
Zone transfer and dns-express


1 Zone transfer and dns-express
Jing Lin V1.0

2 Version history
Version  Date  Author    Note
1.0            Jing Lin

3 Zone transfer
A slave (secondary) name server pulls the zone from the master (primary) name server. There are two types of zone transfer, AXFR and IXFR:
AXFR: full zone transfer; the master sends the whole zone.
IXFR: incremental transfer; the master sends only the changes made since the SOA serial the slave already holds.

4 Zone transfer
When a slave name server starts for the first time it has no copy of the zone, so it requests an AXFR from the master. After that first transfer completes, the slave checks for updates by sending an IXFR that carries its current SOA serial; the check interval is the refresh value in the zone's SOA record. If the master does not support IXFR, the slave falls back to AXFR. BIND supports both AXFR and IXFR by default.

5 notify
So that slaves learn of an update as soon as possible, the master sends a NOTIFY message to its slave servers. By default the master only notifies the servers listed in the zone's NS records (excluding itself). The also-notify { ip [port n]; ... } statement makes the master send NOTIFY to the listed servers in addition to those in the zone. When a slave receives a NOTIFY, it sends an SOA query to the master and compares the master's serial with its own: if the master's serial is greater (in RFC 1982 serial arithmetic), the slave starts an IXFR, and falls back to AXFR if the IXFR fails. A NOTIFY carries no zone data and is unauthenticated unless TSIG is used; a forged one can at most trigger an extra SOA check, because the slave only transfers when the serial has actually advanced.
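The refresh cycle described on slides 4 and 5, as an added example that is not part of the deck or of BIND: a slave that does the initial AXFR, compares serials with RFC 1982 arithmetic, tries IXFR and falls back to AXFR when the master cannot answer incrementally. The Master and Slave classes and the record strings are constructed for illustration; a real slave sends SOA, IXFR and AXFR queries over the wire instead.

```python
"""Added example, not code from the deck or from BIND: the slave-side
refresh logic of slides 4 and 5 against a constructed in-memory master.
Master/Slave and the record strings are illustration-only assumptions."""

SERIAL_HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if 32-bit serial a is newer than b.
    Plain integer comparison fails once a serial wraps past 2**32 - 1."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


class Master:
    """Constructed master: records is a set of strings standing in for RRs;
    history maps an old serial to (deletes, adds, next_serial) so IXFR can
    replay the changes since the serial the slave reports."""

    def __init__(self, serial, records, supports_ixfr=True):
        self.serial = serial
        self.records = set(records)
        self.history = {}
        self.supports_ixfr = supports_ixfr

    def update(self, new_serial, deletes=(), adds=()):
        self.history[self.serial] = (set(deletes), set(adds), new_serial)
        self.records = (self.records - set(deletes)) | set(adds)
        self.serial = new_serial

    def soa_serial(self):
        return self.serial

    def axfr(self):
        return self.serial, set(self.records)

    def ixfr(self, slave_serial):
        """Deltas from slave_serial up to the current serial, or None when
        the master cannot answer incrementally (IXFR disabled, or no history
        covering the slave's serial)."""
        if not self.supports_ixfr:
            return None
        deltas, s = [], slave_serial
        while s != self.serial:
            if s not in self.history:
                return None
            deletes, adds, s = self.history[s]
            deltas.append((deletes, adds))
        return self.serial, deltas


class Slave:
    def __init__(self):
        self.serial = None
        self.records = set()
        self.log = []

    def refresh(self, master):
        """One refresh cycle, run on SOA-refresh expiry or after a NOTIFY.
        Returns which transfer was used: 'axfr', 'ixfr' or 'none'."""
        if self.serial is None:                      # first start: no zone yet
            self.serial, self.records = master.axfr()
            self.log.append("initial AXFR")
            return "axfr"
        remote = master.soa_serial()                 # the SOA query
        if not serial_gt(remote, self.serial):       # equal, or master went backwards
            self.log.append("serial %d not newer than %d" % (remote, self.serial))
            return "none"
        result = master.ixfr(self.serial)
        if result is None:                           # IXFR refused: fall back
            self.serial, self.records = master.axfr()
            self.log.append("IXFR failed, fell back to AXFR")
            return "axfr"
        new_serial, deltas = result
        for deletes, adds in deltas:
            self.records = (self.records - deletes) | adds
        self.serial = new_serial
        self.log.append("IXFR applied %d delta(s)" % len(deltas))
        return "ixfr"
```

The "master went backwards" branch is the case that bites in practice: a master restored from an old backup with a lower serial is silently ignored by every slave until its serial is bumped past theirs.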

6 Master
Master server:
zone "cnadn.net" {
    type master;
    allow-transfer { ; ; };
    //file "/etc/bind/db.cnadn.net.signed";
    file "/etc/bind/db.cnadn.net";
};
By default BIND (in the releases this deck covers) lets any host run AXFR against it, which hands the complete zone to anyone who asks; be careful with this. Disable allow-transfer globally in options and enable it only in each specific zone, for the slaves' addresses or a TSIG key. A dig query of type axfr against the master tests whether a transfer is allowed.
=======
$TTL        ; 24 hours could have been written as 24h or 1d
$ORIGIN cnadn.net.
@   1D  IN  SOA ns1 hostmaster (
                        ; serial
                1m      ; refresh
                15      ; retry
                1w      ; expire
                3h      ; minimum
                )
    IN  NS  ns1         ; in the domain
    IN  NS  ns2
    IN  NS  ns3
ns1     IN  A           ; name server definition
ns2     IN  A           ; slave
ns3     IN  A           ; gtm v11
www     IN  A           ; web server definition
ftp     IN  CNAME       ; ftp server definition
mail    IN  A
                        ; subdomain delegation
sub     IN  NS  ns1.sub.cnadn.net.
ns1.sub.cnadn.net.  IN  A
=============
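As an added example (not from the deck), the weak default beside a hardened named.conf. The 192.0.2.x addresses, the key name xfer-cnadn and the secret are placeholders; older BIND releases (including those current when this deck was written) default allow-transfer to any, newer ones changed the default to none, and setting it explicitly costs nothing either way.

```conf
// Added example, not from the deck: weak setting next to the hardened one.
// 192.0.2.x addresses, the key name and the secret are placeholders.

// Weak: allow-transfer not set, so (in older BIND releases) any host can
// pull the whole zone with a dig axfr query.
zone "cnadn.net" {
    type master;
    file "/etc/bind/db.cnadn.net";
};

// Hardened: refuse transfers globally, then allow them per zone only to
// holders of a TSIG key (generate the secret with tsig-keygen).
key "xfer-cnadn" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT";
};

options {
    allow-transfer { none; };
};

zone "cnadn.net" {
    type master;
    file "/etc/bind/db.cnadn.net";
    allow-transfer { key "xfer-cnadn"; };
    also-notify { 192.0.2.2; 192.0.2.3; };
};

// On the slave, present the same key when pulling from the master:
zone "cnadn.net" {
    type slave;
    masters { 192.0.2.1 key "xfer-cnadn"; };
    file "slave.db.cnadn.net";
};
```

Validate the file with named-checkconf, then run a dig axfr for the zone from a host that is not a slave: with the hardened configuration it should report "Transfer failed." while a keyed slave still transfers.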

7 slave
zone "cnadn.net" {
    type slave;
    masters { 192.168.209.71; };
    //file "/etc/bind/db.cnadn.net.signed";
    file "slave.db.cnadn.net";
};
When setting up a new slave server, the only work is editing named.conf; the zone file is written to disk after the first successful zone transfer.

8 DNS Express

9 GTM DNS express
Pulls the zone into memory and answers directly from RAM, which improves performance significantly.
It is an LTM feature, not only part of the GTM module.
Supports every RR type except AXFR and IXFR, which means you cannot run AXFR/IXFR against DNS Express.
Supports TSIG, and can receive NOTIFY.
Does NOT support views.
Supports IPv6 and TCP/UDP.
DNSSEC support? (It should be supported; to be verified in another deck.)

10 How dns express works
It actually lives in TMM.
zxfrd, a new process in v11, controls the zxfrd.bin file. TMM reads a binary db file from /var/db/tmmdns.bin. When an update happens, zxfrd.bin is updated first; some time later zxfrd writes tmmdns.bin. Afterwards the two files should be identical.

11 How dns express works
This diagram describes in detail the inner workings of DNS Express. zxfrd, the zone transfer daemon, performs zone transfers with the authoritative DNS server. The results of the zone transfer are stored in a memory-mapped segment that is serialized to disk (/var/db/zxfrd.bin). zxfrd registers with MCPD to receive information about when and what to query, and to send notice to TMM that the zone DB has been updated. When TMM receives a DNS NOTIFY saying that the zone on the authoritative server has been updated, TMM informs MCPD, which looks up the zone's notify-action for the domain; if it is set to consume or repeat, MCPD proxies the update request to zxfrd. On receiving the update request, zxfrd initiates a zone transfer (via IXFR) from the authoritative DNS server and commits the result to the zone DB. zxfrd then notifies MCPD that the transfer has completed, MCPD proxies that notification to TMM, and TMM re-reads the zone DB. In summary, MCPD facilitates event notification (updates, configuration) and zxfrd handles zone transfers and updates the memory-mapped segment that TMM reads from.

12 Zxfrd state transitions

13 Dns request match rule
When the BIG-IP receives a DNS request:
1. Check whether it matches a wide IP (GTM module). If yes, answer according to the wide IP configuration; if no, go to step 2.
2. Check whether it matches a DNS Express zone. If yes, TMM answers directly from the DNS Express zone; if no, go to step 3.
3. Check the listener virtual server and decide whether the request needs to be sent to a backend DNS server (pool member).

14 DNS express troubleshooting
Check /var/log/ltm and grep for zxfrd messages.
Check the zxfrd process status with bigstart status zxfrd.
zxfrd listens on ::1:5353.
Zone transfers use tcp:53, so the master's allow-transfer list (and any firewall in between) must permit the BIG-IP's source address on that port.

15 Sample logs
When the master refuses the BIG-IP's AXFR/IXFR:
Sep 18 10:46:31 ltm err zxfrd[6393]: :3: Transfer of zone cnadn.net failed b/c there are no records.
Sep 18 10:46:31 ltm err zxfrd[6393]: :3: Failed to retrieve next RR in XFR for zone cnadn.net.
Sep 18 10:46:31 ltm err zxfrd[6393]: :3: Failed to transfer zone cnadn.net from , will attempt AXFR.
Sep 18 10:46:31 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 5s for cnadn.net from
Sep 18 10:46:36 ltm err zxfrd[6393]: :3: Transfer of zone cnadn.net failed b/c there are no records.
Sep 18 10:46:36 ltm err zxfrd[6393]: :3: Failed to retrieve next RR in XFR for zone cnadn.net.
Sep 18 10:46:36 ltm err zxfrd[6393]: :3: Failed to transfer zone cnadn.net from , will attempt AXFR.
Sep 18 10:46:36 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 5s for cnadn.net from
The logs above come from this situation: the TCP connection is fine, but the master does not list the BIG-IP in allow-transfer. zxfrd reports the refusal only as "no records" and keeps retrying every 5 seconds, so this repeating pattern together with a zone that never turns green is the signature of a missing allow-transfer entry.

16 Sample logs-continue
After the master allows the BIG-IP to transfer:
Sep 18 10:47:06 ltm notice zxfrd[6393]: f:5: AXFR Transfer of zone cnadn.net from succeeded.
Sep 18 10:47:06 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 180s for cnadn.net from
Regular checking at the SOA refresh interval:
Sep 18 10:56:06 ltm notice zxfrd[6393]: :5: Serials equal ( ); transfer for zone cnadn.net complete.
Sep 18 10:56:06 ltm debug zxfrd[6393]: :7: Resetting transfer state for zone cnadn.net.
Sep 18 10:56:06 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 180s for cnadn.net from

17 Sample logs-continue
When the BIG-IP finds that the master's serial number is greater:
Sep 18 11:05:06 ltm debug zxfrd[6393]: :7: Cleared zone cnadn.net from db.
Sep 18 11:05:06 ltm notice zxfrd[6393]: f:5: AXFR Transfer of zone cnadn.net from succeeded.
Sep 18 11:05:06 ltm debug zxfrd[6393]: :7: Scheduling DB dump with zone cnadn.net.
Sep 18 11:05:06 ltm debug zxfrd[6393]: :7: Resetting transfer state for zone cnadn.net.
Sep 18 11:05:06 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 180s for cnadn.net from
Although the zxfrd log says AXFR, the request that was sent is an IXFR. The master's zone is loaded from a file with no journal (no dynamic updates, no ixfr-from-differences), so it has no change history to send and answers the IXFR with the full zone in AXFR format; that is what BIND calls an "AXFR-style IXFR". The master's log shows it as:
Sep 18 15:05:32 bind named[4686]: client #41263: transfer of 'cnadn.net/IN': AXFR-style IXFR started
Sep 18 15:05:32 bind named[4686]: client #41263: transfer of 'cnadn.net/IN': AXFR-style IXFR ended

18 Sample logs-continue
When a NOTIFY message is received:
Sep 18 11:21:23 ltm notice zxfrd[6393]: c:5: Handling NOTIFY for zone cnadn.net.
Sep 18 11:21:23 ltm debug zxfrd[6393]: :7: Resetting transfer state for zone cnadn.net.
Sep 18 11:21:23 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 5s for cnadn.net from
Sep 18 11:21:28 ltm debug zxfrd[6393]: :7: Cleared zone cnadn.net from db.
Sep 18 11:21:28 ltm notice zxfrd[6393]: f:5: AXFR Transfer of zone cnadn.net from succeeded.
Sep 18 11:21:28 ltm debug zxfrd[6393]: :7: Scheduling DB dump with zone cnadn.net.
Sep 18 11:21:28 ltm debug zxfrd[6393]: :7: Resetting transfer state for zone cnadn.net.
Sep 18 11:21:28 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 60s for cnadn.net from
A listener must be configured before the BIG-IP can handle NOTIFY messages. Either a GTM listener or an LTM virtual server works, but whichever is used needs a DNS profile with DNS Express enabled.
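An added example, not the deck's or F5's code: a parser for the zxfrd lines on slides 15 to 18 that keeps per-zone transfer state and flags zones that fail repeatedly, so the "no records" retry loop of slide 15 can be alerted on instead of read by eye. SAMPLE_LOG is constructed in the deck's format, with the master address 192.0.2.1 and a second zone example.net made up; the threshold of three consecutive failures is an assumption.

```python
"""Added example, not code from the deck or from F5: a parser for the zxfrd
log lines on slides 15-18 that tracks per-zone transfer state and flags zones
that keep failing. SAMPLE_LOG is constructed in the deck's format (the source
address 192.0.2.1 and the example.net zone are made up); max_failures is an
assumed threshold."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\w+) "
    r"zxfrd\[(?P<pid>\d+)\]: (?P<code>[0-9a-f]*):(?P<lvl>\d): (?P<msg>.*)$"
)

# One pattern per event worth counting. The "Failed to retrieve next RR" and
# "Failed to transfer ... will attempt AXFR" lines belong to the same attempt
# as "Transfer of zone ... failed", so only that one counts as a failure.
EVENT_PATTERNS = [
    ("failed",    re.compile(r"Transfer of zone (?P<zone>\S+) failed")),
    ("succeeded", re.compile(r"(?P<mode>[AI]XFR) Transfer of zone (?P<zone>\S+) .*succeeded")),
    ("current",   re.compile(r"Serials equal .* zone (?P<zone>\S+) complete")),
    ("notify",    re.compile(r"Handling NOTIFY for zone (?P<zone>\S+)\.")),
    ("scheduled", re.compile(r"Scheduling zone transfer in (?P<secs>\d+)s for (?P<zone>\S+)")),
]


def parse_line(line):
    """Return an event dict (ts, sev, kind, zone, ...) or None for non-zxfrd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "sev": m["sev"], "kind": "other", "zone": None}
    for kind, rx in EVENT_PATTERNS:
        hit = rx.search(m["msg"])
        if hit:
            event["kind"] = kind
            event.update(hit.groupdict())
            break
    return event


def summarize(lines, max_failures=3):
    """Fold the log into per-zone state; return (state, sorted zones to alert on)."""
    zones = defaultdict(lambda: {"consecutive_failures": 0, "last_success": None,
                                 "notifies": 0, "next_transfer_s": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["zone"] is None:
            continue
        z = zones[ev["zone"]]
        if ev["kind"] == "failed":
            z["consecutive_failures"] += 1
        elif ev["kind"] in ("succeeded", "current"):   # any good answer resets the streak
            z["consecutive_failures"] = 0
            z["last_success"] = ev["ts"]
        elif ev["kind"] == "notify":
            z["notifies"] += 1
        elif ev["kind"] == "scheduled":               # 5s = retry loop, larger = refresh timer
            z["next_transfer_s"] = int(ev["secs"])
    alerts = sorted(zone for zone, z in zones.items()
                    if z["consecutive_failures"] >= max_failures)
    return dict(zones), alerts


SAMPLE_LOG = [  # constructed; mirrors the deck's lines with the master address filled in
    "Sep 18 10:46:31 ltm err zxfrd[6393]: :3: Transfer of zone cnadn.net failed b/c there are no records.",
    "Sep 18 10:46:31 ltm err zxfrd[6393]: :3: Failed to transfer zone cnadn.net from 192.0.2.1, will attempt AXFR.",
    "Sep 18 10:46:31 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 5s for cnadn.net from 192.0.2.1",
    "Sep 18 10:46:36 ltm err zxfrd[6393]: :3: Transfer of zone cnadn.net failed b/c there are no records.",
    "Sep 18 10:47:06 ltm notice zxfrd[6393]: f:5: AXFR Transfer of zone cnadn.net from 192.0.2.1 succeeded.",
    "Sep 18 10:47:06 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 180s for cnadn.net from 192.0.2.1",
    "Sep 18 10:56:06 ltm notice zxfrd[6393]: :5: Serials equal (2011091801); transfer for zone cnadn.net complete.",
    "Sep 18 11:21:23 ltm notice zxfrd[6393]: c:5: Handling NOTIFY for zone cnadn.net.",
    "Sep 18 11:21:28 ltm notice zxfrd[6393]: f:5: AXFR Transfer of zone cnadn.net from 192.0.2.1 succeeded.",
    "Sep 18 11:21:28 ltm notice zxfrd[6393]: :5: Scheduling zone transfer in 60s for cnadn.net from 192.0.2.1",
    "Sep 18 11:30:01 ltm err zxfrd[6393]: :3: Transfer of zone example.net failed b/c there are no records.",
    "Sep 18 11:30:06 ltm err zxfrd[6393]: :3: Transfer of zone example.net failed b/c there are no records.",
    "Sep 18 11:30:11 ltm err zxfrd[6393]: :3: Transfer of zone example.net failed b/c there are no records.",
    "Sep 18 11:30:11 ltm info sshd[1234]: unrelated line that the parser ignores",
]

if __name__ == "__main__":
    state, alerts = summarize(SAMPLE_LOG)
    for zone, z in state.items():
        print(zone, z)
    print("alert:", alerts)
```

Feed it `grep zxfrd /var/log/ltm` and the `next_transfer_s` value tells you whether a zone is on its refresh timer or stuck in the 5-second retry loop of slide 15.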

19 Verify dns-express status
Check the statistics of the DNS Express zone in the GUI, with the data format set to unformatted.
Check the DNS Express zone colour; it should be green.
tmsh show ltm dns dns-express
# tmsh show ltm dns dns-express
Ltm::DNS-Express Zone: cnadn.net
Status
  Availability : available
  State        : enabled
  Reason       : Successful IXFR.
SOA Attributes
  Serial  :
  Refresh : 60
  Retry   : 15
  Expire  :
Resource Records (11 total)
  A
  NS
  CNAME

20 Dump dns-express to a file
Running the command below prints the result on the terminal.
dnsxdump
# dnsxdump
DNS-Express DB Dump
-= Region Stats =-
memory: 132 objects (132 small/0 large), 5600 bytes allocated (71 wasted) in 2 chunks, 1 cleanups, 216 in recyclebin
-= DB Dump =-
Domain: .
Domain: net.
Domain: cnadn.net.
  cnadn.net IN NS ns1.cnadn.net
  cnadn.net IN NS ns2.cnadn.net
  cnadn.net IN NS ns3.cnadn.net
  cnadn.net IN SOA ns1.cnadn.net hostmaster.cnadn.net
Domain: ftp.cnadn.net.
  ftp.cnadn.net IN CNAME
Domain: hostmaster.cnadn.net.
Domain: mail.cnadn.net.
  mail.cnadn.net IN A
Domain: ns1.cnadn.net.
  ns1.cnadn.net IN A
Domain: ns2.cnadn.net.
  ns2.cnadn.net IN A
Domain: ns3.cnadn.net.
  ns3.cnadn.net IN A
Domain: sub.cnadn.net.
  sub.cnadn.net IN NS ns1.sub.cnadn.net
Domain: ns1.sub.cnadn.net.
  ns1.sub.cnadn.net IN A
Domain:
  IN A
Domain: example.net.
Domain:
-= DB Stats =-
RR Count: 12
Name Count: 14
RR Count by Type:
  A: 6
  NS: 4
  CNAME: 1
  SOA: 1

21 Debug zxfrd
Turn on zxfrd debug:
tmsh modify sys db log.zxfrd.level value debug (default is notice)
Output goes to /var/tmp/zxfrd.out. At debug level every transfer is dumped in full, so set the level back to notice when you are done.
////////// SEND_QUERY START
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 54887
;; flags: ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; cnadn.net. IN IXFR
;; ANSWER SECTION:
;; AUTHORITY SECTION:
cnadn.net IN SOA ns1.cnadn.net hostmaster.cnadn.net
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; WHEN: Wed Dec 31 16:00:
;; MSG SIZE rcvd: 0
////////// SEND_QUERY END
////////// GET_PKT START
;; flags: qr aa ; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
cnadn.net IN SOA ns1.cnadn.net hostmaster.cnadn.net
cnadn.net IN NS ns1.cnadn.net
cnadn.net IN NS ns2.cnadn.net
cnadn.net IN NS ns3.cnadn.net
ftp.cnadn.net IN CNAME
mail.cnadn.net IN A
ns1.cnadn.net IN A
ns2.cnadn.net IN A
ns3.cnadn.net IN A
sub.cnadn.net IN NS ns1.sub.cnadn.net
ns1.sub.cnadn.net IN A
 IN A
;; WHEN: Sun Sep 18 11:21:
;; MSG SIZE rcvd: 321
////////// GET_PKT END
TMMDNS DB PRINT
-= Region Stats =-
89 objects (89 small/0 large), 3568 bytes allocated (71 wasted) in 1 chunks, 0 cleanups, 88 in recyclebin
-= Zone RR Stats =-
cnadn.net (Total RRs: 11)
  A: 6
  NS: 4
  CNAME: 1
-= DB Dump =-
Domain: .
Domain: net.
Domain: cnadn.net.
Domain: ftp.cnadn.net.
Domain: hostmaster.cnadn.net.
Domain: mail.cnadn.net.
Domain: ns1.cnadn.net.
Domain: ns2.cnadn.net.
Domain: ns3.cnadn.net.
Domain: sub.cnadn.net.
Domain: ns1.sub.cnadn.net.
Domain:
Domain: example.net.
Domain:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25070
;; flags: qr aa ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WHEN: Sun Sep 18 11:22:
;; MSG SIZE rcvd: 78
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 1951
The SEND_QUERY block is the IXFR request itself: the question is cnadn.net/IN/IXFR and the slave's current SOA sits in the authority section, which is how the master learns which serial the BIG-IP already has.
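An added example, not code from the deck, BIND or F5: it builds the IXFR query that the debug dump above shows (question cnadn.net/IN/IXFR with the slave's current SOA in the authority section) and classifies a transfer reply the way RFC 1995 defines it, which is what separates a true incremental reply from the "AXFR-style IXFR" of slide 17. The zone name, serials, addresses and the replies are constructed; nothing is sent on the network.

```python
"""Added example, not code from the deck, BIND or F5: IXFR query construction
and RFC 1995 reply classification. Names, serials and addresses are constructed."""
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_IXFR = 1, 2, 6, 251
CLASS_IN = 1


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def soa_rdata(mname, rname, serial, refresh=60, retry=15, expire=604800, minimum=10800):
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)


def rr(name, rtype, rdata, ttl=86400):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_ixfr_query(zone, slave_serial, msg_id=54887):
    """IXFR query: QDCOUNT=1, NSCOUNT=1. The authority SOA carries the serial
    the slave already has, so the master knows which changes to send."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 1, 0)
    question = encode_name(zone) + struct.pack("!HH", TYPE_IXFR, CLASS_IN)
    soa = rr(zone, TYPE_SOA, soa_rdata("ns1." + zone, "hostmaster." + zone, slave_serial))
    return header + question + soa


def build_xfr_response(zone, answer_rrs, msg_id=54887, rcode=0):
    """Constructed master reply (QR|AA set) for the classifier below."""
    header = struct.pack("!HHHHHH", msg_id, 0x8400 | rcode, 1, len(answer_rrs), 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_IXFR, CLASS_IN) + b"".join(answer_rrs)


def parse_message(msg):
    """Return (header tuple, list of (name, type, rdata_offset, rdlen)) over all RR sections."""
    hdr = struct.unpack("!HHHHHH", msg[:12])
    off, rrs = 12, []
    for _ in range(hdr[2]):                          # skip the question(s)
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(hdr[3] + hdr[4] + hdr[5]):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, off, rdlen))
        off += rdlen
    return hdr, rrs


def soa_serial(msg, rdata_off):
    """The serial is the first 32-bit field after MNAME and RNAME; decode the
    names against the whole message because either may be a compression pointer."""
    off = rdata_off
    for _ in range(2):
        _, off = decode_name(msg, off)
    return struct.unpack("!I", msg[off:off + 4])[0]


def classify_xfr_response(msg):
    """RFC 1995 section 4: a transfer reply starts with the master's SOA.
    SOA alone -> zone is current; SOA followed by another SOA -> incremental
    delete/add sequences; SOA followed by ordinary RRs -> the master fell back
    to a full zone in AXFR format (what BIND logs as 'AXFR-style IXFR')."""
    hdr, rrs = parse_message(msg)
    rcode = hdr[1] & 0xF
    if rcode != 0:
        return {"style": "error", "rcode": rcode}
    answers = rrs[:hdr[3]]
    if not answers or answers[0][1] != TYPE_SOA:
        return {"style": "malformed"}
    serial = soa_serial(msg, answers[0][2])
    if len(answers) == 1:
        return {"style": "up-to-date", "serial": serial}
    style = "incremental" if answers[1][1] == TYPE_SOA else "axfr-style"
    return {"style": style, "serial": serial, "rrs": len(answers)}
```

The classifier only inspects the first two answer records, which is all RFC 1995 needs; a production consumer would go on to verify that the reply ends with the same SOA it started with before committing anything to the zone DB.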

22 How to config dns-express
1. Create a DNS profile from the LTM menu and enable DNS Express in it.
2. Create a GTM listener or a DNS virtual server and associate it with that DNS profile.
3. Create a DNS Express zone: the target IP is the master server; if using TSIG, select a TSIG key for the zone. Leave the notify action as consume.


