Cosc 4750 Domain Name Service (DNS)

Upload: yates

Post on 06-Jan-2016


DESCRIPTION

Domain Name Service (DNS), Cosc 4750 - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Cosc 4750

Cosc 4750

Domain Name Service (DNS)

Page 2: Cosc 4750

IP Addresses

• Machines on the Internet need an addressing scheme (or they couldn’t receive packets!)
• Each machine has a 32-bit (IPv4) address. Address blocks are allocated by the Internet Corporation for Assigned Names and Numbers (ICANN) to regional registries, which hand them out to networks:
  • In the U.S., American Registry for Internet Numbers (ARIN)
  • In Europe, Réseaux IP Européens (RIPE)
• Addresses are written in dotted decimal notation:
  • 128 . 2 . 218 . 2
  • 10000000 00000010 11011010 00000010
• Current max number of IP addresses = 2^32 ≈ 4,000,000,000

Page 3: Cosc 4750

Domain Names

• IP addresses are inconvenient to remember
  • 129.72.216.5 v. meru.cs.uwyo.edu (fully qualified)
• Domain names are alphanumeric aliases for IP addresses. They form a tree structure of FQDNs:

ROOT
  .GOV  .COM  .MIL  .NET  .EDU  .ORG  .IT
    UWYO  PITT  MIT  AMAZON  MCKINSEY  YAHOO
      GSIA  SDVC  CS  HEINZ
        YEN  MERU  DOLLAR  K2
          (leaf addresses shown on the slide: 207.237.113.94, 129.72.216.5, 208.216.182.15, 129.72.216.12)

Page 4: Cosc 4750

DNS services

• Name to IP translations
• Host aliasing
  – asuwlink.uwyo.edu, also known as w3.uwyo.edu, ftp.uwyo.edu, etc.
• Mail server aliasing
  – In Cosc, all mail goes to one machine, even if sent to different machines in the department
• Load distribution
  – One DNS name points to different machines; the DNS server then uses round robin (or better algorithms) to hand out the IP numbers.

Page 5: Cosc 4750

How it works

• At one point a single host held the name table (the HOSTS.TXT file) for all machines
  – provided a single point of failure
  – traffic volumes could overwhelm it
  – distant centralized database
  – maintenance
• Would be a real problem now.

Page 6: Cosc 4750

● Today, it functions in a hierarchy of name servers
● Lots of local name servers
  ● Provides easy updates and quick response since the data is local.
  ● Local name servers have the name servers of the parent zone above them, up to the root.
● 13 root servers (a.root-servers.net through m.root-servers.net), right now
● Root servers point to the top-level domain servers; they hold no host names, only the delegations (and the names of the root servers themselves).
● Each zone has authoritative name servers, and the delegation (NS records) one level higher in the hierarchy says which servers those are. That is what tells a resolver which servers to believe for a zone, so a rogue name server cannot simply claim a zone it does not own and misdirect people.

Page 7: Cosc 4750

DNS Namespace

● Two sorts of top-level domains (TLD)
  ● US (generic): .edu, .net, .com, .gov, .mil, .arpa (infrastructure only; in-addr.arpa holds the reverse lookups)
  ● Rest of the world: two-letter country codes: .us (USA), .au, .de, .fi, .dk, .is, .md, .tv, dozens of others.
● New ones are being added, .biz and several others.
● .edu, .com, .net, .arpa are used outside the US.

Page 8: Cosc 4750

DNS names

● Several countries have sold their domain
  ● .md (Moldova) sold to a company, now used for doctors and residents of Maryland
  ● .tv (Tuvalu) now used for television stations
● Squatting
  ● purchase a name but not use it, then sell it to a company for a huge profit.
  ● used for nationally/internationally recognized names
  ● also used for people using similar names
    ● i.e. www.whitehouse.com (porn site) vs. www.whitehouse.gov
● Companies are now successfully suing and getting the names changed.

Page 9: Cosc 4750

BIND software

● two versions common: v4 and v9
  ● 4 has been discontinued (v4.9.x); it was very stable, but being unsupported it no longer receives security fixes, so run 9
  ● 9 has many new features, but has had its own security issues
● the daemon that does the work is called named.
● Name servers come in three types:
  ● master, slave, cache/forwarding

Page 10: Cosc 4750

Example name server structure

ROOT
  .GOV  .COM  .MIL  .NET  .EDU  .ORG  .IT
    UWYO  PITT  MIT  AMAZON  MCKINSEY  YAHOO
      GSIA  SDVC  CS  HEINZ
        BIGHORN  MERU

Page 11: Cosc 4750

Config files

Forward lookup files:

  meru.cs.uwyo.edu.   IN A      129.72.216.4
  <hostname>          IN A      <IP>

Other parts:

  www.cs.uwyo.edu.    IN CNAME  hive.cs.uwyo.edu.
  <alias hostname>    IN CNAME  <canonical name (the real hostname)>

  hive.cs.uwyo.edu.   IN MX 0   alameda.cs.uwyo.edu.
  <hostname>          IN MX <preference>  <hostname to send the mail to>   (lowest preference is tried first)

                      IN NS     pike.cs.uwyo.edu.
  <no name>           IN NS     <hostname>   (no name = same owner as the line above, here the zone itself)

Two things to watch: a name that ends in a dot is absolute, while a name without one gets the zone’s $ORIGIN appended (a forgotten dot turns hive.cs.uwyo.edu into hive.cs.uwyo.edu.cs.uwyo.edu); and a name that has a CNAME may carry no other records, so the MX goes on the canonical name (hive), not on the alias (www), which is why the nslookup example later in the deck asks for the MX of hive.

You can also have multiple A (or MX) records for one name; named uses a round-robin method for handing them out:

  hive.cs.uwyo.edu.   IN A      129.72.216.51
                      IN A      129.72.216.50

Page 12: Cosc 4750

Subdomains in DNS

• These are uwyo.edu (parent zone) records:

  meru.cs.uwyo.edu.   IN A   129.72.216.4
  pike.cs.uwyo.edu.   IN A   129.72.216.13
  cs                  IN NS  meru.cs.uwyo.edu.
                      IN NS  pike.cs.uwyo.edu.

• When the uwyo.edu server gets a request for anything under cs.uwyo.edu, it refers the querier to meru or pike (the NS records delegate the subdomain). The two A records are glue: the name servers for cs live inside cs itself, so the parent has to supply their addresses or nobody could ever reach them.

Page 13: Cosc 4750

Reverse Name files

• The reverse zone lives under in-addr.arpa with the octets written backwards, so the PTR for 129.72.216.4 is:

  4.216.72.129.in-addr.arpa.   IN PTR   meru.cs.uwyo.edu.
  <reversed IP>.in-addr.arpa.  IN PTR   <name>

  (with $ORIGIN 216.72.129.in-addr.arpa. the owner is written as just 4)
• NS records are also included in the reverse name files as well.
• A and PTR records are maintained separately and drift apart, so anything that makes a decision on a reverse name should forward-confirm it: look up the PTR, then check that the name’s A record contains the original address.
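Added example (not from the slides or the course): a small zone-file loader for the forward and reverse records on slides 11 to 13, with the three checks a DNS admin runs before loading a zone (a CNAME mixed with other data, A records with no PTR, PTRs not confirmed by an A record) and the round-robin rotation from slide 11. The zone text is constructed in the slides' style; the host names and most addresses are the slides' own, alameda's address 129.72.216.20 is an assumption, and the www name deliberately repeats the original slide's CNAME-plus-MX mistake so the checker has something to catch.

```python
import ipaddress
from collections import defaultdict

# Constructed forward zone in the slides' style. alameda's address is assumed;
# www carries both a CNAME and an MX on purpose (the error the check flags).
FORWARD_ZONE = """\
$ORIGIN cs.uwyo.edu.
@        IN NS    pike.cs.uwyo.edu.
@        IN NS    meru.cs.uwyo.edu.
meru     IN A     129.72.216.4
pike     IN A     129.72.216.13
hive     IN A     129.72.216.51
hive     IN A     129.72.216.50
www      IN CNAME hive.cs.uwyo.edu.
www      IN MX 0  alameda.cs.uwyo.edu.
alameda  IN A     129.72.216.20
"""

# Constructed reverse zone for 129.72.216.0/24 (no PTR for alameda, on purpose).
REVERSE_ZONE = """\
$ORIGIN 216.72.129.in-addr.arpa.
4        IN PTR   meru.cs.uwyo.edu.
13       IN PTR   pike.cs.uwyo.edu.
51       IN PTR   hive.cs.uwyo.edu.
50       IN PTR   hive.cs.uwyo.edu.
"""


def parse_zone(text):
    """Return [(owner, type, [rdata fields])] with every owner made absolute.
    Handles $ORIGIN, '@', the trailing-dot rule and ';' comments; TTL fields
    and other classes are left out to keep the format the slides show."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, cls, rtype, *rdata = line.split()
        if cls != "IN":
            raise ValueError("only class IN handled: " + line)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin        # relative name: origin appended
        records.append((owner.lower(), rtype, rdata))
    return records


def reverse_name(ip):
    """129.72.216.4 -> 4.216.72.129.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def round_robin(records, name, rtype, query_number):
    """Order in which named hands out a multi-record RRset on the Nth answer."""
    rdatas = [rd[0] for owner, t, rd in records if owner == name and t == rtype]
    k = query_number % len(rdatas)
    return rdatas[k:] + rdatas[:k]


def check_zone(forward, reverse):
    """Problems a zone check should report: CNAME owners that also hold other
    data, A records with no PTR, PTR targets not confirmed by an A record."""
    problems = []
    by_owner = defaultdict(list)
    for owner, rtype, rdata in forward:
        by_owner[owner].append((rtype, rdata))
    for owner, rrs in by_owner.items():
        if any(t == "CNAME" for t, _ in rrs) and len(rrs) > 1:
            problems.append(f"{owner} has CNAME plus other records")
    ptr = {owner: rd[0].lower() for owner, t, rd in reverse if t == "PTR"}
    a_by_ip = defaultdict(set)
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_ip[rdata[0]].add(owner)
    for ip, owners in a_by_ip.items():
        target = ptr.get(reverse_name(ip))
        if target is None:
            problems.append(f"{ip} has A record(s) but no PTR")
        elif target not in owners:
            problems.append(f"PTR for {ip} says {target}, A records say {sorted(owners)}")
    for rname, target in ptr.items():          # forward-confirmed reverse check
        ip = ".".join(rname[:-len(".in-addr.arpa.")].split(".")[::-1])
        if ip not in {rd[0] for t, rd in by_owner.get(target, []) if t == "A"}:
            problems.append(f"PTR {rname} -> {target} not confirmed by an A record")
    return problems


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    for p in check_zone(fwd, rev):
        print("PROBLEM:", p)
    print(round_robin(fwd, "hive.cs.uwyo.edu.", "A", 1))
```

Run as a script it reports the www CNAME/MX clash and the missing PTR for 129.72.216.20, then shows the second rotation of hive's two addresses. The forward-confirmed check is the same test a mail server or tcp_wrappers applies to a connecting host, which is why a PTR that nobody maintains ends up costing real connections.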

Page 14: Cosc 4750

nslookup & dig

• nslookup meru.cs.uwyo.edu – provides the IP
• nslookup <return> – enters the program’s interactive shell
  > meru
    returns the IP number, 129.72.216.4
  > 129.72.216.4
    returns the name, meru

Page 15: Cosc 4750

  > set type=MX
  > hive.cs.uwyo.edu
    returns the mail exchanger (MX) record, alameda
• dig provides the same info, plus statistics: the record counts per section, the query time, and which server answered
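Added example (not from the slides): what nslookup or dig actually puts on the wire for the lookups above and how the reply is parsed, following the RFC 1035 message format. The reply bytes are constructed here by build_response, not captured from a server; the transaction ID 0x1234 and the MX preference 0 are assumed values. The ID check in parse_response is what a resolver relies on to discard a reply it did not ask for, which is why build_query draws the ID from os.urandom rather than a counter.

```python
import os
import struct


def encode_name(name):
    """RFC 1035 labels: 'meru.cs.uwyo.edu' -> 04 meru 02 cs 04 uwyo 03 edu 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Header (ID, flags RD=1, QDCOUNT=1) plus one question. The ID is the one
    field a blind spoofer has to guess, so it must not be predictable."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Read a name at msg[off], following compression pointers (0xC0xx).
    Returns (dotted name, offset just after the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg, expected_txid):
    """Return (rcode, [(owner, type, ttl, value), ...]) for the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:       # A: four address octets
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:                   # MX: 16-bit preference, then a name
            pref = struct.unpack("!H", rdata[:2])[0]
            exch, _ = decode_name(msg, off + 2)
            value = f"{pref} {exch}"
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((owner, rtype, ttl, value))
    return flags & 0xF, answers


def build_response(txid, name, rtype, rdatas, ttl=3600):
    """Constructed server reply (flags QR|RD|RA, rcode 0): the question echoed,
    then one RR per rdata whose owner is a pointer to the question name (offset 12)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    body = encode_name(name) + struct.pack("!HH", rtype, 1)
    for rd in rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return hdr + body


def demo_a():
    """'> meru': query plus a constructed reply carrying A 129.72.216.4."""
    txid, _query = build_query("meru.cs.uwyo.edu", 1, txid=0x1234)
    reply = build_response(txid, "meru.cs.uwyo.edu", 1, [bytes([129, 72, 216, 4])])
    return parse_response(reply, txid)


def demo_mx():
    """'> set type=MX' / '> hive.cs.uwyo.edu': constructed reply naming alameda."""
    rd = struct.pack("!H", 0) + encode_name("alameda.cs.uwyo.edu")
    reply = build_response(0x1234, "hive.cs.uwyo.edu", 15, [rd])
    return parse_response(reply, 0x1234)


if __name__ == "__main__":
    print(demo_a())
    print(demo_mx())
```

To send the query for real, write the bytes from build_query to UDP port 53 of a server from resolv.conf and feed the datagram you get back to parse_response; a 16-bit ID alone is a weak guard, so a real resolver also randomises the source port and checks that the echoed question matches.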

Page 16: Cosc 4750

/etc/resolv.conf

• File on UNIX listing the name servers (only the first three are used):

  nameserver 10.216.218.13
  nameserver 10.216.218.12
  nameserver 10.84.60.8
  search cs.uwyo.edu uwyo.edu

  (OR) domain cs.uwyo.edu

• search gives the suffixes tried on an unqualified name, in order; domain is the one-suffix form of the same thing, and whichever of the two appears last in the file wins.
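Added example (not from the slides): a parser for the resolv.conf above and the order in which the stub resolver tries names for a lookup. The file text is the slide's; the ndots rule (default 1) and the three-server limit are the resolver library's documented behaviour, and the www.google.com lookup in the usage is a constructed input.

```python
# The slide's /etc/resolv.conf.
RESOLV_CONF = """\
nameserver 10.216.218.13
nameserver 10.216.218.12
nameserver 10.84.60.8
search cs.uwyo.edu uwyo.edu
"""

MAXNS = 3   # the resolver library only uses the first three nameserver lines


def parse_resolv_conf(text):
    """Return the settings the stub resolver keeps: nameservers, search list, ndots."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args and len(conf["nameservers"]) < MAXNS:
            conf["nameservers"].append(args[0])
        elif key == "search":
            conf["search"] = args                  # search and domain override each
        elif key == "domain" and args:
            conf["search"] = [args[0]]             # other: the last one in the file wins
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    return conf


def candidates(name, conf):
    """Names the resolver tries, in order, for a lookup of `name`."""
    if name.endswith("."):
        return [name]                              # absolute: never expanded
    with_suffix = [f"{name}.{d}." for d in conf["search"]]
    absolute = name + "."
    if name.count(".") >= conf["ndots"]:
        return [absolute] + with_suffix            # looks qualified: as-is first
    return with_suffix + [absolute]                # short name: search list first


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    print(candidates("meru", conf))
    print(candidates("www.google.com", conf))     # constructed external name
```

The second case is why search lists get a look in a security review: when the absolute lookup of a mistyped external name fails, the resolver retries it under each suffix, so the name is seen by (and can be answered by) whoever controls cs.uwyo.edu and uwyo.edu. Writing names with a trailing dot, or raising ndots, stops the expansion.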

Page 17: Cosc 4750

win2k

• changed the standard for DNS
  – microsoft: embrace, extend, exterminate, or change two things and call it microsoft’s
  – Win2k comes with its own version of DNS (needs updating before use).
• BIND version 8 and 9 will accept microsoft’s implementation of DNS
  – named needs to accept the _ and - in the names Windows registers (the underscore-prefixed service records)
  – dynamic updates, but not Windows’ Kerberos 5 based secure updates (GSS-TSIG)

Page 18: Cosc 4750

Cosc 4750

NFS and NIS

Page 19: Cosc 4750

NFS

● NFS = Network File System
● NFS is almost transparent to the users and (in versions 2 and 3) is “stateless”, meaning that no client state is lost when an NFS server crashes; the client just retries until the server is back
● Introduced by Sun in 1985
● Used for sharing a “filesystem” from a server to client machines

Page 20: Cosc 4750

● Currently two versions in use
  ● NFS version 2
    ● All UNIX O/S can use this version
  ● NFS version 3
    ● Used by Sun, SGI, HP-UX, and FreeBSD
    ● used by most Linux distros, but a little buggy.
● NFS version 4
  ● still new, lots of problems with configurations.
  ● Is supposed to be able to deal with firewalls (a single TCP port, 2049, instead of portmap plus several dynamically assigned ports).

Page 21: Cosc 4750

● Filesystems and file ownership
  ● The server assumes that the client is using the same UIDs and GIDs: with the default AUTH_SYS credentials the client simply sends the numbers, and the server believes them.
  ● The server and the client had better be using the same set or there will be a major security problem (whoever holds a given UID on any allowed client owns that UID’s files on the server).

Page 22: Cosc 4750

● Root access
  ● An exported NFS filesystem can be set to block incoming root (UID 0) requests (root_squash: they are remapped to the nobody user instead).
  ● Since root on the client can su into another user’s account, root can still gain access to that user’s files.
  ● the nobody account
    ● UID -2, i.e. 65534 as an unsigned 16-bit value [two’s complement of -2]; squashed requests run as it, and it owns nothing.

Page 23: Cosc 4750

● File locking
  ● NFS file locking has a tendency to be “flaky”.
  ● Since so many machines can be using the same file at the same time, it is a difficult process, handled by lockd and statd.
● Disk quotas
  ● handled by the server’s filesystem, but the users on a remote system won’t know that unless rquotad is running on the server.

Page 24: Cosc 4750

Security

● By default NFS provides no security: AUTH_SYS just trusts the UID and GID the client puts in the request
● You can use Sun’s public key system (AUTH_DES, Secure RPC) or Kerberos for NFS
● If you have a firewall, you can block port 2049 (UDP and TCP); for v2/v3 also block portmap (111) and the mountd, lockd and statd ports, since a client that reaches portmap can locate the rest
  ● unless you are using Sun’s WebNFS

Page 25: Cosc 4750

Server-Side NFS

● It uses nfsd, mountd, and portmap (since NFS relies on RPC)
● mountd and nfsd rely on a file that tells them what filesystems are to be exported
  – /etc/exports (Solaris: /etc/dfs/dfstab)
● To tell mountd and nfsd you changed the file, you must run: exportfs -a (exportfs -ra also drops exports you removed from the file; Solaris: shareall)

Page 26: Cosc 4750

exports file

● The syntax is different between vendors
● 1 line for each filesystem to be exported, and the following can be (are) listed:
  – the filesystem
  – computers that have read/write privs
  – computers that have read-only privs
  – computers that have root privs

Page 27: Cosc 4750

● If a machine is listed by its name (NOT the IP number)
  ● Then the machine name and IP number must be listed in the /etc/hosts file (or resolvable in DNS). Otherwise, it will be denied access: the server reverse-maps the client’s IP to a name and compares that name with the list.
● Some NFS servers allow a wildcard *
  ● Fedora/Red Hat Linux does

Page 28: Cosc 4750

Example

• Red Hat version

  /home       meru(rw,no_root_squash) *.cs.uwyo.edu(rw)
  /usr/local  *.cs.uwyo.edu(rw)
  /var        *.cs.uwyo.edu(ro)

  (no space is allowed between a host and its option list: "meru (rw)" would give meru the default options and export the directory read-write to every host)

• Standard NFS (not used by many vendors though)

  /meru3  rw,access=meru:alameda:k2,root=meru
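Added example (not from the slides): a parser for the Red Hat exports lines above, the findings an auditor would pull out of them, and a simulation of how the server treats the requester's UID (root_squash to the nobody UID 65534 of slide 22 unless no_root_squash is set). The exports text is the slide's; the client host names k2.cs.uwyo.edu and evil.example.org and the UID 1001 used in the checks are constructed. Linux's all_squash, anonuid and subnet syntax are not modelled.

```python
import fnmatch

# Constructed from the Red Hat example on slide 28.
EXPORTS = """\
/home      meru(rw,no_root_squash) *.cs.uwyo.edu(rw)
/usr/local *.cs.uwyo.edu(rw)
/var       *.cs.uwyo.edu(ro)
"""

NOBODY_UID = 65534   # -2 as an unsigned 16-bit value, the "nobody" of slide 22


def parse_exports(text):
    """Return {path: [(client pattern, {options}), ...]} in file order.
    A bare '(opts)' with no host, or no client at all, means every host."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for c in clients:
            if "(" in c:
                host, opts = c.rstrip(")").split("(", 1)
                entries.append((host or "*", set(opts.split(","))))
            else:
                entries.append((c, set()))          # default options only
        exports[path] = entries or [("*", set())]
    return exports


def audit(exports):
    """Findings an auditor pulls out of an exports file."""
    findings = []
    for path, entries in exports.items():
        for host, opts in entries:
            if host == "*":
                findings.append(f"{path}: exported to every host")
            if "no_root_squash" in opts:
                findings.append(f"{path}: {host} keeps root (no_root_squash)")
            if "rw" in opts and host.startswith("*"):
                findings.append(f"{path}: read-write for wildcard {host}")
    return findings


def effective_uid(exports, path, client, uid):
    """UID the server acts as for a request from `client` carrying `uid`, or
    None if no entry admits the client. The first matching entry wins, and the
    Linux default is root_squash: UID 0 becomes NOBODY_UID unless the entry
    says no_root_squash. Any other UID is taken at face value (AUTH_SYS)."""
    for host, opts in exports.get(path, []):
        if fnmatch.fnmatchcase(client, host):
            if uid == 0 and "no_root_squash" not in opts:
                return NOBODY_UID
            return uid
    return None


if __name__ == "__main__":
    ex = parse_exports(EXPORTS)
    for f in audit(ex):
        print("FINDING:", f)
    # root on a wildcard client is squashed, but the same root can su to 1001
    # (constructed UID) and then read 1001's files with no squashing at all
    print(effective_uid(ex, "/home", "k2.cs.uwyo.edu", 0))
    print(effective_uid(ex, "/home", "k2.cs.uwyo.edu", 1001))
```

The space pitfall from the slide text shows up directly: "/home meru (rw)" parses as two entries, meru with default options and * with rw, and audit reports the export to every host.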

Page 29: Cosc 4750

Client-side NFS

● Talks to the server’s mountd to obtain the filehandle, and may run the nfsiod (biod) daemons for client-side read-ahead and write-behind.
• auto mounting on boot
  – uses /etc/fstab (/etc/vfstab for Sun)
● manual mounting
  – uses the mount command
  – mount <machine>:<filesystem> <mount point>

Page 30: Cosc 4750

● fstab file, used for both NFS and local drives
● What it looks like:
  <machine>:<filesystem>  <mount point>  nfs  <flags>  0 0
● flags (some of them):
  rw    read/write
  ro    read only
  bg    background the mount of the filesystem (keep retrying in the background if the server is down at boot)
  soft  if the NFS server fails, access fails with an error
  hard  if the NFS server fails, access is blocked until the server returns
  intr  allows users to interrupt blocked operations

Page 31: Cosc 4750

Stats and debugging

● nfsstat -s
  ● shows stats and information about an NFS server: RPC stats, timeouts, and counts of the filesystem operations
● nfsstat -c
  ● the same for an NFS client

Page 32: Cosc 4750

● showmount
  ● lists all hosts that have mounted an NFS filesystem
● showmount -a
  ● lists all hosts and what they mounted
● showmount -d
  ● lists all the filesystems that have been mounted
● showmount -e
  ● lists all exported filesystems and who can mount them
● showmount [-a -e -d] <host>
  ● same as above, but for a remote host. None of this needs authentication, so showmount -e <host> is also the first thing an attacker runs against an NFS server: it reveals every export and its allowed client list.

Page 33: Cosc 4750

automatic mounting

● Besides mounting at boot time, an automounting daemon can be set up to mount the filesystem only when needed and unmount it when no longer used.
● Allows you to provide a list of replicated filesystems, for the case that an NFS server fails.

Page 34: Cosc 4750

NIS

● NIS: the Network Information Service
● originally called Sun Yellow Pages (yp), but British Telecom held the “Yellow Pages” trademark, so Sun changed the name (the yp prefix survives in the command names).
● Allows you to share account information (passwd, shadow, group), as well as other system files, like hosts and services.

Page 35: Cosc 4750

Advantages

● You can set up a user account on one machine and the information is distributed out to the other machines in the group.
● The user can then log in to any machine in the group
● Combined with NFS, the user has the same file space and account information on a variety of computers.

Page 36: Cosc 4750

How it works.

● One computer acts as a master server
● Other machines can act as slave servers
● Client machines then ask for information from a server (master or slave).
● Example of a client password file:

  … normal password lines
  +seker:::::::     user seker (from NIS) can have access
  +                 all NIS accounts have access

Page 37: Cosc 4750

● All information about the user is gotten from the server’s password map
● So for user seker, the client asks the server which shell to use (fields left empty in the + line come from NIS; a field filled in locally overrides it)
● For security reasons, only UIDs over 100 are shared out in Fedora/Red Hat (MINUID in /var/yp/Makefile).
● Can be configured to share all UIDs, except root.
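Added example (not from the slides): what ypserv publishes from the master's passwd file, and how a client in compat mode applies the + lines from slide 36. The master and client passwd contents are constructed (seker is the slide's user; yates is a second constructed account); MINUID follows slide 37's figure of 100.

```python
MINUID = 100   # slide 37: only UIDs above this are shared (MINUID in /var/yp/Makefile)

# Constructed /etc/passwd on the NIS master. seker is the slide's user.
MASTER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
seker:x:1001:1001:S. Eker:/home/seker:/bin/tcsh
yates:x:1002:1002:J. Yates:/home/yates:/bin/bash
"""

# Constructed client /etc/passwd files in compat mode (slide 36's two forms).
CLIENT_PASSWD_ONE = """\
root:x:0:0:root:/root:/bin/bash
+seker:::::::
"""
CLIENT_PASSWD_ALL = """\
root:x:0:0:root:/root:/bin/bash
+
"""


def parse_passwd(text):
    """[[name, passwd, uid, gid, gecos, home, shell], ...], comments skipped."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def build_passwd_map(master_text, minuid=MINUID):
    """What 'make' in /var/yp publishes as passwd.byname: every account whose
    UID is above minuid, so root and the system accounts stay local."""
    return {row[0]: row for row in parse_passwd(master_text) if int(row[2]) > minuid}


def resolve_client(client_text, nis_map):
    """Apply the client's passwd file in order. '+name' pulls one NIS account,
    a bare '+' pulls them all. A field left empty on the + line is taken from
    NIS; a field filled in locally overrides it (so the client asks the server
    which shell seker uses, unless the + line says otherwise)."""
    users = {}
    for row in parse_passwd(client_text):
        name = row[0]
        if not name.startswith("+"):
            users[name] = row
            continue
        row = (row + [""] * 7)[:7]                   # '+' alone has no fields
        wanted = [name[1:]] if name[1:] else list(nis_map)
        for u in wanted:
            if u in nis_map and u not in users:      # local entries win
                merged = [local or remote
                          for local, remote in zip(row[1:], nis_map[u][1:])]
                users[u] = [u] + merged
    return users


if __name__ == "__main__":
    nis = build_passwd_map(MASTER_PASSWD)
    print(sorted(nis))                                         # root and bin held back
    print(resolve_client(CLIENT_PASSWD_ONE, nis)["seker"][6])  # shell fetched from NIS
    print(sorted(resolve_client(CLIENT_PASSWD_ALL, nis)))
```

The cutoff is the only filtering the map gets: anyone who can reach ypserv and knows the NIS domain name can pull the whole map with ypcat, which is why root is held back and why password hashes belong in a separate shadow map rather than in passwd.byname.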

Page 38: Cosc 4750

● ypserv is the server program
● rpc.yppasswdd, used on the master server to accept password changes
● ypbind is the client program, which also runs on the server
● yppasswd, used on the client machine instead of passwd to change a user’s password.

Page 39: Cosc 4750

● The reason that ypbind runs on server machines is that all server machines are also client machines.

Page 40: Cosc 4750

Q&A