DNS Overview

DNS Overview

Griffin Software Ltd.Griffin House, The Village Square, Tallaght, Dublin 24

Tel: (01) 4622277 Fax: (01) 4623059www.griffinsoft.com

This document is Copyright © 2004 Opus Novum Limited. All rights reserved. No part of this document may be reproduced inany form or by any means without prior written consent from Opus Novum Limited

DNS Overview Griffin Software

Module 1: A Brief History of DNS................................................................................ 4Before DNS................................................................................................................ 5Domain Name Service................................................................................................6

Module 2: How does DNS Work................................................................................... 7Domain Name Space.................................................................................................. 8Structure of DNS name space.................................................................................... 9Domain Names......................................................................................................... 10DNS Naming Standards........................................................................................... 11Reading Domain Names...........................................................................................12Domains................................................................................................................... 13Some Top Level Domains........................................................................................15Delegation................................................................................................................ 16Name Servers and Zones.......................................................................................... 17Types of Name Server.............................................................................................. 18Data files...................................................................................................................19Zone transfers........................................................................................................... 20Resolvers.................................................................................................................. 21Resolution.................................................................................................................22DNS Query types......................................................................................................23Searching the Domain Name Space......................................................................... 24Query Recursion and Referral.................................................................................. 25Recursive Query....................................................................................................... 26Iterative Query..........................................................................................................27Recursion and Iteration.............................................................................................28Caching.....................................................................................................................29

Module 3: Setting up a Domain................................................................................... 30Registering Your Domain........................................................................................ 31Zone Data................................................................................................................. 32Resource Record Syntax...........................................................................................33SOA records............................................................................................................. 34NS record..................................................................................................................35A records.................................................................................................................. 36MX records...............................................................................................................37CNAME Records..................................................................................................... 38PTR Records............................................................................................................ 39BIND Configuration Files........................................................................................ 40Configure a Primary Server......................................................................................41Exercise.................................................................................................................... 42Growing Domains.................................................................................................... 43How many Name servers?........................................................................................44Adding more Name Servers..................................................................................... 45Adding a Secondary Name Server............................................................................46Adding a Cache-Only Name Server......................................................................... 47Parenting...................................................................................................................48Why become a parent?............................................................................................. 49Sub-domains.............................................................................................................50Delegating a Sub-domain......................................................................................... 51Glue.......................................................................................................................... 52

Module 4: DNS Tools & Troubleshooting...................................................................53Host.......................................................................................................................... 54

2


Host Examples .........................................................................................................58Host Examples..........................................................................................................59Nslookup ................................................................................................................. 60Non-Interactive Mode.............................................................................................. 64Interactive Mode.......................................................................................................65Nslookup commands................................................................................................ 66Dig............................................................................................................................ 67Dig Example.............................................................................................................70BIND Logging..........................................................................................................71Log Channels............................................................................................................72Log Categories..........................................................................................................73Default Logging Config............................................................................................74Common Problems...................................................................................................75Forget to Increment Serial Number.......................................................................... 76Forget to Signal Primary.......................................................................................... 77Secondary Can’t Load Zone Data.............................................................................78Forget to Add PTR Record.......................................................................................79Syntax Error in the boot or data files........................................................................80Missing dot at the end of a name..............................................................................81Missing Cache data.................................................................................................. 82

Module 5: Advanced Features......................................................................................83Address Match Lists and ACL’s.............................................................................. 84Security.....................................................................................................................85DNS Notify...............................................................................................................86DNS Dynamic Update..............................................................................................87Incremental Zone Transfer....................................................................................... 89Views........................................................................................................................90Round Robin Load Distribution............................................................................... 91CNAME Record Limitations....................................................................................92Wildcards................................................................................................................. 93Network Names and Numbers................................................................................. 94Some Additional Resource Records.........................................................................95DNS and Windows...................................................................................................98Active Directory Integrated Zones........................................................................... 99Multi-master Replication........................................................................................100Windows Client Configuration.............................................................................. 101DNS Configuration Interface................................................................................. 102Client-side Configuration....................................................................................... 103Preferred DNS Server Configuration..................................................................... 104Alternate DNS Server Configuration..................................................................... 105Windows Client Dynamic Update..........................................................................106

3


Module 1: A Brief History of DNS

Module 1: A Brief History of DNS

4


Before DNS

Before DNS

ARPANET- HOSTS.TXT contained name to address mapping for

every host- E.g

- HOST : 10.7.0.4 : SUN.COM : SUN -3/160 : SunOS : TCP/TELNET, TCP/FTP, TCP/SMTP :

It soon became clear that a single hosts files did not scale wel l !

Through the 1970s, the ARPAnet was a small, friendly community of a few hundred hosts. A single file, HOSTS.TXT, containedall the information you needed to know about those hosts: it held a name-to-address mapping for every host connected to theARPAnet.

HOSTS.TXT was maintained by SRI's Network Information Center (dubbed "the NIC") and distributed from a single host, SRI-NIC.[1] ARPAnet administrators typically emailed their changes to the NIC, and periodically ftped to SRI-NIC and grabbed thecurrent HOSTS.TXT. Their changes were compiled into a new HOSTS.TXT once or twice a week. As the ARPAnet grew,however, this scheme became unworkable. The size of HOSTS.TXT grew in proportion to the growth in the number of ARPAnethosts. Moreover, the traffic generated by the update process increased even faster: every additional host meant not only anotherline in HOSTS.TXT, but potentially another host updating from SRI-NIC.SRI is the Stanford Research Institute in Menlo Park, California. SRI conducts research into many different areas, includingcomputer networking.And when the ARPAnet moved to the TCP/IP protocols, the population of the network exploded. Now there was a host ofproblems with HOSTS.TXT:

Traffic and load The toll on SRI-NIC, in terms of the network traffic and processor load involved in distributing the file, was becomingunbearable.

Name collisions No two hosts in HOSTS.TXT could have the same name. However, while the NIC could assign addresses in a way thatguaranteed uniqueness, it had no authority over host names. There was nothing to prevent someone from adding a host with aconflicting name and breaking the whole scheme. Someone adding a host with the same name as a major mail hub, for example,could disrupt mail service to much of the ARPAnet.

Consistency Maintaining consistency of the file across an expanding network became harder and harder. By the time a new HOSTS.TXTcould reach the farthest shores of the enlarged ARPAnet, a host across the network had changed addresses, or a new host hadsprung up that users wanted to reach.

The essential problem was that the HOSTS.TXT mechanism didn't scale well. Ironically, the success of the ARPAnet as anexperiment led to the failure and obsolescence of HOSTS.TXT.

5


Domain Name Service

Domain Name Service

Paul Mockapetis, tasked with designing a replacement system

RFC’s 882 and 883 released in 1984, describing the DNS system.

Later replaced by RFC’s 1034 and 1035

The ARPAnet's governing bodies chartered an investigation into a successor forHOSTS.TXT. Their goal was to create a system that solved the problems inherent in aunified host table system. The new system should allow local administration of data,yet make that data globally available. The decentralization of administration wouldeliminate the single-host bottleneck and relieve the traffic problem. And localmanagement would make the task of keeping data up-to-date much easier. It shoulduse a hierarchical name space to name hosts. This would ensure the uniqueness ofnames.Paul Mockapetris, then of USC's Information Sciences Institute, was responsible fordesigning the architecture of the new system. In 1984, he released RFCs 882 and 883,which describe the Domain Name System. These RFCs were superseded by RFCs1034 and 1035, the current specifications of the Domain Name System.[2] RFCs 1034and 1035 have now been augmented by many other RFCs.

The purpose of the Domain Name System is to create a system that allows lookups ina tree-like database. These lookups are mostly (but not only) finding an IP address thatbelongs to a "node" (a hostname) in the Domain Name System. A hostname in thisrespect is always a "Fully Qualified Domain Name" (FQDN).

6


Module 2: How does DNS Work

Module 2: How does DNS Work

7


Domain Name Space

Domain Name Space

Each unit of data in DNS’s Distributed database is indexed by a name

The names are paths in a large inverted tree structure, called the domain name space

The tree has a single root at the top, called the root or the root domain

The tree can branch any number of ways at each intersection point ( node )

DNS's distributed database is indexed by domain names. Each domain name isessentially just a path in a large inverted tree, called the domain name space. Thetree's hierarchical structure, shown in in next slide, is similar to the structure of theUNIX filesystem. The tree has a single root at the top. DNS simply calls it "the root."DNS's tree can branch any number of ways at each intersection point, called a node.The depth of the tree is limited to 127 levels.

8


Structure of DNS name space

Structure of DNS name space

org ukcom

.

orgco gov

The DNS system knows a hierarchical structure: • The root node(RED) is the "dot" domain. This dot is the origin of all domains. It is comparable with the root of a UNIX filesystem. • Below the root node you will find a number of Top Level Domains (YELLOW). These can further be distinguished in Generic Top Level Domains (gTLD), such as com, org and net, and Country Code Top Level Domains (ccTLDs), such as nl (for the Netherlands), au (for Australia) and uk (for the United Kingdom).

• Below a Top Level Domain an organization can apply for a subdomain. The application criteria and procedure for this varies from TLD to TLD. When an application has been granted, then that organization becomes the "owner" of a domain, and can use it to store information about its own hosts and (possibly) other subdomains. Furthermore, the DNS system is decentralized. This means that there is no central database which holds all the information, but organizations all keep their own databases on their own servers. Through special so-called "glue records", these databases all point to each other, making global lookups possible

9


Domain Names

Domain Names

Each node in the tree is labelled with a simple name (without dots)

The name may be up to 63 characters

The root domain has a null (zero length) name

The full domain name of any node is the sequence of names from the node to the root separated by dots.

NOTE:DNS requires that sibling nodes - nodes that are children of the same parent - havedifferent labels. This restriction guarantees that a domain name uniquely identifies asingle node in the tree.

10


DNS Naming Standards

DNS Naming Standards

Limited subset of ACSII character set A-Z a-z 0-9

Hyphen (-)

Underscore (_) is reserved character

DNS naming standards allow a limited subset of the ASCII character set for DNS.RFC 1123 specifies the characters A-Z, a-z, 0-9 and the hyphen (-) as valid for DNSnames. The underscore (_) character is reserved for special purposes.

Recent RFCs allow the use of some characters that were traditionally restricted maybe used, but use of such characters may cause conflicts between different versions ofDNS.

11


Reading Domain Names

Reading Domain Names

E.g. www.hp.com.

com

.

hp

www

12


Domains

Domains

A domain is a subtree of the domain name space

The name of a domain is the name of the nodeat the very top of the domain

A domain can contain other domains ( sub domains )

Domains also have a level in the name space, e.g. top-level domain

Besides being referred to in relative terms, as subdomains of other domains, domainsare often referred to by level. These terms simply refer to a domain's position in thedomain name space:

• A top-level domain is a child of the root.• A first-level domain is a child of the root (a top-level domain).• A second-level domain is a child of a first-level domain, and so on.

13


Domains

org ukcom

.

orgco gov

Managed by Domain Authority

Managed by HP

HP

WWW

The visual shows an example of a possible DNS structure. The root domain is on top,with the gTLDs and the ccTLDs right below it. There is one subdomain, hp.com.Furthermore, a hosts is shown, www.hp.com.

Note that when we are talking about Fully Qualified Domain Names, the final dotshould be included. So the FQDN of www is “www.hp.com."and not “www.hp.com". This becomes important later on.

14


Some Top Level Domains

Some Top Level Domains

com – commercial companies

edu – educational institutions

net – networking organisations

org – organisation ( often non -profit )

uk – Country code domain for United Kingdom

There are two types of top level domain;• Generic Top Level Domains• Country Code Top Level Domains

Originally all top level domains were “Generic” and represented organisation types.To accommodate the internationalization of the Internet, the implementers of theInternet name space compromised. Instead of insisting that all top-level domainsdescribe organizational affiliation, they decided to allow geographical designations,too. New top-level domains were reserved (but not necessarily created) to correspondto individual countries. Their domain names followed an existing internationalstandard called ISO 3166.[*] ISO 3166 establishes official, two-letter abbreviationsfor every country in the world.

[*] Except for Great Britain. According to ISO 3166 and Internet tradition, GreatBritain's top-level domain name should be gb. Instead, most organizations in GreatBritain and Northern Ireland (i.e., the United Kingdom) use the top-level domainname uk.

15


Delegation

Delegation

Responsibility for administering a particular domain may be delegated to an organisation or individual.

