Let's talk DNS


  • Posted: 25-Jan-2017

  • Category: Technology


  • Let's talk DNS

    1

  • History

    Once upon a time

    computers were very expensive

    computers were very large

    computers were isolated, didn't talk to each other

    2

  • Early Internet Era - ARPANET

    Later, computers started getting connected to each other over networks* such as ARPANET, which

    contained only ~100 nodes

    kept the name-to-address mapping in a hosts.txt file

    each host obtained a copy of the master hosts.txt file

    files used to be replaced over FTP

    *thanks to the packet-switching network era

    3

  • Sample hosts.txt

    6

  • Issues with ARPANET

    ARPANET worked for a while, but not for long, as

    hosts.txt files became extremely large (in size)

    bandwidth requirements grew exponentially

    the scheme was unscalable to the needs of emerging networks for host mapping

    and remember, this was decades before rsync

    Problems with hosts.txt

    consistency

    name collisions (there was no Git for conflict management)

    8

  • Requirements

    Essentially we need a system which

    can store number (IP) to name mappings (a database service at its core)

    can handle changes to those associations

    is distributed in nature, so there is no single point of failure

    is hierarchical in nature: if someone doesn't know the binding, the question goes up the hierarchy

    can delegate responsibility, i.e. supports tree-structured delegation

    9

  • DNS

    In use since 1980

    Defined in RFC 882 and RFC 883 in 1983

    Superseded in RFC 1034 and RFC 1035 in 1987

    10

  • DNS

    Asynchronous protocol

    Stateless (UDP)

    A very simple packet format

    Compatible with the IP suite of protocols

    Aggressive caching

    the response message specifies a TTL

    servers respond to queries with additional information

    The first Unix name server implementation is popularly known as BIND; it was written in 1984 and was first ported to Windows NT

    11

  • DNS - In reality

    Data is indexed by domain names

    A domain name is a sequence of labels

    Labels are separated by dots (.) and form a tree

    Domain names are case-insensitive ASCII

    DNS administration is shared

    Authority is delegated

    No single entity is in charge

    Top-down approach

    13 root servers

    The empty label denotes the root (.) zone

    12

  • Root and TLDs

    Top-level domains

    gTLD: generic top-level domain (.com, .org ..)

    ccTLD: country-code top-level domain (.in, .eu, .uk)

    New TLDs (.tourism, .india, .book)

    IDN: internationalized domain names

    13

  • Root and TLDs

    14

  • 13 Root Servers

    Hostname            IP Addresses                          Manager
    a.root-servers.net  198.41.0.4, 2001:503:ba3e::2:30       VeriSign, Inc.
    b.root-servers.net  192.228.79.201, 2001:500:84::b        University of Southern California (ISI)
    c.root-servers.net  192.33.4.12, 2001:500:2::c            Cogent Communications
    d.root-servers.net  199.7.91.13, 2001:500:2d::d           University of Maryland
    e.root-servers.net  192.203.230.10                        NASA (Ames Research Center)
    f.root-servers.net  192.5.5.241, 2001:500:2f::f           Internet Systems Consortium, Inc.
    g.root-servers.net  192.112.36.4                          US Department of Defense (NIC)
    h.root-servers.net  198.97.190.53, 2001:500:1::53         US Army (Research Lab)
    i.root-servers.net  192.36.148.17, 2001:7fe::53           Netnod
    j.root-servers.net  192.58.128.30, 2001:503:c27::2:30     VeriSign, Inc.
    k.root-servers.net  193.0.14.129, 2001:7fd::1             RIPE NCC
    l.root-servers.net  199.7.83.42, 2001:500:9f::42          ICANN
    m.root-servers.net  202.12.27.33, 2001:dc3::35            WIDE Project

    NOTE

    Generally these 13 well-known root servers are compiled in or configured

    Also, many resolvers choose to cache the root (.) zone locally

    15

  • Delegation: domains and zones

    Domain: the entire subtree

    Zone: the part of a domain administered by one entity (smaller, more manageable units created by delegation)

    16

  • DNS: Operation of the protocol

    Servers respond to queries

    Clients recursively query servers

    Responses are cached everywhere

    Fundamental concept -

    Keep asking the same question until you get a reply or until you get bored waiting.

    17

  • DNS Actors

    (diagram: stub resolver sends query? to the recursive resolver, which asks the name servers (authoritative server / root server) and returns the response)

    18

  • DNS Actors

    1. Clients configure a recursive resolver, read from /etc/resolv.conf

    2. Recursive resolvers find answers on behalf of clients. They query the DNS from the root until they find the answer.

    3. Authoritative servers reply authoritatively to queries.

    RESOLVER -

    1. the stub resolver sends it queries to resolve names

    2. it queries the authoritative servers for the answer and serves it back

    3. results are cached based on TTL

    19-21

  • DNS Actors (authoritative server)

    Records are in its zone file

    Types A, AAAA, MX, CNAME etc.

    Only answers queries for data under its authority

    (only if it has an internal copy of the data)

    If it can't answer, it points to the authority

    but doesn't query recursively

    22

  • DNS Flow - Example

    23

  • Different types of servers

    Authoritative-only DNS servers

    Authoritative servers can also be caching servers

    Recursive caching DNS servers

    Forwarding DNS servers

    Primary & Slave servers

    24

  • Queries, Responses & Flags

    25

  • Every DNS query consists of the following:

    qname: a domain name (popularly known as URLs)

    qtype: A, AAAA, MX etc.; denotes the type of record

    qclass: IN or CH (mostly IN is used)

    Flags: QR, RD, DO, AD, EDNS OPT etc.

    dig +short A IN google.com

    (flags: +short, type: A, class: IN, name: google.com)

    26

  • Types of DNS queries

    Forward DNS query

    Look up a host's IP address by name

    for example - yahoo.com has the address 98.138.253.109

    Reverse DNS query

    Look up a host's name by IP address

    for example - 98.138.253.109 belongs to yahoo.com

    27

  • DNS Flags (Q = set in queries, A = set in answers)

    qr: query/response (A)

    rd: recursion desired (Q) (A)

    ra: recursion available (A)

    aa: authoritative answer (A)

    28
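    The query structure and the header flags from the last two slides, shown on the wire. This is an added example written for this page, not code from the deck: it builds the query that dig +short A IN google.com would send (transaction ID, flags word with RD set, one question with qname/qtype/qclass), constructs the reply a recursive resolver would return, and decodes the qr/aa/rd/ra bits of both. The type and class numbers are the standard RFC 1035/3596/2782 values; the transaction ID 0x1234 and the 300-second TTL are assumptions, google.com and 216.58.220.46 come from the slides. The name decoder bounds compression-pointer hops so a malformed packet with a pointer loop cannot hang the parser.

```python
import struct

# Added example for this page (not the deck's own code): build a DNS query as a
# stub resolver would, and decode the header flags (qr, aa, rd, ra) of a message.
# Type and class numbers are the RFC 1035 / RFC 3596 / RFC 2782 values.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28, "SRV": 33}
QCLASSES = {"IN": 1, "CH": 3}

# Bit positions inside the 16-bit flags word that follows the transaction ID.
FLAG_QR = 1 << 15   # 0 = query, 1 = response
FLAG_AA = 1 << 10   # authoritative answer
FLAG_RD = 1 << 8    # recursion desired (copied from query into response)
FLAG_RA = 1 << 7    # recursion available
MAX_POINTER_HOPS = 16   # guard against looping compression pointers in hostile packets


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in the empty root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; returns (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: pointer into the message
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2               # parsing resumes after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (offset if end is None else end)


def build_query(qname, qtype="A", qclass="IN", txid=0x1234, rd=True):
    """Header (id, flags, qdcount=1, an/ns/ar=0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], QCLASSES[qclass])


def build_response(query, ttl, ipv4):
    """Constructed reply to an A query, as a recursive resolver would send it:
    qr and ra set, rd copied from the query, aa clear (it is not the authority)."""
    txid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    flags = FLAG_QR | FLAG_RA | (qflags & FLAG_RD)
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 1, 0, 0)
    # The answer's owner name is a pointer (0xC00C) back to the question name at offset 12.
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPES["A"], QCLASSES["IN"], ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def parse_message(msg):
    """Return (header dict, questions, answers); A rdata is rendered as a dotted quad."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    hdr = {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
           "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA), "rcode": flags & 0xF}
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPES["A"] and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return hdr, questions, answers


if __name__ == "__main__":
    q = build_query("google.com")                    # the slide's dig example, on the wire
    r = build_response(q, 300, "216.58.220.46")      # constructed answer; IP from the A/AAAA slide
    print(parse_message(q)[0])
    print(parse_message(r))
```

    Running the block prints the query header with only rd set and the response with qr, rd and ra set but aa clear, which is exactly what a dig against a recursive resolver shows: the resolver answers on your behalf but is not the authority for google.com. Matching the response's transaction ID against the query is the minimum check a client must make before trusting an answer.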

  • Sample DNS Query In Action

    (diagram: stub resolver sends query? to the recursive resolver, which walks the root server (.), the TLD server (.com) and the host server, and returns the response)

    1. Do I know me.com? No!
    2. Do I know .com? No!
    3. Send query to resolver .. wait
    4. The same questions (1, 2) will be asked by the recursive resolver
    5. Do I know me.com? No!
    6. Send query to root server .. wait

    29
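    The walkthrough above and the DNS Actors slides, turned into a runnable simulation. This is an added example written for this page, not code from the deck. Three constructed authoritative servers stand in for the root, the .com TLD server and the server for me.com (the name from the slide); each one answers only from its own zone and otherwise hands back a referral with glue, never querying anyone else, while a recursive resolver starts at the root hints, follows the referrals down the tree and caches answers for their TTL. The 192.0.2.0/24 addresses are documentation-range placeholders and the server hostnames below the root are invented; the timestamps are passed in explicitly so the cache expiry can be observed.

```python
import time

# Added example for this page (not the deck's own code). Three constructed
# authoritative servers, one zone each, stand in for a root server, a .com TLD
# server and the server for me.com (the name used on the slide). Addresses are
# documentation-range placeholders (192.0.2.0/24); server hostnames below the
# root are invented for the example. Records are (owner, type, ttl, rdata).
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": [
        ("com.", "NS", 172800, "a.gtld.example."),
        ("a.gtld.example.", "A", 172800, "192.0.2.2"),        # glue for the delegation
    ]},
    "192.0.2.2": {"zone": "com.", "records": [
        ("me.com.", "NS", 86400, "ns1.me.com."),
        ("ns1.me.com.", "A", 86400, "192.0.2.3"),
    ]},
    "192.0.2.3": {"zone": "me.com.", "records": [
        ("me.com.", "NS", 3600, "ns1.me.com."),
        ("ns1.me.com.", "A", 3600, "192.0.2.3"),
        ("me.com.", "A", 300, "192.0.2.10"),
    ]},
}
ROOT_HINTS = ["192.0.2.1"]   # the equivalent of the compiled-in root server list


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_answer(server, qname, qtype):
    """What an authoritative server does: answer from its own zone data, or refer
    the asker to the delegated child zone. It never queries anyone else."""
    zone, records = server["zone"], server["records"]
    if not in_zone(qname, zone):
        return {"rcode": "REFUSED"}                       # not under its authority
    answers = [r for r in records if r[0] == qname and r[1] == qtype]
    if answers:
        return {"aa": True, "rcode": "NOERROR", "answers": answers}
    # Closest enclosing delegation: the longest NS owner below the apex that covers qname.
    delegated = {r[0] for r in records if r[1] == "NS" and r[0] != zone and in_zone(qname, r[0])}
    if delegated:
        child = max(delegated, key=len)
        ns_records = [r for r in records if r[0] == child and r[1] == "NS"]
        ns_names = {r[3] for r in ns_records}
        glue = [r for r in records if r[1] == "A" and r[0] in ns_names]
        return {"aa": False, "referral": child, "authority": ns_records, "glue": glue}
    exists = any(r[0] == qname for r in records)
    return {"aa": True, "rcode": "NOERROR" if exists else "NXDOMAIN", "answers": []}


class RecursiveResolver:
    """Resolves on behalf of stub resolvers: starts at the root hints, follows
    referrals down the tree, and caches answers for their TTL."""

    def __init__(self, servers, root_hints, max_referrals=8):
        self.servers, self.root_hints, self.max_referrals = servers, root_hints, max_referrals
        self.cache = {}          # (qname, qtype) -> (expires_at, answers)
        self.queries_sent = 0

    def resolve(self, qname, qtype, now=None):
        """Return (answers, served_from_cache)."""
        now = time.time() if now is None else now
        key = (qname.lower(), qtype)
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1], True
        next_servers = list(self.root_hints)
        for _ in range(self.max_referrals):          # bounded: a referral loop must not hang us
            self.queries_sent += 1
            resp = authoritative_answer(self.servers[next_servers[0]], key[0], qtype)
            if resp.get("answers"):
                ttl = min(r[2] for r in resp["answers"])
                self.cache[key] = (now + ttl, resp["answers"])
                return resp["answers"], False
            if resp.get("referral") and resp.get("glue"):
                next_servers = [g[3] for g in resp["glue"]]  # go ask the child zone's servers
                continue
            return [], False                          # NXDOMAIN, no data, or REFUSED
        raise RuntimeError("referral chain too long for %s" % qname)


if __name__ == "__main__":
    resolver = RecursiveResolver(SERVERS, ROOT_HINTS)
    print(resolver.resolve("me.com.", "A", now=1000))   # root -> .com -> me.com: 3 queries
    print(resolver.resolve("me.com.", "A", now=1100))   # within TTL 300: cache hit
    print(resolver.queries_sent)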
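```

    The first lookup costs three queries (root, TLD, authoritative), the second is answered from cache until the 300-second TTL expires, and a lookup at a later time walks the tree again. The referral loop is bounded on purpose: an unbounded "keep asking" loop is exactly the behaviour a misconfigured or hostile delegation can turn into a resource-exhaustion problem for a resolver.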


  • Sample DNS dig response

    30

  • DNS Record Types

    A, AAAA: IPv4, IPv6 address

    NS: Name Server

    CNAME: Canonical name

    MX: Mail Exchanger

    PTR: Reverse info (IP to host)

    SRV: Service (host + port number)

    SOA: Start of authority

    31

  • Record Types - A, AAAA

    A denotes IPv4 records

    divided into 4 octets

    each octet is 8 bits

    maximum 2^32 combinations

    e.g. 216.58.220.46

    AAAA denotes IPv6 records

    128-bit string

    maximum 2^128 combinations

    e.g. 2404:6800:4007:800::200e

    32

  • Record Types - NS

    Name Server Record

    Used to delegate a subdomain to a set of name servers

    Generally we publish NS records in our authoritative name servers for the domains we are authoritative for

    Appears in both the parent (master) and child zones

    33

  • Record Types - CNAME

    Canonical Name Record

    rdata contains the mapped domain name

    Must always point to another domain name and never to an IP address

    Example -

    Name             Type   Value
    bar.example.com  CNAME  foo.example.com

    34

  • Record Types - MX

    Mail Exchanger Record

    Defines the host(s) that will receive email for the domain

    rdata contains the preference field and the hostname of the mail receiver

    Lower preference == Higher priority

    35
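    The CNAME and MX rules from the two slides above, applied to a small zone. This is an added example written for this page, not code from the deck: a parser for master-file style lines (owner, TTL, class, type, rdata), a check that flags a CNAME whose rdata is an IP literal instead of a domain name, a bounded CNAME chase that refuses to loop, and a function that orders a domain's mail exchangers by preference, lowest first. The zone text is constructed; bar.example.com, foo.example.com and 216.58.220.46 come from the slides, the mail hostnames and the bad.example.com record are invented for the example.

```python
import ipaddress

# Added example for this page (not the deck's own code): a small parser for
# master-file style records plus the CNAME and MX checks the slides call for.
# The zone text is constructed; bar/foo.example.com and 216.58.220.46 come from
# the slides, the mail hosts and bad.example.com are invented.
ZONE_TEXT = """\
; owner            TTL  class type  rdata
example.com.       3600 IN    NS    ns1.example.com.
example.com.       3600 IN    MX    20 backup-mail.example.com.
example.com.       3600 IN    MX    10 mail.example.com.
bar.example.com.   3600 IN    CNAME foo.example.com.
bad.example.com.   3600 IN    CNAME 216.58.220.46
foo.example.com.   3600 IN    A     216.58.220.46
"""


def parse_zone(text):
    """One record per line: owner TTL class type rdata (comments start with ';')."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append({"owner": owner.lower(), "ttl": int(ttl), "class": rclass,
                        "type": rtype.upper(), "rdata": rdata.strip()})
    return records


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value.rstrip("."))
        return True
    except ValueError:
        return False


def bad_cname_targets(records):
    """CNAME rdata must be a domain name; an IP literal there is a misconfiguration."""
    return [r["owner"] for r in records if r["type"] == "CNAME" and is_ip_literal(r["rdata"])]


def follow_cname(records, name, max_hops=8):
    """Walk CNAME links to the canonical name; bounded so a long chain or a loop cannot hang the caller."""
    chain = []
    for _ in range(max_hops):
        targets = [r for r in records if r["owner"] == name and r["type"] == "CNAME"]
        if not targets:
            return name, chain
        chain.append(name)
        name = targets[0]["rdata"].lower()
    raise ValueError("CNAME chain too long or looping: %s" % chain)


def mail_exchangers(records, owner):
    """(preference, host) pairs in the order a sender should try them: lowest preference first."""
    mxs = []
    for r in records:
        if r["type"] == "MX" and r["owner"] == owner:
            pref, host = r["rdata"].split()
            mxs.append((int(pref), host.lower()))
    return sorted(mxs)


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(bad_cname_targets(zone))                   # ['bad.example.com.']
    print(follow_cname(zone, "bar.example.com."))   # ('foo.example.com.', ['bar.example.com.'])
    print(mail_exchangers(zone, "example.com."))    # [(10, 'mail.example.com.'), (20, 'backup-mail.example.com.')]
```

    A real name server would reject the bad.example.com line at load time; the check here shows why the slide insists on a domain name in the rdata. The CNAME chase is bounded for the same reason resolvers bound it: two records pointing at each other would otherwise never terminate.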

  • Record Types - SRV

    Used for specifying the hostname and port number of servers for a specified