Domain Name Service (DNS) at Colorado State University Mike Willard Academic Computing & Networking Svcs [email protected] 491-4651

Posted on 24-Dec-2015


What is Domain Name Service?

DNS is a hierarchical naming system that associates various kinds of information with names meaningful to humans.

DNS data is made available by a distributed database run on servers world wide.

Responsibility for domain data is distributed by designating authoritative name servers for each domain, which can in turn delegate authority for sub-domains. This obviates the need for a single central repository of information.

Domain Name Service Data

A typical host name, “chico.cs.colostate.edu.”, is a Fully Qualified Domain Name (FQDN) made up of parts:

“chico” = hostname

“cs.colostate.edu.” = domain name

“cs.colostate.edu.” is a subdomain of “colostate.edu.”, which is a subdomain of “edu.”

“edu.” is a Top Level Domain (TLD)

“.” = the root of the DNS tree. Technically all DNS names end in “.”, but it is typically left out.

DNS Data Organization

Thus DNS data is organized in a tree structure.

DNS Record Types: SOA

Start of Authority (SOA): Defines global parameters for a “zone”, which include:

Time To Live (TTL) – number of seconds records may be cached.

Primary DNS server – FQDN of the primary authoritative DNS server for the zone.

Email Addr – Contact info for the domain, written as a DNS name with the “@” replaced by a “.”, e.g. dnsadmin.colostate.edu. for dnsadmin@colostate.edu.

Serial number – Updated when data changes. Used for replication.

Refresh – Interval in seconds at which a secondary tries to refresh zone data.

Retry – Interval in seconds between refresh attempts after a failure.

Expiry – Interval in seconds secondary data remains valid without a successful refresh.

Min – Originally the default minimum TTL for other zone records; RFC 2308 redefined it as the TTL for negative (NXDOMAIN) caching.

DNS Record Types: SOA (cont.)

The DNS RFCs define a text representation for records as well as a binary or “wire” representation. SOA records have the following text format (the primary server name precedes the contact address; the five numeric fields follow in parentheses):

    Name TTL Class RType Primary-NS Email-address ( Serial Refresh Retry Expiry Min )

    acns.colostate.edu 3600 IN SOA dnsadmin.colostate.edu. (
                       249427 ; sn
                       900    ; refresh (15 min)
                       600    ; retry (10 min)
                       86400  ; expiry (1 day)
                       3600   ; minTTL (1 hour)
                       )

Note that this example as shown has only one name before the parenthesis; a complete SOA record carries the primary server’s FQDN before the contact address. The contact address dnsadmin.colostate.edu. is the mailbox dnsadmin@colostate.edu with the “@” written as a “.”.

DNS Record Types: NS

Name Server (NS): Defines the authoritative name server(s) for a domain. NS records are located both at the apex of the zone and at the point of delegation in the parent zone.

The NS records for acns.colostate.edu reside in the parent zone, “colostate.edu”, like this:

    Name TTL Class RecordType Data
    acns IN NS dns1.colostate.edu.
    acns IN NS dns2.colostate.edu.

And they also exist in the acns.colostate.edu zone, where they look like:

    @ IN NS dns1.colostate.edu.
    @ IN NS dns2.colostate.edu.

(The trailing dots on the server names matter: in a zone file a name without a trailing dot is relative to the zone origin, so dns1.colostate.edu without the dot would become dns1.colostate.edu.colostate.edu.)

DNS Record Types: A, AAAA

IPv4 Address (A): Associates a name with an IPv4 address.

The A record for chico.cs.colostate.edu resides in the “cs.colostate.edu” zone and looks like:

    Name TTL Class RecordType Data
    chico IN A 129.82.45.30

IPv6 Address (AAAA): Associates a name with an IPv6 address.

An AAAA record looks like:

    Name TTL Class RecordType Data
    chico IN AAAA 2002:8152:e6d2::8052:f8d1

DNS Record Types: CNAME

Canonical Name (CNAME): Associates an alias with another DNS name.

The CNAME record for www.cs.colostate.edu looks like:

    Name TTL Class RecordType Data
    www IN CNAME parsons.cs.colostate.edu.

(Again the trailing dot matters: without it the target is read relative to the origin, yielding parsons.cs.colostate.edu.cs.colostate.edu.)

According to the RFC (RFC 1034), you may not create any other records with the same name as a CNAME record. Exceptions were later added for the DNSSEC record types RRSIG and NSEC (and KEY under the earlier DNSSEC RFCs).
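The record formats above are easy to get subtly wrong (parenthesised SOA continuations, comments that themselves contain parentheses, relative versus absolute names, a CNAME sharing its owner with another record). The following parser, added here as an example and not code from the original talk, reads the subset of the zone-file format shown on these slides and applies the CNAME rule. The sample zone text is constructed from the slides’ values; the origin cs.colostate.edu. and dns1.colostate.edu. as the SOA primary are assumptions made for the example.

```python
"""Parser for the zone-file ("master file") text format used on the slides.

Added example, not from the original talk. It handles the subset shown above:
SOA in the parenthesised multi-line form with ';' comments, NS, A, AAAA and
CNAME; '@' and relative names are expanded against a zone origin; and it
checks the RFC 1034 rule that a CNAME owner carries no other record type.
SAMPLE_ZONE is constructed from the slides' values; the origin
cs.colostate.edu. and dns1.colostate.edu. as the SOA primary are assumptions.
"""
import ipaddress

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
# Record types that may share an owner name with a CNAME (RFC 4035 section 2.5).
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC"}


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations; yields token lists."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # comments may contain parentheses
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth <= 0 and buf:
            yield buf
            buf, depth = [], 0
    if depth > 0:
        raise ValueError("unbalanced parenthesis in zone text")


def absolute(name, origin):
    """Expand '@' and relative names; absolute names end in '.' (the root)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin, default_ttl=3600):
    """Return (owner, ttl, type, data) tuples; every line must carry an owner name."""
    origin = origin if origin.endswith(".") else origin + "."
    records = []
    for tok in _logical_lines(text):
        owner, rest = absolute(tok[0], origin).lower(), tok[1:]
        ttl = default_ttl
        if rest[0].isdigit():                  # optional per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest[0].upper() == "IN":            # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "SOA":
            vals = [absolute(rdata[0], origin), absolute(rdata[1], origin)]
            vals += [int(v) for v in rdata[2:7]]
            data = dict(zip(SOA_FIELDS, vals))
        elif rtype in ("NS", "CNAME"):
            data = absolute(rdata[0], origin)
        elif rtype == "A":
            data = str(ipaddress.IPv4Address(rdata[0]))
        elif rtype == "AAAA":
            data = str(ipaddress.IPv6Address(rdata[0]))
        else:
            raise ValueError(f"unsupported record type {rtype} at {owner}")
        records.append((owner, ttl, rtype, data))
    return records


def cname_violations(records):
    """Return (owner, type) pairs where a non-CNAME record shares a CNAME's owner."""
    cname_owners = {owner for owner, _, rtype, _ in records if rtype == "CNAME"}
    return [(owner, rtype) for owner, _, rtype, _ in records
            if owner in cname_owners and rtype not in CNAME_COMPATIBLE]


# Constructed sample zone in the style of the slides (origin cs.colostate.edu.).
SAMPLE_ZONE = """\
@      3600 IN SOA   dns1.colostate.edu. dnsadmin.colostate.edu. (
                     249427 ; sn
                     900    ; refresh (15 min)
                     600    ; retry (10 min)
                     86400  ; expiry (1 day)
                     3600   ; minTTL (1 hour)
                     )
@           IN NS    dns1.colostate.edu.
@           IN NS    dns2.colostate.edu.
chico       IN A     129.82.45.30
chico       IN AAAA  2002:8152:e6d2::8052:f8d1
www         IN CNAME parsons
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "cs.colostate.edu")
    for r in recs:
        print(r)
    extra = [("www.cs.colostate.edu.", 3600, "A", "129.82.45.31")]
    print("CNAME violations:", cname_violations(recs + extra))
```

Comments are stripped before parentheses are counted, which is why the “(15 min)” annotations in the SOA do not confuse the continuation logic; the relative target “parsons” expands to parsons.cs.colostate.edu., the same result the trailing-dot form gives.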

DNS Record Types: Others…

There are ~71 record types. The other, more common records include:

MX – Mail Exchanger. Specify mail servers for a mail domain name.

PTR – Pointer. Maps IP addresses to names (reverse lookup).

SRV – Service record. Defines network service information available for zone (LDAP, Kerberos, etc.). Used heavily by Windows domains.

TXT – Text information associated with a name. Basically a note. Also used in Sender Policy Framework (SPF) system to validate email.

DNS Forward and Reverse Lookups

The most common use is the forward lookup (name to IP). Reverse lookup (IP to name) is also needed.

The reverse space is also a tree structure, delegated in a similar fashion.

All IPv4 reverse space is rooted in the special domain called “IN-ADDR.ARPA”.

For delegation to work as in the forward space, the octets of the address are written in reverse order, most specific to least specific, so that the network part of the address sits closest to the root and a whole network can be delegated as one zone.

Thus CSU’s IP space (129.82.0.0/16) has a reverse DNS zone of “82.129.IN-ADDR.ARPA”.

DNS Reverse Data Organization

DNS Record Types: PTR

Pointer (PTR): Associates an IP address with a name.

The PTR record for “129.82.103.78” resides in the “103.82.129.in-addr.arpa” zone and looks like:

    Name TTL Class RecordType Data
    78 IN PTR rush.colostate.edu.

Although Address and Pointer records are logically connected, there is nothing in the RFCs to force consistency; the two zones are often even run by different organizations, so consistency has to be checked by the operator.

It often makes sense to have multiple A records pointing to different IPs (DNS “Round Robin” load balancing).

It does not make sense to have multiple PTR records pointing to different hosts.
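Since nothing in the protocol keeps forward and reverse data in step, an operator has to check it. The script below, added here as an example and not code from the original talk, builds the reverse owner name by reversing the octets (and, going beyond the slides, the nibbles of an IPv6 address for ip6.arpa), derives the reverse zone for a prefix such as 129.82.0.0/16, and runs a forward-confirmed reverse DNS check over two small zones constructed from the addresses on the slides plus two assumed stray entries.

```python
"""Reverse-zone naming and A/PTR consistency check.

Added example, not from the original talk. reverse_name() builds the
in-addr.arpa (and, beyond the slides, ip6.arpa) owner name for an address;
reverse_zone_for_prefix() gives the zone delegated for a network; and
check_consistency() is the "forward-confirmed reverse DNS" test the RFCs do
not enforce: every PTR target must have an A record back to the same address,
and every A record should have a PTR. FORWARD and REVERSE are constructed from
the slides' addresses plus assumed extra entries (stray/ghost).
"""
import ipaddress


def reverse_name(addr):
    """PTR owner name, e.g. 129.82.103.78 -> 78.103.82.129.in-addr.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_for_prefix(prefix):
    """Zone holding the PTRs for an IPv4 prefix on an octet boundary (/8, /16, /24)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only IPv4 prefixes on octet boundaries delegate this way")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def check_consistency(forward, reverse):
    """forward: name -> set of addresses (A); reverse: address -> name (PTR).

    Returns a list of problem strings; empty means every PTR is confirmed by a
    matching A record and every A record has a PTR.
    """
    problems = []
    for addr, name in reverse.items():
        if addr not in forward.get(name, set()):
            problems.append(f"PTR {reverse_name(addr)} -> {name} not confirmed by an A record")
    for name, addrs in forward.items():
        for addr in addrs:
            if addr not in reverse:
                problems.append(f"A {name} -> {addr} has no PTR")
            elif reverse[addr] != name:
                # legitimate for aliases, but worth reporting for review
                problems.append(f"A {name} -> {addr} but PTR says {reverse[addr]}")
    return problems


# Constructed sample data: slide addresses plus two assumed stray entries.
FORWARD = {
    "rush.colostate.edu.": {"129.82.103.78"},
    "www.colostate.edu.": {"129.82.103.106"},
    "chico.cs.colostate.edu.": {"129.82.45.30"},
    "stray.colostate.edu.": {"129.82.45.31"},      # assumed: A record without a PTR
}
REVERSE = {
    "129.82.103.78": "rush.colostate.edu.",
    "129.82.103.106": "www.colostate.edu.",
    "129.82.45.30": "chico.cs.colostate.edu.",
    "129.82.45.99": "ghost.colostate.edu.",        # assumed: PTR with no A record back
}

if __name__ == "__main__":
    print(reverse_name("129.82.103.78"))
    print(reverse_zone_for_prefix("129.82.0.0/16"))
    for problem in check_consistency(FORWARD, REVERSE):
        print(problem)
```

The PTR-without-A case is the one that matters for security: anything that trusts a reverse lookup (log decoration, TCP wrappers, mail filters) can be fed an arbitrary name by whoever controls the reverse zone unless the name is confirmed forward.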

DNS Authorities

The Internet Assigned Numbers Authority (IANA) and the Internet Network Information Center (InterNIC) were originally established by various US Government agencies and are now run under contract by a private, non-profit organization…

Internet Corporation for Assigned Names and Numbers (ICANN)

Responsible for: coordination of the DNS root globally; coordination of IP space globally; maintaining the list of gTLDs (generic top level domains) and ccTLDs (country code top level domains).

Root Hints: http://www.internic.net/zones/named.root

DNS Registries and Registrars

DNS Registry – the authoritative source for a DNS domain.

DNS Registrar – entity authorized to manage registry data.

Registrars sell domains to others and maintain that data in the registry.

VeriSign operates the current registry for .com and .net but does not act as a registrar.

Hundreds of registrars are certified with VeriSign to sell .com domains (e.g. Tucows, GoDaddy, etc.).

Reverse registries are run by the regional entities (ARIN, LACNIC, RIPE NCC, AFRINIC, APNIC).

DNS Queries – Root Hints

Contents of named.root at the time of the talk (the root server addresses do change; fetch the current file from the URL above rather than copying these):

    .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
    A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
    .                        3600000      NS    B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
    .                        3600000      NS    C.ROOT-SERVERS.NET.
    C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
    .                        3600000      NS    D.ROOT-SERVERS.NET.
    D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
    .                        3600000      NS    E.ROOT-SERVERS.NET.
    E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
    .                        3600000      NS    F.ROOT-SERVERS.NET.
    F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
    F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
    .                        3600000      NS    G.ROOT-SERVERS.NET.
    G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
    .                        3600000      NS    H.ROOT-SERVERS.NET.
    H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
    H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
    .                        3600000      NS    I.ROOT-SERVERS.NET.
    I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
    I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
    .                        3600000      NS    J.ROOT-SERVERS.NET.
    J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
    J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
    .                        3600000      NS    K.ROOT-SERVERS.NET.
    K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
    K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
    .                        3600000      NS    L.ROOT-SERVERS.NET.
    L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
    L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
    .                        3600000      NS    M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
    M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35

DNS Queries – Interaction

DNS Resolver – software that contacts DNS servers to find DNS data. Located in client operating systems and as part of DNS server software.

Two query types – recursive (the server is asked to find the complete answer on the client’s behalf) and non-recursive, or iterative (the server answers from its own data or refers the querier to a better name server).

Typical query interaction for www.colostate.edu, as drawn in the slide diagram (Resolver, Root Nameserver, edu. Nameserver, colostate.edu. Nameserver):

Resolver to Root Nameserver: Where’s www.colostate.edu?

Root Nameserver: Ask 192.5.6.36 (an edu. nameserver)

Resolver to edu. Nameserver (192.5.6.36): Where’s www.colostate.edu?

edu. Nameserver: Ask 129.82.103.78 (a colostate.edu. nameserver)

Resolver to colostate.edu. Nameserver (129.82.103.78): Where’s www.colostate.edu?

colostate.edu. Nameserver: It is at 129.82.103.106

DNS Delegation

An entity wishing to run DNS for a zone negotiates with the group authoritative for the parent domain.

The parent’s authoritative server hosts NS records for the delegated domain and “glue” records (A/AAAA records for name servers whose names lie inside the delegated zone, without which a resolver could never reach them).

The delegated server hosts the SOA and the same NS records along with the zone data.

Changes take some time to replicate everywhere as caches update.

DNS Servers

Software: BIND – originally UNIX. Windows 2000 moved to heavy reliance on DNS.

Network traffic: UDP and TCP port 53.

Authoritative vs. non-authoritative: Servers that host a zone are authoritative.

Authoritative Only: Servers that *only* respond to queries for zones they host.

Recursive/Caching Servers: Resolve any DNS request for clients. Store answers locally to answer other requests.

Replication: Slave and master (secondary and primary). Uses zone serial numbers and the SOA refresh and retry intervals to update slaves, which hold a read-only copy of the data.

Dynamic DNS (DDNS) – Allows clients to update A and PTR records on the fly.

DNS Security Concerns

Cache poisoning – forged replies accepted into a resolver’s cache.

Denial of Service (DoS).

Amplified DoS – small queries with a spoofed source address sent to open resolvers produce much larger replies aimed at the victim.

Separate the resolving/caching server from the authoritative server.

Secure DNS (DNSSEC).

Dynamic DNS (DDNS) – who may update what.

Zone transfers – restrict which hosts may pull a full copy of a zone.

Firewalls.

OS and application vulnerabilities.

Outsourcing.

Appliances.
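The referral chain drawn above and the first concern on this list fit together: a resolver walking referrals is exactly what a poisoner targets, and the classic defences are checking that a reply echoes the transaction ID and source port the resolver chose, and refusing to cache authority or glue data that falls outside the zone the queried server was delegated for (the “bailiwick” rule). The following simulation, added here as an example and not code from the original talk, runs an iterative resolver over three in-memory stand-ins for the root, edu. and colostate.edu. servers of the diagram and then feeds it two forged replies. The addresses 192.5.6.36, 129.82.103.78 and 129.82.103.106 come from the slides and 198.41.0.4 is A.ROOT-SERVERS.NET from the root hints; the name-server host names, www.bank.example and 10.66.66.66 are assumptions made for the example.

```python
"""Iterative resolution following referrals and glue, with two cache-poisoning defences.

Added example, not from the original talk. The three in-memory AuthServer
objects stand in for the root, edu. and colostate.edu. servers of the slide
diagram (name-server host names, www.bank.example and 10.66.66.66 are
assumptions). The resolver accepts a reply only if it echoes the transaction
ID and source port it chose, and keeps authority/glue data only if its owner
lies inside the zone the queried server was delegated ("bailiwick" checking).
"""
import random

ROOT_HINT = "198.41.0.4"   # A.ROOT-SERVERS.NET from the root hints


def in_bailiwick(name, zone):
    """True if name equals zone or is below it (absolute names; '.' covers all)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


class AuthServer:
    """Authoritative-only stand-in: answers from its data or refers to a child zone."""

    def __init__(self, records, delegations):
        self.records = records          # {owner: [ip, ...]}  A records
        self.delegations = delegations  # {child_zone: {ns_name: glue_ip}}

    def query(self, txid, port, qname):
        reply = {"txid": txid, "port": port, "answer": [], "authority": [], "additional": []}
        if qname in self.records:
            reply["answer"] = [(qname, "A", ip) for ip in self.records[qname]]
        else:
            for child, nss in self.delegations.items():
                if in_bailiwick(qname, child):       # referral down the tree
                    reply["authority"] = [(child, "NS", ns) for ns in nss]
                    reply["additional"] = [(ns, "A", ip) for ns, ip in nss.items()]
                    break
            else:
                reply["nxdomain"] = True
        return reply


def validate(reply, txid, port, zone):
    """Return the reply with off-bailiwick data removed, or None on txid/port mismatch."""
    if reply is None or reply["txid"] != txid or reply["port"] != port:
        return None
    clean = dict(reply)
    clean["authority"] = [r for r in reply["authority"] if in_bailiwick(r[0], zone)]
    listed = {ns.lower() for _, _, ns in clean["authority"]}
    clean["additional"] = [r for r in reply["additional"]
                           if in_bailiwick(r[0], zone) and r[0].lower() in listed]
    return clean


def resolve(qname, servers, max_steps=10, rng=random):
    """Walk from the root hint following referrals. Returns (ip_list, trace)."""
    qname = qname.lower() if qname.endswith(".") else qname.lower() + "."
    server_ip, zone, trace = ROOT_HINT, ".", []
    for _ in range(max_steps):
        txid, port = rng.randrange(1 << 16), rng.randrange(1024, 1 << 16)
        reply = validate(servers[server_ip].query(txid, port, qname), txid, port, zone)
        if reply is None:
            raise RuntimeError(f"no valid reply from {server_ip}")
        if reply.get("nxdomain"):
            return [], trace
        if reply["answer"]:
            return [ip for _, _, ip in reply["answer"]], trace
        glue = {ns.lower(): ip for ns, _, ip in reply["additional"]}
        for child, _, ns in reply["authority"]:
            if ns.lower() in glue:               # follow the first NS we hold glue for
                trace.append((zone, server_ip, child, glue[ns.lower()]))
                server_ip, zone = glue[ns.lower()], child
                break
        else:
            raise RuntimeError(f"referral from {server_ip} carried no usable glue")
    raise RuntimeError("too many referrals")


SERVERS = {
    ROOT_HINT: AuthServer({}, {"edu.": {"a.edu-servers.net.": "192.5.6.36"}}),
    "192.5.6.36": AuthServer({}, {"colostate.edu.": {"ns.colostate.edu.": "129.82.103.78"}}),
    "129.82.103.78": AuthServer({"www.colostate.edu.": ["129.82.103.106"]}, {}),
}


def poisoned_replies():
    """Two forged replies aimed at a resolver waiting on the edu. server (constructed)."""
    txid, port, zone = 0x1234, 40000, "edu."
    wrong_txid = {"txid": 0x9999, "port": port, "authority": [], "additional": [],
                  "answer": [("www.colostate.edu.", "A", "10.66.66.66")]}
    off_bailiwick = {"txid": txid, "port": port, "answer": [],
                     "authority": [("colostate.edu.", "NS", "ns.colostate.edu.")],
                     "additional": [("ns.colostate.edu.", "A", "129.82.103.78"),
                                    ("www.bank.example.", "A", "10.66.66.66")]}  # unrelated "glue"
    return validate(wrong_txid, txid, port, zone), validate(off_bailiwick, txid, port, zone)["additional"]
```

Call resolve("www.colostate.edu", SERVERS) to reproduce the diagram; the returned trace lists each referral as (zone asked, server, child zone, glue address). poisoned_replies() shows the two defences: the reply with the wrong transaction ID is dropped outright, and from the otherwise valid referral only the glue for ns.colostate.edu survives while the www.bank.example record is discarded. Transaction ID plus randomized source port is still only about 32 bits of guessing space, which is why DNSSEC (next section) is the real fix for poisoning.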

Domain Name System Security Extensions (DNSSEC). New record types to support the protocol:

RRSIG – one per resource record set (used to verify RR data).

DNSKEY – one per zone/subdomain (used to verify RRSIG).

DS – one per subdomain, held in the parent domain (used to verify the child’s DNSKEY).

NSEC/NSEC3 – Used to verify a “negative” response. Helps prevent spoofing.

Requires support of “Extension Mechanisms for DNS” (EDNS): increased flag space and data packet size beyond 512 bytes. Uses a pseudo record type (OPT) that appears only on the wire, never in zone files, for backwards compatibility.

Trust Anchors – A trusted key/DS record distributed with the OS or installed manually. In theory only the root zone record is needed, but not all TLDs are secure yet. EDU supports DNSSEC as of this year. GOV does. Some ORG. VeriSign projected to have their COM and NET zones signed next year.
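The NSEC item deserves a worked check, because “verify a negative response” is the part of DNSSEC people find least intuitive. An NSEC record owned by X whose next-name field is Y asserts that no name exists strictly between X and Y in the zone’s canonical order (RFC 4034 section 6.1: labels compared right to left, case-insensitively and byte-wise, with a proper prefix sorting first), and the last record in the chain points back to the apex so its range wraps around. The code below, added here as an example and not code from the original talk, implements that ordering and the coverage test; the RRSIG over the NSEC is assumed to have been verified already, wildcard and closest-encloser handling is left out, and NSEC_CHAIN is a constructed stand-in for a signed colostate.edu zone.

```python
"""Checking an NSEC "negative" proof: does an NSEC record cover the queried name?

Added example, not from the original talk. nsec_covers() applies the RFC 4034
canonical ordering and the wrap-around at the end of the chain; the RRSIG over
the NSEC is assumed verified, and wildcard / closest-encloser logic of a full
validator is omitted. NSEC_CHAIN is a constructed stand-in for a signed zone.
"""


def canonical_key(name):
    """Sort key giving RFC 4034 canonical order: labels reversed, lower-cased, as bytes."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))


def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC (owner -> next_name) proves that qname does not exist."""
    o, n, q, a = (canonical_key(x) for x in (owner, next_name, qname, apex))
    if q[:len(a)] != a or q == o or q == n:   # outside the zone, or the name exists
        return False
    if n <= o:                                 # last record in the chain wraps to the apex
        return o < q or q < n
    return o < q < n


def prove_nonexistence(chain, qname, apex):
    """Return the (owner, next) NSEC that covers qname, or None when no record does."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname, apex):
            return (owner, next_name)
    return None


# Constructed chain, already in canonical order; the last entry wraps to the apex.
NSEC_CHAIN = [
    ("colostate.edu.", "cs.colostate.edu."),
    ("cs.colostate.edu.", "chico.cs.colostate.edu."),
    ("chico.cs.colostate.edu.", "dns1.colostate.edu."),
    ("dns1.colostate.edu.", "www.colostate.edu."),
    ("www.colostate.edu.", "colostate.edu."),
]

if __name__ == "__main__":
    for q in ("lamar.colostate.edu.", "zzz.colostate.edu.", "www.colostate.edu."):
        print(q, "->", prove_nonexistence(NSEC_CHAIN, q, "colostate.edu."))
```

A query for lamar.colostate.edu is covered by the dns1 to www record, a name sorting after www is covered by the wrap-around record, and an existing name such as www.colostate.edu is covered by nothing, which is the correct result: the NSEC owned by it can only prove that a record type is absent. The same chain that makes the proof possible also lets anyone walk every name in the zone, which is the reason NSEC3 (hashed owner names) exists.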

DNS Utilities

NSLOOKUP – Get DNS records from a given server. Command-line parameters and an interactive mode (no GUI).

DIG – Get DNS record info from a given server. Command line.

WHOIS – www.whois.net, the various registries, or the command-line client.

Web sites: www.dnstools.com, www.dnsstuff.com, network-tools.com

DNS at Colorado State University

Master servers – rush.colostate.edu and hasty.colostate.edu

Slave servers – yuma.colostate.edu, lamar.colostate.edu, holly.colostate.edu (legacy) and dns1.colostate.edu, dns2.colostate.edu (public)

“Hidden Master” configuration – The master servers (RUSH and HASTY) are not accessible off-campus and there are no NS records registered for them. The public servers are DNS1 and DNS2, which *only* answer queries about colostate.edu and 129.82.0.0/16 (authoritative only, as defined above), so the servers that hold the writable zone data are never exposed to outside queries.

Statistics –

DNS1 ~40 queries/sec

DNS2 <10 queries/sec

RUSH ~970 queries/sec

HASTY ~160 queries/sec
