DNS/BIND System Administration (for the Basic and Advanced classes)

TWNIC-commissioned DNS training course: DNS/BIND System Administration, for the Basic and Advanced classes.
Organizer: Taiwan Network Information Center (TWNIC). Contractor: National Chiao Tung University (NCTU). Co-organizers: Chunghwa Telecom Training Institute, National Chung Hsing University, Kaohsiung County Education Network Center. Course material compiled by: National Chiao Tung University. NCTU/TWNIC DNS Tutorial
Course Outline
- Part 1 - Basics of DNS
- Part 2 - Introduction to BIND/named
- Part 3 - DNS debugging tools
- Part 4 - DNS FAQ (common problems)
- Part 5 - Advanced DNS network and system planning
- Part 6 - Case study
- Appendix - other related topics
Course tracks:
- Basic class: Parts 1, 2, 3, 4 + hands-on lab
- Advanced class: Parts 3, 4, 5, 6 + hands-on lab

Part 1 - Introduction to the DNS System
- Basic system operation
- Distributed system architecture
- DNS traffic statistics (MRTG/Netflow)
- DNS and network security
- DNS and SPAM mail prevention
- Other related topics: reverse DNS configuration and network delay/performance; Chinese DNS

DNS Basics
- What is DNS?
- Basic DNS operating principles (diagram)
- DNS registration and zone delegation
- DNS naming principles and conventions
  - ccSLD naming convention in DNS: 2-character codes vs. 3-character codes
  - Generic name hierarchy vs. flat name space

Introduction to DNS
- What is the Domain Name System?
- The functionality of DNS: defining hostnames, domain zone names, etc.; looking up the DNS RRs published by organizations over the Internet
- When are DNS functions used?
  - Outgoing access: looking up forward RRs (e.g. A, MX, NS); DNS vs. mail routing
  - Incoming access: reverse RR (e.g. PTR) checking; forward RR (e.g. A, MX) matching
- Typical management issues and common problems
Domain Name System
- The DNS system is roughly divided into three parts:
  - Domain Name Space
  - Domain Name Server: BIND/named, ...
  - Domain Name Resolver
- DNS-related programs: client, agent (a proxy that queries on a client's behalf), server

Domain Name Space
- Distributed and hierarchical organization: tree structure vs. DAG structure
- Classification combines geographic regions with functional organizations
- Forward domain zones: 'tw', 'edu.tw', ...
- Reverse domain zones:
  - Public zones: ' in-addr.arpa', ' in-addr.arpa.', ...
  - Special zones: 127.0.in-addr.arpa, 0.in-addr.arpa., etc.
  - Private zones: in-addr.arpa., 10.in-addr.arpa, etc.

Definition of DNS records
- Domain zone delegation (NS, SOA RR)
- Domain name (A RR): telnet bbs.cis.XYZ.edu.tw
- Mail routing (MX RR)
- Mail reverse pointer (PTR RR): > ns1.XYZ.edu.tw
- Alias naming (CNAME RR; Canonical Name): proxy.XYZ.edu.tw -> wproxy1.XYZ.edu.tw
- Others

Hierarchical Architecture of the current DNS System (tree diagram: the root servers at "."; top-level domains such as gov, mil, int, arpa, com, org, net, tw, cn, kr, vn; under arpa the in-addr, NSAP and IP6 subtrees; under tw the gov, mil, net, edu, org and com subdomains; example leaf ccserv2.cc.NCTU.edu.tw and its counterpart in the in-addr.arpa reverse tree)
Special DNS servers
- Root DNS servers (13 in total): a.root-servers.net, b.root-servers.net, ..., m.root-servers.net. Because of the 512-byte limit on a DNS UDP packet, no more than 13 DNS servers can be listed in one reply, even with name compression.
- Generic top-level domain (gTLD) servers, e.g. com, net, org, etc.
- Country-code top-level domain (ccTLD) servers, e.g. cn, kr, jp, tw, us, vn, etc.

ccSLD Naming Convention in DNS
- ccTLD = country-code top-level domain
- ccSLD = country-code second-level domain
- 3-character convention (com, edu, org, etc.): used by tw, us, ...
- 2-character convention (co, ac, or, ...): used by uk, jp, ...
- Correspondence: ac/edu, co/com, or/org

Separation of registries and registrars
- A new trend in DNS: any organization or company should be allowed to perform only one of the following two businesses.
- Registry: an organization that accepts registrations of domain zones from registrars (e.g. TWNIC, APNIC, InterNIC, etc.)
- Registrar: organizations or companies that perform DNS registrations for customers (e.g. ISPs)

DNS/IP-related Organizations
- IP assignment and DNS registration: global -> regional -> country level
- DNS/IP-related organizations:
  - ICANN (The Internet Corporation for Assigned Names and Numbers)
  - IANA (Internet Assigned Numbers Authority)
  - InterNIC, APNIC, RIPE NCC, ...
  - KRNIC, TWNIC, VNNIC, ...
  - Multilingual Internet Names Consortium

IP address allocation and .tw domain registration in Taiwan - http://www.twnic.net.tw (diagram)

DNS Operation Principle (diagram: a local DNS server receives ordinary DNS queries and WINS/DNS queries from clients and resolves them either directly against the Internet, the direct mode, or through a remote DNS forwarding server, the indirect mode)
Typical DNS Management Issues
Issue: Description
- Availability: master/slave architecture, data synchronization among authoritative servers, etc.
- Configuration (correctness): delegation of domain zones, illegal DNS entries, etc.
- Interoperability: BIND (versions 4, 8, 9, etc.), Microsoft DNS, etc.
- Misc.: registration, buggy software versions, etc.
- Performance: DNS caching, forwarding, separation of inbound and outbound DNS traffic, etc.
- Security: access control, dynamic update, intrusion detection, etc.

Basic functions/attributes of DNS servers
- Authoritative (master, slave): SOA, NS
- Caching (recursive) vs. iterative (non-caching)
  - Time-To-Live (TTL; how long an answer stays valid in a cache)
  - DNS cache vs. web cache
  - Positive caching vs. negative caching
- Forwarding
  - Total vs. selective forwarding
  - NetBIOS (port 137) to DNS (port 53) forwarding
  - DNS forwarder

Generic System Configuration Issues
- Load sharing/balancing (DNS, mail, ...): improves overall network and system performance (global internetworking)
- Backup systems (DNS, mail, ...): high availability/reliability
- Relaying systems (DNS, mail, WWW); near-synonyms: proxy, forwarding
- Caching (DNS, www proxy, ftp mirror)

DNS query/response
- Query/response messages
- Iterative query/referral vs. recursive query
- Inverse query vs. reverse pointer query
- Round-robin vs. load balancing
- Round-trip time of a DNS query
- Examples

Query/response flow (diagram): Q = query, R = response, Dl = local DNS server, Dr = remote DNS server; steps 1(Q) and 4(R) run between the client and Dl, steps 2(Q) and 3(R) between Dl and Dr
DNS Cache Mechanism (cf. the web caching mechanism)
- The cache operating principle: TTL and SOA
- Positive vs. negative cache
  - Positive cache: maximal default TTL = 7 days; the actual TTL is the one set by the source if it is < 7 days
  - Negative cache: it is recommended that negative caching (caching information about the non-existence of resource records) become mandatory in resolvers. Maximal default TTL = 3 hours (or 10800 seconds), which is NOT good for a local environment (Chinese group/host names in NetBIOS). Suggested value: 20 minutes (1200 seconds).

DNS & Firewall: split DNS servers (internal, external) (diagram)

NetBIOS (port 137) to DNS (port 53) proxy
- NetBIOS over TCP/IP: local conditions and usage habits differ from elsewhere, so at present it is of little use here
- Change in the average share of useful packets:
  - NetBIOS proxy enabled: about 30% useful packets on average
  - NetBIOS proxy disabled (using ipfilter): about 40% useful packets on average

NetBIOS (WINS) and DNS
- Misconfigured NetBIOS can consume a large share of the available bandwidth. Real case: a school in the TANet Hsinchu-Miaoli regional network (see the MOECC newsletter).
- Avoid it where possible (disable NetBIOS over TCP); disable port 137 on the DNS server (turn the proxy off)
- Enable negative caching: protects your own server and avoids dragging down the wider network
- Upgrade to the latest version (BIND 8.x or later), which has negative caching built in

DNS System Security (cf. firewall operating modes)
- Common targets of network attacks: routers, DNS, WWW, SMTP
- DNS system security compared with other systems:
  - Firewall: default block mode; only explicitly specified inbound or outbound traffic is allowed
  - DNS server: limited recursive mode
  - SMTP server: limited relay mode
Common intrusion and attack patterns
- Exploiting program flaws (e.g. buffer overflows) is the basic way systems are broken into.
- Exploiting network protocols: TCP-based (SYN flooding, etc.); UDP-based (problems in handling some fragments, etc.); ICMP-based (ping-of-death, etc.)
- Evading traceback: forged packets and forged source IP addresses (DoS); looking for intermediate hosts to hide behind (stepping stones); intermediate amplifiers; DoS/DDoS attacks

- Intrusions against specific targets: buffer overflows and similar system flaws; the Lion worm on Linux (BIND 8.x)
- Searching for non-specific targets: forward and reverse domain zone scanning
- Restricting DNS zone transfers blocks this indiscriminate search for targets

System security planning and management
- Every domain must actually set up two or more DNS servers
- Apply security patches promptly on important servers
- Configure ACLs on DNS and restrict zone transfers
- For outsourced maintenance: the vendor's capability, willingness and contract

Basic operating mode: limited recursive mode
- Data belonging to your own organization: queries allowed from the whole Internet (BIND v8)
- Data not belonging to your organization: recursive queries basically allowed only for local users (BIND v8)
- Data already in the DNS cache: queries allowed from the whole Internet (BIND v9)
- Performance and practical considerations (usage habits and historical factors)

Every domain should set up two or more DNS servers
- Network redundancy; spreading the load; better overall performance (resolvers measure RTT and query the nearest server)
- Servers for the same domain should be placed at different sites, against power failures, network outages, attacks on the system, crashes, etc. (ccTLD, ccTLD)
- For data that rarely changes, set a longer TTL per record: fewer unnecessary DNS queries, better network performance and stability. Suggested TTL: 1-3 days

Problem handling and follow-up
- Security problem reporting and response
- Report to the relevant organizations and track the problem; report to the relevant CERT and track the problem
- Each organization's contact address (Internet convention), e.g.
Part 2 - BIND: introduction, installation and use
- DNS server host layout and planning
- Taxonomy of DNS servers
- Name server software selection
- BIND server configuration
- Other topics: comparison of BIND v4, v8 and v9; Chinese DNS (mDNS, cBIND, etc.)

DNS server host layout and planning
- Host platform/OS: Unix, Windows NT, OS/2, ... (at present Unix is still the better choice)
- Hardware requirements: mainly memory size; the rule is that named should keep over 90% of DNS queries cached in RAM without touching swap
- System software (BIND/named, ...)
- Network addresses (multiple servers): put the primary and secondary server hosts on different network segments; if they can be at different organizations, better still

A standard configuration of a DNS system (diagram)

Taxonomy of DNS servers
- Authoritative DNS servers: master/primary (source); slave/secondary (mirror); stealth server; stub servers
- DNS caching server
- DNS forwarder

Taxonomy of DNS servers - alternative view (diagram)
Selection of Platform (OS, DNS)
- Currently, UNIX hosts are better for running DNS servers than MS Windows
- Use different OSes and different versions of the DNS server program on the master and slave servers whenever possible (avoids a single point of failure)
- For security, patch the OS and the DNS server program to the newest level
- Enable UDP checksums
- Remove any unused services (such as SNMP, SMTP, ...)
- Enable syslog (better still, also log to another server on the intranet)
- Set up access control for the required services

Hardware Requirements
- Performance: an x86-based PC is usually better than other platforms (e.g. SUN workstations)
- RAM (the more, the better): the server host should be able to cache all authoritative DNS zone files in memory without swapping
- CPU: the processor(s) must be able to handle a peak of three times the normal request rate

Name Server Software Selection
- Criteria for an Internet name server: inward/outward zone transfer; stub resolver (recursive query) support; at least the common resource record types A, MX, PTR, SOA, CNAME, NS; caching support
- BIND on Unix (also on Windows NT, MacOS, etc.)
- Windows NT (Microsoft DNS server): Windows NT 4.0, 2000, XP
- Others

Version info of BIND
- V9: current release v9.2.1 (May 1, 2002); release candidate v9.2.2rc1 (Aug. 14, 2002)
- V8 (still in wide use): current release v8.3.3 (June 28, 2002)
- V4 (should be upgraded to v8 or v9): current release v4.9.9

Important BIND Features (v4 -> v8 -> v9) [1]
- Completely new configuration syntax: /etc/named.boot (v4) -> /etc/named.conf (v8, v9)
- Resolver implicit search problem (v8; RFC 1535)
- DNS Dynamic Updates (v8, v9; RFC 2136)
- DNS Change Notification (v8, v9; RFC 1996)
- Flexible, categorized logging system (v8, v9)
- IP-address-based access control for queries, zone transfers and updates, which may be specified zone by zone: allow-query (v8, v9), allow-recursion (v9 only), allow-transfer (v8, v9)

Important BIND Features (v4 -> v8 -> v9) [2]
- New name daemon control program: ndc (v8), rndc (v9)
- CIDR-like classless in-addr.arpa delegation
- More efficient zone transfers: no fork() on outbound transfers (v8)
- Improved performance for servers with thousands of zones
- Incremental zone transfer, IXFR (v8, v9; RFC 1995)
- New DNS RRs (RFC 1183): RP, AFSDB, ISDN, X25, RT; also LOC (RFC 1876) and SRV (RFC 2052)
- Secure zones, DNSSEC (v9)
- Many bug fixes, including patches for all known security holes

BIND Server Configuration
- Server configuration file: /etc/named.boot (v4); /etc/named.conf (v8, v9); named-bootconf.pl (automatic v4 -> v8 translation program)
- Zone data files: forward and reverse authoritative zones
- Resolver configuration file (clients): /etc/resolv.conf
DNS Server options - /etc/named.boot (v4)

    ; type      domain            source file or host
    ;
    directory   /var/named
    ;
    cache                         named.root
    primary     localhost         Localhost
    primary     IN-ADDR.ARPA      Rev-127.0
    ; [deleted]
    primary     XYZ.edu.tw        Zone.XYZ
    secondary   ADM.XYZ.edu.tw    Zone.ADM
    primary     CC.XYZ.edu.tw     Zone.CC
    ; [deleted]
    . . .
    primary     IN-ADDR.ARPA      R
    primary     in-addr.arpa      R
    secondary   in-addr.arpa      R

DNS Server configuration (template) - /etc/named.conf (v8, v9)

    // Access control list block
    acl "L1" { ... };
    acl "L2" { ... };
    // Logging block
    logging { ... };
    //
    controls { ... };
    key rndc_key { ... };
    //
    options { ... };
    //
    zone "." { type hint; file "named.root"; };
    zone "localhost" { type master; file "Localhost"; };

DNS Server Options - /etc/named.conf (v8, v9)

    options {
        directory "/var/named";
        pid-file "named.pid";
        forwarders { some-ip-address; };
    };
    zone "." { type hint; file "named.root"; };            // root hint file
    zone "localhost" { type master; file "Localhost"; };
    zone " IN-ADDR.ARPA" { type master; file "Rev-127.0"; };
    zone "HC.edu.tw" { type slave; file "sec/zone-HC.edu.tw"; masters { ; }; };
    zone " IN-ADDR.ARPA" { type slave; file "sec/R "; masters { ; }; };
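The three per-zone access lists named in the BIND feature list (allow-query, allow-recursion, allow-transfer) are what turn a server into the "limited recursive mode" described in Part 1. The following Python model is an added example, not code from the tutorial or from BIND: it decides, for one request, what such a server does, and contrasts the limited policy with an open one. The network numbers, ACL names, zone names and cache contents are constructed for the example.

```python
# Added example (not from the tutorial): a model of the three per-zone access
# lists named in the BIND feature list (allow-query, allow-recursion,
# allow-transfer), applied as the "limited recursive mode" policy from Part 1.
# The network numbers, zone names and cache contents are constructed.
from ipaddress import ip_address, ip_network

# acl statements as they would appear in named.conf (constructed values)
ACLS = {
    "local-nets": [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")],
    "slaves": [ip_network("203.0.113.53/32")],
}
AUTHORITATIVE_ZONES = {"xyz.edu.tw.", "2.0.192.in-addr.arpa."}

# Limited recursive mode: own data for everyone, recursion only for local
# users, zone transfers only to the slaves.
LIMITED_POLICY = {"allow-query": "any",
                  "allow-recursion": "local-nets",
                  "allow-transfer": "slaves"}
# The weak setting the slides warn against: an open recursive server.
OPEN_POLICY = {"allow-query": "any",
               "allow-recursion": "any",
               "allow-transfer": "any"}

def acl_match(acl_name, client):
    """Does `client` match the named ACL (or the built-ins any/none)?"""
    if acl_name == "any":
        return True
    if acl_name == "none":
        return False
    addr = ip_address(client)
    return any(addr in net for net in ACLS[acl_name])

def is_authoritative(qname):
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)

def decide(client, qname, qtype="A", cache=frozenset(), policy=LIMITED_POLICY):
    """What the server does with one request, following the slides:
    own data is answered per allow-query; AXFR per allow-transfer; other names
    are answered from the cache if present (the BIND 9 behaviour on the slide),
    otherwise recursion happens only per allow-recursion; all else is REFUSED."""
    qname = qname.lower().rstrip(".") + "."
    if qtype == "AXFR":
        if is_authoritative(qname) and acl_match(policy["allow-transfer"], client):
            return "TRANSFER"
        return "REFUSED"
    if not acl_match(policy["allow-query"], client):
        return "REFUSED"
    if is_authoritative(qname):
        return "ANSWER-AUTHORITATIVE"
    if qname in cache:
        return "ANSWER-FROM-CACHE"
    if acl_match(policy["allow-recursion"], client):
        return "RECURSE"
    return "REFUSED"

if __name__ == "__main__":
    outsider, insider = "203.0.113.9", "192.0.2.10"
    for pol_name, pol in (("limited", LIMITED_POLICY), ("open", OPEN_POLICY)):
        print(pol_name,
              decide(outsider, "www.example.com", policy=pol),
              decide(outsider, "xyz.edu.tw", "AXFR", policy=pol),
              decide(insider, "www.example.com", policy=pol))
```

Under the limited policy an outside client still gets authoritative answers for xyz.edu.tw, but a recursive lookup of a foreign name or a zone transfer is refused; under the open policy both succeed, which is exactly the exposure the security planning slides tell you to remove.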
Special Symbols in the DNS database
- @, the current origin
- "*", wildcard (only for some record types)
- ".", the root domain and the label separator
- ";", comment lines
- "( )", grouping data that spans lines -> only works for the SOA RR (at present)
- "\X", escape character; "\DDD", octal character code, e.g. "\345"

What are the valid characters in a hostname?
Hostnames can contain letters, numbers and hyphens, and may not start with a hyphen. The underscore (_) is not a valid character in a hostname. Although some DNS server software packages allow underscores within published host names, most do not; using a domain or host name with an underscore will cause most name servers on the Internet to stop recognizing the related host/IP address.

BIND (Berkeley Internet Name Domain)
- Standalone daemon (named) on UDP/TCP port 53
  - UDP query/response (< 512 bytes): over 99% of DNS traffic
  - TCP: responses larger than 512 bytes, plus zone transfers
- DNS message format: question and answer sections; authority section; additional section

DIG output

    ns1% dig cis.nctu.edu.tw ns
    ; <<>> DiG 2.2 <<>> cis.nctu.edu.tw ns
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
    ;; flags: qr rd ra; Ques: 1, Ans: 2, Auth: 0, Addit: 2
    ;; QUESTIONS:
    ;;      cis.nctu.edu.tw, type = NS, class = IN
    ;; ANSWERS:
    cis.nctu.edu.tw         NS      cisserv.cis.nctu.edu.tw.
    cis.nctu.edu.tw         NS      cissol1.cis.nctu.edu.tw.
    ;; ADDITIONAL RECORDS:
    cisserv.cis.nctu.edu.tw A
    cissol1.cis.nctu.edu.tw A
    ;; Total query time: 8 msec
    ;; FROM: ns1 to SERVER: default
    ;; WHEN: Wed Sep 17 11:44:
    ;; MSG SIZE  sent: 33  rcvd: 109

BIND 8 Highlights (from the BIND 8 documentation)
- DNS Dynamic Updates (RFC 2136)
- DNS Change Notification (RFC 1996)
- Completely new configuration syntax
- Flexible, categorized logging system
- IP-address-based access control for queries, zone transfers and updates, which may be specified zone by zone
- More efficient zone transfers
- Improved performance for servers with thousands of zones
- The server no longer forks for outbound zone transfers
- Many bug fixes

BIND 8 configuration file
A BIND 8 configuration consists of statements and comments. Statements end with a semicolon. Many statements contain a block of sub-statements, which are also terminated with a semicolon. The BIND 8 comment syntax allows comments to appear anywhere that white space may appear in the configuration file. To appeal to programmers of all kinds, comments can be written in C style (/* ... */), C++ style (// ...) or shell/perl style (# ...).
BIND 8 statements (1)
The following statements are supported:
- acl: defines a named IP address matching list, for access control and other uses
- include: includes a file
- key: specifies key information for use in authentication and authorization
- logging: specifies what the server logs, and where the log messages are sent

BIND 8 statements (2)
- options: controls global server configuration options and sets defaults for other statements
- controls: declares control channels to be used by the ndc utility
- server: sets certain configuration options on a per-server basis
- trusted-keys: defines DNSSEC keys that are pre-configured into the server and implicitly trusted
- zone: defines a zone
The logging and options statements may only occur once per configuration.

What is BIND 9?
- A complete rewrite of the name server, library and tools
- Includes support for the newer DNS protocol extensions and record types ("it's in there")
- RFC 1035 conformance, for the first time in BIND's 17-year history

Design Goals of BIND v9
- EDNS0 support (EDNS1 not supported)
- DNSSEC support (SSU; RFC 2137 not supported)
- BIND 8 compatibility
- Thread safety
- Increased conformance with the relevant RFCs
- Full IPv6 support
- Very large zones
- Multiple databases
- Multi-processor / multi-threaded
- Secure / auditable / maintainable
- 8-bit clean

Some of the important features of BIND 9
- DNS security: DNSSEC (signed zones); TSIG (signed DNS requests)
- IP version 6: answers DNS queries on IPv6 sockets; IPv6 resource records (A6, DNAME, etc.); bit-string labels; experimental IPv6 resolver library
- DNS protocol enhancements: IXFR, DDNS, Notify, EDNS0; improved standards conformance
- Views: one server process can provide multiple "views" of the DNS namespace, e.g. an "inside" view to certain clients and an "outside" view to others
- Multiprocessor support
- Improved portability architecture

To build BIND v9
To build, just run:

    ./configure
    make

To see additional configure options, run "configure --help". OpenSSL has been removed from the distribution; this means that to use DNSSEC, OpenSSL must be installed and the --with-openssl option must be supplied to configure. This does not apply to TSIG, which does not require OpenSSL.

/etc/rndc.conf (sample)

    key rndc_key {
        algorithm "hmac-md5";
        secret "4b3PAx1d8IlJeIuyLe/T6A==";
    };
    options {
        default-server ;
        default-key rndc_key;
    };
Implicit search problem (RFC 1535) - mbox@xyz.edu.cn
- Not RFC 1535 compliant (before v4.9.3): <= some local department
- RFC 1535 compliant
- More examples: vs
- A very bad example: tw.com.tw

DNS Resource Records (1) - Common Resource Records
- A - Address
- A6 - IPv6 address
- CNAME - Canonical Name
- HINFO - Host Information
- MX - Mail Exchanger
- NS - Name Server
- PTR - Pointer
- SOA - Start Of Authority
- WKS - Well-Known Service
- TXT - Text
- AAAA - IPv6 address (superseded by A6)
- KEY - Public key
- KX - Key Exchanger
- LOC - Location
- RP - Responsible Person
- SIG - Cryptographic signature
- SRV - Server

DNS Resource Records (2) - Other Resource Records
- AFSDB - AFS Data Base location
- GPOS - Geographical position
- ISDN - ISDN
- NSAP - Network service access point address
- NXT - Next
- PX - Pointer to X.400/RFC 822
- RT - Route Through
- X25 - X25

The meaning of SOA
- The meaning of SOA
- A typical example
- Related issues: dynamic update; Win2K update; defaults

SOA (Start Of Authority) RR
The syntax and meaning of a typical SOA RR (BIND v9):

    $TTL 3d                                   ; default Time-To-Live = 3 days
    ;
    @   IN  SOA  dns.NCTU.edu.tw. hostmaster.NCTU.edu.tw. (
                                              ; Serial number
                 6H                           ; Refresh - 6 hours
                 30M                          ; Retry - 30 minutes
                 1w                           ; Expire - 7 days
                 1h )                         ; Negative Caching TTL
        IN  NS   ns.NCTU.edu.tw.
        IN  NS   ns2.NCTU.edu.tw.
        IN  NS   ns3.NCTU.edu.tw.

Related issues: dynamic update; Win2K update; defaults
Special cases with mixed DNS concepts

    $ORIGIN XYZ.edu.tw.
    XYZ.edu.tw.     IN NS    ns.XYZ.edu.tw.     ; domain zone   ==> dig @ns.XYZ.edu.tw
    ;XYZ.edu.tw.    IN NS    XYZ.edu.tw.
    XYZ.edu.tw      IN A                        ; domain name   ==> telnet XYZ.edu.tw
    XYZ.edu.tw.     IN MX 0  d2.XYZ.edu.tw.     ; mail exchange ==>

Selection (network) of DNS servers
Master/slave servers had better be located on different networks.

    ;
    $ORIGIN XYZ.edu.tw.
    @       IN NS   ns.XYZ.edu.tw.
            IN NS   mDNS.XYZ.edu.tw.
            IN NS   ns2.XYZ.edu.tw.
    ;
    ns      IN A
    mDNS    IN A
    ;
    ns2     IN A

Forward Domain Zone Delegation

    ;; There should be the same group of NS RRs on both the domain zone
    ;; files of "XYZ.edu.tw" (upper) and "CSIE.XYZ.edu.tw" (lower)
    ;
    $ORIGIN CSIE.XYZ.edu.tw.
    @                 IN NS   csie.XYZ.edu.tw.   ; FQDN
                      IN NS   operator
                      IN NS   ccsun7             ; hostname
    ;; Glue records
    ;; multi-homed DNS server
    csie.XYZ.edu.tw.  IN A
                      IN A
    operator          IN A
    ccsun7            IN A

Reverse domain zone delegation

    ; There should be the same group of NS RRs on both domain zones
    ; " in-addr.arpa." and " in-addr.arpa"
    ;==========< file for the upper zone >==========
    $ORIGIN in-addr.arpa.                   ; upper zone
            IN NS   cisserv.CIS.XYZ.edu.tw.
            IN NS   cissol1.CIS.XYZ.edu.tw.
    ; No need for glue records,
    ; because the NS entries have been defined somewhere else.
    ;==========< file for the lower zone >==========
    $ORIGIN in-addr.arpa.                   ; lower zone
    @       IN NS   cisserv.cis.XYZ.edu.tw.
            IN NS   cissol1.cis.XYZ.edu.tw.

NS RR - Negative Examples (1)

    ; case 1 -> improperly assigned slave server (illegal delegation)
    ;
    $ORIGIN XYZ.edu.tw.
    err1    IN NS   ns-OK.XYZ.edu.tw.
            IN NS   No-named-Host.XYZ.edu.tw.   ; lame
            IN NS   moevax.edu.tw               ; illegal delegation
    ; case 2 -> NS -> CNAME, intermittent error
    ;
    $ORIGIN in-addr.arpa.
    err2    IN NS   alias-ns.XYZ.edu.tw.        ; intermittent error
            IN NS   ns-OK.XYZ.edu.tw.
    ; case 3 -> NS -> A (an address), illegal delegation
    ;
    err3    IN NS                               ; should be an FQDN/hostname

NS RR - Negative Examples (2)

    ; case 4 -> NS RR -> non-existent FQDN/hostname (e.g. a typo)
    ;
    $ORIGIN in-addr.arpa.
    err4    IN NS   Non-existent.XYZ.edu.tw.
            IN NS   ns-OK.xyz.edu.tw.
    ; case 5 -> an NS RR delegated in the upper zone
    ; is not authoritative in the lower zone
    ;
    $ORIGIN XYZ.edu.tw.
    err5    IN NS   ns-OK.XYZ.edu.tw.
            IN NS   No-Good-ns.XYZ.edu.tw.
    ;============================
    $ORIGIN err5.XYZ.edu.tw.
    @       IN NS   ns-OK.xyz.edu.tw.
            IN NS   ns2-OK.xyz.edu.tw.
    ; It's OK (no corresponding NS RR delegation in
    ; the upper zone => for use inside a firewall, ...)

Address (A) RR

    ; A single IP address, but with several different FQDNs
    $ORIGIN XYZ.edu.tw.
    @       IN A                ; XYZ.edu.tw.
    ns1     IN A                ; ns1.XYZ.edu.tw.
    ;
    ;
    ; Multi-homed: one FQDN with several corresponding IP addresses
    $ORIGIN CS.XYZ.edu.tw.
    @       IN A                ; multi-homed
            IN A

A RR - Negative example

    ; zone file "XYZ.edu.tw" (upper zone)
    ;
    $ORIGIN XYZ.edu.tw.
    ;
    CIS             IN NS   CisServ.CIS.XYZ.edu.tw.
                    IN NS   CisSol1.CIS.XYZ.edu.tw.
    CisServ.CIS     IN A                ; glue record
    CisSol1.CIS     IN A
    err-A.CIS       IN A                ; illegal setting
    ; zone file "CIS.XYZ.edu.tw" (lower zone)
    $ORIGIN CIS.XYZ.edu.tw.
    CIS-gw          IN A                ; OK

A RR - semantic (error) problem

    $ORIGIN XYZ.edu.tw.
    @       IN NS   XYZ.edu.tw
    ;       IN A                ; = XYZ.edu.tw, OK
    ;
            IN NS   ns2.XYZ.edu.tw.
            IN A                ; = XYZ.edu.tw, invalid
    ; Semantic problem: XYZ.edu.tw ->
    ; It might induce some mail routing problem(s).
            IN NS   ns.XYZ.edu.tw.
    ns      IN A

MX (Mail eXchange) RR

    ;;
    ;; for both normal mail exchange and mail relay
    ;; --> DNS & Sendmail
    ;;
    $ORIGIN CC.XYZ.edu.tw.
    ; mail exchange
    @       IN MX      CC.XYZ.edu.tw.   ; FQDN
            IN MX 0    ccserv           ; hostname
    ; mail relay
            IN MX 20   mx.XYZ.edu.tw.
    ; MX wildcarding; must be used very carefully
    *       IN MX 0    cc.XYZ.edu.tw.   ; discouraged

Typical Usage of CNAME RR

    ; zone file 1
    $ORIGIN NCTU.edu.tw.
    ;
    netnews IN CNAME  ccreader.NCTU.edu.tw.   ; fqdn
    ; zone file 2
    $ORIGIN EDU.tw.
    ftp     IN CNAME  nctuccca                ; hostname
    ; zone file 3
    $ORIGIN TWNIC.net.
    archie  IN CNAME  nctuccca.edu.tw.

Common errors using CNAME RR

    $ORIGIN XYZ.edu.tw.
    ; case 1 -> CNAME looping
    cname-chain  IN CNAME  cname-chain.XYZ.edu.tw.
    ; case 2 -> NS -> CNAME chaining
    err-ns       IN CNAME  ns-OK.XYZ.edu.tw.     ; FQDN
    err6         IN NS     err-ns.XYZ.edu.tw.    ; alias
    ; case 3 -> MX -> CNAME chaining
    err-mx       IN CNAME  mx-host.XYZ.edu.tw.
    err3-cname   IN MX 10  err-mx.XYZ.edu.tw.
    ; case 4 -> CNAME -> CNAME chaining
    alias1       IN CNAME  host1.XYZ.edu.tw.     ; FQDN
    alias2       IN CNAME  alias1.XYZ.edu.tw.    ; alias
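The NS, A and CNAME negative examples above, the hostname character rule, and the SOA negative-caching field can all be checked mechanically before a zone is loaded. The Python checker below is an added example, not code from the tutorial or from BIND: it parses a zone file using the special symbols listed earlier ($ORIGIN, $TTL, @, ';' comments, '( )' grouping, BIND time units), then reports NS records that point at an address, at a CNAME or at a name with no A record, MX records pointing at a CNAME, CNAME chains and loops, and underscores in hostnames, and computes the negative-cache TTL from the SOA. The zone text is constructed for the example; XYZ.edu.tw is the tutorial's placeholder domain, and the serial number and addresses are made up.

```python
# Added example, not the tutorial's own code: a zone-file checker for the NS, A
# and CNAME mistakes on the preceding slides, plus the negative-cache TTL.
# The zone text is constructed; XYZ.edu.tw is the tutorial's placeholder domain.
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")  # letters, digits, hyphen; no leading hyphen
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
hostname_ok = lambda name: all(LABEL.match(lbl) for lbl in name.rstrip(".").split("."))

def ttl_seconds(token):
    """'6H' -> 21600, '1w' -> 604800, '3600' -> 3600."""
    return sum(int(n) * UNITS.get(u.lower(), 1)
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", token))

def logical_lines(text):
    """Yield (owner_omitted, tokens) with comments stripped and '( )' groups joined."""
    buf, depth, omitted = [], 0, False
    for line in text.splitlines():
        line = re.sub(r";.*", "", line)
        if not buf:
            omitted = line[:1] in (" ", "\t")
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            toks = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []
            if toks:
                yield omitted, toks

def parse_zone(text, origin):
    """Records as dicts: owner, ttl, type, rdata, target (absolute name or None)."""
    records, default_ttl, owner = [], None, origin
    def absolute(name):
        return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
    for omitted, toks in logical_lines(text):
        if toks[0].upper() == "$ORIGIN":
            origin = absolute(toks[1]); continue
        if toks[0].upper() == "$TTL":
            default_ttl = ttl_seconds(toks[1]); continue
        if not omitted:
            owner = absolute(toks.pop(0))
        ttl = default_ttl
        if re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0]):  # optional explicit TTL
            ttl = ttl_seconds(toks.pop(0))
        if toks[0].upper() == "IN":                       # optional class
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        target = absolute(rdata[-1]) if rtype in ("NS", "CNAME", "MX", "PTR") and not IPV4.match(rdata[-1]) else None
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata, "target": target})
    return records

def lint(records, origin):
    """Sorted (code, name) findings; the codes follow the slides' error cases."""
    out = set()
    a_owners = {r["owner"] for r in records if r["type"] == "A"}
    cnames = {r["owner"]: r["target"] for r in records if r["type"] == "CNAME"}
    for r in records:
        if r["type"] == "A" and not hostname_ok(r["owner"]):
            out.add(("bad-hostname", r["owner"]))
        if r["type"] == "NS":
            if r["target"] is None:                      # NS case 3: an address, not a name
                out.add(("ns-is-address", r["rdata"][-1]))
            elif r["target"] in cnames:                  # NS case 2 / CNAME case 2
                out.add(("ns-to-cname", r["target"]))
            elif r["target"].endswith(origin) and r["target"] not in a_owners:
                out.add(("ns-no-address", r["target"]))  # NS cases 1 and 4: lame / non-existent
        if r["type"] == "MX" and r["target"] in cnames:  # CNAME case 3
            out.add(("mx-to-cname", r["target"]))
    for owner, target in cnames.items():                  # CNAME cases 1 and 4
        cur, hops = target, 1
        while cur in cnames and cur != owner and hops <= len(cnames):
            cur, hops = cnames[cur], hops + 1
        if cur == owner:
            out.add(("cname-loop", owner))
        elif hops > 1:
            out.add(("cname-chain", owner))
    return sorted(out)

def negative_cache_ttl(records):
    """RFC 2308: the smaller of the SOA minimum field and the SOA record's own TTL."""
    soa = next(r for r in records if r["type"] == "SOA")
    minimum = ttl_seconds(soa["rdata"][6])  # mname rname serial refresh retry expire minimum
    return minimum if soa["ttl"] is None else min(minimum, soa["ttl"])

ZONE_TEXT = """\
$ORIGIN XYZ.edu.tw.
$TTL 3d
@        IN SOA ns.XYZ.edu.tw. hostmaster.XYZ.edu.tw. ( 2002090101  ; serial (constructed)
             6H 30M 1w 20M )     ; refresh retry expire minimum
         IN NS  ns
         IN NS  bad_ns           ; underscore in a hostname
         IN NS  192.0.2.1        ; address where a name is required
         IN NS  alias-ns         ; NS -> CNAME
         IN NS  missing          ; no A record in the zone
ns       IN A   192.0.2.1
bad_ns   IN A   192.0.2.4
alias-ns IN CNAME ns
err-mx   IN CNAME ns
@        IN MX  10 err-mx        ; MX -> CNAME
alias1   IN CNAME ns
alias2   IN CNAME alias1         ; CNAME -> CNAME chain
loop     IN CNAME loop           ; CNAME loop
"""

def check_sample():
    records = parse_zone(ZONE_TEXT, "XYZ.edu.tw.")
    return lint(records, "XYZ.edu.tw."), negative_cache_ttl(records)
```

Running check_sample() yields one finding per error case on the slides and a negative-cache TTL of 1200 seconds, the 20-minute value the cache slide recommends; the SOA's own TTL (3 days from $TTL) is larger, so the minimum field wins. NS targets outside the zone are not checked for an A record, since glue for them lives elsewhere.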
Pointer (PTR) Record

    ; zone file " in-addr.arpa"
    $ORIGIN in-addr.arpa.
            IN NS   ns.XYZ.edu.tw.
            IN NS   ns2.XYZ.edu.tw.
    [deleted]
    ;
            IN PTR  CSIE-gw.XYZ.edu.tw.
    ;
    ; zone file " in-addr.arpa"
    $ORIGIN in-addr.arpa.
    @       IN NS   ns.XYZ.edu.tw.
    [deleted]
    1       IN PTR  XYZ.edu.tw.
    110     IN PTR  moesun.XYZ.edu.tw.

Resolver-related configuration - /etc/resolv.conf

    ; the domain and search directives are mutually exclusive
    ;
    search      XYZ.XYZ.edu.tw XYZ.edu.tw CIS.XYZ.edu.tw
    ; domain    XYZ.edu.tw
    ; list at most 3 nameservers
    nameserver
    nameserver
    nameserver

Issues with Chinese domain names (1)
- Domain delegation and registration: registration rights at the DNS root servers
- Matching forward and reverse domains: forward and reverse zones
- Limits of RFC 1035 (8-bit clean?): ASCII is case-insensitive; internal-code (colliding-code) problems: Big5 encodes a character in two bytes, and the second byte can fall in the ASCII range, which causes confusion; GB, JIS and others have similar problems.

Issues with Chinese domain names (2)
- DNS resolver (client side) problems: DNS caching; ASCII encoding and case-insensitivity; internal-code and colliding-code problems
- References: BIND; the TWNIC domain-name technology and promotion section; Microsoft RealName system; UTF-8 (Windows 2000)

Part 3 - DNS tool programs
- Network connection debugging programs: ping, etc.
- DNS debugging tools
- Network traffic monitoring: online monitoring systems; offline traffic statistics analysis programs
- Misc.: intelligent/integrated DNS management system (under development)

DNS Debugging Tools
- Unix command-line tools: nslookup (built in by default on most systems); dig; dnswalk, doc (Perl scripts)
- Configuration checkers
- Diagnostic tools on the web
- Misc. utility programs: $BIND-src/contrib/*
Examples of DNS Query & Response (1)

    % dig vnnic.net ns
    ; <<>> DiG <<>> vnnic.net ns
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16003
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;vnnic.net                      IN      NS
    ;; ANSWER SECTION:
    vnnic.net               IN      NS      DNS3.VNNIC.NET.VN.
    vnnic.net               IN      NS      DNS-HCM01.VNNIC.NET.VN.
    vnnic.net               IN      NS      DNS2.VNNIC.NET.VN.
    ;; Query time: 412 msec
    ;; SERVER: #53( )
    ;; WHEN: Sun Sep  1 13:10:
    ;; MSG SIZE  rcvd: 101

Examples of DNS Query & Response (2)

    % NCTU.edu.tw soa
    ; <<>> DiG NCTU.edu.tw soa
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13399
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
    ;; QUESTION SECTION:
    ;NCTU.edu.tw                    IN      SOA
    ;; ANSWER SECTION:
    NCTU.edu.tw             IN      SOA     dns.NCTU.edu.tw. hostmaster.NCTU.edu.tw
    ;; AUTHORITY SECTION:
    NCTU.edu.tw             IN      NS      ns.NCTU.edu.tw.
    NCTU.edu.tw             IN      NS      ns2.NCTU.edu.tw.
    NCTU.edu.tw             IN      NS      ns3.NCTU.edu.tw.
    ;; ADDITIONAL SECTION:
    ns.NCTU.edu.tw          IN      A
    ns2.NCTU.edu.tw         IN      A
    ns3.NCTU.edu.tw         IN      A
    ;; Query time: 1 msec
    ;; [deleted]

Online DNS monitoring and related statistics
- Online real-time DNS monitoring systems: ipf (firewall, for accounting) + MRTG (for graphing)
- Distribution of incoming DNS queries: from the internal network; from the external network
- DNS protocol distribution: UDP vs. TCP packets

Top-like online traffic monitoring - ipfstat -t (IP Filter)
(Screen capture of the IP Filter state top, sorted by number of bytes, with the columns Source IP, Destination IP, ST, PR, #pkts and #bytes; the listed state entries are almost all udp, with a few tcp sessions)

Inbound DNS Traffic Protocol Analysis - UDP vs. Total (DNS packets)
- Under normal conditions, DNS UDP traffic accounts for more than 99% of the total DNS traffic of the specified server
- 'Daily' graph (5-minute average) on a typical day (MRTG): Max, Average and Current UDP and Total packets per minute; UDP share of the total: Max 100.0%, Average 99.0%, Current 99.0%

Firewall Inbound Traffic Analysis - Passed (DNS) vs. Total (DNS + WINS packets)
- 'Daily' graph (5-minute average). Note: anomalous traffic was recorded during the 18:00 to 20:00 interval on the previous day.
- 'Weekly' graph (30-minute average)

Top-N entries of the daily DNS traffic distribution, by source IP (table)

Sample output of Aguri (a Japanese project), a real-time online traffic aggregator

    %!AGURI-1.0
    %%StartTime: Wed Jun 27 19:23:   (2001/06/27 19:23:40)
    %%EndTime:   Wed Jun 27 19:25:   (2001/06/27 19:25:03)
    %AvgRate: Kbps
    [src address] (100.00%)
    (aggregated source-address prefixes with their traffic shares, e.g. (47.35%), (17.16%), (5.29%), ...)
    %LRU hits: 93.50% (23369/24994)

Planning DNS Administration (diagram): DNS registration; DNS tutoring; complete and correct configuration of the DNS server; DNS debugging; DNS monitoring and anomaly detection

A snapshot of sample output of the iDNS-PMS, under development (screen capture)
93
NCTU/TWNIC DNS Tutorial
Part 4 – DNS 常見問題 Single point of failure Lame delegated Server Delegated but not authoritative DNS 系統安全問題 舊版程式漏洞 系統被入侵 (e.g. 未使用 secure shell 連線, etc.) 遭受 DoS, DDoS 攻擊等 DNS spoofing 未建立 reverse DNS mapping 不利於 SPAM mail 防治 NCTU/TWNIC DNS Tutorial
94
NCTU/TWNIC DNS Tutorial
Simple Classification of Typical DNS Problems Problem Category Examples Configuration errors Lame Server, illegal characters in hostname, etc. Inappropriate planning and management (e.g., Improper defaults, etc.) Inappropriate DNS dynamic update , WINS-to-DNS forwarding, etc. Inappropriate software implementation (e.g. not immune to cache poisoning, etc.) DNS-spoofing, server root vulnerability exploited, etc. Attacks to the DNS systems DDoS, forwarding attacks, etc. NCTU/TWNIC DNS Tutorial
95
NCTU/TWNIC DNS Tutorial
國內DNS server 規劃及建置問題 沒有避免 SPOF 的觀念 國內第三層以下 domain zone 常見的問題 多未建立 slave/secondary DNS server Lame Server 問題 錯誤的 secondary caching 觀念 Edu.tw, com.tw, etc. 反解網域的註冊與管理 比以往有進步, 但觀念普及仍不夠 相關領域: SPAM mail 的反制, www proxy 的管理 相關中文文件太少 NCTU/TWNIC DNS Tutorial
96
NCTU/TWNIC DNS Tutorial
Issues/Problems concerning DNS authority NCTU/TWNIC DNS Tutorial
97
NCTU/TWNIC DNS Tutorial
DNS Spoofing What is DNS spoofing ? DNS spoofing is simply tricking the DNS system into believing your domain name is something other than it really is The Types DNS caching by additional unrelated data DNS caching by related data DNS query id prediction BIND passes through harmful information for the AP to cache NCTU/TWNIC DNS Tutorial
A simple taxonomy of abnormal DNS activities
Bogus DNS queries
DNS spoofing, IP spoofing
Network attack: Denial of Service (DoS, DDoS); OS bug (ping, ...); BIND bug (tsig, ...)
Virus
Intrusion/information theft: domain zone scanning, zone transfer
DNS & SPAM mail distribution
SPAM Mail & DNS
SPAM mail <=> UCE/UBE (UCE = Unsolicited Commercial E-mail, UBE = Unsolicited Bulk E-mail)
UCE/UBE distribution mechanism:
Name list collection: www homepage scanning; USENET news articles; account/password files on individual servers; others (program bugs, calls for members, ...)
Locating open mail relays: domain zone scanning (DNS); URL scanning (web pages)
DNS entries must match in both directions (forward and reverse) - Anti-SPAM mail checking
Domain name verification flow:
Reverse query: IP addr. A -> domain name B
Forward query: domain name B -> IP addr. C
IP addr. C (which may be a group of addresses) must contain or equal A for the DNS check to pass.
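The verification flow above, as an added example (not the tutorial's own code): a forward-confirmed reverse DNS check whose PTR and A lookups are stubbed by constructed tables on RFC 5737 test addresses, so it runs offline.

```python
"""Forward-confirmed reverse DNS check as used for anti-spam mail filtering:
reverse query IP A -> name B, forward query B -> address set C, pass only if
A is contained in C.  Added example, not the tutorial's code; the PTR/A
tables below are constructed from RFC 5737 test addresses."""
import ipaddress

# Constructed records standing in for the live reverse and forward zones.
PTR_RECORDS = {
    "192.0.2.25": ["mail.example.net."],
    "198.51.100.7": ["relay.example.org."],   # forward record disagrees
    "203.0.113.9": ["ghost.example.com."],    # name has no A record at all
    "192.0.2.40": ["mx1.example.net.", "mx2.example.net."],  # several PTRs
}
A_RECORDS = {
    "mail.example.net.": ["192.0.2.25"],
    "relay.example.org.": ["198.51.100.8", "198.51.100.9"],
    "mx1.example.net.": ["192.0.2.41"],
    "mx2.example.net.": ["192.0.2.40", "192.0.2.42"],  # C is a group here
}


def reverse_owner(ip):
    """in-addr.arpa (or ip6.arpa) owner name that the PTR query asks for."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns_check(ip, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return (passed, detail).  Step 1: reverse query A -> B.
    Step 2: forward query B -> C.  Pass iff A is in C for some B."""
    owner = reverse_owner(ip)
    names = ptr_records.get(ip, [])
    if not names:                      # no reverse mapping at all
        return False, "no PTR for " + owner
    for name in names:
        addrs = set(a_records.get(name, []))
        if ip in addrs:                # C contains (or equals) A
            return True, "%s -> %s -> %s" % (owner, name, sorted(addrs))
    return False, "PTR name(s) %s do not resolve back to %s" % (names, ip)


def main():
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9",
               "192.0.2.40", "192.0.2.99"):
        passed, detail = fcrdns_check(ip)
        print("PASS" if passed else "FAIL", ip, detail)


if __name__ == "__main__":
    main()
```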
Typical Bogus DNS Queries
rfc1918: queries from hosts in RFC 1918 private address space (src = private IP; a routing issue)
rfc1918?: queries for the hostname of an RFC 1918 address (q => private IP; a DNS issue)
A+IP: queries with an IP address as the target instead of a hostname (MS bug or virus-infected host)
TLD: queries for a record in an invalid top level domain
windows: queries about Microsoft document system names (.msdcs.)
top10: src/query pairs in the trace, repeated query bugs
>1/min: queries repeated more than once a minute
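Detection logic for the categories above, as an added example (not from the tutorial): a classifier run over constructed tcpdump-style query lines; the local TLD allow-list, the RFC 5737 addresses and the log lines are all constructed for the demo.

```python
"""Classify DNS query log lines into the bogus-query categories rfc1918,
rfc1918?, A+IP, TLD, windows and >1/min.  Added example, not the
tutorial's code; sample lines, addresses and the TLD list are constructed."""
import ipaddress
import re
from collections import Counter

# hh:mm:ss src.port > dst.port: QTYPE? qname (len)  -- tcpdump DNS format
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\S* (\S+)\.\d+ > \S+: (\w+)\? (\S+)")
VALID_TLDS = {"tw", "com", "net", "org", "edu", "arpa"}    # constructed subset
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE = """\
16:26:01 10.1.2.3.1034 > 192.0.2.53.53: A? 198.51.100.20. (32)
16:26:02 198.51.100.77.1035 > 192.0.2.53.53: PTR? 5.0.168.192.in-addr.arpa. (45)
16:26:03 198.51.100.77.1036 > 192.0.2.53.53: A? printer.localdomain. (37)
16:26:04 198.51.100.78.1037 > 192.0.2.53.53: SRV? _ldap._tcp.dc._msdcs.xyz.edu.tw. (60)
16:26:05 198.51.100.78.1038 > 192.0.2.53.53: SRV? _ldap._tcp.dc._msdcs.xyz.edu.tw. (60)
16:26:06 198.51.100.79.1040 > 192.0.2.53.53: A? www.nctu.edu.tw. (33)
16:27:30 198.51.100.78.1039 > 192.0.2.53.53: SRV? _ldap._tcp.dc._msdcs.xyz.edu.tw. (60)
""".splitlines()


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE)


def ptr_target(qname):
    """IPv4 address asked about by an in-addr.arpa PTR name, else None."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def classify(line, seen, window=60):
    """Return the set of categories for one line.  `seen` maps
    (src, qname) -> last timestamp in seconds for the >1/min test."""
    m = LINE_RE.match(line)
    if not m:
        return set()
    h, mi, s, src, _qtype, qname = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s)
    cats = set()
    if is_rfc1918(src):                       # private source address
        cats.add("rfc1918")
    target = ptr_target(qname)
    if target and is_rfc1918(target):         # reverse lookup of private IP
        cats.add("rfc1918?")
    try:
        ipaddress.ip_address(qname.rstrip("."))
        cats.add("A+IP")                      # IP literal used as a name
    except ValueError:
        if qname.rstrip(".").split(".")[-1].lower() not in VALID_TLDS:
            cats.add("TLD")                   # bogus top level domain
    if "_msdcs." in qname.lower():
        cats.add("windows")                   # Active Directory SRV lookups
    key = (src, qname)
    if key in seen and t - seen[key] < window:
        cats.add(">1/min")                    # same query again within 60 s
    seen[key] = t
    return cats


def summarize(lines):
    """Count how many lines fall into each category."""
    seen, counts = {}, Counter()
    for line in lines:
        counts.update(classify(line, seen))
    return counts
```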
Common Type of DoS Attacks to DNS Servers
Network layer DoS attacks: Ping-of-death (Smurf, ...), UDP, ICMP
Application layer DNS anomaly or DoS attacks (UDP/TCP): configuration error or attack? NAT proxy + split DNS scheme; dynamic update (DHCP, Windows 2000, ...); lame server; DNS forwarding storm; SPAM attacks; ...
DNS Forwarding Storm
DNS forwarder: if enabled, forwards unknown queries (those not in its positive cache) to the DNS server for resolution; sensitive to no-caching attacks (e.g. ServFail, etc.)
NetBIOS proxy to DNS server: forwarding of improperly assigned names; mixed WINS group queries and DNS queries. Suggestion: disable port 137 on the DNS server unless WINS over TCP is deployed on your site.
Hybrid: a tight integration of the above two mechanisms
Part 5 – Advanced DNS System Planning
Important DNS issues: availability, performance, security
Important DNS metrics
DNS planning & management
DNS Planning and Management issues (1)
Availability: routing – multiple incoming and outgoing paths; distributed system – multiple servers distributed on different network segments (or even on different ISPs)
Performance: multiple server farms; separation of incoming and outgoing traffic; caching-only servers; selective forwarding
DNS Planning and Management issues (2)
Security: internal & external servers (access control); hiding the master server of a zone; avoiding selection of "hot" IP addresses (.1 or .254)
Split domain zones: different DNS space views, internal view vs. external view
Inter-operability: BIND vs. Microsoft DNS; BIND v4, v8 & v9; multi-lingual DNS
Important/Typical Metrics
Observed facts: Currently there are 13 root DNS servers in total. 6 root servers in total for ".tw". Over 99% of DNS traffic is UDP.
Survey data: Over 70% of ".COM" zones have some DNS configuration problems (Men & Mice). DNS monthly traffic aggregation occupies about 5.7% of the total volume (e.g. bytes) transferred between TANet and the Internet in November 2001. Useless WINS (to DNS) traffic occupies up to 40-60% on a typical DNS site on our campus (NCTU, Taiwan).
Monthly Traffic (e.g. volume aggregation) Distribution
on TANet, November 2001 (chart)
DNS & Traffic Analysis
Network traffic analysis and tracing: understand normal DNS and SMTP traffic (netflow), e.g. DNS (5-10%), SMTP (8-12%) (MOECC newsletter)
Possible causes of traffic anomalies: system not operating normally (possibly a hardware failure); incorrect configuration (misunderstanding or negligence); system compromised and used as a stepping stone to attack other sites; system abused in disguise, e.g. running non-DNS programs on the tcp port; others
DNS Planning & Management
DNS planning & management issues: selection of platform (OS, DNS programs); hardware requirements; DNS software; network (environment); zone file parameters; DNS security
How many slave servers are enough?
At least 2 servers (1 master, 1 slave)
Max: 13 (a DNS packet cannot fit more than 13 DNS servers)
The average number of DNS servers across TLDs: 4.74
How much bandwidth do you need?
.TW DNS: about 20M queries per day, i.e. 231 queries per second (the a.root-servers.net root server handles about 12,000 queries/sec)
Average size of a DNS packet is 150 bytes
Bandwidth = 150*8*231 = 272.2 kbps
TWNIC has 5 servers; only 1 server has a bandwidth limit of 768 kbps, the others are on unlimited networks
Suggestions for DNS planning
DNS is an important part of the software infrastructure
Recommendation: separate incoming and outgoing DNS traffic
Set up dedicated caching-only servers for specific systems: mail/WWW systems; network lab courses
Use DNS forwarding carefully; avoid DNS forwarding loops
Adopt a multi-path DNS query system architecture
Multi-path Inbound DNS Architecture (diagram): Internet; DNS server pool; DNS server reached via ISP1; SMTP server reached via ISP2; SMTP server pools
Multiple outgoing paths and distributed DNS (diagram): Layer-1 and Layer-2; ISP-1 and ISP-2 to the Internet (.com, .arpa); DNS server farm; ordinary client DNS server; caching-only servers for others (SMTP, www, proxy)
Dedicated caching-only server (diagram): Internet; ordinary client DNS server; DNS server; caching-only server for a special computing environment
DNS Software
Keep your servers up-to-date: the latest BIND v or above (version number not preserved), BIND v9.2.1 or above
Use different versions of server programs for the master of a zone and its related slave servers, whenever possible.
Check syslog after restarting or reloading the bind software
Consider using a hidden master server
Automatic transfer of database records to the zone file
Network (environment)
The master and slave servers should be located on different networks or locations whenever possible: different network segment / location / country.
Keep the network environment as simple as possible. A DNS server deserves a network segment of its own, whenever possible.
There should be enough bandwidth for serving DNS queries and responses.
Good physical housing & facilities: power (UPS), air conditioning, ...
Ask an ISP or other site(s) to provide slave server services for your zone if you have no such environment
Zone file parameters
Access control: provide authoritative responses only for the zones they serve (disable recursive lookup). Disable zone transfer requests from any server other than your slave server(s).
TTL: at least 1 day (86400), about 1 – 3 days
Enable notify at the hidden master server. If the zone transfer from the hidden master server to a slave server takes more than 1 hour (e.g. in a different country), use another solution (e.g. ftp) to transfer the zone file.
DNS security
Avoiding DoS/DDoS attacks: deploying hidden master servers
Avoiding Single-Point-of-Failure (SPOF): network – different network segments; server host – at least two different server hosts, different hardware/OS platforms, different versions of DNS server software; zone data files – master/primary, slave/secondary
Network intrusion detection: IDS, or NIDS
Other security issues (1)
Don't run BIND as user root: named -u named
Disable recursive queries on ccTLD servers: named -r, or in named.conf:
options {
    directory "/var/named";
    recursion no;
};
Other security issues (2) - Logging
logging {
    channel my_security_channel {
        file "my_security_file.log" versions 3 size 20m;
        severity info;
    };
    category security { my_security_channel; default_syslog; default_debug; };
};
DNS server configuration suggestion (ordinary DNS server)
Use limited recursive mode whenever possible:
1. Allow queries about local authoritative zone data from all Internet DNS clients/servers (v8, v9)
2. Allow recursion (i.e. recursive queries) about all Internet names/IPs for local users only (v9, allow-recursion)
3. Allow queries about non-authoritative zone data (i.e. cached data) from all Internet DNS clients/servers (v9)
Performance & practical considerations (e.g. user behavior, historical considerations):
4. Allow queries (including recursive ones) about all Internet names/IPs for local users only (v8, allow-query)
"Measure 3" above usually outperforms "Measure 4".
Access Control on DNS server
/etc/named.conf (BIND v8/9)
options {                            // global options
    directory "/home/namedb";
    allow-transfer { none; };        // zone transfer is disabled by default
    allow-query { Trusted-IP1; };    // only the trusted IP is permitted
    // allow-recursion { Trusted-IP2; };   // only for v9
};
[deleted]
// per-zone access control
zone "XYZ.edu.tw" {
    type master;
    file "Zone-XYZ";
    allow-query { any; };            // accept all queries from the Internet
    allow-transfer { Slave-IP1; Slave-IP2; };   // slave/secondary servers (placeholders; the addresses were not preserved)
};
Part 6 – Case Study
Sample scenario - intrusion incident on a DNS server in the Hsinchu-Miaoli regional network (竹苗區網)
TTL set too short (easily affected by things such as DDoS attacks, virus mail, etc.)
Typical bogus A+IP queries
Typical bogus RFC1918 queries
Direct attacks – endless reverse DNS PTR queries
Indirect attacks – DNS forwarding storm
Microsoft Windows 2000 uses a sub-zone called "_msdcs" to hold the Active Directory data.
Intrusion incident on a DNS server in the Hsinchu-Miaoli regional network (竹苗區網) - Sample scenario
Server-A had a security hole and was broken into by an outsider.
The intruder kept using server-A to try to break into foreign sites.
Because the organization had not set up the standard contact mailboxes such as abuse and postmaster, and nobody handled root mail on that machine, the upper-level domain kept receiving complaints and requests for help forwarded from various places abroad.
From the regional network's router statistics, a large amount of abnormal DNS traffic from that school towards foreign regions (Eastern Europe) was discovered.
TTL set too short
dig
; <<>> DiG 9.2.2rc1 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55730
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
; IN A
;; ANSWER SECTION:
 IN A
;; Query time: 132 msec
;; SERVER: #53( )
;; WHEN: Fri Nov 8 14:26:
;; MSG SIZE rcvd: 48
Typical Bogus A+IP Queries
16:26: > : A? (32) (ttl 119, id 9782)
16:26: > : icmp: udp port 53 unreachable (ttl 64, id 13862)
16:26: > : A? (32) (ttl 119, id 10038)
16:26: > : icmp: udp port 53 unreachable (ttl 64, id 13863)
16:26: > : A? NCTU.edu.tw. (44) (ttl 119, id 12086)
16:26: > : icmp: udp port 53 unreachable (ttl 64, id 13871)
16:26: > : A? NCTU.edu.tw. (44) (ttl 119, id 12854)
Typical Bogus RFC1918 Queries - Improper Deployment of the Split DNS Scheme
Jul 17 16:18: info: client #35475: query ' in-addr.arpa/IN' denied
Jul 17 16:24: info: client #33216: query ' in-addr.arpa/IN' denied
Jul 17 16:25: info: client #39503: query ' in-addr.arpa/IN' denied
Jul 17 16:30: info: client #2234: query ' in-addr.arpa/IN' denied
Jul 17 16:35: info: client #2236:
Jul 17 16:35: info: client #2239: query '10.in-addr.arpa/IN' denied
Direct Attacks – Endless Reverse DNS PTR Queries
06:24: > : PTR? in-addr.arpa. (45) (ttl 62, id 15121)
06:24: > : q: in-addr.arpa. 1/2/ in-addr.arpa. PTR rigel.chem.ccu.edu.tw. (130) (ttl 64, id 7121)
06:24: > : PTR? in-addr.arpa. (45) (ttl 62, id 15123)
06:24: > : q: in-addr.arpa. 1/2/ in-addr.arpa. PTR rigel.chem.ccu.edu.tw. (130) (ttl 64, id 7122)
06:24: > : PTR? in-addr.arpa. (45) (ttl 62, id 15126)
06:24: > : q: in-addr.arpa. 1/2/ in-addr.arpa. PTR rigel.chem.ccu.edu.tw. (130) (ttl 64, id 7123)
06:24: > : PTR? in-addr.arpa. (45) (ttl 62, id 15130)
06:24: > : q: in-addr.arpa. 1/2/ in-addr.arpa. PTR rigel.chem.ccu.edu.tw. (130) (ttl 64, id 7124)
[deleted]
Indirect Attacks – DNS Forwarding Storm
19:48: > : SRV? _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mi.xyz.edu.tw. (83) (ttl 60, id 5829)
19:48: > : q: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mi.xyz.edu.tw. 0/3/3 (180) (ttl 64, id 64027)
19:48: > : A? ee.xyz.edu.tw.edu.tw. (38) (ttl 60, id 6003)
19:48: > : q: ee.xyz.edu.tw.edu.tw. 0/4/0 (117) (ttl 64, id 64700)
19:49: > : ANY? newsletter.4freenetwork.com.mi.xyz.edu.tw. (59) (ttl 60, id 6761)
19:49: > : q: newsletter.4freenetwork.com.mi.xyz.edu.tw. 0/3/3 (156) (ttl 64, id 1104)
19:50: > : SOA? peter.mi.xyz.edu.tw. (37) (ttl 60, id 7064)
19:50: > : q: peter.mi.xyz.edu.tw. 0/3/3 (134) (ttl 64, id 1956)
[deleted]
Microsoft Windows 2000 and BIND (1)
Microsoft Windows 2000 uses a sub-zone called "_msdcs" to hold the Active Directory data. While this sub-zone cannot clash with any legal hostname, it also makes it impossible to put hosts within this sub-zone without using an illegal name. The use of such hostnames is rejected by default by BIND. The Active Directory wants to have its "global catalog" server within _msdcs (e.g. gc._msdcs.example.com), which will be rejected by default.
Microsoft Windows 2000 and BIND (2)
To work around this issue we recommend that the Active Directory data be a separate zone (e.g. "_msdcs.example.com") configured not to check for illegal hostnames. This should be reasonable, as the Windows 2000 servers create this data and should not have interoperability problems with other Windows 2000 machines wanting to access it. For example:
zone "_msdcs.example.com" {
    type master;
    file "_msdcs.example.db";
    check-names ignore;
    allow-update { localnets; };
};
Example - Classless in-addr.arpa delegation (1)
How to do IN-ADDR.ARPA delegations on arbitrary boundaries, in a way compatible with existing software, by using CNAME records and new zones (the network octets in this example were not preserved):
; reverse zones
$ORIGIN in-addr.arpa.
;0 IN NS ccsun10.cc.XYZ.edu.tw.
; IN NS ns.XYZ.edu.tw.
 IN CNAME in-addr.CC.XYZ.edu.tw.
 IN CNAME in-addr.CC.XYZ.edu.tw.
;
; forward zones
$ORIGIN cc.XYZ.edu.tw.
cchp IN A
 IN MX 0 ccserv6.cc.XYZ.edu.tw.
in-addr IN PTR cchp14
Appendix
Internet Domain Survey Host Count
Public Information Resources on the Internet Domain Name System
A brief history of BIND
Which version of BIND am I using?
DNS monitoring and the related statistics
Where to find more
Public Information Resources on the Internet Domain Name System
Generic Top Level Domain Registries
ISO 3166 Country Code Top Level Domain Related Resources
Dispute Resolution Resources
Domain Names and Trademarks
Domain Name Value-Added Services
Domain Name Surveys and Statistics
A Brief History of the DNS and BIND (1) - from the BIND operations guide
“official" beginning of the Domain Name System occurred in 1984 (RFC 920) core of the new system was described in 1983 in RFCs 882 and 883. The first working domain name server, called "Jeeves," was written in by Paul Mockapetris for operation on DEC Tops-20 machines. A DNS server for Unix machines, the Berkeley Internet Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US DARPA. [1984] Versions of BIND through were maintained by the Computer Systems Research Group at UC Berkeley. [from 1985 to 1987] NCTU/TWNIC DNS Tutorial
A Brief History of the DNS and BIND (2)
New RFCs were written and published in 1987 that modified the original documents to incorporate improvements based on the working model. RFC 1034, "Domain Names - Concepts and Facilities", and RFC 1035, "Domain Names - Implementation and Specification", were published and became the standards upon which all DNS implementations are built.
BIND versions 4.9 and were released by Digital Equipment Corporation.
BIND version was sponsored by Vixie Enterprises.
BIND versions from onward have been developed and maintained by the Internet Software Consortium with support provided by ISC's sponsors.
BIND version 8: May 1997
BIND version 9: September 2000
What version of BIND am I using? (1)
The message that named puts in the system log file on startup:
Jul 14 12:54:21 ns named[15677]: starting. named P5
Jul 14 12:54:21
The "-v" switch with named will display the version:
# named -v
named P5 Thu Jul 20 17:19:57 PDT 2000
The BIND name daemon control interface program can provide version information when used with newer versions of BIND:
# ndc status
What version of BIND am I using? (2) - For BIND 4.9.5 or greater.
nslookup
# nslookup
Default Server: ns.yourco.bogus
Address:
> set class=chaos
> set type=txt
> version.bind
Server: ns.yourco.bogus
VERSION.BIND text = "8.2.2-P5"
>
dig
# dig @server_name version.bind txt chaos
Statistics about Incoming DNS queries (1) (flowchart): Dst-port = 53? N: ignore. Y: UDP or TCP? UDP: Src-addr = ANY -> MRTG-1; Src-addr = local /16 -> MRTG-2. TCP: Src-addr = local /16 -> MRTG-3; Src-addr != local /16 -> MRTG-4. (The /16 prefix was not preserved in this copy.)
Statistics about Incoming DNS queries (2) (flowchart): Start -> Dst-port = 53? N: ignore. Y: Src-port = 137? Y: reject. N: packet accumulation program -> find effective DNS queries and ratio -> MRTG -> End.
Where to Find More
Books - DNS and BIND, Paul Albitz and Cricket Liu, O'Reilly & Associates
BIND mailing list
Usenet newsgroups comp.protocols.tcp-ip.domains, comp.protocols.dns.*
The related RFC repository (RFC 1034, 1035, etc.)
Try a search engine (e.g. Google, Yahoo, etc.) to find more information
Chinese Big5 code DNS Resource Directory - http://dnsrd.nctu.edu.tw
Introduction to the latest developments in DNS/BIND and related tool programs
Case Study - analysis of some examples of system configuration errors
Other network system application and management topics related to the DNS system
>>> End of the Notes <<<