The organisation may also delegate any sub domains with the domain they are responsible for

E.g. - ICANN has delegated responsibility for managing the

.uk domain to Nominet UK- Nominet operates some .uk sub-domains like .co.uk,

but delegates others like police.uk The part of a domain that is the responsibility of a

single organisation is a zone or zone of authority

Delegating domains works a lot like delegating tasks at work. A manager may breakup a large project into smaller tasks and delegate responsibility for each of these tasksto different employees.Likewise, an organization administering a domain can divide it into subdomains. Eachof those subdomains can be delegated to other organizations. This means that anorganization becomes responsible for maintaining all the data in that subdomain. Itcan freely change the data and even divide its subdomain up into more subdomainsand delegate those. The parent domain contains only pointers to sources of thesubdomain's data so that it can refer queriers there.

16


Name Servers and Zones

Name Servers and Zones

Name Servers Provides information about domain names both from

its own knowledge of zones and by querying other DNS servers

May store information about one or more zones

Zones Normally have several servers Zone information is replicated between servers

Name servers generally have complete information about some part of the domainname space, called a zone, which they load from a file or from another name server.The name server is then said to have authority for that zone. Name servers can beauthoritative for multiple zones, too.

The difference between a zone and a domain is important, but subtle. All top-leveldomains, and many domains at the second level and lower, like hp.com, are brokeninto smaller, more manageable units by delegation. These units are called zones.

The com zone, which would contain mostly delegation information to subdomains ofcom.

17


Types of Name Server

Types of Name Server

Root – Authoritative server for the root zone

Primary – source of updates for a particular zone- Also called “Master”

Secondary – retrieve their zone data from the primary server ( a zone transfer )- Also called “Slave”

Cache-Only – does not have zone records

The DNS specs define two types of name servers: primary masters and secondary masters.

A primary master name server for a zone reads the data for the zone from a file on its host.

A secondary master name server for a zone gets the zone data from another name server that is authoritative forthe zone, called its master server. Quite often, the master server is the zone's primary master, but that's notrequired: a secondary master can load zone data from another secondary. When a secondary starts up, it contactsits master name server and, if necessary, pulls the zone data over. This is referred to as a zone transfer. Nowadays,the preferred term for a secondary master name server is a slave, though many people (and much software,including Microsoft's DNS Manager) still call them secondaries.

Both the primary master and slave name servers for a zone are authoritative for that zone. Despite the somewhatdisparaging name, slaves aren't second-class name servers. DNS provides these two types of name servers to makeadministration easier. Once you've created the data for your zone and set up a primary master name server, youdon't need to fool with copying that data from host to host to create new name servers for the zone. You simply setup slave name servers that load their data from the primary master for the zone. Once they're set up, the slaves willtransfer new zone data when necessary.

Slave name servers are important because it's a good idea to set up more than one name server for any given zone.You'll want more than one for redundancy, to spread the load around, and to make sure that all the hosts in thezone have a name server close by. Using slave name servers makes this administratively workable.

Calling a particular name server a primary master name server or a slave name server is a little imprecise, though.We mentioned earlier that a name server can be authoritative for more than one zone. Similarly, a name server canbe a primary master for one zone and a slave for another. Most name servers, however, are either primary for mostof the zones they load or slave for most of the zones they load. So if we call a particular name server a primary or aslave, we mean that it's the primary master or a slave for most of the zones it loads.

18


Data files

Data files

Also called Zone Files

Contain resource records that describe the zone

May contain Directives for Server software

The files from which primary master name servers load their zone data are called,zone data files or just data files. We often refer to them as db files, short for databasefiles.

Slave name servers can also load their zone data from data files. Slaves are usuallyconfigured to back up the zone data they transfer from a master name server to datafiles. If the slave is later killed and restarted, it will read the backup data files first,then check to see whether the data are current. This both obviates the need to transferthe zone data if it hasn't changed and provides a source of the data if the master isdown.

The data files contain resource records that describe the zone. The resource recordsdescribe all the hosts in the zone and mark any delegation of subdomains. The datafiles may also contain special directives such as include the contents of other data filesin a data file.

19


Zone transfers

Zone transfers

Primary Server

Secondary Server Secondary Server Secondary Server

UPDATE

Zone Transfers

Administrator

A zone transfer might occur during any of the following scenarios:• When the refresh interval expires for the zone • When a secondary server is notified of zone changes by its master server • When the DNS Server service is started at a secondary server for the zone • When the DNS console is used at a secondary server for the zone to manually

initiate a transfer from its master server Zone transfers are always initiated at the secondary server for a zone and sent to theirconfigured master servers which act as their source for the zone. Master servers can beany other DNS server that loads the zone, such as either the primary server for thezone or another secondary server. When the master server receives the request for thezone, it can reply with either a partial or full transfer of the zone to the secondaryserver.

20


Resolvers

Resolvers

The Clients that access name servers Querying a name server Interpreting responses Returning information to the programs that

requested it.

In BIND the resolver is just a set of library routines This is known as a Stub resolver

Resolvers are the clients that access name servers. Programs running on a host thatneed information from the domain name space use the resolver. The resolver handles:

• Querying a name server• Interpreting responses (which may be resource records or an error)• Returning the information to the programs that requested it

In BIND, the resolver is just a set of library routines that is linked into programs suchas telnet and ftp. It's not even a separate process. It has the smarts to put together aquery, to send it and wait for an answer, and to resend the query if it isn't answered,but that's about all. Most of the burden of finding an answer to the query is placed onthe name server. The DNS specs call this kind of resolver a stub resolver.Other implementations of DNS have had smarter resolvers, which can do moresophisticated things such as build up a cache of information already retrieved fromname servers.[

21


Resolution

Resolution

The name server can; Return zone information for which they are

authoritative Search the domain name space Cache recent queries

Name servers are adept at retrieving data from the domain name space.Not only can they give you data about zones for which they're authoritative, they canalso search through the domain name space to find data for which they're notauthoritative.

This process is called name resolution or simply resolution.

Because the name space is structured as an inverted tree, a name server needs only onepiece of information to find its way to any point in the tree: the domain names andaddresses of the root name servers. A name server can issue a query to a root nameserver for any name in the domain name space, and the root name server will start thename server on its way.

22


DNS Query types

DNS Query types

Recursive Query Server makes queries until an answer is found

Interative Query Server answers with authoritative answer, or a

referral

a resolver sends a recursive query to a name server for information about a particulardomain name. The queried name server is then obliged to respond with the requesteddata or with an error stating that data of the requested type don't exist or that thedomain name specified doesn't exist. The name server can't just refer the querier to adifferent name server, because the query was recursive If the queried name server isn'tauthoritative for the data requested, it will have to query other name servers to find theanswer.

Iterative resolution, on the other hand, doesn't require nearly as much work on the partof the queried name server. In iterative resolution, a name server simply gives the bestanswer it already knows back to the querier. No additional querying is required. Thequeried name server consults its local data (including its cache), looking for the datarequested. If it doesn't find the data there, it makes its best attempt to give the querierdata that will help it continue the resolution process. Usually these are the domainnames and addresses of the closest known name servers.

23


Searching the Domain Name Space

Searching the Domain Name Space

In order to search the domain name space; Contact a root name server

- Note: the server must have a list of root name servers Get an authoritative answer, or a referral Query the referred server Repeat until and authoritative answer is given

Because the name space is structured as an inverted tree, a name server needs only onepiece of information to find its way to any point in the tree: the domain names andaddresses of the root name servers. A name server can issue a query to a root nameserver for any name in the domain name space, and the root name server will start thename server on its way.

24


Query Recursion and Referral

Query Recursion and Referral

Recursion A process used by

DNS to “track down” the answer.

Server will query other servers on behalf of the client,

Server returns final answer to the client when it has:- Resolved

requested address

- Authoritative “No”

ReferralIf a queried DNS Server cannot provide a resolution, it may issue a Referral to the client or server that made the request. This is the address of another DNS server that may be able to resolve the query.

Recursion and ReferralRecursion is a DNS Server function in which a series of several iterative queries are issued by oneDNS Server to other DNS servers, when responding to a Recursive Query issued by a DNS client.

The queried DNS servers return referrals which the querying server follows until it gets a definitiveanswer. Recursion always ends with a server that owns the namespace either giving a positive ornegative reply.

Recursion enables the server to “go to work” on behalf of the client to resolve a query. The DNS Serverperforming recursion “does the work” of querying multiple other DNS servers until it has a suitableanswer for the client. This takes the burden of name resolution off of the client, and places it on thelocal DNS Server.

ReferralThis is a possible answer to an iterative query. If the queried server doesn’t have a positive or negativeanswer to return, it refers the querying server to the closest known DNS server that matches the namebeing queried.

25


Recursive Query

Recursive Query

Client SideThe DNS Client typically issues a Recursive Query to its configured name server.This means, “Don’t return until you have an answer or have failed to find an answer to the query.”

Server SideWhen the Server receives a Recursive Query, unless Recursion is disabled, it “goes to work” for the client, queries other name servers until it resolves client’s query or fails to do so, and responds to client with resolved address or “failure” message.

Recursive query The answer to a recursive request will always be either a positive or negative response. Recursivequeries can be initiated by a DNS client or by a DNS server configured for forwarders.

A recursive query puts the burden of delivering a final answer (and recursion if necessary) on thequeried server.

26


Iterative Query

Iterative Query

Asks for “Final Answer” or “Closer Server”:

Typically used between servers during resolution of client requests: Lower-level server

will issue Iterative queries to top -level servers

Reduces workload on top-level servers

Iterative Query Response Requested address Authoritative “No” A Referral, if server recognizes domain

name being queried and knows a server address for that domain.

Iterative queryIterative queries are generally only used between DNS servers to find answers on behalf of a client.Iterative queries keep the burden of finding a final answer on the querying client (or DNS server) viarecursion if necessary. Answers to iterative queries can be either a positive or negative answer or areferral to another server.

27


Recursion and Iteration

Recursion and Iteration

Name Server

Rootname server

ukname server

co.ukname server

opus -novum .co.ukname server

Resolver

Query

Query for www .opus-novum.co.uk

Query for www .opus -novum.co.uk

Query for www . opus-novum .co.uk

Query for www .opus-novum .co.uk

Answer

Referral to uk server

Referral to co.uk servers

Referral to opus-novum.co.uk servers

Address of www .opus-novum .co.uk

Recursive Query

Iterative Query

28


Caching

Caching

DNS servers use caching to speed up the resolution process

Cache data has to expire Otherwise we would never get updates

The administrator of a zone sets a TTL ( time to live ) for the zone data Short TTL: ensures consistent data, but more queries

to your zone servers Long TTL: less queries to handle, but data will be

inconsistent for longer

A name server processing a recursive query may have to send out quite a few queries to find an answer.However, it discovers a lot of information about the domain name space as it does so. Each time it'sreferred to another list of name servers, it learns that those name servers are authoritative for somezone, and it learns the addresses of those servers. And, at the end of the resolution process, when itfinally finds the data the original querier sought, it can store that data for future reference, too.

some name servers even implement negative caching: if an authoritative name server responds to aquery with an answer that says the domain name or data type in the query doesn't exist, the local nameserver will temporarily cache that information, too.

Name servers cache all of this data to help speed up successive queries. The next time a resolverqueries the name server for data about a domain name the name server knows something about, theprocess is shortened quite a bit. The name server may have cached the answer, positive or negative, inwhich case it simply returns the answer to the resolver. Even if it doesn't have the answer cached, it mayhave learned the identities of the name servers that are authoritative for the zone the domain name is inand be able to query them directly.

Name servers can't cache data forever, of course. If they did, changes to that data on the authoritativename servers would never reach the rest of the network. Remote name servers would just continue touse cached data. Consequently, the administrator of the zone that contains the data decides on a time tolive, or TTL, for the data. The time to live is the amount of time that any name server is allowed tocache the data. After the time to live expires, the name server must discard the cached data and get newdata from the authoritative name servers. This also applies to negatively cached data; a name servermust time out a negative answer after a period, too, in case new data has been added on theauthoritative name servers. However, the time to live for negatively cached data isn't tunable by thedomain administrator; it's hardcoded to ten minutes.

29


Module 3: Setting up a Domain

Module 3: Setting up a Domain

30


Registering Your Domain

Registering Your Domain

In order for your domain to work in the internet domain name space, it must have authority delegated to it from the parent domain.

This means registering your domain

Different domains have different registration policies

Your IP addresses will also have to be registered to you.

