow-transfer{ /16; };

40 Named Configuration zone "ap.nic.in"{ type slave; file "ap.hosts"; masters{ ; }; allow-query{ any;}; }; zone " in-addr.arpa"{ type slave; file "ap.rev"; masters{ ; }; allow-query{any;}; };

41 Named Configuration logging{ channel dnsqry{ file "log/querylog" versions 3 size 10m; print-time yes; }; category queries{ dnsqry; default_debug; };

42 VI. Client Side Configuration Make following changes in the resolv.conf Search training.nic.in Nameserver

43 VII. DNS TOOLS Nslookup DIG (Domain Information Groper) Host

44 VIII. Common Errors Domain not fully qualified Entries in Zone which do not belong there NS not reachable, NS not set up CNAME Problem Host name contains unusual characters Ambiguous MX records

45 IX. DNS Debugging Tools named-checkconf Used for checking the syntax of named.conf file. named-checkzone Used for checking the syntax for the forward and reverse zone files.

46 X. DNS Operation Guidelines Daily Check up 1.Check whether named is running (# ps -ef grep named ) OR (# ps ax grep named ) If not running, execute the following #/usr/sbin/named Verify whether named process started. If not started, please see the /var/log/messages file for the possible cause.

47 DNS Operation Guidelines Daily Check up Possible Causes may be : named.conf file is missing or some errors in it. Host files is missing or syntax errors Zone file missing or syntax errors 2.Use nslookup command to query some popular sites like hotmail.com, yahoo.com etc, in case of any problem try to rectify it on the basis of error message generated by nslookup.

48 DNS Operation Guidelines Weekly Backup 1. Create bak directory under /var/named or any other directory 2. copy all the dns files of your zone, training.nic.zone and rev 3. copy /usr/local/etc/named.conf (In case of SunOS ) or /etc/named.conf (In case of Linux OS ) file which ever is applicable to bak directory.

49 DNS Operation Guidelines Always Remember!!! After making any addition, deletion and modification following points to be followed: 1.Always increase serial number 2. Kill the named daemon (ps -ef grep named) kill -9 pid (process id) 3. Restart it (/usr/sbin/named). 4.For ensuring it is working fine, refer Daily checkup.

50 XI. Resolution A DNS Server receives two types of requests Recursive Iterative DNS clients always makes recursive requests whereas DNS server uses both types of requests.

51 The following is a list of responses : Positive authoritative NonAuthoritative Referral Negative

52 4 DNS Server Primary zone Root. 6 DNS Server Primary zone in in DNS Server Primary zone nic.in nic DNS Server 1 2 Cache <empty> 9 10 DNS Server Primary zone training.nic.in training 1 11 DNS Client Fig1:Iterative Name Resolution starting from the root name server. training.nic.in domain

53 4 DNS Server Primary zone Root. 6 DNS Server Primary zone in in DNS Server Primary zone nic.in nic DNS Server 1 2 Cache <empty> 9 10 DNS Server Primary zone training.nic.in training 1 11 DNS Client training.nic.in domain Fig 2

54 XII. Replication of DNS Replicating a zone file to multiple name servers is called zone transfer. Zone transfer is accomplished by copying the zone file information from master server to slave server. There are two types of zone file replication Full zone transfer (AXFR), replicates the entire zone file. Incremental zone transfer (IXFR), replicates only the changed records of the zone.

55 Zone Transfer Process DNS Server (Master) DNS Server Master Zone Database File trglab Client Zone Database File expt1 expt2 Zone 1

56 Zone Types,Zone Names and Zone File Standard Zones Change Zone Transfer Master Zone Slave Zone

57 XIII. DNS Security Cache Poisoning Client Flooding Dynamic Update Vulnerabilities Information Leakage Compromise of DNS server s authoritative data