Post on 25-Jan-2017
Let's talk DNS
History
• Once upon a time …
• computers were very expensive
• computers were very large
• computers were isolated, didn’t talk to each other
Early Internet Era - ARPANET
• Later, computers started getting connected to each other*, for example on ARPANET, which
• had on the order of a few hundred nodes
• kept the name-to-address mapping in a single hosts.txt file
• had every host fetch its own copy of the master hosts.txt file
• distributed the file by replacing it wholesale over FTP
• *thanks to the packet-switching network era
Sample hosts.txt
Issues with ARPANET
• The hosts.txt approach worked for a while, but not for long, because
• hosts.txt became extremely large
• bandwidth requirements grew roughly with the square of the number of hosts (N hosts each re-downloading a file that itself grows with N)
• it could not scale to the host-mapping needs of the emerging networks
• and remember, this is decades before rsync
• Problems with hosts.txt
• consistency: copies on different hosts went out of date between updates
• name collisions: nothing stopped two sites from claiming the same name (there was no Git for conflict management)
Requirements
• Essentially we need a system which
• stores name-to-number (IP address) mappings (a database service at its core)
• can handle changes to those associations
• is distributed in nature, so there is no single point of failure
• is hierarchical in nature: if a server doesn't know a binding, the question goes up the hierarchy
• can delegate responsibility, i.e. supports tree-structured delegation
DNS
• In use since the mid-1980s
• Defined in RFC 882 and RFC 883 in 1983
• Superseded by RFC 1034 and RFC 1035 in 1987
DNS
• Asynchronous query/response protocol
• Stateless, normally carried over UDP (TCP is used for zone transfers and for responses too large for a single UDP datagram)
• A very simple packet format
• Compatible with the IP suite of protocols
• Aggressive caching
• every record in a response carries a TTL
• servers respond to queries with additional information (extra records the client is likely to need next, such as the addresses of the name servers it was just referred to)
• The first widely used Unix name server implementation is known as BIND, written at UC Berkeley in 1984 and later ported to Windows NT
DNS - In reality
• Data is indexed by domain names
• A domain name is a sequence of labels
• Labels are separated by dots (".") and form a tree
• Domain names are case-insensitive ASCII (internationalized names are encoded into ASCII before they go on the wire)
• DNS administration is shared
• Authority is delegated
• No single entity is in charge
• Top-to-bottom approach
• 13 root server names (each of them is today served by many anycast instances)
• The "empty label" is the root, i.e. the "." zone
Root and TLDs
• Top-level domains
• gTLD: generic top-level domain (.com, .org ...)
• ccTLD: country-code top-level domain (.in, .eu, .uk ...)
• New gTLDs (.tourism, .india, .book ...)
• IDN TLDs (ایران. .МОСКВА)
13 root servers (addresses as listed at the time of the talk)

Hostname             IP addresses                        Manager
a.root-servers.net   198.41.0.4, 2001:503:ba3e::2:30     VeriSign, Inc.
b.root-servers.net   192.228.79.201, 2001:500:84::b      University of Southern California (ISI)
c.root-servers.net   192.33.4.12, 2001:500:2::c          Cogent Communications
d.root-servers.net   199.7.91.13, 2001:500:2d::d         University of Maryland
e.root-servers.net   192.203.230.10                      NASA (Ames Research Center)
f.root-servers.net   192.5.5.241, 2001:500:2f::f         Internet Systems Consortium, Inc.
g.root-servers.net   192.112.36.4                        US Department of Defense (NIC)
h.root-servers.net   198.97.190.53, 2001:500:1::53       US Army (Research Lab)
i.root-servers.net   192.36.148.17, 2001:7fe::53         Netnod
j.root-servers.net   192.58.128.30, 2001:503:c27::2:30   VeriSign, Inc.
k.root-servers.net   193.0.14.129, 2001:7fd::1           RIPE NCC
l.root-servers.net   199.7.83.42, 2001:500:9f::42        ICANN
m.root-servers.net   202.12.27.33, 2001:dc3::35          WIDE Project
NOTE
Generally these 13 well-known root server addresses are compiled into the resolver or configured as a "root hints" file. They do change occasionally, so check the current list published by IANA rather than hard-coding a table like the one above.
Also many resolvers choose to serve a local copy of the "." zone (the "local root" approach described in RFC 7706)
Delegation: domains and zones
• Domain: the entire subtree below a name
• Zone: the part of a domain administered by one entity (delegation splits a domain into smaller, more manageable units)
DNS: Operation of the protocol
• Servers respond to queries
• Clients send recursive queries to a resolver, which walks the hierarchy on their behalf
• Responses are cached everywhere
Fundamental concept -
Keep asking the same question until you get a reply or until you get bored waiting.
DNS Actors
(diagram: the stub resolver sends a query to the recursive resolver, which queries the root server and the authoritative name servers and returns the response)
DNS Actors
1. Clients (stub resolvers) are configured with a recursive resolver, read from /etc/resolv.conf on Unix-like systems
2. Recursive resolvers find answers on behalf of clients. They query the DNS from the root, following referrals, until they find the answer.
   RESOLVER -
   a. the stub resolver sends it queries to resolve names
   b. it queries the authoritative servers for the answer and serves it back
   c. results are cached for the TTL carried in each record
3. Authoritative servers reply authoritatively to queries for the zones they hold.
DNS Actors: authoritative servers
• Records are in the zone file(s) they serve
• Types A, AAAA, MX, CNAME etc.
• Only answer queries for data under their authority
• (only if they hold a copy of the data)
• If they can't answer, they point to the delegated authority (a referral)
• but they don't query recursively on the client's behalf
DNS Flow - Example
Different types of servers
• Authoritative-only DNS servers
• Authoritative servers can also be caching servers
• Recursive caching DNS servers
• Forwarding DNS servers (pass queries on to another recursive server instead of iterating from the root themselves)
• Primary and secondary servers (also called master and slave); secondaries obtain the zone from the primary by zone transfer
Queries, Responses & Flags
Every DNS query consists of the following:
• qname: a domain name (the host name part of what people loosely call a URL; the DNS never sees the scheme or the path)
• qtype: A, AAAA, MX etc., denotes the type of record wanted
• qclass: IN or CH (IN, Internet, is what is almost always used; CH, Chaos, survives mainly for server-identification queries such as version.bind)
• Flags: QR, RD, DO, AD, the EDNS OPT record etc.
dig +short A IN google.com
    option  type class name
Types of DNS queries
• Forward DNS query
• Look up a host's IP address by name
• for example, yahoo.com had the address 98.138.253.109
• Reverse DNS query
• Look up a host's name by IP address, by querying a PTR record under in-addr.arpa (IPv4) or ip6.arpa (IPv6)
• for example, 98.138.253.109 mapped back to a yahoo.com host (the query name is 109.253.138.98.in-addr.arpa)
DNS Flags (A = meaningful in answers, Q = set in queries)
• qr - query/response: 0 in a query, 1 in a response (A)
• rd - recursion desired: the client asks the server to recurse on its behalf (Q, copied into the A)
• ra - recursion available: the server is willing to recurse for this client (A)
• aa - authoritative answer: the responding server is authoritative for the name (A)
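To make the query structure and the flags concrete, here is an added example written for this page (it is not code from the talk) that builds a DNS query in wire format and parses a constructed response. It encodes the qname as length-prefixed labels, sets RD in the header, appends an EDNS0 OPT record carrying the DO bit, and on the response side decodes the header flags (qr, aa, tc, rd, ra, ad), follows a name-compression pointer and reads the TTL of an A record. The response bytes, the transaction ID 0x1234 and the reuse of google.com / 216.58.220.46 from the slides are constructed sample data; reverse_name shows the in-addr.arpa / ip6.arpa names used by the reverse queries described above.

```python
import ipaddress
import struct

# Record types and classes used here (values from RFC 1035, RFC 3596 and RFC 6891).
TYPE_A, TYPE_AAAA, TYPE_OPT = 1, 28, 41
CLASS_IN = 1

# Header flag bits (RFC 1035 section 4.1.1; AD comes from DNSSEC, RFC 4035).
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200
FLAG_RD, FLAG_RA, FLAG_AD = 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in the empty root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, dnssec_ok=True):
    """Header with RD set, one question, and (optionally) an EDNS0 OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, class = advertised UDP payload size,
        # the 32-bit "TTL" field holds ext-rcode / EDNS version / DO bit, rdlength 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return msg


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers; returns (name, offset after the name)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bounded walk so a pointer loop cannot hang the parser
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Parse the header flags, the question section and the answer section of a message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "flags": {"qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
                  "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
                  "rcode": flags & 0xF},
        "questions": questions,
        "answers": answers,
    }


def reverse_name(ip):
    """Name asked for in a reverse (PTR) lookup: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed response to build_query("google.com"): QR|RD|RA set, the answer's owner name is a
# compression pointer (0xc00c) back to the question name at offset 12, A record with TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    + encode_name("google.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([216, 58, 220, 46])
)

if __name__ == "__main__":
    print(build_query("google.com").hex())
    print(parse_response(SAMPLE_RESPONSE))
    print(reverse_name("98.138.253.109"))
```

Sending build_query's bytes in a UDP datagram to port 53 of a resolver and feeding the reply to parse_response is all a minimal client needs; the bounded loop in decode_name is the check a parser handling untrusted responses must have, because a pointer that points at itself is otherwise an infinite loop.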
Sample DNS Query In Action
(diagram: stub resolver -> recursive resolver -> root server ".", TLD server ".com", host server)
1. Do I know me.com? - No! 2. Do I know .com? - No! 3. Send the query to the resolver ... wait
4. The recursive resolver asks itself the same questions (1, 2) 5. Do I know me.com? - No! 6. Send the query to a root server ... wait
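The walk from root to TLD to host server described above, as an added simulation that is not part of the talk: a toy recursive resolver iterates over three constructed "authoritative servers" (a fake root, a fake .com server and a fake me.com server, keyed by made-up addresses; 198.41.0.4 is borrowed from the root table on the earlier slide) and caches both answers and referrals with their TTLs. A second lookup is answered from cache, and once the A record expires the resolver starts from the cached me.com name servers instead of going back to the root. The simulated authoritative servers only answer or refer; they never recurse.

```python
# Constructed toy namespace for this example: each "server" is a dict keyed by (name, type) whose
# values are either ("answer", ttl, value) or ("referral", ttl, zone, {ns_host: ns_ip}).
ROOT = {("com", "NS"): ("referral", 172800, "com", {"a.gtld-servers.net": "192.5.6.30"})}
COM = {("me.com", "NS"): ("referral", 172800, "me.com", {"ns1.me.com": "203.0.113.10"})}
ME = {
    ("me.com", "A"): ("answer", 300, "203.0.113.20"),
    ("www.me.com", "A"): ("answer", 60, "203.0.113.21"),
}
SERVERS = {"198.41.0.4": ROOT, "192.5.6.30": COM, "203.0.113.10": ME}
ROOT_HINTS = ["198.41.0.4"]  # the resolver's compiled-in starting point


def ask(server_ip, name, qtype):
    """Emulate one authoritative server: answer from its own data, otherwise refer to the closest
    delegation it knows about. It never chases the answer itself (no recursion)."""
    data = SERVERS[server_ip]
    if (name, qtype) in data:
        return data[(name, qtype)]
    labels = name.split(".")
    for i in range(len(labels)):  # longest matching delegation first
        ref = data.get((".".join(labels[i:]), "NS"))
        if ref and ref[0] == "referral":
            return ref
    return ("nxdomain", 0)


class RecursiveResolver:
    """Answers on behalf of stub clients: walks root -> TLD -> zone, caching answers and referrals."""

    def __init__(self, clock):
        self.clock = clock  # injectable clock so tests can move time forward
        self.cache = {}     # (name, type) -> (expiry, value)
        self.log = []       # which server answered each step, or "cache" when no query was needed

    def _cached(self, key):
        hit = self.cache.get(key)
        return hit[1] if hit and hit[0] > self.clock() else None

    def resolve(self, name, qtype="A"):
        name = name.rstrip(".").lower()
        value = self._cached((name, qtype))
        if value is not None:
            self.log.append(("cache", name, qtype))
            return value
        # Start from the closest enclosing zone whose name servers are still cached, else the root.
        servers = list(ROOT_HINTS)
        labels = name.split(".")
        for i in range(len(labels)):
            glue = self._cached((".".join(labels[i:]), "NS"))
            if glue:
                servers = list(glue.values())
                break
        for _ in range(16):  # bound the referral chain
            server = servers[0]
            self.log.append((server, name, qtype))
            kind, ttl, *rest = ask(server, name, qtype)
            if kind == "answer":
                self.cache[(name, qtype)] = (self.clock() + ttl, rest[0])
                return rest[0]
            if kind == "referral":
                zone, glue = rest
                self.cache[(zone, "NS")] = (self.clock() + ttl, glue)
                servers = list(glue.values())
                continue
            raise LookupError("%s %s: %s" % (name, qtype, kind))
        raise LookupError("too many referrals while resolving %s" % name)


if __name__ == "__main__":
    import time
    resolver = RecursiveResolver(time.monotonic)
    print(resolver.resolve("www.me.com"), resolver.log)
```

The log is the interesting output: the first lookup shows three queries (root, .com, me.com), the repeat shows none, and the lookup after the 60-second TTL shows a single query straight to ns1.me.com, which is the "aggressive caching" the earlier slide mentions.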
Sample DNS dig response
DNS Record Types
• A, AAAA   IPv4, IPv6 address
• NS        Name server
• CNAME     Canonical name (alias)
• MX        Mail exchanger
• PTR       Reverse info (IP to host)
• SRV       Service (host + port number)
• SOA       Start of authority
Record Types - A, AAAA
• A denotes an IPv4 address record
• an IPv4 address is 32 bits, written as 4 octets
• each octet is 8 bits
• maximum 2^32 combinations
• example: 216.58.220.46
• AAAA denotes an IPv6 address record
• an IPv6 address is 128 bits
• maximum 2^128 combinations
• example: 2404:6800:4007:800::200e
Record Types - NS
• Name Server Record
• Used to delegate a subdomain (a child zone) to a set of name servers
• Generally we publish NS records in our authoritative name servers for the domains we are authoritative for
• Appears both in the parent (delegating) zone and at the apex of the child zone; the two sets should match
Record Types - CNAME
• Canonical Name Record
• rdata contains the domain name it maps to
• Must always point to another domain name, never to an IP address
• A name that has a CNAME must carry no other data (RFC 1034 section 3.6.2, DNSSEC records aside), which is why a zone apex, with its SOA and NS records, cannot be a CNAME
Sample example -
Name               Type    Value
bar.example.com    CNAME   foo.example.com
Record Types - MX
• Mail Exchanger Record
• Defines the host(s) that receive email for the domain
• rdata contains a preference field and the host name of the mail receiver
• Lower preference == higher priority; senders try the lowest preference first and fall back to the next
Record Types - SRV
• Used for specifying the host name and port number of the servers for a given service
• Service record: a "generic" description of a service
• Owner name has the form _service._proto.name (e.g. _sip._tcp.example.com); rdata is priority, weight, port, target
• SIP and XMPP often require SRV support
Sample Example -
Record Types - SOA
• Stored in every DNS zone; specifies information about the zone and is defined at the start of a new zone
• Always appears at the beginning of the zone
• Each zone contains a single SOA record
• Generally it contains
• MNAME: name of the primary server that supplied the data
• RNAME: mailbox of the zone administrator (with the "@" written as a ".")
• SERIAL: current version of the zone data; secondaries compare it to decide whether they need a fresh copy
• REFRESH / RETRY / EXPIRE: how often a secondary name server checks for a new version, the number of seconds it waits before retrying a failed zone transfer, and how long it keeps serving the zone if the primary stays unreachable
• MINIMUM: historically the zone's default TTL, today (RFC 2308) the TTL for negative answers, etc.
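An added example, written for this page rather than taken from the talk, that ties the record types above together: it parses a constructed zone for example.com and checks the rules stated on these slides, i.e. exactly one SOA at the start, NS records at the apex, A/AAAA holding an IPv4/IPv6 address, a CNAME pointing at a name and not an address and carrying no other data, MX ordering by preference, the SRV field layout and the seven SOA fields. The zone text, names and addresses are constructed sample data, and the one-line SOA is a simplification of the parenthesised multi-line form real zone files use.

```python
import ipaddress

# Constructed zone for this example (sample data, not a real zone). Two deliberately wrong records
# for bad.example.com show what the checks catch.
ZONE_TEXT = """\
$TTL 3600
example.com.            IN SOA   ns1.example.com. hostmaster.example.com. 2017012501 7200 900 1209600 300
example.com.            IN NS    ns1.example.com.
example.com.            IN NS    ns2.example.com.
example.com.            IN A     192.0.2.10
example.com.            IN AAAA  2001:db8::10
example.com.            IN MX    10 mail1.example.com.
example.com.            IN MX    20 mail2.example.com.
ns1.example.com.        IN A     192.0.2.53
ns2.example.com.        IN A     198.51.100.53
www.example.com.        IN CNAME example.com.
bad.example.com.        IN CNAME 192.0.2.10          ; wrong: CNAME target must be a name
bad.example.com.        IN A     192.0.2.11          ; wrong: a CNAME owner may carry no other data
_sip._tcp.example.com.  IN SRV   10 60 5060 sip1.example.com.
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_zone(text):
    """Parse 'owner [ttl] IN type rdata...' lines into records; $TTL sets the default TTL."""
    default_ttl, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        owner, rest = fields[0].lower(), fields[1:]
        ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else default_ttl
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        records.append({"name": owner, "ttl": ttl, "type": rest.pop(0).upper(), "rdata": rest})
    return records


def _addr_version(text):
    """4 or 6 for an IP literal, None for anything else (i.e. a domain name)."""
    try:
        return ipaddress.ip_address(text).version
    except ValueError:
        return None


def soa_fields(record):
    """Name the seven SOA rdata fields; the numeric ones are the timers secondaries work from."""
    values = record["rdata"][:2] + [int(v) for v in record["rdata"][2:]]
    return dict(zip(SOA_FIELDS, values))


def srv_fields(record):
    priority, weight, port, target = record["rdata"]
    return {"priority": int(priority), "weight": int(weight), "port": int(port), "target": target}


def mx_order(records):
    """Mail hosts in the order a sender tries them: lowest preference first."""
    mx = [r for r in records if r["type"] == "MX"]
    return [r["rdata"][1] for r in sorted(mx, key=lambda r: int(r["rdata"][0]))]


def check_zone(records):
    """Return a list of problems; an empty list means the zone passed these checks."""
    problems = []
    if not records or records[0]["type"] != "SOA" or sum(r["type"] == "SOA" for r in records) != 1:
        return ["zone must begin with exactly one SOA record"]
    apex = records[0]["name"]
    if len(records[0]["rdata"]) != 7:
        problems.append("%s: SOA needs 7 rdata fields" % apex)
    if not any(r["type"] == "NS" and r["name"] == apex for r in records):
        problems.append("%s: no NS records at the zone apex" % apex)
    for r in records:
        name, rd = r["name"], r["rdata"]
        if r["type"] == "A" and not (len(rd) == 1 and _addr_version(rd[0]) == 4):
            problems.append("%s: A record needs one IPv4 address" % name)
        elif r["type"] == "AAAA" and not (len(rd) == 1 and _addr_version(rd[0]) == 6):
            problems.append("%s: AAAA record needs one IPv6 address" % name)
        elif r["type"] == "CNAME":
            if len(rd) != 1 or _addr_version(rd[0]) is not None:
                problems.append("%s: CNAME target must be a domain name, not an address" % name)
            if any(o["name"] == name and o is not r for o in records):
                problems.append("%s: a CNAME owner must not have other records (RFC 1034 3.6.2)" % name)
        elif r["type"] == "MX" and not (len(rd) == 2 and rd[0].isdigit()):
            problems.append("%s: MX needs 'preference host'" % name)
        elif r["type"] == "SRV" and not (len(rd) == 4 and all(v.isdigit() for v in rd[:3])
                                          and int(rd[2]) <= 65535):
            problems.append("%s: SRV needs 'priority weight port target'" % name)
    return problems


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(soa_fields(zone[0]))
    print(mx_order(zone))
    for problem in check_zone(zone):
        print("PROBLEM:", problem)
```

Run against the sample zone it reports exactly the two bad.example.com lines; removing them yields an empty problem list, which is the state a zone should be in before it is loaded onto a primary and transferred to the secondaries.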
? Thanks
Abhinav Mehta
@mehta_