1 network administration module 6 domain name service (dns)
TRANSCRIPT
1
Network Administration
Module 6
Domain Name Service (DNS)
2
Overview
DNS is a client/server distributed database system which provides Host name to IP address mappings IP address to host name mappings (reverse mapping) Email routing Network service location mechanism
Implemented as Berkeley Internet Name Domain (BIND) in Linux (The most updated version is BIND 9.8.X)http://www.isc.org/software/bind/documentation
Use port 53
3
3 Types of DNS Servers
Primary DNS Server / Master Server Secondary DNS Server / Slave Server Caching Server / Caching-Name Server
4
Primary DNS Server / Master Server
Primary DNS Server / Master Server: The primary master name DNS server (or master server) is where the primary DNS database files for the domain(s) or subdomain(s) for which that server is authoritative reside.
The DNS data file is an ASCII snapshot of the DNS database that the server loads into memory while it runs. This database segment is called a zone (so, it is also called zone file or zone data file).
5
Secondary Server / Slave Server
A secondary DNS server / secondary master / slave server gets its zone data the master server.
In most DNS implementations, a secondary can read its data from a local file, but always checks to see if its on-disk version is as current as the version on the primary server. It does so by checking a specific field in its SOA record and comparing it to a corresponding value in the master server’s database. Where differences are noted, the secondary can update its database from the primary domain name server.
Secondary DNS servers are important because they provide a back-up copy of the domain database for a specific zone.
6
Caching / Caching-Name Server
Caching Server store recently accessed DNS records from other domains to avoid incurring the performance overhead involved in making a remote query each time a resource outside the local domain is accessed.
Note:The cache-nameserver package in CentOS automatically set up a caching instance of BIND for instant use (You need not rely on your’s ISP name service).
7
How Domain Name Servers Work
When a TCP/IP client uses a resolver to send a name query to a DNS server, that client obtain the address for the DNS server it queries from TCP/IP configuration data.
Servers are queried in the order in which they appear in TCP/IP configuration files (/etc/named.conf).
DNS servers retrieve name data from the general domain namespace.
If a given DNS server is authoritative, it provides data about those zones for which it is authoritative.
8
How Domain Name Servers Work
When queried, any given DNS server will search its cached domain name data and answer queries for which that server is not authoritative, unless that query originates from a root server (which requires the authoritative DNS server for the zone in question to respond).
9
How Domain Name Servers Work (Cont …)
When a local server does not have the information available in its database or its name cache, it may turn to a caching-only server or to other known name servers in the “neighborhood”.
If none of these searches produces a result, the name server sends a request for name resolution to a root server, which directs the query to the authoritative server for the database segment in question.
The root server locates the authoritative server by contacting the root server for the domain and then following NS pointers to the right authoritative server.
10
The Namespace DNS namespace is a hierarchical tree of domains
Similar in concept to the Linux filesystem Each node in the tree is managed by some name server
The top of the domain tree (the root) is called .(dot) Two branches under the root
Forward branch Provides host name to IP address mappings
Reverse branch Provides IP address to host name mappings
Beneath the root are Top Level Domains (TLDs) e.g. .com, .net and .us, .hk
Country Code Top Level Domain (ccTLD) - .hk, .us, .tv, .ru, … … Generic top-level domains (gTLD) - .asia, .com, .biz, .edu, .gov, .info, .net, .org, .mil, …
The Namespace
11
12
The Namespace (Cont)
Domain A node immediately beneath a TLD The term “domain” typically includes the TLD
e.g. The domain is example.com and Managed & distributed by the TLD’s authorized registrars
The domain owner controls the sub-tree namespace below itself
Others have no ability to utilize this namespace Sub-domain
An n-level sub-tree beneath a domain The nodes above the host, but below the domain
Host A system on the Internet
13
The Namespace (Cont) Fully Qualified Domain Name (FQDN)
This is similar to a full, rooted path in Linux Uniquely specifies a single host on the Internet
Through name servers, this host can be found using its FQDN
Hostname, sub-domain and domain joined by dots Written from most to least specific
General form hostname.subdomain.domain. e.g. ftp.example.com. Includes the trailing dot
Creating Domains and Subdomains
Several domain name registrars have been authorized by the Internet Corporation for Assigned Names and Numbers (ICANN),
To obtain a domain, apply to a registrar for authority to create a domain under one of the top-level domains.
