Zone transfer and dns-express

Zone transfer and dns-express
Jing Lin, 2011.9.19, V1.0

Version: 1.0   Date: 2011.9.19   Author: Jing Lin   Note: -

Zone transfer
Slave name servers pull zone files from the master name server. There are two types of zone transfer, AXFR and IXFR: AXFR is a full zone transfer, IXFR is an incremental transfer.

Zone transfer
When a slave name server starts up for the first time, it requests an AXFR from the master server. After the first transfer has finished, the slave checks whether there is an update on the master by sending an IXFR request; the checking interval is the refresh value of the SOA record. It falls back to AXFR if the master does not support IXFR. BIND supports both AXFR and IXFR by default.

notify
To let slave servers learn about updates from the master as soon as possible, the master sends out NOTIFY messages to all slave servers. By default the master only sends NOTIFY messages to the slave servers defined in the zone file (its NS records). The "also-notify {ip port;}" statement makes the master also send NOTIFY to the listed servers in addition to the slaves in the zone. When a slave server gets a NOTIFY, it sends an SOA query to the master and compares the master's serial number with its own; if the master's serial number is greater, the slave starts an IXFR, and if the IXFR fails it uses AXFR instead.
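The slave-side decision described above, written out as an added example that is not part of the original slides: the serial comparison uses RFC 1982 serial-number arithmetic (so a serial that wrapped past 2^32 still counts as newer), and the master's serial and IXFR support are passed in as parameters instead of coming from a real SOA query.

```python
# Added example, not from the original slides: what a slave decides after a
# NOTIFY or at SOA refresh time. Serial comparison follows RFC 1982, so a
# serial that wrapped past 2^32 is still treated as newer than the old one.
# The master's serial and IXFR support are assumed inputs (no real SOA query).
SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 arithmetic."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def decide_transfer(local_serial: int, master_serial: int,
                    master_supports_ixfr: bool) -> str:
    """Return 'none', 'ixfr' or 'axfr' for the slave's next action."""
    if not serial_gt(master_serial, local_serial):
        return "none"            # serials equal (or master older): nothing to do
    return "ixfr" if master_supports_ixfr else "axfr"


def refresh_cycle(local_serial: int, master_serial: int,
                  master_supports_ixfr: bool = True, ixfr_fails: bool = False):
    """Simulate one SOA check; returns (action taken, slave's serial afterwards)."""
    action = decide_transfer(local_serial, master_serial, master_supports_ixfr)
    if action == "ixfr" and ixfr_fails:
        action = "axfr"          # IXFR failed: fall back to a full transfer
    if action == "none":
        return action, local_serial
    return action, master_serial  # transfer done, slave is now at the master's serial


if __name__ == "__main__":
    # serials taken from the slides' example zone
    print(refresh_cycle(2011091917, 2011091918))                    # ('ixfr', 2011091918)
    print(refresh_cycle(2011091917, 2011091918, ixfr_fails=True))   # ('axfr', 2011091918)
```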

Master
Master server configuration:

  zone "cnadn.net" {
      type master;
      allow-transfer {192.168.209.72;192.168.209.188;};
      //file "/etc/bind/db.cnadn.net.signed";
      file "/etc/bind/db.cnadn.net";
  };

By default BIND allows any host to run an AXFR against it, so be careful with this. You can disable allow-transfer globally (in the options block) and enable it only in each specific zone, as above. "dig @master cnadn.net axfr" tests whether an AXFR is permitted.

=======
  $TTL 60 ; default TTL, 60 seconds
  $ORIGIN cnadn.net.
  @ 1D IN SOA ns1 hostmaster (
      2011091917 ; serial
      1m         ; refresh
      15         ; retry
      1w         ; expire
      3h         ; minimum
      )
    IN NS ns1 ; in the domain
    IN NS ns2
    IN NS ns3
  ns1 IN A 192.168.209.71 ; name server definition
  ns2 IN A 192.168.209.72 ; slave
  ns3 IN A 192.168.209.188 ; gtm v11
  www IN A 30.30.30.30 ; web server definition
  ftp IN CNAME www.example.net. ; ftp server definition
  mail IN A 10.10.10.10
  ; subdomain delegation
  sub IN NS ns1.sub.cnadn.net.
  ns1.sub.cnadn.net. IN A 192.168.209.45 ; glue record for the delegated name server
=============

Slave
Slave server configuration:

  zone "cnadn.net" {
      type slave;
      masters {192.168.209.71;};
      //file "/etc/bind/db.cnadn.net.signed";
      file "slave.db.cnadn.net";
  };

When setting up a new slave server, the only work is to edit named.conf; the zone file is written out after the first successful zone transfer.

DNS Express

GTM DNS express
Pulls DNS zones into memory and answers directly from RAM, which improves performance significantly.
It is an LTM function, not only for the GTM module.
Supports all kinds of RR types, but not AXFR and IXFR, which means you cannot run AXFR/IXFR against dns express.
Supports TSIG, and supports being notified.
Does NOT support views.
Supports IPv6 and TCP/UDP.
Supports DNSSEC??? (Should do; will verify it in another ppt.)

How dns express works
It actually lives in TMM. zxfrd, a new process in v11, controls the zxfrd.bin file. TMM reads a binary DB file from /var/db/tmmdns.bin. When an update happens, zxfrd.bin is updated first; some time later tmmdns.bin is written by zxfrd. In the end these two files should be the same.

How dns express works
This diagram describes the inner workings of DNS Express in detail. zxfrd, the zone transfer daemon, is responsible for performing zone transfers with the authoritative DNS server. The results of the zone transfer are stored in a memory-mapped segment which is serialized to disk (/var/db/zxfrd.bin). zxfrd registers with MCPD to receive information about when and what to query, and to send notice to TMM that the zone DB has been updated. When TMM receives notification that the zone on the authoritative server has been updated (DNS NOTIFY), TMM informs MCPD, which looks up the zone's notify-action for the domain; if it is set to consume or repeat, MCPD proxies the update request to zxfrd. Upon receiving the update request, zxfrd initiates a zone transfer (via IXFR) from the authoritative DNS server. The results of the zone transfer are committed to the zone DB. Next, zxfrd notifies MCPD that the zone transfer has completed, and MCPD proxies the notification to TMM, upon which TMM re-reads the zone DB. In summary, MCPD facilitates event notification (e.g., updates, configuration) and zxfrd handles the zone transfer and updates the memory-mapped segment which TMM reads from.

Zxfrd state transitions

DNS request match rule
When BIG-IP receives a DNS request:
1. Check whether it matches a wideip (GTM module). If yes, follow the wideip configuration to answer the request. If no, go to step 2.
2. Check whether it matches a dns-express zone. If yes, TMM answers directly from the dns-express zone. If no, go to step 3.
3. Check the listener VS to decide whether the request needs to be sent to a backend DNS server (pool member).

DNS express troubleshooting
Check /var/log/ltm and grep for zxfrd logs.
Check the zxfrd process status with "bigstart status zxfrd".
zxfrd listens on ::1:5353.
Zone transfer uses tcp:53.

Sample logs
When the master refuses BIG-IP's AXFR/IXFR:

  Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531010:3: Transfer of zone cnadn.net failed b/c there are no records.
  Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531015:3: Failed to retrieve next RR in XFR for zone cnadn.net.
  Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
  Sep 18 10:46:31 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
  Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531010:3: Transfer of zone cnadn.net failed b/c there are no records.
  Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531015:3: Failed to retrieve next RR in XFR for zone cnadn.net.
  Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
  Sep 18 10:46:36 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.

The logs above are based on the following situation: the TCP level is OK, but the master does not include BIG-IP in allow-transfer.

Sample logs (continued)
After the master allows BIG-IP to transfer:

  Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
  Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.

Regular checking at the SOA refresh interval:

  Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531025:5: Serials equal (2011091901); transfer for zone cnadn.net complete.
  Sep 18 10:56:06 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
  Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.

Sample logs (continued)
When BIG-IP finds that the master's serial number is greater:

  Sep 18 11:05:06 ltm6900-1 debug zxfrd[6393]: 01531206:7: Cleared zone cnadn.net from db.
  Sep 18 11:05:06 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
  Sep 18 11:05:06 ltm6900-1 debug zxfrd[6393]: 01531203:7: Scheduling DB dump with zone cnadn.net.
  Sep 18 11:05:06 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
  Sep 18 11:05:06 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 180s for cnadn.net from 192.168.209.71.

Although the logs say AXFR, it is actually an IXFR. The master's log shows:

  Sep 18 15:05:32 bind named[4686]: client 192.168.209.188#41263: transfer of 'cnadn.net/IN': AXFR-style IXFR started
  Sep 18 15:05:32 bind named[4686]: client 192.168.209.188#41263: transfer of 'cnadn.net/IN': AXFR-style IXFR ended

Sample logs (continued)
When a NOTIFY message is received:

  Sep 18 11:21:23 ltm6900-1 notice zxfrd[6393]: 0153101c:5: Handling NOTIFY for zone cnadn.net.
  Sep 18 11:21:23 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
  Sep 18 11:21:23 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
  Sep 18 11:21:28 ltm6900-1 debug zxfrd[6393]: 01531206:7: Cleared zone cnadn.net from db.
  Sep 18 11:21:28 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
  Sep 18 11:21:28 ltm6900-1 debug zxfrd[6393]: 01531203:7: Scheduling DB dump with zone cnadn.net.
  Sep 18 11:21:28 ltm6900-1 debug zxfrd[6393]: 01531008:7: Resetting transfer state for zone cnadn.net.
  Sep 18 11:21:28 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 60s for cnadn.net from 192.168.209.71.

You must set up a listener before BIG-IP can handle NOTIFY messages. Either a GTM listener or an LTM VS will do, but both need a DNS profile with dns-express enabled.
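A small parser for the zxfrd log lines shown in the sample-log slides above, added here as an example and not part of the original deck: it pulls the message code, zone, source and scheduling delay out of each line, and flags a zone whose transfer attempts keep failing with 01531018 before any 0153101f success, which is the "master does not allow BIG-IP in allow-transfer" situation from the first sample. The sample lines are copied from the slides; the message-code meanings are only those the slides show.

```python
import re
from collections import Counter

# Added example, not from the slides. Line shape as seen in /var/log/ltm above:
#   "<ts> <host> <level> zxfrd[<pid>]: <code>:<sev>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+(?P<level>\w+)\s+"
    r"zxfrd\[(?P<pid>\d+)\]:\s+(?P<code>[0-9a-f]{8}):(?P<sev>\d):\s+(?P<msg>.*)$"
)
FAIL_CODE, OK_CODE = "01531018", "0153101f"   # codes taken from the slides


def _after(words, key, skip=()):
    """Word following `key` (trailing punctuation stripped), or None."""
    for i, w in enumerate(words[:-1]):
        if w == key and words[i + 1] not in skip:
            return words[i + 1].rstrip(".,;")
    return None


def parse_line(line):
    """Return a dict of fields for one zxfrd log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    words = rec["msg"].split()
    # "zone transfer" is a phrase, so the zone name may follow "for" instead
    rec["zone"] = _after(words, "zone", skip=("transfer",)) or _after(words, "for")
    src = _after(words, "from")
    rec["source"] = src if src and re.fullmatch(r"[\d.]+", src) else None
    delay = re.search(r"\bin (\d+)s\b", rec["msg"])
    rec["delay_s"] = int(delay.group(1)) if delay else None
    serial = re.search(r"\((\d+)\)", rec["msg"])
    rec["serial"] = int(serial.group(1)) if serial else None
    return rec


def summarize(lines):
    """Count message codes per zone and list zones still failing to transfer."""
    codes, failing, flagged = Counter(), Counter(), set()
    for rec in filter(None, map(parse_line, lines)):
        codes[(rec["zone"], rec["code"])] += 1
        if rec["code"] == FAIL_CODE:
            failing[rec["zone"]] += 1
            if failing[rec["zone"]] >= 2:      # two failed attempts with no success
                flagged.add(rec["zone"])
        elif rec["code"] == OK_CODE:            # a success clears the alarm
            failing[rec["zone"]] = 0
            flagged.discard(rec["zone"])
    return {"codes": dict(codes), "transfer_still_failing": sorted(flagged)}


# Lines copied from the slides: refused transfer, then success after allow-transfer was fixed
SAMPLE = """\
Sep 18 10:46:31 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
Sep 18 10:46:31 ltm6900-1 notice zxfrd[6393]: 01531023:5: Scheduling zone transfer in 5s for cnadn.net from 192.168.209.71.
Sep 18 10:46:36 ltm6900-1 err zxfrd[6393]: 01531018:3: Failed to transfer zone cnadn.net from 192.168.209.71, will attempt AXFR.
Sep 18 10:47:06 ltm6900-1 notice zxfrd[6393]: 0153101f:5: AXFR Transfer of zone cnadn.net from 192.168.209.71 succeeded.
Sep 18 10:56:06 ltm6900-1 notice zxfrd[6393]: 01531025:5: Serials equal (2011091901); transfer for zone cnadn.net complete.
""".splitlines()
```

Running summarize over the first three sample lines reports cnadn.net as still failing; over all five lines the later success clears it.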

Verify dns-express status
Check the statistics of the dns-express zone from the GUI, with the data format set to unformatted. Check the dns-express zone colour; it should be green. Or use tmsh:

  [root@ltm6900-1:Standby] db # tmsh show ltm dns dns-express
  --------------------------------
  Ltm::DNS-Express Zone: cnadn.net
  Status
    Availability : available
    State        : enabled
    Reason       : Successful IXFR.
  SOA Attributes
    Serial  : 2011091918
    Refresh : 60
    Retry   : 15
    Expire  : 604800
  Resource Records (11 total)
    A     6
    NS    4
    CNAME 1

Dump dns-express to a file
Run the command below; the result is shown on the terminal.

  [root@ltm6900-1:Standby] db # dnsxdump
  DNS-Express DB Dump
  -= Region Stats =-
  memory: 132 objects (132 small/0 large), 5600 bytes allocated (71 wasted) in 2 chunks, 1 cleanups, 216 in recyclebin
  17 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
  -= DB Dump =-
  Domain: .
  Domain: net.
  Domain: cnadn.net.
  cnadn.net. 60 IN NS ns1.cnadn.net
  cnadn.net. 60 IN NS ns2.cnadn.net
  cnadn.net. 60 IN NS ns3.cnadn.net
  cnadn.net. 86400 IN SOA ns1.cnadn.net hostmaster.cnadn.net 2011091918 60 15 604800 10800
  Domain: ftp.cnadn.net.
  ftp.cnadn.net. 60 IN CNAME www.example.net
  Domain: hostmaster.cnadn.net.
  Domain: mail.cnadn.net.
  mail.cnadn.net. 60 IN A 10.10.10.10
  Domain: ns1.cnadn.net.
  ns1.cnadn.net. 60 IN A 192.168.209.71
  Domain: ns2.cnadn.net.
  ns2.cnadn.net. 60 IN A 192.168.209.72
  Domain: ns3.cnadn.net.
  ns3.cnadn.net. 60 IN A 192.168.209.188
  Domain: sub.cnadn.net.
  sub.cnadn.net. 60 IN NS ns1.sub.cnadn.net
  Domain: ns1.sub.cnadn.net.
  ns1.sub.cnadn.net. 60 IN A 192.168.209.45
  Domain: www.cnadn.net.
  www.cnadn.net. 60 IN A 30.30.30.30
  Domain: example.net.
  Domain: www.example.net.
  -= DB Stats =-
  RR Count: 12
  Name Count: 14
  RR Count by Type:
  A: 6
  NS: 4
  CNAME: 1
  SOA: 1

Debug zxfrd
Turn on zxfrd debug with "tmsh modify sys db log.zxfrd.level value debug" (the default is notice). Output will be in /var/tmp/zxfrd.out:

  ////////// SEND_QUERY START
  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 54887
  ;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; cnadn.net. IN IXFR
  ;; ANSWER SECTION:
  ;; AUTHORITY SECTION:
  cnadn.net. 86400 IN SOA ns1.cnadn.net hostmaster.cnadn.net 2011091903 60 15 604800 10800
  ;; ADDITIONAL SECTION:
  ;; Query time: 0 msec
  ;; WHEN: Wed Dec 31 16:00:00 1969
  ;; MSG SIZE rcvd: 0
  ////////// SEND_QUERY END
  ////////// GET_PKT START
  ;; flags: qr aa ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
  cnadn.net. 86400 IN SOA ns1.cnadn.net hostmaster.cnadn.net 2011091904 60 15 604800 10800
  cnadn.net. 60 IN NS ns1.cnadn.net
  cnadn.net. 60 IN NS ns2.cnadn.net
  cnadn.net. 60 IN NS ns3.cnadn.net
  ftp.cnadn.net. 60 IN CNAME www.example.net
  mail.cnadn.net. 60 IN A 10.10.10.10
  ns1.cnadn.net. 60 IN A 192.168.209.71
  ns2.cnadn.net. 60 IN A 192.168.209.72
  ns3.cnadn.net. 60 IN A 192.168.209.188
  sub.cnadn.net. 60 IN NS ns1.sub.cnadn.net
  ns1.sub.cnadn.net. 60 IN A 192.168.209.45
  www.cnadn.net. 60 IN A 30.30.30.30
  ;; WHEN: Sun Sep 18 11:21:28 2011
  ;; MSG SIZE rcvd: 321
  ////////// GET_PKT END
  TMMDNS DB PRINT
  -= Region Stats =-
  89 objects (89 small/0 large), 3568 bytes allocated (71 wasted) in 1 chunks, 0 cleanups, 88 in recyclebin
  3 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
  -= Zone RR Stats =-
  cnadn.net (Total RRs: 11) A: 6 NS: 4 CNAME: 1
  -= DB Dump =-
  Domain: .
  Domain: net.
  Domain: cnadn.net.
  Domain: ftp.cnadn.net.
  Domain: hostmaster.cnadn.net.
  Domain: mail.cnadn.net.
  Domain: ns1.cnadn.net.
  Domain: ns2.cnadn.net.
  Domain: ns3.cnadn.net.
  Domain: sub.cnadn.net.
  Domain: ns1.sub.cnadn.net.
  Domain: www.cnadn.net.
  Domain: example.net.
  Domain: www.example.net.
  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25070
  ;; flags: qr aa ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
  ;; WHEN: Sun Sep 18 11:22:28 2011
  ;; MSG SIZE rcvd: 78
  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1951

Note that the IXFR request carries BIG-IP's current SOA (serial 2011091903) in the authority section, and the master answers with the whole zone at serial 2011091904: this is the "AXFR-style IXFR" seen in the master's log earlier.

How to configure dns-express
1. Create a DNS profile and enable dns-express in it, from the LTM menu.
2. Create a GTM listener or a DNS VS and associate it with the DNS profile.
3. Create a dns-express zone: the target IP is the master server; if using TSIG, select a TSIG key for the zone. Leave Notify as "consume".