The basic information that your parent needs is the names and addresses of yourdomain name servers. If you're not connected to the Internet, give them the addressesof the Internet hosts that will act as your name servers. Some parent domains alsorequire that you already have operational name servers for your domain. (TheInterNIC doesn't, but they ask for an estimate of when the domain will be fullyoperational.)

If the InterNIC runs your parent domain, they'll also ask for some information aboutyour organization, and for an administrative contact and a technical contact for yourdomain (which can be the same person). If your contacts aren't already registered inthe InterNIC's whois database, you'll also need to provide information to register themin whois. This includes their names, surface mail addresses, phone numbers, andelectronic mail addresses. If they are already registered in whois, just specify theirInterNIC whois "handle" (a unique alphanumeric ID) in the registration.

If you're directly connected to the Internet, you should also have the in-addr.arpadomains corresponding to your IP networks delegated to you. For example, if yourcompany was allocated the network 192.201.44/24, you should manage the44.201.192.in-addr.arpa domain. This will let you control the IP address-to-namemappings for hosts on your network.

31


Zone Data

Zone Data

Zone data consists of DNS resource records

There are a number of record types SOA NS A PTR CNAME RP …..

Most entries in db files are called DNS resource records. DNS lookups are case-insensitive, so you canenter names in your db files in uppercase, lowercase, or mixed case. The ordering of resource records in the db files is as follows:

SOA record Indicates authority for this zone data

NS record Lists a name server for this zone

Other records Data about hosts in this zone

Some other records:A Name-to-address mappingPTR Address-to-name mappingCNAME Canonical name (for aliases)

32


Resource Record Syntax

Resource Record Syntax

[domain] [TTL] [class] type data

domain – domain name, usually a host name TTL – time to live in seconds Class – address type ( currently only IN fully

supported) Type & data – record type and data, data varies

according to type

33


SOA records

SOA records

Domain [ttl] class SOA source-dname mbox ( serial refresh retry expire minimum )

abc.com. IN SOA ns0.abc.com. hostmaster.abc.com. (2004071500 ; serial is YYYYmmddnn10800 ; refresh (3 hours)3600 ; retry (1 hour)604800 ; expire (1 week)86400 ) ; ttl (1 day)

The first entry in each of the zone files is the SOA (start of authority) resource record.The SOA record indicates that this name server is the best source of information forthe data within this zone. In the example our name server is authoritative for the zoneabc.com because of the SOA record. An SOA record is required in each zone file.There can be one, and only one, SOA record in a db file.

Domain: is the domain name for the domain which corresponds to thiszone of authorityTtl: is the time to live for the SOA record itselfClass: is the record class, in practice IN;Source-dname: is the domain name of the name server which is the source ofdata for this zone ( i.e. primary server )Mbox: is the mail address ( in dot notation ) of a person responsible for thezoneSerial: is a serial number, used by secondary servers to check there versions ofdata are up to dateRefresh: refresh period in seconds, how often secondary servers shouldcheck the serialRetry: retry period in seconds, time between retry’s for failed zone transfersExpire: expire period in seconds, how long secondary servers shouldcontinue serving the zone without synchronisingMinimum: the default minimum TTL for resource records where TTL isnot specified

34


NS record

NS record

Specify the names of authoritative servers for a domain

The value of data is the name of the server

abc.com. IN NS ns0.abc.com

The next entries we add to each zone file are NS (name server) resource records. Weadd one NS record for each name server for our zone.

35


A records

A records

Specifies the host IP address for a particular host name

The value in the data field is a valid IP address

www IN A 192.168.2.2

Note: since www does not end in a . It is relative to the current domain

36


MX records

MX records

Specifies a mail-exchanger

The data field is actually two fields Preference and domain name of the host that accepts

mail for the domain

abc.com. IN MX 10 mail.abc.com.IN MX 100 mail.def.net.

The value of the preference sub-field should be between 0 and 32767; the lower thenumber the higher the preference.

37


CNAME Records

CNAME Records

Specify aliases for domains

The data field a domain

www IN CNAME bigserver

defines www as an alias for bigserver

CNAME records must be used with care ( more later )

38


PTR Records

PTR Records

Specify the domain name that an IP address should resolve to, for reverse lookups.

1.0.0.127.in -addr.arpa. IN PTR localhost.abc.com

This is the PTR record for the loopback address 127.0.0.1 Note the domain is a sub-domain of in-addr.arpa Note the order of numbers in the domain field are opposite to those in

the IP address.

PTR ( pointer ) records give address-to-name mappings. There is one record, and onlyone record for each host interface on this network.

39


BIND Configuration Files

BIND Configuration Files

/etc/named.conf Sections

- options- Zone

Zone files ( default location / var/named ) Named.cache needed for internet servers

The following is an example BIND version 8 /etc/named.conf file:

// BIND configuration file

options {directory "/usr/local/named"; // Place additional options here.

};

zone “abc.com" in {type master; file “abc.com.zone";

};

zone "249.249.192.in-addr.arpa" in {type master;file "db.192.249.249";

};

zone "253.253.192.in-addr.arpa" in {type master; file "db.192.253.253";

};

zone "0.0.127.in-addr.arpa" in {type master; file "db.127.0.0";

};

zone "." in { type hint; file "db.cache";

};

40


Configure a Primary Server

Configure a Primary Server

Create config in /etc/named.conf

Create a working Directory /var/named

Get up to date named.cache file

Create Zone Files

Start named

Here is an example zone file abc.com.zone:

abc.com. IN SOA ns0.abc.com. hostmaster.abc.com. (2004051701 ;Serial 10800 ;Refresh after 3 hours 3600 ;Retry after 1 hour 604800 ;Expire after 1 week 86400 ) ;Minimum TTL of 1 day

; ; Name servers ;

abc.com. IN NS ns0.abc.com. abc.com. IN NS ns1.abc.com.

; ; Addresses for the canonical names ;

localhost.abc.com. IN A 127.0.0.1 ns0.abc.com. IN A 192.249.249.2 ns1.abc.com. IN A 192.249.249.3 mail.abc.com. IN A 192.249.249.4 yellow.abc.com. IN A 192.253.253.2

IN A 192.253.253.3

; ; Aliases ;

www.abc.com. IN CNAME yellow.abc.com. ftp.abc.com. IN CNAME mail.abc.com.

;; MX records ;

abc.com. IN MX 10 mail.abc.com.IN MX 20 mail.def.net.

41


Exercise

Exercise

42


Growing Domains

Growing Domains

43


How many Name servers?

How many Name servers?

A minimum of two

At least one on each network or subnet

Run a name server off-site if possible

Two servers are as few as you'll ever want to run. Depending on the size of your network, you may needto run many more than just two servers. It is not uncommon to run from five to seven servers, with oneof them off-site.

How many name servers are enough? You'll have to decide that based on your network.

Here are some guidelines to help out:

• Have at least one name server available directly on each network or subnet you have. Thisremoves routers as a point of failure. Make the most of any multihomed hosts you may have,since they're (by definition) attached to more than one network.

• If you have a file server and some diskless nodes, run a name server on the file server to servethis group of machines.

• Run name servers near, but not necessarily on, large time-sharing machines. The users andtheir processes probably generate a lot of queries, and, as administrators, you will work harderto keep a multiuser host up. But balance their needs against the risk of running a name server -a security-critical server - on a system that lots of people have access to.

• Run one name server off-site. This makes your data available when your network isn't. Youmight argue that it's useless to look up an address when you can't reach the host. Then again,the off-site name server may be available if your network is reachable, but your other nameservers are down. If you have a close relationship with an organization on the Internet - sayanother university or a business partner - they may consent to run a slave for you.

44


Adding more Name Servers

Adding more Name Servers

Easiest Route is to add Secondary Servers

Too Many Secondaries can overload the Primary

Consider Cache-Only Servers

Multiple Primaries must be synchronised manually

If a server is to service requests from outside your domain, it must be registered with the parent domain.

When you get around to setting up more and more name servers, a question may strikeyou - must I register all of my primary and slave name servers with my parent zone?No, only those servers you want to make available to servers outside of your zoneneed to be registered with the parent.

Caching-only name servers, must never be registered. A caching-only name serverrarely has complete information for any given zone, just the bits and pieces of it that ithas looked up recently. If a parent name server were mistakenly to refer a foreignname server to a caching-only name server, the foreign name server would send thecaching-only name server a non-recursive query. The caching-only name server mighthave the data cached, but then again, it might not. If it didn't have the data, it wouldrefer the querier to the best name servers it knew (those closest to the domain in thequery) - which might include the caching-only name server itself! The poor foreignname server might never get an answer. This kind of mis-configuration - actually,delegating a zone to any name server not authoritative for that zone - is known aslame delegation.

45


Adding a Secondary Name Server

Adding a Secondary Name Server

Configure /etc/ named.conf

Zone “abc.com ” in {

type slave;

file “abc.db”;

masters {

192.168.2.3;

};

};

zone records will be fetched from the master server

This the entry needed in the BIND configuration file /etc/named.conf to add asecondary zone for abc.com, using a data file “abc.db”, and zone updates are to comefrom the name server at IP address 192.168.2.3

There is no need to create the zone data file, as this will be created by BIND onstartup.

46


Adding a Cache-Only Name Server

Adding a Cache-Only Name Server

No zone records required But should still have loopback zone files

Still requires named.cache

Should still serve the local domain

The “out of the box” of BIND is as a cache-only name server.

The following example is a Cache-only server, note the zone entries for root (.) cache, localhost, and 0.0.127.in-addr.arpa.

options {directory "/var/named";/* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. */// query-source address * port 53;

};controls {

inet 127.0.0.1 allow { localhost; } keys { rndckey; };};

zone "." IN {type hint;file "named.ca";

};

zone "localhost" IN {type master;file "localhost.zone";allow-update { none; };

};

zone "0.0.127.in-addr.arpa" IN {type master;file "named.local";allow-update { none; };

};

include "/etc/rndc.key";

47


Parenting

Parenting

48


Why become a parent?

Why become a parent?

To Delegate or Distribute Management

Your Domain is getting too large

Too distinguish hosts organisationally

Once your domain reaches a certain size, or you decide you need to distribute themanagement of parts of your domain to various entities within your organization,you'll want to divide the domain into subdomains. These subdomains will be thechildren of your current domain on the domain tree; your domain will be the parent. Ifyou delegate responsibility for your subdomains to another organization, eachbecomes its own zone, separate from its parent zone.

49


Sub-domains

Sub-domains

You can create sub-domains without delegation

in the abc.com zone:

www.uk IN A 192.168.2.4

would define a host www.uk.abc.com

Note: there is no need for a SOA for uk.abc.com

50


Delegating a Sub-domain

Delegating a Sub-domain

In the Parent zone, we list the name servers for the child zone.

In the abc.com zone:

uk 86400 IN NS ns0.uk.abc.com.

IN NS ns1.uk.abc.com.

Q. how can a host outside uk.abc.com find these name servers

51


Glue

Glue

The parent zone must also provide the addresses of the delegated sub-domain name servers if they are within the sub-domain.

These records are called Glue Records

Glue records are not necessary when the name servers are outside the domain

uk.abc.com. IN NS ns0.other.net.

