DNS & BIND - stud.netgroup.uniroma2.it/cgrl/2015/slides/dns.pdf
Need for name translation
• initially because "tty2" is better than "port 21"
• … imagine IPv6!
  – 2002:a050:6768:0:e2f8:47ff:fe38:c5cc (my pc)
• Important also for:
  – load balancing
  – decoupling IP and name (i.e. when changing hosting)
  – many other things (e.g. anti-spam!)
• Where to study:
  – DNS and BIND (O'Reilly)
  – Pro DNS and BIND (Aitchison)
Before DNS…
• Try to put in /etc/hosts:
  – 63.135.91.11 facebook.com
  – 127.0.0.1 localhost
• Inefficiencies: traffic load, name collisions, consistency
• Each computer has HOSTS.txt – still used in all operating systems, check your own!
Simple solution
[diagram: host → nameserver: "Resolve that name"; nameserver (with its DB) → host: "Here's the number!"]
• On the Internet – need of a scalable solution (today > ~284M domains [1])
  – avoid name collisions
  – reliability
  – introduce hierarchical names: www.example.com. (the trailing dot is the "silent dot")
  – Key concept: authority and delegation
[1] https://investor.verisign.com/releasedetail.cfm?releaseid=892548
Internet Domain Name System
• DNS's distributed database is indexed by domain names
• Each domain name is essentially just a path in a large inverted tree, called the domain name space
• Each node in the tree has a text label (without dots) that can be up to 63 characters long
• The full domain name of any node in the tree is the sequence of labels on the path from that node to the root
• An absolute domain name is also referred to as a fully qualified domain name, often abbreviated FQDN
• DNS requires that sibling nodes − nodes that are children of the same parent − have different labels. This restriction guarantees that a domain name uniquely identifies a single node in the tree (easier collision avoidance)
• Scalability is reached through DELEGATION
Internet Domain Name System
[diagram of the tree]
Root
Top-Level Domains (TLDs): generic (gTLD: .com, .org, .net…) and country code (ccTLD: .it, .us, …)
Second Level Domains (SLDs): uniroma2.it, google.com, example.com
Higher Level Domains…
A Domain is a string representing the realm of an Authority. For the root: IANA (a department of ICANN, www.icann.org/). For .it: the Istituto per le Applicazioni Telematiche del CNR, Pisa.
First experiment by Paul Mockapetris, 1983
DNS Tree
• The administrative responsibility of part of the Domain Name Space can be delegated: this is called a zone
• The zone can sub-delegate
• Zones are represented using zone files (RFC 1034-1035)
[diagram: root "" → it. de. com… → virgilio, Im, uniroma2… → ing, economia…, lettere]
A Zone delegated by the Root Authority to the "IT" Authority
A Zone sub-delegated to uniroma2
Resource Records
• Every node of the tree could have some Resource Records that contain information about the domain name
  – RRs have different standardized types (e.g. A, PTR, MX)
  – For instance, the IPv4 address associated with a name (Resource Record of type A)
Registrar, Registry, Maintainer
• Registry: database of all domain names registered in a top-level domain or second-level domain extension
• Registrar: front end to the public – accredited by a gTLD or ccTLD:
  • Example: http://www.nic.it/cgi-bin/List/index.cgi
  – Works with "web pages" (asynchronous)
• Maintainer: front end to the public – accredited by a gTLD or ccTLD – works with FAX (synchronous) – OBSOLETE*
* From 1 July 2010 no more maintainer contracts for .it domains (source: registro.it)
Whois
aquilante:~ orazio$ whois uniroma2.it
Domain:           uniroma2.it
Created:          1997-12-03 00:00:00
Last Update:      2013-03-08 12:19:02
Expire Date:      2014-01-14
Registrant
  Name:           Universita' degli Studi di Roma "Tor Vergata"
  Organization:   Universita' degli Studi di Roma "Tor Vergata"
  ContactID:      UNIV86
  (….)
Admin Contact (…)
Technical Contacts (…)
Registrar
  Organization:   Universita' degli Studi di Roma "Tor Vergata"
  Name:           UNIROMA2-REG
Nameservers
  dns.uniroma2.it
  dns1.uniroma2.it
  ns1.garr.net
Updating names: let's buy a "domain"
• A registrar interacts with the public, stores detailed information, and passes a "digest" to the registry operator.
• The registry operator builds a "zone file" (i.e. data describing the domain) and passes it to the interested TLD
• Periodically, ICANN distributes a "TLD master file" to each Root Server.
[diagram: Me → Registrar ("buy uniroma4.com") → registry operator → zone file → to TLD DNS]
www.example.com
• The domain name example.com was delegated from a gTLD authority, which in turn was delegated from ICANN (authority for the DNS Root Zone)
• The owner of the domain chooses the www part (called hostname)
• This is a Fully Qualified Domain Name (FQDN) – it specifies an exact location in the DNS tree hierarchy
DNS Implementation
• Exactly maps the domain name delegation structure: Root DNS → TLD DNS → Domain DNS
• 13 root servers (from a.root-servers.net to m)
A DNS comprehends:
1. Zone files – translate the domain names into operational entities, such as hosts, mail servers and services, for use by DNS software.
   – standard with Resource Records (RFC 1035, so portable!)
2. DNS program
3. Resolver library (asks the questions)
DNS Queries: iterative vs recursive
[diagram]
Query www.uniroma2.it → root server → referral to the .it ccTLD DNS
Query www.uniroma2.it → TLD DNS → referral to the uniroma2.it DNS
Query www.uniroma2.it → Domain DNS → Authoritative answer
Root Servers: respond only to iterative queries
DNS Resolver
• The client side of the DNS is usually called a DNS resolver.
• On a PC, we usually have simple resolvers (called "stub resolvers") that cannot follow referrals – they need a recursive DNS
• Browsers use the gethostbyname or gethostbyaddr methods to invoke name/IP resolution – functions provided by the stub resolver
Dig
debian package: dnsutils

root@ale:~# dig www.uniroma2.it

; <<>> DiG 9.7.3 <<>> www.uniroma2.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31347
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.uniroma2.it.                  IN      A

;; ANSWER SECTION:
www.uniroma2.it.            3600   IN      CNAME   webhouse01.ccd.uniroma2.it.
webhouse01.ccd.uniroma2.it. 3600   IN      A       160.80.2.46

;; AUTHORITY SECTION:
ccd.uniroma2.it.            3600   IN      NS      dns1.uniroma2.it.
ccd.uniroma2.it.            3600   IN      NS      dns.uniroma2.it.

;; Query time: 53 msec
;; SERVER: 213.133.99.99#53(213.133.99.99)
;; WHEN: Thu Mar 22 18:35:15 2012
;; MSG SIZE  rcvd: 115
Dig
Examples:
• dig @8.8.8.8 <name>
  – resolve with the 8.8.8.8 DNS
• dig @8.8.8.8 <name> +trace
  – recursively do all the queries
• dig . ns +short
  – show in short form all the NS fields of the root servers
• dig -x 204.152.184.167 +short
  – reverse lookup
tcpdump for DNS
tcpdump -n -t port domain -i any -s0
IP 192.168.0.111.3072 > 192.168.0.11.53: 34896+ A? www.uniroma2.it. (36)
Fields: Query ID (34896; "+" = recursion preferred), Query type (A? = find an A record), Query value (www.uniroma2.it.), Length of the packet (36)
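As an added example (not part of the slides), the query in the tcpdump line above, id 34896 with recursion desired for www.uniroma2.it., built in DNS wire format and parsed back into the fields tcpdump prints; only the Python standard library is used.

```python
import struct

# Added example (not from the slides): encode the query tcpdump shows above,
# id 34896 with the RD flag ("+"), QTYPE A for www.uniroma2.it., then decode it.
QTYPE_A, QCLASS_IN = 1, 1

def encode_qname(name):
    """Dotted name -> DNS labels: a length byte before each label, 0x00 at the end."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:             # labels are at most 63 characters
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qid, name, qtype=QTYPE_A, rd=True):
    """12-byte header (QR=0, opcode QUERY, RD as given) followed by one question."""
    flags = 0x0100 if rd else 0x0000              # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)

def decode_qname(data, offset):
    """Decode labels at offset; a plain question section has no compression pointers."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_query(pkt):
    """Return the fields tcpdump prints: id, RD ('+'), type, name and payload length."""
    qid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": qid, "rd": bool(flags & 0x0100), "qr": bool(flags & 0x8000),
            "qtype": qtype, "qname": name, "length": len(pkt)}

if __name__ == "__main__":
    print(parse_query(build_query(34896, "www.uniroma2.it.")))
```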
Master/Slave configuration
• redundancy for load balancing and fault resilience
• zones are passed from master to slave – full or partial zone transfer
• timing?
[diagram: slave → master: SOA request; master → slave: SOA response; slave → master: AXFR request; master → slave: Entire Zone]
Zone File: Example
$ORIGIN example.com.     ; changes the 'zone name' which is added to any 'unqualified' name
$TTL 1h                  ; default expiration time (TTL value)
example.com.  IN  SOA   ns.example.com. myemail.example.com. (
                        2007120710   ; serial number of this zone file
                        1d           ; slave refresh (1 day)
                        2h           ; slave retry time in case of a problem (2 hours)
                        4w           ; slave expiration time (4 weeks)
                        1h           ; maximum caching time in case of failed lookups (1 hour)
                        )
example.com.      NS    ns                    ; ns.example.com is a nameserver for example.com
example.com.      NS    ns.somewhere.example. ; a backup nameserver for example.com
example.com.      MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com
@                 MX    20 mail2.example.com. ; equivalent to above line, "@" represents zone origin
@                 MX    50 mail3              ; equivalent to above line, but using a relative hostname
example.com.      A     192.0.2.1             ; IPv4 address for example.com
                  AAAA  2001:db8:10::1        ; IPv6 address for example.com
ns                A     192.0.2.2             ; IPv4 address for ns.example.com
                  AAAA  2001:db8:10::2        ; IPv6 address for ns.example.com
mail              A     192.0.2.3             ; IPv4 address for mail.example.com
mail2             A     192.0.2.4             ; IPv4 address for mail2.example.com
mail3             A     192.0.2.5             ; IPv4 address for mail3.example.com
www               CNAME example.com.          ; www.example.com is an alias for example.com
(slide annotations: directives; SOA RR; NS RR; MX RR; A and AAAA RR; CNAME RR; format per RFC 1035)
Resource Records (RR)
• A Start of Authority (SOA) RR:
  – describes global characteristics of the zone domain
  – one and only one for each zone file (first RR in a zone file)
• Name Server (NS) RR: Defines name servers that are authoritative for the zone or domain. There must be two or more NS Resource Records in a zone file. NS RRs may reference servers in this domain or in a foreign or external domain. These RRs are mandatory.
• Mail Exchanger (MX) RR: Defines the mail servers for the zone (optional)
• Address (A) RR: Defines the IPv4 address of all the hosts (or services) that exist in this zone and which are required to be publicly visible. IPv6 entries are defined using AAAA (called Quad A) RRs (optional)
• Canonical Name (CNAME) RR: Defines an Alias RR, which allows one host (or service) to be defined as the alias name for another host (optional)
• And: PTR, TXT, AAAA, SRV and NSEC, RRSIG, DS, DNSKEY, KEY (DNSSEC)
Syntax: SOA RR
• Specifies authoritative information about a DNS zone
• Several parameters
  – serial: date (convention: YYYYMMDDSS)
  – refresh: tells the slave how often to check for changes (default 3600)
  – retry: interval between two subsequent attempts to contact the master in case of problems (default 600)
  – expire: if the slave fails to contact the master after the expire time, it stops resolving that zone (default 86400)
  – ttl: the minimum time-to-live value applied to all resource records in the zone file (default 3600)

Zone Domain    Class   RR    NS                email (dnsmaster)
example.com.   IN      SOA   ns.example.com.   email.example.com.
Syntax: NS RR
• Delegates a DNS zone to use the given authoritative name servers
• The name field can be any of:
  – A Fully Qualified Domain Name (FQDN), e.g. example.com. (ends with a dot)
  – An unqualified name (does not end with a dot)
  – An '@' (substitutes the current value of $ORIGIN)
  – a 'space' or 'blank' (tab) - this is replaced with the previous value of the name field. If no name has been previously defined this may result in the value of $ORIGIN.

Zone Name      TTL   class   rr   dns name
example.com.         IN      NS   ns1.example.com.
Reverse Mapping
• How to find the name corresponding to 1.2.3.4?
  – And more generally, how to build a tree to keep the structure scalable (as in the case of names)?
  – but… why? example: the anti-spam case
• Invert the IP and search in the IN-ADDR.ARPA domain

Reverse Mapping: zone file
…
$ORIGIN 254.168.192.IN-ADDR.ARPA.
…
17    IN    PTR    www.example.org.
(this PTR RR maps 192.168.254.17)
Try with: dig -x 204.152.184.167 +short
Reverse Mapping
• IPv4 addresses are allocated in netblocks by the RIRs to either a Local Internet Registry, LIR (typically an ISP), or a National Internet Registry (NIR), which in turn will allocate to an LIR.
• Each Internet Registry level is delegated the responsibility for reverse mapping the addresses it has been assigned.
• The LIR may delegate the responsibility for reverse mapping to the end user
Italian LIRs: https://www.ripe.net/membership/indices/IT.html
Interested? Search for Internet Governance: http://en.wikipedia.org/wiki/Internet_governance
First simple example: cgrl.edu
[diagram: LAN A 10.0.0.0/24 with DNS 10.0.0.1, PC1 10.0.0.100, PC2 10.0.0.101]
DNS (ns.cgrl.edu.) is the authoritative name server for the zone cgrl.edu.
[tree: edu → cgrl → pc1 (10.0.0.100), pc2 (10.0.0.101), alias (CNAME pc1), ns (10.0.0.1)]
Bind
• bind executable: /usr/sbin/named
• rndc: command line administration of the named daemon
• Like many daemons it has its start/stop script in /etc/init.d
  – /etc/init.d/bind [start|stop|restart|status|reload]
• Good news! Only one (usually short) conf file: /etc/bind/named.conf
• Bad news! it includes several other files!! such as:
  • Zone files: in /etc/bind/. Example: db.edu.cgrl
  • options: /etc/bind/named.conf.options
  • other files
BIND configuration
/etc/bind/named.conf
/etc/bind/db.edu.cgrl
NOTE: we are not using wildcards and special characters… more later on
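An added example (not the lab's db.edu.cgrl and not BIND's own parser): a minimal zone-file reader that applies the name-field rules from the NS RR slide ($ORIGIN, '@', blank name, unqualified vs. fully qualified names) to a constructed cgrl.edu zone, then checks the SOA/NS rules from the Resource Records slide. The second name server, ns.somewhere.example., is an assumption added so the zone satisfies the "two or more NS" rule.

```python
# Constructed zone for the cgrl.edu example above (an added example, not the lab's
# own db.edu.cgrl); relative names, "@" and a blank name field appear on purpose.
DB_EDU_CGRL = """
$ORIGIN cgrl.edu.
$TTL 1h
@       IN  SOA   ns.cgrl.edu. root.cgrl.edu. ( 2015030101 1d 2h 4w 1h )
        IN  NS    ns                    ; blank name field: reuse the previous name (@)
@       IN  NS    ns.somewhere.example. ; FQDN (ends with a dot): used as-is
ns      IN  A     10.0.0.1              ; unqualified name: becomes ns.cgrl.edu.
pc1     IN  A     10.0.0.100
alias   IN  CNAME pc1                   ; name-valued RDATA is qualified the same way
"""

def qualify(name, origin):
    """Name-field rules: '@' is $ORIGIN, an FQDN stays, anything else gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text):
    """Return (owner, ttl, type, rdata) tuples with every name made absolute."""
    origin, ttl, last_name, records = None, None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()         # strip comments
        if not line.strip():
            continue
        if line.startswith("$"):                     # $ORIGIN / $TTL directives
            directive, value = line.split()[:2]
            origin = value if directive == "$ORIGIN" else origin
            ttl = value if directive == "$TTL" else ttl
            continue
        fields = line.split()
        name = (last_name or origin) if line[0] in " \t" else qualify(fields.pop(0), origin)
        last_name = name
        # the class field is optional; type and RDATA follow it
        rtype, rdata = (fields[1], fields[2:]) if fields[0] == "IN" else (fields[0], fields[1:])
        if rtype in ("NS", "CNAME", "PTR", "MX"):    # name-valued RDATA is relative too
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((name, ttl, rtype, rdata))
    return records

def check_zone(records):
    """The two structural rules from the RR slide: one SOA first, two or more NS."""
    problems = []
    if not records or records[0][2] != "SOA":
        problems.append("first RR must be the SOA")
    if sum(r[2] == "SOA" for r in records) != 1:
        problems.append("exactly one SOA required")
    if sum(r[2] == "NS" for r in records) < 2:
        problems.append("two or more NS RRs required")
    return problems
```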
Check BIND configuration
• To check zone files:
  – named-checkzone $ZONE_NAME $ZONE_FILE
• To check conf files:
  – named-checkconf
• View the messages in syslog (or in another log file, if you changed it)
And for reverse address mapping? We simply make ns.cgrl.edu authoritative for the zone 0.0.10.IN-ADDR.ARPA
/etc/bind/named.conf
/etc/bind/db.0.0.10
/etc/resolv.conf
nameserver 8.8.8.8           # primary DNS
nameserver 8.8.4.4           # secondary DNS
domain mydomain.com
search mysearch.com d2.com   # search directive for short names
• When trying to resolve "test" it resolves test.mydomain.com (using gethostname, or domain if present)
• If you want "test" to be resolved as test.A and test.B, specify "search A B" (in case test.A fails, the resolver will go for test.B)
• The domain and search keywords are mutually exclusive. If more than one instance of these keywords is present, the last instance wins.
• Let's put 127.0.0.1 to test our new DNS server!!
Second simple example: delegation of studenti.cgrl.edu
[diagram: LAN A 10.0.0.0/24 with DNS 10.0.0.2, PC1 10.0.0.100, PC2 10.0.0.101; LAN B 192.168.1.0/24 with DNS2 192.168.1.2, www 192.168.1.200]

Second simple example: delegation of studenti.cgrl.edu
[tree: edu → cgrl → pc1 (10.0.0.100), pc2 (10.0.0.101), alias (CNAME pc1), ns (10.0.0.1), studenti → www (192.168.1.200), ns (192.168.1.2)]
cgrl.edu domain = cgrl.edu zone + studenti.cgrl.edu zone
cgrl.edu delegated to ns.cgrl.edu; studenti.cgrl.edu delegated to ns.studenti.cgrl.edu
BIND configuration – dns
# /etc/bind/db.edu.cgrl
[zone file shown on the slide; annotations: delegation; "@" substitutes the current value of $ORIGIN; relative names are appended to the current zone]
Glue record
• How can we resolve ns.studenti.cgrl.edu? – if that was exactly the DNS responsible for resolving *.studenti.cgrl.edu!!
• A glue record is an A record for the name server that is authoritative for the delegated zone
  – ns.studenti.cgrl.edu IN A 192.168.1.2
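An added example (not from the slides or the lab files): a simulated iterative resolution of www.studenti.cgrl.edu starting at the root, following referrals as in the iterative-vs-recursive query slide and using the glue record above. The root and edu server addresses are constructed; the other addresses are the ones on the slides. Removing the glue shows the referral loop a recursive server would fall into.

```python
# Constructed data for the cgrl.edu / studenti.cgrl.edu delegation above (added
# example, not the lab's files): root and edu addresses are made up, the rest are
# the slides' addresses. Each server holds one zone: (owner, type, rdata) tuples.
ROOT, EDU = "10.255.0.1", "10.255.0.2"
SERVERS = {
    ROOT: {".": [("edu.", "NS", "a.edu-servers.test."),
                 ("a.edu-servers.test.", "A", EDU)]},
    EDU: {"edu.": [("cgrl.edu.", "NS", "ns.cgrl.edu."),
                   ("ns.cgrl.edu.", "A", "10.0.0.1")]},               # glue
    "10.0.0.1": {"cgrl.edu.": [
        ("ns.cgrl.edu.", "A", "10.0.0.1"),
        ("studenti.cgrl.edu.", "NS", "ns.studenti.cgrl.edu."),       # delegation
        ("ns.studenti.cgrl.edu.", "A", "192.168.1.2")]},              # glue
    "192.168.1.2": {"studenti.cgrl.edu.": [
        ("ns.studenti.cgrl.edu.", "A", "192.168.1.2"),
        ("www.studenti.cgrl.edu.", "A", "192.168.1.200")]},
}

def ancestors(name):
    """'www.studenti.cgrl.edu.' -> [itself, 'studenti.cgrl.edu.', 'cgrl.edu.', 'edu.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def query(servers, server_ip, qname, qtype="A"):
    """One iterative query: an authoritative ANSWER, or a REFERRAL with any glue."""
    records = [r for zone in servers[server_ip].values() for r in zone]
    answer = [r[2] for r in records if r[0] == qname and r[1] == qtype]
    if answer:
        return "ANSWER", answer
    for owner in ancestors(qname):                  # most specific delegation first
        ns = [r[2] for r in records if r[0] == owner and r[1] == "NS"]
        if ns and owner not in servers[server_ip]:  # a child zone, not our own apex
            return "REFERRAL", {n: [r[2] for r in records
                                    if r[0] == n and r[1] == "A"] for n in ns}
    return "NXDOMAIN", []

def resolve(servers, qname, qtype="A", server=ROOT, hops=0, trace=None):
    """What a recursive server does for a stub resolver: follow referrals from the root."""
    trace = [] if trace is None else trace
    if hops > 8:
        raise RuntimeError("referral loop: %s needs a glue record" % qname)
    kind, data = query(servers, server, qname, qtype)
    trace.append((server, kind))
    if kind == "ANSWER":
        return data, trace
    if kind == "REFERRAL":
        nsname, glue = next(iter(data.items()))
        if not glue:                 # no glue: the NS name itself must be resolved first
            glue, _ = resolve(servers, nsname, "A", ROOT, hops + 1, trace)
        return resolve(servers, qname, qtype, glue[0], hops + 1, trace)
    raise LookupError(qname)
```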
MX records and load balancing
• in the most used MTA clients, if the DNS preferences are equal → Round robin!
       IN  MX  10  mail.example.com.
       IN  MX  10  mail2.example.com.
       IN  MX  10  mail3.example.com.
mail   IN  A   192.168.0.4
mail2  IN  A   192.168.0.5
mail3  IN  A   192.168.0.6
Load Balancing
• The name server will deliver all the IP addresses defined for the given name in answer to a query for the A RRs;
• the order of IP addresses in the returned list is defined by the rrset-order statement in BIND's named.conf file.
  – rrset-order { type MX name "example.com" order random; order cyclic; };
• Caching can significantly distort the effectiveness of any DNS IP address allocation algorithm. A TTL value of 0 may be used to inhibit
Mail server failover
; zone file fragment
       IN  MX  10  mail.example.com.
       IN  MX  20  mail.example.net.
....
mail   IN  A   192.168.0.4
....
• If the most preferred mail server, the one with the lowest number (10), is not available, mail will be sent to the second most preferred server
Sender Policy Framework (SPF)
• The design intent of the SPF record is to allow a receiving Message Transfer Agent (MTA) to verify that the originating IP (the source-ip) of an e-mail from a sender is authorized to send mail for the sender's domain.
• TXT RR (BIND releases from 9.4.0 support the SPF RR type)
• v=spf1 [pre]type [[pre]type] ... [mod]  where:
  – pre: + = pass (default), - = fail, ~ = softfail (indeterminate result), ? = neutral
  – type: This defines the mechanism type to use for verification of the sender.
SPF: SMTP Conversation Example
==> 220 teamits105.teamITS.net ESMTP Sendmail 8.13.6.20060614/8.13.6; Wed, 6 Dec 2007 14:27:47 -0600 (CST)
<-- HELO teamits104.teamITS.net
==> 250 teamits105.teamITS.net Hello py-in-f99.google.com [64.233.167.99], pleased to meet you
<-- mail from: [email protected]
==> [email protected]
<-- rcpt to: [email protected]
==> [email protected]
<-- Data
==> 354 Please start mail input.
<-- From: [email protected]
<-- To: [email protected]
<-- Subject: Want to buy a widget?
<--
<-- Body text of message.
<-- .
==> 250 Mail queued for delivery.
<-- Quit
==> 221 Closing connection. Goodbye.
SPF Examples
• mail.acme.example.net. TXT "v=spf1 a -all"
  – The only host that can announce itself as mail.acme.example.net is mail.acme.example.net (indicated by the "a")
• @ IN TXT "v=spf1 a:mail.example.com/27 -all"
  – or: @ IN SPF "v=spf1 a:mail.example.com/27 -all"
  – We can use slash notation to specify a CIDR range
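An added example (not from the slides): a small evaluator for the two records above, implementing the a, a:domain/cidr, ip4 and all mechanisms with the +, -, ~ and ? qualifiers; the A records it consults are constructed for the demonstration.

```python
import ipaddress

# Added example (not from the slides): evaluate the two SPF records shown above
# against a connecting IP. The A records below are constructed for the demo.
A_RECORDS = {
    "mail.acme.example.net": ["192.0.2.10"],
    "mail.example.com": ["198.51.100.33"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt):
    """'v=spf1 [pre]type[:value][/cidr] ...' -> list of (qualifier, mechanism, value, cidr)."""
    terms = txt.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    out = []
    for term in terms[1:]:
        qual = term[0] if term[0] in RESULTS else "+"     # '+' is the default qualifier
        body, _, cidr = term.lstrip("+-~?").partition("/")
        mech, _, value = body.partition(":")
        out.append((qual, mech.lower(), value, int(cidr) if cidr else 32))
    return out

def check_host(source_ip, sender_domain, txt, a_records=A_RECORDS):
    """Result for the SMTP client's IP: the first matching mechanism decides."""
    ip = ipaddress.ip_address(source_ip)
    for qual, mech, value, cidr in parse_spf(txt):
        if mech == "all":
            return RESULTS[qual]
        if mech == "a":                          # bare 'a' means the sender's own domain
            nets = [ipaddress.ip_network("%s/%d" % (a, cidr), strict=False)
                    for a in a_records.get(value or sender_domain, [])]
            if any(ip in net for net in nets):
                return RESULTS[qual]
        elif mech == "ip4":
            if ip in ipaddress.ip_network("%s/%d" % (value, cidr), strict=False):
                return RESULTS[qual]
        else:
            raise NotImplementedError("mechanism %r not handled here" % mech)
    return "neutral"                             # nothing matched and no 'all' term
```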
Exercise in class
[diagram: LAN A 10.0.0.0/24 with DNS 10.0.0.2, PC1 10.0.0.100, PC2 10.0.0.101; LAN B 192.168.1.0/24 with DNS2 192.168.1.2, www 192.168.1.200, www2 192.168.1.201]
Add a www2 VM and load balance www.studenti.cgrl.edu between www and www2

Load Balancing of the www server on LAN B
• Simply add another A RR in /etc/bind/db.studenti.cgrl.edu
• BIND will automatically round robin through the addresses bound to the same name
A small Internet… Netkit lab: lab4-dns.tar.gz
[diagram: router R (dhcp server) with interfaces 10.0.0.1, 10.0.1.1 and 10.0.2.1 on three LANs; name servers dns-sld (cgrl.edu), dns-stud (stud.cgrl.edu) and dns-dip (dip.cgrl.edu); hosts pc1 and pc2 (addresses via dhcp), server1 and server2; addresses used: 10.0.0.2, 10.0.1.2, 10.0.2.2, 10.0.1.3, 10.0.2.3]
Statements: BIND
• many! – http://www.zytrax.com/books/dns/ch7/statements.html
• allow-transfer { 192.168.1.2; };  (default yes)
• or selective:
  zone "example.com" in {
      ....
      allow-transfer { 192.168.1.2; };
      ....
  };
• The allow-notify { 192.168.254.2; }; statement disables NOTIFY messages from any host except the zone master, to minimize possible malicious action.
View clause
view "goodguys" {
    match-clients { 192.168.254.0/24; };   // the example.com network
    recursion yes;
    zone "." {                             // required zone for recursive queries
        type hint;
        file "root.servers";
    };
    ....
};
• To offer different services to different clients (e.g. inside and outside our company)
• The view statement can take a serious number of statements
Master/Slave configuration: AXFR
Full Zone Transfer
• Master: the zone file will be read from the local file store
• Slave: obtains the zone records using zone transfer
• Everything is done using TCP; zone transfers are always started by the clients
[diagram: slave → master: SOA request; master → slave: SOA response; slave → master: AXFR request; master → slave: Entire Zone]
Master/Slave configuration: IXFR
Incremental zone transfer
• Requests a zone transfer of the given zone, but only the differences from a previous serial number.
• AXFR can be sent if the authoritative server is unable to fulfill the request due to configuration or lack of the required deltas.
[diagram: slave → master: SOA request; master → slave: SOA response; slave → master: IXFR request; master → slave: Changes in zone info]
Master/Slave configuration: Notify
Servers can send a NOTIFY message to clients to signal changes. Notify decreases the latency and propagation time of zone changes.
[diagram: master → slave: Notify; slave → master: SOA request; master → slave: SOA response; slave → master: IXFR or AXFR request; master → slave: Changes in zone info]
Example: delegation and redundancy
[diagram: one server is Master for the subdomain us.example.com; another is Master for example.com and Slave for us.example.com; Delegation of subdomain us.example.com]

Bind: Delegate a Subdomain (Subzone)
zone "example.com" in {
    type master;
    file "master.example.com";
};
zone "us.example.com" IN {
    type slave;
    file "slave.us.example.com";
    masters { 10.10.0.24; };
};
Delegation with redundancy
Reverse delegation
• Example: how to reverse delegate a subnet smaller than a /24: RFC 2317
• Assignor zone file:
  64/26.199.168.192.IN-ADDR.ARPA.  IN  NS  ns2.example.com.
• Assignee (End-user) Zone File – Simple!
  65  IN  PTR  fred.example.com.
  66  IN  PTR  joe.example.com.
  67  IN  PTR  bill.example.com.
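An added example (not from the slides): building reverse names as in the reverse-mapping slides, generating the RFC 2317 records the assignor and the assignee publish for the 192.168.199.64/26 delegation above, and then following the assignor's CNAME into the assignee's PTR the way a resolver would. The name server and host names are the slide's; the lookup helper is an assumption of this example.

```python
import ipaddress

# Added example (not from the slides): the reverse-mapping names and the RFC 2317
# records for the 192.168.199.64/26 delegation shown above. Name comparison in
# DNS is case-insensitive, so 'in-addr.arpa.' here equals the slides' IN-ADDR.ARPA.
def reverse_name(ip):
    """192.168.254.17 -> 17.254.168.192.in-addr.arpa. (IPv6 gives nibbles under ip6.arpa.)"""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def classless_delegation(network, nameservers):
    """Records the assignor (owner of the /24) adds to delegate a block smaller than
    a /24: an NS for the '64/26' child zone plus one CNAME per address into it."""
    net = ipaddress.ip_network(network)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 applies to blocks smaller than a /24")
    o = str(net.network_address).split(".")
    parent = "%s.%s.%s.in-addr.arpa." % (o[2], o[1], o[0])
    child = "%s/%d.%s" % (o[3], net.prefixlen, parent)
    records = [(child, "NS", ns) for ns in nameservers]
    for addr in net:                                   # every address of the block
        last = str(addr).split(".")[3]
        records.append(("%s.%s" % (last, parent), "CNAME", "%s.%s" % (last, child)))
    return parent, child, records

def assignee_zone(child, ptrs):
    """PTR records the end user writes in the delegated '64/26.199.168.192...' zone."""
    return [("%s.%s" % (last, child), "PTR", host) for last, host in ptrs]

def lookup_ptr(ip, records):
    """Reverse lookup over the combined records: follow the assignor's CNAME (if
    the address sits in a classless block) and return the PTR target."""
    rrs = {(owner, rtype): rdata for owner, rtype, rdata in records}
    name = reverse_name(ip)
    name = rrs.get((name, "CNAME"), name)
    return rrs.get((name, "PTR"))
```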
Out-of-Sequence Serial Numbers
• SN = 4-byte int, set as a date by convention – the bigger the SN, the newer the data
• what if we make a mistake and put a date in the future?
  – wait till the future comes to correct the error
  – increment the value by 2^31, push it to all the slaves, and then put the right value (wrapped through zero)
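An added example (not from the slides): the serial comparison a slave applies (RFC 1982 serial number arithmetic) and the two-step correction described above, carried out on a constructed wrong serial. RFC 1982 limits a single increment to less than 2^31, so the code's first jump is 2^31 - 1.

```python
# Added example (not from the slides): RFC 1982 serial arithmetic behind the
# "date in the future by mistake" recovery described above. A single increment
# must stay below 2^31, so the first jump is 2^31 - 1, not 2^31 itself.
MOD = 1 << 32
HALF = 1 << 31

def serial_add(s, n):
    """Serial addition: n < 2^31, result wraps through zero."""
    if not 0 <= n < HALF:
        raise ValueError("increment must be below 2^31")
    return (s + n) % MOD

def serial_newer(candidate, current):
    """True if candidate is 'newer' than current in 32-bit serial space; a slave
    transfers the zone only when the master's serial is newer than its own."""
    diff = (candidate - current) % MOD
    return 0 < diff < HALF

def fix_future_serial(wrong, right):
    """Two publications: wrong + (2^31 - 1), which every slave sees as newer, then
    the right value, which is newer than that because the comparison wraps."""
    step1 = serial_add(wrong, HALF - 1)
    if not (serial_newer(step1, wrong) and serial_newer(right, step1)):
        raise ValueError("right value not reachable in two steps")
    return [step1, right]
```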
Wildcard
@   IN  MX  10  mail.example.com.
*   IN  MX  10  mail.example.com.
• an MX query for anything-else.example.com will return the host mail.example.com.