netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

Transcription

1 Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group netkit lab dns Version Author(s) Web Description 2.2 G. Di Battista, M. Patrignani, M. Pizzonia, F. Ricci, M. Rimondini contact@netkit.org using the domain name system

2 copyright notice All the pages/slides in this presentation, including but not limited to, images, photos, animations, videos, sounds, music, and text (hereby referred to as material ) are protected by copyright. This material, with the exception of some multimedia elements licensed by other organizations, is property of the authors and/or organizations appearing in the first slide. This material, or its parts, can be reproduced and used for didactical purposes within universities and schools, provided that this happens for non-profit purposes. Information contained in this material cannot be used within network design projects or other products of any kind. Any other use is prohibited, unless explicitly authorized by the authors on the basis of an explicit agreement. The authors assume no responsibility about this material and provide this material as is, with no implicit or explicit warranty about the correctness and completeness of its contents, which may be subject to changes. This copyright notice must always be redistributed together with the material, or its portions.

3 about the dns takes care of associating names with ip addresses (and more ) the name system is distributed over several nodes (hosts) that are hierarchically organized to form a tree each node in the hierarchy corresponds to a name a domain in the name system is a subtree a node in the hierarchy may be delegated to handle names for a particular zone such a node is an authoritative server for that zone a zone is a domain which is devoid of those nodes having a different authoritative server (i.e., a tree without subtrees)

4 the dns name hierarchy each node corresponds to a name this node is nanoinside.net org dnsroot net lugroma3 dnsorg dnsnet nanoinside dnslug dnsnano pc2 this node is.lugroma3.org

5 the dns name hierarchy leaves always correspond to real hosts org dnsroot intermediate nodes may correspond to real hosts (in this example they do not) net lugroma3 nanoinside dnsorg dnsnet dnslug dnsnano pc2

6 domains domains are subtrees their name is the name of the root node every node (including leaves) defines a domain org domains do overlap dnsroot nanoinside.net domain net net domain lugroma3 dnsorg dnsnet nanoinside dnslug dnsnano pc2

7 a zone is a domain without the delegated subdomains org zones dnsroot zones cannot overlap each node falls into a single zone net lugroma3 nanoinside dnsorg dnsnet dnslug dnsnano pc2

8 zones have name servers they are not constrained to be inside the zone they serve zones served by dnsroot served by dnsorg.org org dnsroot net served by dnsnet.net lugroma3 nanoinside dnsorg dnsnet dnslug dnsnano pc2 served by dnslug.lugroma3.org served by dnsnano.nanoinside.net

9 more about the dns the dns hierarchy is orthogonal with respect to the actual network topology in order to focus on the behavior of the dns we choose a flat topology, consisting of a single collision domain

10 step 1 network topology dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

11 step 1 dns (zone) hierarchy abc domain name org net lugroma3 served by dnsroot nanoinside served by dnsorg.org served by dnsnet.net pc2 served by dnslug.lugroma3.org served by dnsnano.nanoinside.net

12 step 2 starting the lab host machine user@localhost:~$ cd netkit-lab_dns user@localhost:~/netkit :~/netkit-lab_dns$ lstart the lab is configured to start all the 7 vms automatically configure the network interfaces automatically configure the name servers automatically start the name server software (bind) on each name server

13 step 2 exploring the configuration configuration on the pcs consists of the specification of the default name server :~# cat /etc etc/resolv.conf nameserver search lugroma3.org :~# pc2 pc2:~# cat /etc etc/resolv.conf nameserver search nanoinside.net pc2:~# dnslug.lugroma3.org suffix to to append to to unqualified names (e.g. (e.g. asking to to resolve dummy results in in querying for for dummy.lugroma3.org) dnsnano.nanoinside.net

14 step 2 exploring the configuration configuration on the name servers specifies associations between zones and name servers information about the root name servers authoritative information associations between names and ip addresses

15 step 2 exploring the configuration configuration on the name servers specifies associations between zones and name servers dnslug dnslug:~# cat /etc etc/bind bind/named.conf named.conf... zone "." { type hint; file "/etc etc/bind bind/db.root db.root"; };... // add entries for other zones below here zone "lugroma3.org" { type master; file "/etc etc/bind bind/db.org.lugroma3"; }; dnslug:~# where to to find information about the root name server we are the primary master for for zone lugroma3.org where to to find data about the names in in this zone