52


Module 4: DNS Tools & Troubleshooting

Module 4: DNS Tools & Troubleshooting

53


Host

Host

Simple tool for DNS lookups$ host blue.abc.comblue.abc.com has address 192.168.2.3

options: -t to look for a particular type of information ( e.g –t MX ) -v verbose mode -a detailed output -l lists all hosts in a domain

NAMEhost - query nameserver about domain names and zones SYNOPSIS host [-v] [-a] [-t querytype] [options] name [server] host [-v] [-a] [-t querytype] [options] -l zone [server] host [-v] [options] -H [-D] [-E] [-G] zonehost [-v] [options] -C zonehost [-v] [options] -A hosthost [options] -x [name ...]host [options] -X server [name ...]OPTION SYNTAXBesides the traditional short options (one letter with single dash, and an optional value as separate argument), there are now alsolong options in the format --keyword[=value]. Many (but not all) short options have a long equivalent. There are several longoptions without a short equivalent. The long options are not yet documented in this manual page, but a summary of the existinglong options, and the mapping to their short alternative, is available via the command host --help. DESCRIPTION host looks for information about Internet hosts and domain names. It gets this information from a set of interconnected serversthat are spread across the world. The information is stored in the form of "resource records" belonging to hierarchicallyorganized "zones". By default, the program simply converts between host names and Internet addresses. However, with the -t, -a and -v options, itcan be used to find all of the information about domain names that is maintained by the domain nameserver system. Theinformation printed consists of various fields of the associated resource records that were retrieved. The arguments can be either host names (domain names) or numeric Internet addresses. A numeric Internet address consists of four decimal numbers separated by dots, e.g. 192.16.199.1, representing the four bytes ofthe 32-bit address. The default action is to look up the associated host name. A host name or domain name consists of component names (labels) separated by dots, e.g. nikhefh.nikhef.nl The default action is to look up all of its Internet addresses. For single names without a trailing dot, the local domain is automatically tacked on the end. Thus a user in domain "nikhef.nl"can say "host nikhapo", and it will actually look up "nikhapo.nikhef.nl". In all other cases, the name is tried unchanged. Singlenames with trailing dot are considered top-level domain specifications, e.g. "nl." Note that the usual lookup convention for any name that does not end with a trailing dot is to try first with the local domainappended, and possibly other search domains. (As of BIND 4.9, names that have embedded dots but no trailing dot are first tried``as is'' before appending search domains) This convention is not used by this program. The actual suffix to tack on the end is usually the local domain as specified in the /etc/resolv.conf file, but this can beoverridden. See below for a description of how to customize the host name lookup. ARGUMENTSThe first argument is normally the host name (domain name) for which you want to look up the requested information. If thefirst argument is an Internet address, a query is done on the special "reverse mapping" domain to look up its associated hostname. If the -l option is given, the first argument is a domain zone name for which a complete listing is given. The program enters aspecial zone listing mode which has several variants (see below).

54


The second argument is optional. It allows you to specify a particular server to query. If you don't specify this argument, defaultservers are used, as defined by the /etc/resolv.conf file. EXTENDED SYNTAXIf the -x option is given, it extends the syntax in the sense that multiple arguments are allowed on the command line. An optionalexplicit server must now be specified using the -X option as it cannot be given as an ordinary argument any more. The -X optionimplies -x. The extended syntax allows no arguments at all, in which case the arguments will be read from standard input. This can be apipe, redirection from a file, or an interactive terminal. Note that these arguments are the names to be queried, and not commandoptions. Everything that appears after a '#' or ';' on an input line will be skipped. Multiple arguments per line are allowed. OPTIONSThere are a number of options that can be used before the specified arguments. Some of these options are meaningful only to thepeople who maintain the domain database zones. The first options are the regularly used ones. -v causes printout to be in a "verbose" format. All resource record fields are printed. Without this option, the ttl and class fields arenot shown. Also the contents of the "additional information" and "authority information" sections in the answer from thenameserver are printed, if present. Normally these sections are not shown. In addition, the verbose option prints extrainformation about the various actions that are taken by the program. Note that -vv is "very verbose". This generates a lot ofoutput. -t querytype allows you to specify a particular type of resource record information to be looked up. Supported types are listed below. Thewildcard may be written as either ANY or *. Types may be given in upper or lower case. The default is type A for regularlookups, and A, NS, and PTR for zone listings. -a is equivalent to -t ANY. Note that this gives you "anything available" (currently cached) and not "all defined data" if a non-authoritative server is queried. SPECIAL MODESThe following options put the program in a special mode. -l zone generates the listing of an entire zone. E.g. the command host -l nikhef.nl

will give a listing of all hosts in the "nikhef.nl" zone. The -t option is used to filter what information is extracted, as you wouldexpect. The default is address information from A records, supplemented with data from PTR and NS records. The command host -Z -a -l nikhef.nl

will give a complete download of the zone data for "nikhef.nl", in the official master file format. -H can be specified instead of the -l option. It will print the count of the unique hostnames (names with an A record) encounteredwithin the zone. It will not count pseudo names like "localhost", nor addresses associated with the zone name itself. Neither arecounted the "glue records" that are necessary to define nameservers for the zone and its delegated zones. By default, this option will not print any resource records. Combined with the -S option, it will give a complete statistics survey of the zone. The host count may be affected by duplicate hosts (see below). To compute the most realistic value, subtract the duplicate hostcount from the total host count. -G implies -H, but lists the names of gateway hosts. These are the hosts that have more than one address. Gateway hosts are notchecked for duplicate addresses. -E implies -H, but lists the names of extrazone hosts. An extrazone host in zone "foo.bar" is of the form "host.xxx.foo.bar" where"xxx.foo.bar" is not defined as a delegated zone with an NS record. This may be intentional, but also may be an error. -D implies -H, but lists the names of duplicate hosts. These are hosts with only one address, which is known to have been definedalso for another host with a different name, possibly even in a different zone. This may be intentional, but also may be an error. -C can be specified instead of the -l option. It causes the SOA records for the specified zone to be compared as found at each of theauthoritative nameservers for the zone (as listed in the NS records). Nameserver recursion is turned off, and it will be checkedwhether the answers are really authoritative. If a server cannot provide an authoritative SOA record, a lame delegation of thezone to that server is reported. Discrepancies between the records are reported. Various sanity checks are performed. -A enters a special address check mode. If the first argument is a host name, its addresses will be retrieved, and for each of the addresses it will be checked whether theymap back to the given host. If the first argument is a dotted quad Internet address, its name will be retrieved, and it will be checked whether the givenaddress is listed among the known addresses belonging to that host. If the -A flag is specified along with any zone listing option, a reverse lookup of the address in each encountered A record isperformed, and it is checked whether it is registered and maps back to the name of the A record. This applies to forward zones.For reverse in-addr.arpa zones, it is checked whether the target in PTR records maps to a canonical host name. LISTING OPTIONSThe following options apply only to the special zone listing modes. -L level Recursively generate zone listings up to this level deep. Level 1 traverses the parent zone and all of its delegated zones. Eachadditional level descends into another layer of delegated zones. -S

55


prints statistics about the various types of resource records found during zone listings, the number of various host classifications,the number of delegated zones, and some total statistics after recursive listings. -p causes only the primary nameserver of a zone to be contacted for zone transfers during zone listings. Normally, zone transfersare obtained from any one of the authoritative servers that responds. The primary nameserver is obtained from the SOA record ofthe zone. If a specific server is given on the command line, this option will query that server for the desired nameservers of thezone. This can be used for testing purposes in case the zone has not been registered yet. -P prefserver gives priority for zone transfers to preferred servers residing in domains given by the comma-separated list prefserver. The moredomain component labels match, the higher the priority. If this option is not present, priority is given to servers within your owndomain or parent domains. The order in which NS records are issued may be unfavorable if they are subject to BIND 4.9 round-robin reshuffling. -N skipzone prohibits zone transfers for the zones given by the comma-separated list skipzone. This may be used during recursive zonelistings when certain zones are known to contain bogus information which should be excluded from further processing. COMMON OPTIONSThe following options can be used in both normal mode and domain listing mode. -d turns on debugging. Nameserver transactions are shown in detail. Note that -dd prints even more debugging output. -f filename writes the resource record output to the given logfile as well as to standard output. -F filename same as -f, but exchange the role of stdout and logfile. All stdout output (including verbose and debug printout) goes to thelogfile, and stdout gets only the extra resource record output (so that it can be used in pipes). -I chars suppresses warning messages about illegal domain names containing invalid characters, by specifying such characters in thestring chars. The underscore is a good candidate. -i constructs a query for the "reverse mapping" in-addr.arpa domain in case a numeric (dotted quad) address was specified.Useful primarily for zone listing mode, since for numeric regular lookups such query is done anyway (but with -i you see theactual PTR resource record outcome). -n constructs a query for the "reverse mapping" nsap.int domain in case an nsap address was specified. This can be used to look upthe names associated with nsap addresses, or to list reverse nsap zones. An nsap address consists of an even number ofhexadecimal digits, with a maximum of 40, optionally separated by interspersed dots. An optional prefix "0x" is skipped. If thisoption is used, all reverse nsap.int names are by default printed in forward notation, only to improve readability. The -Z optionforces the output to be in the official zone file format. -q be quiet and suppress various warning messages (the ones preceded by " !!! "). Serious error messages (preceded by " *** ") arenever suppressed. -Q selects quick mode, in which several potentially time consuming special checks are not carried out, and statistics gathering isskipped if not explicitly selected. -T prints the time-to-live values during non-verbose output. By default the ttl is shown only in verbose mode. -Z prints the selected resource record output in full zone file format, including trailing dot in domain names, plus ttl value and classname. OTHER OPTIONSThe following options are used only in special circumstances. -c class allows you to specify a particular resource record class. Supported are IN, INTERNET, CS, CSNET, CH, CHAOS, HS,HESIOD, and the wildcard ANY or *. The default class is IN. -e excludes information about names that are not residing within the given zone during zone listings, such as some glue records.For regular queries, it suppresses the printing of the "additional information" and "authority information" sections in the answerfrom the nameserver. -m is equivalent to -t MAILB, which filters any of types MB, MR, MG, or MINFO. In addition, MR and MG records will berecursively expanded into MB records. -o suppresses the resource record output to stdout. Can be used in combination with the -f option to separate the resource recordoutput from verbose and debug comments and error messages. -r causes nameserver recursion to be turned off in the request. This means that the contacted nameserver will return only data it hascurrently cached in its own database. It will not ask other servers to retrieve the information. Note that nameserver recursion isalways turned off when checking SOA records using the -C option. Authoritative servers should have all relevant informationavailable. -R Normally querynames are assumed to be fully qualified and are tried as such, unless it is a single name, which is always tried(and only once) in the default domain. This option simulates the default BIND behavior by qualifying any specified name byrepeatedly adding search domains, with the exception that the search terminates immediately if the name exists but does nothave the desired querytype. The default search domains are constructed from the default domain by repeatedly peeling off thefirst component, until a final domain with only one dot remains. -B

56


Normally the search through search domains enabled by the -R option is stopped whenever the specified name exists but doesnot have the desired type. This option simulates the default BIND behavior to continue the search. -s seconds specifies a new nameserver timeout value. The program will wait for a nameserver reply in two attempts of this number ofseconds. Normally it does 2 attempts of 5 seconds per nameserver address tried. The actual timeout algorithm is slightly morecomplicated, extending the timeout value dynamically depending on the number of tries and the number of nameserveraddresses. -u forces the use of virtual circuits (TCP) instead of datagrams (UDP) when issuing nameserver queries. This is slower, butpotentially more reliable. Note that a virtual circuit is automatically chosen in case a query exceeds the maximum datagrampacket size. Also if a datagram answer turns out to be truncated, the query is retried using virtual circuit. A zone transfer isalways done via a virtual circuit. -w causes the program to retry forever if the response to a regular query times out. Normally it will time out after some 10 secondsper nameserver address tried. -V prints just the version number of the host program, and exits.

57


Host Examples

Host Examples

$ host –t MX abc.com

Abc.com mail is handled by 100 mail.def.net.

Abc.com mail is handled by 10 mail.abc.com.

58


Host Examples

Host Examples

$ host –a www.abc.comTrying "www.abc.com "

;; ->>HEADER<<- opcode : QUERY, status: NOERROR, id: 28147

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:

;www.abc.com. IN ANY

;; ANSWER SECTION:

www.abc.com . 3600 IN A 192.168.2.4

;; AUTHORITY SECTION:

abc.com. 3600 IN NS ns0.abc.com.


