Guide To TCP/IP

Domain Name System

Date post: 18-Dec-2015

DNS – TCP/IP Application Protocol

• Name resolution protocol – robust, reliable and stable
• Distributed database technology
• What does it resolve?
  – Maps the Internet: every valid (symbolic) domain name to its (numeric) IP address
• Replaced the manual task of updating HOSTS files throughout a network

* Note: a Win2K domain is a group of computers and devices under one administrator; a DNS domain is a node representing a partition in the DNS database.

DNS – contd

[Figure: network services with DNS enabled]

DNS

[Figure: DNS at Layer 7 (Application), carried over Layer 4 (TCP or UDP) to the DNS server]

DNS Background

• Early method – static text files (HOSTS)
• 1984 – JEEVES by Paul Mockapetris
• 1988 – BIND (Berkeley Internet Name Domain) by Kevin Dunlap
  – Works with UNIX and Win2K

DNS Structure (Domain Namespace)

• Hierarchical – an inverted tree with the root on top, designated by a single period (.)
• Partitions the namespace into categories
• Parent/child domains
  – Top-level primary domains
  – Organizational domain hierarchies: second-level domains
  – Host names

DNS Structure – an inverted tree

[Figure: the inverted tree from the root (.) down through top-level domains such as .uk to second-level domains and hosts]

There are also 2- or 3-letter country codes. See ftp://ftp.ripe.net/iso3166-countrycode.txt

Structure – contd

• Root servers – provide the ultimate source for all name lookups
• 13 root servers worldwide
  – A.ROOT-SERVERS.NET
  – B.ROOT-SERVERS.NET
• At least one valid IP address for each unique domain name.
  – This name-to-address correlation is the most important function of DNS
• The structure of the DNS database mirrors the domain namespace itself.

FQDN

• Fully Qualified Domain Name – consists of all the elements of the domain name, including the periods.
• Ex. Computer1.sales.microsoft.com.
  – Host name: Computer1; the trailing period: the root
• Domain names start from the bottom of the tree and work their way up.

Domain Namespace

• *The structure of the DNS database mirrors the domain namespace itself.
• Partitioning – trees and subtrees
• Delegation of authority
  – Domain – registration and fees through a central authority
  – Subdomain – arbitrary, local administration
• Any valid domain name ultimately resides on a master/primary server
  – Copies can be made.

Domain Namespace – “partitioning”

• Zone – a portion of the domain namespace

[Figure: the domain namespace divided into zones. Under .com, Zone 1 (microsoft, with sales beneath it) is held in the Zone 1 database file and Zone 2 (development) is held in the Zone 2 database file.]

Zones – contd

• Zones allow a domain namespace to be partitioned into manageable sections.
• Root domain for zone 1 – microsoft
• Root domain for zone 2 – development

Zone File

• On a Win2K Server running DNS, the zone files are located in the %SystemRoot%\System32\DNS directory.

DNS Naming Conventions & Guidelines

• Limit the number of domain levels.
• Host entries should be 3-4 levels down, no more than 5. The more levels you have, the more admin work.
• Use unique names. For ease of use, select simple names.
• Avoid lengthy names. A domain name can be up to 63 characters including the periods.

Naming Guides – contd

• FQDN cannot exceed 255 characters.
• Not case sensitive.
• Use standard DNS characters and Unicode characters:
  – DNS characters: A thru Z, a thru z, 0 thru 9 and the hyphen (-) – RFC 1035
  – The Unicode character set includes additional characters not found in ASCII; required for other languages.

Unicode – contd

• Use Unicode characters only if all the servers support Unicode.
• For the complete Unicode set – RFC 2044
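The naming rules on the last three slides (DNS characters, the 63-character label and 255-character name limits from RFC 1035, the "no more than 5 levels" guideline, case insensitivity) are easy to check mechanically. The following is an added example written for this transcript, not code from the course: the RFC 1035 limits are standard facts, while MAX_LEVELS and the function names are assumptions of this example.

```python
import re

# RFC 1035 limits (standard facts, not from the slides): 63 octets per label,
# 255 octets per name. The slide's guideline of at most 5 levels is a local
# policy, so it is a tunable parameter here.
MAX_LABEL = 63
MAX_NAME = 255
MAX_LEVELS = 5

# "DNS characters": A-Z, a-z, 0-9 and the hyphen; a label may not begin or end
# with a hyphen (the RFC 1035 "preferred name syntax").
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_hostname(name, max_levels=MAX_LEVELS):
    """Return a list of problems found in `name`; an empty list means the name
    passes every check on the slides. A trailing period (FQDN) is allowed."""
    problems = []
    body = name[:-1] if name.endswith(".") else name
    if not body:
        return ["empty name"]
    if len(body) > MAX_NAME:
        problems.append("name longer than %d characters" % MAX_NAME)
    labels = body.split(".")
    if len(labels) > max_levels:
        problems.append("%d levels; guideline allows at most %d"
                        % (len(labels), max_levels))
    for label in labels:
        if not label:
            problems.append("empty label (consecutive periods)")
        elif len(label) > MAX_LABEL:
            problems.append("label %r... longer than %d characters"
                            % (label[:8], MAX_LABEL))
        elif not LABEL_RE.match(label):
            problems.append("label %r uses characters outside A-Z, a-z, 0-9, '-' "
                            "or starts/ends with a hyphen" % label)
    return problems


def same_name(a, b):
    """DNS names are not case sensitive, and a trailing period only marks an
    FQDN, so both spellings of the slide's example name refer to one host."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


if __name__ == "__main__":
    for candidate in ("Computer1.sales.microsoft.com.", "pay_roll.tree.com",
                      "-oops.tree.com", "a.b.c.d.e.f.tree.com"):
        print(candidate, check_hostname(candidate) or "ok")
```

The checker reports every violation it finds rather than stopping at the first, which is what you want when validating a batch of host entries before adding them to a zone.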

DNS Database – Resource Records (RR)

• RR – special database entries that contain specific data relevant to DNS:
• Address record (A) – stores domain name-to-IP address translation data
• Canonical name record (CNAME) – used to create aliases
• Name server record (NS) – used to identify all DNS servers in the domain

RR – contd

• Pointer record (PTR) – stores IP address-to-domain name translation data; supports reverse DNS lookup
• Start of Authority record (SOA) – identifies the master DNS server for a specific domain or subdomain.

Other RR:

– Host information (HINFO) record
– Mail exchange (MX) record
– Text (TXT) record
– Well-known services (WKS) record

DNS Structure – delegation of authority

• Assignment of duties – hierarchy; zones; authoritative servers for subdomains
• Easy and quick way to point to other name servers
• Resource Records (RR) – will reflect this delegation of authority.
• DNS Servers – 3 kinds at any given subdomain:
  – Primary
  – Secondary
  – Caching

DNS Servers – contd

• Primary or Master server – contains the primary database files for the domain or subdomain.
  – Authoritative
  – The database file is called the zone file, an ASCII snapshot that is loaded into memory when the server runs.
  – Only one primary/master on any given DNS zone.

DNS servers – contd

• Secondary or slave server – gets data from the primary server; gets regular updates.
• Incremental zone transfer vs. full copy or replication.
  – Every zone should have at least one slave server; multiple slaves allowed.
  – Serves as backup (fault tolerance) and provides load balancing.

DNS servers – contd

• Caching servers – store recently accessed DNS records
  – Stand-alone servers (primary and secondary DNS can provide caching also)
  – Ideal for large companies and Internet Service Providers
  – Speed access by storing lookup data locally.
  – Do not provide DNS server functions.

DNS Root-Level Servers

• Top of the hierarchy
• Has access to all elements of the hierarchy (subdomains)
• Any queries that can’t be handled locally go to the root server
• Follows NS (Name Server) records in the zone database until it finds the authoritative server that contains the SOA name

How Domain Name Servers Work:

[Figure: the query path. QUERY (Client) → local zone / authoritative server → neighborhood/caching server → ROOT, then down through the authoritative servers by following NS records.]

If the DNS server is authoritative, it gives the data.

This process always produces some kind of answer, even an error message.

Root-level Servers: Types of Queries

• Recursive – “query that keeps working until an answer of some kind is forthcoming.”
  – The FIRST DNS server issues further queries on the client's behalf
  – When other servers respond to the first server, they provide the answer from their own databases/caches OR
  – Provide pointers to other “closer” name servers.

Types of queries – contd

• Iterative or non-recursive – queries to an authoritative server which may or may not generate a reply.
  – The FIRST DNS server that receives the recursive query issues repeated iterative queries to other servers
  – It will either get an answer or an error message
  – What is the difference between a DNS server that receives a recursive query and a server that receives an iterative query?

Queries – contd

• Why is caching important to a DNS server?
• What is a non-authoritative response? An authoritative response?
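The three slides above describe one process from two sides: the client sends a single recursive query to its local server, and that server walks the tree with iterative queries, following NS referrals from the root down until an authoritative server answers or returns an error, caching what it learns. The simulation below is an added example written for this transcript, not code from the course. The servers, zone names and the "ns.com-tld.example." delegation are constructed; the tree.com hosts and the root server name are taken from the slides. It answers the slide's questions directly: a cache hit is a non-authoritative response, and caching is what keeps the query count from growing with every lookup.

```python
import time
from dataclasses import dataclass, field


def in_zone(name, zone):
    """True when `name` lies inside `zone` (both FQDNs with a trailing period)."""
    return zone == "." or name == zone or name.endswith("." + zone)


@dataclass
class AuthServer:
    """A name server that answers ITERATIVE queries only: an answer if it is
    authoritative for the name, a referral (NS pointer to a 'closer' server)
    if a child zone has been delegated, otherwise an error."""
    zone: str
    a_records: dict                                   # name -> (ip, ttl)
    delegations: dict = field(default_factory=dict)   # child zone -> server name

    def iterative_query(self, name):
        if not in_zone(name, self.zone):
            return ("error", "REFUSED")
        for child, server in self.delegations.items():
            if in_zone(name, child):
                return ("referral", child, server)
        if name in self.a_records:
            ip, ttl = self.a_records[name]
            return ("answer", ip, ttl)
        return ("error", "NXDOMAIN")


class RecursiveServer:
    """The 'FIRST DNS server' of the slides: it accepts a RECURSIVE query from
    the client, walks the tree from the root with iterative queries, caches
    what it learns, and always returns some kind of answer, even an error."""

    def __init__(self, servers, root_server):
        self.servers = servers            # server name -> AuthServer
        self.root_server = root_server
        self.cache = {}                   # name -> (ip, expires_at)
        self.queries_sent = 0             # iterative queries issued so far

    def recursive_query(self, name, now=None):
        now = time.time() if now is None else now
        name = name.lower().rstrip(".") + "."
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            # Served from cache: a non-authoritative response.
            return {"status": "ok", "ip": cached[0], "source": "cache"}
        current = self.root_server
        for _ in range(16):               # bound the referral chain
            self.queries_sent += 1
            reply = self.servers[current].iterative_query(name)
            if reply[0] == "answer":
                ip, ttl = reply[1], reply[2]
                self.cache[name] = (ip, now + ttl)   # keep it for TTL seconds
                return {"status": "ok", "ip": ip, "source": "authoritative"}
            if reply[0] == "referral":
                current = reply[2]                   # follow the NS pointer
                continue
            return {"status": reply[1], "ip": None, "source": "authoritative"}
        return {"status": "SERVFAIL", "ip": None, "source": None}


# Constructed toy name space (not real servers) using the slides' tree.com hosts.
SERVERS = {
    "a.root-servers.net.": AuthServer(".", {}, {"com.": "ns.com-tld.example."}),
    "ns.com-tld.example.": AuthServer("com.", {}, {"tree.com.": "apple.tree.com."}),
    "apple.tree.com.": AuthServer("tree.com.", {
        "apple.tree.com.": ("172.16.1.3", 86400),
        "pear.tree.com.": ("172.16.1.2", 86400),
    }),
}


def demo():
    """Resolve a name twice: the first answer walks root -> com -> tree.com
    (3 iterative queries); the second is served from cache with none."""
    local = RecursiveServer(SERVERS, "a.root-servers.net.")
    first = local.recursive_query("PEAR.tree.com", now=1000)
    after_first = local.queries_sent
    second = local.recursive_query("pear.tree.com.", now=2000)
    return first, after_first, second, local.queries_sent
```

Once the cached entry's TTL has passed, the next query walks the tree again, which is the propagation-delay behaviour discussed later in the deck.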

Resource Record (RR) Formats – RFC 1034, 2052, 2065

A and CNAME records:

    ; Host addresses
    localhost.tree.com.  IN A 127.0.0.1
    pear.tree.com.       IN A 172.16.1.2
    apple.tree.com.      IN A 172.16.1.3
    peach.tree.com.      IN A 172.16.1.4

RR format

    ; Multi-homed host
    hedge.tree.com.      IN A 172.16.1.1
    hedge.tree.com.      IN A 172.16.2.1

    ; Aliases
    pr.tree.com          IN CNAME pear.tree.com
    h.tree.com           IN CNAME hedge.tree.com
    h1.tree.com          IN CNAME 172.16.1.1

Note: the CNAME entries do not end in a period.

Start of Authority (SOA) Record (p. 325)

    tree.com IN SOA apple.tree.com. sue.pear.tree.com (
        1       ; Serial (incremented after each update)
        10800   ; Refresh after 3 hours (sync w/ primary)
        3600    ; Retry after 1 hour (interval before trying another refresh)
        604800  ; Expire after 1 week (zone db no longer authoritative)
        86400 ) ; Minimum TTL of 1 day (how long an entry can persist outside of a zone)

• “IN” indicates the record is an Internet class of record types
• “SOA” indicates the record is a Start of Authority record

Client Side DNS Errors

• Client side DNS errors may stem from any of the following causes
  – Invalid domain name or invalid IP address
  – Inability to locate an IP address that corresponds to the requested domain name
  – Inability to reach an authoritative name server for the requested domain

Reverse DNS Lookup – mapping addresses to names

• Used to verify that an IP address matches the domain name of the source.
• Good for identifying IP spoofing
• Format – reverse order (4th octet first)
• Example:

    1.1.16.172.in-addr.arpa. IN PTR hedge.tree.com
    2.1.16.172.in-addr.arpa. IN PTR pear.tree.com

The in-addr.arpa suffix denotes the IP address space of the Internet, formerly known as the Arpanet.
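The RR format slides (A, CNAME, the multi-line SOA) and the reverse-lookup slide above describe zone-file syntax and a check a practitioner actually runs: does the PTR for an address name the host that claims it, and does that host resolve back to the address? The following is an added example written for this transcript, not code from the course or from any DNS server. The zone text is constructed from the slides' tree.com records (the mail address in the SOA is given a trailing period, the alias names are written relative to $ORIGIN, and a matching 16.172.in-addr.arpa zone is added); the parser handles only the subset of zone-file syntax those records use.

```python
# Constructed zone data: the slides' tree.com records plus a matching reverse
# zone. Names without a trailing period are completed with $ORIGIN, as a real
# zone file does; "@" stands for the origin itself.
FORWARD_ZONE = """\
$ORIGIN tree.com.
@  IN SOA apple.tree.com. sue.pear.tree.com. (
        1       ; Serial
        10800   ; Refresh after 3 hours
        3600    ; Retry after 1 hour
        604800  ; Expire after 1 week
        86400 ) ; Minimum TTL of 1 day
; Host addresses
localhost.tree.com.  IN A 127.0.0.1
pear.tree.com.       IN A 172.16.1.2
apple.tree.com.      IN A 172.16.1.3
; Multi-homed host
hedge.tree.com.      IN A 172.16.1.1
hedge.tree.com.      IN A 172.16.2.1
; Aliases, written relative to $ORIGIN
pr                   IN CNAME pear.tree.com.
h                    IN CNAME hedge.tree.com.
"""

REVERSE_ZONE = """\
$ORIGIN 16.172.in-addr.arpa.
1.1  IN PTR hedge.tree.com.
2.1  IN PTR pear.tree.com.
3.1  IN PTR apple.tree.com.
1.2  IN PTR hedge.tree.com.
"""


def _logical_lines(text):
    """Drop ';' comments and join records that span lines inside parentheses."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf).strip()
            buf = []
            if joined:
                yield joined


def parse_zone(text):
    """Yield (owner, ttl, type, rdata) tuples; owner names become lowercase FQDNs."""
    origin = "."
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner = fields[0].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        rest = fields[1:]
        ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        yield owner, ttl, rest[0].upper(), rest[1:]


def reverse_name(ip):
    """172.16.1.1 -> 1.1.16.172.in-addr.arpa. (IPv4 only; 4th octet first)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


class ZoneDb:
    """In-memory view of one or more parsed zones."""

    def __init__(self, *zone_texts):
        self.a, self.cname, self.ptr, self.soa = {}, {}, {}, {}
        for text in zone_texts:
            for owner, _ttl, rtype, rdata in parse_zone(text):
                if rtype == "A":
                    self.a.setdefault(owner, set()).add(rdata[0])
                elif rtype == "CNAME":
                    self.cname[owner] = rdata[0].lower()
                elif rtype == "PTR":
                    self.ptr.setdefault(owner, set()).add(rdata[0].lower())
                elif rtype == "SOA":
                    keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
                    self.soa[owner] = dict(zip(keys, rdata[:2] + [int(v) for v in rdata[2:7]]))

    def lookup_a(self, name, depth=0):
        """Addresses for a name, following CNAME aliases (bounded chain)."""
        name = name.lower().rstrip(".") + "."
        if name in self.cname and depth < 8:
            return self.lookup_a(self.cname[name], depth + 1)
        return self.a.get(name, set())

    def lookup_ptr(self, ip):
        return self.ptr.get(reverse_name(ip), set())

    def forward_confirmed(self, ip, claimed):
        """The slides' spoofing check: the PTR for `ip` must name `claimed`, and
        `claimed` must resolve back to `ip` (forward-confirmed reverse DNS)."""
        claimed = claimed.lower().rstrip(".") + "."
        return claimed in self.lookup_ptr(ip) and ip in self.lookup_a(claimed)
```

Checking both directions matters: anyone who controls a reverse zone can make a PTR say whatever they like, so a PTR alone proves nothing; the forward record is held by the domain's own zone and is the part an impostor cannot change.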

NSLOOKUP Command

• Queries the default name server; provides info from the default server or from a server/IP address you provide.
• Command-line utility
• C:\>nslookup
  – should give you the default server
  – Let's see if we can find the default DNS server for nvcc.edu.

NSLOOKUP

[Screenshot: nslookup session]

NSLOOKUP – contd

[Screenshot: nslookup session; callouts mark where the lookup occurs and the results of the lookup]

NSLOOKUP

[Screenshot: nslookup session]

Other DNS Issues

• Dual purpose: DNS allows your users to “reach out”; outsiders can “reach in”
  – Provide name resolution to your users
  – Provide the authoritative hostname-to-IP mapping for services you choose to provide
• Dynamic DNS (DDNS) – name servers and clients within a network automatically update the zone database files
  – Linkage: need to link DNS and Active Directory.
  – DHCP, WINS, Active Directory or LDAP (Lightweight Directory Access Protocol) keep track of the IP address space and of domain name-to-address changes over time.

DNS Issues – contd

• DDNS & DHCP – the DHCP service generates dynamic updates
  – Active Directory (with DHCP) keeps track of name-to-address changes over time
  – Synchronize master copies of zone files
  – DHCP allows a client to add its A (host) records to the zone
  – DHCP adds the PTR (pointer) to the zone
  – DHCP also cleans up when the zone expires

DNS Issues – contd

• Remember the query process? How does caching play a role?
• Propagation delay – how long until the cached values catch up with the “master copies”?
  – Depends on the TTL clause. Default TTL – 24 hours.
  – Any change will add another 24 hrs to the default TTL before it kicks in.

DNS issues – contd

• Security: if possible, separate your internal and external DNS servers. How?
  – A single DNS server can leak info about internal hosts.

Security Structure

[Figure: a network offering DNS, Web, FTP, E-mail, etc. to the outside]

How can we separate our external and internal servers?

Split DNS Architecture

• 2 DNS servers:

[Figure: an External DNS Server, an Internal DNS Server, a Bastion Host, and the query path between them]

Security – contd

• The external DNS server contains public server info
• Both external and internal servers are primary for the domain
  – The internal DNS should forward queries that it cannot resolve to the external DNS
• Another alternative – run the external DNS on the Bastion host.
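The split DNS arrangement on the last four slides is easiest to see by contrast with the single-server setup it replaces. The following is an added example written for this transcript, not code from the course or from any DNS product: it models an external server holding only public records, an internal server that answers only clients on the internal network and forwards what it cannot resolve, and the single shared server the slide warns leaks internal host names. The zone contents, addresses and class names are constructed for the example.

```python
import ipaddress

# Constructed zone data (not from the slides): public hosts anyone may learn
# about, and internal hosts that must never be visible from outside.
EXTERNAL_ZONE = {                     # held by the external DNS server
    "www.tree.com.": "203.0.113.10",
    "mail.tree.com.": "203.0.113.25",
}
INTERNAL_ZONE = {                     # held only by the internal DNS server
    "hedge.tree.com.": "172.16.1.1",
    "payroll.tree.com.": "172.16.1.40",
}
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]   # assumed internal range


def _norm(name):
    return name.lower().rstrip(".") + "."


class ExternalServer:
    """Primary for the public view of tree.com: answers anyone, but holds no
    internal data, so there is nothing for it to leak."""

    def __init__(self, zone):
        self.zone = dict(zone)

    def query(self, name):
        ip = self.zone.get(_norm(name))
        return ("ok", ip) if ip else ("NXDOMAIN", None)


class InternalServer:
    """Primary for the internal view: only internal clients may ask, and names
    it cannot resolve are forwarded to the external server (slide 44)."""

    def __init__(self, zone, forwarder, internal_nets):
        self.zone = dict(zone)
        self.forwarder = forwarder
        self.nets = internal_nets

    def query(self, name, client_ip):
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in self.nets):
            return ("REFUSED", None)          # outsiders never reach this view
        ip = self.zone.get(_norm(name))
        if ip:
            return ("ok", ip)
        return self.forwarder.query(name)     # forward what we cannot resolve


class SingleServer:
    """The setup the slides warn about: one server holding both internal and
    public records and answering everyone."""

    def __init__(self, *zones):
        self.zone = {}
        for z in zones:
            self.zone.update(z)

    def query(self, name):
        ip = self.zone.get(_norm(name))
        return ("ok", ip) if ip else ("NXDOMAIN", None)


def demo():
    """Ask for an internal name from inside and outside under both designs."""
    external = ExternalServer(EXTERNAL_ZONE)
    internal = InternalServer(INTERNAL_ZONE, external, INTERNAL_NETS)
    shared = SingleServer(EXTERNAL_ZONE, INTERNAL_ZONE)
    return {
        "outsider_asks_external": external.query("payroll.tree.com"),
        "outsider_asks_internal": internal.query("payroll.tree.com", "198.51.100.7"),
        "insider_asks_internal": internal.query("payroll.tree.com", "172.16.1.20"),
        "insider_asks_public": internal.query("www.tree.com", "172.16.1.20"),
        "outsider_asks_shared": shared.query("payroll.tree.com"),
    }
```

The last entry is the leak: with one shared server an outside query for an internal name succeeds, while in the split design the external server has never heard of the name and the internal server refuses the client.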

