DNS Overview
DNS Overview
DNS Overview
Griffin Software Ltd. Griffin House, The Village Square, Tallaght, Dublin 24 Tel: (01) 4622277 Fax: (01) 4623059 www.griffinsoft.com
This document is Copyright 2004 Opus Novum Limited. All rights reserved. No part of this document may be reproduced in any form or by any means without prior written consent from Opus Novum Limited
DNS Overview
Griffin Software
Module 1: A Brief History of DNS................................................................................ 4 Before DNS................................................................................................................ 5 Domain Name Service................................................................................................6 Module 2: How does DNS Work................................................................................... 7 Domain Name Space.................................................................................................. 8 Structure of DNS name space.................................................................................... 9 Domain Names......................................................................................................... 10 DNS Naming Standards........................................................................................... 11 Reading Domain Names...........................................................................................12 Domains................................................................................................................... 13 Some Top Level Domains........................................................................................ 15 Delegation................................................................................................................ 16 Name Servers and Zones.......................................................................................... 17 Types of Name Server.............................................................................................. 18 Data files...................................................................................................................19 Zone transfers........................................................................................................... 20 Resolvers.................................................................................................................. 21 Resolution.................................................................................................................22 DNS Query types......................................................................................................23 Searching the Domain Name Space......................................................................... 24 Query Recursion and Referral.................................................................................. 25 Recursive Query....................................................................................................... 26 Iterative Query..........................................................................................................27 Recursion and Iteration.............................................................................................28 Caching.....................................................................................................................29 Module 3: Setting up a Domain................................................................................... 30 Registering Your Domain........................................................................................ 31 Zone Data................................................................................................................. 32 Resource Record Syntax...........................................................................................33 SOA records............................................................................................................. 34 NS record..................................................................................................................35 A records.................................................................................................................. 36 MX records...............................................................................................................37 CNAME Records..................................................................................................... 38 PTR Records............................................................................................................ 39 BIND Configuration Files........................................................................................ 40 Configure a Primary Server......................................................................................41 Exercise.................................................................................................................... 42 Growing Domains.................................................................................................... 43 How many Name servers?........................................................................................44 Adding more Name Servers..................................................................................... 45 Adding a Secondary Name Server............................................................................46 Adding a Cache-Only Name Server......................................................................... 47 Parenting...................................................................................................................48 Why become a parent?............................................................................................. 49 Sub-domains.............................................................................................................50 Delegating a Sub-domain......................................................................................... 51 Glue.......................................................................................................................... 52 Module 4: DNS Tools & Troubleshooting...................................................................53 Host.......................................................................................................................... 54
DNS Overview
Griffin Software
Host Examples .........................................................................................................58 Host Examples..........................................................................................................59 Nslookup ................................................................................................................. 60 Non-Interactive Mode.............................................................................................. 64 Interactive Mode.......................................................................................................65 Nslookup commands................................................................................................ 66 Dig............................................................................................................................ 67 Dig Example.............................................................................................................70 BIND Logging.......................................................................................................... 71 Log Channels............................................................................................................72 Log Categories..........................................................................................................73 Default Logging Config............................................................................................74 Common Problems...................................................................................................75 Forget to Increment Serial Number.......................................................................... 76 Forget to Signal Primary.......................................................................................... 77 Secondary Cant Load Zone Data.............................................................................78 Forget to Add PTR Record.......................................................................................79 Syntax Error in the boot or data files........................................................................80 Missing dot at the end of a name..............................................................................81 Missing Cache data.................................................................................................. 82 Module 5: Advanced Features......................................................................................83 Address Match Lists and ACLs.............................................................................. 84 Security.....................................................................................................................85 DNS Notify...............................................................................................................86 DNS Dynamic Update..............................................................................................87 Incremental Zone Transfer....................................................................................... 89 Views........................................................................................................................90 Round Robin Load Distribution............................................................................... 91 CNAME Record Limitations....................................................................................92 Wildcards................................................................................................................. 93 Network Names and Numbers................................................................................. 94 Some Additional Resource Records.........................................................................95 DNS and Windows...................................................................................................98 Active Directory Integrated Zones........................................................................... 99 Multi-master Replication........................................................................................100 Windows Client Configuration.............................................................................. 101 DNS Configuration Interface................................................................................. 102 Client-side Configuration....................................................................................... 103 Preferred DNS Server Configuration..................................................................... 104 Alternate DNS Server Configuration..................................................................... 105 Windows Client Dynamic Update..........................................................................106
DNS Overview
Griffin Software
DNS Overview
Griffin Software
Before DNS
Before DNS
ARPANET
- HOSTS.TXT contained name to address mapping for every host - E.g
HOST : 10.7.0.4 : SUN.COM : SUN -3/160 : SunOS : TCP/TELNET, TCP/FTP, TCP/SMTP :
It soon became clear that a single hosts files did not scale wel l !
Through the 1970s, the ARPAnet was a small, friendly community of a few hundred hosts. A single file, HOSTS.TXT, contained all the information you needed to know about those hosts: it held a name-to-address mapping for every host connected to the ARPAnet. HOSTS.TXT was maintained by SRI's Network Information Center (dubbed "the NIC") and distributed from a single host, SRINIC.[1] ARPAnet administrators typically emailed their changes to the NIC, and periodically ftped to SRI-NIC and grabbed the current HOSTS.TXT. Their changes were compiled into a new HOSTS.TXT once or twice a week. As the ARPAnet grew, however, this scheme became unworkable. The size of HOSTS.TXT grew in proportion to the growth in the number of ARPAnet hosts. Moreover, the traffic generated by the update process increased even faster: every additional host meant not only another line in HOSTS.TXT, but potentially another host updating from SRI-NIC. SRI is the Stanford Research Institute in Menlo Park, California. SRI conducts research into many different areas, including computer networking. And when the ARPAnet moved to the TCP/IP protocols, the population of the network exploded. Now there was a host of problems with HOSTS.TXT: Traffic and load The toll on SRI-NIC, in terms of the network traffic and processor load involved in distributing the file, was becoming unbearable. Name collisions No two hosts in HOSTS.TXT could have the same name. However, while the NIC could assign addresses in a way that guaranteed uniqueness, it had no authority over host names. There was nothing to prevent someone from adding a host with a conflicting name and breaking the whole scheme. Someone adding a host with the same name as a major mail hub, for example, could disrupt mail service to much of the ARPAnet. Consistency Maintaining consistency of the file across an expanding network became harder and harder. By the time a new HOSTS.TXT could reach the farthest shores of the enlarged ARPAnet, a host across the network had changed addresses, or a new host had sprung up that users wanted to reach. The essential problem was that the HOSTS.TXT mechanism didn't scale well. Ironically, the success of the ARPAnet as an experiment led to the failure and obsolescence of HOSTS.TXT.
DNS Overview
Griffin Software
The ARPAnet's governing bodies chartered an investigation into a successor for HOSTS.TXT. Their goal was to create a system that solved the problems inherent in a unified host table system. The new system should allow local administration of data, yet make that data globally available. The decentralization of administration would eliminate the single-host bottleneck and relieve the traffic problem. And local management would make the task of keeping data up-to-date much easier. It should use a hierarchical name space to name hosts. This would ensure the uniqueness of names. Paul Mockapetris, then of USC's Information Sciences Institute, was responsible for designing the architecture of the new system. In 1984, he released RFCs 882 and 883, which describe the Domain Name System. These RFCs were superseded by RFCs 1034 and 1035, the current specifications of the Domain Name System.[2] RFCs 1034 and 1035 have now been augmented by many other RFCs. The purpose of the Domain Name System is to create a system that allows lookups in a tree-like database. These lookups are mostly (but not only) finding an IP address that belongs to a "node" (a hostname) in the Domain Name System. A hostname in this respect is always a "Fully Qualified Domain Name" (FQDN).
DNS Overview
Griffin Software
DNS Overview
Griffin Software
DNS's distributed database is indexed by domain names. Each domain name is essentially just a path in a large inverted tree, called the domain name space. The tree's hierarchical structure, shown in in next slide, is similar to the structure of the UNIX filesystem. The tree has a single root at the top. DNS simply calls it "the root." DNS's tree can branch any number of ways at each intersection point, called a node. The depth of the tree is limited to 127 levels.
DNS Overview
Griffin Software
com
org
uk
co
org
gov
The DNS system knows a hierarchical structure: The root node(RED) is the "dot" domain. This dot is the origin of all domains. It is comparable with the root of a UNIX filesystem. Below the root node you will find a number of Top Level Domains (YELLOW). These can further be distinguished in Generic Top Level Domains (gTLD), such as com, org and net, and Country Code Top Level Domains (ccTLDs), such as nl (for the Netherlands), au (for Australia) and uk (for the United Kingdom). Below a Top Level Domain an organization can apply for a subdomain. The application criteria and procedure for this varies from TLD to TLD. When an application has been granted, then that organization becomes the "owner" of a domain, and can use it to store information about its own hosts and (possibly) other subdomains. Furthermore, the DNS system is decentralized. This means that there is no central database which holds all the information, but organizations all keep their own databases on their own servers. Through special so-called "glue records", these databases all point to each other, making global lookups possible
DNS Overview
Griffin Software
Domain Names
Domain Names
Each node in the tree is labelled with a simple name (without dots) The name may be up to 63 characters The root domain has a null (zero length) name The full domain name of any node is the sequence of names from the node to the root separated by dots.
NOTE: DNS requires that sibling nodes - nodes that are children of the same parent - have different labels. This restriction guarantees that a domain name uniquely identifies a single node in the tree.
10
DNS Overview
Griffin Software
DNS naming standards allow a limited subset of the ASCII character set for DNS. RFC 1123 specifies the characters A-Z, a-z, 0-9 and the hyphen (-) as valid for DNS names. The underscore (_) character is reserved for special purposes. Recent RFCs allow the use of some characters that were traditionally restricted may be used, but use of such characters may cause conflicts between different versions of DNS.
11
DNS Overview
Griffin Software
com
hp
www
12
DNS Overview
Griffin Software
Domains
Domains
A domain is a subtree of the domain name space The name of a domain is the name of the node at the very top of the domain A domain can contain other domains ( sub domains ) Domains also have a level in the name space, e.g. top-level domain
Besides being referred to in relative terms, as subdomains of other domains, domains are often referred to by level. These terms simply refer to a domain's position in the domain name space: A top-level domain is a child of the root. A first-level domain is a child of the root (a top-level domain). A second-level domain is a child of a first-level domain, and so on.
13
DNS Overview
Griffin Software
Domains
.
com
org
uk
HP
co
org
gov
WWW
Managed by HP
The visual shows an example of a possible DNS structure. The root domain is on top, with the gTLDs and the ccTLDs right below it. There is one subdomain, hp.com. Furthermore, a hosts is shown, www.hp.com. Note that when we are talking about Fully Qualified Domain Names, the final dot should be included. So the FQDN of www is www.hp.com."and not www.hp.com". This becomes important later on.
14
DNS Overview
Griffin Software
There are two types of top level domain; Generic Top Level Domains Country Code Top Level Domains Originally all top level domains were Generic and represented organisation types. To accommodate the internationalization of the Internet, the implementers of the Internet name space compromised. Instead of insisting that all top-level domains describe organizational affiliation, they decided to allow geographical designations, too. New top-level domains were reserved (but not necessarily created) to correspond to individual countries. Their domain names followed an existing international standard called ISO 3166.[*] ISO 3166 establishes official, two-letter abbreviations for every country in the world. [*] Except for Great Britain. According to ISO 3166 and Internet tradition, Great Britain's top-level domain name should be gb. Instead, most organizations in Great Britain and Northern Ireland (i.e., the United Kingdom) use the top-level domain name uk.