Once the authority to create a domain is granted, additional domains (sub-domains) can be created.
14
15
Linux - BIND (Berkeley Internet Name Domain)
Resolver (Client of DNS Server) Queries a DNS server for information Standard C library software linked with networking
applications Usage controlled via name service switch /etc/nsswitch.conf
Name server daemon – named Responds to queries from the resolver Loads DNS configuration files into memory
Linux Commands(for verification of DNS operation) host nslookup dig
You should install the following components1.bind2.bind-utils3.bind-libs
16
How BIND works
Zone A sub-tree in the domain tree namespace
authoritatively managed and controlled by a single name server
Further sub-dividing a zone is called delegation A zone is delegated when
Another name server is granted authoritative control over the zone
Its parent’s servers are updated with the new name server
17
How BIND works (Cont)
Authoritative Name Servers Each zone has one or more authoritative name
servers They respond to queries about the zones
members, or They give referral to the name server that
controls a child zone
18
The DNS Database
The DNS database is a large set of distributed zone files Every zone is defined by its set of zone files Zone files contain:
Host name/IP information about the hosts in the zone Pointers to name servers for delegated zones Mail forwarding information
A name server is only authoritative for its own zone It is the information in the zone files that a name server
shares
19
BIND Query Algorithm
BIND employs a recursive querying algorithm A FQDN determines the name servers to be queried
It implicitly specifies the ordered list of name servers to be employed
Hence, BIND always requires FQDNs BIND starts a query at the root zone’s name servers
It then recursively travels down the domain tree It queries each encountered zone’s name servers
Until a response is given Every zone knows about its children
A name server may respond with a referral to another name server
20
Server Operation Modes
Non-recursive (Server-to-Server) Will not take responsibility for resolving queries A non-recursive server only answers a query if
It is authoritative for the zone being queried It has an answer already in its cache
Otherwise, it returns a referral to a name server one level down or an error if no response is possible
Recursive (Client-to-Server) Will resolve queries by following referrals to other
name servers A recursive name server must return an answer to a
query, or an error if no response is possible
DNS Query
21
22
DNS System Configurations
Resolver-only (Client only) Uses other DNS servers
Master server The authoritative single source of control for a
domain’s zone files Slave server
Authoritative server adding redundancy to master server
Caching-only Caches queries only; does not control any domain
/etc/resolv.conf
23
Resolver-only (Client only)
Very simple configuration The named name server daemon is not run on the system Resolver uses remote DNS server Only requires resolver configuration file /etc/resolv.conf
Tells the resolver which servers to use to resolve queries Helps resolver handle non-FQDNs May be created automatically when using DHCP
24
Resolver-Only Configuration
/etc/resolv.conf domain
Domain name to append to non-FQDNs Use either domain or search (not both)
search List of domains to append to non-FQDNs Maximum of 8 domains
nameserver <DNS-server-IP-addr> Maximum of 3 name servers can be specified Name servers are queried in the order listed Servers listed must be recursive servers
25
Resolver-Only Configuration Testing your configuration
Create /etc/resolv.conf file Specify default domain(s) to use using either
domain or search Specify up to three nameserver lines to use for
queries Configure /etc/nsswitch.conf to use DNS
Include dns keyword on hosts line Ensure network is properly configured Use nslookup, host, dig commands to query DNS
26
Master Server
Answers queries authoritatively Exactly one master name server for a zone The master server owns the domain’s zone files
The domain’s zone files reside and are maintained on this server
Zone files are the definitive information about the zone Required configuration files, created by domain
administrator/etc/named.conf Hint file Zone file(s) Loopback zone file
Store under /var/named/
27
DNS Configuration Files
/etc/named.conf named’s configuration file Specifies the type of server for a zone Information about the zone’s zone files Sets global and zone-specific options for named
Zone files A set of files that creates the database that
defines a zone Typically one forward file and one reverse file