;; ADDITIONAL SECTION:

ns0.abc.com. 109505 IN A 192.168.2.2

Received 142 bytes from 192.168.0.4#53 in 1 ms

59


Nslookup

Nslookup

Interactive and non-interactive DNS query tool Now deprecated on linux

Interactive mode is entered in the following cases: a) when no arguments are given (the default name server will

be used), b) when the first argument is a hyphen ( -) and the second

argument is the host name or Internet address of a name server

NSLOOKUP(8) NSLOOKUP(8)NAME nslookup - query Internet name servers interactivelySYNOPSIS nslookup [ -option ... ] [ host-to-find | - [ server ]]DESCRIPTION Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non- interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non- interactive mode is used to print just the name and requested information for a host or domain.ARGUMENTS Interactive mode is entered in the following cases: a) when no arguments are given (the default name server will be used), b) when the first argument is a hyphen (-) and the second argument is the host name or Internet address of a name server. Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. The options listed under the ``set'' command below can be specified in the .nslookuprc file in the user's home directory if they are listed one per line. Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: nslookup -query=hinfo -timeout=10INTERACTIVE COMMANDS Commands may be interrupted at any time by typing a control-C. To exit, type a control-D (EOF) or type exit. The command line length must be less than 256 characters. To treat a built-in command as a host name, precede it with an escape character (\). N.B. an unrecognized command will be interpreted as a host name. host [server] Look up information for host using the current default server or using server if specified. If host is an Internet address and the query type is A

60


or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the default domain name is appended to the name. (This behavior depends on the state of the set options domain, srchlist, defname, and search). To look up a host not in the current domain, append a period to the name. server domain lserver domain Change the default server to domain. Lserver uses the initial server to look up information about domain while server uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. root Changes the default server to the server for the root of the domain name space. Currently, the host ns.internic.net is used. (This command is a synonym for lserver ns.internic.net.) The name of the root server can be changed with the set root command. finger [name] [> filename] finger [name] [>> filename] Connects with the finger server on the current host. The current host is defined when a previous lookup for a host was successful and returned address information (see the set querytype=A command). Name is optional. > and >> can be used to redirect output in the usual manner. ls [option] domain [> filename] ls [option] domain [>> filename] List the information available for domain, optionally creating or appending to filename. The default output contains host names and their Inter- net addresses. Option can be one of the following: -t querytype lists all records of the specified type (see querytype below). -a lists aliases of hosts in the domain. synonym for -t CNAME. -d lists all records for the domain. synonym for -t ANY. -h lists CPU and operating system information for the domain. synonym for -t HINFO. -s lists well-known services of hosts in the domain. synonym for -t WKS. When output is directed to a file, hash marks are printed for every 50 records received from the server. view filename Sorts and lists the output of previous ls command(s) with more(1). help ? Prints a brief summary of commands. exit Exits the program. set keyword[=value] This command is used to change state information that affects the lookups. Valid keywords are: all Prints the current values of the frequently- used options to set. Information about the current default server and host is also printed. class=value Change the query class to one of: IN the Internet class. CHAOS the Chaos class. HESIOD the MIT Athena Hesiod class. ANY wildcard (any of the above). The class specifies the protocol group of the information. (Default = IN, abbreviation = cl) [no]debug Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. (Default = nodebug, abbreviation = [no]deb)

61


[no]d2 Turn exhaustive debugging mode on. Essen- tially all fields of every packet are printed. (Default = nod2) domain=name Change the default domain name to name. The default domain name is appended to a lookup request depending on the state of the defname and search options. The domain search list contains the parents of the default domain if it has at least two components in its name. For example, if the default domain is CC.Berkeley.EDU, the search list is CC.Berkeley.EDU and Berkeley.EDU. Use the set srchlist command to specify a different list. Use the set all command to display the list. (Default = value from hostname, /etc/resolv.conf or LOCALDOMAIN, abbreviation = do) srchlist=name1/name2/... Change the default domain name to name1 and the domain search list to name1, name2, etc. A maximum of 6 names separated by slashes (/) can be specified. For example, set srchlist=lcs.MIT.EDU/ai.MIT.EDU/MIT.EDU sets the domain to lcs.MIT.EDU and the search list to the three names. This command overrides the default domain name and search list of the set domain command. Use the set all command to display the list. (Default = value based on hostname, /etc/resolv.conf or LOCALDOMAIN, abbreviation = srchl) [no]defname If set, append the default domain name to a single-component lookup request (i.e., one that does not contain a period). (Default = defname, abbreviation = [no]def) [no]search If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. (Default = search, abbreviation = [no]sea) port=value Change the default TCP/UDP name server port to value. (Default = 53, abbreviation = po) querytype=value type=value Change the type of information query to one of: A the host's Internet address. CNAME the canonical name for an alias. HINFO the host CPU and operating system type. MINFO the mailbox or mail list information. MX the mail exchanger. NS the name server for the named zone. PTR the host name if the query is an Internet address, otherwise the pointer to other information. SOA the domain's ``start-of-authority'' information. TXT the text information. UINFO the user information. WKS the supported well-known services. Other types (ANY, AXFR, MB, MD, MF, NULL) are described in the RFC-1035 document. (Default = A, abbreviations = q, ty) [no]recurse

62


Tell the name server to query other servers if it does not have the information. (Default = recurse, abbreviation = [no]rec) retry=number Set the number of retries to number. When a reply to a request is not received within a certain amount of time (changed with set timeout), the timeout period is doubled and the request is resent. The retry value controls how many times a request is resent before giving up. (Default = 4, abbreviation = ret) root=host Change the name of the root server to host. This affects the root command. (Default = ns.internic.net., abbreviation = ro) timeout=number Change the initial timeout interval for waiting for a reply to number seconds. Each retry doubles the timeout period. (Default = 5 seconds, abbreviation = ti) [no]vc Always use a virtual circuit when sending requests to the server. (Default = novc, abbreviation = [no]v) [no]ignoretc Ignore packet truncation errors. (Default = noignoretc, abbreviation = [no]ig)

63


Non-Interactive Mode

Non-Interactive Mode

$ nslookup www.abc.comServer: ns0.abc.com

Address: 192.168.2.2

Name: www.abc.com

Address: 192.168.2.4

$

64


Interactive Mode

Interactive Mode

$ nslookup

>www.abc.com

Server: ns0.abc.com

Address: 192.168.2.2

Name: www.abc.com

Address: 192.168.2.4

>exit

$

65


Nslookup commands

Nslookup commands

server nameserver Changes the default name server

lserver nameserver Changes the ‘local’ name server to nameserver

ls [-t type] domain-name Retrieves all records by type

set Set an option interactively

help Outputs a summary of commands

66


Dig

Dig

Domain Information Groper A flexible tool for interrogating DNS servers

Dig [@server] name [type]

e.g. $ dig . Ns Will return a list of root name servers

SYNOPSIS dig [@server] [-b address] [-c class] [-f filename] [-k filename]

[-p port#] [-t type] [-x addr] [-y name:key] [name] [type] [class] [queryopt ...]

dig -h dig [global-queryopt ...] [query1] [query2 ...]DESCRIPTION dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administra tors use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig. Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unlike earlier versions, the BIND9 implementation of dig allows multiple lookups to be issued from the command line. Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. When no command line arguments or options are given, will perform an NS query for "." (the root).SIMPLE USAGE A typical invocation of dig looks like:

dig @server name type where: server is the name or IP address of the name server to query. An IPv4

address can be provided in dotted-decimal notation. When the supplied server argument is a hostname, dig resolves that name before querying that name server. If no server argument is pro vided, dig consults /etc/resolv.conf and queries the name servers listed there. The reply from the name server that responds is displayed.

name is the name of the resource record that is to be looked up. type indicates what type of query is required - ANY, A, MX, SIG, etc.

type can be any valid query type. If no type argument is sup plied, dig will perform a lookup for an A record.

OPTIONS The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces. The default query class (IN for internet) is overridden by the -c option. class is any valid class, such as HS for Hesiod records or CH for CHAOS NET records.

67


The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to dig using the command- line interface. If a non-standard port number is to be queried, the -p option is used. port# is the port number that dig will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. The -t option sets the query type to type. It can be any valid query type which is supported in BIND9. The default query type "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial num ber in the zone's SOA record was N. Reverse lookups - mapping addresses to names - are simplified by the -x option. addr is an IPv4 address in dotted-decimal notation, or a colon- delimited IPv6 address. When this option is used, there is no need to provide the name, class and type arguments. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using the IP6.ARPA domain and binary labels as defined in RFC2874. To use the older RFC1886 method using the IP6.INT domain and "nibble" labels, specify the -n (nibble) option. To sign the DNS queries sent by dig and their responses using transaction signatures (TSIG), specify a TSIG key file using the -k option. You can also specify the TSIG key itself on the command line using the -y option; name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen(8). Caution should be taken when using the -y option on multi-user systems as the key can be visible in the output from ps(1) or in the shell's history file. When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by pro viding appropriate key and server statements in named.conf.QUERY OPTIONS dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strate gies. Each query option is identified by a keyword preceded by a plus sign: "+". Some keywords set or reset an option. These may be preceded by the string "no" to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +keyword=value. The query options are: +[no]tcp Use [do not use] TCP when querying name servers. The

default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.

+[no]vc Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit".

+[no]ignore Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.

+domain=somename Set the default domain to somename, as if specified in a domain directive in /etc/resolv.conf.

+[no]search Use [do not use] the search list in resolv.conf (if any). The search list is not used by default.

+[no]defname Use [do not use] the default domain name, if any, in resolv.conf The default is not to append that name to name when making queries.

+[no]aaonly This option does nothing. It is provided for compati bilty with old versions of dig where it set an unimple mented resolver flag.

+[no]adflag Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.

+[no]cdflag Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.

+[no]recursive Toggle the setting of the RD (recursion desired) bit in

68


the query. This bit is set by default, which means dig. normally sends recursive queries. Recursion is automat ically disabled when the +nssearch or +trace query options are used.

+[no]nssearch When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.

+[no]trace Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is dis abled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.

+[no]cmd toggles the printing of the initial comment in the out put identifying the version of dig and the query options that have been applied. This comment is printed by default.

+[no]short Provide a terse answer. The default is to print the answer in a verbose form.

+[no]identify Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port num ber of the server that provided the answer.

+[no]comments Toggle the display of comment lines in the output. The default is to print comments.

+[no]stats This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statis tics.

+[no]qr Print [do not print] the query as it is sent. before sending the query. By default, the query is not printed.

+[no]question Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.

+[no]answer Display [do not display] the answer section of a reply. The default is to display it.

+[no]authority Display [do not display] the authority section of a reply. The default is to display it.

+[no]additional Display [do not display] the additional section of a reply. The default is to display it.

+[no]all Set or clear all display flags +time=T Sets the timeout for a query to T seconds. The default

time out is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied.

+tries=A Sets the number of times to retry UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of retries is silently rounded up to 1.

+ndots=D Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf.

+bufsize=B Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.

69


Dig Example

Dig Example

$ dig abc.com NS; <<>> DiG 9.2.1 <<>> abc.comNS

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57076

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:

;abc.com. IN NS

;; ANSWER SECTION:



;; ADDITIONAL SECTION:

ns0.abc.com. 107948 IN A 192.168.2.2

;; Query time: 1 msec

;; SERVER: 192.168.0.4#53(192.168.0.4)

;; WHEN: Tue May 11 10:34:01 2004

;; MSG SIZE rcvd: 122

70


BIND Logging

BIND Logging

Logging is configured in named.conf Log Channels – where to information goes Log Categories – Which Information

71


Log Channels

Log Channels

default_syslog sends messages to the syslogd

default_debug writes messages to the file named.run

default_stderr writes to standard error

null

72


Log Categories

Log Categories

default –catchall for any unassigned messages

config – High level config file processing

parser – low level config file processing

queries – one log message per query

statistics – name server stats

panic – fatal errors

db – database operations

…

73


Default Logging Config

Default Logging Config

If there is no logging statement the following applies:

Logging {

category default { default_syslog; default_debug; };

category panic { default_syslog; default_stderr; };

category packet { default_debug; };

category eventlib { default_debug; };

};

74


Common Problems

Common Problems

75


Forget to Increment Serial Number

Forget to Increment Serial Number

Secondaries don’t know the data has changed.

Clients will get inconsistent answers from your servers

Check the SOA records on each server

The main symptom of this problem is that slave name servers don't pick up anychanges you make to the zone's db file on the primary. The slaves think the zone datahasn't changed, since the serial number is still the same.

The serial number gives you no indication of when it was updated, there's no directway to tell whether it's changed. About the best you can do is to use a query tool tocompare the data returned by the primary and by a slave. If they return different data,you probably forgot to increment the serial number.

On the other hand, if you encode the date into the serial number, as many people do(e.g., 1998010500 is the first rev of data on January 5, 1998), you may be able to tellat a glance whether you updated the serial number when you made the change.

The good news is that, although determining whether the zone was transferred istricky, making sure the zone is transferred is simple. Just increment the serial numberon the primary's copy of the db file and signal the primary to reload. The slaves shouldpick up the new data within their refresh interval, or sooner if they use NOTIFY.

76


Forget to Signal Primary

Forget to Signal Primary

The name server only loads zone changes at start up or when you signal the server

You can check when the name server last started or reloaded in the syslog

Occasionally, you may forget to signal your primary master name server after makinga change to the conf file or to the db file. The name server won't know to load the newdata - it doesn't automatically check the timestamp of the file and notice that itchanged. Consequently, any changes you've made won't be reflected in the nameserver's data: new zones won't be loaded, and new records won't percolate out to theslaves

77


Secondary Can’t Load Zone Data

Secondary Can’t Load Zone Data

If the secondary can’t reach a primary server it will log the problem in syslog and retry after the retry period.