15
DNS Overview
Griffin Software
Delegation
Delegation
Responsibility for administering a particular domain may be delegated to an organisation or individual. The organisation may also delegate any sub domains with the domain they are responsible for E.g.
- ICANN has delegated responsibility for managing the .uk domain to Nominet UK - Nominet operates some .uk sub-domains like .co.uk, but delegates others like police.uk
The part of a domain that is the responsibility of a single organisation is a zone or zone of authority
Delegating domains works a lot like delegating tasks at work. A manager may break up a large project into smaller tasks and delegate responsibility for each of these tasks to different employees. Likewise, an organization administering a domain can divide it into subdomains. Each of those subdomains can be delegated to other organizations. This means that an organization becomes responsible for maintaining all the data in that subdomain. It can freely change the data and even divide its subdomain up into more subdomains and delegate those. The parent domain contains only pointers to sources of the subdomain's data so that it can refer queriers there.
16
DNS Overview
Griffin Software
Zones
Normally have several servers Zone information is replicated between servers
Name servers generally have complete information about some part of the domain name space, called a zone, which they load from a file or from another name server. The name server is then said to have authority for that zone. Name servers can be authoritative for multiple zones, too. The difference between a zone and a domain is important, but subtle. All top-level domains, and many domains at the second level and lower, like hp.com, are broken into smaller, more manageable units by delegation. These units are called zones. The com zone, which would contain mostly delegation information to subdomains of com.
17
DNS Overview
Griffin Software
Secondary retrieve their zone data from the primary server ( a zone transfer )
- Also called Slave
The DNS specs define two types of name servers: primary masters and secondary masters. A primary master name server for a zone reads the data for the zone from a file on its host. A secondary master name server for a zone gets the zone data from another name server that is authoritative for the zone, called its master server. Quite often, the master server is the zone's primary master, but that's not required: a secondary master can load zone data from another secondary. When a secondary starts up, it contacts its master name server and, if necessary, pulls the zone data over. This is referred to as a zone transfer. Nowadays, the preferred term for a secondary master name server is a slave, though many people (and much software, including Microsoft's DNS Manager) still call them secondaries. Both the primary master and slave name servers for a zone are authoritative for that zone. Despite the somewhat disparaging name, slaves aren't second-class name servers. DNS provides these two types of name servers to make administration easier. Once you've created the data for your zone and set up a primary master name server, you don't need to fool with copying that data from host to host to create new name servers for the zone. You simply set up slave name servers that load their data from the primary master for the zone. Once they're set up, the slaves will transfer new zone data when necessary. Slave name servers are important because it's a good idea to set up more than one name server for any given zone. You'll want more than one for redundancy, to spread the load around, and to make sure that all the hosts in the zone have a name server close by. Using slave name servers makes this administratively workable. Calling a particular name server a primary master name server or a slave name server is a little imprecise, though. We mentioned earlier that a name server can be authoritative for more than one zone. Similarly, a name server can be a primary master for one zone and a slave for another. Most name servers, however, are either primary for most of the zones they load or slave for most of the zones they load. So if we call a particular name server a primary or a slave, we mean that it's the primary master or a slave for most of the zones it loads.
18
DNS Overview
Griffin Software
Data files
Data files
Also called Zone Files Contain resource records that describe the zone May contain Directives for Server software
The files from which primary master name servers load their zone data are called, zone data files or just data files. We often refer to them as db files, short for database files. Slave name servers can also load their zone data from data files. Slaves are usually configured to back up the zone data they transfer from a master name server to data files. If the slave is later killed and restarted, it will read the backup data files first, then check to see whether the data are current. This both obviates the need to transfer the zone data if it hasn't changed and provides a source of the data if the master is down. The data files contain resource records that describe the zone. The resource records describe all the hosts in the zone and mark any delegation of subdomains. The data files may also contain special directives such as include the contents of other data files in a data file.
19
DNS Overview
Griffin Software
Zone transfers
Zone transfers
Primary Server UPDATE
Administrator
Zone Transfers
Secondary Server
Secondary Server
Secondary Server
A zone transfer might occur during any of the following scenarios: When the refresh interval expires for the zone When a secondary server is notified of zone changes by its master server When the DNS Server service is started at a secondary server for the zone When the DNS console is used at a secondary server for the zone to manually initiate a transfer from its master server Zone transfers are always initiated at the secondary server for a zone and sent to their configured master servers which act as their source for the zone. Master servers can be any other DNS server that loads the zone, such as either the primary server for the zone or another secondary server. When the master server receives the request for the zone, it can reply with either a partial or full transfer of the zone to the secondary server.
20
DNS Overview
Griffin Software
Resolvers
Resolvers
The Clients that access name servers
Querying a name server Interpreting responses Returning information to the programs that requested it.
Resolvers are the clients that access name servers. Programs running on a host that need information from the domain name space use the resolver. The resolver handles: Querying a name server Interpreting responses (which may be resource records or an error) Returning the information to the programs that requested it In BIND, the resolver is just a set of library routines that is linked into programs such as telnet and ftp. It's not even a separate process. It has the smarts to put together a query, to send it and wait for an answer, and to resend the query if it isn't answered, but that's about all. Most of the burden of finding an answer to the query is placed on the name server. The DNS specs call this kind of resolver a stub resolver. Other implementations of DNS have had smarter resolvers, which can do more sophisticated things such as build up a cache of information already retrieved from name servers.[
21
DNS Overview
Griffin Software
Resolution
Resolution
The name server can;
Return zone information for which they are authoritative Search the domain name space Cache recent queries
Name servers are adept at retrieving data from the domain name space. Not only can they give you data about zones for which they're authoritative, they can also search through the domain name space to find data for which they're not authoritative. This process is called name resolution or simply resolution. Because the name space is structured as an inverted tree, a name server needs only one piece of information to find its way to any point in the tree: the domain names and addresses of the root name servers. A name server can issue a query to a root name server for any name in the domain name space, and the root name server will start the name server on its way.
22
DNS Overview
Griffin Software
Recursive Query
Server makes queries until an answer is found
Interative Query
Server answers with authoritative answer, or a referral
a resolver sends a recursive query to a name server for information about a particular domain name. The queried name server is then obliged to respond with the requested data or with an error stating that data of the requested type don't exist or that the domain name specified doesn't exist. The name server can't just refer the querier to a different name server, because the query was recursive If the queried name server isn't authoritative for the data requested, it will have to query other name servers to find the answer. Iterative resolution, on the other hand, doesn't require nearly as much work on the part of the queried name server. In iterative resolution, a name server simply gives the best answer it already knows back to the querier. No additional querying is required. The queried name server consults its local data (including its cache), looking for the data requested. If it doesn't find the data there, it makes its best attempt to give the querier data that will help it continue the resolution process. Usually these are the domain names and addresses of the closest known name servers.
23
DNS Overview
Griffin Software
Get an authoritative answer, or a referral Query the referred server Repeat until and authoritative answer is given
Because the name space is structured as an inverted tree, a name server needs only one piece of information to find its way to any point in the tree: the domain names and addresses of the root name servers. A name server can issue a query to a root name server for any name in the domain name space, and the root name server will start the name server on its way.
24
DNS Overview
Griffin Software
Referral
If a queried DNS Server cannot provide a resolution, it may issue a Referral to the client or server that made the request. This is the address of another DNS server that may be able to resolve the query.
Recursion and Referral Recursion is a DNS Server function in which a series of several iterative queries are issued by one DNS Server to other DNS servers, when responding to a Recursive Query issued by a DNS client. The queried DNS servers return referrals which the querying server follows until it gets a definitive answer. Recursion always ends with a server that owns the namespace either giving a positive or negative reply. Recursion enables the server to go to work on behalf of the client to resolve a query. The DNS Server performing recursion does the work of querying multiple other DNS servers until it has a suitable answer for the client. This takes the burden of name resolution off of the client, and places it on the local DNS Server. Referral This is a possible answer to an iterative query. If the queried server doesnt have a positive or negative answer to return, it refers the querying server to the closest known DNS server that matches the name being queried.
25
DNS Overview
Griffin Software
Recursive Query
Recursive Query
Client Side
The DNS Client typically issues a Recursive Query to its configured name server. This means, Dont return until you have an answer or have failed to find an answer to the query.
Server Side
When the Server receives a Recursive Query, unless Recursion is disabled, it goes to work for the client, queries other name servers until it resolves clients query or fails to do so, and responds to client with resolved address or failure message.
Recursive query The answer to a recursive request will always be either a positive or negative response. Recursive queries can be initiated by a DNS client or by a DNS server configured for forwarders. A recursive query puts the burden of delivering a final answer (and recursion if necessary) on the queried server.
26
DNS Overview
Griffin Software
Iterative Query
Iterative Query
Asks for Final Answer or Closer Server: Typically used between servers during resolution of client requests:
Lower-level server will issue Iterative queries to top -level servers Reduces workload on top-level servers
Iterative query Iterative queries are generally only used between DNS servers to find answers on behalf of a client. Iterative queries keep the burden of finding a final answer on the querying client (or DNS server) via recursion if necessary. Answers to iterative queries can be either a positive or negative answer or a referral to another server.
27
DNS Overview
Griffin Software
Query for www .opus- novum.co.uk Referral to u k server Query for www .opus -novum.co.uk Referral to co.uk servers Name Server Query for www . opus-novum .co.uk Referral to op us-n ovu m.co .uk servers Query for www .opus-novum .co.uk Address of www .opus-novum .co.uk
uk name server
Query
Answer
Recursive Query
Resolver
28
DNS Overview
Griffin Software
Caching
Caching
DNS servers use caching to speed up the resolution process Cache data has to expire
Otherwise we would never get updates
The administrator of a zone sets a TTL ( time to live ) for the zone data
Short TTL: ensures consistent data, but more queries to your zone servers Long TTL: less queries to handle, but data will be inconsistent for longer
A name server processing a recursive query may have to send out quite a few queries to find an answer. However, it discovers a lot of information about the domain name space as it does so. Each time it's referred to another list of name servers, it learns that those name servers are authoritative for some zone, and it learns the addresses of those servers. And, at the end of the resolution process, when it finally finds the data the original querier sought, it can store that data for future reference, too. some name servers even implement negative caching: if an authoritative name server responds to a query with an answer that says the domain name or data type in the query doesn't exist, the local name server will temporarily cache that information, too. Name servers cache all of this data to help speed up successive queries. The next time a resolver queries the name server for data about a domain name the name server knows something about, the process is shortened quite a bit. The name server may have cached the answer, positive or negative, in which case it simply returns the answer to the resolver. Even if it doesn't have the answer cached, it may have learned the identities of the name servers that are authoritative for the zone the domain name is in and be able to query them directly. Name servers can't cache data forever, of course. If they did, changes to that data on the authoritative name servers would never reach the rest of the network. Remote name servers would just continue to use cached data. Consequently, the administrator of the zone that contains the data decides on a time to live, or TTL, for the data. The time to live is the amount of time that any name server is allowed to cache the data. After the time to live expires, the name server must discard the cached data and get new data from the authoritative name servers. This also applies to negatively cached data; a name server must time out a negative answer after a period, too, in case new data has been added on the authoritative name servers. However, the time to live for negatively cached data isn't tunable by the domain administrator; it's hardcoded to ten minutes.
