DNS/Proxy
Babu Ram Dawadi



Introduction - DNS
Domain Name Server
–programs that store information about the domain name space
–the largest distributed database on the planet
Linux uses BIND to perform DNS functions
–named: the daemon that runs the server side of DNS
–resolver library: translates a friendly name to an IP address and uses the resolv.conf file. The resolver is the program, located in the end host, that translates a user's request, for example by sending queries to domain name servers
–dig: a tool for testing your DNS server

Introduction – DNS (cont)
DNS is a distributed database.
The Domain Name System database has three levels.
–First group of servers: the root servers, indicated by "." (dot)
–Second group of servers: the Top Level Domains (TLDs). They divide the Internet domain name space organizationally into seven domains: com, edu, gov, mil, net, org, int
–Third group of servers: the client DNS server, also called the resolver, in your domain

Domain Name Space
DNS's distributed database is indexed by domain names.
Each domain name is a path in a large inverted tree, and the tree is a hierarchical structure.

DNS – How it works?

DNS – How it works (mechanism)

How does DNS answer Queries
If the BIND package is installed, then BIND comes into play.
named answers the queries from the resolvers
–by reading its configuration file, named.conf
named.conf points to the zone files that supply named with the answers to queries.

How does DNS answer Queries (cont)
[Diagram: a query arrives from the network cloud at the Domain Name Server, where named reads named.conf, pri.zone, the reverse zone and the local zone, and the reply is sent back.]

DNS - Named.conf
The named.conf in a Linux box
–describes the functionality of the BIND system
–named always listens on port 53 for queries
Once the DNS server receives a query
–it checks the address against named.conf
named.conf references four other zone files:
–Hints file
–Local host file
–Zone file
–Reverse zone file
[Diagram: query and reply pass through named, which reads named.conf, pri.zone, the reverse zone and the local zone.]

DNS - Named.conf (cont)
Hints file
–Contains the names and addresses of the root servers on the Internet.
–These servers know where the authoritative servers for user domains exist.
Local host file
–Master of its own loopback domain
–Reduces traffic
Zone file
–Domain database
–Defines most of the information needed to resolve the domain being managed.
Reverse zone file
–Maps IP addresses to host names
–Mirror image of the zone file.

DNS - Queries
Queries?
–Can be a question like "What is the IP address of ...?"
DNS queries can be divided into 3 types:
–Recursive query: the complete answer to the question is always returned
–Iterative (non-recursive) query: the complete answer MAY be returned
–Inverse query: the user wants to know the domain name given a resource record

DNS – Recursive Queries
The DNS server fully answers the query. (A DNS server is not required to support this type of query.)
There are three possible responses to a recursive query:
–The answer to the query, accompanied by any CNAME records (aliases) that may be useful. The response indicates whether the data is authoritative or cached.
–An error indicating that the domain or host does not exist (NXDOMAIN). This response may also contain CNAME records that pointed to the non-existent host.
–A temporary error indication, for example when other DNS servers cannot be reached because of a network error.
The DNS server will, on behalf of the client (resolver), go across the world to look for the real answer to the query.

DNS - Iterative (non-recursive) Queries
The DNS server may provide a partial answer to the query (or return an error). (A DNS server must support this type of query.)
There are four possible responses to a non-recursive query; three of them are the same as for the recursive query on the previous slide, and the fourth is:
–A referral: the name and IP address(es) of one or more name servers that are closer to the requested domain name. This may or may not be the authoritative name server for the target domain.

DNS – Inverse Queries
Inverse queries reverse the mappings performed by standard query operations.
–An inverse query maps a resource record to a domain name, while a standard query maps a domain name to a resource record.
The corresponding inverse query binds the host address to a domain name.
–For example: "What is the domain name for this MX?"
An inverse query IS NOT a reverse mapping.
–An inverse query is NOT used to find a host name given an IP address.
–Inverse queries are primarily useful for database management and debugging activities.
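The recursive and iterative behaviour described on the last three slides, as an added simulation (not code from the original slides). Every name, address and zone in it is constructed (192.0.2.0/24 is a documentation range): an authoritative server answers only non-recursively with an answer, a referral or NXDOMAIN; the iterative walk follows referrals from the root hint; and a recursive server does the whole walk on the client's behalf, reports whether its answer is authoritative or cached, and returns a temporary error when a delegated server is unreachable.

```python
"""Recursive vs. iterative DNS resolution, simulated over constructed data."""
from dataclasses import dataclass, field

ROOT_IP = "192.0.2.1"   # constructed "hints file" entry for the root server


@dataclass
class AuthServer:
    """An authoritative server: answers non-recursively (answer/referral/NXDOMAIN)."""
    zone: str
    records: dict = field(default_factory=dict)      # (owner, type) -> rdata
    delegations: dict = field(default_factory=dict)  # child zone -> child server IP

    def query(self, name, rtype):
        if (name, rtype) in self.records:
            return ("ANSWER", self.records[(name, rtype)])
        # Referral: hand back the closest delegation that covers the name.
        best = None
        for child, ip in self.delegations.items():
            if name == child or name.endswith("." + child):
                if best is None or len(child) > len(best[0]):
                    best = (child, ip)
        if best is not None:
            return ("REFERRAL", best[1])
        return ("NXDOMAIN", None)


# Constructed network: IP -> server. An IP missing from the map is unreachable.
NETWORK = {
    ROOT_IP: AuthServer(".", delegations={"org": "192.0.2.10"}),
    "192.0.2.10": AuthServer("org", delegations={
        "example.org": "192.0.2.20",
        "broken.org": "192.0.2.99",          # delegated to a server that is down
    }),
    "192.0.2.20": AuthServer("example.org", records={
        ("www.example.org", "A"): "192.0.2.80",
        ("mail.example.org", "A"): "192.0.2.25",
    }),
}


def iterative_resolve(name, rtype, network=NETWORK, max_hops=8):
    """Walk referrals from the root. Returns (rcode, rdata, servers_asked)."""
    server_ip, asked = ROOT_IP, []
    for _ in range(max_hops):
        asked.append(server_ip)
        server = network.get(server_ip)
        if server is None:
            return ("SERVFAIL", None, asked)     # temporary error: server unreachable
        status, data = server.query(name, rtype)
        if status == "REFERRAL":
            server_ip = data                      # partial answer: ask the closer server
            continue
        return (status, data, asked)
    return ("SERVFAIL", None, asked)              # guard against referral loops


class RecursiveServer:
    """Resolves the whole chain on the client's behalf and caches what it learns."""

    def __init__(self, network=NETWORK):
        self.network = network
        self.cache = {}

    def resolve(self, name, rtype):
        key = (name, rtype)
        if key in self.cache:
            rcode, data = self.cache[key]
            return (rcode, data, "cached")
        rcode, data, _ = iterative_resolve(name, rtype, self.network)
        if rcode in ("ANSWER", "NXDOMAIN"):      # SERVFAIL is transient, never cached
            self.cache[key] = (rcode, data)
        return (rcode, data, "authoritative")


if __name__ == "__main__":
    print(iterative_resolve("www.example.org", "A"))
    srv = RecursiveServer()
    print(srv.resolve("www.example.org", "A"))
    print(srv.resolve("www.example.org", "A"))
    print(srv.resolve("host.broken.org", "A"))
```

The third element of each result is the part a defender usually cares about: the list of servers an iterative resolver had to ask, and whether a recursive answer came from cache or from a fresh walk. Inverse queries (opcode IQUERY) are not modelled; they were declared obsolete by RFC 3425 and current servers refuse them.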

DNS – named.conf file Sample

options {
    pid-file "/var/run/bind/run/named.pid";
    directory "/etc/bind";
    // query-source address * port 53;
};
//
// a master nameserver config
//
zone "." {
    type hint;
    file "db.root";                 // Hints file
};
zone " in-addr.arpa" {
    type master;
    file "db.local";                // Local host file
};
zone " in-addr.arpa" {
    type master;
    file "pri in-addr.arpa";        // Reverse zone file
};
zone "centralsoft.org" {
    type master;
    file "pri.centralsoft.org";     // Zone file
};

The options statement defines the default directory for named and the location of the process ID (pid) file, named.pid.

DNS-The Primary Zone

    IN SOA server1.centralsoft.org. root.localhost. (
                ; serial
        28800   ; refresh, seconds
        7200    ; retry, seconds
                ; expire, seconds
        )       ; minimum, seconds
    NS server1.centralsoft.org.
    NS ns0.centralsoft.org.
    MX 10 server1.centralsoft.org.   ; Mail Server
centralsoft.org.  A
www               A
server1           A
ns0               A

The host name of the master server for this zone is server1.centralsoft.org.
The NS records specify the name servers that are responsible for our domain.
The semicolon introduces a comment.

DNS-The Primary Zone File

    IN SOA ns.example.org. root.localhost. (
                ; serial
        28800   ; refresh, seconds
        7200    ; retry, seconds
                ; expire, seconds
        )       ; minimum, seconds

Fields of the SOA record, in order: Name, Class, Type, Name-Server, Email-Address, Serial-no, Refresh, Retry, Expiry, Minimum-TTL
Class IN = INternet

DNS-The Primary Zone File (cont)
Name
–The root name of the zone. The @ sign is a shorthand reference to the current origin (zone) given in /etc/named.conf for that particular database file.
Class
–A number of different DNS classes exist.
–Since the configuration uses IP mapping for BIND, the IN class is used in this case.
Type
–The type of DNS resource record. In this case it is an SOA (Start of Authority) resource record.
Name-server
–The fully qualified primary name server. Must be followed by a period.
Email-address
–The address of the person responsible for the domain.

DNS-The Primary Zone File (cont)
Serial-no
–The serial number needs to be incremented each time the file is edited. The slave server uses it to check whether the zone file has been updated.
Refresh
–A length of time in seconds that tells a slave DNS server how often it should recheck the master. Every refresh cycle the slave DNS server performs an update from the master.
Retry
–Tells the slave how long it should wait before trying to reconnect to the master in the event of a connection failure.
Expiry
–The expiration time: the length of time that the slave server should continue to respond to queries even if it cannot update the zone file.
Minimum-TTL
–The default time to live (TTL) for this domain in seconds. Remote clients will sometimes query sub-domains that don't exist in your records, and this value governs how long such negative answers are cached.
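The SOA fields explained on the last three slides, as an added example (not from the original slides): a small parser that reads the SOA record out of a zone file, turns the responsible-person field back into a mailbox, and applies the serial-number rule a slave uses to decide whether to transfer the zone. The zone text, its addresses and its serial are constructed; the layout follows the centralsoft.org slide but uses example.org.

```python
"""Parse a zone file's SOA record and decide whether a slave must transfer."""
import re

# Constructed zone: same layout as the slide, with example.org and documentation IPs.
ZONE_TEXT = """\
$TTL 86400
@   IN SOA ns.example.org. root.localhost. (
        2024010101  ; serial
        28800       ; refresh, seconds
        7200        ; retry, seconds
        604800      ; expire, seconds
        86400 )     ; minimum, seconds
    IN NS  ns.example.org.
    IN NS  ns0.example.org.
    IN MX  10 mail.example.org.   ; Mail Server
example.org.  IN A 192.0.2.10
www           IN A 192.0.2.10
ns            IN A 192.0.2.10
ns0           IN A 192.0.2.11
mail          IN A 192.0.2.25
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")


def strip_comments(text):
    """Drop everything after ';' on each line (zone-file comment syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text):
    """Return the SOA fields as a dict; the parentheses may span several lines."""
    flat = " ".join(strip_comments(zone_text).split())
    m = re.search(
        r"(\S+) (?:\d+ )?(?:IN )?SOA (\S+) (\S+) \( ((?:\d+ ?){5})\)", flat)
    if m is None:
        raise ValueError("no SOA record found")
    owner, mname, rname, numbers = m.groups()
    soa = {"owner": owner, "mname": mname, "rname": rname}
    soa.update(zip(SOA_FIELDS, map(int, numbers.split())))
    return soa


def rname_to_email(rname):
    """The SOA RNAME 'root.localhost.' is the mailbox root@localhost."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: is a newer than b (modulo 2**32)?"""
    return 0 < (a - b) % (1 << 32) < (1 << 31)


def slave_should_transfer(slave_serial, master_serial):
    """A slave refreshes only when the master's serial is newer than its own."""
    return serial_gt(master_serial, slave_serial)


def lint_soa(soa):
    """Common zone-file mistakes that silently break replication."""
    problems = []
    if not soa["mname"].endswith("."):
        problems.append("name server is not fully qualified (missing trailing period)")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        problems.append("expire should be longer than refresh")
    return problems


if __name__ == "__main__":
    soa = parse_soa(ZONE_TEXT)
    print(soa, rname_to_email(soa["rname"]), lint_soa(soa))
    # Editing the zone without bumping the serial: the slave never transfers.
    print(slave_should_transfer(soa["serial"], soa["serial"]))
```

The wraparound case in serial_gt is why "increment the serial" is the rule rather than "use a bigger number": comparisons are circular, so a serial that jumps ahead by 2**31 or more looks older to the slave, and a zone edited without a serial bump is never picked up at all.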

DNS – Server Type
DNS can be configured as 6 different types of DNS server:
–Master DNS (a.k.a. Primary)
–Slave DNS (Secondary)
–Caching DNS (a.k.a. Hint)
–Forwarding DNS (a.k.a. Proxy, Client, Remote)
–Stealth DNS (a.k.a. DMZ or Split)
–Authoritative Only DNS

Proxy Server

Introduction - Proxy Server
A proxy server is a server that sits between the client site and the real server.
When a user requests data from a web browser that has been configured to use the proxy server:
–Traffic goes from the web browser to the proxy server
–On behalf of the user, the proxy requests the data from the Internet
–The proxy transmits the information back to the user
[Diagram: User – Proxy Server – Web Site]

Introduction – Why use a Proxy?
Advantages of using proxy servers
–Improve performance
–Ensure security
Improve performance
–Faster operation, because of the cache service.
Ensure security
–Rules and policies can be added to the proxy configuration, so the proxy serves users by filtering their requests.
–The network becomes easier to control, because only traffic that passes the filtering requirements is served or replied to.

Proxy - Improving Performance
A proxy server can be configured as a cache server.
The proxy server stores information that has been used by many Internet users.
If a user requests the same information again, the user gets it immediately because the data has already been stored.
Improving performance
–Decreases the usage of network resources, because the proxy contacts the original Internet site less often.

Proxy - Improving Performance (cont)
[Diagram: User A requests ww.google.com; the proxy server checks its cache first, finds nothing, contacts the original web site, stores the returned page and returns it to User A. User B then requests ww.google.com; the proxy finds it in the cache and returns it immediately without contacting the original server.]

Proxy - Ensure security
A proxy server can be configured to add limitations on user access.
It can be configured to bypass some restrictions as well.
Policies can be defined in the proxy configuration in order to restrict Internet or web page access.
The network administrator can block access by users from a certain network or even a country.
Limit the sites that users can browse through the proxy.
–Ban pornography or unsecured websites.

Proxy - Ensure security (cont)
[Diagram: a request from the users reaches the proxy server, which checks the rules. If allowed, the request is passed on to the web site; otherwise the user is told "You are not allowed to access the Internet".]

Types of Proxy
There are many different types of proxy servers; which one to set up depends on the network administrator's purpose. Mainly, proxy servers can be categorized into 3 types:
–Forward Proxy
–Reverse Proxy
–Proxy Chaining

Forward Proxy
The forward proxy is the most common proxy server.
–Generally used to accept or reject requests from users based on the defined policies.
–If the request is valid, the proxy server forwards it to the original server on the Internet to retrieve the requested information.
–The request may also be answered from the local cache rather than passing through the Internet, which helps reduce network traffic.
[Diagram: Users – Proxy Server (cached) – Web Site]

Reverse Proxy
The reverse proxy is generally used to pass requests from the Internet to the local network.
It can prevent users from connecting to the local server and accessing sensitive data directly or freely.
Whenever there is a request, the proxy server checks it first; if it fulfils the rules, the request is sent to the server, otherwise it is blocked.
The proxy server may also answer the request from cached information.
[Diagram: Users – Proxy Server (cached) – Web Site]

Proxy Chaining
[Diagram: Private LAN – Proxy Server 1 (cached) – Proxy Server 2 (cached) – Internet – Web Site]

Proxy Chaining (cont)
A proxy chain involves 2 or more proxy servers in a network in order to enhance the performance and the security control of the network.
Proxy chaining allows requests from different protocols to be handled according to different requirements.
In the previous slide there are 2 proxy servers. Proxy server 1 can be configured to forward every request to the upstream proxy, Proxy server 2, or, if the cache feature is enabled, it can answer the request immediately if the information was already cached.

How does Squid Proxy work? Cache Hit
[Diagram: the URL request from the private LAN reaches Proxy Server 1, which finds the object in its cache (Cache Hit!!) and returns the HTTP response.]

How does Squid Proxy work? (cont) Cache Miss – case 1
[Diagram: Proxy Server 1 misses (Cache Miss!!) and sends an ICP request to Proxy Server 2, which has the object cached (Cache Hit!!) and sends an ICP reply; Proxy Server 1 retrieves the object from it and returns the HTTP response.]

How does Squid Proxy work? (cont) Cache Miss – Case 2
[Diagram: Proxy Server 1 misses and sends an ICP request to Proxy Server 2, which also misses (or the ICP request times out); the HTTP request then goes out through Proxy Server 2 to the web site on the Internet, the HTTP reply comes back, and Proxy Server 1 returns the HTTP response to the client.]
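The caching behaviour from the "Improving Performance" slides and the three Squid cases above (cache hit, ICP hit at the peer, ICP miss or timeout), as an added toy model that is not Squid's code. The URL, page body and proxy names are constructed; Proxy Server 2 plays the upstream peer that Proxy Server 1 probes with ICP before deciding where to fetch from, and the origin counts how often it is actually contacted.

```python
"""Squid cache hierarchy model: cache hit, ICP hit, ICP miss, ICP timeout."""


class Origin:
    """The real web site; counts how often it is actually contacted."""

    def __init__(self, pages):
        self.pages = pages
        self.requests = 0

    def get(self, url):
        self.requests += 1
        return self.pages[url]


class Proxy:
    def __init__(self, name, origin, peer=None):
        self.name = name
        self.origin = origin
        self.peer = peer           # upstream proxy probed via ICP before going direct
        self.reachable = True      # flip to False to simulate an ICP timeout
        self.cache = {}

    def icp_query(self, url):
        """Cheap probe of this cache; None models a timed-out ICP request."""
        if not self.reachable:
            return None
        return "ICP_HIT" if url in self.cache else "ICP_MISS"

    def fetch(self, url, log):
        log.append(f"{self.name}: URL request {url}")
        if url in self.cache:
            log.append(f"{self.name}: cache hit")
            return self.cache[url]
        log.append(f"{self.name}: cache miss")
        if self.peer is None:
            log.append(f"{self.name}: HTTP request to origin")
            body = self.origin.get(url)
        else:
            reply = self.peer.icp_query(url)
            if reply == "ICP_HIT":
                log.append(f"{self.name}: ICP hit at {self.peer.name}, HTTP request to peer")
                body = self.peer.fetch(url, log)      # served from the peer's cache
            elif reply == "ICP_MISS":
                log.append(f"{self.name}: ICP miss at {self.peer.name}, forwarding to parent")
                body = self.peer.fetch(url, log)      # parent fetches from origin
            else:
                log.append(f"{self.name}: ICP timeout, going direct to origin")
                body = self.origin.get(url)
        self.cache[url] = body
        log.append(f"{self.name}: HTTP response")
        return body


def run_scenarios():
    """Replay the slides' cases; returns {case: (origin_requests_so_far, log)}."""
    url = "http://www.example.org/"                  # constructed
    origin = Origin({url: "<html>constructed page</html>"})
    proxy2 = Proxy("Proxy Server 2", origin)
    proxy1 = Proxy("Proxy Server 1", origin, peer=proxy2)
    results = {}

    log = []                      # both caches empty: miss, ICP miss, parent goes to origin
    proxy1.fetch(url, log)
    results["miss_case2"] = (origin.requests, log)

    log = []                      # now cached in Proxy Server 1
    proxy1.fetch(url, log)
    results["hit"] = (origin.requests, log)

    proxy1.cache.clear()
    log = []                      # Proxy Server 1 misses, Proxy Server 2 answers the probe
    proxy1.fetch(url, log)
    results["miss_case1"] = (origin.requests, log)

    proxy1.cache.clear()
    proxy2.reachable = False
    log = []                      # peer silent: ICP timeout, go direct
    proxy1.fetch(url, log)
    results["timeout"] = (origin.requests, log)
    return results


if __name__ == "__main__":
    for case, (hits, log) in run_scenarios().items():
        print(case, "origin requests so far:", hits)
        print("\n".join("   " + line for line in log))
```

Across the four runs the origin is contacted only twice, once for the very first miss and once for the timeout case, which is the "fewer contacts with the original site" saving the earlier slides describe; the log lists make it easy to check which proxy answered each request.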

Proxy Server – Squid Configuration

cache_peer sfc-cache.ai3.net parent
acl all src /0 ::/0
acl manager proto cache_object
acl localsite src / :d30:1214::/48
acl localhost src /32 ::1/128
acl to_localhost dst /8 ::/126
acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port         # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http

Proxy Server – Squid Configuration (cont)

acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
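How the ACLs and http_access lines above decide a request, as an added model of Squid's first-match evaluation (not Squid's own code, and not part of the original slides); it also serves the "Ensure security" slides, where policy rules filter user requests. Each http_access line matches only if all of its terms match (a leading "!" negates a term), the first matching line decides, and when no line matches Squid applies the opposite of the last line's action. Where the slide left values blank, Squid's stock defaults are assumed here: localhost = 127.0.0.1/32 and ::1/128, unregistered ports = 1025-65535; the request sources are constructed.

```python
"""Squid-style http_access evaluation over the slide's ACL set."""
import ipaddress


class SquidAccess:
    def __init__(self):
        self.acls = {}    # name -> (type, [values]); repeating a name appends to it
        self.rules = []   # (action, [terms]) in file order

    def acl(self, name, acl_type, *values):
        entry = self.acls.setdefault(name, (acl_type, []))
        if entry[0] != acl_type:
            raise ValueError(f"acl {name} redefined with a different type")
        entry[1].extend(values)

    def http_access(self, action, *terms):
        self.rules.append((action, list(terms)))

    def _match(self, name, req):
        acl_type, values = self.acls[name]
        if acl_type == "src":
            ip = ipaddress.ip_address(req["src"])
            return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if acl_type == "port":
            for v in values:                       # single port or "lo-hi" range
                lo, _, hi = str(v).partition("-")
                if int(lo) <= req["port"] <= int(hi or lo):
                    return True
            return False
        if acl_type == "method":
            return req["method"] in values
        if acl_type == "proto":
            return req["proto"] in values
        raise ValueError(f"unsupported acl type {acl_type}")

    def decide(self, req):
        """First http_access line whose terms all match wins (AND within a line)."""
        for action, terms in self.rules:
            if all(self._match(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        if not self.rules:
            return "allow"
        # Squid's documented fallback: the opposite of the last line's action.
        return "deny" if self.rules[-1][0] == "allow" else "allow"


def page_config():
    """The slide's ACLs and http_access lines as a SquidAccess object."""
    cfg = SquidAccess()
    cfg.acl("manager", "proto", "cache_object")
    cfg.acl("localhost", "src", "127.0.0.1/32", "::1/128")   # assumed Squid defaults
    cfg.acl("SSL_ports", "port", 443)
    for p in (80, 21, 443, 70, 210, "1025-65535", 280, 488, 591, 777):
        cfg.acl("Safe_ports", "port", p)                      # 1025-65535 assumed
    cfg.acl("CONNECT", "method", "CONNECT")
    cfg.http_access("allow", "manager", "localhost")
    cfg.http_access("deny", "manager")
    cfg.http_access("deny", "!Safe_ports")            # deny requests to unknown ports
    cfg.http_access("deny", "CONNECT", "!SSL_ports")  # CONNECT only to SSL ports
    return cfg


def request(src, method, port, proto="http"):
    """A minimal request record: client address, method, destination port, scheme."""
    return {"src": src, "method": method, "port": port, "proto": proto}


if __name__ == "__main__":
    cfg = page_config()
    for req in (request("192.0.2.5", "GET", 80),
                request("192.0.2.5", "CONNECT", 8443),
                request("192.0.2.5", "GET", 3128, proto="cache_object")):
        print(req, "->", cfg.decide(req))
```

Note what the fallback rule means for this fragment on its own: a plain GET to port 80 from any client is allowed, because nothing denies it and the last line is a deny. Squid's stock configuration therefore continues with its own localnet rules and closes with "http_access deny all", so a policy that stops at the lines shown on the slide is an open proxy.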

DNS Forwarder
Domain Name Server
–DNS forwards only
–The DNS server forwards all queries to the parent DNS server over IPv6
–This is done by modifying the current caching-only name server configuration, /var/named/chroot/etc/named.conf

options {
    forwarders { 2001:d30:102:1000::1001; 2001:d30:101:1::11; };
    forward only;
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    allow-query { /24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-recursion { /24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-transfer { none; };
    listen-on-v6 { any; };
};

The two added lines, forwarders and forward only, tell the DNS server that it must forward all queries to the parent DNS server.

Thank you