DNS & mail
1997/12/17
InternetWeek'97

DNS Structure and Management
- Content
  - Wide area distribution database
  - Domain and zone
  - Server type
  - Server configuration
  - Record details
  - Address supplement
  - Wildcard MX
  - CIDR and reverse reference
  - Frequent configuration errors

DNS (Domain Name System)
- Wide area distribution database
  - Matrix of host name and IP address
- Self-administration according to organization
  - long time ago, one organization administrated using /etc/hosts

Domain Tree
- (sub)domain
  - tree with node as tip
  - beyond node (lower rank)
- Split
  - upper and lower links between nodes when necessary
  - Node links to downstream
- (Figure: tree from the root "." to jp, uk, ..., com, org; under jp: ac, ad, co, ...; under ac: kyoto-u; under ad: wide, nic, janog, ...; the jp domain and the ad.jp domain are marked)

Decentralization and Search
- Delegation
  - TOP domain, 2nd (3rd)-level domain
  - organization or NIC administers
- One-way link (from top to bottom)
  - to go up, goes back to root and traces
  - All servers know the root

Zone and Domain
- Administration doesn't necessarily have to be dispersed by node units
- Zone
  - Group of adjacent nodes jointly administered
  - Domains not necessarily matching
    - Possible to define multiple sub-domains within 1 zone
    - zone unit/region unit dispersion
    - applies to 1 name server
  - Ultimately matches domain
- (Figure: jp zone; co.jp zone; x.co.jp zone containing sub1, sub2 and host)

Zone and Delegation
- Data administration unit
- (Figure: root zone delegates to jp zone and net zone; jp zone delegates to ad.jp zone; ad.jp zone delegates to wide.ad.jp zone and nic.ad.jp zone; wide.ad.jp zone contains tokyo and kyoto and delegates to v6.wide.ad.jp zone; "Same NS" marks zones served by the same name server)
Server Types
- Categorized by service type
  - Supplies data (also searches) / searches only
- Categorized by data (zone) administrative method
  - Edits there (Primary) / copies from others (Secondary)
- Categorized by service target
  - for outside organization / inside organization
- Categorized by authority
  - Authorized / Unauthorized

Administration of Supplied Data (Zone)
- Primary (master) server
  - Edits database file
- Secondary (slave) server
  - back-up for primary service
  - copies data from primary server
    - Possible to specify multiple servers as copy origin
    - Possible to do it from another secondary also (copy chain)
  - Placed in a location where both won't fail together

Authority Regarding Data Supply
- Authorized for zone
  - Differentiation toward zones
  - One server administers multiple zones
  - Not a differentiation of each server
- Unauthorized
  - Search request comes equally regardless of zone

Server Authority and Zones
- (Figure: the upper zone (ad) primary (master) delegates to the wide.ad.jp zone; ns1 is primary for zone A and secondary for zone B, ns2 is secondary; these Authorized Servers take inquiries from outside the organization; ns3 is Unauthorized and takes inquiries from inside the organization via resolv.conf)

Dedicated to Searching
- Cache server
  - temporarily stores searched data
    - Responds as Unauthoritative Answer from second time
  - neither primary nor secondary
- Reference: negative cache
  - maintains fact that relevant record didn't exist (all servers)

Authorized Server / Unauthorized Server
- Authorized Server
  - Supplies data to the Internet
  - Has links (delegation of authority) from upper zones
  - No differentiation between primary and secondary
- Unauthorized Server
  - Steady cache kept handy
  - Data supplied to adjacent clients
  - No link (delegation of authority) from upper zones
Search Procedure
- (Figure: search for www.wide.ad.jp (1); the name server group consults its root cache (2), the root zone (3, 4), the jp zone and ad.jp zone (ns.nic.ad.jp) (5), and finally the wide.ad.jp zone (ns.wide.ad.jp) (6))
- Can't be referred unless root server is reachable
  - Stability of international lines
  - Domestic root server necessary (m.root-servers.net)
  - Unauthorized Secondary of jp zone

DNS Servers
- Berkeley Internet Name Domain (BIND)
  - bind 4.9.7
  - bind 8.1.2
    - the newer the version, the better: security, performance, reliability, new functions
  - http://www.isc.org/bind.html
- Windows NT name server etc.
  - reliability is OK (?)

Server Configuration File
- /etc/named.boot (bind 4)
- /etc/named.conf (bind 8)
  - Format conversion with named-bootconf.pl
    - from named.boot to named.conf
    - attached to bind 8
- For BIND, ';' is the beginning of the comment

sample of named.boot (bind 4)
    ; default directory
    directory /etc/namedb
    ; data needed at start-up (root server information)
    cache . root.cache
    ; localhost information
    primary localhost localhost
    primary 0.0.127.in-addr.arpa 127.rev
    ; zone supplied as primary
    primary wide.ad.jp wide
    primary 136.178.203.in-addr.arpa 203.178.136.rev
    ; zone supplied as secondary
    secondary v6.wide.ad.jp 203.178.136.188 sec/v6

sample of named.conf (bind 8)
    options {
        directory "/etc/namedb";
    };
    zone "." {
        type hint;
        file "root.cache";
    };
    zone "localhost" {
        type master;
        file "localhost";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.rev";
    };
    zone "wide.ad.jp" {
        type master;
        file "wide";
    };
    zone "136.178.203.in-addr.arpa" {
        type master;
        file "203.178.136.rev";
    };
    zone "v6.wide.ad.jp" {
        type slave;
        file "sec/v6";
        masters {
            203.178.136.188;
        };
    };

Root server information
- As long as it knows the root server, everything is searchable
- ftp://ftp.rs.internic.net/domain/named.root
- The 13th root server began operation in Japan (1997/8)
  - m.root-servers.net
- Inside firewall
  - Prepare root server for internal use
  - Work with Forwarders
sample of root.cache
    ; formerly NS.INTERNIC.NET
    .                      3600000  IN  NS  A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.    3600000      A   198.41.0.4
    ;
    ; formerly NS1.ISI.EDU
    .                      3600000      NS  B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.    3600000      A   128.9.0.107
    :
    :
    ; housed in Japan, operated by WIDE
    .                      3600000      NS  M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.    3600000      A   202.12.27.33

forwarders
- Outside address inquiry from within organization
  - Forward inquiry to outside name server
    - i.e. firewall compatible with SOCKS
  - specified together with slave (options forward-only, 4.9.3 or later)
        forwarders 12.34.56.79    (server accessible internally and externally)
        slave
- Efficient use of cache
  - consolidation of data at specified server
  - curb traffic
    - when bandwidth is not enough, etc.

sample of localhost
    ; $ORIGIN localhost.
    @       IN  SOA  ns.wide.ad.jp. postmaster.wide.ad.jp. (
                     1         ; Serial number
                     172800    ; Refresh every 2 days
                     3600      ; Retry every hour
                     1728000   ; Expire every 20 days
                     172800 )  ; Minimum 2 days
    ;
            IN  NS   localhost.
    ;
            IN  A    127.0.0.1

sample of 127.rev
    ; $ORIGIN 0.0.127.in-addr.arpa.
    @       IN  SOA  ns.wide.ad.jp. postmaster.wide.ad.jp. (
                     1         ; Serial number
                     172800    ; Refresh every 2 days
                     3600      ; Retry every hour
                     1728000   ; Expire every 20 days
                     172800 )  ; Minimum 2 days
    ;
            IN  NS   localhost.
    ;
    0       IN  PTR  loopback-net.   ; network name
            IN  A    255.0.0.0       ; netmask
    1       IN  PTR  localhost.

sample of wide
    ; $ORIGIN wide.ad.jp.
    @          IN  SOA    ns.wide.ad.jp. two.wide.ad.jp. (
                          1998112301  ; Serial
                          3600        ; Refresh
                          900         ; Retry
                          3600000     ; Expire
                          3600 )      ; Minimum
               IN  NS     ns
               IN  NS     ns.tokyo
               IN  MX 10  sh.wide.ad.jp.
               IN  MX 20  jp-gate.wide.ad.jp.
               IN  A      203.178.136.81
    sh         IN  A      203.178.137.73
    jp-gate    IN  A      203.178.137.75
    ns         IN  A      203.178.136.63
    ns.tokyo   IN  A      203.178.136.61
    localhost  IN  CNAME  localhost.

sample of wide (cont'd)
    www        IN  CNAME  endo
    endo       IN  A      203.178.137.71
               IN  MX 10  endo
    v6         IN  NS     ns1.v6
               IN  NS     ns2.v6
    ns1.v6     IN  A      163.221.11.21
    ns2.v6     IN  A      203.178.136.188
sample of 203.178.136
    ; $ORIGIN 136.178.203.in-addr.arpa.
    @     IN  SOA  ns.wide.ad.jp. two.wide.ad.jp. (
                   1998100401  ; Serial
                   3600        ; Refresh
                   900         ; Retry
                   3600000     ; Expire
                   3600 )      ; Minimum
          IN  NS   ns.wide.ad.jp.
          IN  NS   ns.tokyo.wide.ad.jp.
    61    IN  PTR  ns.tokyo.wide.ad.jp.
    63    IN  PTR  ns.wide.ad.jp.
    188   IN  PTR  ns2.v6.wide.ad.jp.

Base Format of Record Definition
    key [ttl] IN r-id value1 value2 ...
- ttl (Time To Live) - option
  - cache time limit for the relevant record
- IN (class-ID) - Internet Domain
- r-id (resource-ID)
  - record type (SOA, NS, A, MX, ....)
- value
  - record value (different format according to r-id)

SOA (Start Of Authority) RR
    @  IN  SOA  ns.wide.ad.jp. motonori.wide.ad.jp. (
                1         ; Serial
                172800    ; Refresh (2d)
                3600      ; Retry
                1728000   ; Expire (20d)
                172800 )  ; Minimum TTL (2d)
- The @ is changed to . in the administrator mail address
  - motonori.wide.ad.jp

Basics of Record Definition
- Series of definitions for same key
  - Succeeding definition of key optional
- $ORIGIN <domain>
  - Designation of default domain name
  - initial default is assigned by named.{boot,conf}
- $INCLUDE <file> [<domain>]
  - file insertion
- host name in FQDN format has . at end

SOA Parameter
- Serial
  - For judging update of Sec-NS data
- Refresh (seconds)
  - Serial check intervals for Sec-NS
- Retry (seconds)
  - Check intervals after Refresh completed

SOA Parameter (cont'd)
- Expire (seconds)
  - check failure-time before service is stopped
  - If nslookup is done after service is stopped...
        *** ns.provider.ad.jp can't find x.co.jp.: Server failed
- Minimum TTL (time to live) (seconds)
  - default cache-time for all records defined within zone (has effect on all NS that cache)
Serial
- For Secondary synchronization with Primary
  - when content is revised, serial must increase
- 32 binary digits
- beware of confusion with . (better to avoid?)
  - 1.01 = 100001 ("." is same value as "000")
- Using date, i.e. 1997122501, is distinctive
  - 100 updates/day OK till Year 4294
- No maximum (loop): RFC1912(I)
  - possible to return to 1
  - within 2147483647 (7fffffff), add twice

Data Reload
- After updating data, send SIGHUP to named
        # ndc reload
- If bind8 or upper version, update request is sent to Secondary with BIND_NOTIFY function (If Serial has increased)
  - Secondary also needs to be bind8 or upper version

Secondary Manual Update
- FORCED_RELOAD function
  - Check serial upon receiving SIGHUP
  - transfer is done with named-xfer
- After erasing back-up files, named is rebooted
        # mv mydomain.zone mydomain.zone.bak
        # ndc restart

NS (Name Server) RR
- Pri-NS and Sec-NS are listed
  - Listings in upper zones are important
    - Authorized Server
    - Unauthorized Server: No listing in upper zones
- A RR relevant to applicable NS also listed
  - glue record (not needed for reverse zones)
        $ORIGIN ad.jp.
        wide     IN NS  ns.wide.ad.jp.   ; delegation from ad.jp zone
        ns.wide  IN A   203.178.136.63   ; <- glue record

lame NS
- Thought it was authorized and sent query but unauthoritative answer was returned
  - Even though it's been Delegated
  - It's not Primary/Secondary NS
- If an actual Authorized NS can't be accessed, then it's assumed that data doesn't exist even if it does
  - mail doesn't get delivered

A (Address) RR
- A RR
  - Maps IP address from host name
        $ORIGIN wide.ad.jp.
        sh  IN A  203.178.137.73
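The serial rules on the "Serial" and "Data Reload" slides, worked through as an added example (this code is not from the InternetWeek'97 deck): the comparison a secondary applies to a 32-bit serial, the date-based YYYYMMDDnn scheme, what the dotted form "1.01" turns into, and the "add twice" procedure for winding a serial back to 1 without secondaries ignoring it. The serial values used are constructed from the slides' figures.

```python
# Added example (not from the InternetWeek'97 deck): 32-bit SOA serial handling.
from datetime import date

SERIAL_MOD = 2 ** 32      # the serial is a 32-bit unsigned number
MAX_STEP = 2147483647     # 0x7fffffff: largest increase a secondary still sees as "newer"


def serial_newer(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 serial-number arithmetic.

    This is the test a secondary applies before transferring: a is newer if it
    lies between 1 and 2^31-1 ahead of b, modulo 2^32. A decreased serial fails.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return a != b and (a - b) % SERIAL_MOD <= MAX_STEP


def legacy_dotted_serial(text: str) -> int:
    """What old BIND made of a serial written with a dot, as the slide describes:
    "1.01" is read as 100001 because "." counts as "000". Shown only to explain
    why dotted serials should be avoided."""
    return int(text.replace(".", "000"))


def date_serial(yyyymmdd: int, current: int) -> int:
    """Next serial in YYYYMMDDnn form (e.g. 1997122501), always larger than current.

    Up to 100 edits per day fit in nn. If current is already at or past today's
    base (several edits today, or a serial set ahead of the date), add one, since
    the only hard rule is that the serial must increase.
    """
    base = yyyymmdd * 100
    if current < base:
        return base + 1
    return current + 1


def today_serial(current: int) -> int:
    """Convenience wrapper around date_serial for the current date."""
    return date_serial(int(date.today().strftime("%Y%m%d")), current)


def wind_back(current: int, target: int) -> list:
    """Serials to publish, in order, to move from current down to target (e.g. 1).

    A secondary ignores a serial that is not "newer", so a direct jump backwards
    is never picked up. Each published value instead adds at most 2147483647;
    for any serial this takes at most two publications ("add twice"). Every
    entry must be loaded by all secondaries before the next one is published.
    """
    steps = []
    s = current % SERIAL_MOD
    target %= SERIAL_MOD
    while s != target:
        gap = (target - s) % SERIAL_MOD
        s = (s + min(gap, MAX_STEP)) % SERIAL_MOD
        steps.append(s)
    return steps
```

Each value returned by `wind_back` is "newer" than the one before it under `serial_newer`, which is the property the secondaries rely on; publishing the target directly would fail that test and the change would never transfer.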
Characters which can be used for "Host Name"
- Alphabet (A-Z, a-z)
- Numbers (0-9)
- hyphen (-)
- characters that require caution
  - underscore (_)
    - RFC1035(S), RFC1123(S) do not allow it
    - New (after 4.9.4) bind resolver ignores host names including _ (res_hnok)
    - mail is not delivered

MX (Mail eXchanger) RR
- MX RR
  - Map from mail address to destination host name
        $ORIGIN wide.ad.jp.
        @  IN MX 10  sh.wide.ad.jp.
- Make sure of the . at the end
- MX has priority over A (mail delivery)
- when you want A to have priority
  - transfer with 1st-MX

MX Preferences
- Cost value designated to DNS MX RR
- Smallest cost
  - Primary MX / Primary Mail Server
  - First MX / First Mail Server
- Next smallest cost
  - Secondary MX / Secondary Mail Server
- Other than smallest cost
  - Lower MX (meaning low priority)

Right side of MX RR and CNAME
- The name which belongs on the left side of CNAME should not be written on the right side of MX RR
- If the Lower MX can't recognize your name on the right side of MX RR, there's a problem
  - If preventive measures are taken, it will work, but …
  - named will issue a warning

Wild-card MX
        *.x.co.jp.  IN MX 10  mail.x.co.jp.
- When there's a firewall (no direct communication)
  - outside: doesn't want to show records to outside
    - but wants to use mail address to host
  - inside: want one record definition to represent outside world
    - Wildcard MX is defined at root, gathered at GW

Wild-card MX (cont'd)
- If a specific record exists, it doesn't get referenced
        ns.x.co.jp.  IN A      12.34.56.78
        *.x.co.jp.   IN MX 10  mail.x.co.jp.
        ns.x.co.jp.  IN MX 10  mail.x.co.jp.   (needed)
  - Same situation for existing sub-domains
- matches nohost.x.co.jp and host.nosubdom.x.co.jp
  - unnecessary mail transfers
Adverse effects of Wild-card MX
- Mail sent even to non-existent addresses
  - unknown that it's non-existent at time of sending
- Supplemented by non-existent addresses
  - [email protected]
  - To avoid, in sendmail.cf Resolver Options, define HasWildcardMX
- → use only when absolutely necessary

CNAME (Canonical NAME) RR
- Host alias name assignment
        $ORIGIN wide.ad.jp.
        archie  IN CNAME  sun3.tokyo.wide.ad.jp.
  - Attention to . at end
- CNAME chain should be avoided
- Different type of record should not be assigned to same key
- Multiple CNAMEs should not be assigned to same key
- Can't reference appropriate MX RR for destination
  - always add . at end of destination host name
- Don't use name assigned with CNAME on right side of NS, MX

CNAME Chains
- The right side of CNAME RR is the left side of another CNAME RR
        alias1  IN CNAME  alias2
        alias2  IN CNAME  real-name
- RFC1034(S)
  - Chain definition is not recommended (should not)
  - things that could be reached when implemented (should)
    - sendmail can reach up to 10 times (MAXCNAMEDEPTH)
    - named can reach up to 8 times (MAXCNAMES)

Mail address and CNAME
- An alias on an envelope should be rewritten to the real name (RFC1123(S))
- Many (old) sendmail also rewrite headers to real names
  - it becomes confusing as to which address it arrived at
  - depends on settings of sendmail.cf (route)
- If you don't want rewriting, use MX or A
  - IETF is moving towards not rewriting by CNAME
  - Don't Expand Cnames option (after 8.7)

DNS Search Procedure for Mail Delivery
1. Solve CNAME
  - Follow chain until CNAME is no longer
    - there is a limit (to prevent endless looping)
2. Search with MX
  - If multiple, sort by preference
  - If preference is same, select at random
    - When MX is found, A is also returned as Additional Information (DNS spec)

DNS Search Procedure for Mail Delivery (cont'd)
3. Search with A
  - When MX couldn't be obtained
  - For individual MX (When A couldn't be obtained through Additional Info.)
- If only A is defined, search process is necessary twice (for MX and A)
  - MX should be defined also for the host
    - DNS search would be completed in one go
    - Curb communication traffic
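The three-step search of the "DNS Search Procedure for Mail Delivery" slides, run over a constructed in-memory zone as an added example (not code from the deck): CNAME resolution with sendmail's depth limit, MX sorting with random order among equal preferences, and the fallback to A when no MX exists. The zone data, host names and addresses below are constructed for the example; the query counter shows the "twice versus once" point the slides make about hosts with only an A record.

```python
# Added example (not from the InternetWeek'97 deck): mail routing lookup steps.
import random

# Constructed records (not a real zone): owner -> list of (type, rdata)
ZONE = {
    "www.x.co.jp.":    [("CNAME", "alias2.x.co.jp.")],
    "alias2.x.co.jp.": [("CNAME", "host.x.co.jp.")],
    "host.x.co.jp.":   [("A", "192.0.2.10"),
                        ("MX", (10, "host.x.co.jp.")),
                        ("MX", (20, "gw.x.co.jp.")),
                        ("MX", (20, "gw2.x.co.jp."))],
    "gw.x.co.jp.":     [("A", "192.0.2.1")],
    "gw2.x.co.jp.":    [("A", "192.0.2.2")],
    "onlya.x.co.jp.":  [("A", "192.0.2.20")],
    "loop1.x.co.jp.":  [("CNAME", "loop2.x.co.jp.")],
    "loop2.x.co.jp.":  [("CNAME", "loop1.x.co.jp.")],
}
MAXCNAMEDEPTH = 10   # sendmail's chain limit, as given on the slide


def lookup(name, rtype):
    return [rdata for t, rdata in ZONE.get(name, []) if t == rtype]


def resolve_cname(name, limit=MAXCNAMEDEPTH):
    """Step 1: follow CNAMEs until none remains; the bound stops endless looping."""
    for _ in range(limit):
        targets = lookup(name, "CNAME")
        if not targets:
            return name
        name = targets[0]
    raise ValueError(f"CNAME chain deeper than {limit} at {name}")


def mail_route(name, seed=None):
    """Return (route, queries): the (host, ip) pairs a mailer tries in order,
    and how many queries beyond the CNAME step were needed.

    Step 2: MX records sorted by preference; equal preferences in random order.
    Step 3: A of each MX host. The constructed zone is authoritative for every
    MX host, so those A records arrive as Additional Information with the MX
    answer and cost no extra query. With no MX at all, the host's own A must be
    fetched with a second query (the "only A is defined" case).
    """
    rng = random.Random(seed)
    canon = resolve_cname(name)
    queries = 1                                    # the MX query
    mxs = lookup(canon, "MX")
    if not mxs:
        queries += 1                               # second query: A of the host
        return [(canon, ip) for ip in lookup(canon, "A")], queries
    by_pref = {}
    for pref, host in mxs:
        by_pref.setdefault(pref, []).append(host)
    route = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                         # same cost: pick at random
        for host in hosts:
            route.extend((host, ip) for ip in lookup(host, "A"))
    return route, queries
```

Passing a `seed` makes the tie-break reproducible; a real mailer draws at random each time, which is what spreads load across MX hosts of equal preference.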
Mail Address Supplementation
- see /etc/resolv.conf
        domain sub.x.co.jp
  - same value as
        search sub.x.co.jp x.co.jp co.jp
    - reverse search of 3 levels (MAXDFLSRCH)
    - shortest is 2 levels (LOCALDOMAINPARTS)
    - doesn't match JP domain current situation
  - In RFC1535(I), implicit reverse searching is banned
    - new bind resolver doesn't perform reverse search

MX Record for the Host also
- MX RR and A RR are used
  - Should be defined even if only that host can receive
  - be cautious of the wild-card MX issue
- In case of failure
  - Secondary MX can't be designated with only an A record
  - A record which defines IP address for other hosts (virtual host)
    - weak as failure countermeasure / only serves as load sharing
- Making DNS search efficient
  - DNS search would be completed in one go

Mail Address Supplementation (cont'd)
        search sub1.x.co.jp sub2.x.co.jp x.co.jp
- User setting based on LOCALDOMAIN environment variable
  - Maximum 6 domains (MAXDNSRCH)
- Sequence of search
        nic.ad.jp
        nic.ad.jp.sub.x.co.jp
        nic.ad.jp.x.co.jp
        nic.ad.jp.co.jp
  - before RFC1535(I), nic.ad.jp was searched last

PTR (domain name PoinTeR) RR
- Mapping from IP address to host name
  - So-called reverse look-up
        $ORIGIN 137.178.203.in-addr.arpa.
        73  IN PTR  sh.wide.ad.jp.
- Service limitations from PTR record search
  - access denial from hosts that can't perform PTR record search
  - confirmation of domain name
    - liar issue
      - can trick when searching method is one-way, from address to host name
      - check with double reference

Confirmation of Reverse Lookup with nslookup
- When the host IP address is 1.2.3.4
        % nslookup -q=ptr 4.3.2.1.in-addr.arpa.
- With the new nslookup (after 4.8.3), the following designation is possible
        % nslookup 1.2.3.4

Network Name Definition
- RFC1101: DNS Encoding of Network Names and Other Types
- netstat -i, -r etc. are referenced
        0.0.54.130.in-addr.arpa.  IN PTR  kuins.kyoto-u.ac.jp.
        kuins.kyoto-u.ac.jp.      IN A    255.255.0.0
                                  IN PTR  0.0.54.130.in-addr.arpa.
        0.0.0.224.in-addr.arpa.   IN PTR  BASE-ADDRESS.MCAST.NET.
Other Records
- HINFO, TXT, WKS
  - HINFO always needs more than 2 parameters!
  - RFC1035(S)
- NULL, MB, MG, MR, MINFO (experimental)
  - RFC1035(S)
- AFSDB, ISDN, RP, RT, X25
  - RFC1183(E)
- PX
  - RFC1664(E)

localhost/127.in-addr.arpa zone
- All name servers should be configured
  - wasteful to inquire root server
        $ORIGIN localhost
        my.domain.jp.  IN CNAME  localhost.
  - prevent inconsistencies when performing double reference
    - So 127.0.0.1 won't become localhost.my.domain.jp

CIDR and Reverse Look-up administration
- Allocation of classless addresses
  - 192.0.2.0/25 - organization A
  - 192.0.2.128/26 - organization B
- Issues on administration unit in reverse zone
  - inconsistency with octet (8 bits) unit authority delegation
- Solution
  - Scatter with CNAME
  - Scatter with NS
    - RFC2317(BCP) - Classless IN-ADDR.ARPA delegation

Classless IN-ADDR.ARPA delegation
- Delegation from upper zone
        $ORIGIN 2.0.192.in-addr.arpa.
        ; <<0-127>> /25
        0/25      NS     ns.A.domain.jp.
        1     IN  CNAME  1.0/25.2.0.192.in-addr.arpa.
        2     IN  CNAME  2.0/25.2.0.192.in-addr.arpa.
        :
        126   IN  CNAME  126.0/25.2.0.192.in-addr.arpa.

Classless IN-ADDR.ARPA delegation (cont'd)
- Definition at relevant zone
        $ORIGIN 0/25.2.0.192.in-addr.arpa.
        @     IN  SOA  ...
              IN  NS   ns.A.domain.jp.
        1     IN  PTR  host1.A.domain.jp.
        2     IN  PTR  host2.A.domain.jp.
        :
        126   IN  PTR  host126.A.domain.jp.

Classless IN-ADDR.ARPA delegation (cont'd)
- In other words...
        1.2.0.192.in-addr.arpa.
          ↓ CNAME
        1.0/25.2.0.192.in-addr.arpa.
          ↓ PTR
        host1.A.domain.jp.
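The RFC 2317 layout of the "Classless IN-ADDR.ARPA delegation" slides, generated as an added example (this is not code from the deck): for any prefix longer than /24 it produces the parent-zone NS and CNAME records and the child-zone PTR records, renders them in the slides' $ORIGIN style, and follows the CNAME-to-PTR chain for one address, which is the "In other words..." slide. It goes beyond the slides' /25 case to any sub-/24 prefix. The names ns.A.domain.jp. and hostN.A.domain.jp. are the slides' placeholders, and the SOA rdata is left as "..." exactly as the slide shows it.

```python
# Added example (not from the InternetWeek'97 deck): RFC 2317 record generation.
import ipaddress


def reverse_owner(ip: str) -> str:
    """PTR owner name of a full address: 192.0.2.1 -> 1.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def classless_delegation(cidr, ns, ptr_name=lambda last: f"host{last}.A.domain.jp."):
    """Return (parent_rrs, child_rrs) as (owner, type, rdata) triples.

    Parent zone (the /24): an NS for the "<first>/<len>" label plus one CNAME per
    host address pointing under that label. Child zone: SOA, NS and the PTRs.
    ptr_name maps the last octet to the host name (placeholder names by default).
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("/24 and shorter are delegated on octet boundaries; "
                         "RFC 2317 is for longer prefixes")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child = f"{first}/{net.prefixlen}.{parent}"
    parent_rrs = [(child, "NS", ns)]
    child_rrs = [(child, "SOA", "..."), (child, "NS", ns)]   # "..." as on the slide
    for addr in net.hosts():                                 # .1 to .126 for a /25
        last = str(addr).split(".")[-1]
        parent_rrs.append((reverse_owner(str(addr)), "CNAME", f"{last}.{child}"))
        child_rrs.append((f"{last}.{child}", "PTR", ptr_name(last)))
    return parent_rrs, child_rrs


def render(rrs, origin):
    """Zone-file text in the slide's style: $ORIGIN plus owner names relative to it."""
    lines = [f"$ORIGIN {origin}"]
    for owner, rtype, rdata in rrs:
        if owner == origin:
            rel = "@"
        elif owner.endswith("." + origin):
            rel = owner[:-len(origin) - 1]
        else:
            rel = owner
        lines.append(f"{rel:<8}IN {rtype:<6}{rdata}")
    return "\n".join(lines)


def reverse_chain(ip, rrs, limit=8):
    """Names visited from the PTR owner of ip to its final PTR target;
    the limit mirrors named's MAXCNAMES from the CNAME slide."""
    by_owner = {}
    for owner, rtype, rdata in rrs:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    name = reverse_owner(ip)
    chain = [name]
    for _ in range(limit):
        rrset = by_owner.get(name, [])
        ptrs = [rdata for rtype, rdata in rrset if rtype == "PTR"]
        if ptrs:
            return chain + [ptrs[0]]
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return chain            # no record: the reverse lookup fails here
        name = cnames[0]
        chain.append(name)
    raise ValueError("CNAME chain too long")


if __name__ == "__main__":
    parent_rrs, child_rrs = classless_delegation("192.0.2.0/25", "ns.A.domain.jp.")
    print(render(parent_rrs, "2.0.192.in-addr.arpa."))
    print(render(child_rrs, "0/25.2.0.192.in-addr.arpa."))
    print(" -> ".join(reverse_chain("192.0.2.1", parent_rrs + child_rrs)))
```

Because the parent zone holds one CNAME per address, a renumbering of the child prefix never requires the parent operator to edit PTR data: only the NS for the "first/len" label and the CNAMEs change, which is the administrative split the slides are after.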
Errors Reported by Server
- bad referral
  - No SOA despite having NS
- NS points to a CNAME
- MX points to a CNAME
- dangling CNAME pointer
  - CNAME doesn't point to anything
- Lame server on 'x.co.jp'
  - Supposed to be Authorized server, but Unauthorized answer came back

Errors Reported by Server (cont'd)
- Response from unexpected source
  - Response from different interface address?
  - attack?
- zone "xxx" (class 1) SOA serial# (nn) is < ours (mm)
  - SOA serial decreased!
- RFC1912(I): Common DNS Operational and Configuration Errors

Old glue records don't erase?
- Issue of when address was re-applied
- before bind4.8.3?
- server A: primary of x.co.jp
- server B: primary of sub.x.co.jp
  - they're secondary for each other
- revise NS (server C) address for x.co.jp
- The old glue record of server C won't erase
  - even erase with server A…
  - revive with zone transfer from server B
    - → should erase from secondary copy also

Future of DNS
- Dynamic Update
  - Record-by-record data update
- Incremental Zone Transfer (IXFR)
  - Curbing of traffic and improvement of update speed
- Security Extension
  - SIG RR, NXT RR
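A zone-file checker, added as an example (not code from the deck), for the mistakes listed on the "Right side of MX RR and CNAME", "CNAME RR", "Characters which can be used for Host Name" and "Errors Reported by Server" slides: NS or MX pointing at a CNAME, dangling CNAMEs, CNAME chains, CNAME mixed with other data on one key, an underscore in a host name, an NS at the apex with no SOA, and a target that was meant to be fully qualified but lacks the trailing dot (so it silently becomes name.origin.origin). The zone text, the domain x.co.jp and all addresses in it are constructed for the example; the parser handles only the single-line record syntax used there.

```python
# Added example (not from the InternetWeek'97 deck): lint for common zone errors.
SAMPLE_ZONE = """\
$ORIGIN x.co.jp.
@       IN SOA    ns.x.co.jp. postmaster.x.co.jp. 1997122501 3600 900 3600000 3600
        IN NS     ns
        IN NS     ns2                 ; NS points to a CNAME
        IN MX 10  mail.x.co.jp        ; missing trailing dot
ns      IN A      192.0.2.1
ns2     IN CNAME  ns
mail    IN A      192.0.2.2
www     IN CNAME  web                 ; CNAME chain
web     IN CNAME  mail
ftp     IN CNAME  gone                ; dangling CNAME
db_1    IN A      192.0.2.3           ; underscore in host name
bad     IN CNAME  mail                ; CNAME together with other data
        IN A      192.0.2.4
"""


def qualify(name, origin):
    """Names without a trailing dot are relative to $ORIGIN."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return ([(owner, type, rdata_tokens)], origin). Supports $ORIGIN, '@',
    a blank owner (repeats the previous one), optional TTL/class, ';' comments."""
    records, origin, last_owner = [], None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # ';' starts a comment in BIND
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
            last_owner = origin if owner == "@" else qualify(owner, origin)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                            # optional TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                            # class
        records.append((last_owner, tokens[0].upper(), tokens[1:]))
    return records, origin


def lint_zone(text):
    """Return a sorted list of (code, name) findings for the zone text."""
    records, origin = parse_zone(text)
    rrsets = {}
    for owner, rtype, rdata in records:
        rrsets.setdefault(owner, {}).setdefault(rtype, []).append(rdata)

    def is_cname(name):
        return "CNAME" in rrsets.get(name, {})

    findings = set()
    apex = rrsets.get(origin, {})
    if "NS" in apex and "SOA" not in apex:
        findings.add(("NO-SOA", origin))               # "bad referral"
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX", "CNAME"):
            raw = rdata[1] if rtype == "MX" else rdata[0]
            target = qualify(raw, origin)
            if not raw.endswith(".") and raw.endswith(origin.rstrip(".")):
                findings.add(("MISSING-DOT", target))  # became name.origin.origin
            if rtype != "CNAME" and is_cname(target):
                findings.add((f"{rtype}->CNAME", target))
            if rtype == "CNAME":
                if is_cname(target):
                    findings.add(("CNAME-CHAIN", owner))
                elif target.endswith("." + origin) and target not in rrsets:
                    findings.add(("DANGLING-CNAME", owner))
        if rtype == "A" and "_" in owner:
            findings.add(("UNDERSCORE", owner))        # rejected by res_hnok
    for owner, types in rrsets.items():
        if "CNAME" in types and (len(types) > 1 or len(types["CNAME"]) > 1):
            findings.add(("CNAME+OTHER", owner))
    return sorted(findings)


if __name__ == "__main__":
    for code, name in lint_zone(SAMPLE_ZONE):
        print(f"{code:<16}{name}")
```

Dangling CNAMEs are only reported for targets inside the zone's own domain, since the checker cannot know what exists elsewhere; the other checks need no outside data, which is why they are the ones a server can report by itself at load time.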