29
DNS Overview
Griffin Software
30
DNS Overview
Griffin Software
The basic information that your parent needs is the names and addresses of your domain name servers. If you're not connected to the Internet, give them the addresses of the Internet hosts that will act as your name servers. Some parent domains also require that you already have operational name servers for your domain. (The InterNIC doesn't, but they ask for an estimate of when the domain will be fully operational.) If the InterNIC runs your parent domain, they'll also ask for some information about your organization, and for an administrative contact and a technical contact for your domain (which can be the same person). If your contacts aren't already registered in the InterNIC's whois database, you'll also need to provide information to register them in whois. This includes their names, surface mail addresses, phone numbers, and electronic mail addresses. If they are already registered in whois, just specify their InterNIC whois "handle" (a unique alphanumeric ID) in the registration. If you're directly connected to the Internet, you should also have the in-addr.arpa domains corresponding to your IP networks delegated to you. For example, if your company was allocated the network 192.201.44/24, you should manage the 44.201.192.in-addr.arpa domain. This will let you control the IP address-to-name mappings for hosts on your network.
31
DNS Overview
Griffin Software
Zone Data
Zone Data
Zone data consists of DNS resource records There are a number of record types
SOA NS A PTR CNAME RP ..
Most entries in db files are called DNS resource records. DNS lookups are case-insensitive, so you can enter names in your db files in uppercase, lowercase, or mixed case. The ordering of resource records in the db files is as follows: SOA record Indicates authority for this zone data NS record Lists a name server for this zone Other records Data about hosts in this zone Some other records: A Name-to-address mapping PTR Address-to-name mapping CNAME Canonical name (for aliases)
32
DNS Overview
Griffin Software
33
DNS Overview
Griffin Software
SOA records
SOA records
Domain [ttl] class SOA source-dname mbox ( serial refresh retry expire minimum ) abc.com. IN SOA ns0.abc.com. hostmaster.abc.com . ( 2004071500 ; serial is YYYYmmddnn 10800 ; refresh (3 hours) 3600 ; retry (1 hour) 604800 ; expire (1 week) 86400 ) ; ttl (1 day)
The first entry in each of the zone files is the SOA (start of authority) resource record. The SOA record indicates that this name server is the best source of information for the data within this zone. In the example our name server is authoritative for the zone abc.com because of the SOA record. An SOA record is required in each zone file. There can be one, and only one, SOA record in a db file. Domain: is the domain name for the domain which corresponds to this zone of authority Ttl: is the time to live for the SOA record itself Class: is the record class, in practice IN; Source-dname: is the domain name of the name server which is the source of data for this zone ( i.e. primary server ) Mbox: is the mail address ( in dot notation ) of a person responsible for the zone Serial: is a serial number, used by secondary servers to check there versions of data are up to date Refresh: refresh period in seconds, how often secondary servers should check the serial Retry: retry period in seconds, time between retrys for failed zone transfers Expire: expire period in seconds, how long secondary servers should continue serving the zone without synchronising Minimum: the default minimum TTL for resource records where TTL is not specified
34
DNS Overview
Griffin Software
NS record
NS record
Specify the names of authoritative servers for a domain The value of data is the name of the server abc.com. IN NS ns0.abc.com
The next entries we add to each zone file are NS (name server) resource records. We add one NS record for each name server for our zone.
35
DNS Overview
Griffin Software
A records
A records
Specifies the host IP address for a particular host name The value in the data field is a valid IP address www IN A 192.168.2.2
Note: since www does not end in a . It is relative to the current domain
36
DNS Overview
Griffin Software
MX records
MX records
Specifies a mail-exchanger The data field is actually two fields
Preference and domain name of the host that accepts mail for the domain abc.com. IN MX 10 IN MX 100 mail.abc.com. mail.def.net.
The value of the preference sub-field should be between 0 and 32767; the lower the number the higher the preference.
37
DNS Overview
Griffin Software
CNAME Records
CNAME Records
Specify aliases for domains The data field a domain
www IN CNAME bigserver defines www as an alias for bigserver
38
DNS Overview
Griffin Software
PTR Records
PTR Records
Specify the domain name that an IP address should resolve to, for reverse lookups.
1.0.0.127.in -addr.arpa. IN PTR localhost.abc.com
This is the PTR record for the loopback address 127.0.0.1 Note the domain is a sub-domain of in-addr.arpa Note the order of numbers in the domain field are opposite to th se in o the IP address.
PTR ( pointer ) records give address-to-name mappings. There is one record, and only one record for each host interface on this network.
39
DNS Overview
Griffin Software
The following is an example BIND version 8 /etc/named.conf file: // BIND configuration file options { directory "/usr/local/named"; // Place additional options here. }; zone abc.com" in { type master; file abc.com.zone"; }; zone "249.249.192.in-addr.arpa" in { type master; file "db.192.249.249"; }; zone "253.253.192.in-addr.arpa" in { type master; file "db.192.253.253"; }; zone "0.0.127.in-addr.arpa" in { type master; file "db.127.0.0"; }; zone "." in { type hint; file "db.cache"; };
40
DNS Overview
Griffin Software
Here is an example zone file abc.com.zone: abc.com. IN SOA ns0.abc.com. hostmaster.abc.com. ( 2004051701 ;Serial 10800 ;Refresh after 3 hours 3600 ;Retry after 1 hour 604800 ;Expire after 1 week 86400 ) ;Minimum TTL of 1 day ; ; Name servers ; abc.com. IN NS ns0.abc.com. abc.com. IN NS ns1.abc.com. ; ; Addresses for the canonical names ; localhost.abc.com. IN A 127.0.0.1 ns0.abc.com. IN A 192.249.249.2 ns1.abc.com. IN A 192.249.249.3 mail.abc.com. IN A 192.249.249.4 yellow.abc.com. IN A 192.253.253.2 IN A 192.253.253.3 ; ; Aliases ; www.abc.com. IN CNAME yellow.abc.com. ftp.abc.com. IN CNAME mail.abc.com. ;; MX records ; abc.com. IN MX 10 mail.abc.com. IN MX 20 mail.def.net.
41
DNS Overview
Griffin Software
Exercise
Exercise
42
DNS Overview
Griffin Software
Growing Domains
Growing Domains
43
DNS Overview
Griffin Software
Two servers are as few as you'll ever want to run. Depending on the size of your network, you may need to run many more than just two servers. It is not uncommon to run from five to seven servers, with one of them off-site. How many name servers are enough? You'll have to decide that based on your network. Here are some guidelines to help out: Have at least one name server available directly on each network or subnet you have. This removes routers as a point of failure. Make the most of any multihomed hosts you may have, since they're (by definition) attached to more than one network. If you have a file server and some diskless nodes, run a name server on the file server to serve this group of machines. Run name servers near, but not necessarily on, large time-sharing machines. The users and their processes probably generate a lot of queries, and, as administrators, you will work harder to keep a multiuser host up. But balance their needs against the risk of running a name server a security-critical server - on a system that lots of people have access to. Run one name server off-site. This makes your data available when your network isn't. You might argue that it's useless to look up an address when you can't reach the host. Then again, the off-site name server may be available if your network is reachable, but your other name servers are down. If you have a close relationship with an organization on the Internet - say another university or a business partner - they may consent to run a slave for you.
44
DNS Overview
Griffin Software
When you get around to setting up more and more name servers, a question may strike you - must I register all of my primary and slave name servers with my parent zone? No, only those servers you want to make available to servers outside of your zone need to be registered with the parent. Caching-only name servers, must never be registered. A caching-only name server rarely has complete information for any given zone, just the bits and pieces of it that it has looked up recently. If a parent name server were mistakenly to refer a foreign name server to a caching-only name server, the foreign name server would send the caching-only name server a non-recursive query. The caching-only name server might have the data cached, but then again, it might not. If it didn't have the data, it would refer the querier to the best name servers it knew (those closest to the domain in the query) - which might include the caching-only name server itself! The poor foreign name server might never get an answer. This kind of mis-configuration - actually, delegating a zone to any name server not authoritative for that zone - is known as lame delegation.
45
DNS Overview
Griffin Software
This the entry needed in the BIND configuration file /etc/named.conf to add a secondary zone for abc.com, using a data file abc.db, and zone updates are to come from the name server at IP address 192.168.2.3 There is no need to create the zone data file, as this will be created by BIND on startup.
46
DNS Overview
Griffin Software
The out of the box of BIND is as a cache-only name server. The following example is a Cache-only server, note the zone entries for root (.) cache, localhost, and 0.0.127.in-addr.arpa. options { directory "/var/named"; /* * If there is a firewall between you and nameservers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked * questions using port 53, but BIND 8.1 uses an unprivileged * port by default. */ // query-source address * port 53; }; controls { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; }; zone "." IN { type hint; file "named.ca"; }; zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; }; zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; }; include "/etc/rndc.key";
47
DNS Overview
Griffin Software
Parenting
Parenting
48
DNS Overview
Griffin Software
To Delegate or Distribute Management Your Domain is getting too large Too distinguish hosts organisationally
Once your domain reaches a certain size, or you decide you need to distribute the management of parts of your domain to various entities within your organization, you'll want to divide the domain into subdomains. These subdomains will be the children of your current domain on the domain tree; your domain will be the parent. If you delegate responsibility for your subdomains to another organization, each becomes its own zone, separate from its parent zone.
49
DNS Overview
Griffin Software
Sub-domains
Sub-domains
You can create sub-domains without delegation in the abc.com zone:
www.uk IN A 192.168.2.4 would define a host www.uk.abc.com
50
DNS Overview
Griffin Software
Delegating a Sub-domain
Delegating a Sub-domain
In the Parent zone, we list the name servers for the child zone. In the abc.com zone: uk 86400 IN NS IN NS ns0.uk.abc.com. ns1.uk.abc.com.
51
DNS Overview
Griffin Software
Glue
Glue
The parent zone must also provide the addresses of the delegated sub -domain name servers if they are within the sub -domain. These records are called Glue Records Glue records are not necessary when the name servers are outside the domain
uk.abc.com. IN NS ns0.other.net.
52
DNS Overview
Griffin Software
53
DNS Overview
Griffin Software
Host
Host
Simple tool for DNS lookups
$ host blue.abc.com
blue.abc.com has address 192.168.2.3
options:
-t to look for a particular type of information ( e.g t MX ) -v verbose mode -a detailed output -l lists all hosts in a domain
NAME host - query nameserver about domain names and zones SYNOPSIS host [-v] [-a] [-t querytype] [options] name [server] host [-v] [-a] [-t querytype] [options] -l zone [server] host [-v] [options] -H [-D] [-E] [-G] zone host [-v] [options] -C zone host [-v] [options] -A host host [options] -x [name ...] host [options] -X server [name ...] OPTION SYNTAX Besides the traditional short options (one letter with single dash, and an optional value as separate argument), there are now also long options in the format --keyword[=value]. Many (but not all) short options have a long equivalent. There are several long options without a short equivalent. The long options are not yet documented in this manual page, but a summary of the existing long options, and the mapping to their short alternative, is available via the command host --help. DESCRIPTION host looks for information about Internet hosts and domain names. It gets this information from a set of interconnected servers that are spread across the world. The information is stored in the form of "resource records" belonging to hierarchically organized "zones". By default, the program simply converts between host names and Internet addresses. However, with the -t, -a and -v options, it can be used to find all of the information about domain names that is maintained by the domain nameserver system. The information printed consists of various fields of the associated resource records that were retrieved. The arguments can be either host names (domain names) or numeric Internet addresses. A numeric Internet address consists of four decimal numbers separated by dots, e.g. 192.16.199.1, representing the four bytes of the 32-bit address. The default action is to look up the associated host name. A host name or domain name consists of component names (labels) separated by dots, e.g. nikhefh.nikhef.nl The default action is to look up all of its Internet addresses. For single names without a trailing dot, the local domain is automatically tacked on the end. Thus a user in domain "nikhef.nl" can say "host nikhapo", and it will actually look up "nikhapo.nikhef.nl". In all other cases, the name is tried unchanged. Single names with trailing dot are considered top-level domain specifications, e.g. "nl." Note that the usual lookup convention for any name that does not end with a trailing dot is to try first with the local domain appended, and possibly other search domains. (As of BIND 4.9, names that have embedded dots but no trailing dot are first tried ``as is'' before appending search domains) This convention is not used by this program. The actual suffix to tack on the end is usually the local domain as specified in the /etc/resolv.conf file, but this can be overridden. See below for a description of how to customize the host name lookup. ARGUMENTS The first argument is normally the host name (domain name) for which you want to look up the requested information. If the first argument is an Internet address, a query is done on the special "reverse mapping" domain to look up its associated host name. If the -l option is given, the first argument is a domain zone name for which a complete listing is given. The program enters a special zone listing mode which has several variants (see below).
