
Domain Name Service (DNS) at Colorado State University






Presentation Transcript


  1. Domain Name Service (DNS) at Colorado State University Mike Willard Academic Computing & Networking Svcs mike.willard@colostate.edu 491-4651

  2. What is Domain Name Service? • DNS is a hierarchical naming system that associates various information with names meaningful to humans. • DNS data is made available by a distributed database run on servers worldwide. • Responsibility for domain data is distributed by designating authoritative name servers for each domain, which can in turn delegate authority for sub-domains. This obviates the need for a single central repository of information.

  3. Domain Name Service Data A typical host name, “chico.cs.colostate.edu.”, is a Fully Qualified Domain Name (FQDN) made up of parts: • “chico” = hostname • “cs.colostate.edu.” = domain name • “cs.colostate.edu.” is a subdomain of “colostate.edu.”, which is a subdomain of “edu.” • “edu.” is a Top Level Domain (TLD) • “.” = the root of the DNS tree. Technically every DNS name should end in “.”, but it is typically left out. In a zone file the distinction matters: a name without the trailing dot is relative and has the zone’s origin appended, which is how names like host.example.edu.example.edu come about.

  4. DNS Data Organization Thus DNS data organized in a tree structure

  5. DNS Record Types: SOA Start of Authority (SOA): Defines global parameters for a “zone”, which include: • Time To Live (TTL) – number of seconds the record may be cached. • Primary DNS server (MNAME) – FQDN of the primary authoritative server; also the target for dynamic updates. • Email Addr (RNAME) – Contact mailbox for the domain, written with the “@” as a dot, e.g. dnsadmin.colostate.edu. for dnsadmin@colostate.edu. • Serial number – Incremented whenever the data changes. Slaves compare it with their own copy to decide whether to transfer the zone. • Refresh – Interval in seconds at which a secondary tries to refresh zone data. • Retry – Interval in seconds between refresh attempts after a failure. • Expiry – Interval in seconds for which secondary data remains valid without a successful refresh; after that the slave stops answering for the zone. • Min – Originally the default minimum TTL for other zone records; redefined by RFC 2308 as the negative-caching TTL (how long a resolver may cache a “no such name” answer).

  6. DNS Record Types: SOA (cont.) The DNS RFCs define a text (“master file”) representation for records as well as a binary or “wire” representation. An SOA record has the fields Name TTL Class RType Primary-NS Email-address followed by the five timer values, and may be spread over several lines inside parentheses with “;” starting a comment. The transcript of this slide dropped the primary name server field, shown below as a placeholder:
acns.colostate.edu.  3600  IN  SOA  [primary name server]  dnsadmin.colostate.edu. (
        249427  ; sn
        900     ; refresh (15 min)
        600     ; retry (10 min)
        86400   ; expiry (1 day)
        3600    ; minTTL (1 hour)
        )
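As an added example (not part of the slides), the following Python parses an SOA record in the text form above and applies the two rules that slides 5 and 19 rely on: RFC 1982 serial-number arithmetic, which decides whether a slave's copy is stale and a zone transfer is needed, and the RFC 2308 negative-caching TTL derived from the minimum field. The sample record is constructed from the slide's values; its primary name server, dns1.colostate.edu., is an assumption, because the transcript of slide 6 drops that field.

```python
import re

# Constructed SOA in the master-file form of slide 6.  The MNAME is an
# assumption: the slide transcript drops that field, so the zone's NS from
# slide 7 is used here to make the record complete.
SOA_TEXT = """
acns.colostate.edu.  3600  IN  SOA  dns1.colostate.edu.  dnsadmin.colostate.edu. (
        249427  ; sn
        900     ; refresh (15 min)
        600     ; retry (10 min)
        86400   ; expiry (1 day)
        3600    ; minTTL (1 hour)
)
"""

TIMERS = ("serial", "refresh", "retry", "expire", "minimum")
SERIAL_MOD = 1 << 32


def strip_comments(text):
    """Drop ';' comments; a zone-file comment runs to the end of its line."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def rname_to_email(rname):
    """RNAME stores the mailbox with '@' written as '.'; a literal dot in the
    local part is escaped as '\\.' (e.g. john\\.doe.example.test.)."""
    parts = re.split(r"(?<!\\)\.", rname.rstrip("."), maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"RNAME has no domain part: {rname}")
    return parts[0].replace("\\.", ".") + "@" + parts[1]


def parse_soa(text):
    """Parse one SOA RR, single-line or parenthesized, into a dict.
    Expects the explicit 'Name TTL Class SOA' prefix the slide shows."""
    tokens = strip_comments(text).replace("(", " ").replace(")", " ").split()
    if len(tokens) != 11 or tokens[2] != "IN" or tokens[3] != "SOA":
        raise ValueError("expected: name ttl IN SOA mname rname serial refresh retry expire minimum")
    soa = {"name": tokens[0], "ttl": int(tokens[1]), "mname": tokens[4],
           "rname": tokens[5], "email": rname_to_email(tokens[5])}
    soa.update(zip(TIMERS, map(int, tokens[6:])))
    for field in TIMERS:
        if not 0 <= soa[field] < SERIAL_MOD:
            raise ValueError(f"{field} must be an unsigned 32-bit value")
    return soa


def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic on the 32-bit circle.  A slave transfers the
    zone only when the master's serial is 'newer' than its own, so a serial
    that wraps past 2**32-1 is still newer.  A distance of exactly 2**31 is
    undefined by the RFC and treated here as not newer."""
    diff = (candidate - current) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def negative_cache_ttl(soa):
    """RFC 2308 section 5: negative answers are cached for the smaller of the
    SOA minimum field and the SOA record's own TTL."""
    return min(soa["minimum"], soa["ttl"])
```

A slave with serial 249427 would transfer when the master announces 249428 but ignore an announcement of 249427, and because the comparison is circular, a master that wrapped from 4294967293 to 5 is still seen as newer rather than as a regression.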

  7. DNS Record Types: NS Name Server (NS): Defines the authoritative name server(s) for a domain. NS records live in two places: at the apex of the zone itself and at the point of delegation in the parent zone. The NS records for acns.colostate.edu reside in the parent zone, “colostate.edu”, like this (the server names end in “.” so they are not read as relative to the zone origin):
Name TTL Class RecordType Data
acns  IN  NS  dns1.colostate.edu.
acns  IN  NS  dns2.colostate.edu.
And they exist in the acns.colostate.edu zone, where “@” stands for the zone origin, like:
@  IN  NS  dns1.colostate.edu.
@  IN  NS  dns2.colostate.edu.
The two sets should agree; when the parent’s NS set drifts from the child’s, resolvers receive inconsistent referrals.

  8. DNS Record Types: A, AAAA IPv4 Address (A): Associates a name with an IPv4 address. The A record for chico.cs.colostate.edu resides in the “cs.colostate.edu” zone and looks like:
Name TTL Class RecordType Data
chico  IN  A  129.82.45.30
IPv6 Address (AAAA): Associates a name with an IPv6 address. An AAAA record looks like:
Name TTL Class RecordType Data
chico  IN  AAAA  2002:8152:e6d2::8052:f8d1
Names are case-insensitive, so “Chico” and “chico” are the same record; the empty TTL column means the zone’s default ($TTL) applies.

  9. DNS Record Types: CNAME Canonical Name (CNAME): Makes a name an alias for another DNS name. The CNAME record for www.cs.colostate.edu looks like:
Name TTL Class RecordType Data
www  IN  CNAME  parsons.cs.colostate.edu.
According to the RFCs, no other records may exist at the same name as a CNAME; RFC 4035 adds exceptions for the DNSSEC types RRSIG and NSEC (the earlier, now obsolete DNSSEC RFCs also allowed KEY). One consequence: a zone apex can never be a CNAME, because the SOA and NS records must live there.

  10. DNS Record Types: Others… There are ~71 record types. The other, more common records include: • MX – Mail Exchanger. Specifies the mail servers for a mail domain name. • PTR – Pointer. Maps IPv4 addresses to names (reverse lookup); IPv6 addresses use the same type under ip6.arpa. • SRV – Service record. Defines the network service information available for a zone (LDAP, Kerberos, etc.). Used heavily by Windows domains. • TXT – Text information associated with a name. Basically a note. Also used by the Sender Policy Framework (SPF) to publish which hosts may send mail for the domain.

  11. DNS Forward and Reverse Lookups • The most common use is forward lookup (name to IP). • Reverse lookup (IP to name) is also needed. This is also a tree structure, delegated in a similar fashion. All IPv4 reverse space is rooted in the special domain “IN-ADDR.ARPA” (IPv6 uses “IP6.ARPA”, with one hex digit per label). For delegation to work as in the forward space, the address is written with its octets reversed, most specific to least specific. Thus CSU’s IP space (129.82.0.0/16) has a reverse DNS zone of “82.129.IN-ADDR.ARPA”.

  12. DNS Reverse Data Organization

  13. DNS Record Types: PTR Pointer (PTR): Associates an IPv4 address with a name. The PTR record for “129.82.103.78” resides in the “103.82.129.in-addr.arpa” zone and looks like:
Name TTL Class RecordType Data
78  IN  PTR  rush.colostate.edu.
• Although Address and Pointer records are logically connected, there is nothing in the RFCs to force consistency. Anything that relies on a reverse name should confirm it by looking up the returned name and checking that the original address is among its A records (forward-confirmed reverse DNS). • It often makes sense to have multiple A records pointing to different IPs (DNS “Round Robin” load balancing). • It does not make sense to have multiple PTR records pointing to different hosts.
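An added example, not from the slides, covering slides 11 and 13: computing the PTR owner name and the reverse zone for IPv4 and IPv6 addresses, and the forward-confirmed reverse DNS (FCrDNS) check that mail servers and log analysers apply because nothing in the RFCs forces A and PTR data to agree. The A and PTR data below are constructed; the colostate.edu hosts and addresses come from slides 8 and 13, while the example.test names are made up to show the failure modes.

```python
import ipaddress


def reverse_name(addr):
    """Owner name of the PTR record for an address.  IPv4: octets reversed under
    in-addr.arpa.  IPv6: the 32 hex nibbles reversed under ip6.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")     # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(network):
    """Reverse zone that a prefix delegates to (129.82.0.0/16 -> 82.129.in-addr.arpa.).
    Only label-aligned prefixes map to a single zone: /8, /16, /24 for IPv4,
    multiples of 4 bits for IPv6."""
    net = ipaddress.ip_network(network)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix


# Constructed forward (A) and reverse (PTR) data.  colostate.edu entries follow
# slides 8 and 13; the example.test entries are invented to exercise each case.
A_RECORDS = {
    "rush.colostate.edu.": {"129.82.103.78"},
    "chico.cs.colostate.edu.": {"129.82.45.30"},
    "www.example.test.": {"129.82.45.30", "129.82.45.31"},   # round robin
    "mail.example.test.": {"129.82.45.40"},
}
PTR_RECORDS = {
    reverse_name("129.82.103.78"): {"rush.colostate.edu."},
    reverse_name("129.82.45.30"): {"chico.cs.colostate.edu."},
    # two PTRs at one address: only the one whose A points back is trustworthy
    reverse_name("129.82.45.31"): {"www.example.test.", "mail.example.test."},
    # PTR left behind after the host moved: its A no longer contains .32
    reverse_name("129.82.45.32"): {"stale.example.test."},
}


def fcrdns(addr, a=A_RECORDS, ptr=PTR_RECORDS):
    """Forward-confirmed reverse DNS.  A PTR target counts as confirmed only if
    that name's A records contain the original address.  Returns the pair
    (confirmed names, unconfirmed names); both empty means no PTR at all."""
    names = ptr.get(reverse_name(addr), set())
    confirmed = {n for n in names if addr in a.get(n, set())}
    return confirmed, names - confirmed
```

Treat only the confirmed set as identity: an attacker who controls the reverse zone for their own address space can publish any PTR they like, but they cannot make the victim's forward zone point back at them.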

  14. DNS Authorities The Internet Assigned Numbers Authority (IANA) and the Internet Network Information Center (InterNIC) were originally established by various US Government agencies and are now run under contract by a private, non-profit organization, the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for: • Coordination of the DNS root globally • Coordination of IP address space globally • Maintaining the list of gTLDs (generic top level domains) and ccTLDs (country code top level domains) • Root Hints: http://www.internic.net/zones/named.root

  15. DNS Registries and Registrars DNS Registry – the authoritative source for a DNS domain. DNS Registrar – an entity authorized to manage registry data. • Registrars sell domains to others and maintain that data in the registry. • VeriSign operates the current registry for .com and .net but does not act as a registrar. • Hundreds of registrars are accredited to sell .com domains through the VeriSign registry (e.g. Tucows, GoDaddy, etc.). • Reverse registries are run by the regional Internet registries (ARIN, LACNIC, RIPE NCC, AFRINIC, APNIC).

  16. DNS Queries – Root Hints The named.root file as shown at the time of the talk (several of these addresses have since changed; fetch the current file from the URL on slide 14):
.                    3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.  3600000      AAAA  2001:503:BA3E::2:30
.                    3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000      A     192.228.79.201
.                    3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000      A     192.33.4.12
.                    3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.  3600000      A     128.8.10.90
.                    3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.  3600000      A     192.203.230.10
.                    3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.  3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.  3600000      AAAA  2001:500:2F::F
.                    3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.  3600000      A     192.112.36.4
.                    3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.  3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.  3600000      AAAA  2001:500:1::803F:235
.                    3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.  3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.  3600000      AAAA  2001:7FE::53
.                    3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.  3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.  3600000      AAAA  2001:503:C27::2:30
.                    3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.  3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.  3600000      AAAA  2001:7FD::1
.                    3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.  3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.  3600000      AAAA  2001:500:3::42
.                    3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.  3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.  3600000      AAAA  2001:DC3::35

  17. DNS Queries – Interaction • DNS Resolver – software that contacts DNS servers to find DNS data. • Located in client operating systems (the “stub” resolver) and as part of DNS server software. • Two query types – recursive (the server obtains the complete answer on the caller’s behalf) and non-recursive, or iterative (the server returns what it has, typically a referral to servers closer to the answer). • Typical query interaction for www.colostate.edu, as drawn on the slide:
1. Resolver → Root Nameserver: Where’s www.colostate.edu?
   Root Nameserver → Resolver: Ask 192.5.6.36 (an edu. nameserver)
2. Resolver → edu. Nameserver (192.5.6.36): Where’s www.colostate.edu?
   edu. Nameserver → Resolver: Ask 129.82.103.78 (a colostate.edu. nameserver)
3. Resolver → colostate.edu. Nameserver (129.82.103.78): Where’s www.colostate.edu?
   colostate.edu. Nameserver → Resolver: It is at 129.82.103.106

  18. DNS Delegation • An entity wishing to run DNS for a zone negotiates with the group authoritative for the parent domain. • The parent’s authoritative server hosts the NS records for the delegated domain plus “glue” records: A/AAAA records for name servers whose names lie inside the delegated zone, without which a resolver could not follow the referral. • The delegated server hosts the SOA and the same NS records along with the zone data. • Changes take some time to propagate as cached copies expire.
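An added example (not the slides' code) of the exchange on slide 17 and the delegation with glue on slide 18: a miniature iterative resolver that walks referrals from a root server to the answer over in-memory authoritative data. The server IPs are the ones the slide shows; the zone contents, the name ns.edu-servers.test. and the planted out-of-zone record are constructed. The bailiwick check in resolve() is the defence against the classic cache-poisoning trick listed on slide 20, where a server slips records for somebody else's domain into the additional section of its response.

```python
# Constructed miniature of the tree on slide 17.  Servers are keyed by the IPs
# the slide shows; zone data, glue and the name ns.edu-servers.test. are made up.
SERVERS = {
    "198.41.0.4": {                        # a.root-servers.net, authoritative for "."
        "zone": ".",
        "rrs": {
            ("edu.", "NS"): ["ns.edu-servers.test."],
            ("ns.edu-servers.test.", "A"): ["192.5.6.36"],       # glue
        },
        "extra": {},
    },
    "192.5.6.36": {                        # an edu. server
        "zone": "edu.",
        "rrs": {
            ("colostate.edu.", "NS"): ["rush.colostate.edu."],
            ("rush.colostate.edu.", "A"): ["129.82.103.78"],     # glue, inside edu.
        },
        "extra": {},
    },
    "129.82.103.78": {                     # a colostate.edu. server
        "zone": "colostate.edu.",
        "rrs": {("www.colostate.edu.", "A"): ["129.82.103.106"]},
        # Poison attempt: unsolicited data for a name this server has no
        # authority over, appended to the additional section of every reply.
        "extra": {("www.example.test.", "A"): ["203.0.113.66"]},
    },
}


def is_subdomain(name, zone):
    """True if name is zone itself or lies beneath it ("." contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server_ip, qname, qtype):
    """One non-recursive query.  The server answers from its own zone, or refers
    the asker to the deepest delegation it knows, attaching glue as additional data.
    An empty answer list stands for a negative (NXDOMAIN/NODATA) response."""
    srv = SERVERS[server_ip]
    rrs, additional = srv["rrs"], dict(srv["extra"])
    if (qname, qtype) in rrs:
        return {"answer": rrs[(qname, qtype)], "referral": None, "additional": additional}
    cuts = [o for (o, t) in rrs if t == "NS" and o != srv["zone"] and is_subdomain(qname, o)]
    if not cuts:
        return {"answer": [], "referral": None, "additional": additional}
    cut = max(cuts, key=len)
    for ns in rrs[(cut, "NS")]:
        if (ns, "A") in rrs:
            additional[(ns, "A")] = rrs[(ns, "A")]
    return {"answer": None, "referral": (cut, rrs[(cut, "NS")]), "additional": additional}


def resolve(qname, qtype="A", root_ip="198.41.0.4", max_hops=8):
    """Iterate from a root hint to the answer, caching only what each server is
    entitled to assert: additional records outside the responding server's zone
    (its "bailiwick") are dropped instead of cached.  Returns (answer, trace, cache)."""
    cache, trace, server = {}, [], root_ip
    for _ in range(max_hops):
        zone = SERVERS[server]["zone"]
        resp = query(server, qname, qtype)
        for (owner, rtype), data in resp["additional"].items():
            if is_subdomain(owner, zone):
                cache[(owner, rtype)] = data
            else:
                trace.append(f"{server} ({zone}) offered {owner} {rtype}: out of bailiwick, dropped")
        if resp["answer"] is not None:
            trace.append(f"{server} ({zone}) answered {qname} {qtype} = {resp['answer']}")
            return resp["answer"], trace, cache
        cut, ns_names = resp["referral"]
        trace.append(f"{server} ({zone}) referred {qname} to {cut} servers {ns_names}")
        glued = [ns for ns in ns_names if (ns, "A") in cache]
        if not glued:
            raise LookupError(f"no usable glue for {cut}")
        server = cache[(glued[0], "A")][0]
    raise LookupError("too many referrals")
```

Real resolvers go further than this bailiwick rule: RFC 2181 ranks data by where it came from, so an authoritative answer outranks glue from a referral even when both are in bailiwick, and modern resolvers randomise source ports and query IDs so that a forged reply is unlikely to match an outstanding query in the first place.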

  19. DNS Servers • Software: BIND – originally UNIX. Windows 2000 moved to heavy reliance on DNS (Active Directory locates its services through SRV records). • Network traffic: UDP and TCP port 53 (TCP for zone transfers and for responses too large for UDP). • Authoritative vs. non-authoritative: Servers that host a zone are authoritative for it. • Authoritative Only: Servers that *only* respond to queries for zones they host and do no recursion. • Recursive/Caching Servers: Resolve any DNS request for clients and store the answers locally to satisfy later requests. • Replication: Master and slave. Uses the zone serial number plus the refresh and retry intervals to update slaves, which hold a read-only copy of the data. • Dynamic DNS (DDNS) – Allows clients to update A and PTR records on the fly.

  20. DNS Security Concerns • Cache poisoning (forged answers accepted into a resolver’s cache). • Denial of Service (DoS), including amplified DoS, where an open resolver turns small spoofed queries into large responses aimed at a victim. • Separate the resolving/caching server from the authoritative server. • Secure DNS (DNSSEC). • Dynamic DNS (DDNS) – restrict who may update. • Zone transfers – restrict AXFR to known slaves. • Firewalls. • OS and application vulnerabilities. • Outsourcing. • Appliances.

  21. Domain Name System Security Extensions (DNSSEC) • New record types to support the protocol: • RRSIG – one per RRset; the signature used to verify the RR data. • DNSKEY – the zone’s public key(s), used to verify RRSIGs. • DS – held in the parent zone, one per signed subdomain; a hash of the child’s DNSKEY, used to verify it. • NSEC/NSEC3 – used to verify a “negative” (no such name, no such type) response. Helps prevent spoofed denials. • Requires support for “Extension Mechanisms for DNS” (EDNS0): • Increased flag space and UDP packet size beyond 512 bytes. • Uses a pseudo record type (OPT) that exists only on the wire, never in zone files, for backwards compatibility. • Trust Anchors: • A trusted key/DS record distributed with the OS or installed manually. • Theoretically only the root zone’s key is needed, but not all TLDs are signed yet. • EDU supports DNSSEC as of this year. GOV and some ORG too. VeriSign projected to have the COM and NET zones signed next year.
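An added example, not part of the slides, that works three DNSSEC building blocks from this slide as pure computation: the key tag that a DS or RRSIG uses to name a DNSKEY, the DS digest a parent publishes over a child's DNSKEY, and the canonical name ordering needed to check that an NSEC record really covers a queried name. The key bytes and the example.test zone are constructed placeholders, not a real key; verifying an RRSIG itself requires the algorithm's public-key signature check and is not shown.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each length-prefixed,
    terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (256 = ZSK, 257 = KSK), protocol (always 3), algorithm, key.
    public_key here is a constructed placeholder, not real key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: the 16-bit tag a DS or RRSIG uses to point at a DNSKEY.
    It is a checksum, not a hash, so collisions are possible and harmless."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, rdata, ds):
    """Does a parent-zone DS (key_tag, algorithm, digest_type, digest) authenticate
    this child DNSKEY?  All four fields must agree; hex digests compare case-insensitively."""
    tag, algorithm, digest_type, digest = ds
    return (tag == key_tag(rdata) and algorithm == rdata[3]
            and ds_digest(owner, rdata, digest_type) == digest.upper())


def canonical_key(name):
    """Sort key for canonical DNS name order (RFC 4034 s6.1): labels compared right
    to left as lowercase bytes; a name that is the parent of another sorts first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if an NSEC RR spanning owner..next_name proves qname does not exist.
    The zone's last NSEC points back to the apex, so its range wraps around."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o or q == n:
        return False                       # the name exists: an NSEC sits at it
    if o < n:
        return o < q < n
    return q > o or q < n                  # wrap-around NSEC at the end of the chain
```

The wrap-around case is where hand-written validators most often go wrong: for a zone whose last NSEC runs from www.example.test. back to the apex example.test., a query for zzz.example.test. sorts after the owner and is covered even though it is not "between" the two names in the ordinary sense.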

  22. DNS Utilities • NSLOOKUP – get DNS records from a given server; command line parameters and an interactive (non-GUI) mode. • DIG – get DNS record info from a given server; command line. • WHOIS – www.whois.net, the various registries, or the command line. • Web sites: www.dnstools.com, www.dnsstuff.com, network-tools.com

  23. DNS at Colorado State University • Master servers – rush.colostate.edu and hasty.colostate.edu • Slave servers – yuma.colostate.edu, lamar.colostate.edu, holly.colostate.edu (legacy) and dns1.colostate.edu, dns2.colostate.edu (public) • “Hidden Master” configuration – The master servers (RUSH and HASTY) are not accessible off-campus and there are no NS records registered for them. The public servers are DNS1 and DNS2, which are authoritative-only: they *only* answer queries about colostate.edu and 129.82.0.0/16 and do no recursion for outsiders. • Statistics – DNS1 ~40 queries/sec, DNS2 <10 queries/sec, RUSH ~970 queries/sec, HASTY ~160 queries/sec

