Module 7 Advanced Zone Files

Objectives
- Understand failover strategies using DNS
- Understand domain delegation
- Understand Glue Records
- Understand the SRV RR
- Understand the NAPTR RR

Load Balancing/Failover
- Basic strategy: multiple RRs
- Mail servers: 2 strategies
  - MX natural failover/load balancing
  - RRs delivered in round-robin order
- BIND provides alternate controls

Mail Servers – MX RRs

    ; mail server Resource Records for the zone (domain)
            3w IN MX 10 mail.example.com.
    ; the second mail server has lower priority and is
    ; external to the zone (domain) - backup
               IN MX 20 mail.example.net.

3w = TTL. Priority 10 simply means you can add a more important mail server with only one change.

Mail Servers – Multiple RRs

    ; zone file fragment
            IN MX 10 mail.example.com.
            IN MX 10 mail1.example.com.
            IN MX 10 mail2.example.com.
    ....
    mail    IN A 192.168.0.4
    mail1   IN A 192.168.0.5
    mail2   IN A 192.168.0.6

OR

    mail    IN A 192.168.0.4
            IN A 192.168.0.5
            IN A 192.168.0.6

Mail Servers
- No difference between the two approaches
- All local mail servers must have access to a common mail filestore
- Backup servers (priority 20) are configured to forward mail to the real (priority 10) mail servers
- MX RRs can be set to very high TTLs
- A or AAAA RRs may change

Mail Server Reverse Map

    ; reverse-map file fragment
    ; for 0.168.192.IN-ADDR.ARPA
    ....
    4    PTR mail.example.com.
    5    PTR mail.example.com.
    6    PTR mail.example.com.

Other Services
- Typically use multiple A (AAAA) RRs
- Multiple RRs with the same name and type are called an RRset
- In the case of the web, the browser will do IP failover in 2 – 3 minutes
- Dynamic updating of the IP with a short TTL will fail over in 30 minutes (MSIE)
- DNS load balances on IP address: works for flat loads
- If transaction loads vary, a load balancer must be used

Load Balance – Multiple RRs

    ; example.com zone file fragment
    ....
    ftp     IN A 192.168.0.4
    ftp     IN A 192.168.0.5
    ftp     IN A 192.168.0.6
    www     IN A 192.168.0.7
    www     IN A 192.168.0.8

OR

    ftp     IN A 192.168.0.4
            IN A 192.168.0.5
            IN A 192.168.0.6
    www     IN A 192.168.0.7
            IN A 192.168.0.8

Parent and Child domains
- The parent of any domain is the next level up in the hierarchy
- The parent contains NS RRs which are not authoritative
- The child contains NS RRs which are authoritative

Parent and Child domains

DNS Subdomain Delegation
www.ramq.example.com
Two methods:
- Full delegation
  - Needs separate name servers
  - Complete control to the delegated authority
  - Method used by the domain system
  - Multiple zone files
- Virtual subdomain
  - Does not need name servers
  - Single zone file to maintain

Parent Zone File

    ; IPv4 zone file for example.com
    $TTL 2d ; default TTL for zone
    $ORIGIN example.com. ; base domain-name
    ; Start of Authority record defining the key characteristics of the zone (domain)
    @       IN SOA ns1.example.com. hostmaster.example.com. (
                    2003080800 ; se = serial number
                    12h        ; ref = refresh
                    15m        ; ret = update retry
                    3w         ; ex = expiry
                    2h         ; min = minimum
                    )
    ; name servers Resource Records for the domain
            IN NS ns1.example.com.
    ; the second name server is
    ; external to this zone (domain).
            IN NS ns2.example.net.
    ; mail server Resource Records for the zone (domain)
         3w IN MX 10 mail.example.com.
    ; the second mail server has lower priority and is
    ; external to the zone (domain)
            IN MX 20 mail.example.net.
    ; domain hosts includes NS and MX records defined previously
    ; plus any others required
    ns1     IN A 192.168.254.2
    mail    IN A 192.168.254.4
    joe     IN A 192.168.254.6
    www     IN A 192.168.254.7
    ; aliases ftp (ftp server) to an external location
    ftp     IN CNAME ftp.example.net.

DNS Subdomain Delegation

    ;; subdomain definitions in the same zone file
    ; $ORIGIN directive simplifies and clarifies definitions
    $ORIGIN ramq.example.com. ; all subsequent RRs use this ORIGIN
    ; two name servers for the subdomain
    @       IN NS ns3.ramq.example.com.
    ; the preceding record could have been written without the $ORIGIN as
    ; ramq.example.com. IN NS ns3.ramq.example.com.
    ; or
    ; @ IN NS ns3
    ; the second name server points back to preceding ns1
            IN NS ns1.example.com.
    ; A records for name server ns3 required - the glue record
    ns3     IN A 10.10.0.24 ; glue record
    ; the preceding record could have been written as
    ; ns3.ramq.example.com. A 10.10.0.24 if it's less confusing

Child Zone File

    ; zone file for subdomain ramq.example.com
    $TTL 2d ; zone default of 2 days
    $ORIGIN ramq.example.com.
    @       IN SOA ns3.ramq.example.com. hostmaster.ramq.example.com. (
                    2003080800 ; serial number
                    2h         ; refresh = 2 hours
                    15m        ; update retry = 15 minutes
                    3w12h      ; expiry = 3 weeks + 12 hours
                    2h20m      ; minimum = 2 hours + 20 minutes
                    )
    ; subdomain name servers
            IN NS ns3.ramq.example.com.
            IN NS ns1.example.com. ; see following notes
    ; subdomain mail server
            IN MX 10 mail.ramq.example.com.
    ; A records for preceding name servers
    ns3     IN A 10.10.0.24
    ns1.example.com. IN A 192.168.0.3 ; 'glue' record
    ; A record for preceding mail server
    mail    IN A 10.10.0.25
    ; next record defines our ftp server
    ftp     IN A 10.10.0.28

Full Subdomain Delegation
- One of the parent's name servers provides NS service (slave): common but not essential
- Mail is also delegated: not essential, could use mail.example.com
- Needs one DNS server in this case (ns3.ramq.example.com)
- Zone file controlled by the delegated authority
- Can delegate further

Virtual Subdomains

    $ORIGIN ramq.example.com.
    @       IN MX 10 mail
    ; preceding record could have been written as
    ; ramq.example.com. IN MX 10 mail.ramq.example.com.
    ; A record for subdomain mail server
    mail    IN A 10.10.0.28
    ; the preceding record could have been written as
    ; mail.ramq.example.com. A 10.10.0.28 if it's less confusing
    ftp     IN A 10.10.0.29
    ; ftp.ramq.example.com. A 10.10.0.29 if it's less confusing
    ....
    ; other subdomain definitions as required
    $ORIGIN mderr.example.com.

Virtual Subdomain
- Requires no new name servers
- Functionally identical to full delegation
- Zone file controlled by the main zone administrators
- Shows delegation of mail: not essential, could use mail.example.com
- Further delegation possible under control of the main zone administrators

GLUE Records
- Widely and erroneously used term
- Glue is an A (AAAA) RR pointing to an authoritative name server for the child zone
- Glue is essential at the parent for in-zone name servers
- All others are technically normal A (AAAA) RRs

Glue – Why Essential?
- Client needs an A RR to get to the host
- Client needs a name server to get the host record
- Client needs the A RR of the name server to get to the name server
- Not required if out-of-zone: a normal lookup for an out-of-zone name server will get that server's own in-zone glue record!
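The glue rule above can be checked mechanically. This added example (not from the slides) parses the zone-file syntax the slides use ($ORIGIN, @, blank owner column, optional TTL and class) and reports every delegation NS name that lies inside its child zone but has no A/AAAA glue; the zone text is constructed from the ramq.example.com delegation plus a made-up second delegation, mderr.example.com, whose glue is deliberately missing.

```python
"""Glue check for a parent zone (added example, not from the slides): parse the
zone-file syntax used on the slides ($ORIGIN, '@', blank owner, optional TTL and
class) and report delegation NS names inside the child zone that lack A/AAAA glue."""
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "SRV", "NAPTR"}

# Constructed zone text: the ramq.example.com delegation from the slides plus a
# made-up second delegation, mderr.example.com, whose glue has been left out.
ZONE = """\
$ORIGIN example.com.
@        IN NS  ns1.example.com.
ns1      IN A   192.168.254.2
$ORIGIN ramq.example.com.          ; all subsequent RRs use this ORIGIN
@        IN NS  ns3.ramq.example.com.
         IN NS  ns1.example.com.   ; out-of-zone: needs no glue here
ns3      IN A   10.10.0.24         ; glue record
$ORIGIN mderr.example.com.
@        IN NS  ns4                ; relative name -> ns4.mderr.example.com.
"""

def qualify(name, origin):
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Yield (owner, rrtype, rdata, origin) per RR; tracks $ORIGIN and inherited owners."""
    owner = origin = origin.lower()
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()     # drop comments
        if not toks:
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1].lower()
            continue
        if not raw[0].isspace():                # blank owner column inherits previous owner
            owner = qualify(toks.pop(0), origin)
        while toks[0] not in RRTYPES:           # skip optional TTL and class fields
            toks.pop(0)
        yield owner, toks[0], toks[1:], origin

def missing_glue(text, zone):
    """Delegation name servers that sit inside their child zone but have no glue."""
    records = list(parse_zone(text, zone))
    have_addr = {o for o, t, _, _ in records if t in ("A", "AAAA")}
    delegations = [(o, qualify(rd[0], org)) for o, t, rd, org in records
                   if t == "NS" and o != zone.lower()]   # apex NS set is not a delegation
    return [ns for owner, ns in delegations
            if ns.endswith("." + owner) and ns not in have_addr]
```

Running missing_glue(ZONE, "example.com.") flags only ns4.mderr.example.com.; ns1.example.com. is outside ramq.example.com and so is resolved by a normal lookup, exactly as the slide states.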

DNS – SRV RR

    srvce.prot.name ttl class rr pri weight port target

- SRV provides a means to find a host that offers a service within a domain
- srvce = symbolic name of the service (standardized by IANA), e.g. _ftp
- prot = protocol name, e.g. _tcp
- name = domain (zone name); can be omitted (substitution)

DNS – SRV RR

    srvce.prot.name ttl class rr pri weight port target

- pri = relative priority; lower is more important, like the MX RR (0 – 65535)
- weight = when pri is the same, defines the frequency of delivery of the SRV (0 – 65535)
- port = the port number of the service (the only time that DNS deals with ports; allows for non-standard ports)

DNS – SRV RR

    srvce.prot.name ttl class rr pri weight port target

- target = name of the host that provides the service

SRV RR

    $ORIGIN example.com.
    .....
    ; left hand name is _http._tcp.example.com = query target
    _http._tcp  SRV 10 1 80 slow.example.com.
                SRV 10 3 80 fast.example.com.
    ; if neither slow or fast available, switch to
    ; an external backup web server but use port 8100 not port 80
                SRV 20 0 8100 backup.example.net.
    slow        A 192.168.254.3
    fast        A 192.168.254.4

SRV RR
- Extensive use made by modern services such as:
  - SIP (VoIP)
  - LDAP
  - Windows AD (Kerberos and others)
- Web browsers rarely use SRV
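How a client turns the pri/weight/port fields into an order of connection attempts is defined in RFC 2782; this added example (not from the slides) implements that selection over the _http._tcp.example.com RRset from the SRV RR slide, embedded as constructed data, so no DNS query is made.

```python
"""SRV target selection as a client does it (RFC 2782), run over the records on
the SRV RR slide. Added example, not from the slides: the RRset below is
constructed from _http._tcp.example.com as shown there; no DNS query is made."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

RRSET = [                                      # constructed from the slide
    SRV(10, 1, 80, "slow.example.com."),
    SRV(10, 3, 80, "fast.example.com."),
    SRV(20, 0, 8100, "backup.example.net."),   # external backup, non-standard port
]

def weighted_order(group, rng):
    """Order one priority group by repeated RFC 2782 weighted selection."""
    remaining, ordered = list(group), []
    while remaining:
        # RFC 2782: zero-weight RRs are placed first so they are rarely chosen
        remaining.sort(key=lambda r: r.weight != 0)
        total = sum(r.weight for r in remaining)
        point = rng.randint(0, total)          # uniform in [0, total], inclusive
        running = 0
        for rr in remaining:
            running += rr.weight
            if running >= point:               # first RR whose running sum reaches point
                break
        ordered.append(rr)
        remaining.remove(rr)
    return ordered

def try_order(rrset, unavailable=frozenset(), seed=None):
    """(target, port) pairs in the order a client should try them; a higher
    priority value is reached only after every target in the lower group failed."""
    rng = random.Random(seed)
    live = [r for r in rrset if r.target not in unavailable]
    order = []
    for prio in sorted({r.priority for r in live}):
        group = [r for r in live if r.priority == prio]
        order.extend((r.target, r.port) for r in weighted_order(group, rng))
    return order

if __name__ == "__main__":
    print(try_order(RRSET, seed=1))
    print(try_order(RRSET, unavailable={"slow.example.com.", "fast.example.com."}))
```

With weights 1 and 3, fast.example.com. is picked first roughly three times as often as slow.example.com., and backup.example.net.:8100 is attempted only once both priority-10 hosts are down.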

NAPTR RRs

    NAPTR order pref flag params regexp replace

- NAPTR (Naming Authority Pointer Record) is a general purpose RR for the Dynamic Delegation Discovery System (DDDS). Sister of SRV. Application-unique format.
- order = low is highest, like MX
- pref = if order is the same, pref (lower is highest) is used to find the best RR

NAPTR RRs

    NAPTR order pref flag params regexp replace

- flag = Optional. Enclosed in quotes. Unique to application
- params = Optional. Enclosed in quotes. Unique to application
- regexp = regular expression applied to the Application User String (AUS)

NAPTR RRs

    NAPTR order pref flag params regexp replace

- replace = Replaces the Application User String (AUS). Dot if not used.

ENUM Use of NAPTR
- ENUM is a service which allows a telephone number to be converted into one or more methods to reach a human
- Domain name is .e164.arpa
- Assume we want to contact +44-111-555-1212 (AUS = +441115551212)
- First Well Known Rule (ENUM specific) creates 2.1.2.1.5.5.5.1.1.1.4.4.E164.ARPA – DNS lookup

ENUM Use of NAPTR

ENUM Use of NAPTR

    ; zone file fragment for 5.5.5.1.1.1.4.4.E164.ARPA
    $TTL 2d ; zone TTL default = 2 days or 172800 seconds
    $ORIGIN 5.5.5.1.1.1.4.4.E164.ARPA.
    ....
    2.1.2.1 NAPTR ( 10        ; order
                    100       ; preference
                    "U"       ; flag
                    "E2U+sip" ; svc
                    "!^\\+44111555(.+)$!sip:7\\1@sip.example.com!" ; ere
                    . )       ; replace
            NAPTR 10 101 "u" "E2U+pres" "!^.*$!mailto:sheila@example.com!" .

ENUM Result
- First NAPTR RR gives sip:71212@sip.example.com
- If this fails, the second NAPTR gives mailto:sheila@example.com
      "!^.*$!mailto:sheila@example.com!"

Regular Expression Quick Key
- ! = delimiter
- () = group
- $ = EoL (end of line)
- \1 = backref (group)
- ^ = SoL (start of line)
- + = 1 or more times
- * = 0 or more times
- \ escaped for DNS only (\\1); on-wire escape char removed (\1)
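The whole ENUM walk-through from the three preceding slides, as an added example that is not part of the original presentation: the First Well Known Rule builds the e164.arpa name, the two NAPTR RRs from the zone fragment are ordered by order/pref and their regexp fields applied to the AUS, and the zone-file escaping step is made explicit (the doubled backslash in the file is a single backslash on the wire). The NAPTR data is constructed inline from the slide; the lookup name is produced in lower case, which DNS treats as equivalent to the slide's E164.ARPA.

```python
"""ENUM resolution walk-through (added example, not from the slides): First Well
Known Rule, then the slide's NAPTR RRs applied to the AUS in order/pref order,
including zone-file unescaping (a doubled backslash in the file is one on the wire).
The NAPTR data is constructed inline; no DNS query is made."""
import re

def first_well_known_rule(e164):
    """'+44-111-555-1212' -> '2.1.2.1.5.5.5.1.1.1.4.4.e164.arpa'."""
    digits = e164.lstrip("+").replace("-", "")
    return ".".join(reversed(digits)) + ".e164.arpa"

def unescape_zone_text(s):
    """Master-file character-string: a doubled backslash is a single one on the wire."""
    return s.replace("\\\\", "\\")

def apply_naptr_regexp(regexp_field, aus):
    """Apply a NAPTR regexp 'delim ERE delim replacement delim [flags]' to the AUS.
    Returns the rewritten string, or None when the ERE does not match. Assumes the
    delimiter does not itself occur inside the ERE or the replacement."""
    wire = unescape_zone_text(regexp_field)
    delim = wire[0]
    ere, repl, flags = wire[1:].split(delim, 2)
    m = re.compile(ere, re.IGNORECASE if "i" in flags else 0).search(aus)
    return m.expand(repl) if m else None       # \1 in repl is the captured group

# Constructed from the slide: (order, pref, flags, service, regexp) for
# 2.1.2.1.5.5.5.1.1.1.4.4.e164.arpa, regexp written exactly as in the zone file.
NAPTRS = [
    (10, 101, "u", "E2U+pres", r"!^.*$!mailto:sheila@example.com!"),
    (10, 100, "U", "E2U+sip",  r"!^\\+44111555(.+)$!sip:7\\1@sip.example.com!"),
]

def resolve_enum(e164, naptrs):
    """[(service, URI), ...] best first, for terminal ('U'/'u') NAPTR RRs only."""
    aus = "+" + e164.lstrip("+").replace("-", "")   # AUS as on the slide
    results = []
    for order, pref, flag, service, regexp in sorted(naptrs, key=lambda r: r[:2]):
        if flag.lower() != "u":
            continue                                # non-terminal rules would need a new lookup
        uri = apply_naptr_regexp(regexp, aus)
        if uri is not None:
            results.append((service, uri))
    return results

if __name__ == "__main__":
    print(first_well_known_rule("+44-111-555-1212"))
    print(resolve_enum("+44-111-555-1212", NAPTRS))
```

The result list is [("E2U+sip", "sip:71212@sip.example.com"), ("E2U+pres", "mailto:sheila@example.com")], matching the ENUM Result slide: the SIP URI first because pref 100 beats pref 101, the mailto fallback second.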

Quick Quiz
- Normal strategy for load balancing?
- MX failover/load balancing strategies?
- Does virtual subdomain delegation require name servers?
- What is the parent of ramq.example.com?
- Are NS RRs in the parent authoritative?
- Are GLUE records necessary for out-of-zone name servers?
- What do SRV records do?

Zone File Exercise
Zone files for domain delegation:
- Full delegation
- Parent is gov.lc
- Child is nic.gov.lc
- Mail will go to the parent domain
- Two NS servers: ns1.nic.gov.lc, ns2.nic.gov.lc