16 step 2 exploring the configuration configuration on the name servers specifies information about the root name servers dnslug dnslug:~# cat /etc/bind/db.root. IN NS ROOT-SERVER. ROOT-SERVER. IN A dnslug:~# a resource record format of of a resource record <domain> <class> <type> <rdata> domain: the record owner (=domain to to which the record refers) class: usually IN IN (=Internet system); may be be HS HS (=hesiod) or or CH (=chaos) type: see next slide... rdata: record data (depends netkit on on [ lab: the dns ] record type)

17 step 2 exploring the configuration A A a a host host address. A6 address. A6 an an IPv6 IPv6 address. AAAA address. AAAA Obsolete Obsolete format format of of IPv6 IPv6 address AFSDB address AFSDB (x) (x) location location of of AFS AFS database database servers. servers. Experimental. CERT Experimental. CERT holds holds a a digital digital certificate. CNAME certificate. CNAME identifies identifies the the canonical canonical name name of of an an alias. DNAME alias. DNAME for for delegation delegation of of reverse reverse addresses. addresses. Replaces Replaces the the domain domain name name specified specified with another with another name name to to be be looked looked up. up. Described Described in in RFC RFC GPOS GPOS Specifies Specifies the the global global position. position. Superseded Superseded by by LOC. HINFO LOC. HINFO identifies identifies the the CPU CPU and and OS OS used used by by a a host. ISDN host. ISDN (x) (x) representation representation of of ISDN ISDN addresses. addresses. Experimental. KEY Experimental. KEY stores stores a a public public key key associated associated with with a a DNS DNS name. KX name. KX identifies identifies a a key key exchanger exchanger for for this this DNS DNS name. LOC name. LOC (x) (x) for for storing storing GPS GPS info. info. See See RFC RFC Experimental. MX Experimental. MX identifies identifies a a mail mail exchange exchange for for the the domain. domain. See See RFC RFC for for details. NAPTR details. NAPTR name name authority authority pointer. NSAP pointer. NSAP a a network network service service access access point. NS point. NS the the authoritative authoritative nameserver nameserver for for the the domain. NXT domain. NXT used used in in DNSSEC DNSSEC to to securely securely indicate indicate that that RRs RRs with with an an owner owner name name in in a a certain name certain name interval interval do do not not exist exist in in a a zone zone and and indicate indicate what what R PTR R PTR a a pointer pointer to to another another part part of of the the domain domain name name space. PX space. PX provides provides mappings mappings between between RFC RFC and and X.400 X.400 addresses. RP addresses. RP (x) (x) information information on on persons persons responsible responsible for for the the domain. domain. Experimental. RT Experimental. RT (x) (x) route-through route-through binding binding for for hosts hosts that that do do not not have have their their own own direct direct wide wide area network area network addresses. addresses. Experimental. SIG Experimental. SIG ("signature") ("signature") contains contains data data authenticated authenticated in in the the secure secure DNS. DNS. See See RFC RFC for details. for SOA details. SOA identifies identifies the the start start of of a a zone zone of of authority. SRV authority. SRV information information about about well well known known network network services services (replaces (replaces WKS). TXT WKS). TXT text text records. WKS records. WKS (h) (h) information information about about which which well well known known network network services, services, such such as as SMTP, SMTP, that that a domain a domain supports. supports. Historical, Historical, replaced replaced by by newer newer RR RR SRV. X25 SRV. X25 (x) (x) representation representation of of X.25 X.25 network network addresses. addresses. Experimental Experimental available record types

18 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL time to to live, in in seconds (determines how long a resource record should be be cached)

19 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry ; expire 0 ; negative cache ttl ) must be be all all on on a single line; line breaks can only be be introduced when using parentheses a a zone data file can contain only one SOA record Start of of Authority record

20 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry relative to to the ; expire origin 0 ; negative cache ttl ) this record is is referred to to the current origin (lugroma3.org) all domain names in in this data file that are not fully qualified (do not end with a. ). ) are the origin is is the domain name in in the zone statement of of the server configuration file: zone zone "lugroma3.org " lugroma3.org" " { type type master; master; file file "/etc/bind/db.org.lugroma3"; }; };

21 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry ; expire 0 ; negative cache ttl ) record class (Internet) record type (Start of of Authority) primary master (=authority) server for for this zone (dnslug.lugroma3.org); don t forget the trailing dot, or or the origin name (lugroma3.org) would be be appended!