54
DNS Overview
Griffin Software
The second argument is optional. It allows you to specify a particular server to query. If you don't specify this argument, default servers are used, as defined by the /etc/resolv.conf file. EXTENDED SYNTAX If the -x option is given, it extends the syntax in the sense that multiple arguments are allowed on the command line. An optional explicit server must now be specified using the -X option as it cannot be given as an ordinary argument any more. The -X option implies -x. The extended syntax allows no arguments at all, in which case the arguments will be read from standard input. This can be a pipe, redirection from a file, or an interactive terminal. Note that these arguments are the names to be queried, and not command options. Everything that appears after a '#' or ';' on an input line will be skipped. Multiple arguments per line are allowed. OPTIONS There are a number of options that can be used before the specified arguments. Some of these options are meaningful only to the people who maintain the domain database zones. The first options are the regularly used ones. -v causes printout to be in a "verbose" format. All resource record fields are printed. Without this option, the ttl and class fields are not shown. Also the contents of the "additional information" and "authority information" sections in the answer from the nameserver are printed, if present. Normally these sections are not shown. In addition, the verbose option prints extra information about the various actions that are taken by the program. Note that -vv is "very verbose". This generates a lot of output. -t querytype allows you to specify a particular type of resource record information to be looked up. Supported types are listed below. The wildcard may be written as either ANY or *. Types may be given in upper or lower case. The default is type A for regular lookups, and A, NS, and PTR for zone listings. -a is equivalent to -t ANY. Note that this gives you "anything available" (currently cached) and not "all defined data" if a nonauthoritative server is queried. SPECIAL MODES The following options put the program in a special mode. -l zone generates the listing of an entire zone. E.g. the command host -l nikhef.nl will give a listing of all hosts in the "nikhef.nl" zone. The -t option is used to filter what information is extracted, as you would expect. The default is address information from A records, supplemented with data from PTR and NS records. The command host -Z -a -l nikhef.nl will give a complete download of the zone data for "nikhef.nl", in the official master file format. -H can be specified instead of the -l option. It will print the count of the unique hostnames (names with an A record) encountered within the zone. It will not count pseudo names like "localhost", nor addresses associated with the zone name itself. Neither are counted the "glue records" that are necessary to define nameservers for the zone and its delegated zones. By default, this option will not print any resource records. Combined with the -S option, it will give a complete statistics survey of the zone. The host count may be affected by duplicate hosts (see below). To compute the most realistic value, subtract the duplicate host count from the total host count. -G implies -H, but lists the names of gateway hosts. These are the hosts that have more than one address. Gateway hosts are not checked for duplicate addresses. -E implies -H, but lists the names of extrazone hosts. An extrazone host in zone "foo.bar" is of the form "host.xxx.foo.bar" where "xxx.foo.bar" is not defined as a delegated zone with an NS record. This may be intentional, but also may be an error. -D implies -H, but lists the names of duplicate hosts. These are hosts with only one address, which is known to have been defined also for another host with a different name, possibly even in a different zone. This may be intentional, but also may be an error. -C can be specified instead of the -l option. It causes the SOA records for the specified zone to be compared as found at each of the authoritative nameservers for the zone (as listed in the NS records). Nameserver recursion is turned off, and it will be checked whether the answers are really authoritative. If a server cannot provide an authoritative SOA record, a lame delegation of the zone to that server is reported. Discrepancies between the records are reported. Various sanity checks are performed. -A enters a special address check mode. If the first argument is a host name, its addresses will be retrieved, and for each of the addresses it will be checked whether they map back to the given host. If the first argument is a dotted quad Internet address, its name will be retrieved, and it will be checked whether the given address is listed among the known addresses belonging to that host. If the -A flag is specified along with any zone listing option, a reverse lookup of the address in each encountered A record is performed, and it is checked whether it is registered and maps back to the name of the A record. This applies to forward zones. For reverse in-addr.arpa zones, it is checked whether the target in PTR records maps to a canonical host name. LISTING OPTIONS The following options apply only to the special zone listing modes. -L level Recursively generate zone listings up to this level deep. Level 1 traverses the parent zone and all of its delegated zones. Each additional level descends into another layer of delegated zones. -S
55
DNS Overview
Griffin Software
prints statistics about the various types of resource records found during zone listings, the number of various host classifications, the number of delegated zones, and some total statistics after recursive listings. -p causes only the primary nameserver of a zone to be contacted for zone transfers during zone listings. Normally, zone transfers are obtained from any one of the authoritative servers that responds. The primary nameserver is obtained from the SOA record of the zone. If a specific server is given on the command line, this option will query that server for the desired nameservers of the zone. This can be used for testing purposes in case the zone has not been registered yet. -P prefserver gives priority for zone transfers to preferred servers residing in domains given by the comma-separated list prefserver. The more domain component labels match, the higher the priority. If this option is not present, priority is given to servers within your own domain or parent domains. The order in which NS records are issued may be unfavorable if they are subject to BIND 4.9 roundrobin reshuffling. -N skipzone prohibits zone transfers for the zones given by the comma-separated list skipzone. This may be used during recursive zone listings when certain zones are known to contain bogus information which should be excluded from further processing. COMMON OPTIONS The following options can be used in both normal mode and domain listing mode. -d turns on debugging. Nameserver transactions are shown in detail. Note that -dd prints even more debugging output. -f filename writes the resource record output to the given logfile as well as to standard output. -F filename same as -f, but exchange the role of stdout and logfile. All stdout output (including verbose and debug printout) goes to the logfile, and stdout gets only the extra resource record output (so that it can be used in pipes). -I chars suppresses warning messages about illegal domain names containing invalid characters, by specifying such characters in the string chars. The underscore is a good candidate. -i constructs a query for the "reverse mapping" in-addr.arpa domain in case a numeric (dotted quad) address was specified. Useful primarily for zone listing mode, since for numeric regular lookups such query is done anyway (but with -i you see the actual PTR resource record outcome). -n constructs a query for the "reverse mapping" nsap.int domain in case an nsap address was specified. This can be used to look up the names associated with nsap addresses, or to list reverse nsap zones. An nsap address consists of an even number of hexadecimal digits, with a maximum of 40, optionally separated by interspersed dots. An optional prefix "0x" is skipped. If this option is used, all reverse nsap.int names are by default printed in forward notation, only to improve readability. The -Z option forces the output to be in the official zone file format. -q be quiet and suppress various warning messages (the ones preceded by " !!! "). Serious error messages (preceded by " *** ") are never suppressed. -Q selects quick mode, in which several potentially time consuming special checks are not carried out, and statistics gathering is skipped if not explicitly selected. -T prints the time-to-live values during non-verbose output. By default the ttl is shown only in verbose mode. -Z prints the selected resource record output in full zone file format, including trailing dot in domain names, plus ttl value and class name. OTHER OPTIONS The following options are used only in special circumstances. -c class allows you to specify a particular resource record class. Supported are IN, INTERNET, CS, CSNET, CH, CHAOS, HS, HESIOD, and the wildcard ANY or *. The default class is IN. -e excludes information about names that are not residing within the given zone during zone listings, such as some glue records. For regular queries, it suppresses the printing of the "additional information" and "authority information" sections in the answer from the nameserver. -m is equivalent to -t MAILB, which filters any of types MB, MR, MG, or MINFO. In addition, MR and MG records will be recursively expanded into MB records. -o suppresses the resource record output to stdout. Can be used in combination with the -f option to separate the resource record output from verbose and debug comments and error messages. -r causes nameserver recursion to be turned off in the request. This means that the contacted nameserver will return only data it has currently cached in its own database. It will not ask other servers to retrieve the information. Note that nameserver recursion is always turned off when checking SOA records using the -C option. Authoritative servers should have all relevant information available. -R Normally querynames are assumed to be fully qualified and are tried as such, unless it is a single name, which is always tried (and only once) in the default domain. This option simulates the default BIND behavior by qualifying any specified name by repeatedly adding search domains, with the exception that the search terminates immediately if the name exists but does not have the desired querytype. The default search domains are constructed from the default domain by repeatedly peeling off the first component, until a final domain with only one dot remains. -B
56
DNS Overview
Griffin Software
Normally the search through search domains enabled by the -R option is stopped whenever the specified name exists but does not have the desired type. This option simulates the default BIND behavior to continue the search. -s seconds specifies a new nameserver timeout value. The program will wait for a nameserver reply in two attempts of this number of seconds. Normally it does 2 attempts of 5 seconds per nameserver address tried. The actual timeout algorithm is slightly more complicated, extending the timeout value dynamically depending on the number of tries and the number of nameserver addresses. -u forces the use of virtual circuits (TCP) instead of datagrams (UDP) when issuing nameserver queries. This is slower, but potentially more reliable. Note that a virtual circuit is automatically chosen in case a query exceeds the maximum datagram packet size. Also if a datagram answer turns out to be truncated, the query is retried using virtual circuit. A zone transfer is always done via a virtual circuit. -w causes the program to retry forever if the response to a regular query times out. Normally it will time out after some 10 seconds per nameserver address tried. -V prints just the version number of the host program, and exits.
57
DNS Overview
Griffin Software
Host Examples
Host Examples
$ host t MX abc.com
Abc.com mail is handled by 100 mail.def.net. Abc.com mail is handled by 10 mail.abc.com.
