Domain Name System

Introduction
In a distributed system, names are used to refer to a wide variety of resources, such as computers, services, remote objects, files and users. Basic design issues for name services, such as the structure and management of the name spaces a service recognises and the operations the service supports, are outlined and discussed in the context of the Internet Domain Name System.
Source: Coulouris, Dollimore and Kindberg, Distributed Systems: Concepts & Design, 4th edn., Pearson Education 2005

Introduction
 Resources are accessed using an identifier or reference.
 An identifier can be stored in variables and retrieved from tables quickly.
 An identifier includes, or can be transformed to, an address for an object.
 E.g. an NFS file handle, a CORBA remote object reference.

Introduction
 A name is a human-readable value (usually a string) that can be resolved to an identifier or address.
 Examples: an Internet domain name, a file pathname, a process number.
 E.g. /etc/passwd

Introduction
 For many purposes, names are preferable to identifiers:
 The binding of the named resource to a physical location is deferred and can be changed.
 They are more meaningful to users.
 Resource names are resolved by name services, which return identifiers and other useful attributes.

Introduction
Figure 1. Composed naming domains used to access a resource from a URL: the URL is resolved by a DNS lookup to a resource ID (IP number, port number 8888, pathname WebExamples/earth.html) for a file on a web server reached through a socket, and the IP number is resolved by an ARP lookup to the (Ethernet) network address 2:60:8c:2:b0:5a.

Introduction
You need to name an entity in order to use it. If you don't have a name, or don't know the name, you should be able to describe its characteristics in order to identify it. These two requirements give two kinds of service:
 Naming service
 Directory service

Naming Service
Given the name of a resource, a naming service returns information about the resource. Consider the white pages: given a person's name you get that person's address and telephone number. Another example is LDAP (Lightweight Directory Access Protocol): given a person on UB's computers, it returns information about the person (campus address, phone number, position held, etc.).

Directory Service
Given a description, a directory service finds a service or resource that matches the description. Consider the yellow pages: when you want to rent a car, they give a list of car-rental agencies.

Directory Services
A directory service is more powerful than a naming service: clients look up names by supplying attributes rather than the other way round, i.e. they locate a service by describing the attributes they need instead of giving its name. A discovery service provides registry and lookup for spontaneous networking: a server uses the registry to publish a service and a client uses lookup to locate one.

Overview of Domain Name System
 The Domain Name System is a hierarchical, distributed database.
 DNS is the foundation of the Internet naming scheme.
 DNS supports accessing resources by alphanumeric names.
 The domain namespace was administered by InterNIC; today its coordination is handled by ICANN/IANA.
 DNS was created to support the Internet's growing number of hosts (it replaced the centrally maintained HOSTS.TXT file).

Figure: the ausregistry.com.au sub-domain within the com.au domain.

What Is a Domain Namespace?
 Root domain: the unnamed root, written as "."
 Top-level domains: com, org, net
 Second-level domain: nwtraders (under com)
 Subdomains: south, sales, west, east
 Host: SERVER1
 FQDN (fully qualified domain name): SERVER1.sales.south.nwtraders.com

Naming a Domain vs Naming a Directory
A domain name such as yahoo.com.au. is read starting from the root on the right, with "." as the separator; a directory path such as C:\windows\system32\drivers\ is read starting from the root on the left, with "\" as the separator.

Standards for DNS Naming
The following characters are valid in DNS host names: A through Z, a through z, 0 through 9, and the hyphen (-). The underscore (_) is reserved: it is not valid in host names, but it is used as the leading character of service labels such as _ldap._tcp in SRV records.

What Are the Components of a DNS Solution?
 DNS servers on the Internet, starting at the root "." and the top-level domains (.com, .edu)
 The organisation's own DNS servers, holding the resource records for its zones
 DNS clients (resolvers), which send queries to DNS servers

DNS – How it works?

DNS – How it works (mechanism)

What Is a DNS Query?
A query is a request for name resolution and is directed to a DNS server.
 Queries are recursive or iterative.
 Both DNS clients and DNS servers initiate queries.
 DNS servers are authoritative or nonauthoritative for a namespace.
 An authoritative DNS server for the namespace will either return the requested IP address or return an authoritative negative answer (NXDOMAIN).
 A nonauthoritative DNS server for the namespace will check its cache, use forwarders, or use root hints.

How Recursive Queries Work
A recursive query is sent by a DNS client to its local DNS server and requires a complete answer: the server must return the address of mail1.contoso.msft (from its own database or cache, or by querying other servers on the client's behalf) or an error; it may not hand back a referral.

How Iterative Queries Work
An iterative query directed to a DNS server may be answered with a referral to another DNS server. In the slide's example the client sends a recursive query for mail1.nwtraders.com to its local DNS server; the local server then works iteratively: it asks a root server (from its root hints) and is told "ask .com", asks a .com server and is told "ask nwtraders.com", and finally asks the nwtraders.com server, which returns an authoritative response that the local server relays to the client.
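The exchange above at the packet level, as an added example that is not part of the original slides: it builds a query in DNS wire format, constructs the two replies the local server would see during the iterative walk (a referral carrying NS records in the authority section with AA=0, then the authoritative answer with AA=1), and parses them back, following RFC 1035 name-compression pointers. The names, the transaction ID and the address 192.0.2.25 (RFC 5737 documentation range) are assumptions; nothing is sent on the network.

```python
# Added example (not from the original slides): DNS wire format and the
# header flags behind recursive vs iterative queries. Everything here is
# constructed in memory; nothing is sent on the network. Names and the
# address 192.0.2.25 (RFC 5737 documentation range) are assumptions.
import struct

def encode_name(name):
    """'mail1.nwtraders.com.' -> b'\\x05mail1\\x09nwtraders\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, recursion_desired=True, qtype=1):
    """Client side: 12-byte header + question. RD=1 asks for a recursive answer."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def decode_name(msg, offset):
    """Decode a name, following RFC 1035 compression pointers; loop-guarded."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # resume after the pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def parse_response(msg):
    """Server reply -> dict with the header flags and the answer/authority sections."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,  # 3 = NXDOMAIN
            "answers": [], "authority": []}
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for section, count in (("answers", an), ("authority", ns)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:              # A record: dotted quad
                value = ".".join(str(b) for b in rdata)
            elif rtype == 2:                           # NS record: a name
                value, _ = decode_name(msg, off - rdlen)
            else:
                value = rdata.hex()
            info[section].append((name, rtype, ttl, value))
    return info

def build_response(query, answers=(), authority=(), aa=False, ra=False, rcode=0):
    """Constructed server side: echo the question and append records.
    Owner names equal to the question name are written as a pointer (0xC00C)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    qname, qend = decode_name(query, 12)
    qend += 4
    flags = 0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    msg += query[12:qend]
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        owner = b"\xC0\x0C" if name == qname else encode_name(name)
        msg += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def iterative_walk():
    """The slide's exchange: the local server asks with RD=0 and first gets a
    referral (NS records in the authority section, AA=0), then the answer (AA=1)."""
    q = build_query("mail1.nwtraders.com", txid=0x1234, recursion_desired=False)
    referral = build_response(q, authority=[
        ("nwtraders.com.", 2, 172800, encode_name("ns1.nwtraders.com."))])
    answer = build_response(q, aa=True, answers=[
        ("mail1.nwtraders.com.", 1, 3600, bytes([192, 0, 2, 25]))])
    return parse_response(referral), parse_response(answer)

if __name__ == "__main__":
    ref, ans = iterative_walk()
    print("referral:", ref["authority"], "aa=%s" % ref["aa"])
    print("answer:  ", ans["answers"], "aa=%s" % ans["aa"])
```

The hop limit in decode_name matters in practice: a pointer that refers forward or to itself is a classic way to make a naive parser loop forever, so a resolver or IDS parser must bound pointer following.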

How Forwarders Work
A forwarder is a DNS server designated to resolve external or off-site DNS domain names. The local DNS server sends its recursive query for mail1.nwtraders.com to the forwarder instead of resolving it itself; the forwarder performs the iterative queries (root hint, "ask .com", "ask nwtraders.com") and obtains the authoritative response, which the local server passes back to the client.

How Root Hints Work
Root hints contain the names and IP addresses of the DNS root (".") servers. A DNS server that is not authoritative for a name and has no forwarder starts at a root server, which refers it to the com servers, which refer it to the microsoft DNS servers, and so on down the tree.

How DNS Server Caching Works
Client1 asks the DNS server "Where's ServerA?"; the server resolves the name, returns the address, and stores the answer in its cache (host name ServerA.contoso.msft, IP address, TTL in seconds). When Client2 asks the same question before the TTL expires, the server answers from its cache without querying again. The TTL is set by the authoritative server and bounds how long a stale entry is served.

Best Practices for Configuring DNS
 Use a central forwarder for Internet name resolution.
 Use conditional forwarders if you have multiple internal namespaces.
 Consider disabling recursion for specific domains.
Figure: the Contoso.msft DNS servers forward Internet queries to the ISP DNS (forwarding with no recursion, or root hints); queries for the partner organisation Northwindtraders.msft and for the internal Dev.contoso.msft namespace use conditional forwarding.

How DNS Data Is Stored and Maintained
A zone contains the resource records for a contiguous portion of the DNS namespace. On the DNS server the zone is held in a zone file (e.g. Contoso.msft.dns) that stores the records for DNS ClientA, ClientB and ClientC.

What is a resource record?
 A domain contains resource records.
 Resource records are analogous to files.
 They are classified into types; some of the important types are SOA, NS, A, CNAME and MX.
 They are normally defined in "zone files".

What Are Resource Records and Record Types?
 A: resolves a host name to an IPv4 address
 PTR: resolves an IP address to a host name (reverse lookup)
 SOA: the first record in any zone file; marks the start of authority and carries the serial number and timers
 SRV: locates the servers providing a service (e.g. _ldap._tcp)
 NS: identifies the authoritative DNS servers for a zone
 MX: identifies the mail exchanger (mail server) for a domain
 CNAME: resolves an alias to a canonical host name

The "A" Record
 The "Address" record.
 One or more A records normally define a host.
 Contains an IPv4 address (the address computers use to uniquely identify each other on the Internet).
 E.g. a record of the form "www A <IPv4 address>" in the ausregistry.com.au zone defines the host www.ausregistry.com.au to be reachable at that IPv4 address.

The "CNAME" Record
 A CNAME defines an alias.
 The alias is then resolved; if another CNAME is encountered the process continues until an A record is found.
 E.g. the record "search CNAME www.google.com." in the ausregistry.com.au zone defines the name search.ausregistry.com.au to be an alias for www.google.com.
 A name that has a CNAME may not have any other records, and MX and NS records must not point at a CNAME.

The "MX" Record
 An MX record defines the mail servers for a particular domain.
 Mail eXchange records hold the names of the hosts able to deliver mail for the domain and their priorities (a lower preference value is tried first).
 E.g. the record "ausregistry.com.au MX 10 mail" in the ausregistry.com.au zone defines the host mail (mail.ausregistry.com.au) as the priority-10 mail server for the ausregistry.com.au domain.

The "NS" Record
 An NS record defines the authoritative name servers for the domain.
 "Name Server" records also define the name servers of child domains (delegations).
 E.g. the record "internal NS ns1.hosting.com.au." in the ausregistry.com.au zone defines the host ns1.hosting.com.au as a name server for the internal.ausregistry.com.au sub-domain.

What is a zone?
A zone's records are held in a database (the "zone file") and served from an authoritative name server. A zone comprises all the resource records of a domain except those of sub-domains that have been delegated: the com.au zone contains the delegation (NS) records for ausregistry.com.au but not the resource records of ausregistry.com.au, although all of these records are part of the com.au domain.

What Is a DNS Zone?
Figure: the Contoso.msft zone with its sub-domains West, South, Support, Sales, Training and North.

What Are DNS Zone Types?
 Primary: read/write copy of a DNS database
 Secondary: read-only copy of a DNS database, kept up to date by zone transfer
 Stub: copy of a zone that contains only the records used to locate its name servers (SOA, NS and glue A records)
 Active Directory integrated: zone data is stored in Active Directory rather than in zone files

What Are Stub Zones?
The primary zone Contoso.msft on DEN-SRV1 holds the full record set: the SOA (Den-srv1.contoso.msft), NS records for Den-srv1.contoso.msft and Den-srv2.contoso.msft, A records for DEN-SRV1, DEN-SRV2, WEB1 and DEN-DC1, and a CNAME WWW pointing to Web1.contoso.msft. The stub zone Contoso.msft on MTL-SRV2 holds only what is needed to find the authoritative servers: the same SOA and NS records plus the A (glue) records for DEN-SRV1 and DEN-SRV2.

What Are Forward and Reverse Lookup Zones?
Namespace: training.nwtraders.msft. The DNS server authoritative for training holds a forward zone (training) that answers "what is the IP address of DNS Client1/Client2/Client3?" and a reverse zone (in-addr.arpa) that answers "which client has this IP address?".

Why Use Reverse Lookup Zones?
Figure: an IIS web site configured to "Allow only Contoso.msft" asks the DNS server to look up the client's address in the reverse lookup zone (in-addr.arpa). Addresses ending in 10, 11 and 13 map to Den-srv1.contoso.msft, Den-srv2.contoso.msft and Den-srv2.contoso.msft, and another ending in 10 maps to Den-cl1.contoso.msft: these clients are granted access. The address ending in 127 maps to Den-cl2.nwtraders1.msft and is denied. Caveat: PTR records are controlled by whoever administers the address block, not by contoso.msft, so a reverse lookup alone should not be trusted for access control; the PTR name should also be resolved forward and confirmed to map back to the client address (forward-confirmed reverse DNS).
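The access check from the slide beside its forward-confirmed form, as an added example that is not part of the original slides. The PTR and A tables are constructed for the example (RFC 5737 documentation addresses, hypothetical host names); the third PTR entry stands for an address whose owner has published a PTR name inside contoso.msft that contoso.msft's own zone does not know.

```python
# Added example (not from the original slides): reverse-only vs
# forward-confirmed reverse DNS (FCrDNS) for an "allow only contoso.msft" rule.
# Record tables are constructed; addresses are from the RFC 5737 range.
import ipaddress

PTR_RECORDS = {                                  # constructed reverse zone data
    "10.2.0.192.in-addr.arpa.": "den-cl1.contoso.msft.",
    "127.2.0.192.in-addr.arpa.": "den-cl2.nwtraders1.msft.",
    "200.2.0.192.in-addr.arpa.": "evil.contoso.msft.",   # PTR set by the address owner
}
A_RECORDS = {                                    # constructed forward zone data
    "den-cl1.contoso.msft.": {"192.0.2.10"},
    "den-cl2.nwtraders1.msft.": {"192.0.2.127"},
    # no A record for evil.contoso.msft: contoso.msft's zone has never heard of it
}

def reverse_name(ip):
    """PTR owner name for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lookup_ptr(ip):
    return PTR_RECORDS.get(reverse_name(ip))

def lookup_a(name):
    return A_RECORDS.get(name, set())

def reverse_only_allowed(ip, suffix="contoso.msft."):
    """The slide's rule: trust whatever name the PTR record claims."""
    ptr = lookup_ptr(ip)
    return ptr is not None and ptr.endswith("." + suffix)

def fcrdns_allowed(ip, suffix="contoso.msft."):
    """Forward-confirmed: the PTR name must resolve back to the client address,
    which only the owner of the forward zone (contoso.msft) can arrange."""
    ptr = lookup_ptr(ip)
    if ptr is None or not ptr.endswith("." + suffix):
        return False
    return ip in lookup_a(ptr)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.127", "192.0.2.200"):
        print(ip, lookup_ptr(ip), "reverse-only:", reverse_only_allowed(ip),
              "fcrdns:", fcrdns_allowed(ip))
```

192.0.2.200 passes the reverse-only rule and fails the forward-confirmed one, which is the whole point: a PTR name is an assertion by the address owner, and the forward lookup is what ties it to the domain being trusted.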

What is a Delegation?
Delegation refers to the act of placing NS records in a domain that "delegate" control of a sub-domain to another entity. That entity then controls the resource records in the sub-domain and can delegate further child domains to other entities. E.g. IANA delegating control of a country-code domain to that country's registry.

What Is Delegation of a DNS Zone?
Figure: Contoso.msft delegates the Training.contoso.msft and Sales.contoso.msft sub-domains.

Guidelines for Configuring DNS Zones
 Limit internal domain names to one primary zone.
 Use secondary zones for fault tolerance.
 Use secondary zones for load balancing.
 Use split DNS for external resources (a separate Internet zone for Contoso.msft holding only the public records).
Figure: Contoso.msft reaches Dev.contoso.msft by delegation or a stub zone, the partner organisation Northwindtraders.msft by conditional forwarding or a stub zone, and the Internet through the ISP DNS by forwarding or root hints; a secondary zone provides fault tolerance, and the Internet zone for Contoso.msft is held separately.

How DNS Zone Transfers Work
A DNS zone transfer is the synchronisation of authoritative DNS zone data between DNS servers. The secondary server pulls from the primary (master) server:
1. The secondary sends an SOA query for the zone.
2. The primary answers the SOA query; the secondary compares the serial number with that of its own copy.
3. If the primary's serial is newer, the secondary sends an IXFR (incremental) or AXFR (full) query for the zone.
4. The primary answers the IXFR or AXFR query and the zone is transferred.

How Incremental Zone Transfers Work
The secondary holds the zone at SOA serial 12054 with two client records; the primary has since added two more clients and is at serial 12056. The secondary sends an IXFR request carrying its current serial (12054) and receives only the changes between 12054 and 12056, not the whole zone.

How DNS Notify Works
DNS NOTIFY (RFC 1996) is an update to the original DNS protocol specification that lets the primary (source) server tell its secondary (destination) servers when a zone changes, instead of waiting for the refresh timer: a resource record is updated, the SOA serial number is incremented, the primary sends a notify message, and the secondary responds by checking the serial and starting a zone transfer.

How to Secure Zone Transfers
 Restrict zone transfers to specified servers (for BIND, by address list and preferably a TSIG key, since address filters alone can be spoofed; for Windows DNS, to the servers on the Name Servers tab or a named list).
 Encrypt zone transfer traffic between primary and secondary (e.g. over IPsec or a VPN).
 Consider using Active Directory integrated zones, which replicate through AD replication instead of zone transfers.

How Preferred and Alternate DNS Servers Work
1. The client tries the preferred DNS server first.
2. If the preferred server fails, the client tries the alternate DNS server.
3. Optionally, you can enter a longer list of alternate DNS servers. The preferred and alternate DNS servers automatically appear at the top of this list.

How Suffixes Are Applied
When a client queries a single-label name such as SERVER1, the resolver appends suffixes in turn according to the suffix selection option: either the connection-specific suffix and the primary domain suffix with its parents (Server1.sales.south.contoso.msft, Server1.south.contoso.msft, Server1.contoso.msft), or the entries of a configured domain suffix search list.

Linux - DNS
Linux commonly runs BIND (or djbdns) to provide DNS:
 named: the daemon that runs the server side of DNS.
 resolver library: translates a friendly name to an IP address using the settings in the resolv.conf file. The resolver is the code in the end host that takes a user's request and sends queries to the domain's name servers.
 dig: a tool for testing your DNS server.

Figure: named reads named.conf, which references the primary zone file (pri.zone), the reverse zone and the local zone; queries arrive from the network and replies are returned.

DNS - Named.conf
The named.conf on a Linux box describes the configuration of the BIND system. named listens on port 53 (UDP and TCP) for queries; when a query arrives it consults named.conf to find which zone, if any, it is authoritative for. named.conf refers to four other zone files:
 Hints file
 Local host file
 Zone file
 Reverse zone file

DNS - Named.conf (cont)
 Hints file: contains the names and addresses of the root servers on the Internet. These servers refer queries towards the authoritative servers for users' domains.
 Local host file: makes this server master of its own loopback domain, to avoid sending such queries elsewhere.
 Zone file: the domain database; defines most of the information needed to resolve the domain being managed.
 Reverse zone file: maps IP addresses to host names; the mirror image of the zone file.

DNS - Queries
A query is a question such as "What is the IP address of this host name?". DNS queries can be divided into 3 types:
 Recursive query: the complete answer to the question is always returned (or an error).
 Iterative (non-recursive) query: the complete answer MAY be returned; otherwise a referral to another server is returned.
 Inverse query: the user wants to know the domain name for a given resource record. The inverse-query opcode (IQUERY) was obsoleted by RFC 3425; reverse lookups are done with PTR records in in-addr.arpa / ip6.arpa instead.

DNS – named.conf file Sample

options {
    pid-file "/var/run/bind/run/named.pid";
    directory "/etc/bind";
    // query-source address * port 53;
};
//
// a master nameserver config
//
zone "." {
    type hint;
    file "db.root";
};
zone " in-addr.arpa" {
    type master;
    file "db.local";
};
zone " in-addr.arpa" {
    type master;
    file "pri in-addr.arpa";
};
zone "centralsoft.org" {
    type master;
    file "pri.centralsoft.org";
};

The options statement defines the default directory for named and the location of the process ID (pid) file, named.pid. The four zone statements reference, in order, the hints file (db.root), the local host file (db.local), the reverse zone file and the zone file for centralsoft.org. (The network parts of the two in-addr.arpa zone names did not survive the transcript.)

DNS - The Primary Zone

@  IN SOA server1.centralsoft.org. root.localhost. (
              ; serial
   28800      ; refresh, seconds
   7200       ; retry, seconds
              ; expire, seconds
            ) ; minimum, seconds
   NS  server1.centralsoft.org.
   NS  ns0.centralsoft.org.
   MX  10 server1.centralsoft.org.   ; Mail Server
centralsoft.org.  A
www               A
server1           A
ns0               A

The host name of the master server for this zone is server1.centralsoft.org. The NS records specify the name servers that are responsible for the domain. Text after a semicolon is a comment. (The serial, expire and minimum values and the IPv4 addresses of the A records are missing from the transcript.)

DNS - The Primary Zone File

@  IN SOA ns.example.org. root.localhost. (
              ; serial
   28800      ; refresh, seconds
   7200       ; retry, seconds
              ; expire, seconds
            ) ; minimum, seconds

The fields of the SOA record, in order: Name (@), Class (IN = Internet), Type (SOA), Name-Server (ns.example.org.), Mail-Address (root.localhost.), Serial-no, Refresh, Retry, Expiry, Minimum-TTL.

DNS - The Primary Zone File (cont)
 Name: the root name of the zone. The @ sign is shorthand for the current origin, i.e. the zone name given for this database file in /etc/named.conf.
 Class: a number of different DNS classes exist. Since the configuration uses IP mapping for BIND, the IN class is used.
 Type: the type of DNS resource record; in this case an SOA (Start of Authority) record.
 Name-server: the fully qualified primary name server. Must end with a period.
 Mail-address: the mailbox of the person responsible for the domain, written with the @ replaced by a dot (root.localhost. means root@localhost).

DNS - The Primary Zone File (cont)
 Serial-no: must be incremented each time the file is edited. Slave servers compare it with their own copy to decide whether the zone has been updated.
 Refresh: a length in seconds telling a slave DNS server how often to check the master; every refresh cycle the slave queries the master's SOA and updates if the serial has grown.
 Retry: how long, in seconds, the slave waits before trying again if a refresh attempt fails.
 Expiry: the length of time the slave should continue to answer queries for the zone even if it has been unable to update the zone file; after this the slave stops serving the zone.
 Minimum-TTL: originally the default time to live (TTL) for records in this domain, in seconds. Since RFC 2308 this field is the negative-caching TTL (how long resolvers cache a "no such name" answer) and the default record TTL is set with the $TTL directive.
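A parser and pre-load checker for the zone-file syntax used on the resource-record and primary-zone slides above, plus the serial comparison behind the SOA/IXFR exchange, as an added example that is not part of the original slides. ZONE_TEXT is a constructed version of the centralsoft.org zone with the serial, expire and minimum values and the 192.0.2.x addresses filled in as assumptions; it also adds a CNAME so the CNAME rules can be exercised.

```python
# Added example (not from the original slides): a parser for the zone-file
# syntax shown above (@, origin-relative names, parenthesised SOA, ';'
# comments), the structural checks an operator runs before loading a zone,
# and RFC 1982 serial comparison as used when a secondary decides whether
# to transfer. ZONE_TEXT is constructed; its numbers and addresses are
# assumptions (192.0.2.x is the RFC 5737 documentation range).
import re

ZONE_TEXT = """\
$TTL 86400
@   IN SOA server1.centralsoft.org. root.localhost. (
        2016022101 ; serial
        28800      ; refresh, seconds
        7200       ; retry, seconds
        604800     ; expire, seconds
        3600 )     ; minimum (negative-cache TTL), seconds
    NS  server1.centralsoft.org.
    NS  ns0.centralsoft.org.
    MX  10 server1.centralsoft.org.   ; Mail Server
centralsoft.org.  A  192.0.2.1
www      A  192.0.2.2
server1  A  192.0.2.1
ns0      A  192.0.2.3
search   CNAME www
"""
RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "TXT", "SRV"}

def absolute(name, origin):
    """Make a relative owner or target name fully qualified against the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Return (default_ttl, [(owner, type, rdata_tokens), ...])."""
    lines = [re.sub(r";.*", "", ln) for ln in text.splitlines()]  # drop comments
    logical, buf, depth = [], "", 0
    for ln in lines:                      # join '( ... )' continuation lines
        buf = ln if not buf else buf + " " + ln
        depth += ln.count("(") - ln.count(")")
        if depth == 0:
            if buf.strip():
                logical.append(buf.replace("(", " ").replace(")", " "))
            buf = ""
    if depth:
        raise ValueError("unbalanced parentheses")
    records, ttl, owner = [], None, origin
    for ln in logical:
        tokens = ln.split()
        if tokens[0] == "$TTL":
            ttl = int(tokens[1]); continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]; continue
        if not ln[0].isspace():           # owner present; leading blank = previous owner
            owner = absolute(tokens.pop(0), origin)
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0)
        if rtype not in RRTYPES:
            raise ValueError("unknown record type %s" % rtype)
        records.append((owner, rtype, tokens))
    return ttl, records

def soa_fields(records, origin):
    """SOA rdata as a dict: mname, rname, serial, refresh, retry, expire, minimum."""
    for owner, rtype, rdata in records:
        if rtype == "SOA" and owner == origin:
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            return dict(zip(keys, rdata[:2] + [int(x) for x in rdata[2:7]]))
    return None

def check_zone(text, origin):
    """Structural checks a primary should pass before the zone is loaded."""
    ttl, records = parse_zone(text, origin)
    problems, by_owner = [], {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, []).append(rtype)
    if by_owner.get(origin, []).count("SOA") != 1:
        problems.append("zone needs exactly one SOA at the apex")
    if "NS" not in by_owner.get(origin, []):
        problems.append("no NS records at the apex")
    cnames = {o for o, t, _ in records if t == "CNAME"}
    for o in cnames:                      # RFC 1034: a CNAME must stand alone
        if len(by_owner[o]) > 1:
            problems.append("%s has a CNAME and other data" % o)
    for owner, rtype, rdata in records:   # RFC 2181: MX/NS must not point at a CNAME
        if rtype in ("MX", "NS") and absolute(rdata[-1], origin) in cnames:
            problems.append("%s %s target %s is a CNAME" % (owner, rtype, rdata[-1]))
    return ttl, records, problems

def serial_newer(new, old):
    """RFC 1982 serial arithmetic: is `new` later than `old` modulo 2**32?
    This is the comparison a secondary makes (primary 12056 vs its own 12054)."""
    return 0 < (new - old) % 2**32 < 2**31

if __name__ == "__main__":
    ttl, records, problems = check_zone(ZONE_TEXT, "centralsoft.org.")
    print("default TTL", ttl, "records", len(records), "problems", problems)
    print("SOA", soa_fields(records, "centralsoft.org."))
```

serial_newer is the edge case worth remembering: serials are compared modulo 2^32, so a secondary that sees 5 after 4294967295 treats it as newer, while a serial that jumps by 2^31 or more (a common accident when switching from a counter to a YYYYMMDDnn date format and back) looks older and the zone silently stops transferring.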

DNS – Server Type
DNS can be configured as several different types of server:
 Master DNS (a.k.a. Primary)
 Slave DNS (Secondary)
 Caching DNS (a.k.a. Hint)
 Forwarding DNS (a.k.a. Proxy, Client, Remote)
 Authoritative-only DNS

DNS Forwarder
A forward-only domain name server forwards every query it cannot answer from cache to the parent DNS servers over IP. It can be built by modifying the caching-only name server configuration in /var/named/chroot/etc/named.conf; the two lines "forwarders { ... };" and "forward only;" tell named that it must forward all queries to the parent DNS servers:

options {
    forwarders { 2001:d30:102:1000::1001; 2001:d30:101:1::11; };
    forward only;
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    allow-query { /24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-recursion { /24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-transfer { none; };
    listen-on-v6 { any; };
};

The allow-query and allow-recursion lists restrict who may use this resolver to the local networks (the IPv4 prefix before "/24" is missing from the transcript), and allow-transfer { none; } refuses zone transfers, so the server is neither an open resolver nor a source of zone data.
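A check for the two access-control mistakes this configuration avoids (an open resolver and open zone transfers), also covering the "restrict zone transfer to specified servers" advice earlier, as an added example that is not part of the original slides. It parses BIND's brace syntax with a small recursive-descent parser; WEAK_CONF is constructed, and GOOD_CONF is the forwarder configuration from the slide with the missing IPv4 prefix assumed to be 192.0.2.0/24. It does not model every BIND default (older releases defaulted allow-transfer to any), so a missing allow-transfer is reported rather than assumed safe.

```python
# Added example (not from the original slides): a lint for the access-control
# lists in a BIND named.conf. It tokenises the brace syntax, reads the
# allow-recursion / allow-transfer statements from the options and zone
# blocks, and reports an open resolver or open zone transfers.
# WEAK_CONF is constructed; GOOD_CONF is the slide's forwarder configuration
# with the lost IPv4 prefix assumed to be 192.0.2.0/24.
import re

WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;                 // BIND default
    allow-query     { any; };
    allow-recursion { any; };      // anyone on the Internet may use this cache
    allow-transfer  { any; };      // anyone may AXFR the zones below
};
zone "centralsoft.org" {
    type master;
    file "pri.centralsoft.org";
};
"""

GOOD_CONF = """
options {
    forwarders { 2001:d30:102:1000::1001; 2001:d30:101:1::11; };
    forward only;
    directory "/var/named";
    allow-query     { 192.0.2.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-recursion { 192.0.2.0/24; localhost; 2001:d30:1214::/64; ::1/128; fe80::/10; };
    allow-transfer  { none; };
    listen-on-v6 { any; };
};
"""

OPEN = {"any", "0.0.0.0/0", "::/0"}   # address-match entries that mean "everyone"

def tokenize(text):
    """Strip /* */, // and # comments; split into words, quoted strings and { } ;"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//.*|#.*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse_block(tokens, i=0):
    """Parse 'word word { ... };' statements into [(words, body_or_None)], recursively."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i].strip('"'))
            i += 1
        body = None
        if i < len(tokens) and tokens[i] == "{":
            body, i = parse_block(tokens, i + 1)
            i += 1                          # consume the closing '}'
        if i >= len(tokens) or tokens[i] != ";":
            raise ValueError("expected ';' near token %d" % i)
        i += 1
        stmts.append((words, body))
    return stmts, i

def statement(stmts, name):
    """First statement whose keyword is `name` -> (words, body), else (None, None)."""
    for words, body in stmts:
        if words and words[0] == name:
            return words, body
    return None, None

def acl(stmts, name):
    """Address-match list of an allow-* statement as a set, or None if absent."""
    _, body = statement(stmts, name)
    return None if body is None else {w[0] for w, _ in body if w}

def audit(conf_text):
    """Findings for the classic named.conf exposure mistakes."""
    stmts, _ = parse_block(tokenize(conf_text))
    findings = []
    _, options = statement(stmts, "options")
    options = options or []
    rec_words, _ = statement(options, "recursion")
    recursion_on = (rec_words or ["recursion", "yes"])[1] == "yes"   # BIND default is yes
    allow_rec = acl(options, "allow-recursion")
    if recursion_on and allow_rec is not None and OPEN & allow_rec:
        findings.append("open resolver: allow-recursion includes any")
    elif recursion_on and allow_rec is None:
        findings.append("recursion enabled without an explicit allow-recursion list")
    global_xfer = acl(options, "allow-transfer")
    for words, body in stmts:
        if words[:1] != ["zone"] or body is None:
            continue
        type_words, _ = statement(body, "type")
        ztype = type_words[1] if type_words else "?"
        effective = acl(body, "allow-transfer")
        effective = global_xfer if effective is None else effective
        if ztype in ("master", "primary", "slave", "secondary") and \
                (effective is None or OPEN & effective):
            findings.append("zone %s: allow-transfer is missing or allows any" % words[1])
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("good:", audit(GOOD_CONF))
```

Run it against your own named.conf (read the file and pass its text to audit); a zone-level allow-transfer overrides the options-level one, which the loop models by falling back to the global list only when the zone has none.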

Thank you