22 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry ; expire is is responsible for for the zone 0 ; negative cache ttl (root@dnslug.lugroma3.org) ) mail address of of the person that the first.. must be be replaced by by only meant to to be be used by by humans; has no no use within the dns service

23 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry ; expire configurations 0 ; negative cache ttl ) make sense for for master/slave server configurations

24 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry ; expire 0 ; negative cache ttl ) serial number determines how recent the information is is influences all all data within the zone conventional format: YYYYMMDDNN (year, month, day, # of of changes within that day)

25 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry (seconds) ; expire 0 ; negative cache ttl ) refresh interval tells a slave how often to to check that the data for for this zone is is up up to to date

26 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry between ; expire 0 ; negative cache ttl subsequent ) interval (seconds) subsequent attempts to to contact the master

27 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry (seconds) ; expire 0 ; negative cache ttl ) slave expire time if if the slave fails to to contact the master for for this amount of of time, it it considers the zone data too old and stops giving answers about it it

28 step 2 exploring the configuration configuration on the name servers specifies authoritative information dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial 28 ; refresh 14 ; retry ; expire 0 ; negative cache ttl ) ttl ttl for for negative responses from authoritative name servers

29 step 2 exploring the configuration configuration on the name servers specifies associations between names and ip addresses dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. record type ( ; serial (name server) 28 ; refresh 14 ; retry ; expire 0 ; negative cache ttl IN NS dnslug.lugroma3.org. dnslug IN A IN A dnslug:~# the authoritative name server for for this zone (lugroma3.org) is is dnslug.lugroma3.org (final dot fully qualified name)

30 step 2 exploring the configuration configuration on the name servers specifies associations between names and ip addresses dnslug dnslug:~# cat /etc etc/bind bind/db.org.lugroma3 $TTL IN SOA dnslug.lugroma3.org. root.dnslug.lugroma3.org. ( ; serial record 28 ; refresh type 14 ; retry (address) ; expire 0 ; negative cache appended) ttl IN NS dnslug.lugroma3.org. dnslug IN A IN A dnslug:~# two machines in in this zone: dnslug.lugroma3.org.lugroma3.org (the (the origin name is is automatically

31 step 2 exploring the configuration configuration on the name servers may specify an authority for a subdomain dnsorg dnsorg:~# cat /etc etc/bind bind/db.org db.org $TTL IN SOA dnsorg.org. root.dnsorg.org. ( ; serial zone (org) ; refresh ; retry ; expire 0 ; negative cache ttl IN NS dnsorg.org. dnsorg IN A dnsorg.org is is the authority for for this zone (org) dnslug.lugroma3.org is is the authority for for zone lugroma3(.org) lugroma3 IN NS dnslug.lugroma3.org. dnslug.lugroma3 IN A dnsorg:~#

32 step 3 experiment setting :~# ping pc2.nanoinside.net pc2 pc2:~# tcpdump n t port domain dnsroot.5 dnsorg dnsnet.1.2 dnslug dnsnano pc /24

33 pc2 step 3 the sniffer output pc2:~# tcpdump n t port domain no no timestamps needed capture packets to/from port domain (port 53) ip ipnumbers instead of of host names; port numbers instead of of service names

34 step 3 the sniffer output pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) query id id (+=recursion desired) query type (address) query value packet size (not (not including UDP UDP and and IP IP headers)

35 pc2 step 3 the sniffer output pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) IP > : [1au] A? pc2.nanoinside.net. (47) the query carries a response with an an additional record (an (an OPT OPT record, containing information about the the capabilities of of the the querier) query answer dnslug.lugroma3.org ( ) asks the root server ( ) last update: Computer Networks Apr 2007

36 pc2 step 3 the sniffer output query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (84) the root server ( ) answers with: 0 answers 1 authority (=name server) record (dnsnet.net) 2 additional records (dnsnet.net s IP IP address , and an an OPT record)