Hints file Specifies the location of the root servers
28
Slave Server
Authoritative Has same information as the master server
Should at least one slave name server per zone Required configuration files
/etc/named.conf Hint file Loopback zone file
Zone file(s) are downloaded from the master server Called a Zone File Transfer
29
Caching-only System Simple Configuration (using forward) Most common configuration type Non-authoritative
Information is second-hand (Came from some server’s cache)
Caches responses to resolver queries May resolve its own queries via named or use other
DNS servers Required configuration files
/etc/named.conf Hint file Loopback zone file
30
Zone File Format
Zone files are simple ASCII textfiles Contain a list of resource records (RRs) The set of RRs together define a zone The zone file parser provides:
Many default values for unspecified fields in RRs Convenient macro commands for specifying RRs
These are not part of zone database They are expanded by the BIND syntax parser when
the file is read
31
Resource Record Format
Syntax <name> <ttl> <class> <type> <data> name – Name of the entity ttl – Time to live class – Typically IN, meaning Internet type – Type of RR data – Type-specific data
Special Characters @ - Current domain name ; - Comment ( ) - Grouping, for multi-line record * - Wildcard (name field)
32
Resource Record Fields
The name Field Specifies the name of this RR entity Usually a host or domain name Must be in the first column of the file Can be a relative name or a FQDN
BIND internally uses only FQDN Bind appends relative names with the current
domain + a final dot The current domain is either
the zone’s domain the domain specified by $ORIGIN
33
Resource Record Fields (Cont) The TTL Field
Number of seconds record is valid in cache Defaults to either
The value of the $TTL parser macro at the top of the zone file
Value set in SOA RR The class Field
Value is one of: IN, CH or HSIN (Internet), is the most common [default]CH (ChaosNet), mostly obsoleteHS - Hesiod
34
Resource Record Fields (Cont)
The type Field Specifies the type of RR
SOA,NS – Zone-defining and linking RRsA,PTR, MX – Basic RRsCNAME,SRV,WKS – Optional RRsLOC, RP, TXT – Informational onlyKEY, NXT, SIG – Security-related RRs
The data Field The data specific to each type of RR
35
Resource Record Types
Type: SOA Start of Authority This record defines a zone Each zone has exactly one SOA record Specifies
The master name server for the zone The zone administrator’s email address Slave server update information
Typically is first RR in zone file Should be an SOA for both forward & reverse
branches
36
Resource Record Types (Cont)
@ IN SOA ns1.example.com. admin.example.com (
2001041802 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
)
System Administrator’s email
37
Resource Record Types (Cont)
Type: NS Name server record Identifies authoritative servers for the zone
i.e. the master and all slaves Delegates sub-domains to other organization Used by named to identify slaves for zone changes Typically comes immediately after SOA record
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
38
Resource Record Types (Cont)
Type: A Address record Provides host name to IP address mapping
Similar to /etc/hosts Must have one per interface
OK to use single host name for all interface or unique host name for each interface
ftp IN A 203.186.89.173
39
Resource Record Types (Cont)
Type: PTR Pointer record Provides IP address to host name mapping (for reverse
zone only) Must have one per interface
OK to use single host name for all interface or unique host name for each interface
173 IN PTR www.example.com.
40
Resource Record Types (Cont) Type: MX
Mail exchanger record Helps route mail efficiently via central hub(s) Looked-up and used by mailers Assists in mail delivery when hosts are down Can be used by hosts not directly connected to internet Every host should have an MX record
@ IN MX 5 mail1.example.com.
@ IN MX 10 mail2.example.com.
priority
41
Resource Record Types (Cont) Type: CNAME
Canonical Name record A host’s real name is called its canonical name Assigns a nickname to a host – an alias
Allows functional name (i.e. www.domain, ftp.domain … etc.)
CNAMEs can nest up to 8 deep can point to another CNAME Other records must use real name, not a CNAME
www IN CNAME ns1.example.com.
42
Resource Record Types (Cont) Type: SRV
Services record Specifies the location of services in a domain Allows query of domain to find a host supporting some
service E.g. ftp, www, finger … etc.
ftp IN SRV 0 0 21 ftp.example.com.
ssh IN SRV 0 1 22 ssh.example.com.
