Post on 08-Apr-2018
transcript
8/7/2019 DNS Presentation
PRESENTATION OF DOMAIN NAME SYSTEM
DETAILS OF CONTENTS
- Introduction and History of DNS
- Structure of DNS: TLD & SLD
- Name Server
- FQDN
- DNS Zone and Zone Transfer
- DNS query and resource record
- Load balancing of DNS & Round Robin DNS
- DNS & ADS
- DNS and Windows Server
- IPv6 & DNS Server Windows 2008
- DNS server monitoring and security
- Domain name registration
- DNS and SWAN network
DNS
The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network.
- It translates between meaningful names and IP addresses
- DNS also provides a directory service
DEFINITION OF DOMAIN
A domain consists of a set of network addresses. A domain is organized in a single level or in multiple levels. A domain is part of every network address, including Web site addresses, email addresses, and addresses for other Internet protocols such as FTP. So a domain can also be set on a single network address.
HISTORY OF DNS
- Postel and Paul Mockapetris invented the Domain Name System in 1983 and wrote the first implementation. They developed one file, HOSTS.TXT.
- In 1984, four students at Berkeley developed the first DNS server, Berkeley Internet Name Domain (BIND); it was Unix based.
- DNS was introduced by Microsoft on Windows NT Server 3.51 in 1995. Microsoft DNS is based on RFC (Requests for Comments) 974, 1034, and 1035.
DNS STRUCTURE
The domain name space consists of a tree of domain names. Each node or leaf in the tree has zero or more resource records, which hold information associated with the domain name. The tree sub-divides into zones beginning at the root zone. The first level below the root is also identified as the top-level domain (TLD), and the hierarchy of domains descends from right to left; each label to the left specifies a sub domain (SLD).
DOMAIN NAME SPACE
TLD AND SLD
Each label may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.
- com - Commercial organizations
- edu - Educational institutions
- org - Nonprofits
- net - Network support centers and network services
- gov - U.S. government
An SLD can be divided into third-level domains, and in practice it can be divided further than that; there is no limit.
1. Query one of the root servers to find the server authoritative for the top-level domain.
2. Query the obtained TLD DNS server for the address of a DNS server authoritative for the second-level domain.
3. Repeat the previous step to process each domain name label in sequence, until the final step, which, rather than giving the address of the next DNS server, returns the IP address of the host sought.
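The three steps above walk the name tree from the root down, one referral per label. The following Python simulation is an added example, not code from the original slides: it models the root, TLD and second-level authoritative servers as an in-memory table (all server and host addresses are constructed, documentation-range values) and shows how a non-recursive resolver follows referrals until it gets an answer, an NXDOMAIN, or runs out of hops.

```python
"""Iterative DNS resolution walked label by label over a constructed,
in-memory name tree (added example; addresses are invented for illustration)."""

# Constructed "authoritative data": each server knows the referral target
# for the zones it delegates, and the A records for hosts in its own zone.
ROOT_SERVER = "198.51.100.1"   # placeholder root server address

SERVERS = {
    # root server: delegates top-level domains
    "198.51.100.1": {"referrals": {"com": "198.51.100.10"}, "hosts": {}},
    # .com TLD server: delegates second-level domains
    "198.51.100.10": {"referrals": {"example.com": "198.51.100.20"}, "hosts": {}},
    # example.com authoritative server: holds the final host records
    "198.51.100.20": {"referrals": {}, "hosts": {"test.example.com": "203.0.113.5"}},
}


def query(server_ip, name):
    """Simulate one non-recursive query to a single server.

    Returns ("answer", ip), ("referral", next_server_ip) or ("nxdomain", None).
    """
    data = SERVERS[server_ip]
    if name in data["hosts"]:
        return "answer", data["hosts"][name]
    # Check suffixes from most to least specific so the closest delegation wins.
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in data["referrals"]:
            return "referral", data["referrals"][suffix]
    return "nxdomain", None


def resolve_iteratively(name, root=ROOT_SERVER, max_hops=10):
    """Follow referrals from the root; return (ip_or_None, servers_asked_in_order).

    max_hops bounds the walk so a misconfigured delegation loop cannot spin forever.
    """
    server = root
    trail = []
    for _ in range(max_hops):
        trail.append(server)
        kind, value = query(server, name)
        if kind == "answer":
            return value, trail
        if kind == "referral":
            server = value
            continue
        return None, trail          # nxdomain: no server on the path knows the name
    return None, trail              # hop limit reached


if __name__ == "__main__":
    ip, path = resolve_iteratively("test.example.com")
    print(ip, "via", " -> ".join(path))
```

Each hop in the returned trail corresponds to one of the three steps on the slide; the root is asked for the TLD, the TLD for the SLD, and the SLD server finally answers with the host address.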
HOW DNS WORKS
NAME SERVER
A name server consists of a program or computer server that implements a name-service protocol. It maps a human-recognizable identifier to a system-internal, often numeric, identification or addressing component. The most prominent types of name servers in operation today are the name servers of DNS and WINS.
FQDN
A Fully Qualified Domain Name is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root domain. This is used to identify the exact name of the server for fast searching.
Example: given a device with a local hostname test and a parent domain name example.com, the fully qualified domain name is test.example.com.
DNS ZONES
Forward Lookup Zone - A forward lookup zone is a DNS zone in which hostname to IP address relations are stored.
Reverse Lookup Zone - Resolves an IP address into a hostname. It introduced a new domain name, in-addr.arpa (arpa: Address and Routing Parameter Area). This zone answers reverse DNS queries.
Conditional Forwarder - Forwards queries to another DNS server.
PRIMARY AND SECONDARY ZONE
The primary zone is the master read-write copy of a DNS hostname database, which is used to commit any sort of zone configuration or resource record changes. The primary zone is the source of DNS information for all.
The secondary zone is used for reliability of the DNS service: it removes the single point of failure and distributes the DNS query traffic between several nodes.
Zone transfers are configured in the properties of the primary zone and during secondary zone setup.
Standard zone replication can be classified into two types of transfers: full transfer and incremental transfer.
Incremental transfer communicates only those records in the primary zone that have changed since the last replication cycle.
Full transfers, which copy the entire zone, may still be necessary.
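The slide does not say when a full transfer is "still necessary"; the usual reason is that the primary no longer has a change history reaching back to the serial the secondary holds. The Python model below is an added example, not the slides' own material: a primary keeps a journal of change sets keyed by SOA serial, a secondary asks for changes since its serial, and the primary falls back to a full copy whenever the journal cannot bridge the gap. Record data, names and serials are constructed.

```python
"""Full versus incremental zone replication driven by SOA serial numbers
(added example; zone content below is constructed)."""


class PrimaryZone:
    """Master copy: applies changes, bumps the serial, journals every change set."""

    def __init__(self, serial, records):
        self.serial = serial
        self.records = dict(records)   # owner name -> address (one A record per name, for brevity)
        self.journal = []              # (from_serial, to_serial, deleted_names, added_records)

    def update(self, deleted, added):
        """Commit a change set on the primary and record it under a new serial."""
        old = self.serial
        for name in deleted:
            self.records.pop(name, None)
        self.records.update(added)
        self.serial += 1
        self.journal.append((old, self.serial, list(deleted), dict(added)))

    def prune_journal(self, keep_last):
        """Real servers cap journal size; dropping old entries forces stale secondaries to full-copy."""
        self.journal = self.journal[-keep_last:] if keep_last > 0 else []

    def full_transfer(self):
        return self.serial, dict(self.records)

    def transfer(self, secondary_serial):
        """Return ("uptodate", None), ("ixfr", change_sets) or ("axfr", (serial, records))."""
        if secondary_serial == self.serial:
            return "uptodate", None
        changes = [entry for entry in self.journal if entry[0] >= secondary_serial]
        # Incremental replay only works if the journal starts exactly at the secondary's serial.
        if not changes or changes[0][0] != secondary_serial:
            return "axfr", self.full_transfer()
        return "ixfr", changes


class SecondaryZone:
    """Read-only copy that catches up from the primary on each refresh."""

    def __init__(self):
        self.serial = 0
        self.records = {}

    def refresh(self, primary):
        kind, payload = primary.transfer(self.serial)
        if kind == "axfr":
            self.serial, self.records = payload[0], dict(payload[1])
        elif kind == "ixfr":
            for _from, to_serial, deleted, added in payload:
                for name in deleted:
                    self.records.pop(name, None)
                self.records.update(added)
                self.serial = to_serial
        return kind


if __name__ == "__main__":
    primary = PrimaryZone(1, {"www.example.com.": "203.0.113.5"})
    secondary = SecondaryZone()
    print(secondary.refresh(primary))           # first sync must be a full transfer
    primary.update([], {"mail.example.com.": "203.0.113.6"})
    print(secondary.refresh(primary))           # one change set: incremental
```

The fallback rule is the point to take away: once the primary's journal has been pruned past the serial a secondary still holds, an incremental request cannot be served and the whole zone is copied again, which is why full transfers remain necessary even where incremental transfer is configured.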
DNS QUERY
- Recursive Query - it expects a clear yes/no reply from the other party.
- Iterative Query (non-recursive) - the DNS client allows the DNS server to return the best answer it can give based on its cache or zone data.
- Reverse Query - used to resolve IP addresses into hostnames
- Inverse Query - used to resolve hostnames into IP addresses
RESOURCE RECORDS
An RR specifies information about a particular object. Zone files contain numerous records that follow a certain format and describe specific types and addresses of the resources. These records are called resource records (RRs). Depending on the type, resource records may contain information about the zone itself, about other DNS servers maintaining the zone, or about mail servers, network nodes, network services, and numerous other types of resources. The various resource records are SOA, NS, A, CNAME, PTR, MX, SRV, WINS, etc.
A AND CNAME RECORDS
- A - The most basic type of mapping in the DNS, used to map hostnames to IP addresses. These simple mappings do not point to any service, only to a network node. So on one single IP we can register multiple domain names.
- CNAME (canonical name) - It may be necessary to assign more than one FQDN to the same physical host, or more specifically, to the same IP address. CNAME resource records are also called aliases. They are generally used to create multiple server names, like software app and ftp, for one single system.
PTR AND MX RECORDS
- PTR (pointer record) - provides the opposite function of A records: the reverse mapping of IP addresses to hostnames.
- A mail exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available.
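To make the record types from the last three slides concrete (SOA, NS, A, CNAME, MX and PTR), here is an added example that is not from the original presentation: a minimal zone-file parser over a constructed example.com zone, a lookup that chases CNAME aliases to the canonical name, an MX answer ordered by preference value, and a helper that builds the PTR owner name under in-addr.arpa (and, going slightly beyond this slide, under ip6.arpa for an IPv6 address). The zone text, names and documentation-range addresses are all constructed.

```python
"""Zone-file parsing, CNAME chasing, MX ordering and PTR owner names
(added example; the zone below is constructed, not a real zone)."""
import ipaddress

# Constructed zone. "$ORIGIN" and "@" follow master-file conventions;
# TTLs and the class field are omitted to keep the parser short.
ZONE_TEXT = """\
$ORIGIN example.com.
@       SOA   ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
@       NS    ns1.example.com.
@       MX    20 mail2.example.com.
@       MX    10 mail1.example.com.
ns1     A     203.0.113.1
www     A     203.0.113.5
mail1   A     203.0.113.6
mail2   A     203.0.113.7
app     CNAME www        ; alias for the web host
ftp     CNAME app        ; alias of an alias: two-hop CNAME chain
v6host  AAAA  2001:db8::10
"""


def qualify(name, origin):
    """Turn a relative owner/target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return {(owner, type): [rdata, ...]} with every owner fully qualified."""
    origin = "."
    records = {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner = qualify(owner, origin)
        if rtype == "CNAME":                   # alias targets are names: qualify them too
            rdata = qualify(rdata.strip(), origin)
        records.setdefault((owner, rtype), []).append(rdata.strip())
    return records


def lookup(records, name, rtype, max_aliases=8):
    """Resolve name/rtype, following CNAME chains; return (canonical_name, rdata_list)."""
    for _ in range(max_aliases):
        if (name, rtype) in records:
            data = records[(name, rtype)]
            if rtype == "MX":                  # lowest preference value is tried first
                data = sorted(data, key=lambda mx: int(mx.split()[0]))
            return name, data
        if (name, "CNAME") in records:         # alias: restart the lookup at the target
            name = records[(name, "CNAME")][0]
            continue
        return name, []                        # no data of that type at this name
    raise ValueError("CNAME chain too long")   # protects against alias loops


def ptr_owner_name(address):
    """Owner name of the PTR record for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(lookup(zone, "ftp.example.com.", "A"))
    print(lookup(zone, "example.com.", "MX"))
    print(ptr_owner_name("203.0.113.5"))
```

Note how the CNAME lookup returns the canonical name alongside the data: a resolver answers `ftp.example.com.` with the A record of `www.example.com.`, which is exactly the "several FQDNs for one IP" use the slide describes, and the hop limit is the practical guard against an alias pointing back at itself.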
DNS RESOLVER
The DNS server receives a request to resolve a name into an IP address, or vice versa. It first checks its local cache, and then the zones supported on the server. If no matches are found, it submits the request to the upstream DNS servers configured as forwarders.
DDNS
- DDNS allows dynamic registration of DNS hostnames, and the ability to locate network services. Dynamic registration also occurs if the IP configuration changes on the client, or if a hostname is modified on the client.
- DDNS needs the DHCP server when configured on Windows Active Directory.
The drawback of DDNS is that it slows down the response.
LOAD BALANCING OF DNS
- It is recommended to use additional DNS servers instead of one single server.
- In an AD environment, it is better to configure an additional domain controller with zone transfer facility.
- With AD DNS it is better to use a CDC (child domain controller) for each different division.
ROUND-ROBIN FUNCTIONALITY
The term round-robin describes correspondence to a single address authored or signed by numerous individuals.
In its simplest implementation, Round-robin DNS works by responding to DNS requests not with a single IP address, but with a list of IP addresses of several servers that host identical services.
It also supports poor man's load balancing.
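The "poor man's load balancing" works because the server rotates the order of the address list on every reply, and most clients use the first address. The Python below is an added example, not code from the slides: a record that returns all addresses and rotates them per answer, plus a variant that drops addresses failing a caller-supplied health check, which plain round-robin DNS cannot do on its own. The addresses are constructed.

```python
"""Round-robin DNS answer rotation, with a health-filtered variant
(added example; the server addresses are constructed)."""
from collections import deque


class RoundRobinRecord:
    """One name, several A records: every reply contains all of them, rotated."""

    def __init__(self, addresses):
        self._ring = deque(addresses)

    def answer(self):
        """Return the full address list, then rotate so the next client sees a
        different address first (clients usually try the first one)."""
        result = list(self._ring)
        self._ring.rotate(-1)
        return result


class HealthCheckedRoundRobin(RoundRobinRecord):
    """Plain round-robin DNS keeps handing out a dead server's address;
    this variant filters the rotated list with a health probe."""

    def __init__(self, addresses, is_healthy):
        super().__init__(addresses)
        self._is_healthy = is_healthy

    def answer(self):
        return [ip for ip in super().answer() if self._is_healthy(ip)]


def simulate_clients(record, count):
    """Which address would `count` successive first-address clients connect to?"""
    chosen = []
    for _ in range(count):
        reply = record.answer()
        chosen.append(reply[0] if reply else None)
    return chosen


if __name__ == "__main__":
    web = RoundRobinRecord(["203.0.113.1", "203.0.113.2", "203.0.113.3"])
    print(simulate_clients(web, 6))
```

The simulation shows the limitation the slide hints at with "poor man's": the distribution is strictly sequential and ignores server load, and without the health-checked variant (which a real DNS server does not perform) an unreachable server keeps receiving one third of the clients.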
DNS & ADS
The physical structure of Active Directory information in DNS is represented in DNS zones and resource records, which, in turn, are typically stored in Active Directory as Active Directory-integrated DNS zones. The DNS zones that support Active Directory domains can also be stored in standard, file-based DNS zones. In addition, the DNS dynamic update protocol is utilized by Active Directory in order to make the registration of domain controller DNS resource records automatic.
In AD, DNS uses the _msdcs DNS sub domain and SRV records.
DNS STRUCTURE IN AD
DNS OF WINDOWS 2003 & 08
The Windows 2008 DNS server supports the following additional features:
- Windows 2008 supports IPv6 also.
- Windows 2008 supports the Read Only Domain Controller (RODC). The RODC is a read-only image of AD used for security purposes.
- Windows 2008 can support large Active Directory-integrated zones and is able to respond to clients more quickly.
- Windows 2008 also provides CLI mode management.
IPV6 AND DNS 2008
- This is a new Internet protocol, and the Windows 2008 DNS server can be configured with it.
- IPv6 supports a wider network address space than IPv4.
- The IPv6 subnet size is standardized, in combination with the MAC address.
In DNS 2008, hostnames are mapped with AAAA resource records, and for reverse queries ip6.arpa is used.
DNS SERVER SECURITY
- Interfaces - Restrict a DNS server to listen only on selected addresses.
- Disable recursion - Recursion is not disabled for the DNS Server service by default. Recursion can be used by attackers, so it should be disabled. The server will then attempt to resolve a query from its own database only; it will not query any additional servers.
- SDNS - Secure DNS Server
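After disabling recursion, an administrator wants to confirm the server actually refuses to recurse for clients. A server advertises this in the RA (recursion available) flag of its reply header. The Python below is an added example, not from the slides: it builds a standard DNS query with the RD bit set, decodes the reply header, and reports whether RA is set. The two sample replies are constructed byte strings so the check can be exercised offline; `probe()` sends the same query to a server you own and is the only part that needs a network.

```python
"""DNS header encoding/decoding to verify that recursion is disabled on a
server (added example; the sample reply bytes are constructed)."""
import os
import socket
import struct

FLAG_QR = 0x8000   # reply (vs. query)
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)


def build_query(name, qtype=1, txid=0x1234, recursion_desired=True):
    """Encode a single-question DNS query in RFC 1035 wire format (qtype 1 = A)."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class 1 = IN


def parse_header(message):
    """Decode the 12-byte header into the fields a configuration audit cares about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def recursion_offered(reply, expected_id):
    """True if a genuine reply to our query has RA set, i.e. the server would recurse for us."""
    h = parse_header(reply)
    return h["is_response"] and h["id"] == expected_id and h["recursion_available"]


def probe(server_ip, name="example.com", timeout=2.0):
    """Send the query over UDP to a server you administer; needs network, not used in tests."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(512)
    return recursion_offered(data, txid)


# Constructed replies: header plus the echoed question section, no answer records.
# 0x8180 = QR|RD|RA (server offers recursion); 0x8100 = QR|RD, RA clear (recursion disabled).
_QUESTION = build_query("example.com")[12:]
REPLY_RECURSION_ON = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION
REPLY_RECURSION_OFF = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("constructed reply, recursion on :", recursion_offered(REPLY_RECURSION_ON, 0x1234))
    print("constructed reply, recursion off:", recursion_offered(REPLY_RECURSION_OFF, 0x1234))
```

Run `probe()` against your own authoritative server from outside the network it is meant to serve: a `False` result is the expected state after the "disable recursion" step above. The transaction-ID check in `recursion_offered()` also illustrates why resolvers randomize that field, since a reply that does not match the outstanding query's ID should never be trusted.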
DNS SERVER MONITORING
We need to monitor DNS server response time, record type, record availability, search field, search value, search value status and search time. We can use a 3rd party tool, like Applications Manager, and we can check the DNS event log also.
- Monitoring provides a useful benchmark for predicting, estimating, and optimizing DNS server performance.
- It shows whether DNS server performance has degraded, either over time or during periods of peak activity.
The right to use a domain name is delegated by domain name registrars, which are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization charged with overseeing the name and number systems of the Internet.
Examples of DNS name registration organizations: 0101 Internet, Inc. (Hong Kong); 1st-for-domain-names, LLC (United States).
IMPLEMENTATION OF DNS ON SWAN
- Additional DNS server for load balancing
- Implementation of a CDC (child domain controller)
- Using a forward zone for enabling hostname queries
THANK YOU