37 step 3 the sniffer output pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (84) IP > : [1au] A? pc2.nanoinside.net. (47) the query carries an an additional OPT record dnslug.lugroma3.org ( ) asks dnsnet.net ( )

38 step 3 the sniffer output pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (84) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (85) dnsnet.net ( ) answers with: 0 answers 1 authority (=name server) record (dnsnano.nanoinside.net) 2 additional records (dnsnano.nanoinside.net s IP IP address , and an OPT record) , and netkit an OPT [ lab: record) dns ]

39 step 3 the sniffer output pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (84) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (85) IP > : [1au] A? pc2.nanoinside.net. (47) the the query carries an an additional OPT OPT record dnslug.lugroma3.org ( ) asks asks dnsnano.nanoinside.net ( )

40 step 3 the sniffer output pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on dnsnano.nanoinside.net eth0, link-type EN10MB (Ethernet), ( ) capture size answers 96 bytes with: IP > : 1 answer (pc2.nanoinside.net s IP A? pc2.nanoinside.net. IP address ) (36) IP authority (=name server) > : record (dnsnano.nanoinside.net) 2 additional records (dnsnano.nanoinside.net s [1au] A? pc2.nanoinside.net. IP IP address (47) IP , > : and and an an OPT OPT record) /1/2 (84) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : /1/2 (85) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : 64854* 1/1/2 A (101)

41 step 3 the sniffer output pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode dnslug.lugroma3.org listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : ( ) answers with: A? pc2.nanoinside.net. (36) IP > : IP IP address ) [1au] A? pc2.nanoinside.net. (47) IP > : 1 authority (=name server) record /1/2 (dnsnano.nanoinside.net) (84) IP > : 1 additional record [1au] (dnsnano.nanoinside.net s A? pc2.nanoinside.net. (47) IP IP > : address /1/2 (85) ) IP > : [1au] A? pc2.nanoinside.net. (47) IP > : 64854* 1/1/2 A (101) IP > : /1/1 (108) ( ) answers with: 1 answer (pc2.nanoinside.net s (dnsnano.nanoinside.net s IP

42 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

43 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

44 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

45 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

46 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

47 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

48 step 3 exchanged messages dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

49 step 3 exchanged messages recursive behavior dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

50 step 4 repeating the experiment :~# ping pc2.nanoinside.net pc2 pc2:~# tcpdump n t port domain dnsroot.5 dnsorg dnsnet.1.2 dnslug dnsnano pc /24

51 step 4 repeating the experiment pc2 query answer pc2:~# tcpdump n t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pc2.nanoinside.net. (36) IP > : /1/1 A (90) the name server cache helps reducing traffic

52 step 4 repeating the experiment dnsroot.5 abc machine name dnsorg dnsnet.1.2 dnslug dnsnano pc /24

53 step 5 restarting the name server the restart operation cleans up caches a new client query triggers the complete sequence of iterative queries dnslug dnslug:~# /etc/init.d/bind restart Stopping domain name service: named. Starting domain name service: named. dnslug:~# upon startup, the name server checks its root server configuration pc2 pc2:~# tcpdump -n -t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : [1au] NS?. (28) IP > : 15318* 1/0/2 NS ROOT-SERVER. (68)

54 step 6 non-existent target :~# ping pluto.nanoinside.net pc2 pc2:~# tcpdump n t port domain dnsroot.5 dnsorg dnsnet.1.2 dnslug dnsnano pc /24

55 step 6 non-existent target pc2 query answer pc2:~# tcpdump -n -t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pluto.nanoinside.net. (38) IP > : [1au] A? pluto.nanoinside.net. (49) IP > : /1/2 (86) IP > : [1au] A? pluto.nanoinside.net. (49) IP > : /1/2 (87) IP > : [1au] A? pluto.nanoinside.net. (49) IP > : NXDomain* 0/1/1 (98) IP > : NXDomain 0/1/0 (101)...

56 step 6 non-existent target pc2 query answer pc2:~# tcpdump -n -t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pluto.nanoinside.net. (38) IP > : [1au] A? pluto.nanoinside.net. all (49) all the iterative queries IP > : /1/2 (86) are performed again IP > : because of of the cache [1au] A? pluto.nanoinside.net. (49) IP > : flush /1/2 (87) IP > : [1au] A? pluto.nanoinside.net. (49) IP > : NXDomain* 0/1/1 (98) IP > : NXDomain 0/1/0 (101)...