If the problem is not resolved within the expiry period the secondary will expire and stop answering queries about the zone.

There are three leading causes of this problem: • a loss in connectivity to the master server due to network failure• an incorrect IP address for the master server in the conf file• a syntax error in the zone data file on the master server.

78


Forget to Add PTR Record

Forget to Add PTR Record

A number of systems use reverse lookups as a security check

If you have added a host to your zone without a corresponding reverse mapping, it will fail these security checks.

79


Syntax Error in the boot or data files

Syntax Error in the boot or data files

Syntax errors in the boot file /etc/named.confmay stop named from starting

Errors in a zone file may prevent the zone from loading

In each case the errors will be logged via the syslog

Generally, an error in the conf file will cause the name server to fail to load one or more zones. Some typos in the optionsstatement will cause the name server to fail to start at all, and to log an error like this via syslog:

Jan 6 11:59:29 terminator named[544]: can't change directory to /var/name: No such file or directory

Note that you won't see an error message when you try to start named on the command line, but named won't stay running forlong.

If the syntax error is in a less important line in the boot file - say, in zone statement - only that zone will be affected. Usually, thename server will not be able to load the zone at all (say, you misspell "master" or the name of the data file, or you forget to putquotes around the file name or domain name). This would produce syslog output like:

Jan 6 12:01:36 terminator named[841]: /etc/named.conf:10: syntax error near 'movie.edu'

If a db file contains a syntax error, yet the name server succeeds in loading the zone, it will either answer as "non-authoritative"for all data in the zone or will return a SERVFAIL error for lookups in the zone:

% nslookup fred Server: ns0.abc.com Address: 192.168.2.3 Non-authoritative answer: Name: fred.abc.com Address: 192.168.2.13

Here's the syslog message produced by the syntax error that caused this problem:

Jan 6 15:07:46 huskymo named[693]: db.abc:11: Priority error (postmanrings2x.movie.edu.) Jan 6 15:07:46 huskymo named[693]: master zone “abc.com" (IN) rejected due to errors (serial 1997010600) Jan 6 15:07:46 huskymo named[693]: slave zone “abc.com" (IN) removed

If you looked in the db file for the problem, you'd find this record:

postmanrings2x IN MX postmanrings2x.abc.com.

The MX record is missing the preference field, which causes the error.

Note that unless you correlate the lack of authority (when you expect the name server to be authoritative) with a problem, orscan your syslog file assiduously, you might never notice the syntax error!

80


Missing dot at the end of a name

Missing dot at the end of a name

In a zone file:

abc.com. IN MX 10 mail.abc.com

Is equivalent to

abc.com. IN MX 10 mail.abc.com.abc.com.

81


Missing Cache data

Missing Cache data

Without a cache file to find the root name servers, the server will be unable to resolve names outside it’s authoritative zone.

The log will show an error: “no root nameservers for class 1”

To confirm your suspicion that the cache data are missing, check the syslog output foran error like this:Jan 6 15:10:22 terminator named[764]: No root nameservers for class IN

82


Module 5: Advanced Features

Module 5: Advanced Features

83


Address Match Lists and ACL’s

Address Match Lists and ACL’s

Address match list are used for security features of BIND 8 and later

A Named ACL must be defined before usee.g.

acl "internal" {

{ 192.168.1.192/26; };

};

There are 4 predefined access lists: None All Localhost Localnets

BIND 8 uses address match lists for nearly every security feature, and for some features that aren't security-relatedat all.An address match list is a list of terms that specify one or more IP addresses. The elements in the list can beindividual IP addresses, IP prefixes, or a named access control list. An IP prefix has the format: network in dotted-octet format/bits in netmask

For example, the network 15.0.0.0, with the network mask 255.0.0.0 (eight contiguous ones), would be written15/8.

A named ACL must have been previously defined with an acl statement. The acl statement has a simple structure:

acl "name" {{ address_match list; }; };

Now we can refer to these ACLs by name in address match lists.There are also four predefined access lists:None No IP addressesAny All IP addressesLocalhost Any of the local host's IP addressesLocalnets Any of the networks the local host has a network interface on (found by using each network interface's IP addressand using the netmask to mask off the host bits in the address)

84


Security

Security

Bind 8 implements two security directives

Restricting Queries allow-query { address match list; } ;

Restricting Zone Transfers allow-transfer { address match list; } ;

Can be used in options or zone statements in /etc/named.conf

Restricting QueriesThe BIND allow-query substatement allows you to place an IP address-based access list on queries. The access list can apply toa particular zone, or to any queries received by the server. In particular, the access list specifies which IP addresses are allowedto send queries to the server.Restricting all queriesThe global form of the allow-query substatement looks like this:options { allow-query { address_match_list; }; };

So to restrict our name server to answering queries from the two main Movie U. networks, we'd use:

options { allow-query { 192.249.249/24; 192.253.253/24; }; };

Restricting queries in a particular zoneBIND also allows you to apply an access list to a particular zone. In this case, just use allow-query as a substatement of the zonestatement for the zone you want to protect:

zone "hp.com" { type slave; file "db.hp"; masters { 15.255.152.2; }; allow-query { "HP-NET"; }; };

Preventing Unauthorized Zone TransfersBIND’s allow-transfer substatement lets administrators apply an access list to zone transfers. allow-transfer can restricttransfers of a particular zone as a zone substatement or can restrict all zone transfers as an options substatement. It takes anaddress match list as an argument.Say the slave servers for your acmebw.com zone have the IP addresses 192.168.0.1 and 192.168.1.1. The zone statement:zone "acmebw.com" { type master; file "db.acmebw"; allow-transfer { 192.168.0.1; 192.168.1.1; }; }; will allow only thoseslaves to transfer acmebw.com from the primary master name server. Note that since BIND 8's default is to allow any IP addressto transfer zones, and because hackers can just as easily transfer the zone from your slaves, you should probably also have azone statement like this on your slaves:

zone "acmebw.com" { type slave; masters { 192.168.0.4; }; allow-transfer { none; }; };

BIND will also let you establish a global access list on zone transfers. This applies to any zones that don't have their own,explicit access lists defined as zone substatements. For example, you might want to limit all zone transfers to your internal IPaddresses:

options { allow-transfer { 192.168/16; }; };

85


DNS Notify

DNS Notify

Proposed in RFC 1996, Implemented in BIND 8

When the Primary server notices a change it send a NOTIFY message to all the slave servers in the zone

The slave servers then check for updates immediately rather than waiting until they are next due to check

This feature is on by default

To turn it off, include the option “notify off” either; In the options section – to apply to all zones In the Zone statement – to apply to a particular zone

RFC 1996 proposed a mechanism that would allow primary master servers to notify their slaves ofchanges to a zone's data. BIND implements this scheme, called DNS NOTIFY for short.DNS NOTIFY works like this: when a primary master name server notices a change to data in a zone, itsends a special request to all of the slave servers for that zone. It determines which servers are theslaves for the zone by looking at the list of NS records in the zone and taking out the one that points tothe name server listed in the first record-specific field in the zone's SOA record as well as the local host.The special NOTIFY request is identified by its opcode in the query header. The opcode for mostqueries is QUERY. NOTIFY messages have a special opcode, NOTIFY (duh). Other than that, therequest looks very much like a query for the SOA record for the zone: it specifies the zone's domainname, class, and a type of SOA. The authoritative answer bit is also set.When a slave receives a NOTIFY request for a zone from one of its configured master name servers, itresponds with a NOTIFY response. The response tells the master that the slave received the NOTIFYrequest, so that it can stop sending it NOTIFY messages for the zone. Then the slave proceeds just as ifthe refresh timer had expired: it queries the master server for the SOA record for the zone that themaster claimed has changed. If the serial number is higher, the slave transfers the zone.Why doesn't the slave simply take the master's word that the zone has changed? It's possible that amiscreant could forge NOTIFY requests to our slaves, causing lots of unnecessary zone transfers,amounting to a denial of service attack against our master server.If the slave actually transfers the zone, RFC 1996 says that it should issue its own NOTIFY requests tothe other authoritative name servers for the zone. The idea is that the primary master may not be able tonotify all of the slave servers for the zone itself, since it's possible some slaves can't communicatedirectly with the primary master and use another slave as their master. However, BIND 8 doesn'timplement this, and BIND 8 slaves don't send NOTIFY messages unless explicitly configured to.

86


DNS Dynamic Update

DNS Dynamic Update

Bind 8 and later support DDNS ( RFC 2136 )

Uses nsupdate on client to update DNS server

Uses PGP key pair to maintain security

described in RFC 2136. This permits authorized updaters to add and delete resource records from a zone for which the server isauthoritative. An updater can find the authoritative name servers for a zone by retrieving the zone's NS records. If the server receiving anauthorized update message is not the primary master for the zone, it will forward the update "upstream" to its master server(s). Ifthey, in turn, are slaves for the zone, they will also forward the update upstream.Dynamic update permits more than the simple addition and deletion of records. Updaters can add or delete individual resourcerecords, delete RRsets (a set of resource records with the same domain name, class and type, such as all Internet addresses forwww.acmebw.com), or even delete all records associated with a given name. An update can also stipulate that certainprerequisite records exist or not exist in the zone before the update takes effect. For example, an update can add the addressrecord:dakota.west.acmebw.com. in a 192.168.1.4 only if the name dakota.west.acmebw.com isn't currently being used, or only ifdakota.west.acmebw.com currently has no address records.For the most part, dynamic update functionality is used by programs like DHCP servers that assign IP addresses automatically tocomputers, and then need to register the resulting name-to-address and address-to-name mappings. These programs use thens_update() routine to create update messages and send them to an authoritative server for the zone that contains the domainname.However, it is possible to create updates manually with the command-line program nsupdate, which is part of the standard BINDdistribution. nsupdate reads one-line commands that it then translates into an update message. Commands can be specified onstandard input (the default) or in a file, whose name must be given as an argument to nsupdate. Commands not separated by ablank line are incorporated into the same update message.The commands nsupdate understands are:prereq yxrrset domain name type [rdata] Makes the existence of an RRset of type type owned by domain name a prerequisite to performing the updateprereq nxrrset Makes the non-existence of an RRset of type type owned by domain name a prerequisite to performing the update specified insuccessive update commandsprereq yxdomain domain name Makes the existence of the domain name specified a prerequisite to performing the updateprereq nxdomain Makes the non-existence of the domain name specified a prerequisite to performing the updateupdate delete domain name [type] [rdata] Deletes the domain name specified or, if type is also specified, deletes the RRset specified or, if rdata is also specified, deletesthe record matching domain name, type, and rdataupdate add domain name ttl [class] type rdata Adds the record specified to the zone. Note that the TTL, in addition to the type and resource-record-specific data, must beincluded, but the class is optional, and defaults to INSo, for example, the command:% nsupdate > prereq nxdomain dakota.west.acmebw.com. > update add dakota.west.acmebw.com. 333 in a 192.168.0.4 >tells the server to add an address for dakota.west.acmebw.com only if the domain name does not already exist. Note that the lastblank line is nsupdate's cue to send the update.The command:% nsupdate > prereq yxrrset dakota.west.acmebw.com. in mx > update delete dakota.west.acmebw.com. in mx > updateadd dakota.west.acmebw.com. in mx 10 dakota.west.acmebw.com. > update add dakota.west.acmebw.com. in mx 50

87


store-forward.mindspring.com. > checks to see whether dakota.west.acmebw.com already has MX records, and if it does,deletes them and adds two in their place.Given the fearsome control that dynamic updates obviously give an updater over a zone, you clearly need to restrict them, if youuse them at all. By default, BIND 8 servers don't allow dynamic updates to authoritative zones. In order to use them, you add anallow-update substatement to the zone statement for the zone that you'd like to allow updates to.allow-update takes an address match list as an argument. The address or addresses matched by the list are the only addressesthat are allowed to send your server updates to that zone. It's prudent to make this access list as restrictive as possible:zone "acmebw.com" { type master; file "db.acmebw"; allow-update { 192.168.0.1; }; };

88


Incremental Zone Transfer

Incremental Zone Transfer

Allows Secondary servers to request just the changes to a zone

Can reduce size and duration of Zone Transfers dramatically

Works best with Dynamic Updates

RFC 1995 - Incremental Zone Transfer in DNS

If an IXFR client, which likely has an older version of a zone, thinks it needs newinformation about the zone (typically through SOA refresh timeout or the NOTIFYmechanism), it sends an IXFR message containing the SOA serial number of its,presumably outdated, copy of the zone.

