1 Guide to TCP/IP: Domain Name System
2 DNS: a TCP/IP Application Protocol
– Name resolution protocol: robust, reliable and stable.
– Implemented as a distributed database.
– What does it resolve? It maps the Internet's valid domain names (symbolic) to IP addresses (numeric).
– Note: a Windows 2000 domain is a group of computers and devices under one administration; a DNS domain is a node representing a partition of the DNS database. The two are different things.
– DNS replaced the manual task of updating HOSTS files on every machine in a network.
3 DNS (contd.): Network services with DNS enabled (diagram)
4 DNS in the protocol stack (diagram): DNS is an application-layer protocol (OSI layer 7) carried over a layer 4 transport, UDP or TCP (port 53), between the resolver and the DNS server.
5 DNS Background
– Early method: static text files (HOSTS).
– 1984: JEEVES, by Paul Mockapetris.
– 1988: BIND (Berkeley Internet Name Domain), by Kevin Dunlap; works with UNIX and Windows 2000.
6 DNS Structure (Domain Namespace)
– Hierarchical: an inverted tree with the root on top, designated by a single period (.).
– Partitions the namespace into categories, with parent/child domains:
  – Top-level domains
  – Organizational domain hierarchies: second-level domains
  – Host names
7 DNS Structure: an inverted tree (diagram)
– Besides the generic top-level domains there are two-letter country-code domains taken from ISO 3166, e.g. .uk. See ftp://ftp.ripe.net/iso3166-countrycode.txt
8 Structure (contd.)
– Root servers: the ultimate source for all name lookups. There are 13 root server names (A.ROOT-SERVERS.NET through M.ROOT-SERVERS.NET), each of which is today served by many anycast instances worldwide.
– Every host name that is meant to be reachable has at least one valid IP address; this name-to-address correlation is the most important function of DNS.
– The structure of the DNS database mirrors the domain namespace itself.
9 FQDN
– Fully Qualified Domain Name: all the labels of a name, including the periods, up to and including the trailing period that stands for the root.
– Example: Computer1.sales.microsoft.com. (host name Computer1, domain sales.microsoft.com, root ".").
– Names are read from the bottom of the tree upward: the leftmost label is the host, each label to its right is the parent domain, and the final period is the root.
10 Domain Namespace
– The structure of the DNS database mirrors the domain namespace itself.
– Partitioning: trees and subtrees.
– Delegation of authority:
  – Domain: registration and fees through a central authority (the registrar).
  – Subdomain: arbitrary, created by the local administrator.
– Any valid domain name ultimately resides on its master/primary server; copies can be made (secondaries).
11 Domain Namespace: "partitioning"
– Zone: a portion of the domain namespace held in one database file. The domain namespace is divided into zones.
– Diagram: the microsoft.com domain split into Zone 1 (microsoft.com itself, including sales) and Zone 2 (the development subdomain), each with its own zone database file.
12 Zones (contd.)
– Zones allow a domain namespace to be partitioned into manageable sections.
– Root domain of Zone 1: microsoft. Root domain of Zone 2: development.
13 Zone File
– On a Windows 2000 Server running DNS, the zone files live in the %SystemRoot%\System32\dns directory.
14 DNS Naming Conventions and Guidelines
– Limit the number of domain levels. Host entries should be 3 to 4 levels down, no more than 5: the more levels you have, the more administrative work.
– Use unique names. For ease of use, select simple names and avoid lengthy ones.
– Each label (the text between two periods) can be up to 63 characters; the limit applies per label, not to the whole name.
15 Naming Guidelines (contd.)
– An FQDN cannot exceed 255 characters.
– Names are not case sensitive.
– Use standard DNS characters, or Unicode characters where supported:
  – DNS characters (RFC 1035): A to Z, a to z, 0 to 9 and the hyphen (-); a label may not begin or end with a hyphen.
  – The Unicode character set includes characters not found in ASCII, required for non-English languages.
16 Unicode (contd.)
– Use Unicode characters only if all the servers involved support Unicode; a server that enforces the RFC 1035 character set will reject such names.
– For the UTF-8 encoding of Unicode see RFC 2044 (since superseded by RFC 3629).
17 DNS Database: Resource Records (RR)
– A resource record is one entry in the zone database holding a specific piece of DNS data:
– Address record (A): stores domain-name-to-IP-address translation data.
– Canonical name record (CNAME): creates an alias for another name.
– Name server record (NS): identifies the DNS servers authoritative for the domain.
18 RR (contd.)
– Pointer record (PTR): stores IP-address-to-domain-name translation data; supports reverse DNS lookup.
– Start of Authority record (SOA): identifies the master DNS server for a specific domain or subdomain and carries the zone's serial number and timers.
19 Other RR types
– Host information (HINFO) record
– Mail exchange (MX) record
– Text (TXT) record
– Well-known services (WKS) record
20 DNS Structure: delegation of authority
– Assignment of duties follows the hierarchy: zones, and authoritative servers for subdomains.
– NS records are an easy and quick way to point at the name servers of a delegated subdomain; the resource records reflect the delegation.
– DNS servers: three kinds at any given subdomain:
  – Primary
  – Secondary
  – Caching
21 DNS Servers (contd.)
– Primary or master server: holds the primary database file for the domain or subdomain.
  – Authoritative for the zone.
  – The database file is called the zone file, an ASCII snapshot that is loaded into memory when the server runs.
  – In the classic model there is only one primary/master for any given DNS zone (Active Directory-integrated zones relax this and allow several writable copies).
22 DNS Servers (contd.)
– Secondary or slave server: gets its data from the primary server and receives regular updates, either an incremental zone transfer (IXFR, RFC 1995) or a full copy of the zone (AXFR).
  – Every zone should have at least one slave server; multiple slaves are allowed.
  – Serves as a backup (fault tolerance) and provides load balancing.
  – Security caveat: restrict zone transfers to the addresses of your own secondaries; an unrestricted AXFR hands an outsider a complete list of your hosts.
23 DNS Servers (contd.)
– Caching servers: store recently accessed DNS records.
  – Can be stand-alone servers (primary and secondary servers also cache).
  – Ideal for large companies and Internet service providers.
  – Speed up access by storing lookup data locally.
  – Hold no zone of their own, so they are authoritative for nothing and answer only from the cache or by querying other servers.
24 DNS Root-Level Servers
– Top of the hierarchy.
– Can reach every element of the hierarchy (subdomains) through the chain of delegations.
– Any query that cannot be handled locally (from a zone or the cache) starts at a root server.
– The resolver then follows NS (name server) records from zone to zone until it finds the authoritative server that holds the SOA for the name.
25 How Domain Name Servers Work (diagram)
– Query (client) -> local zone (authoritative server) -> neighbourhood/caching server -> root, then the authoritative servers, following NS records.
– If the DNS server is authoritative for the name, it gives the data directly.
– This process always produces some kind of answer, even if that answer is an error message.
26 Types of Queries: Recursive
– Recursive: "a query that keeps working until an answer of some kind is forthcoming."
  – The first DNS server to receive it issues further queries on the client's behalf.
  – When the other servers respond to the first server, they either provide an answer from their own databases or caches, OR
  – provide pointers (NS records) to other, "closer" name servers.
27 Types of Queries (contd.): Iterative
– Iterative or non-recursive: a query to an authoritative server that may or may not produce an answer; the server returns the best it has, possibly only a referral.
  – The first DNS server that received the recursive query issues repeated iterative queries to other servers.
  – It will either get an answer or an error message.
  – Question: what is the difference between a DNS server that receives a recursive query and one that receives an iterative query? (The recursive one must chase the answer down on the client's behalf; the iterative one answers only from what it holds and otherwise refers the asker elsewhere.)
28 Queries (contd.)
– Why is caching important to a DNS server? It avoids repeating the whole root-to-authoritative walk for every lookup of the same name, cutting latency for clients and load on the hierarchy.
– What is a non-authoritative response? An answer served from a cache rather than from the zone's own data. An authoritative response comes from a server that holds the zone (the AA bit is set in the reply).
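The query process of slides 24 to 28 as running code: a stub client sends one recursive query to its local server, which chases the answer with iterative queries (root, then TLD, then the authoritative server), follows NS referrals, caches the result for its TTL and reports whether the answer was authoritative. This is an added example, not code from the presentation; the server names, zones and records are constructed (the slides' tree.com plus made-up root and .com servers), and glue addresses for referred servers are assumed to be known.

```python
"""Simulated recursive resolver walking a constructed DNS hierarchy."""
from dataclasses import dataclass


@dataclass
class Response:
    answer: list          # (name, type, ttl, rdata) tuples
    referral: list        # names of "closer" name servers, if no answer
    authoritative: bool   # the AA bit: the server owns the zone it answered from


# Constructed zone data: each server is authoritative for exactly one zone.
# Records are keyed by (owner, type) -> list of (ttl, rdata).
SERVERS = {
    "a.root-servers.net.": (".", {
        ("com.", "NS"): [(172800, "a.gtld-servers.net.")],
    }),
    "a.gtld-servers.net.": ("com.", {
        ("tree.com.", "NS"): [(172800, "apple.tree.com.")],
    }),
    "apple.tree.com.": ("tree.com.", {
        ("pear.tree.com.", "A"): [(3600, "172.16.1.2")],
        ("pr.tree.com.", "CNAME"): [(3600, "pear.tree.com.")],
    }),
}


def iterative_query(server, qname, qtype):
    """One iterative (non-recursive) query.  The server answers only from the
    zone it owns; otherwise it hands back a referral to the closest delegation
    it knows about.  It never queries anyone else on the asker's behalf."""
    zone, rrs = SERVERS[server]
    if (qname, qtype) in rrs:
        return Response([(qname, qtype, ttl, rd) for ttl, rd in rrs[(qname, qtype)]], [], True)
    if (qname, "CNAME") in rrs:   # alias: return it and let the resolver chase the target
        return Response([(qname, "CNAME", ttl, rd) for ttl, rd in rrs[(qname, "CNAME")]], [], True)
    labels = qname.split(".")
    for i in range(len(labels)):  # longest delegated suffix of qname -> referral
        sub = ".".join(labels[i:])
        if sub != zone and (sub, "NS") in rrs:
            return Response([], [rd for _, rd in rrs[(sub, "NS")]], False)
    return Response([], [], True)  # inside this zone but nonexistent: authoritative NXDOMAIN


class RecursiveResolver:
    """The local server that accepts recursive queries from stub clients."""

    def __init__(self, root="a.root-servers.net."):
        self.root = root
        self.cache = {}         # (name, type) -> (expiry time, rdata list)
        self.queries_sent = []  # (server, qname) log showing the iteration

    def resolve(self, qname, qtype, now=0, depth=0):
        """Recursive query: always returns (rdata list, authoritative flag);
        an empty list is the 'no such name' error.  `now` is a clock value
        used to expire cached entries once their TTL has passed."""
        key = (qname, qtype)
        if key in self.cache and self.cache[key][0] > now:
            return self.cache[key][1], False       # from cache: non-authoritative
        if depth > 8:
            raise RuntimeError("CNAME chain too long")
        server = self.root
        for _ in range(16):                        # bound the referral chase
            self.queries_sent.append((server, qname))
            resp = iterative_query(server, qname, qtype)
            if resp.answer:
                _, rtype, ttl, rdata = resp.answer[0]
                if rtype == "CNAME" and qtype != "CNAME":
                    data, aa = self.resolve(rdata, qtype, now, depth + 1)
                else:
                    data, aa = [rd for _, _, _, rd in resp.answer], resp.authoritative
                    ttl = min(t for _, _, t, _ in resp.answer)
                self.cache[key] = (now + ttl, data)
                return data, aa
            if resp.referral:
                server = resp.referral[0]          # glue for the referred server is assumed
                continue
            return [], resp.authoritative          # authoritative "no such name"
        raise RuntimeError("referral loop")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("pear.tree.com.", "A"))          # walks root -> com -> tree.com
    print(r.queries_sent)
    print(r.resolve("pear.tree.com.", "A", now=10))  # answered from cache, AA false
```

The `queries_sent` log is the iterative side of the picture: three questions go out for one client query, and none of the servers asked does any work beyond its own zone. Once the answer is cached, the same question costs no queries until `now` passes the TTL, which is exactly the propagation delay discussed later in the deck.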
29 Resource Record (RR) Formats (RFC 1034, 1035, 2052, 2065)
A and CNAME records:
; Host addresses
localhost.tree.com. IN A 127.0.0.1
pear.tree.com. IN A 172.16.1.2
apple.tree.com. IN A 172.16.1.3
peach.tree.com. IN A 172.16.1.4
30 RR Format (contd.)
; Multi-homed host
hedge.tree.com. IN A 172.16.1.1
hedge.tree.com. IN A 172.16.2.1
; Aliases
pr.tree.com. IN CNAME pear.tree.com.
h.tree.com. IN CNAME hedge.tree.com.
h1.tree.com. IN A 172.16.1.1
Notes: the original slide wrote the alias records without trailing periods and stated that CNAME names do not end in a period. In a zone file a name without the trailing period is relative and has the zone origin appended (pear.tree.com would become pear.tree.com.tree.com.), so fully qualified names on both sides of a CNAME should end in a period. The data of a CNAME must be a domain name, not an address: the slide's "h1.tree.com IN CNAME 172.16.1.1" is invalid, and an A record (as shown above) is the right way to give h1 an address.
31 Start of Authority (SOA) Record (p. 325)
tree.com. IN SOA apple.tree.com. sue.pear.tree.com. (
 1 ; Serial (incremented after each update)
 10800 ; Refresh after 3 hours (secondaries re-sync with the primary)
 3600 ; Retry after 1 hour (interval before trying another refresh)
 604800 ; Expire after 1 week (a secondary's copy is no longer authoritative)
 86400 ) ; Minimum TTL of 1 day (how long an entry may persist in caches outside the zone; in modern servers, per RFC 2308, this field is the negative-caching TTL)
"IN" indicates the record is of the Internet class; "SOA" indicates it is a Start of Authority record. apple.tree.com. is the primary server and sue.pear.tree.com. encodes the administrator's mailbox (sue@pear.tree.com: the first period stands for @).
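A small zone-file parser and checker for slides 29 to 31, which also applies the naming rules from slides 14 and 15 (63-character labels, 255-character names, RFC 1035 letters/digits/hyphen) and the CNAME rules noted above. This is an added example, not code from the presentation. The zone text is the slides' tree.com records transcribed into one constructed file, with the alias lines left exactly as the original slide wrote them (no trailing periods, and h1 as a CNAME to an address) so that the checker has something to flag.

```python
"""Parse a classic zone file and validate names and records against RFC 1035."""
import re

# The slides' records, transcribed as one constructed zone file.
ZONE_TEXT = """\
tree.com.           IN SOA apple.tree.com. sue.pear.tree.com. (
                    1        ; Serial
                    10800    ; Refresh after 3 hours
                    3600     ; Retry after 1 hour
                    604800   ; Expire after 1 week
                    86400 )  ; Minimum TTL of 1 day
; Host addresses
localhost.tree.com. IN A     127.0.0.1
pear.tree.com.      IN A     172.16.1.2
apple.tree.com.     IN A     172.16.1.3
peach.tree.com.     IN A     172.16.1.4
; Multi-homed host
hedge.tree.com.     IN A     172.16.1.1
hedge.tree.com.     IN A     172.16.2.1
; Aliases, exactly as written on the slide (no trailing periods, h1 -> address)
pr.tree.com         IN CNAME pear.tree.com
h.tree.com          IN CNAME hedge.tree.com
h1.tree.com         IN CNAME 172.16.1.1
"""

# RFC 1035 "letters, digits, hyphen" label: no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def strip_comments(text):
    """Drop everything after ';' on each line."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_zone(text):
    """Return a list of (owner, class, type, rdata-list) tuples.
    Parentheses join a record that spans several lines (used by the SOA)."""
    records, buf, depth = [], [], 0
    for line in strip_comments(text).splitlines():
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.extend(line.replace("(", " ").replace(")", " ").split())
        if depth == 0:
            owner, rclass, rtype, *rdata = buf
            records.append((owner, rclass, rtype, rdata))
            buf = []
    return records


def soa_timers(rdata):
    """Decode the SOA rdata; the first period of the contact field stands for '@'."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata
    return {"primary": mname, "contact": rname.replace(".", "@", 1),
            "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def check_name(name):
    """Rule violations for one domain name: total length, label length, charset."""
    problems = []
    fqdn = name.rstrip(".")
    if len(fqdn) > 255:
        problems.append(f"{name}: longer than 255 characters")
    for label in fqdn.split("."):
        if len(label) > 63:
            problems.append(f"{name}: label {label!r} longer than 63 characters")
        if not LABEL_RE.match(label):
            problems.append(f"{name}: label {label!r} is not letters/digits/hyphen")
    return problems


def validate(records):
    """All problems found in a parsed zone."""
    problems = []
    for owner, _rclass, rtype, rdata in records:
        problems += check_name(owner)
        if not owner.endswith("."):
            problems.append(f"{owner}: owner is relative; the zone origin will be appended")
        if rtype == "CNAME":
            target = rdata[0]
            if IPV4_RE.match(target):
                problems.append(f"{owner}: CNAME target {target} is an IP address, not a name")
            elif not target.endswith("."):
                problems.append(f"{owner}: CNAME target {target} is relative")
        if rtype == "SOA":
            t = soa_timers(rdata)
            if not t["retry"] < t["refresh"] < t["expire"]:
                problems.append(f"{owner}: SOA timers should satisfy retry < refresh < expire")
    return problems


if __name__ == "__main__":
    for problem in validate(parse_zone(ZONE_TEXT)):
        print(problem)
```

Run as a script it prints six findings, all on the three alias lines: three relative owner names, two relative CNAME targets, and the CNAME whose target is an address. The SOA timers on the slide (retry 1 h, refresh 3 h, expire 1 week) pass the ordering check.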
32 Client-Side DNS Errors
– Client-side DNS errors may stem from any of the following causes:
  – an invalid domain name or an invalid IP address;
  – inability to locate an IP address that corresponds to the requested domain name;
  – inability to reach an authoritative name server for the requested domain.
33 Reverse DNS Lookup: mapping addresses to names
– Used to verify that an IP address maps back to the domain name the source claims; helpful in spotting IP spoofing or forged host names, provided the returned name is also resolved forward to confirm it points at the same address.
– Format: the address octets in reverse order (4th octet first) under in-addr.arpa.
– Example:
1.1.16.172.in-addr.arpa. IN PTR hedge.tree.com.
2.1.16.172.in-addr.arpa. IN PTR pear.tree.com.
– The "arpa" in this suffix comes from the Internet's predecessor, the ARPANET.
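The reverse-lookup name construction from the slide, and the forward-confirmed check that makes a PTR record worth trusting, as an added example that is not part of the presentation. The forward and reverse tables are constructed from the slides' tree.com hosts (with one deliberately wrong PTR standing in for a stale or forged entry), and the IPv6 case under ip6.arpa is a generalization the slides do not show.

```python
"""Reverse-lookup names and forward-confirmed reverse DNS (FCrDNS)."""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an address: octets reversed under
    in-addr.arpa for IPv4, hex nibbles reversed under ip6.arpa for IPv6.
    (ipaddress.ip_address(ip).reverse_pointer computes the same thing.)"""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed stand-ins for the forward zone (tree.com) and the reverse zone
# (16.172.in-addr.arpa).  The PTR for 172.16.1.9 is wrong on purpose.
FORWARD = {
    "hedge.tree.com.": {"172.16.1.1", "172.16.2.1"},
    "pear.tree.com.": {"172.16.1.2"},
}
REVERSE = {
    "1.1.16.172.in-addr.arpa.": "hedge.tree.com.",
    "2.1.16.172.in-addr.arpa.": "pear.tree.com.",
    "9.1.16.172.in-addr.arpa.": "pear.tree.com.",
}


def fcrdns(ip, claimed_name=None):
    """Forward-confirmed reverse DNS.  A PTR record alone proves nothing,
    because whoever controls the reverse zone can put any name in it; the
    name it returns must resolve forward to the same address and, if given,
    match the name the peer claims for itself (e.g. in an SMTP HELO)."""
    ptr = REVERSE.get(reverse_name(ip))
    if ptr is None:
        return False, "no PTR record"
    if ip not in FORWARD.get(ptr, set()):
        return False, f"PTR {ptr} does not resolve back to {ip}"
    if claimed_name is not None and claimed_name.lower() != ptr.lower():
        return False, f"peer claims {claimed_name} but PTR is {ptr}"
    return True, ptr


if __name__ == "__main__":
    for ip in ("172.16.1.1", "172.16.1.9", "172.16.1.3"):
        print(ip, reverse_name(ip), fcrdns(ip))
```

The 172.16.1.9 case is the one that matters for the "identifying IP spoofing" claim: its PTR says pear.tree.com, but pear.tree.com does not resolve to that address, so the reverse record must not be believed.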
34 NSLOOKUP Command
– Command-line utility that queries the default name server, or a server/IP address you specify, and reports what it returns.
– C:\>nslookup with no arguments shows the default server and its address.
– Exercise: find the default DNS server for nvcc.edu.
35-37 NSLOOKUP (screenshots): the command echoes the default server and its address, then the results of the lookup.
38 Other DNS Issues
– Dual purpose: DNS lets your users "reach out" and lets outsiders "reach in":
  – providing name resolution to your users;
  – providing the authoritative host-name-to-IP mapping for the services you choose to publish.
– Dynamic DNS (DDNS): name servers and clients within a network update the zone database files automatically.
  – Linkage: DNS and Active Directory need to be linked.
  – DHCP, WINS, Active Directory or LDAP (Lightweight Directory Access Protocol) keep track of the IP address space and of domain-name-to-address changes over time.
39 DNS Issues (contd.)
– DDNS and DHCP: the DHCP service generates the dynamic updates.
  – Active Directory (with DHCP) keeps track of name-to-address changes over time.
  – Master copies of the zone files are kept synchronized.
  – DHCP allows a client to add its A (host) record to the zone.
  – DHCP adds the PTR (pointer) record to the zone.
  – DHCP also cleans up the records when the lease expires.
  – Security caveat: allow only secure (authenticated) dynamic updates; with unauthenticated updates any host on the network can overwrite another host's record.
40 DNS Issues (contd.)
– Remember the query process? How does caching play a role?
– Propagation delay: how long until cached values catch up with the "master copies"? It depends on the TTL. With the default TTL of 24 hours, a resolver that cached the old record just before the change keeps serving it for up to 24 hours, so a change can take a full TTL to take effect everywhere. Lower the TTL ahead of a planned change and raise it again afterwards.
41 DNS Issues (contd.)
– Security: if possible, separate your internal and external DNS servers. How?
  – A single DNS server that serves both roles can leak information about internal hosts (their names, addresses and the network layout they imply) to outsiders.
42 Security Structure (diagram): DNS, Web, FTP, e-mail, etc. How can we separate our external and internal servers?
43 Split DNS Architecture (diagram): two DNS servers, an external DNS server and an internal DNS server, with queries passing through the bastion host.
44 Security (contd.)
– The external DNS server contains only public server information.
– Both the external and the internal server are primary for the domain, each with its own copy of the zone: the internal copy holds the full set of records, the external copy only the published ones.
  – The internal DNS server should forward queries it cannot resolve to the external DNS server.
– Another alternative: run the external DNS on the bastion host.
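The split DNS design of slides 41 to 44 modelled as two views of one domain, with the internal server forwarding what it cannot answer to the external one, and a function showing what a single combined server would expose. This is an added example, not code from the presentation; every name, address and record is constructed (RFC 1918 and RFC 5737 ranges, and a made-up www.example.net standing in for the rest of the Internet), and the bastion address the forwarded queries come from is an assumption. One design choice beyond the slides: the external server refuses to recurse for outsiders, so it does not become an open resolver.

```python
"""Split-horizon DNS: an external (public) view and an internal (private) view."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]

# External view: only the servers the organization chooses to publish.
EXTERNAL_ZONE = {
    ("www.tree.com.", "A"): ["203.0.113.10"],
    ("mail.tree.com.", "A"): ["203.0.113.25"],
    ("tree.com.", "MX"): ["10 mail.tree.com."],
}
# Internal view: the full zone, including hosts outsiders must never learn about.
INTERNAL_ZONE = {
    **EXTERNAL_ZONE,
    ("www.tree.com.", "A"): ["172.16.1.10"],        # same name, private address
    ("payroll-db.tree.com.", "A"): ["172.16.5.7"],
    ("backup01.tree.com.", "A"): ["172.16.5.8"],
}
# Constructed stand-in for the rest of the DNS that the external server can recurse to.
INTERNET = {("www.example.net.", "A"): ["198.51.100.5"]}


def is_internal(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_zone(qname):
    return qname == "tree.com." or qname.endswith(".tree.com.")


def external_server(source_ip, qname, qtype):
    """External DNS (on or behind the bastion): authoritative for the public
    view.  It recurses only for queries forwarded by the internal server;
    outsiders asking about other people's names get REFUSED."""
    if in_zone(qname):
        return EXTERNAL_ZONE.get((qname, qtype), [])   # [] = authoritative "no such record"
    if is_internal(source_ip):
        return INTERNET.get((qname, qtype), [])
    return "REFUSED"


def internal_server(source_ip, qname, qtype, bastion_ip="172.16.0.53"):
    """Internal DNS: serves the private view to inside clients and forwards
    everything it cannot resolve to the external server.  bastion_ip is the
    assumed source address of the forwarded queries."""
    if not is_internal(source_ip):
        return "REFUSED"          # must not answer (or be reachable) from outside
    if in_zone(qname):
        return INTERNAL_ZONE.get((qname, qtype), [])
    return external_server(bastion_ip, qname, qtype)


def leaked_names(single_zone):
    """What one combined server would expose that the split design hides:
    every internal-only name in the zone, reachable by a zone transfer or
    by simply guessing names."""
    public = {name for name, _ in EXTERNAL_ZONE}
    return sorted({name for name, _ in single_zone} - public)


if __name__ == "__main__":
    outsider, insider = "198.51.100.77", "172.16.9.9"
    print(external_server(outsider, "www.tree.com.", "A"))         # public address
    print(external_server(outsider, "payroll-db.tree.com.", "A"))  # [] : unknown outside
    print(internal_server(insider, "www.tree.com.", "A"))          # private address
    print(internal_server(insider, "www.example.net.", "A"))       # forwarded out
    print(leaked_names(INTERNAL_ZONE))                              # what a single server leaks
```

The same question, "what is www.tree.com?", gets a different answer depending on which side of the bastion it arrives from, and the names that never appear in `EXTERNAL_ZONE` are exactly the ones a single dual-role server would have leaked.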