57 step 6 non-existent target pc2 query answer pc2:~# tcpdump -n -t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pluto.nanoinside.net. (38) IP > : the requested domain [1au] (pluto.nanoinside.net) A? pluto.nanoinside.net. (49) IP > : /1/2 does (86) not exist (NXDomain) IP > : [1au] A? *=authoritative pluto.nanoinside.net. answer (49) IP > : /1/2 (87) IP > : [1au] A? pluto.nanoinside.net. (49) IP > : NXDomain* 0/1/1 (98) IP > : NXDomain 0/1/0 (101)...

58 step 6 non-existent target (cont d) pc2 query answer... IP > : A? pluto.nanoinside.net.lugroma3.org. (51) IP > : NXDomain* 0/1/0 (99) since the query has failed, tries once more with the domain search path configured inside its its /etc/resolv.conf: nameserver search lugroma3.org

59 step 6 repeating the experiment :~# ping pluto.nanoinside.net pc2 pc2:~# tcpdump n t port domain dnsroot.5 dnsorg dnsnet.1.2 dnslug dnsnano pc /24

60 step 6 repeating the experiment pc2 query answer pc2:~# tcpdump -n -t port domain tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes IP > : A? pluto.nanoinside.net. (38) IP > : 2449 NXDomain 0/1/0 (87) IP > : A? pluto.nanoinside.net.lugroma3.org. (51) IP > : 2450 NXDomain* 0/1/0 (99) the name server negative cache has stored the negative answer

61 step 7 advanced queries resource records can be searched by using dig highly customizable queries detailed responses :~# dig pc2.nanoinside.net

62 step 7 advanced queries :~# dig pc2.nanoinside.net ; <<>> DiG <<>> pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;pc2.nanoinside.net. IN A ;; ANSWER SECTION: pc2.nanoinside.net IN A ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; ADDITIONAL SECTION: dnsnano.nanoinside.net IN A ;; Query time: 129 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 14:49: ;; MSG SIZE rcvd: 90

63 step 7 advanced queries :~# dig pc2.nanoinside.net ; <<>> DiG <<>> pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;pc2.nanoinside.net. IN A answer ;; ANSWER SECTION: flags: pc2.nanoinside.net IN A qr: qr: query response rd: rd: recursion desired (the (the user user asked for for a recursive lookup) ra: ra: recursion available (the (the server allows recursive lookups) ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; ADDITIONAL SECTION: dnsnano.nanoinside.net IN A ;; Query time: 129 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 14:49: ;; MSG SIZE rcvd: 90

64 step 7 advanced queries :~# dig pc2.nanoinside.net ; <<>> DiG <<>> pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;pc2.nanoinside.net. IN A ;; ANSWER SECTION: pc2.nanoinside.net IN A ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; ADDITIONAL SECTION: dnsnano.nanoinside.net IN A these sections correspond to to those contained in in DNS packets ;; Query time: 129 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 14:49: ;; MSG SIZE rcvd: 90

65 step 7 advanced queries :~# dig pc2.nanoinside.net ; <<>> DiG <<>> pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;pc2.nanoinside.net. IN A ;; ANSWER SECTION: pc2.nanoinside.net IN A ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; ADDITIONAL SECTION: dnsnano.nanoinside.net IN A ;; Query time: 129 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 14:49: ;; MSG SIZE rcvd: 90 records being searched (class: IN, type: A address records) a dns dns message never contains more than than one one question section

66 step 7 advanced queries :~# dig pc2.nanoinside.net records that form the answer to to the question ; <<>> DiG <<>> pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 may may be be more than than one one ;; QUESTION SECTION: ;pc2.nanoinside.net. IN A ;; ANSWER SECTION: pc2.nanoinside.net IN A ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; ADDITIONAL SECTION: dnsnano.nanoinside.net IN A ;; Query time: 129 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 14:49: ;; MSG SIZE rcvd: in 90 in /etc/resolv.conf) time time to to live live of of a resource record that that is is cached on on the the server try try invoking dig digonce more to to see see it it decreasing constant if if the the record is is not not cached (i.e., (i.e., it it is is stored on on the the name server being queried by by default the the one one configured