An IXFR server should keep record of the newest version of the zone and thedifferences between that copy and several older versions. When an IXFR request withan older version number is received, the IXFR server needs to send only thedifferences required to make that version current. Alternatively, the server may chooseto transfer the entire zone just as in a normal full zone transfer.

89


Views

Views

Allows you to present different configurations based on Address Match Lists

E.g. Have different Zone files for internal and external

clients

Particular useful if you run a NAT configuration

90


Round Robin Load Distribution

Round Robin Load Distribution

BIND rotates addresses for any domain that has more than one A record

www.abc.com. 60 IN A 192.168.2.4

60 IN A 192.168.2.5

60 IN A 192.168.2.6

Note: small TTL value

The name server rotates addresses for any domain name that has more than one A record. (In fact, thename server will rotate any type of record, except PTR records, as long as a given domain name hasmore than one of them.) So the records:foo.bar.baz. 60 IN A 192.1.1.1 foo.bar.baz. 60 IN A 192.1.1.2 foo.bar.baz. 60 IN A 192.1.1.3

The BIND documentation calls this process round robin.

It's a good idea to reduce the records' time-to-live, too, as we did in this example. This ensures that ifthe addresses are cached on an intermediate name server that doesn't support round robin, they'll timeout of the cache quickly. If the intermediate name server looks up the name again, your authoritativename server can round robin the addresses again.

91


CNAME Record Limitations

CNAME Record Limitations

You can not use CNAME to rename a zone

uk.abc.com. IN CNAME euro.abc.com .

You can use CNAME to Alias an Alias But possibility of CNAME loop

You must not use the Alias in other resource records ( e.g. MX )

Using Multiple CNAME records (i.e. for rotation ) is WRONG, but may work on some servers

92


Wildcards

Wildcards

You can use * as a wildcard in resource records

*.abc.com. IN MX 10 mail.abc.com .

But this can cause confusion as queries for host that do not exist will be returned e.g. host –t MX foobar.abc.com will return

mail.abc.com even though the host foobar does not exist.

Also Wildcards do not match names for which there is already data

Most often, you'd use wildcards to forward mail to non-Internet-connected networks. Suppose your site is not connected to theInternet, but you have a host that will relay mail between the Internet and your network. You could add a wildcard MX record tothe movie.edu zone for Internet consumption that points all your mail to the relay. Here is an example:*.movie.edu. IN MX 10 movie-relay.nea.gov.

Since the wildcard matches one or more labels, this resource record would apply to names like terminator.movie.edu,empire.fx.movie.edu, or casablanca.bogart.classics.movie.edu. The danger with wildcards is that they clash with search lists.This wildcard also matches cujo.movie.edu.movie.edu, making wildcards dangerous to use in your internal zone data. Rememberthat some versions of sendmail apply the search list when looking up MX records:% nslookup Default Server: wormhole Address: 0.0.0.0

> set type=mx - Look up MX records > cujo.movie.edu - for cujo Server: wormhole Address: 0.0.0.0 cujo.movie.edu.movie.edu - This isn't a real host's name! preference = 10, mail exchanger = movie-relay.nea.gov

What are the limitations of wildcards? Wildcards do not match names for which there is already data. Suppose you did usewildcards within your zone data, as in these partial contents of db.movie:

* IN MX 10 mail-hub.movie.edu. et IN MX 10 et.movie.edu. jaws IN A 192.253.253.113 fx IN NS bladerunner.fx.movie.edu. fx IN NS outland.fx.movie.edu.

Mail to terminator.movie.edu will be sent to mail-hub, but mail to et.movie.edu will be sent directly to et. An MX lookup ofjaws.movie.edu would result in a response that said there was no MX data for that name. The wildcard doesn't apply because anA record exists. The wildcard also doesn't apply to domain names in fx.movie.edu, because they don't apply across delegation.

93


Network Names and Numbers

Network Names and Numbers

RFC 1101 defines a method of storing network names and sub-net masks without making and changes to the name server software

However there is not yet any software that make use of this data

To map an IP address to a name in DNS, you reverse the IP address, append in-addr.arpa, and look up PTR data. This sametechnique is used to map a network number to a network name; for example, to map network 15.0.0.0 to "HP Internet." To lookup the network number, include the trailing zeros to make it four bytes, and look up PTR data just as you did with a host's IPaddress. For example, to find the network name for the old ARPAnet, network 10.0.0.0, look up PTR data for 0.0.0.10.in-addr.arpa. You'd get back an answer like ARPAnet.ARPA.If the ARPANET were subnetted, you'd also find an address record at 0.0.0.10.in-addr.arpa. The address would be the subnetmask, 255.255.0.0, for instance. If you were interested in the subnet name instead of the network name, you'd apply the mask tothe IP address and look up the subnet number.This technique allows you to map the network number to a name. To provide a complete solution, there must be a way to map anetwork name to its network number. This, again, is accomplished with PTR records. The network name has PTR data that pointto the network number (reversed with in-addr.arpa appended).Let's see what the data might look like in HP's zone data files (the HP Internet has network number 15.0.0.0), and step throughmapping a network number to a network name.Partial contents of the file db.hp: ; ; Map HP's network name to 15.0.0.0. ; hp-net.hp.com. IN PTR 0.0.0.15.in-addr.arpa. Partial contents of the file db.corp: ; ; Map corp's subnet name to 15.1.0.0. ; corp-subnet.corp.hp.com. IN PTR 0.0.1.15.in-addr.arpa. Partial contents of the filedb.15: ; ; Map 15.0.0.0 to hp-net.hp.com. ; HP's subnet mask is 255.255.248.0. ; 0.0.0.15.in-addr.arpa. IN PTR hp-net.hp.com. IN A255.255.248.0 Partial contents of the file db.15.1: ; ; Map the 15.1.0.0 back to its subnet name. ; 0.0.1.15.in-addr.arpa. IN PTR corp-subnet.corp.hp.com. Here's the procedure tolook up the subnet name for the IP address 15.1.0.1:Apply the default network mask for the address's class. Address 15.1.0.1 is a class A address, so the mask is 255.0.0.0. Applyingthe mask to the IP address makes the network number 15.Send a query (type=a or type=any) for 0.0.0.15.in-addr.arpa.The query response contains address data. Since there is address data at 0.0.0.15.in- addr.arpa (the subnet mask-255.255.248.0), apply the subnet mask to the IP address. This yields 15.1.0.0.Send a query (type=a or type=any) for 0.0.1.15.in-addr.arpa.The query response does not contain address data, so 15.1.0.0 is not further subnetted.Send a PTR query for 0.0.1.15.in-addr.arpa.The query response contains the network name for 15.1.0.1: corp- subnet.corp.hp.com.In addition to mapping between network names and numbers, you can also list all the networks for your domain with PTRrecords:movie.edu. IN PTR 0.249.249.192.in-addr.arpa. IN PTR 0.253.253.192.in-addr.arpa.

94


Some Additional Resource Records

Some Additional Resource Records

HINFO – host information

X25, ISDN, RT

LOC

AAAA – IPv6 Addresses

SRV

HINFO stands for Host INFOrmation. The data are a pair of strings identifying the host's hardware type and operating system.The strings should come from the MACHINE NAMES and OPERATING SYSTEM NAMES listed in the "Assigned Numbers"RFC (currently RFC 1700), but this requirement is not enforced; you can use your own abbreviations. The RFC isn't at allcomprehensive, so it is quite possible you won't find your system in the list anyway. Originally, host information records weredesigned to let services like FTP determine how to interact with the remote system. This would have made it possible tonegotiate data type transformations automatically. Unfortunately, this didn't happen - few sites supply accurate HINFO valuesfor all their systems. Some network administrators use HINFO records to help them keep track of the machine types, instead ofrecording the machine types in a database or a notebook. Here are two examples of HINFO records; note that the hardware typeor operating system must be surrounded with quotes if it includes any whitespace:; ; These machine names and system names did not come from RFC 1340 ; wormhole IN HINFO ACME-HW ACME-GW cujoIN HINFO "Watch Dog Hardware" "Rabid OS" As we pointed out, HINFO records are a security risk - by providing easilyaccessible information about a system, you are making it easier for a hacker to break in.

X25, ISDN, and RTThese three record types were created specifically in support of research on next-generation internets. Two of the records, X25and ISDN, are simply address records specific to X.25 and ISDN networks, respectively. Both take arguments (record-specificdata) appropriate to the type of network. The X25 record type uses an X.121 address (X.121 is the ITU-T recommendation thatspecifies the format of addresses used in X.25 networks). The ISDN record type uses an ISDN address.Examples of the X25 and ISDN record types are:relay.pink.com. IN X25 31105060845 delay.hp.com. IN ISDN 141555514539488 hep.hp.com. IN ISDN 141555514539488 004

These records are intended for use in conjunction with the Route Through (RT) record type. RT is syntactically and semanticallysimilar to the MX record type: it specifies an intermediate host that will route packets (instead of mail) to a destination host. Sonow, instead of only being able to route mail to a host that isn't directly connected to the Internet, you can route any kind of IPpacket to that host by using another host as a forwarder. The packet could be part of a telnet or ftp session, or perhaps even aDNS query!Like MX, RT includes a preference value, which indicates how desirable delivery to a particular host is. For example, therecords:housesitter.movie.edu. IN RT 10 relay.pink.com.

IN RT 20 delay.hp.com.

instruct hosts to route packets bound for housesitter through relay.pink.com (the first choice) or through delay.hp.com (thesecond choice).The way RT works with X25 and ISDN (and even A) records is like this:Internet host A wants to send a packet to host B, which is not connected to the Internet.Host A looks up host B's RT records. This search also returns all address records (A, X25, and ISDN) for each intermediate host.Host A sorts the list of intermediate hosts and looks for its own domain name. If it finds it, it removes it and all intermediatehosts at higher preference values. This is analogous to sendmail's "paring down" a list of mail exchangers. Host A examines the address record(s) for the most preferred intermediate host that remains. If host A is attached to a networkthat corresponds to the type of address record indicated, it uses that network to send the packet to the intermediate host. Forexample, if host A were trying to send a packet through relay.pink.com, it would need connectivity to an X.25 network.

95


If host A lacks appropriate connectivity, it tries the next intermediate host specified by the RT records. For example, if host Alacked X.25 connectivity, it might fall back to delivering via ISDN to delay.hp.com.This process continues until the packet is routed to the most preferred intermediate host. The most preferred intermediate hostmay then deliver the packet directly to the destination host's address (which may be A, X25, or ISDN).

LocRFC 1876 defines an experimental record type, LOC, that allows domain administrators to encode the location of theircomputers, subnets and networks. In this case, location means latitude, longitude and altitude. Future applications could use thisinformation to produce network maps, assess routing efficiency, and more.In its basic form, the LOC record takes latitude, longitude and altitude (in that order) as its record-specific data. Latitude andlongitude are expressed in the format:

<degrees> [minutes [seconds.<fractional seconds>]] (N|S|E|W) Altitude is expressed in meters.

If you're wondering how in the world you're going to get that data, check out "RFC 1876 Resources," athttp://www.ckdhr.com/dns-loc/. This site, created by Christopher Davis, one of the authors of RFC 1876, is an indispensablecollection of information and useful links and utilities for people creating LOC records.If you don't have your own Global Positioning System receiver to carry around to all of your computers, two sites that may comein handy are Etak's Eagle Geocoder, at http://www.geocode.com/eagle.html-ssi, which you can use to find the latitude andlongitude of most addresses in the United States; and AirNav's Airport Information, at http://www.airnav.com/airports/, whichwill let you find the elevation of the closest airport to you. If you don't have a major airport near you, don't worry: the databaseeven includes the helipad at my neighborhood hospital!Here's a LOC record for one of our hosts:

huskymo.acmebw.com. IN LOC 40 2 0.373 N 105 17 23.528 W 1638m

Optional fields in the record-specific data allow you to specify how large the entity you're describing is, in meters (LOC recordscan describe networks, after all, which can be quite large), as well as the horizontal and vertical precision. The size defaults toone meter, which is perfect for a single host. Horizontal precision defaults to 10,000 meters, and vertical precision to ten meters.These defaults represent the size of a typical ZIP or postal code, the idea being that you can fairly easily find a latitude andlongitude given a ZIP code.

