Cosc 4750
Domain Name Service (DNS)
IP Addresses
• Machines on the Internet need an addressing scheme (or they couldn’t receive packets!)
• Each machine has a 32-bit address assigned by the Internet Corporation for Assigned Names and Numbers (ICANN).
  • In the U.S., American Registry for Internet Numbers (ARIN)
  • In Europe, Réseaux IP Européens (RIPE)
• Addresses are written in dotted decimal notation:
  • 128 . 2 . 218 . 2
    10000000 00000010 11011010 00000010
• Current max number of IP addresses = 2^32 ~ 4,000,000,000
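The dotted-decimal to 32-bit conversion on the slide, as an added worked example (not part of the lecture material): it validates each octet, writes the address as four 8-bit groups exactly as the slide does, converts back, and rejects malformed inputs such as an octet of 256 or a three-part address.

```python
ADDRESS_SPACE = 2 ** 32  # every 32-bit pattern is a distinct address: 4,294,967,296


def dotted_to_bits(address):
    """Validate a dotted-decimal IPv4 address and return its 32 bits written
    as four 8-bit groups, the way the slide writes 128.2.218.2."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"{address!r}: expected exactly four octets")
    octets = []
    for part in parts:
        # isdigit() rejects signs, spaces and empty octets; the range check
        # catches values such as 256 that do not fit in 8 bits
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"{address!r}: octet {part!r} is not in 0..255")
        octets.append(int(part))
    return " ".join(format(octet, "08b") for octet in octets)


def bits_to_dotted(bits):
    """Inverse of dotted_to_bits: 32 bits (spaces optional) back to dotted decimal."""
    digits = bits.replace(" ", "")
    if len(digits) != 32 or set(digits) - {"0", "1"}:
        raise ValueError("expected exactly 32 binary digits")
    value = int(digits, 2)
    # peel the four bytes off the 32-bit value, most significant first
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_address(address):
    """True when the text is a well-formed dotted-decimal IPv4 address."""
    try:
        dotted_to_bits(address)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(dotted_to_bits("128.2.218.2"))
    print(bits_to_dotted("10000000 00000010 11011010 00000010"))
    print(is_valid_address("256.1.1.1"), ADDRESS_SPACE)
```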
Domain Names
• IP addresses are inconvenient to remember
  129.72.216.5 vs. meru.cs.uwyo.edu (fully qualified)
• Domain names are alphanumeric aliases for IP addresses.
  They form a tree structure of FQDNs (diagram, one level per line from the root down):
  ROOT
  .GOV .COM .MIL .NET .EDU .ORG .IT
  UWYO PITT MIT AMAZON MCKINSEY YAHOO
  GSIA SDVC CS HEINZ
  YEN MERU DOLLAR K2
  207.237.113.94 129.72.216.5 208.216.182.15 129.72.216.12
DNS services
• Name to IP translations
• Host aliasing
  – asuwlink.uwyo.edu, also known as w3.uwyo.edu, ftp.uwyo.edu, etc.
• Mail server aliasing
  – In Cosc, all mail goes to one machine, even if sent to different machines in the department
• Load distribution
  – One DNS name points to different machines; the DNS server then uses round robin (or better algorithms) to give out IP numbers.
How it works
• At one point it was a single host for all machines
  – provided a single point of failure
  – traffic volumes could overwhelm it
  – distant centralized database
  – maintenance
• Would be a real problem now.
● Today, it functions in a hierarchy of name servers
● Lots of local name servers
  ● Provides easy updates and quick response, since local.
  ● Local name servers have local name servers above them.
● 10-15 root servers, right now
  ● Root servers point to top-level servers; they don’t hold any host names except those of the root servers.
● Each name server has authoritative name servers (one level higher in the hierarchy, usually) to keep rogue name servers from misdirecting people.
DNS Namespace
● Two sorts of top-level domains (TLD)
  ● US: .edu, .net, .com, .gov, .mil, .arpa (rarely used)
  ● Rest of the world
    ● two-letter country codes: .us (USA), .au, .de, .fi, .dk, .is, .md, .tv, dozens of others.
    ● New ones are being added, .biz and several others.
    ● .edu, .com, .net, .arpa are used outside the US.
DNS names
● Several countries have sold their domain
  ● .md sold to a company, now used for doctors and residents of Maryland
  ● .tv now used for television stations
● Squatting
  ● Purchase a name, but do not use it. Then sell it to a company for a huge profit.
  ● Used for nationally/internationally recognized names
  ● Also used by people using similar names
    ● i.e. www.whitehouse.com (porn site) vs. www.whitehouse.gov
  ● Companies are now successfully suing and getting the names changed.
BIND software
● Two versions common: v4 and v9
  ● 4 has been discontinued (v4.9.X), but is very stable
  ● 9 has many new features, but security issues
● The daemon that does the work is called named.
● Name servers come in three types:
  ● master, slave, cache/forwarding
Example name servers structure
(diagram, one level per line from the root down)
ROOT
.GOV .COM .MIL .NET .EDU .ORG .IT
UWYO PITT MIT AMAZON MCKINSEY YAHOO
GSIA SDVC CS HEINZ
BIGHORN MERU
Config files
Forward lookup files:
  meru.cs.uwyo.edu IN A 129.72.216.4
  <hostname> IN A <IP>
Other parts:
  www.cs.uwyo.edu IN CNAME hive.cs.uwyo.edu
  <alias hostname> IN canonical name <real hostname>
  www.cs.uwyo.edu IN MX 0 alameda.cs.uwyo.edu
  <alias hostname> IN mail <weight> <hostname to send the mail to>
  IN NS pike.cs.uwyo.edu
  <no name> IN name server <hostname>
Also you can list multiple entries for CNAME, MX, A; named uses a round-robin method for handing them out:
  hive.cs.uwyo.edu IN A 129.72.216.51
  IN A 129.72.216.50
Subdomains in DNS
• meru.cs.uwyo.edu IN A 129.72.216.4
• pike.cs.uwyo.edu IN A 129.72.216.13
• cs IN NS meru.cs.uwyo.edu
• IN NS pike.cs.uwyo.edu
• These are uwyo.edu records; when the uwyo.edu server gets a request for a name under cs.uwyo.edu, it refers the requester to the name servers meru or pike.
Reverse Name files
• 129.72.216.4 IN PTR meru.cs.uwyo.edu.
• <IP number> IN PTR <name>
• NS records are also included in the reverse name files.
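The three record slides above (forward lookup records with round-robin A records, the cs subdomain delegation, and the reverse PTR file) as one added worked example. This is not the lecture's code or BIND's: it is a small in-memory zone parser that reads the "owner IN type rdata" lines the slides use, follows CNAMEs, rotates multiple A records the way the slide says named does, returns a referral when a name falls under a delegated subdomain, and generates the reverse-file PTR entries from the A records. The zone data is constructed from the slide's hostnames and addresses; the MX is placed on hive rather than on the alias www, because an owner name that has a CNAME may carry no other record types (RFC 1034 section 3.6.2), and the nslookup slide later queries the MX of hive as well.

```python
from collections import defaultdict

# Constructed zone data modelled on the slides (lecture hostnames and addresses only).
UWYO_ZONE_TEXT = """\
; uwyo.edu zone: the cs subdomain is delegated, with glue for its servers
cs                  IN NS    meru.cs.uwyo.edu.
cs                  IN NS    pike.cs.uwyo.edu.
meru.cs.uwyo.edu.   IN A     129.72.216.4
pike.cs.uwyo.edu.   IN A     129.72.216.13
"""

CS_ZONE_TEXT = """\
; cs.uwyo.edu zone: a blank owner repeats the previous one (the apex, as it is first)
                    IN NS    pike.cs.uwyo.edu.
meru.cs.uwyo.edu.   IN A     129.72.216.4
pike.cs.uwyo.edu.   IN A     129.72.216.13
hive.cs.uwyo.edu.   IN A     129.72.216.51
hive.cs.uwyo.edu.   IN A     129.72.216.50
hive.cs.uwyo.edu.   IN MX    0 alameda.cs.uwyo.edu.
www.cs.uwyo.edu.    IN CNAME hive.cs.uwyo.edu.
"""


class Zone:
    """A tiny in-memory zone that answers lookups the way named would for its data."""

    def __init__(self, origin, text):
        self.origin = origin.rstrip(".")
        self.rrsets = defaultdict(list)   # (name, type) -> [rdata, ...]
        self.rotation = defaultdict(int)  # round-robin counter per rrset
        owner = self.origin
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].rstrip()   # drop comments
            if not line.strip():
                continue
            fields = line.split()
            if not line[0].isspace():               # explicit owner; a blank owner repeats the last one
                owner = self.qualify(fields.pop(0))
            klass, rtype, *rdata = fields
            if klass != "IN":
                raise ValueError(f"unsupported class {klass!r}")
            if rtype == "MX":
                value = (int(rdata[0]), rdata[1].rstrip("."))   # (preference, mail host)
            elif rtype in ("CNAME", "NS", "PTR"):
                value = rdata[0].rstrip(".")
            else:                                   # A (and anything else): keep the text
                value = " ".join(rdata)
            self.rrsets[(owner, rtype)].append(value)

    def qualify(self, name):
        """Turn a relative owner such as 'cs' into a fully qualified name."""
        name = name.rstrip(".")
        if name in ("@", ""):
            return self.origin
        if name == self.origin or name.endswith("." + self.origin):
            return name
        return f"{name}.{self.origin}"

    def lookup(self, name, rtype="A", max_cname=8):
        """Return (answers, delegation): rdata for the name after following
        CNAMEs, or the NS targets to ask when the name lies in a delegated child."""
        name = self.qualify(name)
        for _ in range(max_cname):
            target = self.rrsets.get((name, "CNAME"))
            if not target or rtype == "CNAME":
                break
            name = target[0]
        key = (name, rtype)
        answers = list(self.rrsets.get(key, []))
        if len(answers) > 1:
            # several equal records: hand them out round-robin, rotating each time
            shift = self.rotation[key] % len(answers)
            self.rotation[key] += 1
            answers = answers[shift:] + answers[:shift]
        if answers:
            return answers, []
        return [], self.delegation_for(name)

    def delegation_for(self, name):
        """Walk from the name up towards the apex looking for an NS cut point."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == self.origin:
                break
            ns = self.rrsets.get((candidate, "NS"))
            if ns:
                return list(ns)
        return []


def reverse_records(zone):
    """Build the (in-addr.arpa name, hostname) PTR pairs for the reverse file."""
    ptrs = []
    for (name, rtype), values in zone.rrsets.items():
        if rtype != "A":
            continue
        for ip in values:
            ptrs.append((".".join(reversed(ip.split("."))) + ".in-addr.arpa", name))
    return sorted(ptrs)


if __name__ == "__main__":
    cs = Zone("cs.uwyo.edu", CS_ZONE_TEXT)
    print(cs.lookup("www"))                  # alias resolved, first round-robin order
    print(cs.lookup("www"))                  # rotated on the next query
    print(cs.lookup("hive", "MX"))
    uwyo = Zone("uwyo.edu", UWYO_ZONE_TEXT)
    print(uwyo.lookup("hive.cs.uwyo.edu"))   # a referral, not an answer
    for ptr in reverse_records(cs):
        print(*ptr)
```

Two behaviours are worth noticing when you run it: the uwyo.edu zone answers for meru and pike from its glue A records but only refers queries for other cs hosts to the delegated servers, and the rotation counter is keyed by the canonical name, so queries through the www alias and direct queries for hive share the same round-robin sequence.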
nslookup & dig
• nslookup meru.cs.uwyo.edu
  – provides the IP
• nslookup <return>
  – enters the program’s interactive shell
  • > meru
    – returns the IP number, 129.72.216.4
  • > 129.72.216.4
    – returns the name, meru
  • > set type=MX
  • > hive.cs.uwyo.edu
    – returns the mail server redirection, alameda
• dig provides the same info, but also statistics: number of requests and query time
/etc/resolv.conf
• File on UNIX listing the name servers
nameserver 10.216.218.13
nameserver 10.216.218.12
nameserver 10.84.60.8
search cs.uwyo.edu uwyo.edu
(OR) domain cs.uwyo.edu
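An added example (not part of the slides) that reads the resolv.conf shown above and shows what the search list actually does to an unqualified name like the "meru" typed into nslookup: the resolver tries the name with each search suffix appended, in order, and only then the bare name. The parser treats domain as a one-entry search list, as the slide's "(OR)" indicates, and records nameserver lines beyond the first three as ignored, since the glibc resolver honours at most three (its MAXNS limit); the ndots default of 1 is the resolver's usual default and is stated here as an assumption of the example.

```python
# Constructed copy of the resolv.conf on the slide.
RESOLV_CONF = """\
nameserver 10.216.218.13
nameserver 10.216.218.12
nameserver 10.84.60.8
search cs.uwyo.edu uwyo.edu
"""

MAX_NAMESERVERS = 3  # glibc MAXNS: further nameserver lines are silently unused


def parse_resolv_conf(text):
    """Return nameservers (used and ignored) and the effective search list."""
    conf = {"nameservers": [], "ignored_nameservers": [], "search": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            bucket = "nameservers" if len(conf["nameservers"]) < MAX_NAMESERVERS else "ignored_nameservers"
            conf[bucket].append(args[0])
        elif key == "search":
            conf["search"] = args             # a later search/domain line replaces an earlier one
        elif key == "domain" and args:
            conf["search"] = [args[0]]        # domain is equivalent to a one-entry search list
    return conf


def candidate_names(name, conf, ndots=1):
    """The fully qualified names the resolver will try, in order, for `name`.
    A trailing dot makes the name absolute and skips the search list; a name
    with fewer than `ndots` dots is tried with the search suffixes first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{suffix}" for suffix in conf["search"]]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    print(conf)
    print(candidate_names("meru", conf))
    print(candidate_names("www.example.com", conf))
```

The order matters for troubleshooting: a short name typed on a cs.uwyo.edu machine is a different query from the same name typed elsewhere, which is why the slides always show fully qualified names in zone files.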
win2k
• Changed the standard for DNS
  – Microsoft: embrace, extend, exterminate, or change two things and call it Microsoft’s
  – Win2k comes with its own version of DNS (needs updating before using).
• BIND versions 8 and 9 will accept Microsoft’s implementation of DNS
  – needs to understand the _ and -
  – dynamic updates, but not with Kerberos 5 (secure updates)
Cosc 4750
NFS and NIS
NFS
● NFS = Network File System
● NFS is almost transparent to the users and is “stateless”, meaning that no information is lost when an NFS server crashes
● Introduced by Sun in 1985
● Used for sharing a “filesystem” from a server to client machines
● Currently two versions in use
  ● NFS version 2
    ● All UNIX O/S can use this version
  ● NFS version 3
    ● Used by Sun, SGI, HP-UX, and FreeBSD
    ● Used by most Linux distros, but a little buggy.
  ● NFS version 4
    ● Still new, lots of problems with configurations.
    ● Is supposed to be able to deal with firewalls.
● Filesystems and file ownership
  ● The server assumes that the client is using the same UIDs and GIDs
  ● The server and the client had better be using the same set, or there will be a major security problem.
● Root access
  ● An exported NFS filesystem can be set to block incoming root (UID 0) requests.
  ● Since root can su into another user’s account, root can still gain access to the files.
  ● The nobody account
    ● UID –2, or -65,534 [2’s complement of –2], is also blocked.
● File locking
  ● NFS file locking has a tendency to be “flaky”.
  ● Since so many machines can be using the same file at the same time, it is a difficult process, handled by lockd and statd.
● Disk quotas
  ● Handled by the server’s stated filesystem, but the users on a remote system won’t know that unless rquotad is running on the server.
Security
● By default NFS provides no security
● You can use Sun’s public key system or Kerberos for NFS
● If you have a firewall, you can block port 2049 (UDP and TCP)
  ● unless you are using Sun’s WebNFS
Server-Side NFS
● It uses nfsd, mountd, and portmap (since NFS relies on RPC)
● mountd and nfsd rely on a file that tells them what filesystems are to be exported
  – /etc/exports (Solaris: /etc/dfs/dfstab)
● To tell mountd and nfsd you changed the file, you must run: exportfs -a (Solaris: shareall)
exports file
● The syntax is different between vendors
● One line for each filesystem to be exported, and the following can be (are) listed:
  – the filesystem
  – computers that have read/write privileges
  – computers that have read-only privileges
  – computers that have root privileges
● If a machine is listed by its name (NOT the IP number), then the machine name and IP number must be listed in the /etc/hosts file. Otherwise, it will be denied access.
● Some NFS servers allow a wildcard *
  ● Fedora/Red Hat Linux does
Example
• Redhat version
• /home meru(rw,no_root_squash) *.cs.uwyo.edu(rw)
• /usr/local *.cs.uwyo.edu(rw)
• /var *.cs.uwyo.edu(ro)
• Standard NFS (not used by many vendors, though)
• /meru3 rw,access=meru:alameda:k2,root=meru
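An added example, not from the slides or from any NFS implementation, that reads the Red Hat style exports file shown above and answers the two questions an administrator asks of it: which entries deserve a second look (root not squashed, read/write granted to a wildcard pattern), and how a given request would be treated, including the mapping of a client's UID 0 to the nobody UID when root squashing is in effect. The file contents are a constructed copy of the slide's example. Two simplifications are assumptions of the example: the first matching client entry wins (exportfs prefers the most specific match), and the anonymous UID is 65534, the 16-bit two's complement form of the -2 the slide mentions.

```python
import fnmatch
import re

# Constructed /etc/exports in the Red Hat syntax shown on the slide.
EXPORTS = """\
/home       meru(rw,no_root_squash) *.cs.uwyo.edu(rw)
/usr/local  *.cs.uwyo.edu(rw)
/var        *.cs.uwyo.edu(ro)
"""

# UID that root is mapped to when root squashing is on (-2 as an unsigned 16-bit value).
NOBODY_UID = 65534

CLIENT_SPEC = re.compile(r"^([^()]+)(?:\(([^)]*)\))?$")   # host or pattern, optional (opts)


def parse_exports(text):
    """Map each exported path to its ordered list of (client pattern, option set)."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients = []
        for spec in specs:
            match = CLIENT_SPEC.match(spec)
            if not match:
                raise ValueError(f"bad client spec {spec!r} for {path}")
            pattern, opts = match.group(1), match.group(2) or ""
            clients.append((pattern, {o for o in opts.split(",") if o}))
        exports[path] = clients
    return exports


def audit(exports):
    """Flag the entries an administrator should look at twice."""
    findings = []
    for path, clients in exports.items():
        for pattern, opts in clients:
            if "no_root_squash" in opts:
                findings.append((path, pattern, "root is not squashed"))
            if any(ch in pattern for ch in "*?") and "rw" in opts:
                findings.append((path, pattern, "read/write granted to a wildcard"))
    return findings


def evaluate(exports, path, client, uid, write):
    """Decide whether a request from `client` acting as `uid` is served, and as
    which UID the server will act. First matching client entry wins (assumption)."""
    for pattern, opts in exports.get(path, []):
        if not fnmatch.fnmatchcase(client, pattern):
            continue
        if write and "rw" not in opts:
            return {"allowed": False, "uid": None, "reason": "export is read-only"}
        effective = uid
        if uid == 0 and "no_root_squash" not in opts:
            effective = NOBODY_UID      # root squashed to the nobody account
        return {"allowed": True, "uid": effective, "reason": "matched " + pattern}
    return {"allowed": False, "uid": None, "reason": "client not listed"}


if __name__ == "__main__":
    exports = parse_exports(EXPORTS)
    for finding in audit(exports):
        print("review:", *finding)
    print(evaluate(exports, "/home", "meru", 0, True))             # root kept, per no_root_squash
    print(evaluate(exports, "/home", "k2.cs.uwyo.edu", 0, True))   # root squashed to nobody
    print(evaluate(exports, "/var", "k2.cs.uwyo.edu", 1001, True)) # read-only export
```

The audit deliberately pairs the two slide points: a wildcard with rw means any host whose name fits the pattern (and whose name and address are in /etc/hosts, per the slide) can write, and no_root_squash hands the client's root full root on the exported tree, which is exactly what the "Root access" slide warns about.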
Client-side NFS
● Uses the mountd daemon (can also use the nfsiod daemon as well).
• Auto mounting on boot
  – uses /etc/fstab (/etc/vfstab for Sun)
● Manual mounting
  – uses the mount command
  – mount <machine>:<filesystem> <mount point>
● fstab file, used for both NFS and local drives
● What it looks like:
  ● <machine>:<filesystem> <mount point> <flags> 0 0
● flags (some of them):
  ● rw    Read/Write
  ● ro    Read Only
  ● bg    background the mount of the filesystem
  ● soft  If the NFS server fails, access fails with an error
  ● hard  If the NFS server fails, access is blocked until the server returns
  ● intr  Allows users to interrupt blocked operations
Stat’s and debugging
● nfsstat -s
  ● shows stats and information about an NFS server: RPC stats, timeouts, and many filesystem commands
● nfsstat -c
  ● shows stats and information about an NFS client: RPC stats, timeouts, and many filesystem commands
● showmount
  ● lists all hosts that have mounted an NFS filesystem
● showmount -a
  ● lists all hosts and what they mounted
● showmount -d
  ● lists all the filesystems that have been mounted
● showmount -e
  ● lists all exported filesystems and who can mount them
● showmount [-a -e -d] <host>
  ● same as above, but for a remote host.
automatic mounting
● Besides mounting at boot time, an automounting daemon can be set up to mount the filesystem only when needed and remove it when not used.
● Allows you to provide a list of replicated filesystems, for the case that an NFS server fails.
NIS
● NIS: the Network Information Service
● Originally called Sun Yellow Pages (yp), but Sun was sued by AT&T and changed the name.
● Allows you to share account information (passwd, shadow, group), as well as other system files, like hosts and services.
Advantages
● You can set up a user account on one machine and the information is distributed out to the other machines in the group.
● The user can then log in to any machine in the group
● Combined with NFS, the user has the same file space and account information on a variety of computers.
How it works.
● One computer acts as a master server
● Other machines can act as slave servers
● Client machines then ask for information from the server (master or slave).
● Example of a password file:
  … normal password line
  +seker:::::::   User seker can have access
  +               All NIS accounts have access
● All information about the user is gotten from the server password file
  ● So for user seker, it will ask the server which shell to use
● For security reasons, only UIDs over 100 are shared out in Fedora/Red Hat.
  ● Can be configured to share all UIDs, except root.
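The password-file behaviour just described, as an added worked example (not the lecture's code and not the NIS implementation): it emulates the compat-mode lookup on a client whose local passwd file contains ordinary lines, a "+seker" line admitting one NIS account, and a bare "+" admitting all of them, and it emulates the server side by publishing only UIDs above the minimum (100, the Fedora/Red Hat default the slide mentions), so root is never served from the map. Both files are constructed samples; the "+" lines use the standard six colons so that they split into the usual seven fields. One detail goes a step beyond the slide: non-empty fields on a "+" line override the NIS values, which is how a client can force a different shell for an NIS user.

```python
# Constructed local /etc/passwd on an NIS client, following the slide's sketch.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice Local:/home/alice:/bin/bash
+seker::::::
"""

# The same client with a bare '+' line: every published NIS account is admitted.
LOCAL_PASSWD_ALL = """\
root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice Local:/home/alice:/bin/bash
+
"""

# Constructed passwd file on the NIS master, the source of the published map.
NIS_SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
seker:x:1042:100:S. Eker:/home/seker:/bin/tcsh
bob:x:1043:100:Bob:/home/bob:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Split passwd lines into their colon-separated fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def publish_map(server_passwd, minuid=100):
    """What the server shares out: only accounts with UID above `minuid`,
    so root (UID 0) and system accounts stay local to each machine."""
    return {entry[0]: entry for entry in parse_passwd(server_passwd) if int(entry[2]) > minuid}


def resolve_account(local_passwd, nis_map, username):
    """Compat-mode lookup: local lines are consulted in order; a '+name' line
    pulls that one account from the NIS map, a bare '+' pulls any account.
    Non-empty fields on a '+' line override what the map says (assumption of
    this example, matching the documented compat behaviour)."""
    for entry in parse_passwd(local_passwd):
        name = entry[0]
        if not name.startswith("+"):
            if name == username:
                return dict(zip(FIELDS, entry))
            continue
        selector = name[1:]                   # '' for a bare '+'
        if selector and selector != username:
            continue
        nis_entry = nis_map.get(username)
        if nis_entry is None:                 # not published by the server (e.g. UID too low)
            continue
        merged = list(nis_entry)
        for i, override in enumerate(entry[1:7], start=1):
            if override:
                merged[i] = override
        return dict(zip(FIELDS, merged))
    return None


if __name__ == "__main__":
    nis = publish_map(NIS_SERVER_PASSWD)
    print(sorted(nis))                                           # root and daemon are not shared
    print(resolve_account(LOCAL_PASSWD, nis, "seker")["shell"])  # shell comes from the server
    print(resolve_account(LOCAL_PASSWD, nis, "bob"))             # not admitted by '+seker'
    print(resolve_account(LOCAL_PASSWD_ALL, nis, "bob")["uid"])  # admitted by bare '+'
```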
● ypserv is the server program
● yppasswd (maybe part of ypserv), used on the server for new passwords
● ypbind is the client program, which also runs on the server
● yppasswd, used on the client machine instead of passwd to change a user’s password.
● The reason that ypbind runs on server machines is that all server machines are also client machines.
Q&A