1 Domain Name System. 2 Resolve IP to a Name /etc/hosts The /etc/hosts file is just a list of IP...

1 Domain Name System


2 Resolve IP to a Name: /etc/hosts

The /etc/hosts file is just a list of IP addresses and their corresponding server names. Your server will check this file before referencing DNS. Add the following contents to your /etc/hosts:

68.142.197.84 myyahoo

You can then open a browser and type ‘myyahoo’ in the URL. This is usually used to resolve the IP addresses of other hosts in the same network.
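As an added example, not part of the slides, here is the hosts-file-first lookup order described above in Python: it parses a constructed /etc/hosts (SAMPLE_HOSTS, which includes the slide's ‘myyahoo’ line) and falls back to a stand-in DNS dictionary (FAKE_DNS) so it runs offline. The function names and sample data are this example's own assumptions.

```python
import ipaddress

# Constructed sample /etc/hosts (not the slide's machine): the slide's
# 'myyahoo' line plus a few typical local entries and a trailing comment.
SAMPLE_HOSTS = """\
# constructed example hosts file
127.0.0.1     localhost localhost.localdomain
68.142.197.84 myyahoo
192.168.1.254 ns1.alanpo.com ns1   # comment after an entry
192.168.1.253 forum.alanpo.com forum
"""

# Constructed stand-in for a DNS server so the example runs offline.
FAKE_DNS = {"www.vtc.edu.hk": "202.75.80.237"}


def parse_hosts(text):
    """Return [(address, [names]), ...] in file order.

    Blank lines and '#' comments are skipped, and a line whose first field
    is not an IP address is ignored rather than aborting the parse.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        names = [n.lower() for n in fields[1:]]
        if names:
            entries.append((str(addr), names))
    return entries


def lookup_hosts(name, text):
    """Hosts-file lookup: case-insensitive, first matching line wins."""
    name = name.lower().rstrip(".")
    for addr, names in parse_hosts(text):
        if name in names:
            return addr
    return None


def resolve(name, hosts_text, dns_lookup):
    """The order the slide describes: /etc/hosts first, then DNS.

    dns_lookup is any callable name -> address-or-None (here FAKE_DNS.get).
    Returns (address, source) where source is 'hosts', 'dns' or 'unresolved'.
    """
    addr = lookup_hosts(name, hosts_text)
    if addr is not None:
        return addr, "hosts"
    addr = dns_lookup(name.lower().rstrip("."))
    return addr, ("dns" if addr is not None else "unresolved")


if __name__ == "__main__":
    for n in ("myyahoo", "www.vtc.edu.hk", "NS1", "nosuchhost"):
        print(n, resolve(n, SAMPLE_HOSTS, FAKE_DNS.get))
```

Because a hosts entry is consulted before any DNS query, an unexpected line in this file silently redirects that name for every program on the machine; keep it root-owned and compare it against a known-good copy when reviewing a host.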

3 Basic Commands to test domain name

host www.vtc.edu.hk
The host command accepts arguments that are either the fully qualified domain name or the IP address of the server when providing results.

host 202.75.80.237
To perform a reverse lookup.

nslookup www.vtc.edu.hk
Same result as host, but it can also be run in WindowsXP.

4 Basic Concept of DNS

Domain Name System (DNS) converts the name of a Web site (www.vtc.edu.hk) to an IP address (202.75.80.237).

DNS Clients: A DNS client doesn't store DNS information; it must always refer to a DNS server to get it. The only DNS configuration file for a DNS client is /etc/resolv.conf.

5 Authoritative DNS Servers

Authoritative servers provide the definitive information for your DNS domain. There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first.

For example, when you register your domain my-site.com, you are actually inserting a record on the .com DNS servers.

6 DNS Caching Name Server

Most servers don't ask authoritative servers for DNS directly; they usually ask a caching DNS server. The caching DNS servers then store (or cache) the most frequently requested information to reduce the lookup overhead.

7 Forward, reverse lookup

Forward Lookup: DNS resolution maps a fully qualified domain name (FQDN), such as www.vtc.edu.hk, to an IP address.

Reverse Lookup: DNS can determine the fully qualified domain name associated with an IP address. Many different Web sites can map to a single IP address, but the reverse isn't true.

8 Start DNS server

Use the ‘chkconfig’ command to configure DNS to start at boot:

chkconfig named on

Use ‘service named’ to start, stop, and restart DNS after booting:

service named start
service named stop
service named restart

Configuration file: /etc/named.conf

9 Configure a Cache-Only DNS server

Change the named.conf to:

options {
    pid-file "/var/run/named/named.pid";
    forward only;
    forwarders { 168.95.1.1; 139.175.10.20; };
    allow-query { any; };
    allow-transfer { none; };
};

pid-file: Process ID file, the filename in which named stores its process ID.

10 Configure a Cache-Only DNS server (2)

forward only: Cache only, no other function.
forwarders: The real DNS servers’ IP addresses.
allow-query {any;}: Allow other hosts to query your DNS server.
allow-transfer {none;}: Do not allow other DNS servers to copy your DNS server’s data.

11 Configuring named.conf

named.conf only contains the information of ‘Zones’. Each ‘Zone’ should contain a forward lookup zone file and a reverse lookup file. All these files are stored in ‘/var/named’ (by default; you can change it). A well-defined named.conf and a group of Zone files let you set up your DNS easily.

12 Configuring named.conf (2): root ‘.’ Zone

A file which connects to the 13 root authoritative DNS servers. The zone filename is “named.ca”. ‘type hint;’ is the ‘Type’ for root zones. You can find this file in /var/named.

zone "." IN {
    type hint;
    file "named.ca";
};

13 Configuring named.conf (3): Zone “localdomain”

A sample zone for your local network. allow-update {none;}: do not allow this zone to be updated to the root DNS. Omit this line for a REAL ZONE.

zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

14 Configuring named.conf (4): Reverse Zone for “localdomain”

‘in-addr.arpa’ is the predefined zone name for a fixed IP address.

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

15 Configuring named.conf (5)

To create a Virtual Zone “alanpo.com” for network 192.168.1.0/24, add these statements to named.conf:

zone "alanpo.com" {
    type master;
    file "named.alanpo.com";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "named.192.168.1";
};

16 Configuring Zone

Read the content of “localdomain.zone”:

$TTL 86400
@           IN SOA localhost root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
            IN NS localhost
localhost   IN A  127.0.0.1

TTL 86400: Time to Live value, default is 86400 seconds. The live time of this DNS record in a cache DNS server. Other values: 3D (3 days), 3W (3 weeks) or 3M (3 months).

17 Configuring Zone (2): The SOA Record

The first resource record is the Start of Authority (SOA) record, which contains general administrative and control information about the domain. The format is:

Name Class Type Name-Server Email-Address Serial-No Refresh Retry Expiry Minimum-TTL

Since the format is too long, we usually use parentheses to split it over multiple lines and give a comment after a ‘;’.

18 Configuring Zone (3): Field Description

Name: The root name of the zone. The "@" sign is a shorthand reference to the current origin (zone) in the /etc/named.conf.
Class: There are a number of different DNS classes. Home/SOHO will be limited to the IN or Internet class. Other classes exist for non-Internet protocols.
Type: The type of DNS resource record.
Name-server: Fully qualified name of your primary name server. Must be followed by a period.
Serial-no: A serial number for the current configuration.
Refresh: Tells the slave DNS server how often it should check the master DNS server.
Retry: The slave's retry interval to connect to the master in the event of a connection failure.
Expiry: Total amount of time a slave should retry to contact the master before expiring the data it contains.
Minimum-TTL: This value defines the caching duration your DNS includes with a no-domain response.

19 Configuring Zone (4): NS, MX, A and CNAME Records

| Record Type | Name Field                        | Class Field | Type Field | Data Field                             |
|-------------|-----------------------------------|-------------|------------|----------------------------------------|
| NS          | Name Server                       | IN          | NS         | IP address or CNAME of the name server |
| MX          | Domain to be used for mail        | IN          | MX         | Mail server DNS name                   |
| A           | Name of a server in the domain    | IN          | A          | IP address of server                   |
| CNAME       | Server name alias                 | IN          | CNAME      | "A" record name for the server         |
| PTR         | Last octet of server's IP address | IN          | PTR        | Fully qualified server name            |

20 Configuring Zone (5)

Zone file for “alanpo.com” (filename is “named.alanpo.com”):

$TTL 3D
@       IN SOA ns1.alanpo.com. root.ns1.alanpo.com. (
            2006070101  ; Serial
            8H          ; Refresh
            12H         ; Retry
            1W          ; Expire
            1D )        ; minimum
@       IN NS    ns1.alanpo.com.
@       IN MX 10 ns1.alanpo.com.
ns1     IN A     192.168.1.254
www     IN CNAME ns1
ftp     IN CNAME ns1
forum   IN A     192.168.1.253

21 Configuring Zone (6)

Reverse Zone file “named.192.168.1”:

$TTL 3D
@       IN SOA ns1.alanpo.com. root.ns1.alanpo.com. (
            2006070102  ; Serial
            8H          ; Refresh
            12H         ; Retry
            1W          ; Expire
            1D )        ; minimum
@       IN NS  ns1.alanpo.com.
254     IN PTR ns1.alanpo.com.
253     IN PTR forum.alanpo.com.
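As an added example covering slides 16 to 21 (it is this editor's code, not the slides' or BIND's), the following Python parser reads the two zone files above as master-file text: it handles the ‘;’ comments, the parenthesised multi-line SOA, the ‘@’ origin shorthand, relative names, an omitted owner name, and the time suffixes. BIND reads the suffix M as minutes, which is what the SOA retry of 15M on slide 16 means, and the parser follows BIND. It then builds the in-addr.arpa name for each A record and checks that the reverse zone has the matching PTR, the consistency check a practitioner runs after editing both files. FORWARD_ZONE and REVERSE_ZONE are the slides' content; the function names are this example's own.

```python
# The two zone files from the slides ("named.alanpo.com" and "named.192.168.1").
FORWARD_ZONE = """\
$TTL 3D
@       IN SOA ns1.alanpo.com. root.ns1.alanpo.com. (
            2006070101  ; Serial
            8H          ; Refresh
            12H         ; Retry
            1W          ; Expire
            1D )        ; minimum
@       IN NS    ns1.alanpo.com.
@       IN MX 10 ns1.alanpo.com.
ns1     IN A     192.168.1.254
www     IN CNAME ns1
ftp     IN CNAME ns1
forum   IN A     192.168.1.253
"""
REVERSE_ZONE = """\
$TTL 3D
@       IN SOA ns1.alanpo.com. root.ns1.alanpo.com. (
            2006070102 ; Serial
            8H 12H 1W 1D )  ; Refresh Retry Expire minimum
@       IN NS  ns1.alanpo.com.
254     IN PTR ns1.alanpo.com.
253     IN PTR forum.alanpo.com.
"""
TTL_UNITS = {"W": 7 * 86400, "D": 86400, "H": 3600, "M": 60, "S": 1}

def ttl_seconds(token):
    """BIND time syntax: plain seconds or a number with a W/D/H/M/S suffix (M is minutes)."""
    token = token.upper()
    unit = TTL_UNITS.get(token[-1])
    return int(token[:-1]) * unit if unit else int(token)

def qualify(name, origin):
    """Absolute form of a name as written: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Parse a master zone file into {'ttl', 'soa', 'records': [(owner, type, data), ...]}.

    Handles ';' comments, the '( ... )' continuation used by SOA records, '@',
    relative names and an omitted owner field (which inherits the previous owner).
    """
    origin = origin if origin.endswith(".") else origin + "."
    logical, buf, depth = [], [], 0                 # group physical lines into records
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = []
    zone, last_owner = {"ttl": None, "soa": None, "records": []}, origin
    for lines in logical:
        tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            zone["ttl"] = ttl_seconds(tokens[1])
            continue
        if lines[0][0].isspace():                   # no owner field: inherit the previous one
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        if tokens[0] == "IN":                       # the class is optional in the file
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata
            zone["soa"] = {"mname": mname, "rname": rname, "serial": int(serial),
                           "refresh": ttl_seconds(refresh), "retry": ttl_seconds(retry),
                           "expire": ttl_seconds(expire), "minimum": ttl_seconds(minimum)}
        elif rtype == "MX":
            zone["records"].append((owner, "MX", (int(rdata[0]), qualify(rdata[1], origin))))
        elif rtype in ("NS", "CNAME", "PTR"):
            zone["records"].append((owner, rtype, qualify(rdata[0], origin)))
        elif rtype == "A":
            zone["records"].append((owner, "A", rdata[0]))
        else:
            raise ValueError("unsupported record type " + rtype)
    return zone

def reverse_name(ip):
    """PTR owner name for an IPv4 address: 192.168.1.254 -> 254.1.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_forward_reverse(fwd, rev):
    """A records with no PTR, and PTRs that name a different host than the A record's owner."""
    ptrs = {owner: target for owner, rtype, target in rev["records"] if rtype == "PTR"}
    problems = []
    for owner, _, addr in (r for r in fwd["records"] if r[1] == "A"):
        target = ptrs.get(reverse_name(addr))
        if target is None:
            problems.append("no PTR for %s (%s)" % (owner, addr))
        elif target != owner:
            problems.append("PTR for %s is %s, not %s" % (addr, target, owner))
    return problems

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "alanpo.com")
    rev = parse_zone(REVERSE_ZONE, "1.168.192.in-addr.arpa")
    print(fwd["soa"]["serial"], rev["soa"]["serial"], check_forward_reverse(fwd, rev) or "consistent")
```

Adding an A record to the forward zone without the matching PTR makes check_forward_reverse report it; remember that the serial of whichever file you edit must also be increased, since slaves only transfer a zone whose serial has gone up.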

22 Slave DNS Server

A Slave DNS server can decrease the workload of the Master DNS server (load balancing). Add ‘allow-transfer’ to the named.conf of the Master. 192.168.1.252 is the IP address of the Slave.

zone "alanpo.com" {
    type master;
    file "named.alanpo.com";
    allow-transfer { 192.168.1.252; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "named.192.168.1";
    allow-transfer { 192.168.1.252; };
};

23 Slave DNS Server (2)

Copy the named.conf from the Master and then change the zones. The zone file is not required on the Slave.

zone "alanpo.com" {
    type slave;
    file "named.alanpo.com";
    masters { 192.168.1.254; };
};
zone "1.168.192.in-addr.arpa" {
    type slave;
    file "named.192.168.1";
    masters { 192.168.1.254; };
};
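As an added example serving the cache-only options of slides 9 and 10 and the master and slave zone statements of slides 22 and 23 (this editor's code, not the slides' or BIND's), the Python below parses the named.conf `statement { ... };` syntax and audits it the way a defender reviews the file: it reports master zones whose allow-transfer is unrestricted, slave zones with no masters list, and a forward-only resolver that answers queries from any host. MASTER_CONF and SLAVE_CONF are assembled from the slides' fragments; WEAK_CONF is a constructed variant with the mistakes the checker should catch; treating an unset allow-transfer as unrestricted is the checker's conservative assumption, not a statement about a particular BIND version.

```python
import re

# named.conf assembled from the slides: the cache-only options block and the
# hint, localdomain and alanpo.com master zones, one statement per line.
MASTER_CONF = """\
options {
    pid-file "/var/run/named/named.pid";
    forward only;
    forwarders { 168.95.1.1; 139.175.10.20; };
    allow-query { any; };
    allow-transfer { none; };
};
zone "." IN { type hint; file "named.ca"; };
zone "localdomain" IN { type master; file "localdomain.zone"; allow-update { none; }; };
zone "alanpo.com" { type master; file "named.alanpo.com"; allow-transfer { 192.168.1.252; }; };
zone "1.168.192.in-addr.arpa" { type master; file "named.192.168.1"; allow-transfer { 192.168.1.252; }; };
"""
# The slave's zone statements from the slides.
SLAVE_CONF = """\
zone "alanpo.com" { type slave; file "named.alanpo.com"; masters { 192.168.1.254; }; };
zone "1.168.192.in-addr.arpa" { type slave; file "named.192.168.1"; masters { 192.168.1.254; }; };
"""
# Constructed variant with the mistakes the checker should catch.
WEAK_CONF = """\
options { forward only; allow-query { any; }; };
zone "alanpo.com" { type master; file "named.alanpo.com"; allow-transfer { any; }; };
zone "1.168.192.in-addr.arpa" { type master; file "named.192.168.1"; };
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Words, quoted strings and the { } ; punctuation ('//' and '#' comments dropped; '/* */' not handled)."""
    text = re.sub(r"(//|#)[^\n]*", "", text)
    return [t.strip('"') for t in TOKEN.findall(text)]

def parse(tokens, pos=0, depth=0):
    """Parse statements up to the matching '}'. Returns (statements, next_pos);
    a statement is (name, [args], block-or-None), e.g. ('zone', ['alanpo.com'], [...])."""
    stmts = []
    while pos < len(tokens):
        if tokens[pos] == "}":
            if depth == 0:
                raise ValueError("unexpected '}'")
            return stmts, pos + 1
        name, args, block, pos = tokens[pos], [], None, pos + 1
        while pos < len(tokens) and tokens[pos] not in ("{", ";"):
            args.append(tokens[pos])
            pos += 1
        if pos < len(tokens) and tokens[pos] == "{":
            block, pos = parse(tokens, pos + 1, depth + 1)
        if pos < len(tokens) and tokens[pos] == ";":
            pos += 1
        stmts.append((name, args, block))
    if depth:
        raise ValueError("unbalanced braces")
    return stmts, pos

def stmt(block, name):
    """First statement called `name` in a block, or None."""
    return next((s for s in block if s[0] == name), None)

def acl_values(block, name):
    """Entries of an address list such as allow-transfer { a; b; }, or None if absent."""
    s = stmt(block, name)
    return None if s is None else [entry[0] for entry in s[2]]

def audit(text):
    """Defensive review of a named.conf: a list of findings (empty means nothing flagged).
    An unset allow-transfer on a master zone is treated as unrestricted (conservative assumption)."""
    top, _ = parse(tokenize(text))
    findings = []
    opts = stmt(top, "options")
    global_xfer = acl_values(opts[2], "allow-transfer") if opts else None
    fwd = stmt(opts[2], "forward") if opts else None
    if fwd and fwd[1] == ["only"] and acl_values(opts[2], "allow-query") == ["any"]:
        findings.append("options: forwarding resolver has allow-query { any; }; restrict it to your own network")
    for name, args, block in top:
        if name != "zone":
            continue
        ztype = stmt(block, "type")
        ztype = ztype[1][0] if ztype else None
        if ztype == "master":
            xfer = acl_values(block, "allow-transfer")
            xfer = global_xfer if xfer is None else xfer
            if xfer is None or "any" in xfer:
                findings.append("zone %s: allow-transfer is unrestricted; list the slave address or none" % args[0])
        elif ztype == "slave" and not acl_values(block, "masters"):
            findings.append("zone %s: slave zone without a masters list" % args[0])
    return findings

if __name__ == "__main__":
    for label, conf in (("master", MASTER_CONF), ("slave", SLAVE_CONF), ("weak", WEAK_CONF)):
        print(label, audit(conf) or ["ok"])
```

On the slides' own configuration the only finding is the allow-query { any; } of the forwarding resolver: the slide says it lets other hosts query the server, and that is exactly what a reviewer wants narrowed to the local network before the machine is reachable from the Internet.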

24 Configuration of DNS Client

The configuration file of the DNS client is /etc/resolv.conf. Add your private DNS at the first line. Can you find any security problem in resolv.conf?

25 Firewall

Cars have a component that separates the engine block from the passenger compartment. If the car explodes, this component protects the passengers. This component is known as a firewall. A firewall in computer terms protects your network from invalid access. Most firewalls filter incoming datagrams based upon the datagram's source address, destination address and higher-level protocol. This kind of firewall is known as ‘packet filtering’.

26 ICF in WindowsXP

Microsoft designed the Internet Connection Firewall (ICF) in XP for use in the home and small businesses. To enable and configure ICF, do the following:

Go to ‘Control Panel’ and then click ‘Network Connection’.
Click the network connection that you want to protect.
Under ‘Network Tasks’, click ‘Change Settings Of This Connection’.
In the ‘Advanced’ tab, select the ‘Protect My Computer And Network By Limiting Or Preventing Access To This Computer From The Internet’ check box.
To configure ICF, click ‘Settings’.

27 ICF in WindowsXP (2)

28 ICF in WindowsXP (3)

The ‘Services’ tab allows you to specify the services running on your network that Internet users can access.
The ‘Security Logging’ tab allows you to specify whether or not you want to log dropped packets and successful connections.
The ‘ICMP’ tab allows you to select which requests for information from the Internet this computer will respond to.

29 Important ICF considerations

ICF should be enabled on your shared Internet connection if your network is using ICS to provide Internet access to multiple computers.
ICF also protects a single computer that is connected to the Internet with a cable modem, a DSL modem, or a dial-up modem.
ICF should not be enabled on VPN connections or on client computers; it will interfere with file and printer sharing.

30 IP Filter in Linux

(1) The IP datagram is received through a network adapter (usually known as eth0).
The incoming IP datagram is examined to determine if it is destined for a process on this machine.
(2) If the datagram is for this machine, it is processed locally.

31 IP Filter in Linux (2)

(3) If it is not destined for this machine, a search is made of the routing table for an appropriate route, and the datagram is forwarded to the appropriate interface or dropped if no route can be found.
(4) Datagrams from local processes are sent to the routing software for forwarding to the appropriate interface.
The outgoing IP datagram is examined to determine if there is a valid route for it to take; if not, it is dropped.
(5) The IP datagram is transmitted out through a PPP driver or another network adapter (usually known as eth1).

32 IP Chains in Linux (3)

INPUT and OUTPUT chain: The flows 1→2 and 4→5 represent the data input and output flows of a network program running on our local host.

FORWARD chain: The flow 1→3→5 represents our machine routing data (performing as a router) between a host on our Ethernet network and a host reachable via our PPP link (or other interface, e.g. another network adapter eth1).

33 iptables

iptables is used to configure both IP filtering (filter) and Network Address Translation (nat). Five built-in chains:

The INPUT and FORWARD chains are available for the filter table.
The PREROUTING and POSTROUTING chains are available for the nat table.
The OUTPUT chain is available for both tables.

In this chapter we'll discuss only the filter table. The general syntax of most iptables commands is:

iptables command rule-specification extensions

34 Commands of iptables

-A chain: Append one or more rules to the end of the nominated chain.
-I chain rulenum: Insert one or more rules at the start of the nominated chain.
-D chain: Delete one or more rules from the specified chain matching the rule specification.
-D chain rulenum: Delete the rule residing at position rulenum in the specified chain. Rule positions start at 1 for the first rule in the chain.

35 Commands of iptables (2)

-R chain rulenum: Replace the rule residing at position rulenum in the specified chain with the supplied rule specification.
-C chain: Check the datagram described by the rule specification against the specified chain.
-L [chain]: List the rules of the specified chain, or for all chains if no chain is specified.
-F [chain]: Flush the rules of the specified chain, or for all chains if no chain is specified.

36 Commands of iptables (3)

-X [chain]: Delete the specified user-defined chain, or all user-defined chains if no chain is specified.
-Z [chain]: Zero the datagram and byte counters for all rules of the specified chain, or for all chains if no chain is specified.
-P chain policy: Set the default policy of the specified chain to the specified policy. Valid firewalling policies are ACCEPT, DROP.

37 Rule specification parameters

-p [!]protocol: Specifies the protocol of the datagram that will match this rule. Valid protocol names are tcp, udp, icmp. If the ‘!’ character is supplied, the rule is negated and the datagram will match any protocol other than the specified protocol. If this parameter isn't supplied, it will default to match all protocols.

38 Rule specification parameters (2)

-s [!]address[/mask]: Specifies the source address of the datagram that will match this rule. The address may be supplied as a hostname, a network name, or an IP address. The optional mask is the netmask to use and may be supplied either in the traditional form (e.g., /255.255.255.0) or in the modern form (e.g., /24).
-d [!]address[/mask]: Specifies the destination address and port of the datagram that will match this rule.

39 Rule specification parameters (3)

-j target: Specifies what action to take when this rule matches. Valid targets are ACCEPT, DROP.
-i [!]interface-name: Specifies the interface on which the datagram was received, e.g. eth0.
-o [!]interface-name: Specifies the interface on which the datagram is to be transmitted.

40 Extensions

--sport [!] [port[:port]]: Specifies the port that the datagram source must be using to match this rule. Ports may be specified as a range by specifying the upper and lower limits of the range using the colon as a delimiter, e.g. 20:25. Again, the ! character may be used to negate the values.
--dport [!] [port[:port]]: Specifies the port that the datagram destination must be using to match this rule.

41 Extensions (2)

--icmp-type [!] typename: Specifies the ICMP message type that this rule will match. Some valid names are: echo-request, echo-reply, source-quench, time-exceeded, destination-unreachable, network-unreachable, host-unreachable, protocol-unreachable, and port-unreachable.
--mac-source [!] address: Specifies the host's Ethernet address that transmitted the datagram that this rule will match.

42 Examples

Clear all the chains:

iptables -F OUTPUT
iptables -F FORWARD
iptables -F INPUT
iptables -X

By default, do not allow any connection!

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

43 Examples (2)

Allow all traffic at the interface lo (the OUTPUT chain takes -o, not -i):

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Open ports 20 to 23 in the INPUT and OUTPUT chains to all hosts:

iptables -A INPUT -p tcp --dport 20:23 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:23 -j ACCEPT

Open port 80 in the INPUT and OUTPUT chains to the network 192.168.1.0/24:

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.0/24 --sport 80 -j ACCEPT

Allow other hosts to ‘ping’ this machine:

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
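As an added example, not from the slides and not the iptables code itself, the following Python model loads the example rule set above and applies it to a handful of constructed packets with the same first-match semantics iptables uses, so the effect of the DROP policies can be checked without root or a network. The Firewall class, the SAMPLES packets and the RULESET layout are this example's own; the OUTPUT loopback rule is written with -o, which is the option iptables accepts on the OUTPUT chain. The model is stateless and knows only the options the slides describe (-p, -s, -d, -i, -o, --sport, --dport, --icmp-type, -j and ‘!’).

```python
import ipaddress

# The example rule set from the slides, one command per line (OUTPUT loopback rule uses -o).
RULESET = """
iptables -F OUTPUT
iptables -F FORWARD
iptables -F INPUT
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp --dport 20:23 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:23 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.1.0/24 --sport 80 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
"""
ICMP_TYPES = {"echo-reply": 0, "destination-unreachable": 3, "source-quench": 4,
              "echo-request": 8, "time-exceeded": 11}
OPTIONS = {"-p": "proto", "-s": "src", "-d": "dst", "-i": "in_if", "-o": "out_if",
           "--sport": "sport", "--dport": "dport", "--icmp-type": "icmp_type"}


class Firewall:
    """Stateless model of the filter table: three built-in chains, first matching rule wins."""

    def __init__(self):
        self.policy = {c: "ACCEPT" for c in ("INPUT", "OUTPUT", "FORWARD")}
        self.chains = {c: [] for c in self.policy}

    def load(self, script):
        for line in script.strip().splitlines():
            self.command(line.split()[1:])          # drop the leading 'iptables'

    def command(self, argv):
        cmd = argv[0]
        if cmd == "-F":                              # flush one chain, or all of them
            for c in ([argv[1]] if len(argv) > 1 else list(self.chains)):
                self.chains[c] = []
        elif cmd == "-X":                            # no user-defined chains in this model
            pass
        elif cmd == "-P":
            self.policy[argv[1]] = argv[2]
        elif cmd == "-A":
            self.chains[argv[1]].append(self._parse_rule(argv[2:]))
        elif cmd == "-I":                            # -I chain [rulenum] rule-spec
            has_num = argv[2].isdigit()
            pos = int(argv[2]) - 1 if has_num else 0
            self.chains[argv[1]].insert(pos, self._parse_rule(argv[3 if has_num else 2:]))
        else:
            raise ValueError("unsupported command " + cmd)

    @staticmethod
    def _parse_rule(argv):
        """Rule specification -> {key: (negated, value)} plus the -j target."""
        rule, i = {}, 0
        while i < len(argv):
            opt, i = argv[i], i + 1
            negate = argv[i] == "!"
            if negate:
                i += 1
            val, i = argv[i], i + 1
            if opt == "-j":
                rule["target"] = val
                continue
            key = OPTIONS[opt]
            if key in ("src", "dst"):
                val = ipaddress.ip_network(val, strict=False)
            elif key in ("sport", "dport"):          # single port or lo:hi range
                lo, _, hi = val.partition(":")
                val = (int(lo), int(hi or lo))
            elif key == "icmp_type":
                val = int(val) if val.isdigit() else ICMP_TYPES[val]
            rule[key] = (negate, val)
        return rule

    @staticmethod
    def _matches(rule, pkt):
        for key, spec in rule.items():
            if key == "target":
                continue
            negate, want = spec
            have = pkt.get(key)
            if have is None:
                hit = False
            elif key in ("src", "dst"):
                hit = ipaddress.ip_address(have) in want
            elif key in ("sport", "dport"):
                hit = want[0] <= have <= want[1]
            else:
                hit = have == want
            if hit == negate:                        # plain miss, or a negated match that matched
                return False
        return True

    def verdict(self, chain, pkt):
        """Walk the chain in order; the first matching rule with a target decides, else the policy."""
        for rule in self.chains[chain]:
            if self._matches(rule, pkt) and "target" in rule:
                return rule["target"]
        return self.policy[chain]


# Constructed sample packets: (chain, fields). 192.168.1.254 is this machine.
SAMPLES = {
    "ssh from outside":  ("INPUT", dict(proto="tcp", src="10.0.0.5", dst="192.168.1.254", sport=40000, dport=22, in_if="eth0")),
    "http from outside": ("INPUT", dict(proto="tcp", src="10.0.0.5", dst="192.168.1.254", sport=40001, dport=80, in_if="eth0")),
    "http from lan":     ("INPUT", dict(proto="tcp", src="192.168.1.10", dst="192.168.1.254", sport=40002, dport=80, in_if="eth0")),
    "ping request in":   ("INPUT", dict(proto="icmp", src="10.0.0.5", dst="192.168.1.254", icmp_type=8, in_if="eth0")),
    "ping reply out":    ("OUTPUT", dict(proto="icmp", src="192.168.1.254", dst="10.0.0.5", icmp_type=0, out_if="eth0")),
    "own dns query out": ("OUTPUT", dict(proto="udp", src="192.168.1.254", dst="168.95.1.1", sport=50000, dport=53, out_if="eth0")),
    "loopback":          ("INPUT", dict(proto="tcp", src="127.0.0.1", dst="127.0.0.1", sport=5000, dport=5000, in_if="lo")),
}

def evaluate(script=RULESET, samples=SAMPLES):
    """Load the script and return {description: verdict} for every sample packet."""
    fw = Firewall()
    fw.load(script)
    return {name: fw.verdict(chain, pkt) for name, (chain, pkt) in samples.items()}

if __name__ == "__main__":
    for name, v in evaluate().items():
        print("%-18s %s" % (name, v))
```

The run shows the caveat of a stateless rule set: the echo-request is accepted on INPUT, but the echo-reply this machine sends falls through to the OUTPUT policy and is dropped, and so are the machine's own DNS queries to UDP port 53, which means the cache-only named from the earlier slides could not reach its forwarders. Those outbound flows need their own ACCEPT rules before the policy applies.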