Domain Name Service (DNS) at Colorado State University


1 Domain Name Service (DNS) at Colorado State University
Mike Willard Academic Computing & Networking Svcs

2 What is Domain Name Service?
DNS is a hierarchical naming system that associates various information with names meaningful to humans. DNS data is made available by a distributed database run on servers world wide. Responsibility for domain data is distributed by designating authoritative name servers for each domain, which can in turn delegate authority for sub-domains. This obviates the need for a single central repository of information.

3 Domain Name Service Data
A typical host name: “chico.cs.colostate.edu.” is a Fully Qualified Domain Name (FQDN) made up of parts:
“chico” = Hostname
“cs.colostate.edu.” = domain name
“cs.colostate.edu.” = a subdomain of “colostate.edu.”, which is a subdomain of “edu.”
“edu.” is a Top Level Domain (TLD)
“.” = the root of DNS data; technically all DNS names should end in “.” but it is typically left out.

4 DNS Data Organization
Thus DNS data is organized in a tree structure.

5 DNS Record Types: SOA
Start of Authority (SOA): Defines global parameters for a “zone”, which include:
Time To Live (TTL) – no. of seconds records may be cached.
Primary DNS server – FQDN of an authoritative DNS server.
Addr – Contact info for the domain, e.g. dnsadmin.colostate.edu.
Serial number – Updated when data changes. Used for replication.
Refresh – Interval in seconds a secondary tries to refresh zone data.
Retry – Interval in seconds between refresh attempts after failure.
Expiry – Interval in seconds secondary data is valid without refresh.
Min – Default minimum TTL for other zone records. Changed in newer RFCs.

6 DNS Record Types: SOA (cont.)
The DNS RFCs define a text representation for records as well as a binary or “wire” representation. SOA records have the following text format:
Name TTL Class RType address
acns.colostate.edu IN SOA dnsadmin.colostate.edu. (
 ; sn
 900 ; refresh (15 min)
 600 ; retry (10 min)
 ; expiry (1 day)
 3600 ; minTTL ( 1 hour)
 )
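An added example (not part of the slides) that parses an SOA record in the text format above and applies the SOA timers the way a secondary does; the serial, primary server and expiry values in the sample record are constructed, and the serial comparison uses RFC 1982 serial arithmetic.

```python
import re
from dataclasses import dataclass

# Constructed SOA record in the text format shown on the slide (TTL column
# omitted). Primary server, serial and expiry are sample values, not CSU's.
SOA_TEXT = """acns.colostate.edu. IN SOA dns1.colostate.edu. dnsadmin.colostate.edu. (
        2009101501 ; sn
        900        ; refresh (15 min)
        600        ; retry (10 min)
        86400      ; expiry (1 day)
        3600       ; minTTL (1 hour)
        )"""

@dataclass
class SOA:
    zone: str
    mname: str     # primary DNS server (FQDN)
    rname: str     # contact address; the first "." stands for "@"
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa(text: str) -> SOA:
    """Strip ';' comments and parentheses, then read the fields positionally."""
    tokens = re.sub(r";[^\n]*", "", text).replace("(", " ").replace(")", " ").split()
    if tokens[1:3] != ["IN", "SOA"]:
        raise ValueError("not an IN SOA record")
    return SOA(tokens[0], tokens[3], tokens[4], *(int(t) for t in tokens[5:10]))

def contact_email(soa: SOA) -> str:
    """dnsadmin.colostate.edu. -> dnsadmin@colostate.edu"""
    user, _, host = soa.rname.rstrip(".").partition(".")
    return f"{user}@{host}"

def serial_newer(new: int, old: int) -> bool:
    """RFC 1982 serial arithmetic: 32-bit serials compare modulo 2**32."""
    return new != old and ((new - old) & 0xFFFFFFFF) < 0x80000000

def secondary_action(soa: SOA, since_success: int, since_attempt: int, last_failed: bool) -> str:
    """What a secondary does now, given seconds since its last successful
    refresh and since its last attempt, and whether that attempt failed."""
    if since_success >= soa.expire:
        return "expire"          # zone data no longer valid: stop answering for it
    wait = soa.retry if last_failed else soa.refresh
    return "check serial" if since_attempt >= wait else "wait"
```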

7 DNS Record Types: NS
Name Server (NS): Defines the authoritative name server(s) for a domain. NS records actually live in two places: at the root (apex) of the zone and at the point of delegation in the parent zone. The NS records for acns.colostate.edu reside in the parent zone, “colostate.edu”, like this:
Name TTL Class RecordType Data
acns IN NS dns1.colostate.edu
acns IN NS dns2.colostate.edu
And they also exist in the acns.colostate.edu zone, where they look like:
@ IN NS dns1.colostate.edu
@ IN NS dns2.colostate.edu

8 DNS Record Types: A, AAAA
IPv4 Address (A): Associates a name with an IPv4 address. The A record for chico.cs.colostate.edu resides in the “cs.colostate.edu” zone and looks like:
Name TTL Class RecordType Data
Chico IN A
IPv6 Address (AAAA): Associates a name with an IPv6 address. An AAAA record looks like:
Chico IN AAAA :8152:e6d2::8052:f8d1

9 DNS Record Types: CNAME
Canonical Name (CNAME): Associates an alias with another DNS name record. The CNAME record for looks like:
Name TTL Class RecordType Data
www IN CNAME parsons.cs.colostate.edu
According to the RFC, you may not create any other records with the same name as a CNAME record. Exceptions were recently added for the DNSSEC record types RRSIG, NSEC and KEY.

10 DNS Record Types: Others…
There are ~71 record types. The other, more common records include:
MX – Mail Exchanger. Specifies mail servers for a mail domain name.
PTR – Pointer. Maps IPv4 addresses to names (reverse lookup).
SRV – Service record. Defines network service information available for a zone (LDAP, Kerberos, etc.). Used heavily by Windows domains.
TXT – Text information associated with a name. Basically a note. Also used by the Sender Policy Framework (SPF) system to validate .

11 DNS Forward and Reverse Lookups
The most common use is forward lookup (name to IP). Reverse lookup (IP to name) is also needed. This is also a tree structure, delegated in a similar fashion. All reverse space is rooted in the special domain called “IN-ADDR.ARPA”. For delegation to work as in the forward space, the network octets are listed most specific to least specific (i.e. in reverse order). Thus CSU’s IP space ( ) has a reverse DNS zone of “ IN-ADDR.ARPA”.

12 DNS Reverse Data Organization

13 DNS Record Types: PTR
Pointer (PTR): Associates an IPv4 address with a name. The PTR record for “ ” resides in the “ in-addr.arpa” zone and looks like:
Name TTL Class RecordType Data
 IN PTR rush.colostate.edu
Although Address and Pointer records are logically connected, there is nothing in the RFCs to force consistency. It often makes sense to have multiple A records pointing to different IPs (DNS “Round Robin” load balancing). It does not make sense to have multiple PTR records pointing to different hosts.
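An added example (not from the slides) for slides 11 and 13: it builds in-addr.arpa names and reverse zones from addresses, then audits constructed A and PTR data for the inconsistencies the RFCs do not prevent (a PTR with no A record pointing back, several PTRs for one address, a round-robin A with no PTR). The host names and RFC 5737 documentation addresses are sample data, not CSU's real zones.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """Owner name of an address's PTR record: 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def reverse_zone(network: str) -> str:
    """Reverse zone delegated for an octet-aligned IPv4 block (/8, /16 or /24)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes are delegated this way")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ip_from_reverse(rname: str) -> str:
    """Inverse of reverse_name for in-addr.arpa owner names."""
    labels = rname.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an in-addr.arpa name: {rname}")
    return ".".join(reversed(labels[:-2]))

# Constructed sample zone data (RFC 5737 documentation addresses, not CSU's real hosts).
A_RECORDS = {
    "rush.colostate.edu.": ["192.0.2.10"],
    "www.colostate.edu.": ["192.0.2.20", "192.0.2.21"],  # round-robin A records
    "hasty.colostate.edu.": ["192.0.2.30"],
}
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa.": ["rush.colostate.edu."],
    "20.2.0.192.in-addr.arpa.": ["www.colostate.edu."],
    "30.2.0.192.in-addr.arpa.": ["hasty.colostate.edu.", "rush.colostate.edu."],  # two PTRs
    "40.2.0.192.in-addr.arpa.": ["ghost.colostate.edu."],  # no A record points back
}

def audit(a_records, ptr_records):
    """Report forward/reverse mismatches as human-readable findings."""
    findings = []
    for rname, targets in ptr_records.items():
        ip = ip_from_reverse(rname)
        if len(targets) > 1:
            findings.append(f"{ip}: {len(targets)} PTR records, expected one")
        for name in targets:  # forward-confirmed reverse DNS check
            if ip not in a_records.get(name, []):
                findings.append(f"{ip}: PTR {name} is not confirmed by an A record")
    for name, ips in a_records.items():
        for ip in ips:
            if name not in ptr_records.get(reverse_name(ip), []):
                findings.append(f"{name} {ip}: no matching PTR record")
    return findings
```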

14 DNS Authorities
The Internet Assigned Numbers Authority (IANA) and the Internet Network Information Center (InterNIC) were originally established by various US Government agencies and are now run under contract by a private, non-profit organization, the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is responsible for:
Coordination of the DNS root globally
Coordination of IP space globally
Maintaining the list of gTLDs (generic top level domains) and ccTLDs (country code top level domains).
Root Hints:

15 DNS Registries and Registrars
DNS Registry – the authoritative source for a DNS domain. DNS Registrar – an entity authorized to manage registry data. Registrars sell domains to others and maintain that data in the registry. VeriSign operates the current registry for .com and .net but does not act as a registrar. Hundreds of registrars are certified with VeriSign to sell .com domains (e.g. Tucows, GoDaddy, etc.). Reverse registries are run by regional entities (ARIN, LACNIC, RIPE NCC, AFRINIC, APNIC).

16 DNS Queries – Root Hints
IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET A
A.ROOT-SERVERS.NET AAAA 2001:503:BA3E::2:30
NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET A
NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET A
NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET A
NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET A
NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET A
F.ROOT-SERVERS.NET AAAA 2001:500:2F::F
NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET A
NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET A
H.ROOT-SERVERS.NET AAAA 2001:500:1::803F:235
NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET A
I.ROOT-SERVERS.NET AAAA 2001:7FE::53
NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET A
J.ROOT-SERVERS.NET AAAA 2001:503:C27::2:30
NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET A
K.ROOT-SERVERS.NET AAAA 2001:7FD::1
NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET A
L.ROOT-SERVERS.NET AAAA 2001:500:3::42
NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET A
M.ROOT-SERVERS.NET AAAA 2001:DC3::35

17 DNS Queries – Interaction
DNS Resolver – software that contacts DNS servers to find DNS data. Located in client operating systems and as part of DNS server software. Two query types – recursive and non-recursive (iterative). Typical query interaction (diagram, labels only): DNS Resolver, Root Nameserver, edu. Nameserver, colostate.edu. Nameserver; “Where’s …”, “Ask …”, “Ask edu. Nameserver”, “It is at …”.

18 DNS Delegation
An entity wishing to run DNS for a zone negotiates with the group authoritative for the parent domain. The parent’s authoritative server hosts NS records for the delegated domain and “glue” (address) records for the name servers. The delegated server hosts the SOA and the same NS records along with the zone data. Changes take some time to replicate everywhere as caches update.
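An added example (not the deck’s code) for slides 3, 17 and 18: a toy iterative resolver that splits a name into its labels, starts at a root hint and follows NS referrals plus glue through edu., colostate.edu. and the cs.colostate.edu. delegation until an authoritative answer comes back. The zone data, server names and RFC 5737 documentation addresses are constructed, not the real root or CSU servers.

```python
# Toy iterative resolver walking the delegation chain from a root hint down.
# All zone data is constructed: RFC 5737 addresses and made-up server names.
SERVERS = {  # server address -> {zone apex: {owner: [(type, data), ...]}}
    "192.0.2.1": {".": {"edu.": [("NS", "a.edu-servers.net.")],
                        "a.edu-servers.net.": [("A", "192.0.2.2")]}},       # glue
    "192.0.2.2": {"edu.": {"colostate.edu.": [("NS", "dns1.colostate.edu.")],
                           "dns1.colostate.edu.": [("A", "192.0.2.53")]}},  # glue
    "192.0.2.53": {"colostate.edu.": {
        "colostate.edu.": [("SOA", "rush.colostate.edu."), ("NS", "dns1.colostate.edu.")],
        "dns1.colostate.edu.": [("A", "192.0.2.53")],
        "cs.colostate.edu.": [("NS", "ns.cs.colostate.edu.")],   # delegation point
        "ns.cs.colostate.edu.": [("A", "192.0.2.80")]}},          # glue
    "192.0.2.80": {"cs.colostate.edu.": {
        "cs.colostate.edu.": [("NS", "ns.cs.colostate.edu.")],
        "chico.cs.colostate.edu.": [("A", "192.0.2.99")]}},
}
ROOT_HINTS = ["192.0.2.1"]
def ancestors(name):
    """The name and every parent up to the root, most specific first."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
def ask(server, qname, qtype):
    """Authoritative-only server: answer from a hosted zone or refer downward."""
    zones = SERVERS[server]
    apex = next((z for z in ancestors(qname) if z in zones), None)
    if apex is None:
        return "refused", None                 # not one of the zones it hosts
    data = zones[apex]
    for cut in reversed([c for c in ancestors(qname) if len(c) > len(apex)]):
        ns = [d for t, d in data.get(cut, []) if t == "NS"]
        if ns:  # a delegation lies between the apex and qname: send NS + glue
            glue = {n: d for n in ns for t, d in data.get(n, []) if t == "A"}
            return "referral", (cut, glue)
    return "answer", [d for t, d in data.get(qname, []) if t == qtype]
def resolve(qname, qtype="A", max_hops=8):
    """Follow referrals from a root hint; returns (rdata list, hop-by-hop trace)."""
    server, trace = ROOT_HINTS[0], []
    for _ in range(max_hops):
        kind, payload = ask(server, qname, qtype)
        if kind == "answer":
            trace.append(f"{server} answered {payload}")
            return payload, trace
        if kind != "referral" or not payload[1]:
            raise RuntimeError(f"{server}: no usable referral for {qname}")
        cut, glue = payload
        trace.append(f"{server} referred {qname} to {cut} ({', '.join(glue)})")
        server = next(iter(glue.values()))     # follow the glue address
    raise RuntimeError("too many referrals")
```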

19 DNS Servers
Software: BIND – originally UNIX. Windows 2000 moved to heavy reliance on DNS.
Network traffic: UDP and TCP port 53.
Authoritative vs. non-authoritative: Servers that host a zone are authoritative.
Authoritative Only: Servers that *only* respond to queries for zones they host.
Recursive/Caching Servers: Resolve any DNS request for clients. Store answers locally to answer other requests.
Replication: Slave and master. Uses zone serial numbers, refresh and retry intervals to update slaves, which have a read-only copy of the data.
Dynamic DNS (DDNS) – Allows clients to update A and PTR records on the fly.

20 DNS Security Concerns
Cache poisoning
Denial of Service (DoS). Amplified DoS.
Separate resolving and caching server from authoritative server.
Secure DNS (DNSSEC)
Dynamic DNS (DDNS)
Zone transfers
Firewalls
OS and Application vulnerabilities
Outsource Appliances

21 Domain Name System Security Extensions (DNSSEC)
New record types to support the protocol:
RRSIG – one per resource record (used to verify RR data).
DNSKEY – one per zone/subdomain (used to verify RRSIG).
DS – one per subdomain in the parent domain (used to verify DNSKEY).
NSEC/NSEC3 – Used to verify a “negative” response. Helps prevent spoofing.
Requires support of “Extension Mechanisms for DNS” (EDNS): increased flag space and data packet size beyond 512 bytes. Uses a “wire-only” record type (OPT) for backwards compatibility.
Trust Anchors: A trusted key/DS record distributed with the OS or installed manually. Theoretically, only the root zone record is needed, but the TLDs are not all secure yet. EDU supports DNSSEC as of this year. GOV. Some ORG. VeriSign is projected to have their COM and NET zones next year.

22 DNS Utilities
NSLOOKUP – Get DNS records from a given server. Command line parameters and interactive (non-GUI).
DIG – Get DNS record info from a given server. Command line.
WHOIS – Query various registries; command line.
Web sites: network-tools.com

23 DNS at Colorado State University
Master servers – Rush.colostate.edu and Hasty.colostate.edu
Slave servers – yuma.colostate.edu, lamar.colostate.edu, holly.colostate.edu (legacy) and dns1.colostate.edu, dns2.colostate.edu (public)
“Hidden Master” configuration – The master servers (RUSH and HASTY) are not accessible off-campus and there are no NS records registered for them. The public servers are DNS1 and DNS2, which *only* answer queries about colostate.edu and /16.
Statistics – DNS1 ~40 Queries/Sec; DNS2 <10 Queries/Sec; RUSH ~970 Queries/Sec; HASTY ~160 Queries/Sec

24 Domain Name Service (DNS) at Colorado State University
Mike Willard Academic Computing & Networking Svcs