67 step 7 advanced queries :~# dig pc2.nanoinside.net ; <<>> DiG <<>> pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 records describing authoritative name servers are returned here ;; QUESTION SECTION: ;pc2.nanoinside.net. IN A ;; ANSWER SECTION: pc2.nanoinside.net IN A ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; ADDITIONAL SECTION: dnsnano.nanoinside.net IN A ;; Query time: 129 msec ;; SERVER: #53( ) ;; additional WHEN: Tue Apr records 17 14:49: ;; MSG SIZE rcvd: 90 are returned here

68 step 8 an iterative query :~# dig +noquestion +noadditional +norecurse pc2.nanoinside.net et avoid displaying question and additional sections disable recursion

69 step 8 an iterative query :~# dig +noquestion +noadditional +norecurse pc2.nanoinside.net et ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: IN NS ROOT-SERVER. ;; Query time: 21 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 16:07: ;; MSG SIZE rcvd: 76 :~# the server answers by by specifying the authoritative name server to to be be contacted to to get the desired information

70 step 8 an iterative query :~# dig +noquestion +noadditional pc2.nanoinside.net ; <<>> DiG <<>> +noquestion +noadditional pc2.nanoinside.net ; (1 server found) ;; global options: printcmd ;; Got answer: server (dnsroot) ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: net IN NS dnsnet.net. query a specific name ;; Query time: 22 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 16:14: ;; MSG SIZE rcvd: 73 :~# dnsnet.net is is the authoritative name server for for zone net

71 step 8 an iterative query :~# dig +noquestion +noadditional pc2.nanoinside.net ; <<>> DiG <<>> +noquestion +noadditional pc2.nanoinside.net ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; Query time: 22 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 16:21: ;; MSG SIZE rcvd: 74 :~# query a specific name server (dnsnet.net) dnsnano.nanoinside.net is is the authoritative name server for for zone nanoinside.net

72 step 8 an iterative query :~# dig +noquestion +noadditional pc2.nanoinside.net ; <<>> DiG <<>> +noquestion +noadditional pc2.nanoinside.net ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; ANSWER SECTION: pc2.nanoinside.net IN A ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; Query time: 24 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 16:23: ;; MSG SIZE rcvd: 90 query a specific name server (dnsnano.nanoinside.net)

73 step 8 an iterative query just to confirm that name servers cache information during recursive queries... :~# dig +noquestion +noadditional pc2.nanoinside.net [...] :~# a recursive query (default behavior of of dig)

74 step 8 an iterative query just to confirm that name servers cache information during recursive queries... :~# dig +noquestion +noadditional pc2.nanoinside.net [...] :~# dig +noquestion +noadditional +norecurse pc2.nanoinside.net et an an iterative query

75 step 8 an iterative query just to confirm that name servers cache information during recursive queries... :~# dig +noquestion +noadditional pc2.nanoinside.net [...] :~# dig +noquestion +noadditional +norecurse pc2.nanoinside.net et ; <<>> DiG <<>> +noquestion +noadditional +norecurse pc2.nanoinside.net ;; global options: printcmd ;; Got answer: ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; Query time: 19 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 16:45: ;; MSG SIZE rcvd: 74

76 step 8 an iterative query just to confirm that name servers cache information during recursive queries... :~# dig +noquestion +noadditional pc2.nanoinside.net [...] :~# dig +noquestion +noadditional +norecurse pc2.nanoinside.net et the ttl ttl is is expiring ; <<>> DiG <<>> +noquestion +noadditional +norecurse pc2.nanoinside.net ;; global ( this options: is is a cached printcmd ;; Got answer: information) ;; ->>HEADER<< >>HEADER<<- opcode: QUERY, status: NOERROR, the id: ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: recursive query 1, ADDITIONAL: 1 dnslug.lugroma3.org immediately answers with the authoritative name server for for zone nanoinside.net, which it it has learned during ;; AUTHORITY SECTION: nanoinside.net IN NS dnsnano.nanoinside.net. de.net. ;; Query time: 19 msec ;; SERVER: #53( ) ;; WHEN: Tue Apr 17 16:45: ;; MSG SIZE rcvd: 74