Computer System Security and Management, SMD139
Lecture 5: Domain Name System
Peter A. Jonsson

DNS
- Translation of host names to IP addresses (and of IP addresses back to names).
- A hierarchical, distributed database: no single server holds all the data, each zone is served by its own name servers.

DNS Hierarchy (figure)
- Root name server
  - .com name server -> google.com name server
  - ...
  - .se name server -> ltu.se name server

The Root Name Servers
- Keep track of all top-level domains: a root server knows which servers serve .com, .se and so on, and answers with referrals to them.
- Do not use them as the ordinary name server on your PC: root servers do not recurse, so they will not resolve names on your behalf.
Top Level Domains
- Two types:
  - ccTLDs (.fi, .se): country-code TLDs
  - gTLDs (.com, .org): generic TLDs
- Full list: http://www.icann.org/tlds

Centralizing DNS (why a single central database would not work)
- Single point of failure
- Not scalable: traffic volume, response time

Three Kinds of Queries
- Recursive query: the server resolves the name completely on the client's behalf and returns the final answer.
- Iterative query: the server answers with what it has (the data or a referral to a closer server) and the client follows up. Mandatory to support!
- Reverse query: what is the domain name for this IP address?
- (An MX query is an ordinary forward query for another record type: which hosts accept mail for this domain.)

Recursive Example #1
Scenario: you want to know the IP address of kerberos.kth.se.
- The resolver (you/your computer) asks the local NS for kerberos.kth.se. Assume it is not cached, so the NS has to keep digging.
- The NS queries a root server for the host and gets the TLD servers for .se in return.
Recursive Example #2
- The NS queries a .se TLD server for the IP of kerberos.kth.se and gets a referral to the NS for kth.se.
- The NS queries the kth.se NS for the IP of the host. The zone file defines a CNAME showing that kerberos is an alias for himinbjorg; the server returns that CNAME together with the A record (130.237.48.16).
- The local NS sends this information back to the resolver. Transaction complete.

Iterative Example #1
Scenario: you want to know the IP address of kerberos.kth.se.
- The resolver (you/your computer) asks the local NS for kerberos.kth.se. Assume it is not cached.
- The NS replies with a referral to the root servers.

Iterative Example #2
- The resolver queries a root server for kerberos.kth.se and gets the TLD servers for .se in return.
- The resolver queries a .se TLD server for the host and gets the NS for kth.se in return.
- The resolver queries the kth.se NS, which has the information and replies with both the CNAME and the A record.
- Transaction done. The difference from the recursive case is where the work (and the caching) happens: in the resolver instead of in the local NS.

Registering Domains
- Register with the proper authority for the TLD you want.
  - ccTLDs: www.iana.org/root-whois
  - gTLDs: www.icann.org/registrars
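The two walkthroughs above, as a runnable model (an added example, not code from the lecture). The server names ROOT, a.ns.se. and ns1.kth.se. and the zone contents are constructed to mirror the scenario on the slides; they are not a real snapshot of kth.se. `iterative_resolve` follows the referral chain itself, `recursive_resolve` is the local NS doing that work for its client and caching the result.

```python
"""Toy model of the kerberos.kth.se walkthrough: iterative vs. recursive.

Added example, not code from the lecture.  The server names (ROOT,
a.ns.se., ns1.kth.se.) and the zone contents are constructed to mirror the
scenario on the slides; they are not a real snapshot of kth.se.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str]   # (type, rdata), e.g. ("A", "130.237.48.16")

# Constructed authoritative data.  Each server serves one zone and either
# delegates a child zone (answers with a referral) or holds the records.
SERVERS: Dict[str, dict] = {
    "ROOT": {
        "delegations": {"se.": ["a.ns.se."]},
        "records": {},
    },
    "a.ns.se.": {
        "delegations": {"kth.se.": ["ns1.kth.se."]},
        "records": {},
    },
    "ns1.kth.se.": {
        "delegations": {},
        "records": {
            "kerberos.kth.se.": [("CNAME", "himinbjorg.kth.se.")],
            "himinbjorg.kth.se.": [("A", "130.237.48.16")],
        },
    },
}


def query(server: str, qname: str) -> Tuple[str, list]:
    """One non-recursive query to an authoritative server.

    Returns ("REFERRAL", [nameservers]) if the name lies in a delegated
    child zone, ("ANSWER", [records]) if the server holds the data (a CNAME
    is chased inside the zone, so CNAME and A come back together, as in the
    lecture), or ("NXDOMAIN", []) otherwise.
    """
    data = SERVERS[server]
    for child, nameservers in data["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", nameservers
    answer: List[Record] = []
    name = qname
    for _ in range(8):            # bounded so a CNAME loop cannot hang us
        rrs = data["records"].get(name)
        if rrs is None:
            break
        answer.extend(rrs)
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            break
        name = cnames[0]          # follow the alias to its canonical name
    return ("ANSWER", answer) if answer else ("NXDOMAIN", [])


def iterative_resolve(qname: str) -> Tuple[List[Record], List[str]]:
    """The resolver walks the referral chain itself, starting at the root.

    Returns the final records and the list of servers it had to contact.
    """
    server = "ROOT"
    trail: List[str] = []
    while True:
        trail.append(server)
        status, payload = query(server, qname)
        if status == "REFERRAL":
            server = payload[0]   # a real resolver picks among the listed NS
        elif status == "ANSWER":
            return payload, trail
        else:
            return [], trail


def recursive_resolve(cache: Dict[str, List[Record]],
                      qname: str) -> Tuple[List[Record], List[str]]:
    """A recursive name server does the walking on the client's behalf and
    caches what it learns, so the next client asking contacts nobody."""
    if qname in cache:
        return cache[qname], []
    records, trail = iterative_resolve(qname)
    if records:
        cache[qname] = records
    return records, trail


if __name__ == "__main__":
    cache: Dict[str, List[Record]] = {}
    rrs, trail = recursive_resolve(cache, "kerberos.kth.se.")
    print(trail)   # ['ROOT', 'a.ns.se.', 'ns1.kth.se.']
    print(rrs)     # [('CNAME', 'himinbjorg.kth.se.'), ('A', '130.237.48.16')]
    print(recursive_resolve(cache, "kerberos.kth.se.")[1])   # [] -> served from cache
```

The trail shows the three hops the slides describe (root, .se, kth.se); the second lookup returns an empty trail because the local NS answers from its cache, which is exactly the traffic saving that makes recursive servers worth running (and worth protecting, since whatever lands in that cache is served to every client behind it).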
About Domain Names
- Not case-sensitive.
- Each label (subdomain component) is limited to 63 characters.
- An FQDN is limited to 255 characters.
- räksmörgås.se is a bad name: host names are restricted to ASCII letters, digits and hyphens, so a non-ASCII name only works where the client encodes it (IDNA) and every piece of software in the path agrees on that encoding.

The Client Side
- DNS clients (the stub resolver)
- Name Service Switch

DNS clients
- Configured via /etc/resolv.conf in most Unices.
- First line: search csee.ltu.se ltu.se
  If you look up krb1 (no dots), the resolver tries krb1.csee.ltu.se first, then krb1.ltu.se, before trying the bare name. Keep the search list short: it multiplies every failed lookup, and unqualified names you type are silently sent to those domains.
- Second/third line: nameserver <ip>

Name Service Switch
- Solaris and Linux provide /etc/nsswitch.conf for specifying where to look for certain data.
- Example line: hosts: files dns
  To find a host, look in /etc/hosts first; if it is not there, perform a DNS lookup.
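A model of the client-side behaviour described above, as an added example (not code from the lecture) that follows glibc's stub-resolver rules: the search list from resolv.conf is applied in order, and nsswitch.conf decides whether /etc/hosts or DNS is consulted first. The resolv.conf and nsswitch.conf contents, the /etc/hosts table, the DNS answers and all addresses are constructed for the demonstration; `ndots` and the `options` line go beyond the slides but are standard resolv.conf syntax.

```python
"""Client-side lookups as configured by /etc/resolv.conf and /etc/nsswitch.conf.

Added example modelling glibc's stub-resolver behaviour; not code from the
lecture.  The file contents, the /etc/hosts table, the DNS answers and all
addresses below are constructed for the demonstration.
"""
from typing import Dict, List, Optional

RESOLV_CONF = """\
search csee.ltu.se ltu.se
nameserver 130.240.16.8
nameserver 130.240.16.9
"""

NSSWITCH_CONF = "hosts: files dns\n"

# Constructed stand-ins for /etc/hosts and for what the name servers answer.
ETC_HOSTS: Dict[str, str] = {"localhost": "127.0.0.1", "krb1": "10.0.0.5"}
DNS_ANSWERS: Dict[str, str] = {"krb1.ltu.se": "130.240.1.10",
                               "www.example.com": "192.0.2.1"}


def parse_resolv_conf(text: str) -> dict:
    """Return the search list, the nameservers and ndots (glibc default 1)."""
    conf: dict = {"search": [], "nameserver": [], "ndots": 1}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        key, args = fields[0], fields[1:]
        if key in ("search", "domain"):   # 'domain' is the one-entry form
            conf["search"] = args
        elif key == "nameserver":
            conf["nameserver"].extend(args)
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """The names a stub resolver tries, in order (glibc's search rules).

    A trailing dot means "absolute, never search".  A name with at least
    ndots dots is tried as-is first and then with each search domain
    appended; a name with fewer dots (krb1) is searched first and tried
    bare last.  A typo in a fully qualified name therefore leaks to every
    search domain before it finally fails.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    searched = [f"{name}.{dom}" for dom in search]
    if name.count(".") >= ndots:
        return [name] + searched
    return searched + [name]


def parse_nsswitch_hosts(text: str) -> List[str]:
    """Sources for the 'hosts' database, e.g. ['files', 'dns']."""
    for line in text.splitlines():
        if line.strip().startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return ["files", "dns"]   # fallback used by this model when the line is absent


def gethostbyname(name: str, resolv_conf: str = RESOLV_CONF,
                  nsswitch: str = NSSWITCH_CONF) -> Optional[str]:
    """Consult each nsswitch source in order.  'files' matches the name
    exactly as typed; 'dns' tries every search-list candidate."""
    conf = parse_resolv_conf(resolv_conf)
    for source in parse_nsswitch_hosts(nsswitch):
        if source == "files" and name in ETC_HOSTS:
            return ETC_HOSTS[name]
        if source == "dns":
            for cand in candidates(name, conf["search"], conf["ndots"]):
                if cand in DNS_ANSWERS:
                    return DNS_ANSWERS[cand]
    return None


if __name__ == "__main__":
    print(candidates("krb1", ["csee.ltu.se", "ltu.se"]))
    print(gethostbyname("krb1"))                                  # 10.0.0.5 from /etc/hosts
    print(gethostbyname("krb1", nsswitch="hosts: dns files\n"))   # 130.240.1.10 via krb1.ltu.se
```

Swapping the nsswitch line to "hosts: dns files" changes which answer wins for the same name, which is the thing to check first when a machine "resolves differently" from its neighbours: an /etc/hosts entry or a stale cache, not the DNS, is often the culprit.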
Managing DNS

The Server Side
- Most common server: BIND, which consists of:
  - The resolver library (used by gethostbyname() and relatives)
  - The name server, usually called named
- Make sure to watch out for security holes: follow the advisories for the version you run and keep named patched.

Record Types in DNS
- SOA: Start of Authority (the zone's serial number, timers and responsible contact)
- NS: Name server definition
- A: Host name to IPv4 address mapping
- CNAME: Canonical name, host alias
- PTR: IP address to host name mapping

More Record Types
- SRV: Service record
- AAAA: IPv6 host name to address mapping
- MX: Mail server definition
Reverse Records
- Reside in the in-addr.arpa domain (ip6.arpa for IPv6).
- The IP address is written with its octets reversed: 1.1.240.130.in-addr.arpa is really 130.240.1.1.
- Reverse mapping is *NOT* optional!

Name Servers
- If a name server has authority over a zone, it has all the data for that zone.
- Two kinds of name servers: primary and secondary masters, often referred to as master/slave.
- The slave pulls its data from the master.

Name Servers #2
- The pulling is called a zone transfer.
- A single name server can be authoritative for several zones. It can also be master for one zone and slave for another.

Guidelines and Rules
- Always point NS and MX records at an FQDN that has an A record, never at a CNAME; things will break.
- Email delivery problems are often caused by missing or faulty PTR records: receiving mail servers look up the PTR for your IP and check that the name it returns resolves back to the same IP.
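The reverse-name construction and the PTR check behind the mail-delivery rule above, as an added example (not code from the lecture). It builds in-addr.arpa names, and as a generalization of the slide also ip6.arpa names, converts them back, and runs the forward-confirmed reverse DNS (FCrDNS) test a receiving mail server applies to a connecting IP. The A and PTR tables are constructed; only 130.240.1.1 and its reverse name come from the slide.

```python
"""Reverse-mapping names and a forward-confirmed reverse DNS (FCrDNS) check.

Added example, not code from the lecture.  The A and PTR tables are
constructed; the check models what a receiving mail server does with the
connecting IP before accepting mail, which is why faulty PTRs cost you mail.
"""
import ipaddress
from typing import Dict, List


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for ip.

    IPv4: the four octets reversed under in-addr.arpa.  IPv6: all 32 hex
    nibbles of the expanded address reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_reverse_name(name: str) -> str:
    """Inverse of reverse_name, handy when reading a reverse zone file."""
    if name.endswith(".in-addr.arpa"):
        labels = name[:-len(".in-addr.arpa")].split(".")
        return ".".join(reversed(labels))
    if name.endswith(".ip6.arpa"):
        nibbles = "".join(reversed(name[:-len(".ip6.arpa")].split(".")))
        hextets = [nibbles[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(hextets)))
    raise ValueError("not a reverse-mapping name: " + name)


# Constructed forward (A) and reverse (PTR) data.
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.se": ["130.240.1.1"],
    "spare.example.se": ["130.240.1.2"],     # forward only, nobody wrote a PTR
}
PTR_RECORDS: Dict[str, str] = {
    "1.1.240.130.in-addr.arpa": "mail.example.se",
    "3.1.240.130.in-addr.arpa": "mail.example.se",   # stale: mail.example.se moved to .1
}


def fcrdns(ip: str) -> str:
    """Classify a connecting IP the way an MTA's FCrDNS check does.

    ok: a PTR exists and the name's A record points back at the same IP.
    no-ptr: nothing in the reverse zone.  mismatch: the PTR names a host
    whose forward records do not include this IP (stale or forged PTR).
    """
    ptr = PTR_RECORDS.get(reverse_name(ip))
    if ptr is None:
        return "no-ptr"
    if ip in A_RECORDS.get(ptr, []):
        return "ok:" + ptr
    return "mismatch:" + ptr


if __name__ == "__main__":
    print(reverse_name("130.240.1.1"))          # 1.1.240.130.in-addr.arpa
    print(reverse_name("2001:db8::1"))
    for ip in ("130.240.1.1", "130.240.1.2", "130.240.1.3"):
        print(ip, fcrdns(ip))
```

Both the "no-ptr" and the "mismatch" outcomes are what make a receiving MTA defer or reject mail; the check needs the PTR and the forward record to agree, so the reverse zone has to be maintained together with the forward one, not left to whoever owns the address block.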
Split DNS
- Possibility to give different replies depending on who is asking (typically internal addresses for inside clients, public ones for everyone else).
- How do you reproduce the errors your customers are seeing when the server answers you differently than them? Query from their side of the split, or ask the server directly and compare.

Troubleshooting DNS
- dig is the command to use for querying the DNS servers you want to troubleshoot:
    dig @<server> <name> <recordtype>
  (dig accepts the arguments in any order; @<server> sends the query to that server instead of the ones in resolv.conf, so you can compare what each server in the chain says.)
- getent hosts <ip> might give a clue what your OS thinks the right answer is, since it goes through nsswitch exactly like applications do.
- Watch out for nscd, it might cache bad records!

Configuration Example: Configuring BIND (named.conf)

    options {
        directory "/var/named";
        pid-file "/var/run/named";
    };

    zone "." {
        type hint;
        file "named.cache";
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "localhost.rev";
        notify no;
    };
Configuring a primary master

    zone "ahania.com" {
        type master;
        file "ahania.com.db";
    };

    zone "10.168.192.in-addr.arpa" {
        type master;
        file "192.168.10.rev";
    };

Configuring a secondary master

    zone "verdana.com" {
        type slave;
        masters { 192.168.10.1; };
        file "sec/verdana.com.db";
    };

    zone "10.168.192.in-addr.arpa" {
        type slave;
        masters { 192.168.10.1; };
        file "sec/192.168.10.rev";
    };

Zone Transfers Security
- Is there any real security in not allowing people to list your zones?
- Not much. Every record is still answerable one query at a time, so a wordlist of common host names plus a sweep of the reverse zone recovers most of what AXFR would have handed over. Restrict transfers to your secondaries anyway (BIND's allow-transfer option) and authenticate them, but treat the zone contents as public and put nothing secret in them.
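An added example (not code from the lecture) that answers the question above by doing it: against an in-memory copy of the ahania.com forward zone and its 192.168.10.0/24 reverse zone, AXFR is refused for everyone but the secondary, yet a short wordlist and a reverse sweep recover the zone anyway. The zone contents, the secondary's address 192.168.10.2 and the wordlist are constructed around the configuration example.

```python
"""Why refusing AXFR is not real security: the records are still served one
query at a time.

Added example, not code from the lecture.  The ahania.com forward zone, the
192.168.10.0/24 reverse zone and the secondary's address are constructed
around the lecture's configuration example.
"""
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str]   # (type, rdata)

# Constructed zone contents.  One name is deliberately unguessable.
FORWARD: Dict[str, List[Record]] = {
    "ahania.com":           [("NS", "ns1.ahania.com"), ("MX", "10 mail.ahania.com")],
    "ns1.ahania.com":       [("A", "192.168.10.1")],
    "www.ahania.com":       [("A", "192.168.10.10")],
    "mail.ahania.com":      [("A", "192.168.10.25")],
    "hr-db-old.ahania.com": [("A", "192.168.10.77")],
}
REVERSE: Dict[str, List[Record]] = {
    "1.10.168.192.in-addr.arpa":  [("PTR", "ns1.ahania.com")],
    "10.10.168.192.in-addr.arpa": [("PTR", "www.ahania.com")],
    "25.10.168.192.in-addr.arpa": [("PTR", "mail.ahania.com")],
    "77.10.168.192.in-addr.arpa": [("PTR", "hr-db-old.ahania.com")],
}
ALLOW_TRANSFER = {"192.168.10.2"}   # the secondary; everyone else gets REFUSED


def lookup(name: str, rtype: str) -> List[str]:
    """An ordinary query: these cannot be refused, they are what DNS is for."""
    rrs = FORWARD.get(name, []) + REVERSE.get(name, [])
    return [rdata for t, rdata in rrs if t == rtype]


def axfr(client_ip: str) -> Tuple[str, List[Tuple[str, Record]]]:
    """Zone transfer of the forward zone, honouring an allow-transfer ACL."""
    if client_ip not in ALLOW_TRANSFER:
        return "REFUSED", []
    return "NOERROR", [(name, rr) for name, rrs in FORWARD.items() for rr in rrs]


def wordlist_enumeration(domain: str, words: List[str]) -> Dict[str, str]:
    """Guess host names under domain with a wordlist of common labels."""
    found: Dict[str, str] = {}
    for word in words:
        name = f"{word}.{domain}"
        for addr in lookup(name, "A"):
            found[name] = addr
    return found


def reverse_sweep(network: str) -> Dict[str, str]:
    """Walk the reverse zone of a prefix: every PTR reveals a host name,
    including the ones no wordlist would ever guess."""
    found: Dict[str, str] = {}
    for host in ipaddress.ip_network(network).hosts():
        for target in lookup(host.reverse_pointer, "PTR"):
            found[str(host)] = target
    return found


WORDLIST = ["www", "mail", "ns1", "ns2", "ftp", "vpn", "intranet"]

if __name__ == "__main__":
    print(axfr("203.0.113.5"))                       # ('REFUSED', [])
    print(wordlist_enumeration("ahania.com", WORDLIST))
    print(reverse_sweep("192.168.10.0/24"))          # includes hr-db-old.ahania.com
```

The wordlist misses hr-db-old.ahania.com; the reverse sweep does not, because the PTR for 192.168.10.77 names it. That is the usual trade-off with the "reverse mapping is not optional" rule: you want PTRs for mail and for troubleshooting, so assume anything with a PTR is discoverable.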
Transaction Signatures (TSIG)
- Provide secure server-to-server communication (zone transfer, notify, recursive queries, dynamic update).
- Use a shared secret and a keyed hash (HMAC) for authentication; the key name, the signing time and a tolerance ("fudge") are covered by the MAC.
- Relatively lightweight compared with DNSSEC: no public-key operations, but the secret has to be configured on both sides.
- No confidentiality of data! TSIG authenticates messages, it does not encrypt them.

DNSSEC
- All answers are signed, with public-key signatures published in the zone.
- Designed to protect people from DNS cache poisoning.

DNSSEC #2
- Authenticates that data truly comes from the domain owner, or that the name really does not exist.
- Possibility to store certificates, useful if using DNS as a public key infrastructure.
- Like TSIG it gives no confidentiality: signatures prove origin and integrity, not secrecy.

Securing the named process
- Keep track of security holes in the version you use; upgrade if necessary.
- Do not run named as root. Use a separate user that only runs named.
- Run it in a chrooted environment.
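The shared-secret mechanism on the TSIG slide, and the authenticated zone transfer the zone-transfer security slide asks for, as an added example (not code from the lecture). This is not an implementation of the TSIG wire format (RFC 8945); it keeps TSIG's ingredients, a named shared key, an HMAC over the message, the signing time with a fudge window, and the BADKEY/BADSIG/BADTIME outcomes, so the failure modes can be exercised offline. The key name xfer.example.se, the key bytes and the message are constructed.

```python
"""Shared-secret message authentication in the style of TSIG.

Added example, not code from the lecture and not an implementation of the
TSIG wire format (RFC 8945).  It keeps TSIG's ingredients: a named shared
key, an HMAC over the message, the signing time with a fudge window, and
the BADKEY/BADSIG/BADTIME outcomes, so the failure modes can be exercised
offline.  The key name, key bytes and messages are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict

FUDGE = 300   # seconds of clock skew tolerated (BIND's default)

# Constructed key ring; in BIND these come from 'key' statements in named.conf
# and the same secret is configured on both master and slave.
KEYS: Dict[str, bytes] = {"xfer.example.se": secrets.token_bytes(32)}


def _mac(key: bytes, keyname: str, message: bytes, time_signed: int) -> bytes:
    # Binding the key name, time and fudge into the MAC is what stops a
    # captured request from being replayed later or under another key.
    covered = (message + keyname.lower().encode()
               + time_signed.to_bytes(6, "big") + FUDGE.to_bytes(2, "big"))
    return hmac.new(key, covered, hashlib.sha256).digest()


def sign(keyname: str, message: bytes, now: int) -> dict:
    """Sender side: attach key name, signing time and MAC to the message."""
    return {"keyname": keyname, "time_signed": now,
            "mac": _mac(KEYS[keyname], keyname, message, now)}


def verify(message: bytes, sig: dict, now: int) -> str:
    """Receiver side, in the RFC's checking order: key, then MAC, then time."""
    key = KEYS.get(sig["keyname"])
    if key is None:
        return "BADKEY"
    expected = _mac(key, sig["keyname"], message, sig["time_signed"])
    if not hmac.compare_digest(expected, sig["mac"]):   # constant-time compare
        return "BADSIG"
    if abs(now - sig["time_signed"]) > FUDGE:
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    request = b"AXFR example.se"            # constructed stand-in for a DNS message
    sig = sign("xfer.example.se", request, now=1_000_000)
    print(verify(request, sig, now=1_000_100))              # NOERROR
    print(verify(b"AXFR other.se", sig, now=1_000_100))     # BADSIG: message altered
    print(verify(request, sig, now=1_000_000 + 3600))       # BADTIME: replayed later
```

Two practical consequences follow from the model. The MAC covers the time, so master and slave need synchronised clocks or every transfer fails with BADTIME; and the check is a pure HMAC with a shared key, so whoever holds that key can also forge the other side's messages, which is why TSIG secures the server-to-server hop but does not prove to the world that the data came from the zone owner (that is DNSSEC's job).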