AAAA - IPv6 AddressesIf you're to believe the hype, IPv6 is coming soon to a network near you. Clearly, the existing A record won't accommodateIPv6's 128-bit addresses: BIND expects an A record's record-specific data to be a 32-bit address in dotted-octet format.RFC 1886 introduces a new address record, AAAA, used to store a 128-bit IPv6 address. AAAA takes as its record-specific datathe textual format of an IPv6 record described in RFC 1884. This format expresses the 128 bits of the address as eight sets offour hexadecimal digits, separated by colons (":"). The first set of four digits encodes the high-order 16 bits of the address. Everyset of four bits are compressed into the equivalent hexadecimal digit (e.g., 1111 becomes f). You can omit leading zeroes in a setof hexadecimal digits.So, for example, you'd see AAAA records like this:

ipv6 IN AAAA 4321:0:1:2:3:4:567:89ab

RFC 1886 also extends the additional processing that BIND and other name servers do, so that name servers include AAAArecords for mail exchangers and name servers that speak IPv6, for example.Finally, RFC 1886 establishes a new reverse mapping namespace for IPv6 addresses, called ip6.int. Each level of subdomainunder ip6.int represents a nibble (a 4-bit quantity) in the 128-bit address, with the low-order nibble encoded first (appearing atthe far left of the domain name). Unlike the format of addresses in AAAA records, omitting leading zeroes is not allowed, sothere are always 32 nibbles and 32 levels of subdomain below ip6.int in a domain name corresponding to a full IPv6 address.The domain name that corresponds to the address in the example above is:

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.INT.

These domain names have PTR records attached, just as domain names under in-addr.arpa do.

SRVLocating a service or server within a zone, if you don't know which host it runs on, is a difficult problem. Some domainadministrators have attempted to solve this problem by using service-specific aliases in their zones. For example, at Movie U. wecreated the alias ftp.movie.edu and point it to the domain name of our FTP archive:

ftp.movie.edu. IN CNAME plan9.fx.movie.edu.

This makes it easy for people to guess a domain name that will get them to our FTP archive, and separates the name people useto access to archive from the domain name of the host it runs on. If we were to move the archive to a different host, we couldsimply change the CNAME record.The experimental SRV record, introduced in RFC 2052, is a general mechanism for locating services. SRV also providespowerful features that allow domain administrators to distribute load and provide backup services, similar to the MX record.A unique aspect of the SRV record is the format of the domain name it's attached to. Like service-specific aliases, the domainname to which an SRV record is attached gives the name of the service sought, as well as the protocol it runs over, concatenatedwith a domain name. So, for example:

ftp.tcp.movie.edu

would represent the SRV records someone ftping to movie.edu should retrieve in order to find the movie.edu FTP servers, while:

96


http.tcp.www.movie.edu

represents the SRV records someone accessing the URL http://www.movie.edu/ should look up in order to find thewww.movie.edu web servers.

The names of the service and protocol should appear in the latest Assigned Numbers RFC (the most recent as of this writing isRFC 1700), or be unique names used only locally. Don't use the port or protocol numbers, just the names.The SRV record has four resource record-specific fields:

priority weight port target

priority, weight, and port are unsigned 16-bit numbers (between 0 and 65535). target is a domain name.Priority works very similarly to the preference in an MX record: the lower the number in the priority field, the more desirablethe associated target. When searching for the hosts offering a given service, clients should try targets at the same priority beforetrying those at a higher priority value.Weight allows domain administrators to distribute load to multiple targets. Clients should query targets at the same priority inproportion to their weight. For example, if one target has a priority of zero and a weight of one, and another target also has apriority of zero but a weight of two, the second target should receive twice as much load (in queries, connections, whatever) asthe first.Port specifies the port on which the service being sought is running. This allows domain administrators to run servers on non-standard ports. For example, a domain administrator could use SRV records to point web browsers at a web server running onport 8000 instead of the standard HTTP port (80).Target, finally, specifies the domain name of a host on which the service is running (on the port specified in the port field).Target must be the canonical name of the host (not an alias), with address records attached to it.

So, for the movie.edu FTP server, we added these records to db.movie:

ftp.tcp IN SRV 1 0 21 plan9.fx.movie.edu. IN SRV 2 0 21 thing.fx.movie.edu.

This instructs SRV-capable FTP clients to try the FTP server on plan9.fx.movie.edu's port 21 first when connecting tomovie.edu, and then to try the FTP server on thing.fx.movie.edu's port 21 if plan9's FTP server isn't available.The records:

http.tcp.www IN SRV 0 2 80 www.movie.edu. IN SRV 0 1 80 www2.movie.edu. IN SRV 1 1 8000 postmanrings2x.movie.edu.

direct web queries for www.movie.edu to www.movie.edu's port 80 and www2.movie.edu's port 80, with www.movie.edu gettingtwice the queries that www2.movie.edu does. If neither is available, queries go to postmanrings2x, on port 8000.

97


DNS and Windows

DNS and Windows

DNS is the primary name resolution method in Windows 2000

Active Directory Integration Extensive use of Dynamic Updates Domain Controllers add many SRV records

98


Active Directory Integrated Zones

Active Directory Integrated Zones

AD Integrated Zone Stored as AD Objects Replicated as part of normal AD Replication Multi-master Replication model

Benefits: Fault Tolerance Security Simplified Management More Efficient Replication of Large Zones

Active Directory Integration and Multimaster ReplicationIn addition to storing zone files on DNS servers, you can store a primary zone in Active Directory.When you store a zone in Active Directory, zone data is stored as Active Directory objects andreplicated as part of Active Directory replication.Active Directory replication provides an advantage over standard DNS alone. With standard DNS, onlythe primary server for a zone can modify the zone. With Active Directory replication, all domaincontrollers for the domain can modify the zone and then replicate the changes to other domaincontrollers. This replication process is called multimaster replication because multiple domaincontrollers, or masters, can update the zone.Although Active Directory–integrated zones are transferred by using Active Directory replication, youcan also perform standard zone transfers to secondary servers as you can with standard DNS zones.Active Directory–integrated storage provides the following benefits:Fault Tolerance Although you can still perform standard zone transfers with Active Directory–integrated zones, Active Directory multimaster replication provides greater fault tolerance than usingstandard zone transfers alone. Standard zone transfers and updates rely on a single primary DNS serverto update all the secondary servers. With Active Directory replication, however, there is no single pointof failure for zone updates.Security You can limit access to updates for any zone or record, preventing insecure dynamicupdates. For more information about configuring secure dynamic update, see "Dynamic Update andSecure Dynamic Update" later in this chapter.Simpler Management Because Active Directory performs replication, you do not need to set up andmaintain a separate replication topology (that is, zone transfers) for DNS servers.More Efficient Replication of Large Zones Active Directory replicates on a per-property basis,propagating only relevant changes. This is more efficient than full zone transfers.

99


Multi-master Replication

Multi-master Replication

DNS Transfers Full Zone Transfers send the Entire Database Incremental Zone Transfers send Each Change

Per-Property Processing Only Relevant Changes Propagated

Every DNS Server running on a DC is Authoritative SOA Records

Multimaster ReplicationActive Directory supports multi-master replication, which is replication in which anydomain controller can send or receive updates of information stored in ActiveDirectory. Replication processing is performed on a per-property basis, which meansthat only relevant changes are propagated. Replication processing differs from DNSfull zone transfers, in which the entire zone is propagated. Replication processing alsodiffers from incremental zone transfers, in which the server transfers all changes madesince the last change. With Active Directory replication, however, only the final resultof all changes to a record is sent.When you store a primary zone in Active Directory, the zone information is replicatedto all domain controllers within the Active Directory domain. Every DNS serverrunning on a domain controller is then authoritative for that zone and can update it.

100


Windows Client Configuration

Windows Client Configuration

Client Configuration is Critical Server Addresses DNS Suffix Configuration Dynamic updates

Server addresses configured at client direct client queries to DNS Server(s)

Client Configuration Settings TCP/IP > Properties > Advanced System Properties > Network Identification

DNS Client ConfigurationDNS Client configuration is critical to successful operation of DNS.

Keep in mind that when we speak of a “DNS Client” that could mean either an individual host computersubmitting a request to a DNS server, or it could be one DNS Server communicating with other DNSservers while attempting to resolve a query on behalf of a client.

Therefore, DNS client settings must be correct on all systems – workstations, Servers, DomainControllers, and the DNS Server itself.

In Windows® 2000 DNS is configured per network connection via TCP/IP > Properties and TCP/IP >Properties > Advanced Settings.

TCP/IP PropertiesThis dialog box is used to enter the address of the Preferred DNS Server and optionally one Alternateserver address.

The Preferred DNS Server will be attempted first for all DNS Name Queries issued by the client.

TCP/IP Properties > AdvancedWithin the Advanced Properties you will notice the DNS tab. Here the user may configure additionalAlternate DNS Server addresses, as well as the DNS Suffixes that will be appended onto queries madeby the client.

The process of how the client appends and uses these suffixes is described in detail later in this section.

101


DNS Configuration Interface



DNS client settings are configured via TCP/IP Properties and TCP/IP AdvancedSettings. In Windows® 2000 these settings may be configured for each networkadapter present in the system.

102


Client-side Configuration

Client-side Configuration

Server Addresses Preferred DNS Server Address Alternate DNS Server Address(es) Specified via TCP/IP Properties and TCP/IP Properties > Advanced >

DNS Initially uses Preferred first, then tries Alternates in order l isted Optimizes for non-responding servers

Client-side Configuration: Preferred and Alternate DNS Server Addresses

The DNS Client service uses a server search list, ordered by preference.

This list includes all preferred and alternate DNS servers configured for each of theactive network connections on the system.

Windows® 2000 rearranges these lists based on the following criteria:• Preferred DNS servers are given first priority. • If no preferred DNS servers are available, then alternate DNS servers

are used. • Unresponsive servers are removed temporarily from these lists.

Note: In Windows® 2000, the DHCP Client service initiates dynamic registration forclient DNS names, whether the client is enabled for DHCP automatic addressing orwhether it is statically configured. Therefore the DHCP Client service must berunning on the client for dynamic registration of DNS names to occur.

103


Preferred DNS Server Configuration

Preferred DNS Server Configuration

The Preferred DNS Server is

the one the client tries

first…

If Preferred Server fails, the client tries the Alternate DNS Server (if so

configured)…

104


Alternate DNS Server Configuration

Alternate DNS Server Configuration

The Preferred and Alternate

Servers specified on the previous Properties

page automatically appear at the top of this list, and Preferred and Alternates are queried in order listed…

Optionally, you can enter a whole list of

Alternate DNS Servers

105


Windows Client Dynamic Update

Windows Client Dynamic Update

Process:1. Client SOA query for Server

Authoritative for the record2. DNS Server returns Zone name

and IP of authoritative server3. Client sends Assertion Update to

verify existing registration4. Server responds5. If no existing registration, client

sends dynamic update package to register the record

If Failure: If update fails, client attempts to

register the record with other primary servers in the zone

If all fail, client repeats after 5 minutes, and again after 10 minutes

Failures result in a repeated pattern of attempts 50 minutes after the last retry

DYNAMIC UPDATE/REGISTRATIONIn a conventional DNS implementation (Windows® NT 4.0 DNS server and older BIND versions), ifthe authoritative information of a resource record must be changed, the network administrator has toedit the appropriate zone file manually.

Protocol Description The RFC 2136 introduces a new opcode or message format called UPDATE. The update message canadd and delete RRs from a specified zone as well as test for prerequisite conditions. Update is atomic,that is, all prerequisites must be satisfied or else no update operation will take place.

As in older static DNS implementations, the zone update must be committed on a primary name serverfor that zone. If an update is received by a secondary server, it will be forwarded up the replicationtopology until it reaches the primary server. In the case of a Active Directory(AD) integrated zone, anupdate for a record in that zone may be sent to any DNS server running on a domain controller whoseAD contains the zone.

Dynamic Update AlgorithmThe dynamic update sequence consists of the following steps:

A client, using an SOA query, locates primary DNS server and zone authoritative for the record to beregistered.

The client sends to the located DNS server an assertion or prerequisite-only update to verify an existingregistration. If the registration does not exist, the client will send the appropriate dynamic updatepackage to register the record.

106


107

DNS Overview

Documents

Transcript of DNS Overview