43
Summary DNS Database Records Types (RFC1035)
Record Types
Symbol Description
Address record
A An address (A) record stores domain name-to-IP address translation data.
Cononical name record
CNAME A canonical name (CNAME) record is used to create aliases.
Host Information record
HINFO A host information (HINFO) record stores descriptive information about a specific Internet host.
Mail Exchange record
MX A mail exchange (MX) record is used to route SMTP-based email on the Internet and identify the IP address for a domain’s master email server
44
Summary DNS Database Records Types (RFC1035)
Record Types
Symbol Description
Name Server record
NS A name server (NS) record is used to identify all DNS servers in a domain.
Pointer record
PTR A pointer (PTR) record stores IP address-to-domain name translation data and supports the operation known as a reverse DNS lookup.
Start of Authority record
SOA A Start of Authority (SOA) record identifies the name server that is authoritative for a specific DNS database segment; in other words, it identifies the master DNS server for a specific domain or subdomain.
45
Summary DNS Database Records Types (RFC1035)
Record Types
Symbol Description
Text record TXT A text (TXT) record may be used to add arbitrary text information to a DNS databases, usually for documentation.
Service record
SRV SRV (service) records are a generalization and expansion of features provided by MX records. Where MX records work only for mail delivery and provide "failover" via the Priority value, SRV records add in support for load balancing (via the Weight value) and port selection (via the Port value).
Well-known services record
WKS A well-known services (WKS) record lists the IP-based services, such as Telnet, FTP, HTTP, and so forth that an Internet host can supply.
46
Reverse Maps
Reverse Branch of Domain Tree Maps IP addresses to host names Reverse branch resides on the domain in-addr.arpa.
Allows IP addresses to fit into the domain tree Organized with network addresses towards root Zones separated on IP address octet boundaries The name of that zone is the IP octet
Separate zone file Must contain SOA and other RRs
47
Additional Zone Files
Zone File for localhost Allows local name server to be authoritative for
localhostlocalhost.<domain>localhost.127.0.0.<x>.in-addr.arpa.
Avoids queries to a root server for obviously local names
48
Considerations when using DNS
Program will require valid FQDNs NFS, /etc/exports, infamous sendmail hang!
DNS, /etc/hosts and NIS/NIS+ /etc/nsswitch.conf file indicates order of usage
Boot-time name resolution deadlock Is DNS required to be used during boot before DNS is
running? Server Considerations
BIND consumes a fair amount of memory BIND’s advanced features are CPU-intensive Run named continuously – not via inetd/xinetd
Master - Sample /etc/named.conf (1)
options {
directory "/var/named";
query-source port 53 { 127.0.0.1;192.168.1.0/24 };
allow-transfer { localhost; };
allow-query { locahhost; 192.168.1.10/24; };
recursion yes;
};
zone "." IN {
type hint;
file "named.ca";
};
49
IP addresses of the 13 super servers
Master Sample /etc/named.conf (2)
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
50
Master Sample /etc/named.conf (3)
/* Forward Zone */
zone “example.com" {
type master;
file "named.example.zone";
};
/* Reverse Zone */
zone "39.18.172.in-addr.arpa" {
type master;
file "named.172.18.39.zone";
};
include "/etc/rndc.key";
51
Sample – Forward zone file$TTL 86400
@ IN SOA example.com. admin.example.com. (
2009042701 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
; Name servers
IN NS ns1.example.com.
IN NS ns2.example.com.
; Mail server for domain
IN MX 10 mail.example.com.
IN MX 20 mail2.example.com.
; Public servers
ns1 IN A 123.45.67.1
ns2 IN A 123.45.67.2
mail IN A 123.45.67.3
www IN A 123.45.67.4
ftp IN CNAME mail.example.com.
mail2 IN CNAME www.example.com.
52
Master Sample – Reverse zone
$TTL 86400
@ IN SOA ns1.example.com admin.example.com. (
2006042701 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns1.example.com.
1 IN PTR example.com.
2 IN PTR ns2.example.com.
3 IN PTR ftp.example.com.
4 IN PTR www.example.com.
53