58
DNS Overview
Griffin Software
Host Examples
Host Examples
$ host a www.abc.com
Trying "www.abc.com " ;; ->>HEADER<< - opcode : QUERY, status: NOERROR, id: 28147 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.abc.com. ;; ANSWER SECTION: www.abc.com . ;; AUTHORITY SECTION: abc.com. abc.com. 3600 3600 IN IN NS NS ns0.abc.com. ns1.abc.com. 3600 IN A 192.168.2.4 IN ANY
;; ADDITIONAL SECTION: ns0.abc.com. 109505 IN A 192.168.2.2 Received 142 bytes from 192.168.0.4#53 in 1 ms
59
DNS Overview
Griffin Software
Nslookup
Nslookup
Interactive and non-interactive DNS query tool
Now deprecated on linux
NSLOOKUP(8) NSLOOKUP(8) NAME nslookup - query Internet name servers interactively SYNOPSIS nslookup [ -option ... ] [ host-to-find | - [ server ]] DESCRIPTION Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and noninteractive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Noninteractive mode is used to print just the name and requested information for a host or domain. ARGUMENTS Interactive mode is entered in the following cases: a) when no arguments are given (the default name server will be used), b) when the first argument is a hyphen (-) and the second argument is the host name or Internet address of a name server. Non-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server. The options listed under the ``set'' command below can be specified in the .nslookuprc file in the user's home directory if they are listed one per line. Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type: nslookup -query=hinfo -timeout=10 INTERACTIVE COMMANDS Commands may be interrupted at any time by typing a control-C. To exit, type a control-D (EOF) or type exit. The command line length must be less than 256 characters. To treat a built-in command as a host name, precede it with an escape character (\). N.B. an unrecognized command will be interpreted as a host name. host [server] Look up information for host using the current default server or using server if specified. If host is an Internet address and the query type is A
60
DNS Overview
or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the default domain name is appended to the name. (This behavior depends on the state of the set options domain, srchlist, defname, and search). To look up a host not in the current domain, append a period to the name. server domain lserver domain Change the default server to domain. Lserver uses the initial server to look up information about domain while server uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned. root Changes the default server to the server for the root of the domain name space. Currently, the host ns.internic.net is used. (This command is a synonym for lserver ns.internic.net.) The name of the root server can be changed with the set root command. finger [name] [> filename] finger [name] [>> filename] Connects with the finger server on the current host. The current host is defined when a previous lookup for a host was successful and returned address information (see the set querytype=A command). Name is optional. > and >> can be used to redirect output in the usual manner. ls [option] domain [> filename] ls [option] domain [>> filename] List the information available for domain, optionally creating or appending to filename. The default output contains host names and their Internet addresses. Option can be one of the following: -t querytype lists all records of the specified type (see querytype below). -a lists aliases of hosts in the domain. synonym for -t CNAME. -d lists all records for the domain. synonym for -t ANY. -h lists CPU and operating system information for the domain. synonym for -t HINFO. -s lists well-known services of hosts in the domain. synonym for -t WKS. When output is directed to a file, hash marks are printed for every 50 records received from the server. view filename Sorts and lists the output of previous ls command(s) with more(1). help ? Prints a brief summary of commands. exit Exits the program. set keyword[=value] This command is used to change state information that affects the lookups. Valid keywords are: all Prints the current values of the frequentlyused options to set. Information about the current default server and host is also printed. class=value Change the query class to one of: IN the Internet class. CHAOS the Chaos class. HESIOD the MIT Athena Hesiod class. ANY wildcard (any of the above). The class specifies the protocol group of the information. (Default = IN, abbreviation = cl) [no]debug Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer. (Default = nodebug, abbreviation = [no]deb)
Griffin Software
61
DNS Overview
[no]d2 Turn exhaustive debugging mode on. Essentially all fields of every packet are printed. (Default = nod2) domain=name Change the default domain name to name. The default domain name is appended to a lookup request depending on the state of the defname and search options. The domain search list contains the parents of the default domain if it has at least two components in its name. For example, if the default domain is CC.Berkeley.EDU, the search list is CC.Berkeley.EDU and Berkeley.EDU. Use the set srchlist command to specify a different list. Use the set all command to display the list. (Default = value from hostname, /etc/resolv.conf or LOCALDOMAIN, abbreviation = do) srchlist=name1/name2/... Change the default domain name to name1 and the domain search list to name1, name2, etc. A maximum of 6 names separated by slashes (/) can be specified. For example, set srchlist=lcs.MIT.EDU/ai.MIT.EDU/MIT.EDU sets the domain to lcs.MIT.EDU and the search list to the three names. This command overrides the default domain name and search list of the set domain command. Use the set all command to display the list. (Default = value based on hostname, /etc/resolv.conf or LOCALDOMAIN, abbreviation = srchl) [no]defname If set, append the default domain name to a single-component lookup request (i.e., one that does not contain a period). (Default = defname, abbreviation = [no]def) [no]search If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received. (Default = search, abbreviation = [no]sea) port=value Change the default TCP/UDP name server port to value. (Default = 53, abbreviation = po) querytype=value type=value Change the type of information query to one of: A the host's Internet address. CNAME the canonical name for an alias. HINFO the host CPU and operating system type. MINFO the mailbox or mail list information. MX the mail exchanger. NS the name server for the named zone. PTR the host name if the query is an Internet address, otherwise the pointer to other information. SOA the domain's ``start-of-authority'' information. TXT the text information. UINFO the user information. WKS the supported well-known services. Other types (ANY, AXFR, MB, MD, MF, NULL) are described in the RFC-1035 document. (Default = A, abbreviations = q, ty) [no]recurse
Griffin Software
62
DNS Overview
Tell the name server to query other servers if it does not have the information. (Default = recurse, abbreviation = [no]rec) retry=number Set the number of retries to number. When a reply to a request is not received within a certain amount of time (changed with set timeout), the timeout period is doubled and the request is resent. The retry value controls how many times a request is resent before giving up. (Default = 4, abbreviation = ret) root=host Change the name of the root server to host. This affects the root command. (Default = ns.internic.net., abbreviation = ro) timeout=number Change the initial timeout interval for waiting for a reply to number seconds. Each retry doubles the timeout period. (Default = 5 seconds, abbreviation = ti) [no]vc Always use a virtual circuit when sending requests to the server. (Default = novc, abbreviation = [no]v) [no]ignoretc Ignore packet truncation errors. (Default = noignoretc, abbreviation = [no]ig)
Griffin Software
63
DNS Overview
Griffin Software
Non-Interactive Mode
Non-Interactive Mode
$ nslookup www.abc.com
Server: Address: ns0.abc.com 192.168.2.2
Name: Address: $
www.abc.com 192.168.2.4
64
DNS Overview
Griffin Software
Interactive Mode
Interactive Mode
$ nslookup
>www.abc.com Server: Address: ns0.abc.com 192.168.2.2
www.abc.com 192.168.2.4
65
DNS Overview
Griffin Software
Nslookup commands
Nslookup commands
server nameserver
Changes the default name server
lserver nameserver
Changes the local name server to nameserver
set
Set an option interactively
help
Outputs a summary of commands
66
DNS Overview
Griffin Software
Dig
Dig
Domain Information Groper
A flexible tool for interrogating DNS servers
SYNOPSIS dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [name] [type] [class] [queryopt ...] dig -h dig [global-queryopt ...] [query1] [query2 ...] DESCRIPTION dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administra tors use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig. Although dig is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments and options is printed when the -h option is given. Unlike earlier versions, the BIND9 implementation of dig allows multiple lookups to be issued from the command line. Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf. When no command line arguments or options are given, will perform an NS query for "." (the root). SIMPLE USAGE A typical invocation of dig looks like: dig @server name type where: server is the name or IP address of the name server to query. An IPv4 address can be provided in dotted-decimal notation. When the supplied server argument is a hostname, dig resolves that name before querying that name server. If no server argument is pro vided, dig consults /etc/resolv.conf and queries the name servers listed there. The reply from the name server that responds is displayed. name is the name of the resource record that is to be looked up. type indicates what type of query is required - ANY, A, MX, SIG, etc. type can be any valid query type. If no type argument is sup plied, dig will perform a lookup for an A record. OPTIONS The -b option sets the source IP address of the query to address. This must be a valid address on one of the host's network interfaces. The default query class (IN for internet) is overridden by the -c option. class is any valid class, such as HS for Hesiod records or CH for CHAOS NET records.
67
DNS Overview
The -f option makes dig operate in batch mode by reading a list of lookup requests to process from the file filename. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to dig using the commandline interface. If a non-standard port number is to be queried, the -p option is used. port# is the port number that dig will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non-standard port number. The -t option sets the query type to type. It can be any valid query type which is supported in BIND9. The default query type "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, type is set to ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial num ber in the zone's SOA record was N. Reverse lookups - mapping addresses to names - are simplified by the -x option. addr is an IPv4 address in dotted-decimal notation, or a colondelimited IPv6 address. When this option is used, there is no need to provide the name, class and type arguments. dig automatically performs a lookup for a name like 11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using the IP6.ARPA domain and binary labels as defined in RFC2874. To use the older RFC1886 method using the IP6.INT domain and "nibble" labels, specify the -n (nibble) option. To sign the DNS queries sent by dig and their responses using transaction signatures (TSIG), specify a TSIG key file using the -k option. You can also specify the TSIG key itself on the command line using the -y option; name is the name of the TSIG key and key is the actual key. The key is a base-64 encoded string, typically generated by dnssec-keygen(8). Caution should be taken when using the -y option on multi-user systems as the key can be visible in the output from ps(1) or in the shell's history file. When using TSIG authentication with dig, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by pro viding appropriate key and server statements in named.conf. QUERY OPTIONS dig provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strate gies. Each query option is identified by a keyword preceded by a plus sign: "+". Some keywords set or reset an option. These may be preceded by the string "no" to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form +keyword=value. The query options are: +[no]tcp Use [do not use] TCP when querying name servers. default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used. +[no]vc Use [do not use] TCP when querying name servers. This alternate syntax to +[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit". +[no]ignore Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed. +domain=somename Set the default domain to somename, as if specified in a domain directive in /etc/resolv.conf. +[no]search Use [do not use] the search list in resolv.conf (if any). The search list is not used by default. +[no]defname Use [do not use] the default domain name, if any, in resolv.conf The default is not to append that name to name when making queries. +[no]aaonly This option does nothing. It is provided for compati bilty with old versions of dig where it set an unimple mented resolver flag. +[no]adflag Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness. +[no]cdflag Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. +[no]recursive Toggle the setting of the RD (recursion desired) bit in
Griffin Software
The
68
DNS Overview
the query. This bit is set by default, which means dig. normally sends recursive queries. Recursion is automat ically disabled when the +nssearch or +trace query options are used. +[no]nssearch When this option is set, dig attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone. +[no]trace Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is dis abled by default. When tracing is enabled, dig makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup. +[no]cmd toggles the printing of the initial comment in the out put identifying the version of dig and the query options that have been applied. This comment is printed by default. +[no]short Provide a terse answer. The default is to print the answer in a verbose form. +[no]identify Show [or do not show] the IP address and port number that supplied the answer when the +short option is enabled. If short form answers are requested, the default is not to show the source address and port num ber of the server that provided the answer. +[no]comments Toggle the display of comment lines in the output. The default is to print comments. +[no]stats This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statis tics. +[no]qr Print [do not print] the query as it is sent. before sending the query. By default, the query is not printed. +[no]question Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment. +[no]answer Display [do not display] the answer section of a reply. The default is to display it. +[no]authority Display [do not display] the authority section of a reply. The default is to display it. +[no]additional Display [do not display] the additional section of a reply. The default is to display it. +[no]all Set or clear all display flags +time=T Sets the timeout for a query to T seconds. The default time out is 5 seconds. An attempt to set T to less than 1 will result in a query timeout of 1 second being applied. +tries=A Sets the number of times to retry UDP queries to server to T instead of the default, 3. If T is less than or equal to zero, the number of retries is silently rounded up to 1. +ndots=D Set the number of dots that have to appear in name to D for it to be considered absolute. The default value is that defined using the ndots statement in /etc/resolv.conf, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the search or domain directive in /etc/resolv.conf. +bufsize=B Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
Griffin Software
69
DNS Overview
Griffin Software
Dig Example
Dig Example
$ dig abc.com NS
; <<>> DiG 9.2.1 <<>> abc.comNS ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode QUERY, status: NOERROR, id: 57076 : ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;abc.com. ;; ANSWER SECTION: abc.com . abc.com . 3600 3600 IN IN NS NS ns0.abc.com. ns1.abc.com. IN NS
;; ADDITIONAL SECTION: ns0.abc.com. 107948 IN A ;; Query time: 1 msec ;; SERVER: 192.168.0.4#53(192.168.0.4) ;; WHEN: Tue May 11 10:34:01 2004 ;; MSG SIZE rcvd: 122 192.168.2.2
70
DNS Overview
Griffin Software
BIND Logging
BIND Logging
71
DNS Overview
Griffin Software
Log Channels
Log Channels
default_syslog
sends messages to the syslogd
default_debug
writes messages to the file named.run
default_stderr
writes to standard error
null
72
DNS Overview
Griffin Software
Log Categories
Log Categories
default catchall for any unassigned messages config High level config file processing parser low level config file processing queries one log message per query statistics name server stats panic fatal errors db database operations
73
DNS Overview
Griffin Software
74
DNS Overview
Griffin Software
Common Problems
Common Problems
75
DNS Overview
Griffin Software
The main symptom of this problem is that slave name servers don't pick up any changes you make to the zone's db file on the primary. The slaves think the zone data hasn't changed, since the serial number is still the same. The serial number gives you no indication of when it was updated, there's no direct way to tell whether it's changed. About the best you can do is to use a query tool to compare the data returned by the primary and by a slave. If they return different data, you probably forgot to increment the serial number. On the other hand, if you encode the date into the serial number, as many people do (e.g., 1998010500 is the first rev of data on January 5, 1998), you may be able to tell at a glance whether you updated the serial number when you made the change. The good news is that, although determining whether the zone was transferred is tricky, making sure the zone is transferred is simple. Just increment the serial number on the primary's copy of the db file and signal the primary to reload. The slaves should pick up the new data within their refresh interval, or sooner if they use NOTIFY.
