DNS for Developers - NDC Oslo 2016
TRANSCRIPT
![Page 1: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/1.jpg)
DNS for Developers
Maarten Balliauw - @maartenballiauw
![Page 2: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/2.jpg)
“Can we add a CNAME to the DNS?” - Manager
![Page 3: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/3.jpg)
“Sure, why?” - Me
![Page 4: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/4.jpg)
“foo.bar.com should redirect to http://bar.com/foo.aspx” - Manager
![Page 5: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/5.jpg)
![Page 6: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/6.jpg)
Who am I?
- Maarten Balliauw, Antwerp, Belgium
- Software Engineer, Microsoft
- Founder, MyGet and AZUG
- Focus on web: ASP.NET MVC, Azure, SignalR, ...
- Former MVP Azure & ASPInsider
- Big passion: Azure
- http://blog.maartenballiauw.be - @maartenballiauw
- Shameless self promotion: Pro NuGet - http://amzn.to/pronuget2
![Page 7: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/7.jpg)
Agenda
- The 101 stuff: how the Internet works (the DNS part), DNS zones, security
- DNS in application architecture: failover, load balancing, CDN; configuration and service discovery
- DNS for fun and profit
![Page 8: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/8.jpg)
How the Internet works(the DNS part)
![Page 9: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/9.jpg)
“Let’s Google!”
![Page 10: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/10.jpg)
“Let’s Google!”
- We need an IP address for www.google.com
- Use the Domain Name System (the Internet's “phone book”)
- Map www.google.com to 216.58.213.100 / 2a00:1450:4009:80f::2004
- After which the browser will do its HTTP magic
![Page 11: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/11.jpg)
“Let’s Google!”
1. Check the operating system (hosts file, ...)
2. Check the local DNS cache
3. Ask the home router (which forwards the query)
4. Check the DNS cache at the ISP's recursive resolver; not in cache? Iterate!
![Page 12: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/12.jpg)
“Let’s Google!”
1. Ask the root servers where .com. lives
2. Ask a .com. authoritative server where google.com. lives
3. Ask a google.com. authoritative server for the IP address of www.google.com.
![Page 13: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/13.jpg)
Digging into the DNSDEMO
![Page 14: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/14.jpg)
DNS: 2 types of servers
- Authoritative: “owns the domain” (serves the zone data)
- Cache (recursive resolver): “resolves the domain for you”
![Page 15: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/15.jpg)
DNS
- Designed in 1983 by Paul Mockapetris (then at USC's Information Sciences Institute; RFC 882 and 883)
- Converts hostnames to IP addresses
- Stores mail delivery information for a domain
- Stores other information for a domain (TXT records)
![Page 16: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/16.jpg)
How do I get a domain name?
- TLDs are managed by separate organisations: Verisign (.com), DNS Belgium (.be), EURid (.eu), ...
- Rules! Who can register a name, ownership change procedures, disputes, technical rules
- Usually domain registration is done through a registrar, e.g. DNSimple - http://bit.ly/dns4developers
![Page 17: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/17.jpg)
Hierarchical system (tree diagram on the slide): the root (.) at the top; below it the TLDs (com, org, be, …); below those the domains (e.g. example); below those the hosts (www, staff, …). A full name is the path from a node up to the root.
![Page 18: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/18.jpg)
Root servers
- 13 root server identities (a to m.root-servers.net) run by 12 operators, ICANN being one of them - http://root-servers.org/
- Why only 13? Classic DNS over UDP limits a response to 512 bytes; a priming response listing more than 13 name servers would not fit
- There are many more physical servers: each identity is anycast from many sites
![Page 19: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/19.jpg)
gTLD, ccTLD, iTLD, … servers
- Delegation from the root servers to the gTLD, ccTLD, iTLD, … servers
- The list is managed by IANA: http://www.iana.org/domains/root/db
- Answers “where does .tld live?”
![Page 20: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/20.jpg)
Root servers are a convention!
- Every resolver ships with the root hints (the root servers' addresses), but they can be replaced
- E.g. www.opennicproject.org: runs its own TLDs as well (.bit, .free, .null, .oss, …); not widely used (?) as it is an alternate realm
- E.g. www.orsn.org (Open Root Server Network): mirrors the ICANN root servers to reduce over-dependence on the USA, with an “independent mode” in case the political situation requires it
![Page 21: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/21.jpg)
Caches, caches everywhere!
“Let’s change the IP address for our webserver in the DNS”
- Caches in recursive resolvers (e.g. at ISPs): check propagation with https://www.whatsmydns.net/
- Caches in the OS: ipconfig /flushdns (Windows)
- Caches in the application (e.g. in IE): restart the browser
- Lower the TTL beforehand, and wait at least one old TTL before making the change
![Page 22: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/22.jpg)
DNS zones
![Page 23: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/23.jpg)
DNS zone
“A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR). A zone file may be either a DNS master file, authoritatively describing a zone, or it may be used to list the contents of a DNS cache.” [1]
![Page 24: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/24.jpg)
DNS zone

```
$ORIGIN example.com.     ; designates the start of this zone file in the namespace
$TTL 1h                  ; default expiration time of all resource records
example.com.  IN  SOA   ns.example.com. username.example.com. ( 2007120710 1d 2h 4w 1h )
example.com.  IN  NS    ns                    ; ns.example.com is a nameserver for example.com
example.com.  IN  NS    ns.somewhere.example. ; another nameserver
example.com.  IN  MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com
@             IN  MX    20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
@             IN  MX    50 mail3              ; equivalent to above line, but using a relative host name
example.com.  IN  A     192.0.2.1             ; IPv4 address for example.com
              IN  AAAA  2001:db8:10::1        ; IPv6 address for example.com
ns            IN  A     192.0.2.2             ; IPv4 address for ns.example.com
www           IN  CNAME example.com.          ; www.example.com is an alias for example.com
mail          IN  A     192.0.2.3             ; IPv4 address for mail.example.com
mail2         IN  A     192.0.2.4             ; IPv4 address for mail2.example.com
mail3         IN  A     192.0.2.5             ; IPv4 address for mail3.example.com
```
![Page 25: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/25.jpg)
DNS zone
- Contains records describing a domain: value + TTL
- At the minimum a Start of Authority (SOA) record: “which server stores all the information about the domain I want to look up”
  - Name of the authoritative master (primary) name server
  - Email address of someone responsible for managing the zone (written with a dot in place of the @)
  - Expiration parameters: serial #, slave refresh, slave retry time, slave expiration time, and the minimum / negative-caching TTL
![Page 26: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/26.jpg)
DNS zone - typical other records:
- NS: who are my nameservers? (also used for subdomain delegation)
- A: IPv4 address
- AAAA: IPv6 address
- CNAME: alias for another name (NOT an HTTP redirect)
- MX: mail exchangers for the domain, with priorities
- TXT: textual value, often used to validate domain ownership, publish spam rules (SPF), …
- SRV: describes a service: type, priority, weight, port and target host
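The zone-file conventions used above ($ORIGIN, $TTL, the "@" shorthand, relative names, a blank owner that inherits the previous one, ";" comments and parenthesised continuations) are easy to get wrong by hand. The parser below is an added example written for this page, not code from the talk; its ZONE text is a copy of the example.com zone on the slide with the SOA spread over several lines, and the lint checks (a CNAME may not coexist with other records at the same name, NS and MX targets must not be CNAMEs, in-zone NS targets need an address record) are the ones a resolver or a mail server will trip over:

```python
"""Zone file parser for the slide's example.com zone, with sanity checks.

Added example for this page, not the talk's code. ZONE is a copy of the zone on
the slide; TYPES only lists the record types the talk mentions.
"""
import re

ZONE = """\
$ORIGIN example.com.     ; designates the start of this zone file in the namespace
$TTL 1h                  ; default expiration time of all resource records
example.com.  IN  SOA   ns.example.com. username.example.com. (
                        2007120710 ; serial
                        1d 2h 4w 1h )  ; refresh, retry, expire, negative-caching TTL
example.com.  IN  NS    ns                    ; ns.example.com is a nameserver for example.com
example.com.  IN  NS    ns.somewhere.example. ; another nameserver
example.com.  IN  MX    10 mail.example.com.
@             IN  MX    20 mail2.example.com. ; "@" represents the zone origin
@             IN  MX    50 mail3              ; relative host name
example.com.  IN  A     192.0.2.1
              IN  AAAA  2001:db8:10::1        ; blank owner: same owner as the previous line
ns            IN  A     192.0.2.2
www           IN  CNAME example.com.          ; alias, NOT a redirect
mail          IN  A     192.0.2.3
mail2         IN  A     192.0.2.4
mail3         IN  A     192.0.2.5
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "SRV", "PTR"}
NAME_RDATA = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # rdata fields that hold names

def parse_ttl(text):
    """'300' -> 300, '1h' -> 3600, '1w2d' -> 777600."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", text.lower()))

def absolute(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def logical_lines(text):
    """Yield (line, owner_is_blank) with ';' comments removed and '( ... )' spans joined."""
    buf, depth, blank = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]   # no quoted-string handling: a TXT containing ';' needs more
        if not buf:
            blank = raw[:1] in (" ", "\t")
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []
            if joined.strip():
                yield joined, blank

def parse_zone(text):
    """Return (origin, [(owner, ttl, class, type, rdata_tuple), ...]) with every name made absolute."""
    origin, default_ttl, owner, records = None, None, None, []
    for line, owner_blank in logical_lines(text):
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        if tok[0] == "$TTL":
            default_ttl = parse_ttl(tok[1])
            continue
        if not owner_blank:
            owner = absolute(tok.pop(0), origin)
        ttl, cls = default_ttl, "IN"
        while tok[0].upper() not in TYPES:        # optional TTL and class, in either order
            field = tok.pop(0)
            if field.upper() == "IN":
                cls = "IN"
            else:
                ttl = parse_ttl(field)
        rtype, rdata = tok.pop(0).upper(), tok
        for i in NAME_RDATA.get(rtype, []):
            rdata[i] = absolute(rdata[i], origin)
        if rtype == "MX":
            rdata[0] = int(rdata[0])
        if rtype == "SOA":                          # serial, refresh, retry, expire, minimum
            rdata[2:] = [int(rdata[2])] + [parse_ttl(x) for x in rdata[3:]]
        records.append((owner, ttl, cls, rtype, tuple(rdata)))
    return origin, records

def lint(origin, records):
    """Return human-readable problems a resolver or mail server would choke on."""
    types_at = {}
    for owner, _, _, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = [f"{o}: CNAME cannot coexist with other records"
                for o, t in types_at.items() if "CNAME" in t and len(t) > 1]
    for owner, _, _, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = rdata[-1]
            if "CNAME" in types_at.get(target, ()):
                problems.append(f"{owner} {rtype}: target {target} is a CNAME")
            if rtype == "NS" and target.endswith("." + origin) and not types_at.get(target, set()) & {"A", "AAAA"}:
                problems.append(f"{owner} NS: in-zone target {target} has no address record (missing glue)")
    return problems
```

Run `parse_zone(ZONE)` and then `lint(origin, records)`; the slide's zone parses to 13 records and lints clean, while a zone that puts a CNAME on a name also used as an NS or MX target produces one problem line per offending record.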
![Page 27: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/27.jpg)
PTR
- “Reverse DNS” (IP address to name, under in-addr.arpa / ip6.arpa), used by diagnostic tools like ping and traceroute
- Email anti-spam uses it as well: check that the connecting IP address resolves back to the name given in EHLO
![Page 28: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/28.jpg)
Zone transfer
- Usually more than one nameserver for a zone: 1 primary, other secondaries
- No need to maintain zones on every slave!
- Zone transfer (AXFR / IXFR):
  - The primary knows the secondaries' IPs (we don't want to transfer to anyone out there: an unrestricted AXFR hands your complete host inventory to whoever asks, so restrict it by address and sign it with TSIG)
  - A secondary knows the zone name and queries the primary over TCP (port 53) to replicate the data
  - Uses the SOA serial to check the zone version and decide whether to update
![Page 29: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/29.jpg)
Security
![Page 30: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/30.jpg)
DNS cache poisoning
Consider this DNS zone…

```
$ORIGIN evil.com.
$TTL 1h
evil.com.        IN SOA ns.evil.com. username.example.com. ( 2007120710 1d 2h 4w 1h )
evil.com.        IN NS  ns1.google.com.
ns1.google.com.  IN A   123.123.123.123
```

…and consider this web page:

```html
<!-- ... --><img src="http://www.evil.com/image.gif"/><!-- ... -->
```
![Page 31: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/31.jpg)
DNS cache poisoningDEMO
![Page 32: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/32.jpg)
DNSSEC (Domain Name System Security Extensions)
- Set of extensions to DNS for origin authentication and integrity: is the record really coming from the proper name server, and was it modified on the way?
- Adds signing support (and signed delegation): each zone signs its records, and the parent publishes a hash of the child's key (DS)
- Top-down chain of trust: the root servers have DNSSEC, the gTLD servers have DNSSEC, …
- Validation normally happens in the recursive resolver; the last hop to the stub is only covered if you run a validating resolver locally
- Why did that demo work? The custom resolver did not validate DNSSEC, so the chain of trust was broken, and it accepted the out-of-bailiwick glue for ns1.google.com that the evil.com server handed it
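The resolution walk from the root, the caches with their TTLs, and the poisoning demo above all come together in a resolver's cache admission policy. The simulation below is an added example written for this page, not the talk's demo code: every “server” is an in-memory table keyed by an illustrative 192.0.2.0/24 address, so nothing touches the network. The evil.com data mirrors the zone on the poisoning slide (NS pointing at ns1.google.com. plus a bogus glue record), and the only difference between the vulnerable and the safe resolver is the bailiwick check: records are cached only if their owner lies under the zone the server was asked about. Modern resolvers add source-port and query-ID randomisation and DNSSEC validation on top of this.

```python
"""Simulated iterative resolution with a TTL cache and a bailiwick check.

Added example for this page, not the talk's code. SERVERS, names, TTLs and all
addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str                                          # zone this server is authoritative for
    delegations: dict = field(default_factory=dict)    # child zone -> [(ns name, glue ip)]
    records: dict = field(default_factory=dict)        # (owner, type) -> (ttl, rdata)
    extra_authority: list = field(default_factory=list)   # RRs the server adds to every answer
    extra_additional: list = field(default_factory=list)

ROOT_IP = "192.0.2.1"
SERVERS = {
    ROOT_IP:     Zone(".", delegations={"com.": [("a.gtld-servers.net.", "192.0.2.2")]}),
    "192.0.2.2": Zone("com.", delegations={"google.com.": [("ns1.google.com.", "192.0.2.3")],
                                          "evil.com.": [("ns.evil.com.", "192.0.2.4")]}),
    "192.0.2.3": Zone("google.com.", records={("www.google.com.", "A"): (300, "192.0.2.30")}),
    # Attacker's authoritative server: answers for www.evil.com, claims ns1.google.com as its
    # nameserver and supplies glue pointing at a box the attacker controls.
    "192.0.2.4": Zone("evil.com.", records={("www.evil.com.", "A"): (3600, "192.0.2.40")},
                      extra_authority=[("evil.com.", "NS", 3600, "ns1.google.com.")],
                      extra_additional=[("ns1.google.com.", "A", 3600, "192.0.2.66")]),
    # That box, impersonating google.com's nameserver.
    "192.0.2.66": Zone("google.com.", records={("www.google.com.", "A"): (300, "192.0.2.66")}),
}

def query(server_ip, qname, qtype):
    """Return (answer, authority, additional) lists of RRs; RR = (owner, type, ttl, rdata)."""
    z = SERVERS[server_ip]
    for child, nss in z.delegations.items():            # referral for a delegated child zone
        if qname == child or qname.endswith("." + child):
            return ([], [(child, "NS", 172800, ns) for ns, _ in nss],
                    [(ns, "A", 172800, ip) for ns, ip in nss])
    rr = z.records.get((qname, qtype))
    answer = [(qname, qtype, rr[0], rr[1])] if rr else []
    return answer, list(z.extra_authority), list(z.extra_additional)

def in_bailiwick(owner, zone):
    """True if owner is at or below zone (everything is below the root)."""
    return zone == "." or owner == zone or owner.endswith("." + zone)

class Resolver:
    def __init__(self, bailiwick_check, clock):
        self.bailiwick_check, self.clock = bailiwick_check, clock
        self.cache = {}                 # (owner, type) -> (expiry, rdata)
        self.upstream_queries = 0

    def _get(self, owner, rtype):
        hit = self.cache.get((owner, rtype))
        if hit and hit[0] > self.clock():
            return hit[1]
        self.cache.pop((owner, rtype), None)            # expired entries are dropped
        return None

    def _put(self, rr, zone):
        owner, rtype, ttl, rdata = rr
        if self.bailiwick_check and not in_bailiwick(owner, zone):
            return                                      # never cache out-of-bailiwick data
        if self._get(owner, rtype) is None:             # first unexpired entry wins
            self.cache[(owner, rtype)] = (self.clock() + ttl, rdata)

    def resolve(self, qname, qtype="A"):
        cached = self._get(qname, qtype)
        if cached:
            return cached
        server_ip, zone = ROOT_IP, "."
        for _ in range(8):                              # bound the referral chain
            self.upstream_queries += 1
            answer, authority, additional = query(server_ip, qname, qtype)
            for rr in answer + authority + additional:
                self._put(rr, zone)
            if answer:
                return answer[0][3]
            ns_owner, _, _, ns_name = next(rr for rr in authority if rr[1] == "NS")
            glue = self._get(ns_name, "A") or next(g[3] for g in additional if g[0] == ns_name)
            server_ip, zone = glue, ns_owner            # follow the referral
        raise RuntimeError("referral loop")

class Clock:
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

def poisoning_demo(bailiwick_check):
    """Resolve www.evil.com first (as the <img> tag forces), then www.google.com three times."""
    clock = Clock()
    r = Resolver(bailiwick_check, clock)
    r.resolve("www.evil.com.")
    first = r.resolve("www.google.com.")
    queries_so_far = r.upstream_queries
    second = r.resolve("www.google.com.")               # answered from cache
    clock.advance(301)                                  # the A record's 300 s TTL has elapsed
    third = r.resolve("www.google.com.")                # re-resolved; poisoned glue (TTL 3600) still cached
    return first, second, third, queries_so_far, r.upstream_queries
```

`poisoning_demo(False)` returns 192.0.2.66 for www.google.com on every attempt, because the naive cache kept the attacker's glue and then used it instead of the glue the .com servers handed out; `poisoning_demo(True)` returns 192.0.2.30 throughout, and in both cases the second lookup costs no upstream queries.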
![Page 33: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/33.jpg)
DNS amplification for DDoS
- DNS recursion is awesome! (and often on by default)
- Lots of DNS servers out there have recursion enabled for everyone: lots of open resolvers
- Saturate a victim's network connection by using open DNS resolvers: a small query yields a large response
- DNS over UDP needs no handshake, so the source IP address is never verified: spoof it to the victim's address
![Page 34: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/34.jpg)
DNS amplification for DDoS (diagram on the slide): the attacker sends small, spoofed requests (type ANY, source IP = victim IP) to many open DNS resolvers; each resolver sends its large, real response to the victim.
![Page 35: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/35.jpg)
DNS amplification for DDoS - mitigations
- Make sure to disable recursion on authoritative servers, or limit it to known, trusted networks
- Rate-limit responses per client and name (RRL) on authoritative servers, so a flood of identical queries from one spoofed source is dropped or truncated
- Use a DDoS filtering service: Akamai, CloudFlare, Verisign, ...
- Stop spoofed packets where they originate: ingress filtering at the network edge (BCP 38); a stateful-inspection firewall in front of the resolver cannot tell a spoofed UDP query from a real one
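To see the numbers behind the amplification slides, the block below builds real DNS wire-format messages (RFC 1035 header and question, EDNS0 OPT record per RFC 6891, TXT answers with a compression pointer) for a constructed zone and computes how many response bytes a 40-byte spoofed ANY query pulls out of a server. It then applies a token-bucket response rate limiter of the kind authoritative servers implement: over the limit, every second response is sent truncated (TC=1, answers stripped) so a genuine client retries over TCP, which a spoofer cannot complete, and the rest are dropped. This is an added example for this page, not code from the talk; the zone content, limits and IP addresses are constructed, and nothing is sent on the network.

```python
"""DNS amplification factor and response rate limiting (RRL), offline.

Added example for this page, not the talk's code. ZONE_TXT, the 192.0.2.99
victim address and the rate-limit parameters are constructed for illustration.
"""
import struct

QTYPE_TXT, QTYPE_ANY, QTYPE_OPT, CLASS_IN = 16, 255, 41, 1

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def chunks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]

def build_query(qid, qname, qtype, edns_bufsize=4096):
    """Standard query (RD=1) plus an EDNS0 OPT pseudo-record advertising a large UDP buffer,
    which is what lets a server send responses far beyond the classic 512-byte limit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=0 (flags), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt

def build_response(qid, qname, qtype, txt_records, truncated=False):
    """Authoritative response (QR=1, AA=1, RD echoed); answers use a compression pointer
    (0xC00C) to the question name. A truncated response (TC=1) carries no answers."""
    flags = 0x8500 | (0x0200 if truncated else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if truncated:
        return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question
    answers = b""
    for txt in txt_records:                      # TXT rdata = sequence of <=255-byte strings
        rdata = b"".join(bytes([len(c)]) + c for c in chunks(txt.encode(), 255))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, len(txt_records), 0, 0) + question + answers

class ResponseRateLimiter:
    """Per-(client, qname) token bucket: `per_second` full answers, then every `slip`-th
    excess response is truncated (client may retry over TCP) and the others are dropped."""
    def __init__(self, per_second, slip=2):
        self.per_second, self.slip = per_second, slip
        self.buckets, self.overflow = {}, {}

    def decide(self, client_ip, qname, now):
        key = (client_ip, qname)
        tokens, last = self.buckets.get(key, (self.per_second, now))
        tokens = min(self.per_second, tokens + (now - last) * self.per_second)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return "answer"
        self.buckets[key] = (tokens, now)
        self.overflow[key] = self.overflow.get(key, 0) + 1
        return "truncate" if self.overflow[key] % self.slip == 0 else "drop"

# Constructed zone content: a long SPF record and three DKIM-sized keys make ANY answers fat.
ZONE_TXT = ["v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(40)) + " -all"] + \
           ["v=DKIM1; k=rsa; p=" + "A" * 380 for _ in range(3)]

def flood(n_queries, victim_ip="192.0.2.99", rrl=None):
    """n spoofed ANY queries (source = victim) within one second.
    Returns (bytes_in, bytes_out_to_victim, truncated, dropped)."""
    bytes_in = bytes_out = truncated = dropped = 0
    for i in range(n_queries):
        q = build_query(i, "example.com.", QTYPE_ANY)
        bytes_in += len(q)
        verdict = rrl.decide(victim_ip, "example.com.", now=i / n_queries) if rrl else "answer"
        if verdict == "drop":
            dropped += 1
            continue
        r = build_response(i, "example.com.", QTYPE_ANY, ZONE_TXT, truncated=(verdict == "truncate"))
        truncated += verdict == "truncate"
        bytes_out += len(r)
    return bytes_in, bytes_out, truncated, dropped

def amplification(n_queries, rrl=None):
    """Bytes delivered to the victim per byte the attacker had to send."""
    bytes_in, bytes_out, _, _ = flood(n_queries, rrl=rrl)
    return bytes_out / bytes_in
```

Without RRL the constructed zone yields roughly 45 response bytes per query byte; with a 5-per-second bucket and slip 2 the same flood of 100 queries produces fewer than ten full answers and the victim receives only a few bytes per attacker byte, most of them 29-byte truncated headers.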
![Page 36: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/36.jpg)
DNS in application architecture
![Page 37: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/37.jpg)
DNS failover / load balancing
Simple “round-robin”:

```
www.example.local. IN A 192.168.0.1
www.example.local. IN A 192.168.0.2
www.example.local. IN A 192.168.0.3
```

- Most DNS servers rotate which IP address comes first in the list
- Issues: what if one of the addresses is unreachable? What if the order is cached at the ISP?
![Page 38: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/38.jpg)
DNS failover / load balancing
- Intelligent DNS server, e.g. Azure Traffic Manager / Amazon Route 53
- Scenarios: round-robin, failover, performance
- Issues: what if one of the addresses is unreachable? Monitoring of endpoints. What if the order is cached at the ISP? Low TTL (still gaps)
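Whatever the DNS server does, the client still decides how to use the answer, and the two issues on the slides (a dead address in the set, an answer cached longer than its TTL) are mostly client-side problems: many applications take the first address only and cache it for the life of the process. The client below is an added example for this page, not code from the talk: it rotates through every returned address, falls back to the next one on connection failure, and drops the cached answer once the TTL has elapsed. The resolver and the connect step are injected stand-ins so it runs offline.

```python
"""Client-side round-robin with failover and TTL-bounded caching.

Added example for this page, not the talk's code. The resolve and connect
callables are constructed stand-ins; 192.168.0.x and the 30 s TTL are illustrative.
"""

class RoundRobinClient:
    def __init__(self, resolve, connect, clock):
        self.resolve = resolve      # host -> (ttl_seconds, [ip, ...]); stand-in for a real lookup
        self.connect = connect      # (ip, port) -> connection; raises OSError when the host is down
        self.clock = clock          # () -> seconds; injectable so TTL expiry can be tested
        self.cache = {}             # host -> (expires_at, [ip, ...])
        self.offset = {}            # host -> next starting index for rotation

    def addresses(self, host):
        """Return the cached address list, re-resolving once the TTL has elapsed."""
        entry = self.cache.get(host)
        if entry is None or entry[0] <= self.clock():
            ttl, ips = self.resolve(host)
            entry = self.cache[host] = (self.clock() + ttl, list(ips))
        return entry[1]

    def open(self, host, port):
        """Try every address, starting at a rotating offset, and return the first that connects."""
        ips = self.addresses(host)
        start = self.offset.get(host, 0) % len(ips)
        self.offset[host] = start + 1
        failures = []
        for ip in ips[start:] + ips[:start]:
            try:
                return self.connect(ip, port)
            except OSError as exc:
                failures.append(f"{ip}: {exc}")
        raise ConnectionError(f"all {len(ips)} addresses for {host} failed: {failures}")


def demo():
    """Constructed scenario: three A records with TTL 30 s, and 192.168.0.2 is down.
    Returns the connections made by four open() calls and the number of DNS lookups."""
    calls = {"resolve": 0}

    def fake_resolve(host):
        calls["resolve"] += 1
        return 30, ["192.168.0.1", "192.168.0.2", "192.168.0.3"]

    def fake_connect(ip, port):
        if ip == "192.168.0.2":
            raise OSError("connection refused")
        return f"conn:{ip}:{port}"

    now = [0.0]
    client = RoundRobinClient(fake_resolve, fake_connect, lambda: now[0])
    used = [client.open("www.example.local", 80) for _ in range(3)]
    now[0] += 31                                     # TTL elapsed: the next call re-resolves
    used.append(client.open("www.example.local", 80))
    return used, calls["resolve"]
```

`demo()` shows the second call skipping the dead 192.168.0.2 for 192.168.0.3 and the fourth call triggering a second lookup because the 30 s TTL has passed.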
![Page 39: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/39.jpg)
Azure Traffic ManagerDEMO
![Page 40: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/40.jpg)
Content Delivery Network (CDN)
- Serve origin content from an edge location close to the user
www.cdnreviews.com
![Page 41: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/41.jpg)
Content Delivery Network (CDN)
- Serve origin content from an edge location close to the user
- Intelligent DNS approach: look up the location of the querying IP address (in practice the resolver's, unless it sends EDNS Client Subnet) and return the DNS record closer to the user. Try nslookup myget-2e16.kxcdn.com
- IP anycast: advertise the same IP for the edge servers in different networks; no logic needed in DNS. The DNS root servers use this as well
![Page 42: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/42.jpg)
Configuration in DNS
- Typical application configuration: key/value pairs, hierarchy
- Store as DNS records (TXT?)
- Typically multiple environments: one special DNS server per environment, and one master to which we can recurse (e.g. shared settings)
![Page 43: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/43.jpg)
Configuration in DNSDEMO
![Page 44: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/44.jpg)
Configuration in DNS
- Alternative: store just the hostnames per environment: api.app.local resolves to a different IP per environment
- Downsides to configuration in DNS: still need to maintain “the phone book” when changes occur; not very flexible with dynamic resources...; caches, CACHES!
![Page 45: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/45.jpg)
Service discovery
“Detect services on various devices on a network of computers with minimal configuration.”
- UPnP, Service Location Protocol (SLP), Zero Configuration Networking (Zeroconf)
- Simple way to find and list services without maintaining a directory: every service announces itself
![Page 46: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/46.jpg)
Service discovery
- Multicast DNS (mDNS): 224.0.0.251 (ff02::fb for IPv6), UDP port 5353; every machine on the network listens
- DNS Service Discovery (DNS-SD): works with mDNS and with unicast DNS
  - PTR: service type to instance names
  - SRV: instance to priority, weight, port and hostname
  - TXT: additional information (key=value pairs)
  - A/AAAA: the host's IP address
- You are probably already using this today! Printers, Apple Bonjour, Office 365, …

```
46ce01.local.                IN A   192.168.1.101
46ce01._printer._tcp.local.  IN SRV 0 0 515 46ce01.local.
_printer._tcp.local.         IN PTR 46ce01._printer._tcp.local.
```
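The browse-then-resolve walk a DNS-SD client performs (PTR for the service type, then SRV, TXT and A for each instance), with the TXT parsing rules from RFC 6763 (key=value or a bare key, case-insensitive keys, first occurrence wins, empty strings ignored), as an added example for this page rather than the talk's demo. The record set stands in for what a multicast query on 224.0.0.251:5353 would return on a LAN; the printer from the slide is included with a full SRV record and a constructed TXT record, next to a second constructed printer. Keep in mind that nothing on the multicast link is authenticated: any host can announce any service, and the first-wins TXT rule means an attacker appending duplicate keys to a captured announcement gains nothing, but one who announces first does.

```python
"""DNS-SD browse and resolve over a constructed mDNS record set.

Added example for this page, not the talk's code. All records below are
constructed; the 'lobby' printer and the TXT contents are illustrative.
"""

RECORDS = [  # (owner, type, rdata)
    ("_printer._tcp.local.", "PTR", "46ce01._printer._tcp.local."),
    ("46ce01._printer._tcp.local.", "SRV", (0, 0, 515, "46ce01.local.")),   # priority, weight, port, target
    ("46ce01._printer._tcp.local.", "TXT", ["txtvers=1", "rp=auto", "pdl=application/pdf", "Color", "rp=shadowed"]),
    ("46ce01.local.", "A", "192.168.1.101"),
    ("_printer._tcp.local.", "PTR", "lobby._printer._tcp.local."),
    ("lobby._printer._tcp.local.", "SRV", (10, 0, 515, "lobby.local.")),
    ("lobby._printer._tcp.local.", "TXT", []),
    ("lobby.local.", "A", "192.168.1.102"),
]

def lookup(name, rtype, records=RECORDS):
    """All rdata for (name, type); DNS names compare case-insensitively."""
    return [rdata for owner, t, rdata in records if owner.lower() == name.lower() and t == rtype]

def parse_txt(strings):
    """RFC 6763 section 6: 'key=value' or a bare 'key' (present, no value); keys are
    case-insensitive; the first occurrence of a key wins; empty strings are ignored."""
    attrs = {}
    for s in strings:
        if not s:
            continue
        key, sep, value = s.partition("=")
        key = key.lower()
        if key and key not in attrs:
            attrs[key] = value if sep else True
    return attrs

def browse(service_type, records=RECORDS):
    """Step 1: a PTR query for the service type yields the instance names."""
    return lookup(service_type, "PTR", records)

def resolve(instance, records=RECORDS):
    """Step 2: SRV gives host and port, TXT the attributes, A/AAAA the addresses."""
    srv = lookup(instance, "SRV", records)
    if not srv:
        return None
    priority, weight, port, target = srv[0]
    txt = lookup(instance, "TXT", records)
    return {"instance": instance, "host": target, "port": port,
            "priority": priority, "weight": weight,
            "addresses": lookup(target, "A", records) + lookup(target, "AAAA", records),
            "txt": parse_txt(txt[0] if txt else [])}

def pick(service_type, records=RECORDS):
    """Resolve every instance and prefer the lowest SRV priority, then the highest weight."""
    found = [r for r in (resolve(i, records) for i in browse(service_type, records)) if r]
    return min(found, key=lambda r: (r["priority"], -r["weight"])) if found else None
```

`pick("_printer._tcp.local.")` resolves both printers and returns the 46ce01 instance (priority 0 beats 10) with its host, port 515, address and the parsed TXT attributes, in which the duplicate `rp=shadowed` is ignored and the bare `Color` key becomes `color: True`.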
![Page 47: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/47.jpg)
Service Discoverywith mDNS and DNS-SDDEMO
![Page 48: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/48.jpg)
Abusing DNSFor fun and profit
![Page 49: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/49.jpg)
Public hotspots
- Connect to wifi
- Captive portal: usually intercepts HTTP(S) only, and usually allows DNS lookups (which the hotspot's resolver forwards to the Internet on your behalf)
![Page 50: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/50.jpg)
Public hotspots
![Page 51: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/51.jpg)
HTTP over DNS
- Custom client and server
- Server: identify the client, fetch upstream data and make it available as DNS records
- Client: expose itself as a local proxy, make DNS lookups against the custom server
- Things to be aware of: UDP packet size, maximum length of labels and records, maximum # of records
- Encrypt the transport: DNS itself is plaintext and every resolver on the path sees the queries
![Page 52: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/52.jpg)
HTTP over DNS (flow on the slide): local browser, HoD client, HoD server, target HTTP server
1. The browser uses the local HoD client as its proxy
2. The HoD client translates the request into DNS queries
3. The HoD server makes the upstream HTTP request and translates the response into DNS response(s)
4. The HoD client converts the response back for the browser
![Page 53: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/53.jpg)
HTTP over DNS on the Internet (flow on the slide): local browser, HoD client, ISP nameserver, HoD server, target HTTP server. The HoD client never talks to the HoD server directly: the hotspot's or ISP's resolver recurses to the HoD server, which is authoritative for the tunnel domain.
![Page 54: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/54.jpg)
HTTP over DNSDEMO
![Page 55: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/55.jpg)
IP over DNS
- Same idea as HTTP over DNS: tunnel traffic. http://code.kryo.se/iodine/
- More elaborate protocol: user identification, auto-optimized UDP packet size, compression
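The limits the HTTP-over-DNS and IP-over-DNS slides warn about (63-byte labels, 253-byte names, 255-byte TXT strings, a UDP payload that must fit the resolver's EDNS buffer, and queries that may arrive out of order) decide how much data fits in each query and each answer. The block below is an added example for this page, not code from the talk or from iodine: the tunnel domain t.example.net, the five-digit sequence label and the base32 framing are my own constructed framing, chosen to respect those limits. Because the same traffic shape is what a defender looks for, it ends with the heuristic a resolver-log analysis would use to spot such tunnels: one registered domain receiving many distinct, very long subdomains.

```python
"""Framing bytes into DNS names and TXT answers within protocol limits, plus a
detector for the traffic it produces.

Added example for this page, not code from the talk or from iodine. The
tunnel domain, sequence label and base32 framing are constructed here.
"""
import base64
import collections

MAX_LABEL, MAX_NAME, MAX_TXT_STRING = 63, 253, 255
PAYLOAD_LABELS = 3            # 3 x 63 base32 characters of payload per query name

def b32(data):
    """Lowercase, unpadded base32: only letters and digits survive DNS case folding."""
    return base64.b32encode(data).decode().rstrip("=").lower()

def unb32(text):
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def upstream_names(data, domain, seq_start=0):
    """Client side: bytes -> query names of the form <seq>.<l1>.<l2>.<l3>.<domain>."""
    assert len(domain) <= MAX_NAME - 6 - PAYLOAD_LABELS * (MAX_LABEL + 1), "tunnel domain too long"
    text, per_name, names = b32(data), PAYLOAD_LABELS * MAX_LABEL, []
    for n, i in enumerate(range(0, len(text), per_name)):
        chunk = text[i:i + per_name]
        labels = [chunk[j:j + MAX_LABEL] for j in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq_start + n:05d}", *labels, domain])
        assert len(name) <= MAX_NAME              # a longer name is rejected on the wire
        names.append(name)
    return names

def decode_upstream(names, domain):
    """Server side: strip the tunnel domain, reorder by sequence (UDP may reorder), decode."""
    parts = {}
    for name in names:
        seq, *labels = name[:-len(domain) - 1].split(".")
        parts[int(seq)] = "".join(labels)
    return unb32("".join(parts[k] for k in sorted(parts)))

def downstream_txt(data, max_udp=1232, overhead=64):
    """Server side: bytes -> list of TXT answers, each a list of <=255-byte strings whose
    wire size stays under max_udp (1232 is the conservative EDNS buffer many resolvers use);
    the first string of every answer is its sequence number."""
    per_answer = (max_udp - overhead) // (MAX_TXT_STRING + 1) * MAX_TXT_STRING
    answers = []
    for seq, i in enumerate(range(0, len(data), per_answer)):
        chunk = data[i:i + per_answer]
        strings = [chunk[j:j + MAX_TXT_STRING] for j in range(0, len(chunk), MAX_TXT_STRING)]
        answers.append([b"%05d" % seq, *strings])
    return answers

def decode_downstream(answers):
    """Client side: reorder by sequence number and concatenate the payload strings."""
    return b"".join(s for a in sorted(answers, key=lambda a: int(a[0])) for s in a[1:])

def suspicious_domains(qnames, min_unique=20, min_avg_len=100):
    """Detection heuristic over a window of query names (e.g. from resolver logs): flag a
    registered domain (last two labels) that receives many distinct, very long subdomains."""
    subs = collections.defaultdict(set)
    for name in qnames:
        labels = name.rstrip(".").split(".")
        if len(labels) >= 3:
            subs[".".join(labels[-2:])].add(".".join(labels[:-2]))
    return {d for d, s in subs.items()
            if len(s) >= min_unique and sum(map(len, s)) / len(s) >= min_avg_len}
```

A 4 KiB payload becomes 35 query names of at most 211 characters each and five TXT answers of four 255-byte strings, both decoding back to the original bytes even when delivered in reverse order; fed the same query names mixed with ordinary traffic, `suspicious_domains` flags only example.net.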
![Page 56: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/56.jpg)
Conclusion
![Page 57: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/57.jpg)
Conclusion
- DNS is a hierarchical system, built in 1983, flexible and widely used
- Record types
- DNSSEC
- Application architecture: failover, load balancing, CDN; configuration and service discovery
- Fun
![Page 58: DNS for Developers - NDC Oslo 2016](https://reader036.vdocument.in/reader036/viewer/2022062820/58a9f7a61a28abec248b48d5/html5/thumbnails/58.jpg)
Thank you!
http://blog.maartenballiauw.be - @maartenballiauw - http://amzn.to/pronuget2