Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.

What does DNS provide?
A hierarchical namespace for hosts and IP addresses
A host table implemented as a distributed database
A "resolver" – library routines that query this database
Improved routing for
A mechanism for finding services on a network
A protocol for exchanging naming information

BIND
Berkeley Internet Name Domain System
An implementation of DNS for UNIX
Maintained by the Internet Software Consortium (renamed the Internet Systems Consortium in 2004)
Has been ported to Windows NT

DNS Namespace
There are two types of top-level domains (TLDs):
–Generic top-level domains (gTLDs) such as com, org, and net group names by the type of organization or activity; in 2002 they were used primarily within the United States
–Country-code TLDs (ccTLDs) are two-letter codes such as uk or de, and are used mainly by organizations outside the United States

Naming Tree
The forward-mapping branch maps hostnames to IP addresses and uses forward zone files.
The reverse-mapping branch (in-addr.arpa) maps IP addresses back to hostnames and uses reverse zone files.

Domain Names
Domain names are case insensitive.
An Internet host's fully qualified name is formed by appending its domain name to its hostname.
Within the DNS system, fully qualified names are terminated by a dot, but this dot is generally hidden from ordinary users.
Names without a terminating dot are relative names: the resolver completes them by appending the domains in its search list, and a zone file completes them with the current $ORIGIN.

Components of BIND
A daemon called named that answers queries
Library routines that resolve host queries by contacting the servers of the DNS distributed database
Command-line interfaces to DNS: nslookup, dig, and host

named
It answers queries about hostnames and IP addresses
If it does not know the answer to a query, it asks other servers and caches the response
It performs "zone transfers" to copy data among the servers of a domain

Authoritative and Caching-only Servers
Each zone has one master name server that keeps the official copy of the zone's data on disk.
A slave server gets its data from the master server through a "zone transfer" operation.
A stub server is a slave that loads only the NS records from the master.
A caching-only name server loads the addresses of the root servers from a "hints" file at startup and accumulates the rest of its data by caching answers to the queries it resolves. It is authoritative for no zone.

Recursive and Nonrecursive Servers
If a nonrecursive server has the answer to a query cached from a previous transaction, or is authoritative for the domain to which the query pertains, it provides the appropriate response. Otherwise, instead of returning the real answer, it returns a referral to the authoritative servers of another domain that are more likely to know the answer.
A recursive server returns only real answers or error messages. It follows referrals itself, relieving the client of the responsibility.
A server that recurses for anyone on the Internet is doing work, and exposing its cache, on behalf of strangers; use the access-control statements described later to limit recursion to your own clients.

Negative Caching
Perhaps 60% of DNS queries are for nonexistent data
Negative caching saves answers of the following types:
–No host or domain matches the name queried
–The type of data requested does not exist for this host
–The server to ask is not responding
–The server is unreachable because of network problems

Resolver Configuration
Each host on the network has a file called /etc/resolv.conf that lists the DNS servers the host should query.
Format:
search domainname ...
nameserver ipaddress
Example:
search cs.colorado.edu colorado.edu ee.colorado.edu
nameserver ; ns
nameserver ; piper
nameserver ; anchor

Hardware Requirements
BIND is a memory hog.
IPv6 and DNSSEC in BIND 9 are CPU-intensive.
To determine if a server has enough memory, let it run for a while and watch the size of the named process. It will take a week or two to converge on a stable size at which old cache records are expiring at about the same rate as new ones are being inserted.

Configuration Files
The complete configuration for named consists of the config file (named.conf), the hints file, and, for master servers, the zone data files that contain address mappings for each host.
The configuration file specifies the role (master, slave, or stub) of this host relative to each zone and the way in which it should get its copy of the resource records that make up the local part of the database.

Statement Types in named.conf
include – Interpolates a file (e.g., trusted keys readable only by named)
options – Sets global name server configuration options and defaults
server – Specifies per-server options
key – Defines authentication information
acl – Defines access control lists
zone – Defines a zone of resource records

Statement Types in named.conf (continued)
trusted-keys – Uses preconfigured keys
controls – Defines channels used to control the name server with ndc (BIND 8) or rndc (BIND 9)
logging – Specifies logging categories and their destinations
view – Defines a view of the namespace (BIND 9 only)

DNS Database
A set of text files maintained by the system administrator on the domain's master name server
Contain two types of entries:
–parser commands
–resource records (RRs)

Zone Records
SOA – Start of Authority – Defines a DNS zone of authority
NS – Name Server – Identifies zone servers, delegates subdomains

Basic Records
A – IPv4 Address – Name-to-address translation
AAAA – IPv6 Address – Name-to-IPv6-address translation (RFC 1886, later RFC 3596); this is the standard IPv6 address record
A6 – IPv6 Address – An alternative IPv6 record (RFC 2874) supported by BIND 9 only; it was later moved to experimental status (RFC 3363) and should not be used in new zones
PTR – Pointer – Address-to-name translation
DNAME – Redirection – Redirection for reverse IPv6 lookups (V9 only)
MX – Mail Exchanger – Controls mail routing

Security Records
KEY – Public Key – Public key for a DNS name
NXT – Next – Used with DNSSEC for authenticated negative answers
SIG – Signature – Signature over a set of records, proving that zone data is authentic
These are the RFC 2535 record types. The current DNSSEC specification (RFCs 4033 through 4035) replaced them with DNSKEY, NSEC (later also NSEC3) and RRSIG, so zones signed today use those names instead.

Optional Records
CNAME – Canonical Name – Nicknames or aliases for a host
LOC – Location – Geographic location and extent
RP – Responsible Person – Specifies per-host contact info
SRV – Services – Gives locations of well-known services
TXT – Text – Comments or untyped information

Commands in Zone Files
$ORIGIN domain-name – Sets the origin that is appended to relative (non-dot-terminated) names in the records that follow
$INCLUDE filename – The specified file is read into the database at the point of the directive
$TTL default-ttl – Sets a default value for the time-to-live field of the records that follow it
$GENERATE lots-of-args – Provides a simple way to generate a series of similar records (a BIND extension, not part of the RFC 1035 zone format)

Updating Zone Files
When you make a change to a domain (such as adding or deleting a host):
–The data files on the master server must be updated
–You must increment the serial number in the SOA record for the zone; slaves compare serials to decide whether to transfer, so an unchanged serial means the change never propagates
–Run ndc reload (BIND 8) or rndc reload (BIND 9) to signal named to pick up the changes
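The serial-number step above is the one that is easiest to get subtly wrong, because slaves compare serials with RFC 1982 serial-number arithmetic (32-bit, wrapping), not plain integer comparison. The following script is an added example written for this page, not code from the book or from BIND: it locates the SOA serial in a zone file, bumps it using the common YYYYMMDDnn convention (falling back to old+1 when the date-based value would not count as "greater"), and checks the result with serial arithmetic before rewriting the file. The zone text and names in it are constructed placeholders.

```python
"""Bump the SOA serial of a zone file (added example; not from the original page).

Slaves use RFC 1982 serial-number arithmetic (32-bit, wrapping) to decide whether
a master's serial is newer. A "new" serial that is not greater in that sense is
silently ignored and no zone transfer happens. The YYYYMMDDnn convention used
here is a common one, not a requirement of the protocol.
"""
import re
from datetime import date

# Constructed sample zone for example.com (names and addresses are placeholders).
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN example.com.
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2002061801  ; serial (YYYYMMDDnn)
                10800       ; refresh
                3600        ; retry
                604800      ; expire
                86400 )     ; minimum / negative-caching TTL
        IN  NS  ns1.example.com.
ns1     IN  A   192.0.2.1
www     IN  A   192.0.2.10
"""

# The first number after the SOA's opening parenthesis is the serial.
_SERIAL_RE = re.compile(r"(\bSOA\b[^()]*\(\s*)(\d+)")

SERIAL_MODULUS = 2 ** 32


def find_serial(zone_text):
    """Return the SOA serial as an int, or raise if no parenthesised SOA is found."""
    m = _SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a parenthesised serial found")
    return int(m.group(2))


def serial_greater(new, old):
    """RFC 1982: `new` is greater than `old` if it is 1..2^31-1 ahead modulo 2^32."""
    diff = (new - old) % SERIAL_MODULUS
    return 0 < diff < 2 ** 31


def next_serial(old, today_yyyymmdd=None):
    """Next serial in YYYYMMDDnn form; fall back to old+1 (mod 2^32) when the
    date-based value would not be greater than the current serial (for example
    when the zone was already edited today, or uses a plain counter)."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    candidate = today_yyyymmdd * 100
    if serial_greater(candidate, old):
        return candidate
    return (old + 1) % SERIAL_MODULUS


def bump_serial(zone_text, today_yyyymmdd=None):
    """Return (new_zone_text, old_serial, new_serial) with the serial replaced in place."""
    old = find_serial(zone_text)
    new = next_serial(old, today_yyyymmdd)
    # Refuse to write a serial that slaves would not treat as newer.
    assert serial_greater(new, old), "new serial would not trigger a transfer"
    new_text = _SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1)
    return new_text, old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, 20020618)
    print(f"serial {old} -> {new}")
    print(text)
```

After writing the new file, the reload (ndc reload or rndc reload) is still required; the script only prepares the data. The fallback branch matters in practice: a zone that already carries a serial above today's date (an old "seconds since the epoch" scheme, say) cannot be moved back to YYYYMMDDnn in one step without the slaves ignoring it.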

Security Features in named.conf
allow-query (options, zone) – Who can query a zone or server
allow-transfer (options, zone) – Who can request zone transfers
allow-update (zone) – Who can make dynamic updates
blackhole (options) – Which servers to ignore completely
bogus (server) – Which servers should never be queried
acl (various) – Access control lists
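The statements above are easier to judge side by side. The following named.conf fragment is an added example written for this page (not from the book or from BIND's distribution): a permissive configuration of the kind many servers ran in 2002, followed by a hardened version of the same zone. All addresses, ACL names, the key name and the key material are placeholders; hmac-sha256 needs BIND 9.3 or later (hmac-md5 was the only TSIG algorithm available in 2002), and allow-recursion is a BIND option not listed on the slide.

```conf
// Added example (not from the original page): weak settings beside hardened ones.
// Addresses, names and the key are placeholders.

// --- Weak: what an unconfigured server effectively does ---
options {
    directory "/var/named";
    // No allow-query: anyone on the Internet may query, and get recursion.
    // No allow-transfer: anyone may AXFR every zone and enumerate all hosts.
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };               // anyone can rewrite the zone dynamically
};

// --- Hardened ---
acl "internal"      { 192.0.2.0/24; 2001:db8::/32; localhost; };
acl "secondaries"   { 192.0.2.2; 198.51.100.2; };
acl "bogon-sources" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

key "xfer-key" {                         // TSIG shared secret (see the next slide)
    algorithm hmac-sha256;               // BIND 9.3+; hmac-md5 on older versions
    secret "c2VjcmV0LWtleS1mb3ItZXhhbXBsZS1vbmx5";   // placeholder base64
};

options {
    directory "/var/named";
    allow-query     { any; };            // authoritative data may be public ...
    allow-recursion { "internal"; };     // ... but recurse only for our own clients
    allow-transfer  { none; };           // default for every zone: no transfers
    blackhole       { "bogon-sources"; };   // drop packets from these sources entirely
};

server 203.0.113.9 { bogus yes; };       // never send queries to this server

zone "example.com" {
    type master;
    file "example.com.zone";
    // Require BOTH a known slave address AND a valid TSIG signature:
    // the inner list matches everything that is not a secondary, and the
    // leading "!" turns that into a rejection before the key is consulted.
    allow-transfer { !{ !"secondaries"; any; }; key "xfer-key"; };
    allow-update   { key "xfer-key"; };  // dynamic updates only with the TSIG key
};
```

Check the syntax with named-checkconf before reloading, then verify the policy from the outside rather than trusting the file: "dig @ns1.example.com example.com AXFR" from a host that is not a secondary should report "Transfer failed." rather than dump the zone, and a recursive query for a foreign name from outside "internal" should come back with the RA flag clear and a REFUSED or referral-only answer.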

Transaction Signatures (TSIG)
Developed by the IETF while DNSSEC was being specified (RFC 2845)
Use a symmetric scheme: a keyed hash (HMAC, originally HMAC-MD5) computed over each DNS message, not encryption; the message itself still travels in the clear
Use a shared-secret key that must be exchanged manually for every pair of servers that needs to communicate
Not scalable to large networks, but well suited to securing zone transfers and dynamic updates between a master and its slaves
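To make the "keyed hash, not encryption" point concrete, here is an added example written for this page (not code from BIND or from the book) that signs a DNS request the way RFC 2845 describes and verifies it on the other side. It uses the HMAC-SHA256 algorithm name of RFC 4635 rather than HMAC-MD5, the only algorithm defined in 2002, so that it runs where MD5 is disabled. The key name, secret, query name and timestamp are constructed placeholders; the shape of the MAC input (optional request MAC, then the unsigned DNS message, then the TSIG variables) and of the appended TSIG record follow the RFC.

```python
"""TSIG request signing and verification (added example; not from the original
page or from BIND). Implements the RFC 2845 digest computation with the
HMAC-SHA256 algorithm name of RFC 4635. Key name, secret and query are
constructed placeholders.
"""
import hashlib
import hmac
import struct

TSIG_ALG = "hmac-sha256"                 # RFC 4635 algorithm name
TYPE_TSIG, TYPE_AXFR, CLASS_ANY = 250, 252, 255


def encode_name(name):
    """Canonical wire form (RFC 2845 3.4.2): lowercase, length-prefixed labels, root terminator."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def build_query(qname, qtype=TYPE_AXFR, qid=0x1234):
    """Minimal DNS query: 12-byte header with QDCOUNT=1, then one question."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (everything except the MAC itself)."""
    return (encode_name(key_name)
            + struct.pack("!HI", CLASS_ANY, 0)                              # class, TTL
            + encode_name(TSIG_ALG)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(secret, message, key_name, time_signed, fudge, request_mac=b""):
    """MAC = HMAC(secret, [request MAC] + unsigned DNS message + TSIG variables)."""
    data = request_mac + message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign_request(secret, key_name, message, time_signed, fudge=300):
    """Return (signed_message, mac): the message with a TSIG RR in the additional section."""
    mac = tsig_mac(secret, message, key_name, time_signed, fudge)
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(TSIG_ALG)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))        # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    # The TSIG RR is added to the additional section, so ARCOUNT (bytes 10-11) increases by one.
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr, mac


def verify_request(secret, key_name, message, mac, time_signed, fudge, now):
    """Recompute the MAC over the *unsigned* message and check the time window.
    Returns 'ok', 'bad-time' or 'bad-sig' (the RFC's BADTIME / BADSIG errors)."""
    if abs(now - time_signed) > fudge:
        return "bad-time"
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "bad-sig"
    return "ok"


# Constructed demo values (not real keys or servers).
SECRET = b"example-shared-secret-32-bytes!!"
KEY_NAME = "xfer-key.example.com."
NOW = 1024358400                         # 2002-06-18 00:00:00 UTC


def demo():
    """Sign an AXFR request and show what the verifier reports for good and bad inputs."""
    query = build_query("example.com.")
    signed, mac = sign_request(SECRET, KEY_NAME, query, NOW)
    return {
        "ok":        verify_request(SECRET, KEY_NAME, query, mac, NOW, 300, NOW + 10),
        "wrong_key": verify_request(b"other-secret", KEY_NAME, query, mac, NOW, 300, NOW),
        "tampered":  verify_request(SECRET, KEY_NAME, build_query("evil.example."), mac, NOW, 300, NOW),
        "replayed":  verify_request(SECRET, KEY_NAME, query, mac, NOW, 300, NOW + 3600),
        "signed_len": len(signed),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

Three things in the demo are worth noticing: the verifier needs the same secret the signer used (hence the manual key exchange the slide complains about); the time-signed and fudge fields bound how long a captured signed request can be replayed, which only works if both servers' clocks agree; and nothing in the message is hidden, so TSIG protects integrity and origin, not confidentiality.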

DNSSEC
A set of DNS extensions that authenticate the origin of zone data and verify its integrity
Uses public key cryptography, so a zone's public key can be published in the DNS itself rather than exchanged by hand as TSIG requires
Provides:
–Key distribution by means of KEY resource records stored in the zone files
–Origin verification for servers and data
–Verification of the integrity of zone data
It does not provide confidentiality: signed zone data is still sent in the clear.

Testing and Debugging
named provides highly configurable logging. It is possible to select the severity and type of messages logged.
nslookup queries the DNS database
dig is similar to nslookup, but has more sensible defaults, provides more information, and has a nicer user interface
host is similar to dig but less verbose