76
DNS Overview
Griffin Software
Occasionally, you may forget to signal your primary master name server after making a change to the conf file or to the db file. The name server won't know to load the new data - it doesn't automatically check the timestamp of the file and notice that it changed. Consequently, any changes you've made won't be reflected in the name server's data: new zones won't be loaded, and new records won't percolate out to the slaves
77
DNS Overview
Griffin Software
If the secondary cant reach a primary server it will log the problem in syslog and retry after the retry period. If the problem is not resolved within the expiry period the secondary will expire and stop answering queries about the zone.
There are three leading causes of this problem: a loss in connectivity to the master server due to network failure an incorrect IP address for the master server in the conf file a syntax error in the zone data file on the master server.
78
DNS Overview
Griffin Software
79
DNS Overview
Griffin Software
Generally, an error in the conf file will cause the name server to fail to load one or more zones. Some typos in the options statement will cause the name server to fail to start at all, and to log an error like this via syslog: Jan 6 11:59:29 terminator named[544]: can't change directory to /var/name: No such file or directory Note that you won't see an error message when you try to start named on the command line, but named won't stay running for long. If the syntax error is in a less important line in the boot file - say, in zone statement - only that zone will be affected. Usually, the name server will not be able to load the zone at all (say, you misspell "master" or the name of the data file, or you forget to put quotes around the file name or domain name). This would produce syslog output like: Jan 6 12:01:36 terminator named[841]: /etc/named.conf:10: syntax error near 'movie.edu' If a db file contains a syntax error, yet the name server succeeds in loading the zone, it will either answer as "non-authoritative" for all data in the zone or will return a SERVFAIL error for lookups in the zone: % nslookup fred Server: ns0.abc.com Address: 192.168.2.3 Non-authoritative answer: Name: fred.abc.com Address: 192.168.2.13 Here's the syslog message produced by the syntax error that caused this problem: Jan 6 15:07:46 huskymo named[693]: db.abc:11: Priority error (postmanrings2x.movie.edu.) Jan 6 15:07:46 huskymo named[693]: master zone abc.com" (IN) rejected due to errors (serial 1997010600) Jan 6 15:07:46 huskymo named[693]: slave zone abc.com" (IN) removed If you looked in the db file for the problem, you'd find this record: postmanrings2x IN MX postmanrings2x.abc.com. The MX record is missing the preference field, which causes the error. Note that unless you correlate the lack of authority (when you expect the name server to be authoritative) with a problem, or scan your syslog file assiduously, you might never notice the syntax error!
80
DNS Overview
Griffin Software
81
DNS Overview
Griffin Software
To confirm your suspicion that the cache data are missing, check the syslog output for an error like this: Jan 6 15:10:22 terminator named[764]: No root nameservers for class IN
82
DNS Overview
Griffin Software
83
DNS Overview
Griffin Software
BIND 8 uses address match lists for nearly every security feature, and for some features that aren't security-related at all. An address match list is a list of terms that specify one or more IP addresses. The elements in the list can be individual IP addresses, IP prefixes, or a named access control list. An IP prefix has the format: network in dotted-octet format/bits in netmask For example, the network 15.0.0.0, with the network mask 255.0.0.0 (eight contiguous ones), would be written 15/8. A named ACL must have been previously defined with an acl statement. The acl statement has a simple structure: acl "name" {{ address_match list; }; }; Now we can refer to these ACLs by name in address match lists. There are also four predefined access lists: None No IP addresses Any All IP addresses Localhost Any of the local host's IP addresses Localnets Any of the networks the local host has a network interface on (found by using each network interface's IP address and using the netmask to mask off the host bits in the address)
84
DNS Overview
Griffin Software
Security
Security
Bind 8 implements two security directives Restricting Queries
allow-query { address match list; } ;
Restricting Queries The BIND allow-query substatement allows you to place an IP address-based access list on queries. The access list can apply to a particular zone, or to any queries received by the server. In particular, the access list specifies which IP addresses are allowed to send queries to the server. Restricting all queries The global form of the allow-query substatement looks like this: options { allow-query { address_match_list; }; }; So to restrict our name server to answering queries from the two main Movie U. networks, we'd use: options { allow-query { 192.249.249/24; 192.253.253/24; }; }; Restricting queries in a particular zone BIND also allows you to apply an access list to a particular zone. In this case, just use allow-query as a substatement of the zone statement for the zone you want to protect: zone "hp.com" { type slave; file "db.hp"; masters { 15.255.152.2; }; allow-query { "HP-NET"; }; }; Preventing Unauthorized Zone Transfers BINDs allow-transfer substatement lets administrators apply an access list to zone transfers. allow-transfer can restrict transfers of a particular zone as a zone substatement or can restrict all zone transfers as an options substatement. It takes an address match list as an argument. Say the slave servers for your acmebw.com zone have the IP addresses 192.168.0.1 and 192.168.1.1. The zone statement: zone "acmebw.com" { type master; file "db.acmebw"; allow-transfer { 192.168.0.1; 192.168.1.1; }; }; will allow only those slaves to transfer acmebw.com from the primary master name server. Note that since BIND 8's default is to allow any IP address to transfer zones, and because hackers can just as easily transfer the zone from your slaves, you should probably also have a zone statement like this on your slaves: zone "acmebw.com" { type slave; masters { 192.168.0.4; }; allow-transfer { none; }; }; BIND will also let you establish a global access list on zone transfers. This applies to any zones that don't have their own, explicit access lists defined as zone substatements. For example, you might want to limit all zone transfers to your internal IP addresses: options { allow-transfer { 192.168/16; }; };
85
DNS Overview
Griffin Software
DNS Notify
DNS Notify
Proposed in RFC 1996, Implemented in BIND 8 When the Primary server notices a change it send a NOTIFY message to all the slave servers in the zone The slave servers then check for updates immediately rather than waiting until they are next due to check This feature is on by default To turn it off, include the option notify off either;
In the options section to apply to all zones In the Zone statement to apply to a particular zone
RFC 1996 proposed a mechanism that would allow primary master servers to notify their slaves of changes to a zone's data. BIND implements this scheme, called DNS NOTIFY for short. DNS NOTIFY works like this: when a primary master name server notices a change to data in a zone, it sends a special request to all of the slave servers for that zone. It determines which servers are the slaves for the zone by looking at the list of NS records in the zone and taking out the one that points to the name server listed in the first record-specific field in the zone's SOA record as well as the local host. The special NOTIFY request is identified by its opcode in the query header. The opcode for most queries is QUERY. NOTIFY messages have a special opcode, NOTIFY (duh). Other than that, the request looks very much like a query for the SOA record for the zone: it specifies the zone's domain name, class, and a type of SOA. The authoritative answer bit is also set. When a slave receives a NOTIFY request for a zone from one of its configured master name servers, it responds with a NOTIFY response. The response tells the master that the slave received the NOTIFY request, so that it can stop sending it NOTIFY messages for the zone. Then the slave proceeds just as if the refresh timer had expired: it queries the master server for the SOA record for the zone that the master claimed has changed. If the serial number is higher, the slave transfers the zone. Why doesn't the slave simply take the master's word that the zone has changed? It's possible that a miscreant could forge NOTIFY requests to our slaves, causing lots of unnecessary zone transfers, amounting to a denial of service attack against our master server. If the slave actually transfers the zone, RFC 1996 says that it should issue its own NOTIFY requests to the other authoritative name servers for the zone. The idea is that the primary master may not be able to notify all of the slave servers for the zone itself, since it's possible some slaves can't communicate directly with the primary master and use another slave as their master. However, BIND 8 doesn't implement this, and BIND 8 slaves don't send NOTIFY messages unless explicitly configured to.
86
DNS Overview
Griffin Software
described in RFC 2136. This permits authorized updaters to add and delete resource records from a zone for which the server is authoritative. An updater can find the authoritative name servers for a zone by retrieving the zone's NS records. If the server receiving an authorized update message is not the primary master for the zone, it will forward the update "upstream" to its master server(s). If they, in turn, are slaves for the zone, they will also forward the update upstream. Dynamic update permits more than the simple addition and deletion of records. Updaters can add or delete individual resource records, delete RRsets (a set of resource records with the same domain name, class and type, such as all Internet addresses for www.acmebw.com), or even delete all records associated with a given name. An update can also stipulate that certain prerequisite records exist or not exist in the zone before the update takes effect. For example, an update can add the address record: dakota.west.acmebw.com. in a 192.168.1.4 only if the name dakota.west.acmebw.com isn't currently being used, or only if dakota.west.acmebw.com currently has no address records. For the most part, dynamic update functionality is used by programs like DHCP servers that assign IP addresses automatically to computers, and then need to register the resulting name-to-address and address-to-name mappings. These programs use the ns_update() routine to create update messages and send them to an authoritative server for the zone that contains the domain name. However, it is possible to create updates manually with the command-line program nsupdate, which is part of the standard BIND distribution. nsupdate reads one-line commands that it then translates into an update message. Commands can be specified on standard input (the default) or in a file, whose name must be given as an argument to nsupdate. Commands not separated by a blank line are incorporated into the same update message. The commands nsupdate understands are: prereq yxrrset domain name type [rdata] Makes the existence of an RRset of type type owned by domain name a prerequisite to performing the update prereq nxrrset Makes the non-existence of an RRset of type type owned by domain name a prerequisite to performing the update specified in successive update commands prereq yxdomain domain name Makes the existence of the domain name specified a prerequisite to performing the update prereq nxdomain Makes the non-existence of the domain name specified a prerequisite to performing the update update delete domain name [type] [rdata] Deletes the domain name specified or, if type is also specified, deletes the RRset specified or, if rdata is also specified, deletes the record matching domain name, type, and rdata update add domain name ttl [class] type rdata Adds the record specified to the zone. Note that the TTL, in addition to the type and resource-record-specific data, must be included, but the class is optional, and defaults to IN So, for example, the command: % nsupdate > prereq nxdomain dakota.west.acmebw.com. > update add dakota.west.acmebw.com. 333 in a 192.168.0.4 > tells the server to add an address for dakota.west.acmebw.com only if the domain name does not already exist. Note that the last blank line is nsupdate's cue to send the update. The command: % nsupdate > prereq yxrrset dakota.west.acmebw.com. in mx > update delete dakota.west.acmebw.com. in mx > update add dakota.west.acmebw.com. in mx 10 dakota.west.acmebw.com. > update add dakota.west.acmebw.com. in mx 50
87
DNS Overview
Griffin Software
store-forward.mindspring.com. > checks to see whether dakota.west.acmebw.com already has MX records, and if it does, deletes them and adds two in their place. Given the fearsome control that dynamic updates obviously give an updater over a zone, you clearly need to restrict them, if you use them at all. By default, BIND 8 servers don't allow dynamic updates to authoritative zones. In order to use them, you add an allow-update substatement to the zone statement for the zone that you'd like to allow updates to. allow-update takes an address match list as an argument. The address or addresses matched by the list are the only addresses that are allowed to send your server updates to that zone. It's prudent to make this access list as restrictive as possible: zone "acmebw.com" { type master; file "db.acmebw"; allow-update { 192.168.0.1; }; };
88
DNS Overview
Griffin Software
RFC 1995 - Incremental Zone Transfer in DNS If an IXFR client, which likely has an older version of a zone, thinks it needs new information about the zone (typically through SOA refresh timeout or the NOTIFY mechanism), it sends an IXFR message containing the SOA serial number of its, presumably outdated, copy of the zone. An IXFR server should keep record of the newest version of the zone and the differences between that copy and several older versions. When an IXFR request with an older version number is received, the IXFR server needs to send only the differences required to make that version current. Alternatively, the server may choose to transfer the entire zone just as in a normal full zone transfer.
89
DNS Overview
Griffin Software
Views
Views
Allows you to present different configurations based on Address Match Lists E.g.
Have different Zone files for internal and external clients
90
DNS Overview
Griffin Software
The name server rotates addresses for any domain name that has more than one A record. (In fact, the name server will rotate any type of record, except PTR records, as long as a given domain name has more than one of them.) So the records: foo.bar.baz. 60 IN A 192.1.1.1 foo.bar.baz. 60 IN A 192.1.1.2 foo.bar.baz. 60 IN A 192.1.1.3 The BIND documentation calls this process round robin. It's a good idea to reduce the records' time-to-live, too, as we did in this example. This ensures that if the addresses are cached on an intermediate name server that doesn't support round robin, they'll time out of the cache quickly. If the intermediate name server looks up the name again, your authoritative name server can round robin the addresses again.
91
DNS Overview
Griffin Software
You must not use the Alias in other resource records ( e.g. MX ) Using Multiple CNAME records (i.e. for rotation ) is WRONG, but may work on some servers
92
DNS Overview
Griffin Software
Wildcards
Wildcards
You can use * as a wildcard in resource records
*.abc.com. IN MX 10 mail.abc.com .
But this can cause confusion as queries for host that do not exist will be returned
e.g. host t MX foobar.abc.com will return mail.abc.com even though the host foobar does not exist.
Also Wildcards do not match names for which there is already data
Most often, you'd use wildcards to forward mail to non-Internet-connected networks. Suppose your site is not connected to the Internet, but you have a host that will relay mail between the Internet and your network. You could add a wildcard MX record to the movie.edu zone for Internet consumption that points all your mail to the relay. Here is an example: *.movie.edu. IN MX 10 movie-relay.nea.gov. Since the wildcard matches one or more labels, this resource record would apply to names like terminator.movie.edu, empire.fx.movie.edu, or casablanca.bogart.classics.movie.edu. The danger with wildcards is that they clash with search lists. This wildcard also matches cujo.movie.edu.movie.edu, making wildcards dangerous to use in your internal zone data. Remember that some versions of sendmail apply the search list when looking up MX records: % nslookup Default Server: wormhole Address: 0.0.0.0 > set type=mx - Look up MX records > cujo.movie.edu - for cujo Server: wormhole Address: 0.0.0.0 cujo.movie.edu.movie.edu - This isn't a real host's name! preference = 10, mail exchanger = movie-relay.nea.gov What are the limitations of wildcards? Wildcards do not match names for which there is already data. Suppose you did use wildcards within your zone data, as in these partial contents of db.movie: * IN MX 10 mail-hub.movie.edu. et IN MX 10 et.movie.edu. jaws IN A 192.253.253.113 fx IN NS bladerunner.fx.movie.edu. fx IN NS outland.fx.movie.edu. Mail to terminator.movie.edu will be sent to mail-hub, but mail to et.movie.edu will be sent directly to et. An MX lookup of jaws.movie.edu would result in a response that said there was no MX data for that name. The wildcard doesn't apply because an A record exists. The wildcard also doesn't apply to domain names in fx.movie.edu, because they don't apply across delegation.
93
DNS Overview
Griffin Software
To map an IP address to a name in DNS, you reverse the IP address, append in-addr.arpa, and look up PTR data. This same technique is used to map a network number to a network name; for example, to map network 15.0.0.0 to "HP Internet." To look up the network number, include the trailing zeros to make it four bytes, and look up PTR data just as you did with a host's IP address. For example, to find the network name for the old ARPAnet, network 10.0.0.0, look up PTR data for 0.0.0.10.inaddr.arpa. You'd get back an answer like ARPAnet.ARPA. If the ARPANET were subnetted, you'd also find an address record at 0.0.0.10.in-addr.arpa. The address would be the subnet mask, 255.255.0.0, for instance. If you were interested in the subnet name instead of the network name, you'd apply the mask to the IP address and look up the subnet number. This technique allows you to map the network number to a name. To provide a complete solution, there must be a way to map a network name to its network number. This, again, is accomplished with PTR records. The network name has PTR data that point to the network number (reversed with in-addr.arpa appended). Let's see what the data might look like in HP's zone data files (the HP Internet has network number 15.0.0.0), and step through mapping a network number to a network name. Partial contents of the file db.hp: ; ; Map HP's network name to 15.0.0.0. ; hp-net.hp.com. IN PTR 0.0.0.15.in-addr.arpa. Partial contents of the file db.corp: ; ; Map corp's subnet name to 15.1.0.0. ; corp-subnet.corp.hp.com. IN PTR 0.0.1.15.in-addr.arpa. Partial contents of the file db.15: ; ; Map 15.0.0.0 to hp-net.hp.com. ; HP's subnet mask is 255.255.248.0. ; 0.0.0.15.in-addr.arpa. IN PTR hp-net.hp.com. IN A 255.255.248.0 Partial contents of the file db.15.1: ; ; Map the 15.1.0.0 back to its subnet name. ; 0.0.1.15.in-addr.arpa. IN PTR corp-subnet.corp.hp.com. Here's the procedure to look up the subnet name for the IP address 15.1.0.1: Apply the default network mask for the address's class. Address 15.1.0.1 is a class A address, so the mask is 255.0.0.0. Applying the mask to the IP address makes the network number 15. Send a query (type=a or type=any) for 0.0.0.15.in-addr.arpa. The query response contains address data. Since there is address data at 0.0.0.15.in- addr.arpa (the subnet mask255.255.248.0), apply the subnet mask to the IP address. This yields 15.1.0.0. Send a query (type=a or type=any) for 0.0.1.15.in-addr.arpa. The query response does not contain address data, so 15.1.0.0 is not further subnetted. Send a PTR query for 0.0.1.15.in-addr.arpa. The query response contains the network name for 15.1.0.1: corp- subnet.corp.hp.com. In addition to mapping between network names and numbers, you can also list all the networks for your domain with PTR records: movie.edu. IN PTR 0.249.249.192.in-addr.arpa. IN PTR 0.253.253.192.in-addr.arpa.
94
DNS Overview
Griffin Software
HINFO stands for Host INFOrmation. The data are a pair of strings identifying the host's hardware type and operating system. The strings should come from the MACHINE NAMES and OPERATING SYSTEM NAMES listed in the "Assigned Numbers" RFC (currently RFC 1700), but this requirement is not enforced; you can use your own abbreviations. The RFC isn't at all comprehensive, so it is quite possible you won't find your system in the list anyway. Originally, host information records were designed to let services like FTP determine how to interact with the remote system. This would have made it possible to negotiate data type transformations automatically. Unfortunately, this didn't happen - few sites supply accurate HINFO values for all their systems. Some network administrators use HINFO records to help them keep track of the machine types, instead of recording the machine types in a database or a notebook. Here are two examples of HINFO records; note that the hardware type or operating system must be surrounded with quotes if it includes any whitespace: ; ; These machine names and system names did not come from RFC 1340 ; wormhole IN HINFO ACME-HW ACME-GW cujo IN HINFO "Watch Dog Hardware" "Rabid OS" As we pointed out, HINFO records are a security risk - by providing easily accessible information about a system, you are making it easier for a hacker to break in. X25, ISDN, and RT These three record types were created specifically in support of research on next-generation internets. Two of the records, X25 and ISDN, are simply address records specific to X.25 and ISDN networks, respectively. Both take arguments (record-specific data) appropriate to the type of network. The X25 record type uses an X.121 address (X.121 is the ITU-T recommendation that specifies the format of addresses used in X.25 networks). The ISDN record type uses an ISDN address. Examples of the X25 and ISDN record types are: relay.pink.com. IN X25 31105060845 delay.hp.com. IN ISDN 141555514539488 hep.hp.com. IN ISDN 141555514539488 004 These records are intended for use in conjunction with the Route Through (RT) record type. RT is syntactically and semantically similar to the MX record type: it specifies an intermediate host that will route packets (instead of mail) to a destination host. So now, instead of only being able to route mail to a host that isn't directly connected to the Internet, you can route any kind of IP packet to that host by using another host as a forwarder. The packet could be part of a telnet or ftp session, or perhaps even a DNS query! Like MX, RT includes a preference value, which indicates how desirable delivery to a particular host is. For example, the records: housesitter.movie.edu. IN RT 10 relay.pink.com. IN RT 20 delay.hp.com. instruct hosts to route packets bound for housesitter through relay.pink.com (the first choice) or through delay.hp.com (the second choice). The way RT works with X25 and ISDN (and even A) records is like this: Internet host A wants to send a packet to host B, which is not connected to the Internet. Host A looks up host B's RT records. This search also returns all address records (A, X25, and ISDN) for each intermediate host. Host A sorts the list of intermediate hosts and looks for its own domain name. If it finds it, it removes it and all intermediate hosts at higher preference values. This is analogous to sendmail's "paring down" a list of mail exchangers. Host A examines the address record(s) for the most preferred intermediate host that remains. If host A is attached to a network that corresponds to the type of address record indicated, it uses that network to send the packet to the intermediate host. For example, if host A were trying to send a packet through relay.pink.com, it would need connectivity to an X.25 network.
95
DNS Overview
Griffin Software
If host A lacks appropriate connectivity, it tries the next intermediate host specified by the RT records. For example, if host A lacked X.25 connectivity, it might fall back to delivering via ISDN to delay.hp.com. This process continues until the packet is routed to the most preferred intermediate host. The most preferred intermediate host may then deliver the packet directly to the destination host's address (which may be A, X25, or ISDN). Loc RFC 1876 defines an experimental record type, LOC, that allows domain administrators to encode the location of their computers, subnets and networks. In this case, location means latitude, longitude and altitude. Future applications could use this information to produce network maps, assess routing efficiency, and more. In its basic form, the LOC record takes latitude, longitude and altitude (in that order) as its record-specific data. Latitude and longitude are expressed in the format: <degrees> [minutes [seconds.<fractional seconds>]] (N|S|E|W) Altitude is expressed in meters. If you're wondering how in the world you're going to get that data, check out "RFC 1876 Resources," at http://www.ckdhr.com/dns-loc/. This site, created by Christopher Davis, one of the authors of RFC 1876, is an indispensable collection of information and useful links and utilities for people creating LOC records. If you don't have your own Global Positioning System receiver to carry around to all of your computers, two sites that may come in handy are Etak's Eagle Geocoder, at http://www.geocode.com/eagle.html-ssi, which you can use to find the latitude and longitude of most addresses in the United States; and AirNav's Airport Information, at http://www.airnav.com/airports/, which will let you find the elevation of the closest airport to you. If you don't have a major airport near you, don't worry: the database even includes the helipad at my neighborhood hospital! Here's a LOC record for one of our hosts: huskymo.acmebw.com. IN LOC 40 2 0.373 N 105 17 23.528 W 1638m Optional fields in the record-specific data allow you to specify how large the entity you're describing is, in meters (LOC records can describe networks, after all, which can be quite large), as well as the horizontal and vertical precision. The size defaults to one meter, which is perfect for a single host. Horizontal precision defaults to 10,000 meters, and vertical precision to ten meters. These defaults represent the size of a typical ZIP or postal code, the idea being that you can fairly easily find a latitude and longitude given a ZIP code. AAAA - IPv6 Addresses If you're to believe the hype, IPv6 is coming soon to a network near you. Clearly, the existing A record won't accommodate IPv6's 128-bit addresses: BIND expects an A record's record-specific data to be a 32-bit address in dotted-octet format. RFC 1886 introduces a new address record, AAAA, used to store a 128-bit IPv6 address. AAAA takes as its record-specific data the textual format of an IPv6 record described in RFC 1884. This format expresses the 128 bits of the address as eight sets of four hexadecimal digits, separated by colons (":"). The first set of four digits encodes the high-order 16 bits of the address. Every set of four bits are compressed into the equivalent hexadecimal digit (e.g., 1111 becomes f). You can omit leading zeroes in a set of hexadecimal digits. So, for example, you'd see AAAA records like this: ipv6 IN AAAA 4321:0:1:2:3:4:567:89ab RFC 1886 also extends the additional processing that BIND and other name servers do, so that name servers include AAAA records for mail exchangers and name servers that speak IPv6, for example. Finally, RFC 1886 establishes a new reverse mapping namespace for IPv6 addresses, called ip6.int. Each level of subdomain under ip6.int represents a nibble (a 4-bit quantity) in the 128-bit address, with the low-order nibble encoded first (appearing at the far left of the domain name). Unlike the format of addresses in AAAA records, omitting leading zeroes is not allowed, so there are always 32 nibbles and 32 levels of subdomain below ip6.int in a domain name corresponding to a full IPv6 address. The domain name that corresponds to the address in the example above is: b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.INT. These domain names have PTR records attached, just as domain names under in-addr.arpa do. SRV Locating a service or server within a zone, if you don't know which host it runs on, is a difficult problem. Some domain administrators have attempted to solve this problem by using service-specific aliases in their zones. For example, at Movie U. we created the alias ftp.movie.edu and point it to the domain name of our FTP archive: ftp.movie.edu. IN CNAME plan9.fx.movie.edu. This makes it easy for people to guess a domain name that will get them to our FTP archive, and separates the name people use to access to archive from the domain name of the host it runs on. If we were to move the archive to a different host, we could simply change the CNAME record. The experimental SRV record, introduced in RFC 2052, is a general mechanism for locating services. SRV also provides powerful features that allow domain administrators to distribute load and provide backup services, similar to the MX record. A unique aspect of the SRV record is the format of the domain name it's attached to. Like service-specific aliases, the domain name to which an SRV record is attached gives the name of the service sought, as well as the protocol it runs over, concatenated with a domain name. So, for example: ftp.tcp.movie.edu would represent the SRV records someone ftping to movie.edu should retrieve in order to find the movie.edu FTP servers, while:
96
DNS Overview
http.tcp.www.movie.edu
Griffin Software
represents the SRV records someone accessing the URL http://www.movie.edu/ should look up in order to find the www.movie.edu web servers. The names of the service and protocol should appear in the latest Assigned Numbers RFC (the most recent as of this writing is RFC 1700), or be unique names used only locally. Don't use the port or protocol numbers, just the names. The SRV record has four resource record-specific fields: priority weight port target priority, weight, and port are unsigned 16-bit numbers (between 0 and 65535). target is a domain name. Priority works very similarly to the preference in an MX record: the lower the number in the priority field, the more desirable the associated target. When searching for the hosts offering a given service, clients should try targets at the same priority before trying those at a higher priority value. Weight allows domain administrators to distribute load to multiple targets. Clients should query targets at the same priority in proportion to their weight. For example, if one target has a priority of zero and a weight of one, and another target also has a priority of zero but a weight of two, the second target should receive twice as much load (in queries, connections, whatever) as the first. Port specifies the port on which the service being sought is running. This allows domain administrators to run servers on nonstandard ports. For example, a domain administrator could use SRV records to point web browsers at a web server running on port 8000 instead of the standard HTTP port (80). Target, finally, specifies the domain name of a host on which the service is running (on the port specified in the port field). Target must be the canonical name of the host (not an alias), with address records attached to it. So, for the movie.edu FTP server, we added these records to db.movie: ftp.tcp IN SRV 1 0 21 plan9.fx.movie.edu. IN SRV 2 0 21 thing.fx.movie.edu. This instructs SRV-capable FTP clients to try the FTP server on plan9.fx.movie.edu's port 21 first when connecting to movie.edu, and then to try the FTP server on thing.fx.movie.edu's port 21 if plan9's FTP server isn't available. The records: http.tcp.www IN SRV 0 2 80 www.movie.edu. IN SRV 0 1 80 www2.movie.edu. IN SRV 1 1 8000 postmanrings2x.movie.edu. direct web queries for www.movie.edu to www.movie.edu's port 80 and www2.movie.edu's port 80, with www.movie.edu getting twice the queries that www2.movie.edu does. If neither is available, queries go to postmanrings2x, on port 8000.
97
DNS Overview
Griffin Software
98
DNS Overview
Griffin Software
Benefits:
Fault Tolerance Security Simplified Management More Efficient Replication of Large Zones
Active Directory Integration and Multimaster Replication In addition to storing zone files on DNS servers, you can store a primary zone in Active Directory. When you store a zone in Active Directory, zone data is stored as Active Directory objects and replicated as part of Active Directory replication. Active Directory replication provides an advantage over standard DNS alone. With standard DNS, only the primary server for a zone can modify the zone. With Active Directory replication, all domain controllers for the domain can modify the zone and then replicate the changes to other domain controllers. This replication process is called multimaster replication because multiple domain controllers, or masters, can update the zone. Although Active Directoryintegrated zones are transferred by using Active Directory replication, you can also perform standard zone transfers to secondary servers as you can with standard DNS zones. Active Directoryintegrated storage provides the following benefits: Fault Tolerance Although you can still perform standard zone transfers with Active Directory integrated zones, Active Directory multimaster replication provides greater fault tolerance than using standard zone transfers alone. Standard zone transfers and updates rely on a single primary DNS server to update all the secondary servers. With Active Directory replication, however, there is no single point of failure for zone updates. Security You can limit access to updates for any zone or record, preventing insecure dynamic updates. For more information about configuring secure dynamic update, see "Dynamic Update and Secure Dynamic Update" later in this chapter. Simpler Management Because Active Directory performs replication, you do not need to set up and maintain a separate replication topology (that is, zone transfers) for DNS servers. More Efficient Replication of Large Zones Active Directory replicates on a per-property basis, propagating only relevant changes. This is more efficient than full zone transfers.
99
DNS Overview
Griffin Software
Multi-master Replication
Multi-master Replication
DNS Transfers
Full Zone Transfers send the Entire Database Incremental Zone Transfers send Each Change
Per-Property Processing
Only Relevant Changes Propagated
Multimaster Replication Active Directory supports multi-master replication, which is replication in which any domain controller can send or receive updates of information stored in Active Directory. Replication processing is performed on a per-property basis, which means that only relevant changes are propagated. Replication processing differs from DNS full zone transfers, in which the entire zone is propagated. Replication processing also differs from incremental zone transfers, in which the server transfers all changes made since the last change. With Active Directory replication, however, only the final result of all changes to a record is sent. When you store a primary zone in Active Directory, the zone information is replicated to all domain controllers within the Active Directory domain. Every DNS server running on a domain controller is then authoritative for that zone and can update it.
100
DNS Overview
Griffin Software
Server addresses configured at client direct client queries to DNS Server(s) Client Configuration Settings
TCP/IP > Properties > Advanced System Properties > Network Identification
DNS Client Configuration DNS Client configuration is critical to successful operation of DNS. Keep in mind that when we speak of a DNS Client that could mean either an individual host computer submitting a request to a DNS server, or it could be one DNS Server communicating with other DNS servers while attempting to resolve a query on behalf of a client. Therefore, DNS client settings must be correct on all systems workstations, Servers, Domain Controllers, and the DNS Server itself. In Windows 2000 DNS is configured per network connection via TCP/IP > Properties and TCP/IP > Properties > Advanced Settings. TCP/IP Properties This dialog box is used to enter the address of the Preferred DNS Server and optionally one Alternate server address. The Preferred DNS Server will be attempted first for all DNS Name Queries issued by the client. TCP/IP Properties > Advanced Within the Advanced Properties you will notice the DNS tab. Here the user may configure additional Alternate DNS Server addresses, as well as the DNS Suffixes that will be appended onto queries made by the client. The process of how the client appends and uses these suffixes is described in detail later in this section.
101
DNS Overview
Griffin Software
DNS Configuration Interface DNS client settings are configured via TCP/IP Properties and TCP/IP Advanced Settings. In Windows 2000 these settings may be configured for each network adapter present in the system.
102
DNS Overview
Griffin Software
Client-side Configuration
Client-side Configuration
Server Addresses
Preferred DNS Server Address Alternate DNS Server Address(es) Specified via TCP/IP Properties and TCP/IP Properties > Advanced > DNS Initially uses Preferred first, then tries Alternates in order listed Optimizes for non-responding servers
Client-side Configuration: Preferred and Alternate DNS Server Addresses The DNS Client service uses a server search list, ordered by preference. This list includes all preferred and alternate DNS servers configured for each of the active network connections on the system. Windows 2000 rearranges these lists based on the following criteria: Preferred DNS servers are given first priority. If no preferred DNS servers are available, then alternate DNS servers are used. Unresponsive servers are removed temporarily from these lists. Note: In Windows 2000, the DHCP Client service initiates dynamic registration for client DNS names, whether the client is enabled for DHCP automatic addressing or whether it is statically configured. Therefore the DHCP Client service must be running on the client for dynamic registration of DNS names to occur.
103
DNS Overview
Griffin Software
The Preferred DNS Server is the one the client tries first
If Preferred Server fails, the client tries the Alternate DNS Server (if so configured)
104
DNS Overview
Griffin Software
105
DNS Overview
Griffin Software
If Failure:
DYNAMIC UPDATE/REGISTRATION In a conventional DNS implementation (Windows NT 4.0 DNS server and older BIND versions), if the authoritative information of a resource record must be changed, the network administrator has to edit the appropriate zone file manually. Protocol Description The RFC 2136 introduces a new opcode or message format called UPDATE. The update message can add and delete RRs from a specified zone as well as test for prerequisite conditions. Update is atomic, that is, all prerequisites must be satisfied or else no update operation will take place. As in older static DNS implementations, the zone update must be committed on a primary name server for that zone. If an update is received by a secondary server, it will be forwarded up the replication topology until it reaches the primary server. In the case of a Active Directory(AD) integrated zone, an update for a record in that zone may be sent to any DNS server running on a domain controller whose AD contains the zone. Dynamic Update Algorithm The dynamic update sequence consists of the following steps: A client, using an SOA query, locates primary DNS server and zone authoritative for the record to be registered. The client sends to the located DNS server an assertion or prerequisite-only update to verify an existing registration. If the registration does not exist, the client will send the appropriate dynamic update package to register the record.
106
DNS Overview
Griffin Software
107